Hi everyone,
This is my first time posting on the list. I am developing a file system
filter driver and I have found a problem when, within the pre-create of
a network file, I try to perform a FltCreateFile of another network
file in the same directory as the first one. The problem definition
is: given a network file f1.txt located in \\192.168.1.2\testdir, I
perform the creation of a network file f2.txt located in the same
place via FltCreateFile, getting STATUS_LOGON_FAILURE as the return status.
The code is:
        // Initialize object attributes for the auxiliary file (device-relative path,
        // kernel handle so user mode cannot reach it)
        InitializeObjectAttributes(&objectAttributes,
                                   &streamContext->AuxiliarFileName,
                                   /* \Device\LanmanRedirector\192.168.1.2\testdir\f2.txt */
                                   OBJ_KERNEL_HANDLE,
                                   NULL,
                                   NULL);

        // Open/Create file on the same instance the original create is targeting
        status = FltCreateFile(
                     FilterHandle,
                     Data->Iopb->TargetInstance,
                     AuxiliarFileHandle,            // PHANDLE that receives the new handle
                     FILE_READ_DATA,
                     &objectAttributes,
                     &ioStatus,
                     (PLARGE_INTEGER) NULL,         // no allocation size
                     FILE_ATTRIBUTE_NORMAL,
                     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                     FILE_OPEN_IF,                  // open if it exists, create otherwise
                     FILE_COMPLETE_IF_OPLOCKED | FILE_WRITE_THROUGH,
                     NULL,                          // no extended attributes
                     0L,
                     IO_IGNORE_SHARE_ACCESS_CHECK);
The problem seems to be that the filter code is executed in the System thread
context, so the user process's network session privileges are not passed to
the System thread context. Is that right? I have tried to solve the
problem using impersonation, but the problem is not solved and the
status returned is the same: STATUS_LOGON_FAILURE.
The code used for impersonation is the following:
        SECURITY_QUALITY_OF_SERVICE ClientSecurityQos;
        SECURITY_CLIENT_CONTEXT ClientContext;

        ClientSecurityQos.Length = sizeof(ClientSecurityQos);
        ClientSecurityQos.ImpersonationLevel = SecurityDelegation;
        ClientSecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
        ClientSecurityQos.EffectiveOnly = TRUE;

        // Capture the security context of the thread that issued the original create
        status = SeCreateClientSecurity(
                     Data->Thread,
                     &ClientSecurityQos,
                     FALSE,                         // not a remote session
                     &ClientContext);
        if (!NT_SUCCESS(status)) {
            return status;                         // nothing to revert yet
        }

        // Apply impersonation to the current thread
        status = SeImpersonateClientEx(
                     &ClientContext,
                     NULL);                         // NULL = current thread
        if (!NT_SUCCESS(status)) {
            SeDeleteClientSecurity(&ClientContext);
            return status;
        }

        // trigger FltCreateFile
        // (afterwards: PsRevertToSelf() and SeDeleteClientSecurity(&ClientContext))
I don't really know what I am doing wrong.
Another solution would be to open a new session (from System) with the network
share in order to get the privileges, but I didn't find documentation about
how to log in from a file system filter.
I would appreciate any help to solve this problem.
Thanks.
Fran
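Editor's note, with an added example that is not part of Fran's post and is not a claimed fix for the STATUS_LOGON_FAILURE he reports. It shows the complete impersonation bracket a minifilter needs around FltCreateFile: every status checked, IO_FORCE_ACCESS_CHECK so the open is actually access-checked against the impersonated token (kernel-mode opens are otherwise not checked), and PsRevertToSelf plus SeDeleteClientSecurity on every path, including the failure path, so the calling thread is never left running with the requestor's token. The function name OpenAuxiliaryFileAsRequestor and its FullPath parameter are hypothetical; it assumes a WDK build environment (fltKernel.h) and is called from a pre-create callback at PASSIVE_LEVEL.

```c
// Added example (editor's, not the original poster's code). Assumes the WDK
// headers; OpenAuxiliaryFileAsRequestor and FullPath are hypothetical names.
#include <fltKernel.h>

static NTSTATUS
OpenAuxiliaryFileAsRequestor(
    _In_  PFLT_FILTER        Filter,
    _In_  PFLT_CALLBACK_DATA Data,      // the pre-create callback data
    _In_  PUNICODE_STRING    FullPath,  // e.g. \Device\LanmanRedirector\<srv>\<share>\dir\f2.txt
    _Out_ PHANDLE            FileHandle)
{
    NTSTATUS                    status;
    OBJECT_ATTRIBUTES           oa;
    IO_STATUS_BLOCK             iosb;
    SECURITY_QUALITY_OF_SERVICE qos;
    SECURITY_CLIENT_CONTEXT     clientContext;

    *FileHandle = NULL;

    // FltCreateFile and the Se* routines below require PASSIVE_LEVEL.
    if (KeGetCurrentIrql() != PASSIVE_LEVEL) {
        return STATUS_INVALID_DEVICE_STATE;
    }

    // Capture the token of the thread that issued the original create.
    // EffectiveOnly = FALSE keeps the requestor's groups/privileges as they are.
    qos.Length              = sizeof(qos);
    qos.ImpersonationLevel  = SecurityImpersonation;
    qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
    qos.EffectiveOnly       = FALSE;

    status = SeCreateClientSecurity(Data->Thread, &qos, FALSE, &clientContext);
    if (!NT_SUCCESS(status)) {
        return status;                        // nothing captured, nothing to release
    }

    // Run the current thread under the requestor's token for the duration of the open.
    status = SeImpersonateClientEx(&clientContext, NULL);
    if (!NT_SUCCESS(status)) {
        SeDeleteClientSecurity(&clientContext);
        return status;
    }

    InitializeObjectAttributes(&oa, FullPath,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                               NULL, NULL);

    // IO_FORCE_ACCESS_CHECK: evaluate the open against the current (impersonated)
    // token even though the caller is kernel mode. Same disposition/sharing as
    // the poster's call, issued on the instance the original create targets.
    status = FltCreateFile(Filter,
                           Data->Iopb->TargetInstance,
                           FileHandle,
                           FILE_READ_DATA | SYNCHRONIZE,
                           &oa,
                           &iosb,
                           NULL,                          // no allocation size
                           FILE_ATTRIBUTE_NORMAL,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           FILE_OPEN_IF,
                           FILE_SYNCHRONOUS_IO_NONALERT,
                           NULL,                          // no EA buffer
                           0,
                           IO_FORCE_ACCESS_CHECK);

    // Always revert and release, whatever FltCreateFile returned. A thread left
    // impersonating the requestor after the call is a privilege leak in its own right.
    PsRevertToSelf();
    SeDeleteClientSecurity(&clientContext);

    if (!NT_SUCCESS(status)) {
        *FileHandle = NULL;                   // iosb.Status carries the detail if needed
    }
    return status;
}
```

The handle returned is a kernel handle and must be closed with FltClose when the filter is done with it. If the open still fails with STATUS_LOGON_FAILURE under this bracket, the failure is not in the impersonation sequence itself, which narrows the search to the redirector's handling of the token in that context.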