Hi,
With reference to mail thread *“Impersonate User In Kernel Mode”*,
http://www.osronline.com/showThread.cfm?link=45076
I want to know if it is possible to impersonate a user from volume filter
driver. Solution mentioned in the above link uses
SeCreateClientSecurity, SeImpersonateClient,
PsRevertToSelf, SeDeleteClientSecurity, ZwQueryInformationToken, and talks
about impersonation at File-System filter driver level that uses “ntifs.h”.
Basically I have a CIFS file-system mapped to Z:. This is mapped using guest
access and needs no user-login/password. I want to access files on Z: from
my volume filter driver. Here, ZwOpenFile is failing with error “-1073741766
(ERROR_PATH_NOT_FOUND)”.
Any suggestion?
Pointer to code will be helpful.
Thanks,
Sunil
> I want to know if it is possible to impersonate a user from volume filter
> driver.
Sure. Impersonation is just a way to get a thread running under the correct
security context before issuing a create; it doesn’t really matter what the
function is of your driver outside of that. You have two issues with
impersonation:
1. You need to find someone to impersonate that has access to the resource
   that you want.
2. You have to make sure you’re running at PASSIVE_LEVEL.
#1 is usually the tricky part. Typically drivers will create a user mode
service that runs with the credentials necessary to access the resource and
then have it send a request to the driver so that the driver can capture the
security context. An alternative solution is to create a system thread that
runs in the context of that user process (see PsCreateSystemThread).
I don’t know of any examples, though it comes up on NTFSD often enough that
I’m guessing you’ll find something by searching the archives.
-scott
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
“Sunil Patil” wrote in message news:xxxxx@ntdev…