Using ObGetObjectSecurity()....

Folks,

I have an ‘issue’ trying to use ObGetObjectSecurity(); maybe someone
here can point me in the right direction.

I have been given the task to fix a problem with a filter driver that
sits above NTFS. This filter driver intercepts IRP_MJ_CREATE calls to
perform some additional checks which are performed by a user-mode
process utilizing an IOCTL request/response mechanism (which seems to
work fine).

If the user-mode process returns with an ‘OK’ status, the filter driver
then allocates an IRP and calls the underlying driver to see if the
CREATE may proceed. The ‘problem’ is that if an ACL has been applied to
the file which is defined to prevent the user access, user access is
still allowed (as indicated by the return status from the
filter-driver-created I/O request).

From what I can tell, the IRP that was created by the driver is calling
down with ‘RequestorMode’ set to zero (0 or KernelMode), and my guess is
that this is what is causing the bypass of any security checks. Based on
that assumption, at the beginning of handling the CREATE code, I grabbed
the file object pointer in the following manner within the filter’s
IRP_MJ_CREATE code:

PIO_STACK_LOCATION piosl;
PFILE_OBJECT pfo;

piosl = IoGetCurrentIrpStackLocation(pirp); // pirp passed in to the dispatch routine
pfo = piosl->FileObject;                    // file object for this CREATE

I use ‘pfo’ (FILE_OBJECT pointer) as the first parameter to
ObGetObjectSecurity() in the following manner:

NTSTATUS ntstatus;
BOOLEAN sd_allocated, access_allowed;
PSECURITY_DESCRIPTOR sdp;

ntstatus = ObGetObjectSecurity(pfo, &sdp, &sd_allocated);
if (NT_SUCCESS(ntstatus)) {
    /* examine sdp here and set access_allowed */
    ObReleaseObjectSecurity(sdp, sd_allocated); // must be paired with ObGetObjectSecurity
}

Normally this seems to work fine, but if the file in question has an
ACL associated with it, ObGetObjectSecurity() returns 0xc000000d
(STATUS_INVALID_PARAMETER). My guess is that there is something about
the file object that isn’t quite right; any thoughts on what may be
wrong?

Thanks in advance…