none
ObGetObjectSecurity issue. RRS feed

  • Question

  • Im trying to get the security descriptor for a process in a driver. I use ZwOpenProcess with PROCESS_ALL_ACCESS to get a handle and then use ObReferenceObjectByHandle;

    mystatus = ObReferenceObjectByHandle(OpenProcessByID(processID),STANDARD_RIGHTS_ALL,*PsProcessType,KernelMode,&myhandle,NULL);

    I then use ObGetObjectSecurity using "myhandle" but i get a bugcheck 3b(system service exception).

    I could not find any code examples on how to use this API. Am i using it incorrectly or can i not get the security descriptor for a process using this method ?

    THanks

    Monday, October 1, 2012 5:20 PM

Answers

  • Have you tried ZwQuerySecurityObject?  I've done this in the kernel before for customers.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    • Marked as answer by R__K Friday, October 5, 2012 3:15 PM
    Thursday, October 4, 2012 3:05 PM

All replies

  • First are you sucessfully getting the process with ZwOpenProcess and ObReferenceObjectByHandle?  This stuff all works and the most likely reason you are bug checking is that the myhandle (terrible name by the way since this is an object pointer not a handle), is invalid.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Monday, October 1, 2012 5:30 PM
  • thanks Don.(sorry for the terrible names!). I am checking the status of both ZwOpenProcess and ObReferenceObjectByHandle. Both return STATUS_SUCCESS. IRQL is fine too(PASSIVE_LEVEL). 

    Anyway here is what im trying to do: i am using this article(http://www.osronline.com/article.cfm?article=100) as reference and trying to do something similar except that i do not want to pass the security descriptor down through an IOCTL and instead open it in the driver and then use SeAccessCheck to perform some access checks. 


    • Edited by R__K Monday, October 1, 2012 5:50 PM
    Monday, October 1, 2012 5:47 PM
  • you probably want to pass UserMode, not KernelMode

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, October 1, 2012 6:02 PM
  • Thanks Doron. I tried UserMode for ObReferenceObjectByHandle and it fails with Invalid handle. Before calling ZwOpenProcess, i use InitializeObjectAttributes with OBJ_KERNEL_HANDLE. Does that have anything to do with this ? If i remove it, windows crashes with bugcheck C4(driver verifier??).
    Monday, October 1, 2012 6:18 PM
  • Can you show us the exact code here?  This sounds like something overlooked.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Monday, October 1, 2012 6:20 PM
  • Here is the exact code:

    PSECURITY_DESCRIPTOR *SecurityDescriptor = NULL;

    OBJECT_ATTRIBUTES ObjectAttributes;

    BOOLEAN MemoryAllocated;

    HANDLE myhandle,hProcess;

    InitializeObjectAttributes(&ObjectAttributes,NULL,OBJ_CASE_INSENSITIVE,(HANDLE) NULL,(PSECURITY_DESCRIPTOR) NULL);

    clientId.UniqueProcess = (HANDLE)processID;

    clientId.UniqueThread = NULL;

    ntStatus = ZwOpenProcess( &hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &clientId );

    if(ntStatus != STATUS_SUCCESS)
     {
      TraceMessage(TRACE_LEVEL_CRITICAL, DBG_CREATE_CLOSE,
                       "ZwOpenProcess failed with status0x%x\n",ntStatus );
      goto end;
     }

    ntStatus = ObReferenceObjectByHandle(hProcess,STANDARD_RIGHTS_READ,*PsProcessType,UserMode,&myhandle,NULL);

    if(ntStatus != STATUS_SUCCESS)
     {
      TraceMessage(TRACE_LEVEL_CRITICAL, DBG_CREATE_CLOSE,
                       "ObReferenceObjectByHandle failed with status0x%x\n",ntStatus );
      goto end;
     }

    ntStatus = ObGetObjectSecurity(&myhandle,SecurityDescriptor,&MemoryAllocated);

    Thanks

    Monday, October 1, 2012 6:44 PM
  • Thanks Pavel. Tried that. I am still getting the exception...Is there some sample code using this api that somebody can point me to ? 
    • Edited by R__K Monday, October 1, 2012 7:11 PM
    Monday, October 1, 2012 7:11 PM
  • Bump! Anybody?!
    Monday, October 1, 2012 8:20 PM
  • Try rolling back to KERNEL_MODE for both the InitializeObjectAttributes and the ObReferenceObjectByHandle.  Checking my old notes, I never had sucess with these as USER_MODE.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, October 2, 2012 12:46 PM
  • Rolled back. Still get an exception. Any pointers to example usage ? Ive not been able to find any using google,stackoverflow etc. Or is there any other way to get a process's security descriptor without passing it down via IOCTL?
    • Edited by R__K Tuesday, October 2, 2012 2:05 PM
    Tuesday, October 2, 2012 1:51 PM
  • bump!? anybody figure out how to use this API yet ? 
    Thursday, October 4, 2012 3:00 PM
  • Have you tried ZwQuerySecurityObject?  I've done this in the kernel before for customers.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    • Marked as answer by R__K Friday, October 5, 2012 3:15 PM
    Thursday, October 4, 2012 3:05 PM
  • thanks Donald. that works.
    Friday, October 5, 2012 3:15 PM