Lowering resource integrity level

  • Question

  • Hi, I'm working on a Single Sign On app, and I need to communicate between a BHO and its controller app. I'm using a memory mapped file for that.

    If the BHO is the one that creates the mapped file, everything works fine (the mapped file is LI).

    If the controller app creates the mapped file, the BHO fails to open the mapped file (the mapped file is MI).

    So I decided to lower the mapped file's integrity using the code provided by MS in the paper "Understanding and Working in Protected Mode Internet Explorer".

    But that code doesn't work, I have seen in this forum that a lot of people are having problems with that code, and I can't find any documentation about this on MSDN.

    In summary: how can I lower a resource's integrity level?

    Can someone help me or give me a hint?

    Here is the code I'm using to create the mapped file and lower its integrity level:

    Notice that I replaced the values SDDL_REVISION_1 with 1 and LABEL_SECURITY_INFORMATION with 0x00000010L because I can't find where they are defined.

    Thanks in advance


    Code Snippet

    #include <windows.h>
    #include <sddl.h>    // ConvertStringSecurityDescriptorToSecurityDescriptor
    #include <aclapi.h>  // SetSecurityInfo, SE_OBJECT_TYPE

    HANDLE m_hMapVars = CreateFileMappingA(INVALID_HANDLE_VALUE,
        NULL, //&sa,
        PAGE_READWRITE,
        0,
        1024,
        "F31B3896-3455-4d0d-1234-2389346239874");

    // Build the security descriptor: a SACL holding one mandatory label ACE (Low, no-write-up)

    #define LOW_INTEGRITY_SDDL_SACL "S:(ML;;NW;;;LW)"
    PSECURITY_DESCRIPTOR pSd = NULL;
    PACL pSacl = NULL;
    BOOL fSaclPresent = FALSE;
    BOOL fSaclDefaulted = FALSE;

    // 1 stands in for SDDL_REVISION_1, 0x00000010L for LABEL_SECURITY_INFORMATION
    if (ConvertStringSecurityDescriptorToSecurityDescriptorA(LOW_INTEGRITY_SDDL_SACL, 1, &pSd, NULL)) {

        if (GetSecurityDescriptorSacl(pSd, &fSaclPresent, &pSacl, &fSaclDefaulted)) {

            // SE_FILE_OBJECT is the object type used in this post (see the accepted answer)
            if (ERROR_SUCCESS != SetSecurityInfo(m_hMapVars, SE_FILE_OBJECT, 0x00000010L, NULL, NULL, NULL, pSacl))
                MessageBoxA(NULL, "SetSecurityInfo failed", NULL, MB_OK);
        }

        LocalFree(pSd);  // the converted descriptor is allocated with LocalAlloc
    }

    Tuesday, April 10, 2007 7:33 PM

Answers

  • SDDL_REVISION_1 is defined in sddl.h

    LABEL_SECURITY_INFORMATION is defined in winnt.h

     

    Is it possible that your project's settings didn't include the SDK include path?

     

    Specifying the security descriptor at object creation time is always easier.

    In case you still need to reACL the object later, I believe that the issue was that an incorrect SE_OBJECT_TYPE was specified.

    SE_KERNEL_OBJECT should probably have been used in this case.

    Thursday, May 24, 2007 1:56 AM
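  An added example, written for this page and not code from the thread or from Microsoft's paper, that puts both routes from the answer above in one place: the Low integrity label carried in the security descriptor when the mapping is created, and the same label applied afterwards with SetSecurityInfo on the existing handle using SE_KERNEL_OBJECT and LABEL_SECURITY_INFORMATION from winnt.h. The mapping name Local\ExampleSsoChannel, the helper and function names and the policy enum are assumptions of the example. The SDDL builder is plain C so the label string can be checked on any platform; the Win32 part compiles only on Windows.

```c
/* Added example, not code from the thread. Labels a named file mapping Low
 * integrity so a Protected Mode IE (Low IL) BHO can open a mapping created
 * by a Medium IL controller. Route 1: label in SECURITY_ATTRIBUTES at creation.
 * Route 2: SetSecurityInfo() on the handle with SE_KERNEL_OBJECT. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>    /* SDDL_REVISION_1, ConvertStringSecurityDescriptorToSecurityDescriptorA */
#include <aclapi.h>  /* SetSecurityInfo, SE_KERNEL_OBJECT */
#ifdef _MSC_VER
#pragma comment(lib, "advapi32.lib")
#endif
#endif

/* Mandatory label policy bits, mapped to their SDDL tokens below (assumed names). */
enum { ML_NO_WRITE_UP = 1, ML_NO_READ_UP = 2, ML_NO_EXECUTE_UP = 4 };

/* Build a SACL-only SDDL string with one mandatory label ACE,
 * S:(ML;;<policy>;;;<level>), level being LW, ME or HI (the integrity SIDs
 * S-1-16-4096 / 8192 / 12288). Returns 0 on success, -1 on a bad level,
 * an empty policy, or a buffer too small for the string. */
int build_label_sddl(const char *level, unsigned policy, char *out, size_t cap)
{
    char pol[16] = "";
    if (strcmp(level, "LW") && strcmp(level, "ME") && strcmp(level, "HI")) return -1;
    if (policy == 0 || policy > 7) return -1;
    if (policy & ML_NO_WRITE_UP)   strcat(pol, "NW");
    if (policy & ML_NO_READ_UP)    strcat(pol, "NR");
    if (policy & ML_NO_EXECUTE_UP) strcat(pol, "NX");
    return snprintf(out, cap, "S:(ML;;%s;;;%s)", pol, level) < (int)cap ? 0 : -1;
}

/* Self-check helper: does the generated label string equal `expected`? */
int label_sddl_equals(const char *level, unsigned policy, const char *expected)
{
    char buf[32];
    return build_label_sddl(level, policy, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

#ifdef _WIN32
/* Route 1: the label travels in the security descriptor at creation time.
 * No DACL is given, so the object receives the creator's default DACL. */
HANDLE create_low_il_mapping(const char *name, DWORD size)
{
    char sddl[32];
    PSECURITY_DESCRIPTOR sd = NULL;
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h;
    if (build_label_sddl("LW", ML_NO_WRITE_UP, sddl, sizeof sddl) != 0) return NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl, SDDL_REVISION_1, &sd, NULL))
        return NULL;
    sa.lpSecurityDescriptor = sd;
    h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, size, name);
    LocalFree(sd); /* the kernel keeps its own copy of the descriptor */
    return h;
}

/* Route 2: relabel an existing mapping. A section is a kernel object, so the
 * type is SE_KERNEL_OBJECT, not SE_FILE_OBJECT. The handle needs WRITE_OWNER,
 * which the creator's FILE_MAP_ALL_ACCESS handle includes. */
DWORD set_low_il_label(HANDLE h)
{
    char sddl[32];
    PSECURITY_DESCRIPTOR sd = NULL;
    PACL sacl = NULL;
    BOOL present = FALSE, defaulted = FALSE;
    DWORD rc;
    if (build_label_sddl("LW", ML_NO_WRITE_UP, sddl, sizeof sddl) != 0) return ERROR_INVALID_PARAMETER;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl, SDDL_REVISION_1, &sd, NULL))
        return GetLastError();
    if (!GetSecurityDescriptorSacl(sd, &present, &sacl, &defaulted) || !present) {
        LocalFree(sd);
        return ERROR_INVALID_SECURITY_DESCR;
    }
    rc = SetSecurityInfo(h, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, sacl);
    LocalFree(sd);
    return rc;
}

int main(void)
{
    /* Constructed name; "Local\" keeps it in the caller's session namespace. */
    HANDLE h = create_low_il_mapping("Local\\ExampleSsoChannel", 4096);
    DWORD rc;
    if (h == NULL) { fprintf(stderr, "CreateFileMapping: %lu\n", GetLastError()); return 1; }
    rc = set_low_il_label(h); /* redundant after route 1; exercises route 2 */
    printf("SetSecurityInfo(SE_KERNEL_OBJECT) -> %lu\n", rc);
    CloseHandle(h);
    return rc == ERROR_SUCCESS ? 0 : 1;
}
#else
int main(void) { char s[32]; if (build_label_sddl("LW", ML_NO_WRITE_UP, s, sizeof s) == 0) puts(s); return 0; }
#endif
```

  Two checks worth keeping in mind when this still fails: the label only settles the integrity check, so the object's DACL (the creator's default DACL when none is supplied) must still grant the Low IL process the access it requests in OpenFileMapping; and lowering a label needs only WRITE_OWNER on the handle, whereas raising one above the caller's own level requires SeRelabelPrivilege.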

All replies

  • Please anyone?
    I can't fix this
    Friday, April 27, 2007 12:50 PM
  • I'm seeing lots of products that suggest turning off protected mode in order to allow their BHOs to work, and I'm talking about Single Sign On products from recognized companies.
    Check the eToken Web Sign On manual from Aladdin soft, and you'll see it.

    Come on MS people, that's what you want?
    Friday, April 27, 2007 3:10 PM
  • If the mapped memory is page based, you should probably create it with the appropriate tokens when you create it. Something like this worked for me:

     

    Code Snippet

    // Assumed context: a class with members m_file_mapping_handle, m_start_address,
    // m_status_code and m_memory_name, plus a SEGMENT_SIZE constant (not shown in the post)
    BOOL retval = FALSE;
    PSECURITY_DESCRIPTOR sd = NULL;
    ULONG sdsz = 0;
    // SACL with one mandatory label ACE: Low integrity, no-write-up
    BOOL retcode = ConvertStringSecurityDescriptorToSecurityDescriptorA("S:(ML;;NW;;;LW)", SDDL_REVISION_1, &sd, &sdsz);
    SECURITY_ATTRIBUTES sa = { sizeof sa, sd, FALSE };
    SECURITY_ATTRIBUTES* sattr = &sa;

    if (retcode == 0) {
        fprintf(stderr, "ConvertStringSecurityDescriptorToSecurityDescriptor FAILED, GLE() = %d\n", GetLastError());
        goto exit;
    }

    m_file_mapping_handle =
        CreateFileMappingA(INVALID_HANDLE_VALUE, sattr, PAGE_READWRITE, 0, SEGMENT_SIZE, m_memory_name);

    m_status_code = GetLastError();   // ERROR_ALREADY_EXISTS if the other side created it first

    if (m_file_mapping_handle == NULL) { goto exit; }

    m_start_address =
        (char*) MapViewOfFile(m_file_mapping_handle, FILE_MAP_ALL_ACCESS, 0, 0, 0);

    if (m_start_address == NULL) { goto exit; }

    retval = TRUE;

exit:
    if (sd != NULL) { LocalFree(sd); }   // the kernel copied the descriptor at creation

     

     

    Friday, April 27, 2007 6:20 PM
  • Thanks a lot :)
    I'll check if that solves my problem
    Friday, April 27, 2007 6:31 PM
  • Thanks a lot Eric
    Michael Dunn from thecodeproject told me to use SE_KERNEL_OBJECT instead of SE_FILE_OBJECT, and that solved the problem a few weeks ago.
    Thursday, May 24, 2007 12:19 PM