Decode enumerated FWPM_CONDITION_ALE_USER_ID, invalid security descriptors?

  • Question

  • I'm currently trying to enumerate all filters and conditions and whatnot. It worked pretty fine so far, but now I'm trying to decode a FWP_SECURITY_DESCRIPTOR_TYPE value. Programming language is C++/CLI, running in user mode.

    c is of type FWPM_FILTER_CONDITION.

    This is how it looks so far, after checking that c->fieldKey == FWPM_CONDITION_ALE_USER_ID:

    // conditionValue.sd is an FWP_BYTE_BLOB; its data is a self-relative security descriptor,
    // which the Win32 getters accept through the opaque PSECURITY_DESCRIPTOR type
    PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR) c->conditionValue.sd->data;
    
    if (IsValidSecurityDescriptor(sd) == FALSE)
    {
      this->ValidSecurityDescriptor = false;
      return;
    }
    
    // GetSecurityDescriptorControl writes through its second argument, so it needs the
    // address of a SECURITY_DESCRIPTOR_CONTROL variable; handing it a NULL
    // PSECURITY_DESCRIPTOR_CONTROL is what produces the access violation described below
    SECURITY_DESCRIPTOR_CONTROL control = 0;
    DWORD revision = 0;
    
    if (GetSecurityDescriptorControl(sd, &control, &revision) == FALSE)
    {
      throw gcnew Win32Exception();
    }
    
    SecurityDescriptorControlFlags flags = (SecurityDescriptorControlFlags)control;
    
    BOOL ownerDefaulted = FALSE;
    BOOL groupDefaulted = FALSE;
    PSID userSid = NULL;   // stays NULL (call still succeeds) if the descriptor has no owner
    PSID groupSid = NULL;  // stays NULL (call still succeeds) if the descriptor has no group
    
    if (GetSecurityDescriptorOwner(sd, &userSid, &ownerDefaulted) == FALSE)
    {
      throw gcnew Win32Exception();
    }
    
    if (GetSecurityDescriptorGroup(sd, &groupSid, &groupDefaulted) == FALSE)
    {
      throw gcnew Win32Exception();
    }

    This will always crash at the GetSecurityDescriptorControl call (access violation), which I inserted just to see if it works. It doesn't.

    If I remove the GetSecurityDescriptorControl call and surroundings, the code will run all the way to the very end, with the debugger showing both userSid and groupSid to be "<undefined value>". No method ever complains or indicates an error.

    I've poked this mess for well over an hour and am out of ideas. I assume the problem is ridiculously simple, as always.

    And, before you ask: No, I have no idea how FWPM_CONDITION_ALE_USER_ID is supposed to work. I was sort of trying to reverse engineer it.

    Friday, November 15, 2013 1:37 AM

All replies

  • When I run the program under Windows 8.1, everything is fine. The behavior above was observed on Windows 7.
    Saturday, November 16, 2013 2:50 PM
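
What an ALE_USER_ID condition actually carries, as an added example that is not part of the thread above: `conditionValue.sd` is an `FWP_BYTE_BLOB` (`size` plus `data`), and `data` is a self-relative `SECURITY_DESCRIPTOR`, i.e. a 20-byte header whose owner, group, SACL and DACL fields are byte offsets into the same buffer rather than pointers. fwptypes.h defines `FWP_ACTRL_MATCH_FILTER` (0x1) as the access right such descriptors grant; a token that the DACL grants that right to matches the condition, so most of these descriptors have no owner or group at all, and `GetSecurityDescriptorOwner`/`GetSecurityDescriptorGroup` then succeed and hand back a NULL `PSID`. The poster's crash is a separate issue: `GetSecurityDescriptorControl` must receive the address of a `SECURITY_DESCRIPTOR_CONTROL` variable, not a NULL `PSECURITY_DESCRIPTOR_CONTROL`. The decoder below is my own code, written to run without windows.h so the layout can be studied (or a blob captured on a Windows box can be checked) on any host; `parse_self_relative_sd`, `sample_ale_user_id_blob`, the `Decoded*` structs and the renamed constants are names I chose, the sample blob is constructed here rather than captured from a real filter, and on Windows the same walk is done with `GetSecurityDescriptorDacl`, `GetAce` and `ConvertSidToStringSidW`. One check the Win32 path does not give you for free: `IsValidSecurityDescriptor` takes no buffer length, so compare `GetSecurityDescriptorLength(sd)` against `conditionValue.sd->size` before trusting a blob from an enumeration.

```cpp
// Added example, not code from the original post: a portable decoder for the self-relative
// SECURITY_DESCRIPTOR carried in a FWP_SECURITY_DESCRIPTOR_TYPE blob. Needs no windows.h.
#include <cstdint>
#include <initializer_list>
#include <stdexcept>
#include <string>
#include <vector>

// Documented winnt.h / fwptypes.h values, renamed so the file also builds next to windows.h.
constexpr uint16_t SE_DACL_PRESENT_FLAG   = 0x0004;      // SE_DACL_PRESENT
constexpr uint16_t SE_SELF_RELATIVE_FLAG  = 0x8000;      // SE_SELF_RELATIVE
constexpr uint8_t  ACE_ACCESS_ALLOWED     = 0x00;        // ACCESS_ALLOWED_ACE_TYPE
constexpr uint8_t  ACE_ACCESS_DENIED      = 0x01;        // ACCESS_DENIED_ACE_TYPE
constexpr uint32_t FWP_MATCH_FILTER_RIGHT = 0x00000001;  // FWP_ACTRL_MATCH_FILTER

struct DecodedAce { uint8_t type; uint8_t flags; uint32_t mask; std::string sid; };
struct DecodedSd {
    uint8_t revision; uint16_t control; bool hasOwner, hasGroup, hasDacl;
    std::vector<DecodedAce> dacl;   // empty when the DACL is absent (NULL DACL)
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    if (off + 2 > b.size()) throw std::out_of_range("SD blob truncated");
    return uint16_t(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    if (off + 4 > b.size()) throw std::out_of_range("SD blob truncated");
    return uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) | (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24);
}
// SID: Revision, SubAuthorityCount, IdentifierAuthority[6] (big-endian), SubAuthority[n] (little-endian).
static std::string read_sid(const std::vector<uint8_t>& b, size_t off, size_t limit) {
    if (off + 8 > limit) throw std::out_of_range("SID truncated");
    uint8_t rev = b[off], n = b[off + 1];
    if (rev != 1 || n > 15 || off + 8 + 4 * n > limit) throw std::runtime_error("bad SID");
    uint64_t auth = 0;
    for (int i = 0; i < 6; ++i) auth = (auth << 8) | b[off + 2 + i];
    std::string s = "S-1-" + std::to_string(auth);
    for (uint8_t i = 0; i < n; ++i) s += "-" + std::to_string(rd32(b, off + 8 + 4 * i));
    return s;
}

// SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, then Owner/Group/Sacl/Dacl as byte
// offsets from the descriptor start (0 = absent). The Win32 getters resolve these offsets.
DecodedSd parse_self_relative_sd(const std::vector<uint8_t>& b) {
    DecodedSd sd{};
    if (b.size() < 20) throw std::runtime_error("blob shorter than the 20-byte header");
    sd.revision = b[0]; sd.control = rd16(b, 2);
    if (sd.revision != 1 || !(sd.control & SE_SELF_RELATIVE_FLAG))
        throw std::runtime_error("not a revision-1 self-relative security descriptor");
    sd.hasOwner = rd32(b, 4) != 0; sd.hasGroup = rd32(b, 8) != 0;
    uint32_t daclOff = rd32(b, 16);
    sd.hasDacl = (sd.control & SE_DACL_PRESENT_FLAG) && daclOff != 0;
    if (!sd.hasDacl) return sd;
    // ACL header (8 bytes): AclRevision, Sbz1, AclSize, AceCount, Sbz2; ACEs follow back to back.
    uint16_t aclSize = rd16(b, daclOff + 2), aceCount = rd16(b, daclOff + 4);
    size_t aclEnd = size_t(daclOff) + aclSize;
    if (aclEnd > b.size()) throw std::runtime_error("ACL extends past the blob");
    size_t off = size_t(daclOff) + 8;
    for (uint16_t i = 0; i < aceCount; ++i) {
        // ACE_HEADER: AceType, AceFlags, AceSize. Allow/deny ACEs carry Mask + SID after the
        // header; any other ACE type is reported by type only and skipped by its size.
        uint16_t aceSize = rd16(b, off + 2);
        if (aceSize < 16 || off + aceSize > aclEnd) throw std::runtime_error("bad ACE size");
        DecodedAce ace{ b[off], b[off + 1], 0, "" };
        if (ace.type == ACE_ACCESS_ALLOWED || ace.type == ACE_ACCESS_DENIED) {
            ace.mask = rd32(b, off + 4);
            ace.sid  = read_sid(b, off + 8, off + aceSize);
        }
        sd.dacl.push_back(ace);
        off += aceSize;
    }
    return sd;
}

// ---- Constructed sample input (assembled here, not captured from a real filter) ----
static void put16(std::vector<uint8_t>& v, uint16_t x) { v.push_back(x & 0xff); v.push_back(x >> 8); }
static void put32(std::vector<uint8_t>& v, uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back((x >> (8 * i)) & 0xff); }
static void append_ace(std::vector<uint8_t>& v, uint8_t type, uint32_t mask,
                       uint8_t authority, std::initializer_list<uint32_t> subs) {
    v.push_back(type); v.push_back(0); put16(v, uint16_t(16 + 4 * subs.size()));  // ACE_HEADER
    put32(v, mask);
    v.push_back(1); v.push_back(uint8_t(subs.size()));   // SID revision, sub-authority count
    for (int i = 0; i < 5; ++i) v.push_back(0);
    v.push_back(authority);                              // 5 = NT authority, 1 = World authority
    for (uint32_t s : subs) put32(v, s);
}
// The blob an ALE_USER_ID condition would carry for "deny Guests, allow Everyone": no owner,
// group or SACL; a DACL with a deny ACE for S-1-5-32-546 ahead of an allow ACE for S-1-1-0.
std::vector<uint8_t> sample_ale_user_id_blob() {
    std::vector<uint8_t> dacl;
    append_ace(dacl, ACE_ACCESS_DENIED,  FWP_MATCH_FILTER_RIGHT, 5, {32, 546});
    append_ace(dacl, ACE_ACCESS_ALLOWED, FWP_MATCH_FILTER_RIGHT, 1, {0});
    std::vector<uint8_t> sd = {1, 0};                           // Revision, Sbz1
    put16(sd, SE_SELF_RELATIVE_FLAG | SE_DACL_PRESENT_FLAG);    // Control
    put32(sd, 0); put32(sd, 0); put32(sd, 0); put32(sd, 20);    // Owner, Group, Sacl absent; Dacl at +20
    sd.push_back(2); sd.push_back(0);                           // AclRevision (ACL_REVISION), Sbz1
    put16(sd, uint16_t(8 + dacl.size())); put16(sd, 2); put16(sd, 0);  // AclSize, AceCount, Sbz2
    sd.insert(sd.end(), dacl.begin(), dacl.end());
    return sd;
}
```

Calling `parse_self_relative_sd(sample_ale_user_id_blob())` yields a descriptor with no owner, no group and a two-entry DACL: a deny ACE for S-1-5-32-546 and an allow ACE for S-1-1-0, both with mask 0x1. To decode a real condition, copy `conditionValue.sd->size` bytes from `conditionValue.sd->data` into the vector; every offset and size in the blob is bounds-checked against that length, which is exactly the check a bare `SECURITY_DESCRIPTOR*` cast skips.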