Problem with OpenFileMappingA ERROR_ACCESS_DENIED RRS feed

  • Question

  • auto hMapFile = OpenFileMappingA(FILE_MAP_WRITE, FALSE, "Global\\SharedMem");

    This is what I am trying to do from my user-mode app. Of course, I am also creating a driver handle with CreateFileA, and that succeeds without any problem.

    Now, in my kernel driver, I am doing this:

       // Kernel-side fragment from the question: builds a security descriptor and
       // creates a named section. `status` and the enclosing function are not shown.
       CHAR sidBuffer[SECURITY_MAX_SID_SIZE];
        ULONG sidSize = 0;
        // NOTE(review): an ACL variable holds only the fixed ACL header. RtlCreateAcl
        // below is told the buffer is _ACLSize + 0x10 bytes and RtlAddAccessAllowedAce
        // then writes an ACE behind the header, i.e. past the end of this stack
        // variable. This is the stack corruption named in the thread's answer; the
        // ACL needs a buffer of the computed size.
        ACL daclSet;
        SECURITY_DESCRIPTOR SecDescriptor;
        HANDLE sectionHandle;
    // NOTE(review): SHARED_MEMORY is an integer constant, not a type; see its use with sizeof below.
    #define SHARED_MEMORY 0x100
     
     
        status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &sidBuffer, sizeof(sidBuffer), &sidSize); // Look up the built-in Administrators group SID into sidBuffer
        if (!NT_SUCCESS(status))
        {
            DbgPrintEx(0, 0, "SecLookupWellKnownSid failed: line #554\n");
            SECO_DPRINT("NTSTATUS %d\n", status);
            return status;
        }
        ULONG _sidSize = RtlLengthSid(&sidBuffer); // Length of the SID that goes into the ACE
        ACCESS_ALLOWED_ACE _testing; // Never filled in; exists only so sizeof can be applied to its SidStart member
        ULONG _sidstartSize = sizeof(_testing.SidStart); // Size of the SidStart placeholder inside ACCESS_ALLOWED_ACE
        ULONG _ACLSize = sizeof(ACCESS_ALLOWED_ACE) - _sidstartSize + _sidSize; // Size of ONE access-allowed ACE carrying this SID; the ACL header is not included
        // The extra 0x10 presumably leaves room for the ACL header. The length passed
        // here is larger than the daclSet object itself (see the note on its declaration).
        status = RtlCreateAcl(&daclSet, _ACLSize + 0x10, ACL_REVISION); // Initialize the ACL with the claimed length
        if (!NT_SUCCESS(status))
        {
            DbgPrintEx(0, 0, "RtlCreateAcl failed: line #564\n");
            SECO_DPRINT("NTSTATUS %d\n", status);
            return status;
        }
        // NOTE(review): FILE_ALL_ACCESS is the file-object access mask. The object
        // being secured is a section, so the SECTION_* rights (for example
        // SECTION_MAP_READ | SECTION_MAP_WRITE) state the intended grant without
        // carrying unrelated bits — verify which rights user mode really needs.
        status = RtlAddAccessAllowedAce(&daclSet, ACL_REVISION, FILE_ALL_ACCESS, &sidBuffer); // Append an allow ACE for the Administrators SID
        if (!NT_SUCCESS(status))
        {
            DbgPrintEx(0, 0, "RtlAddAccessAllowedAce failed: line #570\n");
            SECO_DPRINT("NTSTATUS %d\n", status);
            return status;
        }
        status = RtlCreateSecurityDescriptor(&SecDescriptor, SECURITY_DESCRIPTOR_REVISION); // Initialize an empty absolute-format security descriptor
        if (!NT_SUCCESS(status))
        {
            DbgPrintEx(0, 0, "RtlCreateSecurityDescriptor failed: line #576\n");
            SECO_DPRINT("NTSTATUS %d\n", status);
            return status;
        }
        // NOTE(review): the second argument (DaclPresent) is FALSE. As documented for
        // this routine, that marks the descriptor as having no DACL and the &daclSet
        // argument is ignored, so the ACE built above would never be applied and the
        // section would pick up a default DACL instead. That would be consistent with
        // the WinObj output reported later in the thread — confirm. The later attempt
        // in this thread passes TRUE for DaclPresent and FALSE for DaclDefaulted.
        status = RtlSetDaclSecurityDescriptor(&SecDescriptor, FALSE, &daclSet, TRUE); // Intended to attach the DACL to the descriptor
        if (!NT_SUCCESS(status))
        {
            DbgPrintEx(0, 0, "RtlSetDaclSecurityDescriptor failed: line #582\n");
            SECO_DPRINT("NTSTATUS %d\n", status);
            return status;
        }
        OBJECT_ATTRIBUTES objAttr; // Object attributes for the section
        // NOTE(review): this name differs from the "Global\\SharedMem" that the
        // user-mode OpenFileMappingA call in the question opens; both sides must use
        // the same object name.
        WCHAR stringBuf[] = L"\\BaseNamedObjects\\Global\\SharedSectionKernel"; // Object-manager path of the shared section
        UNICODE_STRING sectionName; // Counted string wrapping stringBuf
        RtlInitUnicodeString(&sectionName, stringBuf); // Point sectionName at stringBuf
        // NOTE(review): only OBJ_CASE_INSENSITIVE is set. Without OBJ_KERNEL_HANDLE the
        // handle returned by ZwCreateSection belongs to the handle table of whatever
        // process this code runs in — confirm the calling context.
        InitializeObjectAttributes(&objAttr, &sectionName, OBJ_CASE_INSENSITIVE, NULL, &SecDescriptor); // Bind the name and the security descriptor
        LARGE_INTEGER maxSize; // Maximum size of the section
        // NOTE(review): SHARED_MEMORY expands to the constant 0x100, so this is sizeof
        // applied to an integer constant (the size of its integer type), not 0x100 bytes.
        maxSize.QuadPart = sizeof(SHARED_MEMORY);
        // NOTE(review): unconditional breakpoint left in from debugging; remove it
        // before the driver runs on a machine without a kernel debugger attached.
        DbgBreakPoint();
        status = ZwCreateSection(&sectionHandle, SECTION_ALL_ACCESS, &objAttr, &maxSize, PAGE_READWRITE, SEC_COMMIT, NULL); // Create the named, committed, read/write section
        if (!NT_SUCCESS(status))
        {
            DbgPrintEx(0, 0, "ZwCreateSection failed: line #595\n");
            SECO_DPRINT("NTSTATUS %d\n", status);
            return status;
        }

    I have also tried changing

    WinBuiltinAdministratorsSid to WinBuiltinUsersSid, but it also fails.

    I also tried disabling the protection entirely by passing NULL for the DACL parameter, but it still fails. I can't find a solution

    for it.

    Friday, March 8, 2019 5:15 PM

Answers

  • A security descriptor is a tree of variable-length structures, and you're trying to statically allocate it (and you're corrupting the stack). Rather than explain each part, I found an example that should help you here

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Saturday, March 9, 2019 12:44 AM
    Moderator

All replies

  • You are opening SharedMem but where are you creating this?  


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Friday, March 8, 2019 6:20 PM
  • You are opening SharedMem but where are you creating this?  


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    I forgot to say that I have changed the name to
    BaseNamedObjects\\Global\\SharedMem, but the name isn't the problem, because I can view the section with FILE_MAP_READ.
    The problem is with
    FILE_MAP_WRITE, where I get Access Denied.
    • Edited by Frankooo Friday, March 8, 2019 6:52 PM
    Friday, March 8, 2019 6:52 PM
  • Use WinObj (from Sysinternals) to check the security descriptor on the section that you create

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, March 8, 2019 11:51 PM
    Moderator
  • Use WinObj (from Sysinternals) to check the security descriptor on the section that you create

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    So I opened my section in WinObj, and this is what I found:

    Administrator account : Query Data , Query State , Special permissions
    System : Delete , Query Data , Query State , modify State , Special permissions

    But how can I add read and write now? I thought I had granted every permission to that admin SID in the code, but it didn't work. Any hints or help? I would really appreciate it :)

    Saturday, March 9, 2019 12:09 AM
  • A security descriptor is a tree of variable-length structures, and you're trying to statically allocate it (and you're corrupting the stack). Rather than explain each part, I found an example that should help you here

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Saturday, March 9, 2019 12:44 AM
    Moderator
  • A security descriptor is a tree of variable-length structures, and you're trying to statically allocate it (and you're corrupting the stack). Rather than explain each part, I found an example that should help you 

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    i tried it but i got BSOD 
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    System_thread_exception_not_handled

    this is the code : 

    // Second attempt from the thread: allocates a DACL from pool, adds three allow
    // ACEs and attaches the DACL to SecDescriptor. Fragment only: SecDescriptor,
    // SharedSectionName and the enclosing function are not shown in the post.
    ULONG DaclLength;
    PACL Dacl;
    // NOTE(review): these three PSIDs are never assigned anywhere in this snippet,
    // so every RtlLengthSid / RtlAddAccessAllowedAce call below reads through an
    // indeterminate pointer (the 0xc0000005 bugcheck reported in the post). The
    // reply in the thread points to the SIDs exported through SeExports (ntifs.h).
    PSID SeLocalSystemSid;
    PSID SeAliasAdminsSid;
    PSID SeWorldSid;
    
    
    
    	NTSTATUS Status = STATUS_SUCCESS;
    	DbgPrintEx(0, 0, "CreateSharedMemory calling..\n");
    	
    	
    
    	// Initialize an empty absolute-format security descriptor.
    	Status = RtlCreateSecurityDescriptor(&SecDescriptor,SECURITY_DESCRIPTOR_REVISION);
    	if (!NT_SUCCESS(Status)) {
    		// NOTE(review): %p expects a pointer but Status is an NTSTATUS; an integer
    		// hex format matches the type. The same applies to every DbgPrintEx below.
    		DbgPrintEx(0, 0, "RtlCreateSecurityDescriptor failed : %p\n", Status);
    		return Status;
    	}
    	DbgPrintEx(0, 0, "RtlCreateSecurityDescriptor was successfully created : %p\n", Status);
    
    
    	
    
    	// ACL header plus three access-allowed ACEs plus the three SIDs they carry.
    	DaclLength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) * 3 + RtlLengthSid(SeLocalSystemSid) + RtlLengthSid(SeAliasAdminsSid) +
    		RtlLengthSid(SeWorldSid);
    
    	// The DACL lives in pool, sized from the computed length.
    	Dacl = ExAllocatePoolWithTag(PagedPool, DaclLength, 'lcaD');
    
    	if (Dacl == NULL) {
    		return STATUS_INSUFFICIENT_RESOURCES;
    		// NOTE(review): unreachable — the return above comes first, so this
    		// allocation failure is never logged.
    		DbgPrintEx(0, 0, "ExAllocatePoolWithTag  failed  : %p\n", Status);
    	}
    
    	DbgPrintEx(0, 0, "ExAllocatePoolWithTag  succeed  : %p\n", Status);
    
    	Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
    
    	if (!NT_SUCCESS(Status)) {
    		ExFreePool(Dacl);
    		DbgPrintEx(0, 0, "RtlCreateAcl  failed  : %p\n", Status);
    		return Status;
    	}
    
    	DbgPrintEx(0, 0, "RtlCreateAcl  succeed  : %p\n", Status);
    
    	// NOTE(review): if SeWorldSid is meant to be the World (Everyone) SID, this ACE
    	// lets any caller that can reach the object name open the section with the
    	// full mask, including write. Grant only the principals and rights the
    	// user-mode side needs — confirm the intended audience. FILE_ALL_ACCESS is
    	// also the file-object mask; SECTION_* rights describe a section.
    	Status = RtlAddAccessAllowedAce(Dacl,ACL_REVISION, FILE_ALL_ACCESS,SeWorldSid);
    
    	if (!NT_SUCCESS(Status)) {
    		ExFreePool(Dacl);
    		DbgPrintEx(0, 0, "RtlAddAccessAllowedAce SeWorldSid failed  : %p\n", Status);
    		return Status;
    	}
    	DbgPrintEx(0, 0, "RtlAddAccessAllowedAce SeWorldSid succeed  : %p\n", Status);
    
    	// Allow ACE for the Administrators alias SID.
    	Status = RtlAddAccessAllowedAce(Dacl,
    		ACL_REVISION,
    		FILE_ALL_ACCESS,
    		SeAliasAdminsSid);
    
    	if (!NT_SUCCESS(Status)) {
    		ExFreePool(Dacl);
    		DbgPrintEx(0, 0, "RtlAddAccessAllowedAce SeAliasAdminsSid failed  : %p\n", Status);
    		return Status;
    	}
    
    	DbgPrintEx(0, 0, "RtlAddAccessAllowedAce SeAliasAdminsSid succeed  : %p\n", Status);
    
    	// Allow ACE for the LocalSystem SID.
    	Status = RtlAddAccessAllowedAce(Dacl,
    		ACL_REVISION,
    		FILE_ALL_ACCESS,
    		SeLocalSystemSid);
    
    	if (!NT_SUCCESS(Status)) {
    		ExFreePool(Dacl);
    		DbgPrintEx(0, 0, "RtlAddAccessAllowedAce SeLocalSystemSid failed  : %p\n", Status);
    		return Status;
    	}
    
    	DbgPrintEx(0, 0, "RtlAddAccessAllowedAce SeLocalSystemSid succeed  : %p\n", Status);
    
    	// DaclPresent = TRUE, DaclDefaulted = FALSE: the descriptor now refers to Dacl
    	// by pointer, so Dacl must stay allocated for as long as SecDescriptor is used.
    	Status = RtlSetDaclSecurityDescriptor(&SecDescriptor,
    		TRUE,
    		Dacl,
    		FALSE);
    
    
    
    	if (!NT_SUCCESS(Status)) {
    		ExFreePool(Dacl);
    		DbgPrintEx(0, 0, "RtlSetDaclSecurityDescriptor failed  : %p\n", Status);
    		return Status;
    	}
    
    	DbgPrintEx(0, 0, "RtlSetDaclSecurityDescriptor  succeed  : %p\n", Status);
    
    	// NOTE(review): only OBJ_CASE_INSENSITIVE is set; without OBJ_KERNEL_HANDLE a
    	// handle created with these attributes belongs to the current process's
    	// handle table — confirm the calling context.
    	OBJECT_ATTRIBUTES objAttr; 
    	UNICODE_STRING sectionName; 
    	RtlInitUnicodeString(&sectionName, SharedSectionName);
    	InitializeObjectAttributes(&objAttr, &sectionName, OBJ_CASE_INSENSITIVE, NULL, &SecDescriptor);
    
    
    
    	// NOTE(review): the section-creation call is not part of this snippet. Freeing
    	// Dacl here leaves SecDescriptor (and objAttr, which points at it) referring
    	// to freed pool, so any later use of objAttr reads freed memory. The poster
    	// later reports that the ExFreePool call was the remaining problem; free the
    	// DACL only after the object has been created.
    	ExFreePool(Dacl);
    	// NOTE(review): Status has not changed since the check above, and there is no
    	// return in this branch, so on failure both messages below would be printed.
    	if (!NT_SUCCESS(Status)) {
    		DbgPrintEx(0, 0, "last thing  has failed : %p\n", Status);
    	}
    
    	DbgPrintEx(0, 0, "last thing  was successfully created : %p\n", Status);

    // NOTE(review): in the posted code the three PSID variables are declared but
    // never assigned, so each RtlLengthSid call here reads through an
    // indeterminate pointer.
    DaclLength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) * 3 + RtlLengthSid(SeLocalSystemSid) + RtlLengthSid(SeAliasAdminsSid) +
    		RtlLengthSid(SeWorldSid);
    According to WinDbg, this is the statement that causes the BSOD.

    • Edited by Frankooo Saturday, March 9, 2019 11:08 AM
    Saturday, March 9, 2019 10:52 AM
  • So, it is failing in RtlLengthSid. Check the values of the inputs to ensure that they are valid. Obviously, they aren't valid, because you aren't initializing them.

    If you include NTIFS.H, it will import SeExports from NTOSKRNL, which is a structure containing the SIDs that you want. You would use them like this: RtlLengthSid (SeExports->SeWorldSid)

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog



    Saturday, March 9, 2019 6:05 PM
    Moderator
  • So, it is failing in RtlLengthSid. Check the values of the inputs to ensure that they are valid. Obviously, they aren't valid, because you aren't initializing them.

    If you include NTIFS.H, it will import SeExports from NTOSKRNL, which is a structure containing the SIDs that you want. You would use them like this: RtlLengthSid (SeExports->SeWorldSid)

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog



    Thank you, it's not giving any BSOD now and is working fine. Never mind, I fixed my problem: it was the ExFreePool call, and now I have FILE_MAP_WRITE access. Thank you so much, man. +REP



    • Edited by Frankooo Saturday, March 9, 2019 8:19 PM
    Saturday, March 9, 2019 7:33 PM
  • Try the !sd command in WinDBG to display the security descriptor

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Saturday, March 9, 2019 8:14 PM
    Moderator
  • Try the !sd command in WinDBG to display the security descriptor

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    nvm i fixed it , see my other comment ^^ thank you again :D
    Saturday, March 9, 2019 11:22 PM