How to retrieve GENERIC_MAPPING for a kernel object?

  • Question

  • There is a MapGenericMask function in Windows used to map generic access rights to object-specific access rights; it requires a GENERIC_MAPPING structure as input.

    But where is this GENERIC_MAPPING structure for a kernel object? I found only one function, IoGetFileObjectGenericMapping, which is used to get a GENERIC_MAPPING structure for a file object. I went through all the functions in Windows security but found NO such function that returns a GENERIC_MAPPING for other kernel objects (such as process, thread and synchronization objects).

    Because some functions such as AccessCheck require a GENERIC_MAPPING as an input, I think this input parameter is NOT defined by the programmer; it should be supplied by the system according to the object type.

    Can anybody help me?

    Tuesday, February 2, 2016 9:22 AM

All replies

  • Do you indeed need to call AccessCheck on anything besides files? (As opposed to just trying to get the access.) Can you give an example why, please?

    -- pa

    • Edited by Pavel A Tuesday, February 2, 2016 2:53 PM
    Tuesday, February 2, 2016 2:52 PM
  • I presume you will be using this information to compute the results of combining different permissions before changing those permissions and/or to programmatically check the effect of already configured ACLs.

    For some types (files, registry keys and some others), the relevant GENERIC_MAPPING is available as defines in winnt.h or other files included by windows.h. Just be sure to use the headers that were released with the specific Windows version and, if necessary, make your program use different constant values for different Windows versions.

    In low-level programs, some of the relevant GENERIC_MAPPING values are exported as read-only variables from the kernel (ntoskrnl.exe etc., import name "NT", available only in kernel mode) and/or the user-mode ntdll.dll.

    Finally, there is/was an undocumented call to get this information for any kernel type. Specifically, ZwQueryInformationObject() could be called with query type "ObjectTypeInformation" or "ObjectAllTypesInformation", while ZwQuerySystemInformation() could be called with query type SystemObjectInformation. The latter two queries for all types may only work/have worked in special debug boot modes set via the gflags.exe utility.

    Monday, March 28, 2016 2:36 PM
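As an added illustration of the mapping step the thread discusses (not code from either poster), the portable C below models what MapGenericMask does with a GENERIC_MAPPING and why AccessCheck needs the mask mapped first. The mapping table is the file-object one assembled from the winnt.h defines FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE and FILE_ALL_ACCESS; the type and function names other than those are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;               /* 32-bit access mask, as on Windows */
typedef struct {                            /* same layout as Win32 GENERIC_MAPPING */
    ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll;
} GENERIC_MAPPING;

/* Generic access bits from winnt.h (known values). */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_RIGHTS_MASK (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

/* File-object mapping built from the winnt.h defines the reply refers to. */
static const GENERIC_MAPPING FileGenericMapping = {
    0x00120089u,  /* FILE_GENERIC_READ    */
    0x00120116u,  /* FILE_GENERIC_WRITE   */
    0x001200A0u,  /* FILE_GENERIC_EXECUTE */
    0x001F01FFu   /* FILE_ALL_ACCESS      */
};

/* Portable model of MapGenericMask: every generic bit in *mask is replaced by
 * the object-specific rights the mapping assigns to it; specific bits already
 * present in the mask are kept. */
void map_generic_mask(ACCESS_MASK *mask, const GENERIC_MAPPING *m)
{
    ACCESS_MASK in = *mask, out = in & ~GENERIC_RIGHTS_MASK;
    if (in & GENERIC_READ)    out |= m->GenericRead;
    if (in & GENERIC_WRITE)   out |= m->GenericWrite;
    if (in & GENERIC_EXECUTE) out |= m->GenericExecute;
    if (in & GENERIC_ALL)     out |= m->GenericAll;
    *mask = out;
}

/* AccessCheck expects a DesiredAccess with no generic bits left, so map first. */
int is_fully_mapped(ACCESS_MASK mask)
{
    return (mask & GENERIC_RIGHTS_MASK) == 0;
}

int main(void)
{
    ACCESS_MASK desired = GENERIC_READ | GENERIC_WRITE;   /* 0xC0000000 */
    printf("before: 0x%08X mapped=%d\n", desired, is_fully_mapped(desired));
    map_generic_mask(&desired, &FileGenericMapping);
    printf("after:  0x%08X mapped=%d\n", desired, is_fully_mapped(desired)); /* 0x0012019F */
    return 0;
}
```

Using a different object type's mapping (for example a process's) with the same code would yield different specific bits, which is exactly why the mapping has to come from the object type rather than from the caller.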