Show UAC prompt before access is denied by IoCreateDeviceSecure function

  • Question

  • Hi. I am adding access control for a driver (WinPcap's NDIS 6 filter driver) running on Windows 7 and 8. We want to allow only administrators (users in the Administrators group) to use the driver. So I used the new IoCreateDeviceSecure function instead of the original IoCreateDevice call.

    My code is as follows:

    UNICODE_STRING sddl = RTL_CONSTANT_STRING(L"D:P(A;;GA;;;SY)(A;;GA;;;BA)");
    const GUID guidClassNPF = { 0x26e0d1e0L, 0x8189, 0x12e0, { 0x99, 0x14, 0x08, 0x00, 0x22, 0x30, 0x19, 0x04 } };
    status = IoCreateDeviceSecure(adriverObjectP, sizeof(DEVICE_EXTENSION), &deviceName, FILE_DEVICE_TRANSPORT,
    FILE_DEVICE_SECURE_OPEN, FALSE, &sddl, (LPCGUID) &guidClassNPF, &devObjP);

    My SDDL string is "D:P(A;;GA;;;SY)(A;;GA;;;BA)", which means "allows the kernel, system, and administrator complete control over the device. No other users may access the device."

    It seems that only the built-in Administrator account can directly access my device now. The other members of the Administrators group will be denied because they don't have an escalated access token based on Windows's User Account Control. I know that when a user tries to make critical changes to the system, a UAC prompt will show up to ask the user for permission.

    My question is, is there a way that Windows shows such a prompt when executing my driver's IoCreateDeviceSecure call, so if the user agrees with the UAC prompt, the call can succeed? The current silent denial is not very friendly for a member of the Administrators group trying to use their rights. Thanks!

    Friday, June 19, 2015 2:43 AM

Answers

  • No; it is fundamental to the security system that access checks are only done when a handle is opened to a secured object. See chapter 6 of Windows Internals, 6th edition

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, June 19, 2015 3:18 AM
    Moderator
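
    An added example, not part of the original thread: a simplified Python model of the access check made when a handle to the device is opened, run against the SDDL string from the question. It shows why the filtered token of a non-elevated Administrators member is denied while the elevated token is granted. The token contents and the user SID are constructed for illustration, and the model treats every request as a request for full access.

```python
import re

# Well-known SID aliases used in SDDL (only the subset this example needs).
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}
QUESTION_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"  # descriptor from the question

def parse_dacl(sddl):
    """Return (protected, aces) for an SDDL string that holds only a DACL."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("an ACE has 6 fields: " + body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        aces.append({"type": ace_type, "rights": rights,
                     "sid": SID_ALIASES.get(sid, sid)})
    return "P" in flags, aces

def access_granted(aces, token):
    """Simplified check for full access (GA).

    token maps SID -> "enabled" or "deny_only". A deny-only SID
    (SE_GROUP_USE_FOR_DENY_ONLY) matches deny ACEs but never allow ACEs.
    """
    for ace in aces:                      # ACEs are evaluated in order
        state = token.get(ace["sid"])
        if state is None:
            continue                      # SID not in the token at all
        if ace["type"] == "D":
            return False                  # matches enabled and deny-only SIDs
        if ace["type"] == "A" and state == "enabled" and ace["rights"] == "GA":
            return True
    return False                          # no matching allow ACE: implicit deny

USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
# Constructed tokens: UAC gives an admin user a filtered token in which
# BUILTIN\Administrators is deny-only, plus a linked elevated token.
FILTERED = {USER: "enabled", "S-1-5-32-544": "deny_only", "S-1-5-32-545": "enabled"}
ELEVATED = {USER: "enabled", "S-1-5-32-544": "enabled", "S-1-5-32-545": "enabled"}
SYSTEM = {"S-1-5-18": "enabled", "S-1-5-32-544": "enabled"}

def check_all(sddl=QUESTION_SDDL):
    _protected, aces = parse_dacl(sddl)
    return {name: access_granted(aces, tok) for name, tok in
            [("filtered", FILTERED), ("elevated", ELEVATED), ("system", SYSTEM)]}

if __name__ == "__main__":
    print(check_all())
```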

All replies

  • Thanks for your answer! I have been stuck on this problem for nearly a week and don't know what to do about it. Do you know if there is a way to fulfill my need: to make all members of the Administrators group, and only them, able to access my driver?
    Friday, June 19, 2015 4:20 AM
  • I can think of two ways:

    1. The app that is opening the handle will have to be elevated.

    2. A service (running elevated) opens the handle to the driver, and then copies the handle (using the DuplicateHandle API) into the process that wants to access the device - after validating the target process is part of the Admin group.

     -Brian




    Friday, June 19, 2015 7:54 AM
    Moderator
  • My software is a combination of some DLLs (wpcap.dll and packet.dll) and a driver (npcap.sys). Other people develop the applications (like Wireshark and Nmap) that use my DLLs and driver. The invoking path is: EXE -> wpcap.dll -> packet.dll -> npcap.sys. I don't want to change this architecture too much, so I can't make a service. But getting the app elevated also has an issue, because other people develop the apps. I'd like to do the elevation at the DLL level.

    I have learnt that an application (EXE) can specify /MANIFESTUAC: highestAvailable in its manifest to enforce an Administrator elevation. I have tried to add the /MANIFESTUAC: highestAvailable option to a DLL too (in VS 2008, by modifying Properties -> Linker -> Manifest File -> UAC Execution Level to highestAvailable), but nothing happened. I doubt if it is meaningful to add such an option to a DLL. Is there a way for a DLL to enforce an Administrator elevation for the process that loads it? So when an EXE (without /MANIFESTUAC: highestAvailable) loading my DLL (with /MANIFESTUAC: highestAvailable) tries to start, it will be required to be elevated by a UAC prompt?



    • Edited by Yang Luo Friday, June 19, 2015 3:54 PM
    Friday, June 19, 2015 3:10 PM
  • You could make your DLL a COM object and have it run elevated

     -Brian



    Friday, June 19, 2015 8:08 PM
    Moderator