A
Archimedes.Syracuse
Guest
Hello. So I'm creating a device with a symlink accessible from win32, but I only want admin/system access. I'm creating an UpperFilter via SetupAPIs.
So I've tested both in the add device handler callback.
IoCreateDevice(DriverObject,
sizeof(FDO_DEVEXT),
&usNtDevName,
FILE_DEVICE_UNKNOWN, //tested a few variants
FILE_DEVICE_SECURE_OPEN,
TRUE,
&FuncDeviceObject);
IoCreateDeviceSecure(DriverObject,
sizeof(FDO_DEVEXT),
NULL,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN | FILE_AUTOGENERATED_DEVICE_NAME,
FALSE,//TRUE,
&SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
NULL,
&FuncDeviceObject);
But when I look at both SD of there Object they appear as NULL.
0: kd> !object @@(FuncDeviceObject)
Object: ffffe281f7ef8d00 Type: (ffffe281ec2f04e0) Device
ObjectHeader: ffffe281f7ef8cd0 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffff93009b60c2e0 Name: aaaaaaaaaaaaaaaaaaaa
0: kd> dt nt!_OBJECT_HEADER ffffe281f7ef8cd0 SecurityDescriptor
+0x028 SecurityDescriptor : (null)
Why do my devices have NULL DACL even though I use flags FILE_DEVICE_SECURE_OPEN and SDDL_DEVOBJ_SYS_ALL_ADM_ALL, as any standard user can open a handle (I tested it) to my device looking at winobj, or am I not understanding at this correctly - the DeviceObject OBJECT SecurityDescriptor does indicate the accesses right i.e. if a user opens a handle to it.
Now what this makes more stranger, is another device (not mine). AgileVPN. Looking at Winobj, there symbolic link in \GLOBAL??\AgileVPN (has ACL for Everyone:Query, Admin/system:Full), but the pointed device \Device\AgileVPN has an ACL with SYSTEM :Full only, which is what I somewhat want.
But looking at !object of AgileVPN also has a NULL DACL, but if I try to open a handle to it from user it's denied - so there's a discrepancy between Winobj SD and !object SD, but winobj SD is correct.
//UNDERLYING DEVICE
0: kd> !object \Device\AgileVPN
Object: ffffe281f7c65a30 Type: (ffffe281ec2f04e0) Device
ObjectHeader: ffffe281f7c65a00 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffff93009b60c2e0 Name: AgileVPN
0: kd> dt nt!_OBJECT_HEADER ffffe281f7c65a00 SecurityDescriptor
+0x028 SecurityDescriptor : (null)
// SYMBOLIC LINK
0: kd> !object \GLOBAL??\AgileVPN
Object: ffff9300a421b990 Type: (ffffe281ec2aa640) SymbolicLink
ObjectHeader: ffff9300a421b960 (new version)
HandleCount: 0 PointerCount: 1
Directory Object: ffff93009b60be50 Name: AgileVPN
Flags: 00000000 ( Local )
Target String is '\Device\AgileVPN'
0: kd> dt nt!_OBJECT_HEADER ffff9300a421b960 SecurityDescriptor
+0x028 SecurityDescriptor : 0xffff9300`9b60c4ae Void
// Winobj does not show a NULL DACL for the underlying device, it shows a valid ACL with System Control only.
// I'm confused, do I apply ACL to device itself or symbolic link object? IoCreateSymbolicLink() has no params for SDDL, then what is the point of SDDL in device creation?
Testing on Win 10 1903.
Continue reading...
So I've tested both in the add device handler callback.
IoCreateDevice(DriverObject,
sizeof(FDO_DEVEXT),
&usNtDevName,
FILE_DEVICE_UNKNOWN, //tested a few variants
FILE_DEVICE_SECURE_OPEN,
TRUE,
&FuncDeviceObject);
IoCreateDeviceSecure(DriverObject,
sizeof(FDO_DEVEXT),
NULL,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN | FILE_AUTOGENERATED_DEVICE_NAME,
FALSE,//TRUE,
&SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
NULL,
&FuncDeviceObject);
But when I look at both SD of there Object they appear as NULL.
0: kd> !object @@(FuncDeviceObject)
Object: ffffe281f7ef8d00 Type: (ffffe281ec2f04e0) Device
ObjectHeader: ffffe281f7ef8cd0 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffff93009b60c2e0 Name: aaaaaaaaaaaaaaaaaaaa
0: kd> dt nt!_OBJECT_HEADER ffffe281f7ef8cd0 SecurityDescriptor
+0x028 SecurityDescriptor : (null)
Why do my devices have NULL DACL even though I use flags FILE_DEVICE_SECURE_OPEN and SDDL_DEVOBJ_SYS_ALL_ADM_ALL, as any standard user can open a handle (I tested it) to my device looking at winobj, or am I not understanding at this correctly - the DeviceObject OBJECT SecurityDescriptor does indicate the accesses right i.e. if a user opens a handle to it.
Now what this makes more stranger, is another device (not mine). AgileVPN. Looking at Winobj, there symbolic link in \GLOBAL??\AgileVPN (has ACL for Everyone:Query, Admin/system:Full), but the pointed device \Device\AgileVPN has an ACL with SYSTEM :Full only, which is what I somewhat want.
But looking at !object of AgileVPN also has a NULL DACL, but if I try to open a handle to it from user it's denied - so there's a discrepancy between Winobj SD and !object SD, but winobj SD is correct.
//UNDERLYING DEVICE
0: kd> !object \Device\AgileVPN
Object: ffffe281f7c65a30 Type: (ffffe281ec2f04e0) Device
ObjectHeader: ffffe281f7c65a00 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffff93009b60c2e0 Name: AgileVPN
0: kd> dt nt!_OBJECT_HEADER ffffe281f7c65a00 SecurityDescriptor
+0x028 SecurityDescriptor : (null)
// SYMBOLIC LINK
0: kd> !object \GLOBAL??\AgileVPN
Object: ffff9300a421b990 Type: (ffffe281ec2aa640) SymbolicLink
ObjectHeader: ffff9300a421b960 (new version)
HandleCount: 0 PointerCount: 1
Directory Object: ffff93009b60be50 Name: AgileVPN
Flags: 00000000 ( Local )
Target String is '\Device\AgileVPN'
0: kd> dt nt!_OBJECT_HEADER ffff9300a421b960 SecurityDescriptor
+0x028 SecurityDescriptor : 0xffff9300`9b60c4ae Void
// Winobj does not show a NULL DACL for the underlying device, it shows a valid ACL with System Control only.
// I'm confused, do I apply ACL to device itself or symbolic link object? IoCreateSymbolicLink() has no params for SDDL, then what is the point of SDDL in device creation?
Testing on Win 10 1903.
Continue reading...