F
Frankooo
Guest
auto hMapFile = OpenFileMappingA(FILE_MAP_WRITE, FALSE, "Global\\SharedMem");
this is what i am trying to do from my user mode app ofc am creating a driver handle with CreateFileA and it succeed without any problem
now my in kernel driver am doing this
CHAR sidBuffer[SECURITY_MAX_SID_SIZE];
ULONG sidSize = 0;
ACL daclSet;
SECURITY_DESCRIPTOR SecDescriptor;
HANDLE sectionHandle;
#define SHARED_MEMORY 0x100
status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &sidBuffer, sizeof(sidBuffer), &sidSize); // Looks up for administrator account SID and returns to buffer
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "SecLookupWellKnownSid failed: line #554\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
ULONG _sidSize = RtlLengthSid(&sidBuffer); // Get size of SID we want to add to DACL
ACCESS_ALLOWED_ACE _testing; // Allocate structure for sizing
ULONG _sidstartSize = sizeof(_testing.SidStart); //Get size of ULONG SidStart in ACCESS_ALLOWED_ACE
ULONG _ACLSize = sizeof(ACCESS_ALLOWED_ACE) - _sidstartSize + _sidSize; // Calculate full ACL size for ACL
status = RtlCreateAcl(&daclSet, _ACLSize + 0x10, ACL_REVISION); //Create ACL using the ACL size
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlCreateAcl failed: line #564\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
status = RtlAddAccessAllowedAce(&daclSet, ACL_REVISION, FILE_ALL_ACCESS, &sidBuffer); //Add SID to ACL
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlAddAccessAllowedAce failed: line #570\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
status = RtlCreateSecurityDescriptor(&SecDescriptor, SECURITY_DESCRIPTOR_REVISION); //Initialize Security Descriptor
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlCreateSecurityDescriptor failed: line #576\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
status = RtlSetDaclSecurityDescriptor(&SecDescriptor, FALSE, &daclSet, TRUE); //Add DACL to Security Descriptor
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlSetDaclSecurityDescriptor failed: line #582\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
OBJECT_ATTRIBUTES objAttr; //Allocate object attribute structure
WCHAR stringBuf[] = L"\\BaseNamedObjects\\Global\\SharedSectionKernel"; //Allocate buffer for name of shared memory
UNICODE_STRING sectionName; // Allocate UNICODE_STRING for section name
RtlInitUnicodeString(§ionName, stringBuf); // Initialize UNICODE_STRING with buffer
InitializeObjectAttributes(&objAttr, §ionName, OBJ_CASE_INSENSITIVE, NULL, &SecDescriptor); // Initialize OBJECT_ATTRIBUTES using section name and security descriptor
LARGE_INTEGER maxSize; // Allocate max size structure
maxSize.QuadPart = sizeof(SHARED_MEMORY); // Set quad part to size of shared memory structure
DbgBreakPoint();
status = ZwCreateSection(§ionHandle, SECTION_ALL_ACCESS, &objAttr, &maxSize, PAGE_READWRITE, SEC_COMMIT, NULL); // Create section with section handle, object attributes, and the size of shared mem struct
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "ZwCreateSection failed: line #595\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
i have also tried to change
WinBuiltinAdministratorsSid to WinBuiltinUsersSid but it also fails
also tried to disable the whole protection with DACL pram NULL but still it fails i can't find a solution
for it .
Continue reading...
this is what i am trying to do from my user mode app ofc am creating a driver handle with CreateFileA and it succeed without any problem
now my in kernel driver am doing this
CHAR sidBuffer[SECURITY_MAX_SID_SIZE];
ULONG sidSize = 0;
ACL daclSet;
SECURITY_DESCRIPTOR SecDescriptor;
HANDLE sectionHandle;
#define SHARED_MEMORY 0x100
status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &sidBuffer, sizeof(sidBuffer), &sidSize); // Looks up for administrator account SID and returns to buffer
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "SecLookupWellKnownSid failed: line #554\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
ULONG _sidSize = RtlLengthSid(&sidBuffer); // Get size of SID we want to add to DACL
ACCESS_ALLOWED_ACE _testing; // Allocate structure for sizing
ULONG _sidstartSize = sizeof(_testing.SidStart); //Get size of ULONG SidStart in ACCESS_ALLOWED_ACE
ULONG _ACLSize = sizeof(ACCESS_ALLOWED_ACE) - _sidstartSize + _sidSize; // Calculate full ACL size for ACL
status = RtlCreateAcl(&daclSet, _ACLSize + 0x10, ACL_REVISION); //Create ACL using the ACL size
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlCreateAcl failed: line #564\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
status = RtlAddAccessAllowedAce(&daclSet, ACL_REVISION, FILE_ALL_ACCESS, &sidBuffer); //Add SID to ACL
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlAddAccessAllowedAce failed: line #570\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
status = RtlCreateSecurityDescriptor(&SecDescriptor, SECURITY_DESCRIPTOR_REVISION); //Initialize Security Descriptor
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlCreateSecurityDescriptor failed: line #576\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
status = RtlSetDaclSecurityDescriptor(&SecDescriptor, FALSE, &daclSet, TRUE); //Add DACL to Security Descriptor
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "RtlSetDaclSecurityDescriptor failed: line #582\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
OBJECT_ATTRIBUTES objAttr; //Allocate object attribute structure
WCHAR stringBuf[] = L"\\BaseNamedObjects\\Global\\SharedSectionKernel"; //Allocate buffer for name of shared memory
UNICODE_STRING sectionName; // Allocate UNICODE_STRING for section name
RtlInitUnicodeString(§ionName, stringBuf); // Initialize UNICODE_STRING with buffer
InitializeObjectAttributes(&objAttr, §ionName, OBJ_CASE_INSENSITIVE, NULL, &SecDescriptor); // Initialize OBJECT_ATTRIBUTES using section name and security descriptor
LARGE_INTEGER maxSize; // Allocate max size structure
maxSize.QuadPart = sizeof(SHARED_MEMORY); // Set quad part to size of shared memory structure
DbgBreakPoint();
status = ZwCreateSection(§ionHandle, SECTION_ALL_ACCESS, &objAttr, &maxSize, PAGE_READWRITE, SEC_COMMIT, NULL); // Create section with section handle, object attributes, and the size of shared mem struct
if (!NT_SUCCESS(status))
{
DbgPrintEx(0, 0, "ZwCreateSection failed: line #595\n");
SECO_DPRINT("NTSTATUS %d\n", status);
return status;
}
i have also tried to change
WinBuiltinAdministratorsSid to WinBuiltinUsersSid but it also fails
also tried to disable the whole protection with DACL pram NULL but still it fails i can't find a solution
for it .
Continue reading...