In my WDF driver, I want to save some custom data used for specific device to the registry. But I cannot use the WdfRegistryCreateKey() function provided by umdf2 to create a new key under "hardware_key\Device Parameters" on windows10 1909 platform. The error code is "Access Denied". And I have opened the parent key correctly in READ_KEY mask(if not READ_KEY mask, WdfDeviceOpenRegistryKey() will return STATUS_INVALID_PARAMETER indicate insufficient access rights). How to solve this problem?
Thanks in advance.
// create subkey function definition
NTSTATUS registry_create_key(WDFKEY parent_key, PUNICODE_STRING key_str,
WDFKEY* key)
{
NTSTATUS status;
WDFKEY new_key;
status = WdfRegistryCreateKey(parent_key, key_str, KEY_CREATE_SUB_KEY,
REG_OPTION_NON_VOLATILE, NULL, WDF_NO_OBJECT_ATTRIBUTES,
&new_key);
if (!NT_SUCCESS(status)) {
return status;
}
if (key)
*key = new_key;
else
WdfRegistryClose(new_key);
return status;
}
// open parent key, I have removed the return value judgment for brevity
status = WdfDeviceOpenRegistryKey(
DeviceContext->Device,
PLUGPLAY_REGKEY_DEVICE,
KEY_READ,
WDF_NO_OBJECT_ATTRIBUTES,
&hkey);
// The key name I want to create
UNICODE_STRING myKeyStr;
RtlInitUnicodeString(
&myKeyStr,
L"myKeyStr"
);
// Call the subkey create function
status = registry_create_key(hkey, &myKeyStr, &subkey);
WdfRegistryClose(subkey);
You're opening the parent key for KEY_READ access then trying to create a subkey under it. You need to open the parent key with KEY_CREATE_SUB_KEY access.
Related
I have a windows service that creates a JobObject that i need to keep alive as long as the machine is turned on - the goal is to manage a few user session processes that can terminate/start at any time with this JobObject. I am creating it in a service to make sure the process is running at startup, and that it can't be killed by regular users.
However, i don't seem to be able to open a handle to this JobObject from the user session, I always get an access denied (5) error, despite going as far as creating it with a NULL DACL.
I have found a somewhat related question here: Open an Event object created by my service from my application, but for me, even with the NULL DACL, when asking for a JOB_OBJECT_ASSIGN_PROCESS right, i get access denied (asking for SYNCHRONIZE works for example).
The service code:
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(psd, TRUE, NULL, FALSE);
SECURITY_ATTRIBUTES secAttr= {0};
secAttr.nLength = sizeof(secAttr);
secAttr.bInheritHandle = false;
secAttr.lpSecurityDescriptor = psd;
hJobObject = CreateJobObject(&secAttr, SCL_JOBOBJECTNAME);
LocalFree(psd);
The user session code:
hJobObject = OpenJobObject(JOB_OBJECT_ASSIGN_PROCESS, FALSE, SCL_JOBOBJECTNAME);
if (hJobObject == NULL)
{
DWORD wError = GetLastError();
printf("Error: %d\n", wError); // this always pops 5
return 1;
}
Any ideas? As a test, i tried spawning a user session process from within the service, and assign the JobObject via the service code, and that worked,.. so i'm fairly certain its related to security settings i am missing, despite the NULL DACL.
if you create Job in service - this object by default will be have WinSystemLabelSid label SID: S-1-16-16384 - System Mandatory Level. (i just check this) so you need not only set Dacl but Sacl too. for example:
ULONG cb = MAX_SID_SIZE;
PSID LowLabelSid = (PSID)alloca(MAX_SID_SIZE);
if (CreateWellKnownSid(WinLowLabelSid, 0, LowLabelSid, &cb))
{
PACL Sacl = (PACL)alloca(cb += sizeof(ACL) + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
InitializeAcl(Sacl, cb, ACL_REVISION);
if (AddMandatoryAce(Sacl, ACL_REVISION, 0, 0, LowLabelSid))
{
SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
SetSecurityDescriptorSacl(&sd, TRUE, Sacl, FALSE);
SECURITY_ATTRIBUTES sa= { sizeof(sa), &sd, FALSE };
if (HANDLE hJob = CreateJobObject(&sa, L"Global\\{58BFC6DB-BE93-4cdb-919C-4C713ACB5A32}"))
{
CloseHandle(hJob);
}
}
}
I've been banging my head on this for days, and I must have read every page on the Internet even remotely related, but I still can't find an answer. Help!
Here's the scenario: In Windows 7, I have a process running under an admin user account (not a service). It creates a global named mutex, which is later used in a child process running under a regular user account. No matter what I do, or what ACLs I put on the mutex, the child process keeps returning Access Denied when trying to get the handle.
I've distilled my code down into a test app just to experiment with the process and mutex parts, and I found something surprising: if I call OpenMutex from the user app without first creating the mutex, I would expect a Not Found error but I still get Access Denied. However, if I launch the user app from Explorer instead (shift-right-click, Run as different user...), I get the expected behavior. I also noticed that the user app has a plain blocky window border rather than the normal Windows theme when launched from the admin app.
So my guess is that there's something wrong with how I'm launching the user app, but I just can't see what I'm missing.
Here are the relevant parts:
bool CUserTest::LogInUser()
{
if ((m_hUserToken == NULL) && !LogonUser(TEST_USER_NAME, L".", TEST_USER_PASS, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &m_hUserToken))
{
CloseHandle(m_hUserToken);
m_hUserToken = NULL;
}
return (m_hUserToken != NULL);
}
bool CUserTest::LaunchTestApp()
{
PROCESS_INFORMATION ProcInfo;
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(si);
si.lpDesktop = L"winsta0\\default";
wchar_t wszCmdLine[MAX_PATH + 1] = { 0 };
wcscpy(wszCmdLine, L"UserTestClient.exe");
bool bSuccess = false;
LPVOID pEnv;
PROFILEINFO sProfileInfo;
ZeroMemory(&sProfileInfo, sizeof(PROFILEINFO));
sProfileInfo.dwSize = sizeof(PROFILEINFO);
sProfileInfo.lpUserName = TEST_USER_NAME;
if (LoadUserProfile(m_hUserToken, &sProfileInfo))
{
if (ImpersonateLoggedOnUser(m_hUserToken))
{
if (CreateEnvironmentBlock(&pEnv, m_hUserToken, FALSE))
{
bSuccess = CreateProcessAsUser(
m_hUserToken,
NULL,
wszCmdLine,
NULL, // ProcessAttributes
NULL, // ThreadAttributes
FALSE, // InheritHandles
CREATE_UNICODE_ENVIRONMENT, // CreationFlags
pEnv, // Environment
NULL, // CurrentDirectory
&si,
&ProcInfo); // ProcessInformation
DestroyEnvironmentBlock(pEnv);
}
RevertToSelf();
}
UnloadUserProfile(m_hUserToken, sProfileInfo.hProfile);
}
if (bSuccess)
{
CloseHandle(ProcInfo.hThread);
CloseHandle(ProcInfo.hProcess);
}
return bSuccess;
}
I never could get the CreateProcessAsUser call to work correctly, but I finally got it working using CreateProcessWithLogonW instead. The trick was to set si.lpDesktop to NULL rather than "winsta0\default", contrary to everything I'd read up to this point.
I am working on MAC Application to create VPN Connection from MY Application.
After a lot of Research i found that i need to run application as ROOT to store User password and sharedSecretKey in SYSTEM keychain.
Application user will not gonna open application as ROOT so that i need to add user password and sharedsecretkey in SYSTEM KEYCHAIN without ROOT Access.
I search on web on this and found that Apple Provide this code : https://developer.apple.com/library/mac/samplecode/SMJobBless/Introduction/Intro.html
https://developer.apple.com/library/mac/samplecode/EvenBetterAuthorizationSample/Introduction/Intro.html
but didn't understand how can i use this 2 code in my application to store user's password and SharedSecretKey in SYSTEM KEYCHAIN WITH OUT ROOT ACCESS.
Any help will be appreciated.
Thanks in advance.
Here is my code to add Password in SYSTEM KEYCHAIN Which is work great if i run my code as ROOT.
// Vendor dependencies
#import <Security/SecKeychain.h>
// Local dependencies
#import "VPNKeychain.h"
// These are the applications which are going to get access to new Keychain items.
// How do we know them? Just create a VPN service manualy and run the following command:
// security dump-keychain -a /Library/Keychains/System.keychain
// Among the results, you will find your VPN service and you can see the paths that have access to it
static const char * trustedAppPaths[] = {
"/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper", "/System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc",
"/System/Library/CoreServices/SystemUIServer.app",
"/usr/sbin/pppd",
"/usr/sbin/racoon",
"/usr/libexec/configd",
};
// This class contains all code we need to handle System Keychain Items
// Exit status codes: 60-79
#implementation VPNKeychain
// This will create a PPP Password Keychain Item
+ (int) createPasswordKeyChainItem:(NSString*)label forService:(NSString*)service withAccount:(NSString*)account andPassword:(NSString*)password {
return [self createItem:label withService:service account:account description:#"PPP Password" andPassword:password];
}
// This will create an IPSec Shared Secret Keychain Item
+ (int) createSharedSecretKeyChainItem:(NSString*)label forService:(NSString*)service withPassword:(NSString*)password {
service = [NSString stringWithFormat:#"%#.SS", service];
return [self createItem:label withService:service account:#"" description:#"IPSec Shared Secret" andPassword:password];
}
// A generic method to create Keychain Items holding Network service passwords
+ (int) createItem:(NSString*)label withService:(NSString*)service account:(NSString*)account description:(NSString*)description andPassword:(NSString*)password {
// This variable will hold all sorts of operation status responses
OSStatus status;
// Converting the NSStrings to char* variables which we will need later
const char *labelUTF8 = [label UTF8String];
const char *serviceUTF8 = [service UTF8String];
const char *accountUTF8 = [account UTF8String];
const char *descriptionUTF8 = [description UTF8String];
const char *passwordUTF8 = [password UTF8String];
// This variable is soon to hold the System Keychain
SecKeychainRef keychain = NULL;
status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &keychain);
if (status == errSecSuccess) {
NSLog(#"Succeeded opening System Keychain");
} else {
NSLog(#"Could not obtain System Keychain: %#", SecCopyErrorMessageString(status, NULL));
return 60;
}
NSLog(#"Unlocking System Keychain");
status = SecKeychainUnlock(keychain, 0, NULL, FALSE);
if (status == errSecSuccess) {
NSLog(#"Succeeded unlocking System Keychain");
} else {
NSLog(#"Could not unlock System Keychain: %#", SecCopyErrorMessageString(status, NULL));
return 61;
}
// This variable is going to hold our new Keychain Item
SecKeychainItemRef item = nil;
SecAccessRef access = nil;
status = SecAccessCreate(CFSTR("Some VPN Test"), (__bridge CFArrayRef)(self.trustedApps), &access);
if(status == noErr) {
NSLog(#"Created empty Keychain access object");
} else {
NSLog(#"Could not unlock System Keychain: %#", SecCopyErrorMessageString(status, NULL));
return 62;
}
// Putting together the configuration options
SecKeychainAttribute attrs[] = {
{kSecLabelItemAttr, (int)strlen(labelUTF8), (char *)labelUTF8},
{kSecAccountItemAttr, (int)strlen(accountUTF8), (char *)accountUTF8},
{kSecServiceItemAttr, (int)strlen(serviceUTF8), (char *)serviceUTF8},
{kSecDescriptionItemAttr, (int)strlen(descriptionUTF8), (char *)descriptionUTF8},
};
SecKeychainAttributeList attributes = {sizeof(attrs) / sizeof(attrs[0]), attrs};
status = SecKeychainItemCreateFromContent(kSecGenericPasswordItemClass, &attributes, (int)strlen(passwordUTF8), passwordUTF8, keychain, access, &item);
if(status == noErr) {
NSLog(#"Successfully created Keychain Item");
} else {
NSLog(#"Creating Keychain item failed: %#", SecCopyErrorMessageString(status, NULL));
return 63;
}
return 0;
}
+(NSArray*) trustedApps {
NSMutableArray *apps = [NSMutableArray array];
SecTrustedApplicationRef app;
OSStatus err;
for (int i = 0; i < (sizeof(trustedAppPaths) / sizeof(*trustedAppPaths)); i++) {
err = SecTrustedApplicationCreateFromPath(trustedAppPaths[i], &app);
if (err == errSecSuccess) {
//NSLog(#"SecTrustedApplicationCreateFromPath succeeded: %#", SecCopyErrorMessageString(err, NULL));
} else {
NSLog(#"SecTrustedApplicationCreateFromPath failed: %#", SecCopyErrorMessageString(err, NULL));
}
[apps addObject:(__bridge id)app];
}
return apps;
}
In OS X, applications do not handle users' credentials directly, but instead request the system to do so, via the function call AuthorizationCopyRights, which is documented in Authorization Services.
A Gui application cannot directly perform administrative (root) actions and since Yosemite (10.10), Gui applications cannot run as root. Instead, your application must use a 'helper' application via XPC services, which is what the SMJobBless and BetterAuthorization samples demonstrate. You can read more about XPC here.
In your case, you would need to create such a helper application, which will have the necessary rights to access the system keychain.
Note that if you plan to distribute your application via the Apple Store, the application must be sandboxed and cannot use any security services, such as calling the function AuthorizationCopyRights.
It is explained in the sample code that you link to, see ReadMe.txt:
Once you run the sample you'll be prompted for an admin user name and
password. Enter your admin user name and password and, if all goes
well, the sample's window will show "The Helper Tool is available!"
indicating that everything is OK. If not, you can look in the console
log for information about the failure.
So generally, your application will have to ask for admin credentials at some point.
Update:
This should be done through a privileged helper tool, as demonstrated in cited SMJobBless example. Your helper tool should perform keychain access for your app. Here are main steps to install such helper tool:
Create authorisation object with AuthorizationCreate function.
Perform preauthorisation on the object with given set of rights using
AuthorizationCopyRights function. This will in fact result in asking your user for admin credentials.
Verify, install and register helper tool with launchd using
SMJobBless function.
Once the helper tool is installed and registered you should use NSXPCConnection to talk to your helper tool. See Sandboxing with NSXPCConnection sample code for details on how to achieve it.
I'm developing a miniFilter driver and took the Microsoft's SwapBuffers
miniFilter as example.
An InstaceSetup routin by default is attaching to all volumes. But I don't want
to attach to all of them, only to some choosen...
I tried to set "NULL" instead of "InstanceSetup" in "FLT_REGISTRATION
FilterRegistration" and then to call "FltAttachVolume" in the "DriverEntry"
routin. I've done the following:
PFLT_VOLUME vol;
UNICODE_STRING vname;
....
RtlInitUnicodeString(&vname, L"E:\");
FltGetVolumeFromName(gFilterHandle, &vname, &vol);
...
FltAttachVolume(gFilterHandle, vol, NULL, NULL);
...
When i tried to call FltAttachVolume with the "NULL" 3-d parameter
(PCUNICODE_STRING InstanceName) i received a
"STATUS_FLT_INSTANCE_NAME_COLLISION" error.
If i call FltAttachVolume with a "NOT NULL" 3-d parameter, such as a
"UniqueInstaceName" it returns me "-2145452013".
I'm receiving the same errors, when i,m trying to attach a volume, using a
FilterAttach routine from my User application, like this:
...
driver.driverName = L"swapBuffers";
...
LPCWSTR vname = L"F:\";
...
FilterAttach(driver.driverName, vname, NULL, NULL, NULL);
With "NULL" 3-d parameter (LPCWSTR lpInstanceName):
"ERROR_FLT_INSTANCE_NAME_COLLISION"
With "NOT-NULL": "-2145452013".
In MiniSpy miniFilter there is a User application, and the routine FilterAttach
is used. I tried to call this routine in my application the same way - no
results.
Finally, i changed the swapBuffers inf-file:
there was no DefaultInstance parameter, i set it: "SwapBuffers - Top
Instance".
also i copied this from the MiniSpy inf-file:
[MiniFilter.AddRegistry]
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
HKR,"Instances\"%Instance2.Name%,"Altitude",0x00000000,%Instance2.Altitude%
HKR,"Instances\"%Instance2.Name%,"Flags",0x00010001,%Instance2.Flags%
HKR,"Instances\"%Instance3.Name%,"Altitude",0x00000000,%Instance3.Altitude%
HKR,"Instances\"%Instance3.Name%,"Flags",0x00010001,%Instance3.Flags%
.............
Instance1.Name = "SwapBuffers - Middle Instance"
Instance1.Altitude = "370000"
Instance1.Flags = 0x1 ; Suppress automatic attachments
Instance2.Name = "SwapBuffers - Bottom Instance"
Instance2.Altitude = "361000"
Instance2.Flags = 0x1 ; Suppress automatic attachments
Instance3.Name = "SwapBuffers - Top Instance"
Instance3.Altitude = "385100"
Instance3.Flags = 0x1 ; Suppress automatic attachments
changing the flags to 0x1 to suppress automatic attachments.
And only installing my SwapBuffers miniFilter through this Inf file, i received
"STATUS_SUCCESS" from FltAttachVolume routine in my driver. But it isn't really
attaching to the disk...
What am i doing wrong?
Thanks.
Instance1.Flags = 0x1
That is fine.
I have somewhat similar code and that works fine.
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
FLT_ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
status = FltBuildDefaultSecurityDescriptor(&sd,
FLT_PORT_ALL_ACCESS);
if (!NT_SUCCESS(status)) {
return status;
}
RtlInitUnicodeString(&uniString, PORT_NAME);
InitializeObjectAttributes(&oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd);
status = FltCreateCommunicationPort(gFilterHandle,
&gServerPort,
&oa,
NULL,
Connect,
Disconnect,
Message,
1);
FltFreeSecurityDescriptor(sd);
BREAK_HERE(); // DbgBreak() macro
//
// Start filtering i/o
//
status = FltStartFiltering(gFilterHandle);
if (!NT_SUCCESS(status)) {
FltUnregisterFilter(gFilterHandle);
}
else {
RtlInitUnicodeString(&uniString, L"\\Device\\HarddiskVolume1");
PFLT_VOLUME vol;
FltGetVolumeFromName(gFilterHandle, &uniString, &vol);
status = FltAttachVolume(gFilterHandle, vol, NULL, NULL);
// status == 0x0 at that point and the mini filter is attached to the Volume
}
}
I normally attach to all volumes but I wanted to try attaching to a single volume and it works fine.
With UAC disabled, I need to create a process with the same characteristics as the process created with UAC enabled - basically I'm emulating process creation with UAC enabled.
My only roadblock is virtualization. The sample code below should create an instance of notedpad at medium IL with virtualization enabled. In actuality, it creates an instance of notepad at medium IL with virtualization disabled. I'm not entirely sure why the virtualization token is being ignored. Any ideas?
BOOL bRet;
HANDLE hToken;
HANDLE hNewToken;
// Notepad is used as an example
WCHAR wszProcessName[MAX_PATH] =
L"C:\\Windows\\System32\\Notepad.exe";
// Medium integrity SID
WCHAR wszIntegritySid[20] = L"S-1-16-8192";
PSID pIntegritySid = NULL;
DWORD EnableVirtualization = 1;
TOKEN_MANDATORY_LABEL TIL = {0};
PROCESS_INFORMATION ProcInfo = {0};
STARTUPINFO StartupInfo = {0};
ULONG ExitCode = 0;
if (OpenProcessToken(GetCurrentProcess(),MAXIMUM_ALLOWED, &hToken))
{
if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
SecurityImpersonation, TokenPrimary, &hNewToken))
{
if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid))
{
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
// Set the process integrity level
if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)))
{
// Enable FS Virtualization
if (SetTokenInformation(hNewToken, TokenVirtualizationEnabled,
&EnableVirtualization, sizeof(EnableVirtualization)))
{
// Create the new process at Low integrity
bRet = CreateProcessAsUser(hNewToken, NULL,
wszProcessName, NULL, NULL, FALSE,
0, NULL, NULL, &StartupInfo, &ProcInfo);
}
}
LocalFree(pIntegritySid);
}
CloseHandle(hNewToken);
}
CloseHandle(hToken);
}
So, I was approaching this incorrectly - fs virtualization is not what I want. To emulate UAC, as described above, its necessary to create a restricted token with the administrators group disabled and use that token to create the process.
The reason that this doesn't work, is that the SetTokenInformation call to turn on virtualisation is working on the primary token created for CreateProcessAsUser. What's needed is an access token for the actual process. This can be obtained by creating the process with the CreationFlag CREATE_SUSPENDED, and calling OpenProcessToken with the process handle from ProcInfo. Use SetTokenInformation on that token to enable virtualisation, and then ResumeThread to run the process.