[cziter15]

Hello,

I want to control access rights of specific handle.
How to do this from ring0 driver?
What is the best way?

[EP_X0FF]

https://github.com/Microsoft/Windows-dr ... obcallback

[cziter15]

I am already using ObRegisterCallbacks and it is working for newly created handles only.
I want to revoke all already existing handles access rights after ObCallbacks registration, because
when someone obtain handle before my ObRegisterCallbacks call, it will still be accessible.

[Brock]

@cziter15

There exists no clean way to do what you're asking. If a handle is acquired before your callback is installed then you are at the mercy of the other processes, for the most part. You could however close existing handles by enumerating all currently active processes, attach to their context and enumerate their handle table for the specific handle you're interested in. It's not pretty but works for handles opened pre-callback installation

KeStackAttachProcess(Process, &ApcState) ---> Enum Handle Table ---> ZwSetInformationObject(TargetHandle, ObjectHandleFlagInformation, &HandleData.ProtectFromClose = FALSE, sizeof(HandleData)) ---> ZwClose(TargetHandle) ---> KeUnstackDetachProcess(&ApcState)

P.S: If you don't mind getting dirtier then you could try setting a new granted access for the handle in the table entry but personally I've never modified the access this way, I've always just closed them for the sake of simplicity.

Best Regards,
Brock

[cziter15]

Thank you Brock. Looks like I have to manually enumerate handles by PEProcess->HandleTable and then remove interesting bits from mask handle by handle.

@Any mod, please change topic "Change ha" to "Change handle access mask". Thanks.

[Brock]

You're welcome. Sorry that it's not what you wanted to hear but I don't see any other way to achieve what you've asked. Good luck!

Best Regards,
Brock

[Vrtule]

What about loading your driver at boot time? Whould that help?

[cziter15]

Most disadvantage of my concept is to load driver at request, but I have to do that.
So, that's why I have to enumerate and revoke accesses.

On x86 it was soo easy, just by placing hook on ObReferenceObjectByHandle and
then checking handles "on reference handle" instead of "on open/create handle"

[Brock]

Just remember to install the callback first and then do the enumeration + modification of handle granted access bitmask, otherwise you're susceptible to a race condition

Best Regards,
Brock

[cziter15]

RESOLVED the problem using ExpLookupHandleTableEntry unexported function.

Code: Select all

PHANDLE_TABLE_ENTRY NTAPI ExpLookupHandleTableEntry(	
   IN PHANDLE_TABLE 	HandleTable,
   IN EXHANDLE 	LookupHandle 
)