driver: hard code security descriptor bytes
This is compatible with old Windows. Generated by: #include <stdio.h> #include <windows.h> #include <sddl.h> int main(int argc, char *argv[]) { PSECURITY_DESCRIPTOR sd; ULONG sd_len; if (!ConvertStringSecurityDescriptorToSecurityDescriptorA("O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)", SDDL_REVISION_1, &sd, &sd_len)) return 1; for (ULONG i = 0; i < sd_len; ++i) printf("0x%02x%s%s", ((unsigned char *)sd)[i], i == sd_len - 1 ? "" : ",", i == sd_len -1 || i % 8 == 7 ? "\n": " "); return 0; } This can be easily checked from kernel space with this ugly snippet: UNICODE_STRING Func; RtlInitUnicodeString(&Func, L"SeConvertSecurityDescriptorToStringSecurityDescriptor"); WCHAR *Str = NULL; ((NTSTATUS(NTAPI *)(PSECURITY_DESCRIPTOR, DWORD, DWORD, WCHAR **, DWORD *))MmGetSystemRoutineAddress(&Func))( TunDispatchSecurityDescriptor, 1, 0x14, &Str, NULL); DbgPrint("Did it work? %ls\n", Str); Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
parent
6154c73032
commit
d33732ab4b
@ -184,7 +184,15 @@ static NDIS_HANDLE NdisMiniportDriverHandle;
|
|||||||
static DRIVER_DISPATCH *NdisDispatchDeviceControl, *NdisDispatchClose;
|
static DRIVER_DISPATCH *NdisDispatchDeviceControl, *NdisDispatchClose;
|
||||||
static ERESOURCE TunDispatchCtxGuard, TunDispatchDeviceListLock;
|
static ERESOURCE TunDispatchCtxGuard, TunDispatchDeviceListLock;
|
||||||
static RTL_STATIC_LIST_HEAD(TunDispatchDeviceList);
|
static RTL_STATIC_LIST_HEAD(TunDispatchDeviceList);
|
||||||
static SECURITY_DESCRIPTOR *TunDispatchSecurityDescriptor;
|
/* Binary representation of O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI) */
|
||||||
|
static SECURITY_DESCRIPTOR *TunDispatchSecurityDescriptor = (SECURITY_DESCRIPTOR *)(__declspec(align(8)) UCHAR[]){
|
||||||
|
0x01, 0x00, 0x14, 0x90, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
|
||||||
|
0x00, 0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x14, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x01,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x30, 0x00, 0x00, 0x02, 0x00, 0x34, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x14, 0x00, 0xff, 0x01, 0x1f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x18, 0x00, 0xff, 0x01, 0x1f, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00,
|
||||||
|
0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00
|
||||||
|
};
|
||||||
|
|
||||||
_IRQL_requires_max_(DISPATCH_LEVEL)
|
_IRQL_requires_max_(DISPATCH_LEVEL)
|
||||||
static VOID
|
static VOID
|
||||||
@ -836,19 +844,6 @@ cleanup:
|
|||||||
return DidClose;
|
return DidClose;
|
||||||
}
|
}
|
||||||
|
|
||||||
_Must_inspect_result_
|
|
||||||
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID);
|
|
||||||
#ifdef ALLOC_PRAGMA
|
|
||||||
# pragma alloc_text(INIT, TunInitializeDispatchSecurityDescriptor)
|
|
||||||
#endif
|
|
||||||
_Use_decl_annotations_
|
|
||||||
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
|
|
||||||
{
|
|
||||||
UNICODE_STRING Sddl;
|
|
||||||
RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)");
|
|
||||||
return SeSddlSecurityDescriptorFromSDDL(&Sddl, FALSE, &TunDispatchSecurityDescriptor);
|
|
||||||
}
|
|
||||||
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
static VOID
|
static VOID
|
||||||
TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
|
TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
|
||||||
@ -1416,7 +1411,6 @@ TunUnload(PDRIVER_OBJECT DriverObject)
|
|||||||
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
|
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
|
||||||
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
||||||
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
||||||
ExFreePool(TunDispatchSecurityDescriptor);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
DRIVER_INITIALIZE DriverEntry;
|
DRIVER_INITIALIZE DriverEntry;
|
||||||
@ -1435,8 +1429,6 @@ DriverEntry(DRIVER_OBJECT *DriverObject, UNICODE_STRING *RegistryPath)
|
|||||||
if (NdisVersion > NDIS_MINIPORT_VERSION_MAX)
|
if (NdisVersion > NDIS_MINIPORT_VERSION_MAX)
|
||||||
NdisVersion = NDIS_MINIPORT_VERSION_MAX;
|
NdisVersion = NDIS_MINIPORT_VERSION_MAX;
|
||||||
|
|
||||||
if (!NT_SUCCESS(Status = TunInitializeDispatchSecurityDescriptor()))
|
|
||||||
return Status;
|
|
||||||
ExInitializeResourceLite(&TunDispatchCtxGuard);
|
ExInitializeResourceLite(&TunDispatchCtxGuard);
|
||||||
ExInitializeResourceLite(&TunDispatchDeviceListLock);
|
ExInitializeResourceLite(&TunDispatchDeviceListLock);
|
||||||
|
|
||||||
@ -1492,6 +1484,5 @@ cleanupNotifier:
|
|||||||
cleanupResources:
|
cleanupResources:
|
||||||
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
||||||
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
||||||
ExFreePool(TunDispatchSecurityDescriptor);
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user