driver: hard code security descriptor bytes

This is compatible with old Windows. Generated by:

  #include <stdio.h>
  #include <windows.h>
  #include <sddl.h>

  int main(int argc, char *argv[])
  {
      PSECURITY_DESCRIPTOR sd;
      ULONG sd_len;

      if (!ConvertStringSecurityDescriptorToSecurityDescriptorA("O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)", SDDL_REVISION_1, &sd, &sd_len))
          return 1;
      for (ULONG i = 0; i < sd_len; ++i)
          printf("0x%02x%s%s", ((unsigned char *)sd)[i], i == sd_len - 1 ? "" : ",", i == sd_len -1 || i % 8 == 7 ? "\n": " ");
      return 0;
  }

This can be easily checked from kernel space with this ugly snippet:

  UNICODE_STRING Func;
  RtlInitUnicodeString(&Func, L"SeConvertSecurityDescriptorToStringSecurityDescriptor");
  WCHAR *Str = NULL;
  ((NTSTATUS(NTAPI *)(PSECURITY_DESCRIPTOR, DWORD, DWORD, WCHAR **, DWORD *))MmGetSystemRoutineAddress(&Func))(
      TunDispatchSecurityDescriptor, 1, 0x14, &Str, NULL);
  DbgPrint("Did it work? %ls\n", Str);

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld 2021-06-25 14:30:35 +02:00
parent 6154c73032
commit d33732ab4b

View File

@ -184,7 +184,15 @@ static NDIS_HANDLE NdisMiniportDriverHandle;
static DRIVER_DISPATCH *NdisDispatchDeviceControl, *NdisDispatchClose; static DRIVER_DISPATCH *NdisDispatchDeviceControl, *NdisDispatchClose;
static ERESOURCE TunDispatchCtxGuard, TunDispatchDeviceListLock; static ERESOURCE TunDispatchCtxGuard, TunDispatchDeviceListLock;
static RTL_STATIC_LIST_HEAD(TunDispatchDeviceList); static RTL_STATIC_LIST_HEAD(TunDispatchDeviceList);
static SECURITY_DESCRIPTOR *TunDispatchSecurityDescriptor; /* Binary representation of O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI) */
static SECURITY_DESCRIPTOR *TunDispatchSecurityDescriptor = (SECURITY_DESCRIPTOR *)(__declspec(align(8)) UCHAR[]){
0x01, 0x00, 0x14, 0x90, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
0x00, 0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x14, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x30, 0x00, 0x00, 0x02, 0x00, 0x34, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x14, 0x00, 0xff, 0x01, 0x1f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,
0x00, 0x00, 0x18, 0x00, 0xff, 0x01, 0x1f, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00,
0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00
};
_IRQL_requires_max_(DISPATCH_LEVEL) _IRQL_requires_max_(DISPATCH_LEVEL)
static VOID static VOID
@ -836,19 +844,6 @@ cleanup:
return DidClose; return DidClose;
} }
_Must_inspect_result_
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID);
#ifdef ALLOC_PRAGMA
# pragma alloc_text(INIT, TunInitializeDispatchSecurityDescriptor)
#endif
_Use_decl_annotations_
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
{
UNICODE_STRING Sddl;
RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)");
return SeSddlSecurityDescriptorFromSDDL(&Sddl, FALSE, &TunDispatchSecurityDescriptor);
}
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
static VOID static VOID
TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
@ -1416,7 +1411,6 @@ TunUnload(PDRIVER_OBJECT DriverObject)
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle); NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
ExDeleteResourceLite(&TunDispatchCtxGuard); ExDeleteResourceLite(&TunDispatchCtxGuard);
ExDeleteResourceLite(&TunDispatchDeviceListLock); ExDeleteResourceLite(&TunDispatchDeviceListLock);
ExFreePool(TunDispatchSecurityDescriptor);
} }
DRIVER_INITIALIZE DriverEntry; DRIVER_INITIALIZE DriverEntry;
@ -1435,8 +1429,6 @@ DriverEntry(DRIVER_OBJECT *DriverObject, UNICODE_STRING *RegistryPath)
if (NdisVersion > NDIS_MINIPORT_VERSION_MAX) if (NdisVersion > NDIS_MINIPORT_VERSION_MAX)
NdisVersion = NDIS_MINIPORT_VERSION_MAX; NdisVersion = NDIS_MINIPORT_VERSION_MAX;
if (!NT_SUCCESS(Status = TunInitializeDispatchSecurityDescriptor()))
return Status;
ExInitializeResourceLite(&TunDispatchCtxGuard); ExInitializeResourceLite(&TunDispatchCtxGuard);
ExInitializeResourceLite(&TunDispatchDeviceListLock); ExInitializeResourceLite(&TunDispatchDeviceListLock);
@ -1492,6 +1484,5 @@ cleanupNotifier:
cleanupResources: cleanupResources:
ExDeleteResourceLite(&TunDispatchCtxGuard); ExDeleteResourceLite(&TunDispatchCtxGuard);
ExDeleteResourceLite(&TunDispatchDeviceListLock); ExDeleteResourceLite(&TunDispatchDeviceListLock);
ExFreePool(TunDispatchSecurityDescriptor);
return Status; return Status;
} }