
I'm currently working on developing a driver. For now, the connection between the kernel and the system is done via a simple text file created like this:

    handle=CreateFile(TEXT("\\\\.\\" FILE_NAME),
    GENERIC_READ | GENERIC_WRITE,
    0,
    NULL,
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    NULL);

The file is used for transferring data from the kernel to the system: the kernel driver writes the file and the system app reads from it. My concern is the safety of such a solution, as for now anyone can simply go into this file, get all the data in it and, what's even worse, modify it. Is it possible to make the file not accessible for the user, but still accessible for the system app?

UPDATE:

After doing some research I found a pattern how to do it for specific users:

    ea[1].grfAccessPermissions = ACCESS_SYSTEM_SECURITY | READ_CONTROL | WRITE_DAC | GENERIC_ALL;
    ea[1].grfAccessMode = DENY_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.ptstrName = reinterpret_cast<char*>(&everyone_sid);
    dwRes = SetEntriesInAclA(2, ea, NULL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes) {
        printf("SetEntriesInAcl Error %u\n", dwRes);
        //TODO: goto Cleanup;
    }

    PSECURITY_DESCRIPTOR pSD = NULL;

    // Initialize a security descriptor.  
    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,
        SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (NULL == pSD)
    {
        printf("error");
    }

    if (!InitializeSecurityDescriptor(pSD,
        SECURITY_DESCRIPTOR_REVISION))
    {
        
        printf("error");
    }

    // Add the ACL to the security descriptor. 
    if (!SetSecurityDescriptorDacl(pSD,
        TRUE,     // bDaclPresent flag   
        pNewDACL,
        FALSE))   // not a default DACL
    {
        printf("error");
    }
    SECURITY_ATTRIBUTES sa;
    // Initialize a security attributes structure.
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE;

    HANDLE hFile = CreateFileA(filename, GENERIC_ALL, 0, &sa, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);

With this code I managed to make the file not accessible for any user, so it's great progress. However, I have no idea how to make it accessible for another project, for example:

    #include <fstream>
    #include <iostream>

    int main()
    {
        std::cout << "Hello World!\n";
        std::fstream testfile;
        // basically in another project
        testfile.open("created_file.txt", std::ios::out);

        testfile.write("elo", 3);
        testfile.close();
    }

I believe that maybe there is a way to get the process SID and then give full access to its SID, but the question is: how could I get the process SID?

szefitoo
  • All files and directories have owners. I don't know the API functions to use to work with file ownership, but you could remove all but `SYSTEM`. – Some programmer dude Jul 19 '22 at 10:33
  • You should look into `SetSecurityDescriptorOwner()` and `SetFileSecurity()`. – Cyclonecode Jul 19 '22 at 10:43
  • Route access to the file through the driver itself? Make an API/Interface to modify settings and let the driver change the actual file? This will allow you to change the file format (e.g. add encryption), or even change ways to store that data completely (e.g. database/registry/cloud) without having to change the client (application code). – Pepijn Kramer Jul 19 '22 at 10:53
  • [This should be helpful](https://learn.microsoft.com/en-us/windows/win32/secauthz/modifying-the-acls-of-an-object-in-c--?redirectedfrom=MSDN) even if it is in C++ you should be able to make use of it – Farid Fakhry Jul 20 '22 at 14:40
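
Why the deny-Everyone entry in the question also locks out the reading application, and what an allow-only DACL does instead, shown with a simplified model of the DACL access check. This is an added example, not code from the question or the comments; it assumes the reading application runs as LocalSystem, and the rights bit values, the user SID and the allow entry next to the deny are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified model of the DACL access check (not Win32 code). It ignores
// owner rights, privileges and inheritance. Bit values are constructed.
enum class AceType { Allow, Deny };
struct Ace { AceType type; std::string sid; uint32_t mask; };
using Token = std::vector<std::string>;  // SIDs carried by the caller's token
constexpr uint32_t F_READ = 0x1, F_WRITE = 0x2, F_ALL = F_READ | F_WRITE;

const std::string EVERYONE = "S-1-1-0", SYSTEM_SID = "S-1-5-18",
                  ADMINS = "S-1-5-32-544", USERS = "S-1-5-32-545";

// ACEs are walked in order: a matching deny on a still-needed bit fails the
// request; matching allows accumulate until every requested bit is granted.
bool access_check(const std::vector<Ace>& dacl, const Token& tok, uint32_t desired) {
    uint32_t remaining = desired;
    for (const Ace& ace : dacl) {
        if (std::find(tok.begin(), tok.end(), ace.sid) == tok.end()) continue;
        if (ace.type == AceType::Deny) {
            if (ace.mask & remaining) return false;
        } else {
            remaining &= ~ace.mask;
        }
        if (remaining == 0) return true;
    }
    return remaining == 0;  // bits no ACE granted are implicitly denied
}

// Assumption: the reading app runs as LocalSystem; its token carries Everyone too.
Token system_token() { return {SYSTEM_SID, ADMINS, EVERYONE}; }
// Constructed SID for an ordinary interactive user.
Token user_token() { return {"S-1-5-21-0-0-0-1001", USERS, EVERYONE}; }

// Question's pattern: deny Everyone (the allow for SYSTEM is hypothetical).
std::vector<Ace> deny_everyone_dacl() {
    return {{AceType::Deny, EVERYONE, F_ALL}, {AceType::Allow, SYSTEM_SID, F_ALL}};
}
// Allow-only alternative: no deny ACE, nothing granted to ordinary users.
std::vector<Ace> allow_only_dacl() {
    return {{AceType::Allow, SYSTEM_SID, F_ALL}, {AceType::Allow, ADMINS, F_ALL}};
}

int main() {
    std::printf("deny-Everyone, SYSTEM: %d\n", access_check(deny_everyone_dacl(), system_token(), F_READ));
    std::printf("allow-only, SYSTEM:    %d\n", access_check(allow_only_dacl(), system_token(), F_ALL));
    std::printf("allow-only, user:      %d\n", access_check(allow_only_dacl(), user_token(), F_READ));
}
```

On a real file, the allow-only DACL corresponds to explicit-access entries that use `GRANT_ACCESS` for the SYSTEM and Administrators SIDs, with no `DENY_ACCESS` entry at all.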

0 Answers