Reading from TCP device object
I'm trying to open a handle to the TCP object device driver.
This is my code:
NTSTATUS OpenTcpDeviceObject(PHANDLE tcpFile, ACCESS_MASK DesiredAccess) {
UNICODE_STRING fileName;
OBJECT_ATTRIBUTES objectAttributes;
IO_STATUS_BLOCK IOBlock;
RtlInitUnicodeString(&fileName, TEXT("\\Device\\Tcp"));
InitializeObjectAttributes(
&objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
NTSTATUS Status = NtOpenFile(
tcpFile, DesiredAccess | SYNCHRONIZE, &objectAttributes, &IOBlock,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT);
if (!NT_SUCCESS(Status))
*tcpFile = INVALID_HANDLE_VALUE;
return Status;
}
However Status returns
-1073741790ACCESS_MASKFILE_READ_DATANOTE
The
StatusERROR_ACCESS_DENIED (5)So what is the problem?
the \Device\Tcp have next DACL
T FL AcessMsK Sid
A 00 001200A0 S-1-1-0 'Everyone'
A 00 001F01FF S-1-5-18 'SYSTEM'
A 00 001F01FF S-1-5-32-544 'Administrators'
A 00 001200A0 S-1-5-12 'RESTRICTED'
if you not SYSTEM or Administrators yo have only FILE_READ_ATTRIBUTES|FILE_EXECUTE|SYNCHRONIZE|READ_CONTROL or this combination declared as FILE_GENERIC_EXECUTE in wdm.h. so you not have FILE_READ_DATA access and must got c00000022 when you ask for FILE_READ_DATA
about GetAdaptersAddresses - it not open tcp device with FILE_READ_DATA. he ask only FILE_READ_ATTRIBUTES|SYNCHRONIZE. you never will be call ZwReadFile on tcp device. we got info from it via ZwDeviceIoControlFile. required access is encoded in every IOCTL code and most IOCTL codes declared as FILE_ANY_ACCESS - this mean that file handle with any access is ok. for example IOCTL_TCP_QUERY_INFORMATION_EX defined as CTL_CODE(FILE_DEVICE_NETWORK, METHOD_NEITHER, FILE_ANY_ACCESS) - so you not need read data access to file. open file with SYNCHRONIZE access only - this will be enough.
and as note GetAdaptersAddresses use \Device\Nsi on latest windows versions