itstartedwithkeyboards - 3 years ago 212
C Question

Reading from TCP device object

I'm trying to open a handle to the TCP object device driver.

This is my code:

#include <windows.h>
#include <winternl.h>   /* NtOpenFile, RtlInitUnicodeString, OBJECT_ATTRIBUTES; link with ntdll.lib */

/* FILE_SYNCHRONOUS_IO_NONALERT is a CreateOptions flag from the DDK headers;
   define it if the user-mode headers in use do not provide it. */
#ifndef FILE_SYNCHRONOUS_IO_NONALERT
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#endif

NTSTATUS OpenTcpDeviceObject(PHANDLE tcpFile, ACCESS_MASK DesiredAccess) {
    UNICODE_STRING fileName;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK IOBlock;
    NTSTATUS Status;

    /* RtlInitUnicodeString expects a wide string; TEXT() only yields one
       when UNICODE is defined, so use an explicit L"" literal. */
    RtlInitUnicodeString(&fileName, L"\\Device\\Tcp");

    InitializeObjectAttributes(
        &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* Synchronous open of the device; the caller chooses DesiredAccess. */
    Status = NtOpenFile(
        tcpFile, DesiredAccess | SYNCHRONIZE, &objectAttributes, &IOBlock,
        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT);

    if (!NT_SUCCESS(Status))
        *tcpFile = INVALID_HANDLE_VALUE;
    return Status;
}


However, Status returns -1073741790. The question is why this is not working. I'm running this from usermode, on a non-administrator account. From my understanding, this operation doesn't require admin privileges as long as I have the ACCESS_MASK set to FILE_READ_DATA.

NOTE

The Status that is returned maps to ERROR_ACCESS_DENIED (5) as a DOS error. But how can access be denied if I only ask for read permissions? However, when I run GetAdaptersAddresses, which accesses the Tcp device object, it allows me to access multicast/unicast addresses without privileges!

So what is the problem?

Answer Source

\Device\Tcp has the following DACL:

T  FL  AccessMask  Sid
A  00  001200A0    S-1-1-0       'Everyone'
A  00  001F01FF    S-1-5-18      'SYSTEM'
A  00  001F01FF    S-1-5-32-544  'Administrators'
A  00  001200A0    S-1-5-12      'RESTRICTED'

If you are not SYSTEM or Administrators, you have only FILE_READ_ATTRIBUTES|FILE_EXECUTE|SYNCHRONIZE|READ_CONTROL, the combination declared as FILE_GENERIC_EXECUTE in wdm.h. So you do not have FILE_READ_DATA access and must get 0xC0000022 when you ask for FILE_READ_DATA.

About GetAdaptersAddresses: it does not open the tcp device with FILE_READ_DATA. It asks only for FILE_READ_ATTRIBUTES|SYNCHRONIZE. You will never call ZwReadFile on the tcp device; we get info from it via ZwDeviceIoControlFile. The required access is encoded in every IOCTL code, and most IOCTL codes are declared as FILE_ANY_ACCESS, which means a file handle with any access is ok. For example, IOCTL_TCP_QUERY_INFORMATION_EX is defined as CTL_CODE(FILE_DEVICE_NETWORK, METHOD_NEITHER, FILE_ANY_ACCESS), so you do not need read data access to the file. Open the file with SYNCHRONIZE access only; this will be enough.

And as a note, GetAdaptersAddresses uses \Device\Nsi on the latest Windows versions.
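As an added example (not code from the question, the answer, or any Windows header), the following C program redefines the public winnt.h and devioctl.h constants so it builds without the Windows SDK, then replays the two checks the answer describes: whether the Everyone ACE 0x001200A0 from the DACL dump covers a request for FILE_READ_DATA | SYNCHRONIZE versus FILE_READ_ATTRIBUTES | SYNCHRONIZE, and how the access field inside a CTL_CODE decides which handles may issue the IOCTL. The function number 0 used to build IOCTL_TCP_QUERY_INFORMATION_EX is an assumption; the answer gives only the device type, method and access fields.

```c
/* Added example: decode NT file access masks and IOCTL access fields.
 * Constants are the public winnt.h / devioctl.h values, redefined here
 * so the program compiles on any platform. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;

/* File-specific rights (low 16 bits of the mask) */
#define FILE_READ_DATA         0x0001u
#define FILE_WRITE_DATA        0x0002u
#define FILE_APPEND_DATA       0x0004u
#define FILE_READ_EA           0x0008u
#define FILE_WRITE_EA          0x0010u
#define FILE_EXECUTE           0x0020u
#define FILE_DELETE_CHILD      0x0040u
#define FILE_READ_ATTRIBUTES   0x0080u
#define FILE_WRITE_ATTRIBUTES  0x0100u
/* Standard rights (bits 16..20) */
#define DELETE                 0x00010000u
#define READ_CONTROL           0x00020000u
#define WRITE_DAC              0x00040000u
#define WRITE_OWNER            0x00080000u
#define SYNCHRONIZE            0x00100000u

#define FILE_GENERIC_EXECUTE (READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)

/* ACE masks copied from the DACL dump in the answer */
#define EVERYONE_ACE_MASK 0x001200A0u
#define ADMINS_ACE_MASK   0x001F01FFu

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define METHOD_NEITHER      3u
#define FILE_DEVICE_NETWORK 0x12u
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))

/* Assumption: function number 0; the answer states only the other three fields. */
#define IOCTL_TCP_QUERY_INFORMATION_EX \
    CTL_CODE(FILE_DEVICE_NETWORK, 0, METHOD_NEITHER, FILE_ANY_ACCESS)

static const struct { ACCESS_MASK bit; const char *name; } kRights[] = {
    { FILE_READ_DATA, "FILE_READ_DATA" },       { FILE_WRITE_DATA, "FILE_WRITE_DATA" },
    { FILE_APPEND_DATA, "FILE_APPEND_DATA" },   { FILE_READ_EA, "FILE_READ_EA" },
    { FILE_WRITE_EA, "FILE_WRITE_EA" },         { FILE_EXECUTE, "FILE_EXECUTE" },
    { FILE_DELETE_CHILD, "FILE_DELETE_CHILD" }, { FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES" },
    { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" }, { DELETE, "DELETE" },
    { READ_CONTROL, "READ_CONTROL" },           { WRITE_DAC, "WRITE_DAC" },
    { WRITE_OWNER, "WRITE_OWNER" },             { SYNCHRONIZE, "SYNCHRONIZE" },
};

/* Render a mask as "A|B|C" (ascending bit order) into buf; unknown bits are left as hex. */
const char *describe_mask(ACCESS_MASK mask, char *buf, size_t len) {
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(mask & kRights[i].bit)) continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "|" : "", kRights[i].name);
        if (n < 0 || (size_t)n >= len - used) break;
        used += (size_t)n;
        mask &= ~kRights[i].bit;
    }
    if (mask) snprintf(buf + used, len - used, "%s0x%08X", used ? "|" : "", mask);
    return buf;
}

/* An allow ACE satisfies a request only if every requested bit is granted. */
int ace_grants(ACCESS_MASK granted, ACCESS_MASK requested) {
    return (requested & ~granted) == 0;
}

/* Bits 14..15 of an IOCTL code: FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS. */
unsigned ioctl_required_access(uint32_t code) { return (code >> 14) & 3u; }

/* The I/O manager admits an IOCTL when the handle's open access covers the code's
 * access field: READ needs FILE_READ_DATA, WRITE needs FILE_WRITE_DATA, ANY needs nothing. */
int handle_allows_ioctl(ACCESS_MASK handle_access, uint32_t code) {
    unsigned req = ioctl_required_access(code);
    if ((req & FILE_READ_ACCESS) && !(handle_access & FILE_READ_DATA)) return 0;
    if ((req & FILE_WRITE_ACCESS) && !(handle_access & FILE_WRITE_DATA)) return 0;
    return 1;
}

int main(void) {
    char buf[256];
    printf("Everyone ACE grants: %s\n", describe_mask(EVERYONE_ACE_MASK, buf, sizeof buf));
    printf("FILE_READ_DATA|SYNCHRONIZE allowed: %d\n",
           ace_grants(EVERYONE_ACE_MASK, FILE_READ_DATA | SYNCHRONIZE));
    printf("FILE_READ_ATTRIBUTES|SYNCHRONIZE allowed: %d\n",
           ace_grants(EVERYONE_ACE_MASK, FILE_READ_ATTRIBUTES | SYNCHRONIZE));
    printf("SYNCHRONIZE-only handle may send IOCTL 0x%08X: %d\n",
           IOCTL_TCP_QUERY_INFORMATION_EX,
           handle_allows_ioctl(SYNCHRONIZE, IOCTL_TCP_QUERY_INFORMATION_EX));
    return 0;
}
```

ace_grants is only the per-ACE bit test; a real SeAccessCheck also walks the token's SIDs (Everyone and RESTRICTED both appear in this DACL), maps GENERIC_* rights, and stops at deny ACEs. The point it reproduces is the one the answer makes: a non-administrator asking for FILE_READ_DATA fails on the first line, while the FILE_ANY_ACCESS IOCTL goes through on a handle opened with SYNCHRONIZE alone.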
