I'm trying to open a handle to the TCP object device driver.
This is my code:
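    #include <windows.h>
    #include <winternl.h>

    // Opens \Device\Tcp with the requested access. On failure *tcpFile is set
    // to INVALID_HANDLE_VALUE and the NTSTATUS from NtOpenFile is returned.
    NTSTATUS OpenTcpDeviceObject(PHANDLE tcpFile, ACCESS_MASK DesiredAccess) {
        UNICODE_STRING fileName;
        OBJECT_ATTRIBUTES objectAttributes;
        IO_STATUS_BLOCK IOBlock;

        // RtlInitUnicodeString takes a wide string, so use L"" instead of TEXT().
        RtlInitUnicodeString(&fileName, L"\\Device\\Tcp");
        InitializeObjectAttributes(
            &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        // SYNCHRONIZE is required together with FILE_SYNCHRONOUS_IO_NONALERT.
        NTSTATUS Status = NtOpenFile(
            tcpFile, DesiredAccess | SYNCHRONIZE, &objectAttributes, &IOBlock,
            FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT);
        if (!NT_SUCCESS(Status))
            *tcpFile = INVALID_HANDLE_VALUE;
        return Status;
    }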
-1073741790
ACCESS_MASK
FILE_READ_DATA
Status
ERROR_ACCESS_DENIED (5)
\Device\Tcp has the following DACL:

    T FL AcessMsK Sid
    A 00 001200A0 S-1-1-0 'Everyone'
    A 00 001F01FF S-1-5-18 'SYSTEM'
    A 00 001F01FF S-1-5-32-544 'Administrators'
    A 00 001200A0 S-1-5-12 'RESTRICTED'

If you are not SYSTEM or Administrators, you have only FILE_READ_ATTRIBUTES|FILE_EXECUTE|SYNCHRONIZE|READ_CONTROL (this combination is declared as FILE_GENERIC_EXECUTE in wdm.h). So you do not have FILE_READ_DATA access and must get c00000022 when you ask for FILE_READ_DATA.

About GetAdaptersAddresses: it does not open the tcp device with FILE_READ_DATA. It asks only for FILE_READ_ATTRIBUTES|SYNCHRONIZE. You will never call ZwReadFile on the tcp device. We get info from it via ZwDeviceIoControlFile. The required access is encoded in every IOCTL code, and most IOCTL codes are declared as FILE_ANY_ACCESS, which means that a file handle with any access is OK. For example, IOCTL_TCP_QUERY_INFORMATION_EX is defined as CTL_CODE(FILE_DEVICE_NETWORK, METHOD_NEITHER, FILE_ANY_ACCESS), so you do not need read data access to the file. Open the file with SYNCHRONIZE access only; this will be enough.

As a note, GetAdaptersAddresses uses \Device\Nsi on the latest Windows versions.
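The two checks described in the answer above, worked through as an added example (not part of the original post or of any Windows header): the `Everyone` mask `001200A0` is compared with the requested access, and the access bits are read back out of an IOCTL code. The constants carry their winnt.h/wdm.h values but are redefined here so the code builds on any platform; the function names, the single-ACE access check and the IOCTL function number 0 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Access bits with the winnt.h/wdm.h values, redefined so this builds anywhere. */
#define FILE_READ_DATA       0x00000001u
#define FILE_WRITE_DATA      0x00000002u
#define FILE_EXECUTE         0x00000020u
#define FILE_READ_ATTRIBUTES 0x00000080u
#define READ_CONTROL         0x00020000u
#define SYNCHRONIZE          0x00100000u
#define FILE_GENERIC_EXECUTE (READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(fn) << 2) | (uint32_t)(method))
#define FILE_DEVICE_NETWORK 0x12u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u

#define EVERYONE_MASK 0x001200A0u /* 'Everyone' ACE from the DACL above */

/* Simplified check (assumption: one allow ACE applies, no deny ACEs or
   privileges): the open succeeds only if every desired bit is granted. */
int open_allowed(uint32_t granted, uint32_t desired) {
    return (desired & ~granted) == 0;
}

/* Handle rights an IOCTL demands, taken from bits 14-15 of its code. */
uint32_t ioctl_required_access(uint32_t code) {
    uint32_t bits = (code >> 14) & 3u, need = 0;
    if (bits & FILE_READ_ACCESS)  need |= FILE_READ_DATA;
    if (bits & FILE_WRITE_ACCESS) need |= FILE_WRITE_DATA;
    return need;
}

int ioctl_allowed(uint32_t handle_access, uint32_t code) {
    return (ioctl_required_access(code) & ~handle_access) == 0;
}

int main(void) {
    /* Function number 0 is an assumption; it does not affect the access bits. */
    uint32_t query = CTL_CODE(FILE_DEVICE_NETWORK, 0, METHOD_NEITHER, FILE_ANY_ACCESS);
    printf("open FILE_READ_DATA|SYNCHRONIZE: %d\n", open_allowed(EVERYONE_MASK, FILE_READ_DATA | SYNCHRONIZE));
    printf("open SYNCHRONIZE only:           %d\n", open_allowed(EVERYONE_MASK, SYNCHRONIZE));
    printf("IOCTL on SYNCHRONIZE handle:     %d\n", ioctl_allowed(SYNCHRONIZE, query));
    return 0;
}
```

The same bit extraction is a quick way to audit a driver's IOCTL table: any code whose access field is `FILE_ANY_ACCESS` is reachable from every handle the device's DACL lets a caller open.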