OSRLogoOSRLogoOSRLogo x Subscribe to The NT Insider

Everything Windows Driver Development

GoToHomePage xLoginx

    Thu, 14 Mar 2019     118020 members


  Online Dump Analyzer
OSR Dev Blog
The NT Insider
The Basics
File Systems
ListServer / Forum
  Express Links
  · The NT Insider Digital Edition - May-June 2016 Now Available!
  · Windows 8.1 Update: VS Express Now Supported
  · HCK Client install on Windows N versions
  · There's a WDFSTRING?
  · When CAN You Call WdfIoQueueP...ously

IoValidateDeviceIoControlAccess() in XP SP1/.NET

Suppose you want to implement more security in your driver, specifically on your IOCTLs.  But, when you defined those IOCTLs, you created them with FILE_ANY_ACCESS.  Now, you wish you had specified either FILE_READ_ACCESS or FILE_WRITE_ACCESS, or both.

You can't change the IOCTL definitions if you have already written or distributed apps that use these IOCTLs.   What's a driver writer to do?  Use a new feature provided in the XP SP1 DDK precisely for this purpose.   Windows XP SP1 and Windows .NET set new flags in the IRP's I/O stack location flags word to indicate the access granted to a driver when processing an IOCTL.

The new flags added to the IRP are:

SL_READ_ACCESS_GRANTED -    This flag is set in IoStack->Flags of the IRP if the handle was opened with READ_DATA access.

SL_WRITE_ACCESS_GRANTED -  This flag is set in IoStack->Flags of the IRP if the handle was opened with WRITE_DATA access.

The function used to check this is:



    IN  PIRP    Irp,

    IN  ULONG   RequiredAccess);

The RequestAccess argument is an access mask, which may be FILE_READ_ACCESS, FILE_WRITE_ACCESS or both.





You can use this function directly, if your code only needs to run on XP SP1 or later.  However, if you need your code to run on older systems, you can still call this function by including the header file WDMSEC.H and linking with the library WDMSEC.LIB.  Just like IoCreateDeviceSecure, this includes the code in your driver.  The function in the library also is aware of which system you're running on, and returns STATUS_SUCCESS on systems where these flags are not supported, so backward compatibility is guaranteed.

User Comments
Rate this article and give us feedback. Do you find anything missing? Share your opinion with the community!
Post Your Comment

Post Your Comments.
Print this article.
Email this article.
bottom nav links