Sunday 3 November 2013

Object Security - Object Manager

As promised, I'm going to explain some other topics relating to Objects and the Object Manager.

When a process is created, and then wishing to use the object, either through opening a handle or using a pointer (reserved for kernel), then it must inform the Object Manager of which access rights it wishes to acquire. For example, opening a handle to a file object (can be a storage device), it may wish to read or write to that device. If so, the Object Manager will need to call the Security Reference Monitor, and show the desired access rights of the process, if the object's security descriptor permits these access rights, then the process gains a granted access rights.

We can view the access rights of a object using WinObj, ensure your running the program as a Administrator, by clicking File and and then Run As Administrator.

Here is an example of using a Object directory, and then viewing it's security access rights. Right-Click the Object Type/Directory, and then select Properties.

We can view the Security Descriptor of a object using WinDbg, I'm using a process object in this example:

Enter the !process extension, to obtain the address of the process object, to be used with the !object extension.

Now, use the !object extension with the address of the process object, this will give us the address of the Object Header data structure, which will contain the Security Descriptor field, which in turn will contain the address of the Security Descriptor to be used with the !sd extension.

Use !sd extension with the address in the Security Descriptor field to obtain all the Security Descriptor information. Since, the !sd extension didn't work in my Kernel Memory dump, I've taken the example from the WinDbg documentation.

I'm unlikely to be able to explain every detail of how Security Descriptors are formed, and all the internals of Object Security, since it's a wide topic for a blog post.

I'll explain some of the fields for the !sd extension:

Revision: Version of the SRM (Security Reference Monitor) security model. 

Flags: Characteristics of the security descriptor.

Owner: Owner SID, or security ID.

Group: Group SID for primary group for the object.

The flags which are currently set are:

SE_DACL_PRESENT: Indicates that the security descriptor has a discretionary access control list present (DACL), which shows who has access to that object. If this flag is not set or NULL, then everyone has full access to that object.

SE_SELF_RELATIVE: Indicates that the security descriptor has all the security information in one continuous block of memory (most likely a array).

We can also view security descriptor information in Process Explorer.

No comments:

Post a Comment