The Missing Object Security Command
One of the most intriguing command omissions from the native debugger package is the ability to display extended security information (such as a security descriptor) for a kernel mode object from user mode via its associated user mode handle. The workaround is somewhat tedious and involves hooking up the kernel debugger (live or otherwise) and getting the security information from there. The most interesting part of this omission is that getting extended security information about a kernel mode object from user mode is relatively straightforward using the GetUserObjectSecurity API. As such, the first thing that popped into my mind was to write a custom debugger extension that achieved just that. Fortunately, before taking this approach, I did some research and found that such an extension already exists: it is called SDbgExt (developed by Skywing). In addition to extended security information it includes a lot of other excellent commands, such as:
* VC STL support
* Symbol commands
* Security commands
One of the commands in the security category is called objsec. The objsec command dumps the security descriptor of a kernel mode object given the associated user mode handle value. Let's take a look at an example of how to use the objsec extension command. I used notepad.exe as the target application (on an XP SP2 machine).
Prior to running the example, copy the debugger DLL (sdbgext.dll) into the WinExt folder of the debugger installation path. On my machine for example it would be located in the following folder:
C:\Program Files\Debugging Tools for Windows\winext
Launch an instance of notepad.exe under the debugger using the following command line:
C:\> ntsd notepad.exe
Once started, fix the symbols using:
.symfix
.reload
Issue the handle command to get a list of currently opened handles in the process:
0:001> !handle
Handle c
Type File
Handle 770
Type Section
...
...
...
Handle 7cc
Type Semaphore
Handle 7d0
Type WindowStation
Handle 7d4
Type Desktop
Handle 7d8
Type Event
Handle 7dc
Type Mutant
Handle 7e0
Type Directory
Handle 7e4
Type Key
Handle 7e8
Type WindowStation
Handle 7ec
Type Port
Handle 7f0
Type Directory
Handle 7f4
Type File
Handle 7f8
Type Directory
Handle 7fc
Type KeyedEvent
37 Handles
Type Count
Event 5
Section 4
File 4
Port 2
Directory 3
Mutant 8
WindowStation 2
Semaphore 3
Key 4
Desktop 1
KeyedEvent 1
Pick a handle that you are interested in and use the objsec extension command on that handle. For example, I chose the Directory object with handle 7f0:
0:001> !sdbgext.objsec 7f0
The object type is Directory
Security descriptor for object handle 7F0:
Owner: BUILTIN\Administrators
Primary group: NT AUTHORITY\SYSTEM
Revision: 1, Control: DaclPresent
Dacl: Revision 2 Size 48 bytes used, 8 bytes free, 2 ACEs present
Ace: Index 0 Flags: <empty> Type: AccessAllowedAce SecurityPrincipal: Everyone
AccessMask: Query Traverse ReadControl
Ace: Index 1 Flags: <empty> Type: AccessAllowedAce SecurityPrincipal: NT AUTHORITY\SYSTEM
AccessMask: Query Traverse CreateObject CreateSubdirectory Delete ReadControl WriteDac WriteOwner
Sacl: not present
The output of the objsec extension command shows the security descriptor associated with the kernel object represented by process-relative handle 7f0: the owner, the primary group, every access control entry and the access mask of each entry.
It is often necessary to analyze the security descriptor of a given object (for example when debugging access denied errors), and the objsec command of the SDbgExt extension DLL gives that power without having to resort to kernel mode debugging.
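The same user-mode path that objsec takes can be reproduced outside the debugger. The following PowerShell script is an added example written for this post, not code from SDbgExt or from Skywing: it calls the documented GetKernelObjectSecurity Win32 API through P/Invoke on a handle, parses the returned self-relative security descriptor with .NET's RawSecurityDescriptor, and prints owner, group and DACL entries with decoded access masks in the same spirit as the objsec output above. The target object (a mutex named Local\ObjsecExampleMutex), the Win32.Native wrapper type and the helper function names are assumptions made for the example; any handle that carries READ_CONTROL to any kernel object works in its place.

```powershell
# Added example: dump a kernel object's security descriptor from user mode via its handle.
# Not part of SDbgExt; uses the documented GetKernelObjectSecurity API and .NET parsing.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(
    IntPtr Handle,
    uint RequestedInformation,
    byte[] pSecurityDescriptor,
    uint nLength,
    out uint lpnLengthNeeded);
'@

# OWNER | GROUP | DACL. The SACL is not requested: reading it needs SeSecurityPrivilege
# and a handle opened with ACCESS_SYSTEM_SECURITY, which is why objsec often shows
# "Sacl: not present" for an ordinary handle.
$RequestedInfo = 0x1 -bor 0x2 -bor 0x4

# Standard rights (high word of the mask) plus the mutex-specific right, so the mask can be
# decoded the way objsec prints "ReadControl WriteDac WriteOwner".
$RightNames = [ordered]@{
    0x000001 = 'ModifyState'   # MUTEX_MODIFY_STATE (object-specific bit)
    0x010000 = 'Delete'
    0x020000 = 'ReadControl'
    0x040000 = 'WriteDac'
    0x080000 = 'WriteOwner'
    0x100000 = 'Synchronize'
}

function Get-KernelObjectSecurity {
    param([IntPtr]$Handle)
    # First call with no buffer to learn the required size, second call to fill it.
    $needed = [uint32]0
    [void][Win32.Native]::GetKernelObjectSecurity($Handle, $RequestedInfo, $null, 0, [ref]$needed)
    if ($needed -eq 0) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetKernelObjectSecurity failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    $buffer = [byte[]]::new($needed)
    if (-not [Win32.Native]::GetKernelObjectSecurity($Handle, $RequestedInfo, $buffer, $needed, [ref]$needed)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetKernelObjectSecurity failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    # The buffer holds a self-relative security descriptor, which .NET can parse directly.
    [System.Security.AccessControl.RawSecurityDescriptor]::new($buffer, 0)
}

function Format-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Resolve to DOMAIN\Name like objsec does; fall back to the raw SID if lookup fails.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Format-AccessMask {
    param([int]$Mask)
    $names = foreach ($bit in $RightNames.Keys) { if ($Mask -band $bit) { $RightNames[$bit] } }
    if (-not $names) { '0x{0:X}' -f $Mask } else { $names -join ' ' }
}

# Constructed target: a named mutex created by this script, so the handle is ours and
# carries READ_CONTROL. A handle duplicated from another process works the same way.
$mutex = [System.Threading.Mutex]::new($false, 'Local\ObjsecExampleMutex')
try {
    $sd = Get-KernelObjectSecurity -Handle $mutex.SafeWaitHandle.DangerousGetHandle()

    "Owner:         $(Format-Sid $sd.Owner)"
    "Primary group: $(Format-Sid $sd.Group)"
    "Control:       $($sd.ControlFlags)"
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL is the classic misconfiguration: it grants everyone full access.
        'Dacl: not present (NULL DACL, everyone has full access)'
    } else {
        "Dacl: $($sd.DiscretionaryAcl.Count) ACEs present"
        $i = 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            $who = if ($ace -is [System.Security.AccessControl.KnownAce]) { Format-Sid $ace.SecurityIdentifier } else { '?' }
            "  Ace: Index $i Flags: $($ace.AceFlags) Type: $($ace.AceType) SecurityPrincipal: $who"
            "    AccessMask: $(Format-AccessMask $ace.AccessMask)"
            $i++
        }
    }
    'Sacl: not requested'
} finally {
    $mutex.Dispose()
}
```

When chasing an access denied error, compare the decoded AccessMask of the ACEs that match the caller's token against the rights the failing API actually asked for; a request for WriteDac or WriteOwner on a handle whose ACE only grants ReadControl is the usual culprit. GetSecurityInfo with SE_KERNEL_OBJECT returns the same descriptor in parsed form if you prefer it to a raw buffer.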
For more information on this excellent debugger extension, please see the following links:
http://www.valhallalegends.com/skywing/
http://www.nynaeve.net/?p=6
Until next time.
Cheers,
Mario