
Access kernel objects in different TS sessions?


Gudrun Berger

Nov 30, 2006, 8:49:37 AM
Is it possible for an (administrative) process to modify DACLs of objects
in a different TS session?

Olof Lagerkvist

Nov 30, 2006, 4:35:47 PM
Gudrun Berger wrote:

> Is it possible for an (administrative) process to modify DACLs of objects
> in a different TS session?

Kernel objects? Yes, you will find them under
Session\<sessionnumber>\<nameofobject> in user mode with Win32 calls or
\Session\<sessionnumber>\BaseNamedObjects\<nameofobject> in kernel mode
or with user mode native calls.

For example, to open an event object called "abc" in session 2:

OpenEvent("Session\\2\\abc", ...)

--
Olof Lagerkvist
ICQ: 724451
Web: http://here.is/olof

Gudrun Berger

Dec 1, 2006, 5:29:39 AM
Thanks Olof!

>
> Kernel objects? Yes, you will find them under
> Session\<sessionnumber>\<nameofobject> in user mode with Win32 calls or
> \Session\<sessionnumber>\BaseNamedObjects\<nameofobject> in kernel mode
> or with user mode native calls.
>
> For example, to open an event object called "abc" in session 2:
>
> OpenEvent("Session\\2\\abc", ...)
>

I tried to open my current window station Winsta0 this way but both
calls failed with different error codes:

OpenWindowStation("\\Session\\0\\BaseNamedObjects\\Winsta0", FALSE,
STANDARD_RIGHTS_READ);

GetLastError returns 161 (invalid path)

OpenWindowStation("Session\\0\\Winsta0", FALSE, STANDARD_RIGHTS_READ);
GetLastError returns 3 (path not found)


Is there any other way to open and modify Winsta0 in a different session?

Olof Lagerkvist

Dec 1, 2006, 6:40:02 AM
Gudrun Berger wrote:
> Thanks Olof!
>
>>
>> Kernel objects? Yes, you will find them under
>> Session\<sessionnumber>\<nameofobject> in user mode with Win32 calls
>> or \Session\<sessionnumber>\BaseNamedObjects\<nameofobject> in kernel
>> mode or with user mode native calls.
>>
>> For example, to open an event object called "abc" in session 2:
>>
>> OpenEvent("Session\\2\\abc", ...)

Typo, it should be "Sessions", not "Session", in the examples above but
anyway it does not help in your case.

> I tried to open my current windowsstation Winsta0 this way but both
> calls failed with different error codes:

Window Station objects are created by the Win32 subsystem under
\Windows\WindowStations in the kernel object namespace, not under
\BaseNamedObjects as objects like e.g. events, file-mapping and
semaphores are. The method I described can only be used for kernel
objects under \BaseNamedObjects.

> Is there any other way to open and modify Winsta0 in a different session?

I don't know of any easy documented way, but it might be possible to
create a symbolic link object under \Windows\WindowStations in the
object namespace and let that link point to
\Sessions\<sessionnumber>\Windows\WindowStations\<windowstationname>
where the Window Station objects for each session are.

There is no documented way of creating symbolic links from user-mode,
but there is an undocumented call in ntdll.dll,
NtCreateSymbolicLinkObject(), that does it.
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Symbolic%20Link/NtCreateSymbolicLinkObject.html

It is however fully documented how to create a symbolic link in kernel-mode.
http://msdn.microsoft.com/library/en-us/Kernel_r/hh/Kernel_r/k104_72bb6571-da2d-4027-bfcd-24438e3bd08a.xml.asp

Gudrun Berger

Dec 1, 2006, 9:17:52 AM
Hi Olof!

Thank you for your info!

I will try that and keep you posted!

Gudrun Berger

Dec 4, 2006, 8:02:16 AM
Hi Olof!

I messed around a little with symbolic links but somehow the results
puzzle me - not sure whether I'm doing it correctly.

As a starting point I try to open Winsta0 of a different session and
dump the DACL of that object.

I use some code like the following:

---------------------------------- Start Code snippet ---------
int main()
{
    NTSTATUS ntS;
    HANDLE SymLink, Section;
    OBJECT_ATTRIBUTES ObAttributes;
    char *p;
    HANDLE h;

    INIT_UNICODE(ObName,
                 L"\\Sessions\\2\\Windows\\WindowStations\\Winsta0");
    INIT_UNICODE(ObNewName, L"\\??\\Test");

    p = (char *)ObName.Buffer;

    InitializeObjectAttributes(&ObAttributes,
                               &ObNewName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    ntS = NtCreateSymbolicLinkObject(&SymLink, SYMBOLIC_LINK_ALL_ACCESS,
                                     &ObAttributes, &ObName);
    if (ntS != STATUS_SUCCESS) {
        printf("error: NtCreateSymbolicLinkObject (code: %x)\n", ntS);
        return(0);
    }

    DumpWistaDesktopDacl2(SymLink);

....
....
---------------------------------- end Code snippet ---------

(The routine DumpWistaDesktopDacl2() I adapted from Felix Kaszca's
website so I suppose the code is ok).

What puzzles me:

I tried
\\Sessions\\0\\Windows\\WindowStations\\Winsta0
\\Sessions\\0\\Windows\\WindowStations\\Winsta0\Default
\\Sessions\\2\\Windows\\WindowStations\\Winsta0
\\Sessions\\2\\Windows\\WindowStations\\Winsta0\Default

(Session 2 actually exists)

Regardless of which Winsta0 or desktop I create a symlink to, I always get
the same results.

Something is supposed to be incorrect ......


Can you help me?
