I have a handle associated with some file and I need to get its security descriptor in WinDbg kernel mode, but I cannot find it anywhere.
Here is the output of the !handle command:
WINDBG>!handle 0x9c
PROCESS ffffd20753ab2080
SessionId: 1 Cid: 0900 Peb: 10f583c000 ParentCid: 069c
DirBase: 19874f000 ObjectTable: ffff8f0f4c2ac840 HandleCount: 41.
Image: CreateFileTests.exe
Handle table at ffff8f0f4c2ac840 with 41 entries in use
009c: Object: ffffd20750657b40 GrantedAccess: 00120089 (Protected) Entry: ffff8f0f4b7fe270
Object: ffffd20750657b40 Type: (ffffca02924f37a0) File
ObjectHeader: ffffd20750657b10 (new version)
HandleCount: 1 PointerCount: 32767
Directory Object: 00000000 Name: TESTtest.txt {HarddiskVolume3}
Displaying the object header (ffffd20750657b10):
WINDBG>dt nt!_OBJECT_HEADER ffffd20750657b10
+0x000 PointerCount : 0n32767
+0x008 HandleCount : 0n1
+0x008 NextToFree : 0x00000000`00000001 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : 0x65 'e'
+0x019 TraceFlags : 0 ''
+0x019 DbgRefTrace : 0y0
+0x019 DbgTracePermanent : 0y0
+0x01a InfoMask : 0x4c 'L'
+0x01b Flags : 0 ''
+0x01b NewObject : 0y0
+0x01b KernelObject : 0y0
+0x01b KernelOnlyAccess : 0y0
+0x01b ExclusiveObject : 0y0
+0x01b PermanentObject : 0y0
+0x01b DefaultSecurityQuota : 0y0
+0x01b SingleHandleEntry : 0y0
+0x01b DeletedInline : 0y0
+0x01c Reserved : 0
+0x020 ObjectCreateInfo : 0xfffff800`84453ac0 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : 0xfffff800`84453ac0 Void
+0x028 SecurityDescriptor : (null)
+0x030 Body : _QUAD
As you can see, the SecurityDescriptor field is null:
+0x028 SecurityDescriptor : (null)
I tried to get it from _FILE_OBJECT->FsContext and from _OBJECT_CREATE_INFORMATION->SecurityDescriptor, with the same result.
Sysinternals Process Explorer also cannot access file security descriptors from the Handles tab.
It's not a file-specific issue, because I can view the security attributes in File Explorer, but that's not what I need.
So the question is:
Is there any way to get the security descriptor of a file by its handle in a kernel-mode debugger?
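As an added illustration that is not part of the original question: a small Python parser for the 0x30-byte x64 nt!_OBJECT_HEADER layout shown in the dt output above, which strips the low-order EX_FAST_REF count bits that the SecurityDescriptor field carries (they must be masked off before the pointer is dereferenced or handed to !sd) and reports the (null) case from the question instead of dereferencing it. The header bytes and the non-null SD value are constructed samples, not values from the page; the object-to-header distance (0x30) and the field values come from the dt output.

```python
import struct
from typing import Optional

# Layout copied from the x64 "dt nt!_OBJECT_HEADER" output on this page.
# Unions (HandleCount/NextToFree, ObjectCreateInfo/QuotaBlockCharged, the
# Flags bitfield) are read as their widest member.
OBJECT_HEADER_FMT = "<qqQBBBBIQQ"      # 0x30 bytes; Body starts at +0x030
OBJECT_HEADER_SIZE = struct.calcsize(OBJECT_HEADER_FMT)
SD_FAST_REF_MASK = 0xF   # EX_FAST_REF on x64: low 4 bits of the SD pointer are a ref count

def object_header_address(object_address: int) -> int:
    """The body follows the header: ObjectHeader = Object - sizeof(_OBJECT_HEADER)."""
    return object_address - OBJECT_HEADER_SIZE

def security_descriptor_address(sd_field: int) -> Optional[int]:
    """Return the real SD pointer, or None when the object manager holds no SD."""
    addr = sd_field & ~SD_FAST_REF_MASK
    return addr if addr else None

def parse_object_header(raw: bytes) -> dict:
    """Decode the first 0x30 bytes of an _OBJECT_HEADER read from a dump."""
    if len(raw) < OBJECT_HEADER_SIZE:
        raise ValueError("need at least 0x30 bytes of header")
    (pointer_count, handle_count, _lock, type_index, trace_flags, info_mask,
     flags, _reserved, create_info, sd_field) = struct.unpack_from(OBJECT_HEADER_FMT, raw)
    return {
        "pointer_count": pointer_count,
        "handle_count": handle_count,
        "type_index": type_index,
        "trace_flags": trace_flags,
        "info_mask": info_mask,
        "flags": flags,
        "object_create_info": create_info,
        "security_descriptor": security_descriptor_address(sd_field),
    }

def build_sample_header(sd_field: int) -> bytes:
    """Constructed header bytes using the field values shown in the page's dt output."""
    return struct.pack(OBJECT_HEADER_FMT, 32767, 1, 0, 0x65, 0, 0x4C, 0, 0,
                       0xFFFFF80084453AC0, sd_field)

# Constructed sample matching the page: a file object whose SD field is (null).
SAMPLE_FILE_HEADER = build_sample_header(0)

if __name__ == "__main__":
    print(hex(object_header_address(0xFFFFD20750657B40)))            # 0xffffd20750657b10
    print(parse_object_header(SAMPLE_FILE_HEADER)["security_descriptor"])  # None
    # Hypothetical non-file object whose SD field carries two fast-ref count bits.
    other = parse_object_header(build_sample_header(0xFFFFC10A12345003))
    print(hex(other["security_descriptor"]))                          # 0xffffc10a12345000
```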