In Windows XP SP2, access to PhysicalMemory, call NtOpenSection denied
???
Posted on 2005-01-17 00:23:31 by Ctrl+Break
Are you opening it for reading or writing? Write access requires modifying the ACL, even for an admin. Maybe even read is denied by default on SP2 - check it. The snippet below (NASM) sets the required access to the kernel handle:

; open handle to the object
callf NtOpenSection, mem_section, WRITE_DAC|READ_CONTROL, obj_attr
callf NtErrorTest, e_opens1

; get security descriptor
callf GetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, p_old_dacl, 0, p_sec_descr
callf ErrorTestZ, e_getsec

; modify access rights ;]
mov dword [access+EXPLICIT_ACCESS.grfAccessPermissions], SECTION_ALL_ACCESS
mov dword [access+EXPLICIT_ACCESS.grfAccessMode], GRANT_ACCESS
mov dword [access+EXPLICIT_ACCESS.grfInheritance], NO_INHERITANCE
mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.MultipleTrusteeOperation], NO_MULTIPLE_TRUSTEE
mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeForm], TRUSTEE_IS_NAME
mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeType], TRUSTEE_IS_USER
mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.ptstrName], s_cur_user

; create new acl
callf SetEntriesInAclA, 1, access, [p_old_dacl], p_new_dacl
callf ErrorTestZ, e_setacl

; update security descriptor with new acl
callf SetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, [p_new_dacl], 0
callf ErrorTestZ, e_setsec

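; free the buffers allocated by GetSecurityInfo and SetEntriesInAclA
; (LocalFree takes the pointer value, not the address of the variable)
callf LocalFree, [p_sec_descr]
callf LocalFree, [p_new_dacl]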
callf NtClose, [mem_section]

; ok.. now we have writable physical memory ;]
; open it in r/w mode
callf NtOpenSection, mem_section, SECTION_MAP_READ|SECTION_MAP_WRITE, obj_attr
callf NtErrorTest, e_opens2
...
align 4
obj_attr: dd OBJECT_ATTRIBUTES_SIZE
dd 0
dd mem_dev_name
dd OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE
dd 0
dd 0

access times EXPLICIT_ACCESS_SIZE db 0
mem_section resd 1
p_old_dacl resd 1
p_new_dacl resd 1
p_sec_descr resd 1

Posted on 2005-01-17 12:18:59 by omega_red
omega_red, does that code (permanently) replace the ACL for physicalmemory? If so, I think it would be a good idea to restore the old ACL after you have done what you need to do...
Posted on 2005-01-17 17:47:14 by f0dder
I tried
ACL modified
However, access denied!
I will post code later!
Thanks
Posted on 2005-01-18 21:27:57 by Ctrl+Break
Ctrl+Break, do you have administrative rights?
Posted on 2005-01-18 23:07:23 by f0dder
> omega_red, does that code (permanently) replace the ACL for physicalmemory? If so, I think it would be a good idea to restore the old ACL after you have done what you need to do...

It is code from program startup; after (in this case) reading the descriptor tables, the ACL is restored to its normal state.
Posted on 2005-01-19 12:39:45 by omega_red
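
Following up on the question of whether the modified ACL is left in place: the check below flags an allow-ACE that grants write or WRITE_DAC on the section to anyone other than SYSTEM. It is an added example, not code from the thread. It parses the binary ACL layout (the bytes a PACL such as p_old_dacl points to); the SYSTEM-only write baseline and the sample SIDs and masks are constructed assumptions.

```python
import struct

SECTION_MAP_WRITE = 0x0002
WRITE_DAC = 0x00040000
SECTION_ALL_ACCESS = 0x000F001F
LOCAL_SYSTEM = "S-1-5-18"  # assumption: only SYSTEM may hold write rights

def parse_sid(buf):
    """Decode a binary SID into S-R-I-S... string form."""
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % buf[1], buf, 8)
    return "S-%d-%d" % (buf[0], authority) + "".join("-%d" % s for s in subs)

def parse_acl(acl):
    """Yield (ace_type, mask, sid) for ACCESS_ALLOWED (0) / ACCESS_DENIED (1) ACEs."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    if acl_size > len(acl):
        raise ValueError("ACL header claims more bytes than supplied")
    off = 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 16 or off + ace_size > acl_size:
            raise ValueError("malformed ACE at offset %d" % off)
        if ace_type in (0, 1):  # other ACE types use a different body layout
            (mask,) = struct.unpack_from("<I", acl, off + 4)
            yield ace_type, mask, parse_sid(acl[off + 8:off + ace_size])
        off += ace_size

def risky_aces(acl):
    """Allow-ACEs letting a non-SYSTEM trustee map the section writable or edit its DACL."""
    return [(sid, mask) for ace_type, mask, sid in parse_acl(acl)
            if ace_type == 0 and sid != LOCAL_SYSTEM
            and mask & (SECTION_MAP_WRITE | WRITE_DAC)]

# --- constructed sample data (not captured from a real system) ---
def _sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def _ace(mask, sid):
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid
def _acl(*aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

SYSTEM_ACE = _ace(SECTION_ALL_ACCESS, _sid(5, 18))
ADMIN_ACE = _ace(0x00020004, _sid(5, 32, 544))  # READ_CONTROL | SECTION_MAP_READ
USER_ACE = _ace(SECTION_ALL_ACCESS, _sid(5, 21, 1111, 2222, 3333, 1003))  # made-up SID
BASELINE = _acl(SYSTEM_ACE, ADMIN_ACE)
MODIFIED = _acl(USER_ACE, SYSTEM_ACE, ADMIN_ACE)
```

Here `risky_aces(BASELINE)` is empty, while `risky_aces(MODIFIED)` reports the user ACE with the SECTION_ALL_ACCESS mask.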