Our examples so far have been resource and filesystem specific, but the first phase of the AccessCheck function is not. Certain APIs require special privilege to call, and Windows makes that access check decision in this same AccessCheck function. For example, anyone who can load a kernel-mode device driver can effectively take over the system, so it's important to restrict who can load device drivers. There is no DACL on any object that talks about loading device drivers. The API call itself doesn't have a DACL. Instead, access is granted or denied based on the SeLoadDriverPrivilege in the token of the calling process.

The privilege check inside AccessCheck is straightforward. If the requested privilege is in the token of the calling process, the access request is granted. If it is not, the access request is denied.
AccessCheck's DACL Check
The DACL check portion of the AccessCheck function is a little more involved. The caller of the AccessCheck function will pass in all the information needed to make the DACL check happen:

- Security descriptor protecting the object, showing who is granted what access
- Token of the process or thread requesting access, showing owner and group membership
- The specific desired access requested, in the form of an access mask

TIP Technically, the DACL check passes these things by reference and also passes some other stuff, but that's not super important right now.
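As an added example (not the book's code), here is a small Python model of the two AccessCheck phases this section describes: the privilege check against the caller's token, and the DACL check over the security descriptor's ACEs using the token and the desired access mask. It goes slightly beyond the text by encoding the documented ACE evaluation order (ACEs are walked in order, a deny ACE only takes effect while the request still has unsatisfied bits, a NULL DACL grants everything and an empty DACL grants nothing); the SIDs, mask bits and privilege names are constructed values.

```python
# Added model of the two AccessCheck phases; not the real Windows function.
from dataclasses import dataclass, field

# Access-mask bits used by this model (constructed; real masks are per object type).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee SID (constructed strings in the example)
    mask: int     # access bits this ACE grants or denies


@dataclass
class Token:
    user: str                                   # owner SID of the caller
    groups: set = field(default_factory=set)    # group SIDs in the token
    privileges: set = field(default_factory=set)

    def holds(self, sid):
        """True if the SID is the token's user or one of its groups."""
        return sid == self.user or sid in self.groups


def privilege_check(token, privilege):
    """Phase one: granted only if the named privilege is present in the token."""
    return privilege in token.privileges


def dacl_check(dacl, token, desired):
    """Phase two: walk the DACL in order. A matching deny ACE that covers any
    still-wanted bit denies immediately; matching allow ACEs strip bits from the
    request until none remain. dacl=None models a NULL DACL (grant all); an empty
    list models an empty DACL (grant nothing)."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if not token.holds(ace.sid):
            continue
        if not ace.allow and ace.mask & remaining:
            return False      # deny ACE hit before the request was satisfied
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True   # every desired bit granted
    return False              # ACEs exhausted with bits still unsatisfied
```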