Bugcheck C4 (DRIVER_VERIFIER_DETECTED_VIOLATION) about systeminformer HOT 7 CLOSED

@mxmauro

Converting a user-mode handle to kernel-mode handle would be a bad idea since it could be abused to elevate handle privileges?

Driver Verifier can also be problematic because it's not designed for software drivers and additionally KProcessHacker blocks it's queries since verifier hasn't been signed with our certificate.

RE: suggestions.

A) IsKernelHandle is identical to ObIsKernelHandle.
b) Including pdb files with the binary distribution would allow plugins to call non-exported functions and bypass security restrictions.

from systeminformer.

Hi @dmex , well it is not a conversion exactly. Is re-opening the handle in kernel mode to do the check and close it. There is no security issues because the driver is not sending the duplicated handle to user mode.

from systeminformer.

@mxmauro

just wanted to be sure since "convert the user-mode handle to kernel-mode" can have a different meaning to "re-opening the handle in kernel mode to do the check" 😉

I'm going to close this since we're replacing the driver and this issue is no longer a problem with new version 👍

from systeminformer.

Glad to hear about a new version. Excellent job.

Kind regards.

from systeminformer.

@mxmauro

MS finally fixed one of the pdb security flaws:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1037

from systeminformer.

Hi @dmex I'm a bit lost about relationship between the pdb vulnerability and user/kernel mode handle conversion. Regards.

from systeminformer.

@mxmauro You asked me to include pdb files with the releases in addition to the handle conversion?

b) Include .pdb files in binary distributions.

from systeminformer.