desowin/usbpcap

Communicate with filter driver without admin rights

bowtiejicode opened this issue · 2 comments

I am aware that USBPcapCMD.exe forces the application to run in elevated mode, but is it possible for someone to build their own user-land application (such that it runs without admin rights) to communicate with the filter driver (USBPcapDriver)?

I am not familiar with driver stuff, so I would appreciate it if you could clarify my doubts.

You can do that, but USBPcapDriver will refuse to give capture data to non-elevated user-space applications. In fact, USBPcapCMD does not require elevated mode to query the corresponding root hub (which is used by the extcap interface) - but that is the only action a non-elevated user-space application can do.

If you want to access capture data from non-elevated user-space, then you have to modify USBPcapDriver to allow it. The relevant code in the driver is

    status = IoCreateDeviceSecure(hubExt->pDrvObj,           /* owning driver object */
                                  sizeof(DEVICE_EXTENSION),  /* size of the per-device extension */
                                  &ntDeviceName,             /* \Device\... name that user mode opens */
                                  FILE_DEVICE_UNKNOWN,
                                  FILE_DEVICE_SECURE_OPEN,   /* apply the DACL to every open of the device */
                                  FALSE,                     /* Non-Exclusive device */
                                  &SDDL_DEVOBJ_SYS_ALL_ADM_ALL_EVERYONE_ANY, /* DACL shown below */
                                  NULL,                      /* no device class GUID */
                                  &controlDevice);

and the SDDL string is

    DECLARE_CONST_UNICODE_STRING(
        SDDL_DEVOBJ_SYS_ALL_ADM_ALL_EVERYONE_ANY,
        /* D:P   = protected DACL (no inherited ACEs)
         * SY/BA = GENERIC_ALL for Local System and Administrators
         * WD/RC = GENERIC_EXECUTE only for Everyone and Restricted Code */
        L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GX;;;WD)(A;;GX;;;RC)"
    );
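The SDDL string above is the access boundary of the control device: it decides which callers can even open a handle. The following Python script is an added example, not code from the usbpcap project, that decodes a device-object DACL of this form into its ACEs and reports the rights a caller's token would be granted. The alias tables are a constructed subset of the well-known SDDL abbreviations, and the access check is deliberately simplified (rights are treated as opaque tokens and a matching deny ACE removes the same token; Windows evaluates ACEs in order, bit by bit). It is useful for auditing a driver's device DACL before and after a change like the one discussed in this issue.

```python
"""Decode the SDDL DACL that protects a kernel device object (added example)."""
import re

# Constructed subset of the well-known SID aliases used in SDDL strings.
SID_ALIASES = {
    "SY": "Local System",
    "BA": "Builtin Administrators",
    "WD": "Everyone",
    "RC": "Restricted Code",
}

# Generic access-right abbreviations.
RIGHTS = {
    "GA": "GENERIC_ALL",
    "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}

ACE_TYPES = {"A": "ALLOW", "D": "DENY"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) for an SDDL string that starts with 'D:'."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string beginning with 'D:'")
    body = sddl[2:]
    first_paren = body.find("(")
    flags = body if first_paren < 0 else body[:first_paren]   # e.g. "P" = protected

    aces = []
    for match in ACE_RE.finditer(body):
        fields = match.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({match.group(1)})")
        ace_type, _ace_flags, rights, _obj, _inherit, sid = fields
        # Rights are either a hex mask or a run of two-letter abbreviations.
        if rights.startswith("0x"):
            rights_list = [rights]
        else:
            rights_list = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "rights": [RIGHTS.get(r, r) for r in rights_list],
            "sid": sid,
            "principal": SID_ALIASES.get(sid, sid),
        })
    return flags, aces


def effective_rights(aces, token_sids):
    """Simplified access check: union of ALLOW rights for the token's SIDs,
    minus any right named in a DENY ACE for those SIDs. Rights are opaque
    tokens here, so GENERIC_ALL is not expanded into the other generic rights."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["sid"] not in token_sids:
            continue
        target = allowed if ace["type"] == "ALLOW" else denied
        target.update(ace["rights"])
    return sorted(allowed - denied)


def describe(sddl):
    """Human-readable summary lines for the DACL."""
    flags, aces = parse_dacl(sddl)
    lines = [f"DACL flags: {flags or '(none)'}"]
    for ace in aces:
        lines.append(f"  {ace['type']:<5} {ace['principal']:<24} {', '.join(ace['rights'])}")
    return lines


# The DACL from the usbpcap driver as quoted in this issue.
USBPCAP_DEVOBJ_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GX;;;WD)(A;;GX;;;RC)"

if __name__ == "__main__":
    print("\n".join(describe(USBPCAP_DEVOBJ_SDDL)))
    _, aces = parse_dacl(USBPCAP_DEVOBJ_SDDL)
    # A standard user's token carries Everyone; an elevated admin also carries BA.
    print("standard user :", effective_rights(aces, {"WD"}))
    print("elevated admin:", effective_rights(aces, {"WD", "BA"}))
```

Run against the quoted string, the script shows that a standard user's token is granted only GENERIC_EXECUTE, which is enough to open the device and send the root-hub query but not to open it for read or write, while Local System and elevated Administrators get GENERIC_ALL; the refusal of capture data to non-elevated callers described in the answer is a separate check inside the driver, not something the DACL alone expresses.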

Thank you very much for the clarification!