October 22, 2024

Can KMDF driver check if an IOCTL came from an admin user-mode process?
I’m playing with a KMDF (kernel mode) sample driver that came with VS 2022.

I’ve added the following code to process IOCTL in my Queue.c:

VOID
TestEvtIoDeviceControl(
    _In_ WDFQUEUE Queue,
    _In_ WDFREQUEST Request,
    _In_ size_t OutputBufferLength,
    _In_ size_t InputBufferLength,
    _In_ ULONG IoControlCode
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    if(IoControlCode == IOCTL_MY_TEST)
    {
        REQ_TEST* pReq = NULL;
        size_t szcbRead = 0;

        // METHOD_BUFFERED: the framework hands back the system copy of the
        // caller's input buffer; fails if it is smaller than sizeof(*pReq).
        status = WdfRequestRetrieveInputBuffer(Request, sizeof(*pReq), &pReq, &szcbRead);
        if(NT_SUCCESS(status) &&
             szcbRead == sizeof(*pReq))   // reject oversized buffers as well
        {
            //Process data received in pReq ...

        }
    }
    else
    {
        // Unknown control code: do not complete it as a success.
        status = STATUS_INVALID_DEVICE_REQUEST;
    }

    WdfRequestComplete(Request, status);
}

where:

#define IOCTL_MY_TEST CTL_CODE(0x8000, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef struct _REQ_TEST
{
    ULONG Param1;
    int Param2;
}REQ_TEST, *PREQ_TEST;

The question is – can I find out if the user-mode process sending my IOCTL_MY_TEST IOCTL is running as a member of the built-in admin group, and if not prevent processing of this IOCTL request?
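As an added example (not code from the question or from the VS 2022 KMDF template), the usual way to make this enforceable is to put a security descriptor on the device in the driver's INF so that a non-administrator process cannot open the device at all, and therefore never reaches TestEvtIoDeviceControl. The section names below are assumptions matching a template-style INF; adjust them to the project's own DDInstall section.

```ini
; Added example, not part of the question or the template: restrict device
; opens to SYSTEM and the built-in Administrators group.
; Section names (Test_Device.*) are assumed; use the project's own DDInstall name.

[Test_Device.NT.HW]
AddReg = Test_Device.NT.HW.AddReg

[Test_Device.NT.HW.AddReg]
; SDDL: protected DACL (D:P) with Generic All (GA) for SYSTEM (SY) and
; Administrators (BA) only; this is the same string as the WDK constant
; SDDL_DEVOBJ_SYS_ALL_ADM_ALL. Any other caller fails CreateFile with
; ERROR_ACCESS_DENIED, so IOCTL_MY_TEST is never delivered to the driver.
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)"
```

Because the I/O manager checks the FILE_WRITE_ACCESS requirement from CTL_CODE against the access granted when the handle was opened, this descriptor also backs the IOCTL_MY_TEST definition above. A group-membership check inside the queue callback itself is fragile, since a KMDF EvtIoDeviceControl callback is not guaranteed to run in the requestor's process context; a driver that must inspect the caller should do so from EvtDeviceFileCreate or an EvtIoInCallerContext callback, which do run in the caller's context.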

