SepCreateSystemProcessToken calls ObCreateObject like this:
    Status = ObCreateObject(KernelMode,
                            SepTokenObjectType,
                            NULL,
                            KernelMode,
                            NULL,
                            sizeof(TOKEN),
                            0,
                            0,
                            (PVOID*)&AccessToken);
The ObjectAttributes parameter is set to NULL, and ObCreateObject passes ObjectAttributes on to ObpCaptureObjectAttributes like this:
    Status = ObpCaptureObjectAttributes(ObjectAttributes,
                                        ProbeMode,
                                        FALSE,
                                        ObjectCreateInfo,
                                        &ObjectName);
In ObpCaptureObjectAttributes, there is a condition that checks whether ObjectAttributes is NULL. If ObjectAttributes is NULL, it will cause ObpCaptureObjectAttributes to fail, which then causes ObCreateObject to fail, which then causes SepCreateSystemProcessToken to fail, and the return value of SepCreateSystemProcessToken will always be NULL.
Could someone explain why? Am I wrong?