How detect USER Mode Application is loaded in kernel mode driver


Post by William In » Tue, 01 Jul 2003 16:50:35


Are you not getting a close IRP when the AP is shut down? Are you
associating events with the file object owned by the calling application so
you can cancel event notification when the handle is closed?




Post by wschun » Wed, 02 Jul 2003 10:46:49

Dear Alexander Grigoriev,
Thanks for your reply. How do I keep tracing event notification in my driver?
The following is my code in my AP and driver:

    Driver::init
    {
        .....
        // Create a named notification event that the AP opens by name
        devExt->Event = IoCreateNotificationEvent(&eventPath, &devExt->Handle);
        .....
    }

    Driver::AckAP
    {
        .....
        if (devExt->Handle != NULL) {
            if (KeReadStateEvent(devExt->Event)) {
                KeClearEvent(devExt->Event);
            }
            // Pulse the event: signal the waiting AP thread, then reset
            KeSetEvent(devExt->Event, 0, FALSE);
            KeClearEvent(devExt->Event);
        }
        .....
    }

    AP::init()
    {
        .....
        AfxBeginThread(EvenWaitingThread, (LPVOID)0, THREAD_PRIORITY_NORMAL);
        .....
    }

    AP::UINT EvenWaitingThread(LPVOID pParam)
    {
        keep = 1;
        hEvent = OpenEvent(SYNCHRONIZE, FALSE, eventPath);
        while (keep) {
            dwEvent = WaitForMultipleObjects(nCount, &hEvent, FALSE, INFINITE);
            if (dwEvent != WAIT_TIMEOUT) {
                if (dwEvent == 0) Do_something_AP();
            }
        }
        CloseHandle(hEvent);
    }


Post by Matt Vinal » Wed, 02 Jul 2003 17:26:06

I see you're creating the event from kernel mode. Following the advice of Mr
Oney et al, I tend to get the AP to create the event, and then pass that to
the driver through an ioctl. This gets around various nasties with process
space etc.

    AP::init()
    {
        HANDLE hEvent = CreateEvent(...);

        // Hand the event handle to the driver in the IOCTL input buffer
        int result = DeviceIoControl(hDevice, custom_IOCTL_code, &hEvent,
                                     sizeof(hEvent), ...);

        AfxBeginThread(EventWaitingThread, hEvent, THREAD_PRIORITY_NORMAL);
    }

    Driver::DispatchControl(...)
    {
        switch()
        {
        case custom_IOCTL_code:

            hEvent = *(HANDLE*)pIrp->AssociatedIrp.SystemBuffer;

            // Drop the reference held on any previously registered event
            if (pDevExt->pKEvent)
            {
                ObDereferenceObject(pDevExt->pKEvent);
                pDevExt->hEvent = NULL;
            }

            if (hEvent)
            {
                status = ObReferenceObjectByHandle(hEvent, 0, NULL, KernelMode,
                                                   &pDevExt->pKEvent, NULL);

                ...
            }

            ...
        }
    }

and then Driver::AckAP stays the same. Because you maintain a reference on
the object, it won't get destroyed when the AP exits, so technically it
doesn't matter if you don't clean up when the AP exits. However, for
completeness and tidy code, you should still do that.

Matt

Post by Matt Vinal » Wed, 02 Jul 2003 17:30:18

Oh, just found this link in another thread:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q228785

Post by Alexander » Wed, 02 Jul 2003 23:45:23

The proper procedure would be:

    case custom_IOCTL_code:

        PIO_STACK_LOCATION pIo = IoGetCurrentIrpStackLocation(pIrp); //++
        // Reject input buffers too small to hold a handle
        if (pIo->Parameters.DeviceIoControl.InputBufferLength < sizeof(HANDLE)) //++
        {
            pIrp->IoStatus.Status = STATUS_INVALID_BUFFER_SIZE; //++
            IoCompleteRequest(pIrp, IO_NO_INCREMENT); //++
            return STATUS_INVALID_BUFFER_SIZE; //++
        }

        hEvent = *(HANDLE*)pIrp->AssociatedIrp.SystemBuffer;

        PVOID pNewEvent = NULL; //++
        if (hEvent)
        {
            // Require an event object that the caller may set
            status = ObReferenceObjectByHandle(
                hEvent, EVENT_MODIFY_STATE, //++
                *ExEventObjectType, //++
                UserMode, //++
                &pNewEvent, NULL);
        }
        // Swap in the new event atomically, then release the old one
        PVOID pOldEvent = InterlockedExchangePointer(&pDevExt->pKEvent,
                                                     pNewEvent); //++
        if (NULL != pOldEvent)
        {
            ObDereferenceObject(pOldEvent);
        }


Make sure also to release the event object in the IRP_MJ_CLOSE handler.
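
Why the `//++` arguments to ObReferenceObjectByHandle matter, as an added example that is not part of the original posts and is not WDK code: a simplified user-space C model of the object-type and granted-access checks that call applies to a handle taken from an IOCTL buffer. All type names, status constants and the handle table below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model (an assumption, not WDK code) of the checks
   ObReferenceObjectByHandle makes on a handle taken from an IOCTL buffer. */
typedef enum { TYPE_EVENT, TYPE_FILE } obj_type;
typedef enum { KERNEL_MODE, USER_MODE } access_mode;
enum { ST_SUCCESS, ST_INVALID_HANDLE, ST_TYPE_MISMATCH, ST_ACCESS_DENIED };
#define EVENT_MODIFY_STATE 0x0002u
#define SYNCHRONIZE 0x00100000u
typedef struct { obj_type type; int refs; } object;
typedef struct { object *obj; uint32_t granted; } handle_entry;

/* Constructed handle table of the calling process; index = handle value. */
static object ev1 = { TYPE_EVENT, 1 }, ev2 = { TYPE_EVENT, 1 };
static object file_obj = { TYPE_FILE, 1 };
static handle_entry table[] = {
    { NULL, 0 },
    { &ev1, EVENT_MODIFY_STATE | SYNCHRONIZE }, /* 1: event from CreateEvent */
    { &ev2, SYNCHRONIZE },                      /* 2: event opened wait-only */
    { &file_obj, 0x0001u },                     /* 3: not an event at all */
};

int ref_by_handle(size_t h, uint32_t desired, const obj_type *type,
                  access_mode mode, object **out)
{
    *out = NULL;
    if (h == 0 || h >= sizeof table / sizeof table[0])
        return ST_INVALID_HANDLE;
    if (type != NULL && table[h].obj->type != *type)
        return ST_TYPE_MISMATCH;    /* no type check when type is NULL */
    if (mode == USER_MODE && (table[h].granted & desired) != desired)
        return ST_ACCESS_DENIED;    /* no access check for KERNEL_MODE */
    table[h].obj->refs++;           /* caller now owns one reference */
    *out = table[h].obj;
    return ST_SUCCESS;
}

/* Arguments of the first snippet: access 0, no type, KernelMode. */
int ref_unchecked(size_t h, object **out)
{ return ref_by_handle(h, 0, NULL, KERNEL_MODE, out); }

/* Arguments of the corrected snippet: EVENT_MODIFY_STATE, event type, UserMode. */
int ref_checked(size_t h, object **out)
{
    static const obj_type ev = TYPE_EVENT;
    return ref_by_handle(h, EVENT_MODIFY_STATE, &ev, USER_MODE, out);
}
```

With the first snippet's arguments, handle 3 is returned as if it were an event; with the corrected arguments only handle 1 passes, so KeSetEvent is only ever called on a real event the caller is allowed to signal.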

Post by wschun » Thu, 03 Jul 2003 10:14:32

Thanks to Mr. Alexander Grigoriev and Mr. Matt Vinall.
I found a way to solve my problem with your help.

Thanks again.
Best Regards
WS.Chung