Click here to Skip to main content
16,020,568 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
Hello:

I am trying to set up an event to notify my user mode application from my mini filter driver whenever a callback is used. Currently I have successfully set up a shared event that both can connect to like so:

VB.NET
<DllImport("kernel32.dll")>
    Private Shared Function CreateEvent(lpEventAttributes As IntPtr, bManualReset As Boolean, bInitialState As Boolean, lpName As String) As IntPtr
    End Function

Dim RegisterEvent = CreateEvent(Nothing, True, False, "TEST_EVENT2")
        MsgBox("Event Handle: " & RegisterEvent.ToString)


This creates the shared event object I am able to then get a Handle for I then pass that handle via IOCTL to my mini filter driver like so

Const FILE_DEVICE_EVENTSYS As UInteger = 33552

Dim IOCTL_OPEN_EVENT As UInteger = CTL_CODE(FILE_DEVICE_EVENTSYS, 2052, IOCTL_METHOD.METHOD_BUFFERED, IOCTL_ACCESS.FILE_ANY_ACCESS)


bStatus = DeviceIoControl(hFile, IOCTL_OPEN_EVENT, CLng(RegisterEvent), Marshal.SizeOf(RegisterEvent), Nothing, 0, Bytes_IO, Nothing)
           If bStatus Then
               waitStatus = WaitForSingleObject(RegisterEvent, INFINITE)
               If Not waitStatus = WAIT_OBJECT_0 Then
                   MsgBox("The driver has successfully signaled our named event!")
                   ResetEvent(RegisterEvent)
               End If
           End If


The IOCTL Returns True and the waitforsingleobject is satisfied from my driver or so I think but the waitStatus = WAIT_OBJECT_0 is always 0 for both so no notification was sent from the driver to the user mode application.


DRIVER CODE:

#define FILE_DEVICE_EVENTSYS 0x00008310
#define IOCTL_OPEN_EVENT CTL_CODE(FILE_DEVICE_EVENTSYS, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)


NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
	UNREFERENCED_PARAMETER(DeviceObject);
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
	ULONG returnLength = 0;
	PVOID* buffer = Irp->AssociatedIrp.SystemBuffer;
	ULONG inLength = irpsp->Parameters.DeviceIoControl.InputBufferLength;
	ULONG outLength = irpsp->Parameters.DeviceIoControl.OutputBufferLength;

	switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
	{
	case IOCTL_OPEN_EVENT:
		SharedEvent = IoCreateNotificationEvent(&EventName, &SharedEventHandle);
		if (SharedEvent != NULL) {
			ObReferenceObject(SharedEvent);

			ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
			KeInitializeEvent(SharedEvent, KernelMode, FALSE);
			KeSetEvent(SharedEvent, KernelMode, FALSE);

			status = STATUS_SUCCESS;
		}
		else {
			status = STATUS_UNSUCCESSFUL;
			KdPrint(("Cannot open shared event"));
		}
		break;

	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = returnLength;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	return status;
}


The way I am thinking about this is that the Shared Event will be created from the user mode application along with the event handle. The IOCTL in the driver will Open the shared event and receive the handle and ObReferenceObject(SharedEvent) for use. Here is where is gets a bit complicated for me when trying to figure out the synchronization and the IRQL Dispatch and passive levels as I know only some calls can be made and some cant causing BSOD. I am experiencing no notifications of the event and also deadlocking. My driver is monitoring process and image loads how can I set the event for each newly added callback from my preoperation so that the user mode application can block or allow or simply just get notified by event? I hope my question makes sense and that I am thinking this correctly.

Here is the link that I am trying to follow:
Kernel Dispatcher Objects | Programming the Microsoft Windows Driver Model[^]

What I have tried:

I have tried setting Dispatch and passive levels for IRQL but not sure its correct or within the correct area. I have tried KeSetEvent and KeInitalizeEvent with Passive IRQL. I have tried setting the event from within the preoperation... probably not a good idea, I think thats a page pool area but im not well informed it causes BSOD. I have also tried setting the event from within the IOCTL but it either does nothing or causes deadlock.

Is this correct?

1. User mode app creates event and handle
2. Driver receives Handle Via IOCTL
3. KeSetEvent sets the Shared Event signaled to true
4. user mode waitforsingleobject is satisfied by true signal
5. Event is fired?
Posted
Updated 19-Jul-22 23:01pm
v7
Comments
[no name] 2-Jun-22 17:07pm    
Do you still need help with this? You never reference the HANDLE that you pass. Shouldn't you be calling ObReferenceObjectByHandle on the HANDLE that you pass to your device driver?
Dale Seeley 2-Jun-22 23:16pm    
Yes please I would greatly appricate your help Randor. I am trying to understand how the logic works for this. I have changed the driver to include the ObReferenceObjectByHandle like so:

status = ObReferenceObjectByHandle(registerEvent->hEvent,
SYNCHRONIZE | EVENT_MODIFY_STATE,
*ExEventObjectType,
Irp->RequestorMode,
¬ifyRecord->Message.Event,
NULL
);

This code is from the driver event example you suggested to me. I have tried to run that example but it BSOD my system so I am trying to understand and add it to my mini filter driver to notify my user mode application.

is this thinking correct?

application creates the event object and passes the handle to the driver via IOCTL. the driver then gets a object reference by handle and CustomTimerDPC is called to Signal KeSetEvent so waitforsingleobject in user mode is satisfied to show the notification which in my case is just a simple message box but could work for anything.

at the moment the DeviceIoControl is always returning false or I am having BSOD with error code IRQL not equal or less or thread exception not handled... basically I am trying all i can think but getting nowhere.

I am aware but not sure where and when to set apc or dispatch levels and where all this fits into the mini filter driver.
[no name] 3-Jun-22 7:53am    
Are you saying that the Microsoft code sample is causing you to BSOD?

https://github.com/Microsoft/Windows-driver-samples/tree/master/general/event

That doesn't sound right. Can you show me the output of Fltmc.exe

Open a command prompt as Administrator and type fltmc.exe and show me the output.
Dale Seeley 5-Jun-22 19:17pm    
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
bindflt 1 409800 0
WdFilter 7 328010 0
storqosflt 0 244000 0
wcifs 0 189900 0
PrjFlt 0 189800 0
CldFlt 1 180451 0
FileCrypt 0 141100 0
luafv 1 135000 0
npsvctrig 1 46000 0
Wof 5 40700 0
FileInfo 7 40500 0

The BSOD occurs when I try to load the Driver sys file using OSRLOADER

Unhandled System Threading Exception
[no name] 7-Jun-22 19:14pm    
Your filter manager output looks normal. The OSRLOADER program is really old. You should ask Peter Viscarola over in the OSR forum for support with that tool.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900