Hello:
I am trying to set up an event to notify my user mode application from my mini filter driver whenever a callback is used. Currently I have successfully set up a shared event that both can connect to like so:
VB.NET
<DllImport("kernel32.dll")>
Private Shared Function CreateEvent(lpEventAttributes As IntPtr, bManualReset As Boolean, bInitialState As Boolean, lpName As String) As IntPtr
End Function
Dim RegisterEvent = CreateEvent(Nothing, True, False, "TEST_EVENT2")
MsgBox("Event Handle: " & RegisterEvent.ToString)
This creates the shared event object I am able to then get a Handle for I then pass that handle via IOCTL to my mini filter driver like so
Const FILE_DEVICE_EVENTSYS As UInteger = 33552
Dim IOCTL_OPEN_EVENT As UInteger = CTL_CODE(FILE_DEVICE_EVENTSYS, 2052, IOCTL_METHOD.METHOD_BUFFERED, IOCTL_ACCESS.FILE_ANY_ACCESS)
bStatus = DeviceIoControl(hFile, IOCTL_OPEN_EVENT, CLng(RegisterEvent), Marshal.SizeOf(RegisterEvent), Nothing, 0, Bytes_IO, Nothing)
If bStatus Then
waitStatus = WaitForSingleObject(RegisterEvent, INFINITE)
If Not waitStatus = WAIT_OBJECT_0 Then
MsgBox("The driver has successfully signaled our named event!")
ResetEvent(RegisterEvent)
End If
End If
The IOCTL Returns True and the waitforsingleobject is satisfied from my driver or so I think but the waitStatus = WAIT_OBJECT_0 is always 0 for both so no notification was sent from the driver to the user mode application.
DRIVER CODE:
#define FILE_DEVICE_EVENTSYS 0x00008310
#define IOCTL_OPEN_EVENT CTL_CODE(FILE_DEVICE_EVENTSYS, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
NTSTATUS status = STATUS_UNSUCCESSFUL;
PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
ULONG returnLength = 0;
PVOID* buffer = Irp->AssociatedIrp.SystemBuffer;
ULONG inLength = irpsp->Parameters.DeviceIoControl.InputBufferLength;
ULONG outLength = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_OPEN_EVENT:
SharedEvent = IoCreateNotificationEvent(&EventName, &SharedEventHandle);
if (SharedEvent != NULL) {
ObReferenceObject(SharedEvent);
ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
KeInitializeEvent(SharedEvent, KernelMode, FALSE);
KeSetEvent(SharedEvent, KernelMode, FALSE);
status = STATUS_SUCCESS;
}
else {
status = STATUS_UNSUCCESSFUL;
KdPrint(("Cannot open shared event"));
}
break;
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = returnLength;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
The way I am thinking about this is that the Shared Event will be created from the user mode application along with the event handle. The IOCTL in the driver will Open the shared event and receive the handle and ObReferenceObject(SharedEvent) for use. Here is where is gets a bit complicated for me when trying to figure out the synchronization and the IRQL Dispatch and passive levels as I know only some calls can be made and some cant causing BSOD. I am experiencing no notifications of the event and also deadlocking. My driver is monitoring process and image loads how can I set the event for each newly added callback from my preoperation so that the user mode application can block or allow or simply just get notified by event? I hope my question makes sense and that I am thinking this correctly.
Here is the link that I am trying to follow:
Kernel Dispatcher Objects | Programming the Microsoft Windows Driver Model[
^]
What I have tried:
I have tried setting Dispatch and passive levels for IRQL but not sure its correct or within the correct area. I have tried KeSetEvent and KeInitalizeEvent with Passive IRQL. I have tried setting the event from within the preoperation... probably not a good idea, I think thats a page pool area but im not well informed it causes BSOD. I have also tried setting the event from within the IOCTL but it either does nothing or causes deadlock.
Is this correct?
1. User mode app creates event and handle
2. Driver receives Handle Via IOCTL
3. KeSetEvent sets the Shared Event signaled to true
4. user mode waitforsingleobject is satisfied by true signal
5. Event is fired?