hi all, i'm going to make a kernel driver that hooks into the System Service Table. It will hook NtCreateFile and NtOpenFile to keep track of which file is accessed, then send this information to a program in usermode to check whether there is enough permission (that i define) to access the file; this program sends back to the kernel driver an allow or deny signal. The problem is with multiple threads running; i have no idea how to handle it, like this:
thread1-openfile --> my hook function --> wait for usermode
thread2-openfile --> my hook function --> wait for usermode
i don't know which allow/deny signal applies to which thread.
hum! any idea? thanks very much.
Why is this a problem? It's a systemwide hook; who cares what thread of what process is triggering this event? This question is spurious, and I really have to question the validity and merit of your post.
It's an EVENT, your usermode code should handle it ASYNCHRONOUSLY!
yeh, let's say that i have two threads, thread1 belongs to process1, thread2 belongs to process2, and a process X which keeps track of all the EVENTs.
thread1 calls NtOpenFile --> my hook function sends a signal to process X by raising an event and WaitForObject(objectname="myevent")
thread2 calls NtOpenFile --> my hook function sends a signal to process X by raising an event and WaitForObject(objectname="myevent")
then after process X does something and returns a deny code for the call of thread2, it signals thread2 to continue, but if i raise the event, maybe both threads will resume running, and thread1 will not know whether it should allow or deny the open file request.
maybe i was wrong in approaching this problem?
i found a solution at http://www.codeproject.com/KB/system/soviet_protector.aspx
i mean the use of an event object; all other threads will wait until the request to usermode is returned.
KeWaitForSingleObject(&event,Executive,KernelMode,0,0); // serialize: one request to usermode at a time
strcpy(&output[8],buff);                                 // copy the filename into the shared buffer
RtlFreeAnsiString(&str);
a=1;
memmove(&output[0],&a,4);                                // flag at offset 0: "request pending" for usermode
while(1)
{
KeDelayExecutionThread(KernelMode,0,&li);                // sleep, then poll until usermode clears the flag
memmove(&a,&output[0],4);
if(!a)break;
}
memmove(&a,&output[4],4);                                // offset 4 holds usermode's allow/deny verdict
KeSetEvent(&event,0,0);                                  // let the next waiting request proceed
not very good but work :)
Ugh, the code in that article is horrible.
a=str.Length;buff=str.Buffer;
while(1)                                    // walk back from the end of the name looking for the last '.'
{
if(buff[a]=='.'){a++;break;}                // "[a]" restored here; the forum's markup ate the index
a--;                                        // nothing stops this loop if the name contains no '.'
}
Now, whaaaat happens if a user tries to execute "x:\path\to\evil\file" - with no extension? Perfectly legal under win32.
//if it is not executable, it does not make sense to be bothered about it
//return 1
if(_stricmp(&buff[a],"exe")){RtlFreeAnsiString(&str);return 1;}   // "[a]" restored here; the forum's markup ate the index
.com, .scr, .pif, no-extension, etc?
strcpy(&output[8],buff);
Ugh, strcpy? In kernel mode?
Oh, and a nasty spinloop is used to synchronize with the client... not to mention that memmove with a 4-byte value is used instead of some DWORD casting and atomic intrinsics. That person shouldn't be writing kernel-mode code.
hi f0dder, i'm trying to find a way to synchronize kernel-mode and user-mode and i haven't had experience with this before. i need to pause all other requests to open/create a file, then ask the user-mode code for permission, thread by thread. Of course, about the examples, maybe think of them just as "runnable"; the author didn't check that. Could you tell me a better way to synchronize? thanks
another way, i think:
kernel-mode
KeWaitForMutexObject(enter_wait_object);
// ... Fill filename to output buffer then
KeSetEvent(usermode_should_read_buffer_now); // --> User-mode check for permission
KeWaitForEvent(usermode_finished);
// ... Read user return value from system buffer.
KeReleaseMutex(enter_wait_object);
usermode
while(true){
WaitForSingleObject(usermode_should_read_buffer_now);
ReadFile(....);
//process data and return value in kernel system buffer.
WriteFile(...);
SetEvent(usermode_finished);
}
is it better?
If kernelmode events can be shared with usermode, that would probably be a better solution, yes - but you will likely run into IRQL issues that you need to take into consideration.
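The correlation problem raised in this thread (which allow/deny reply belongs to which blocked thread) modelled as an added Python example; it is not code from the thread or from the codeproject article. Python threading primitives stand in for the driver's KEVENT and the named usermode event, the policy is a constructed assumption, and the point is that each hooked call carries its own request id and waits on its own private event, so the usermode verdict wakes exactly the thread that asked and an unanswered request fails closed.

```python
import itertools
import queue
import threading
ALLOW, DENY = "allow", "deny"
# Constructed policy standing in for the usermode check: deny c:\secret\, allow the rest.
PROTECTED_PREFIX = "c:\\secret\\"
class Arbiter:
    """Kernel side: one request id and one private event per hooked call."""
    def __init__(self):
        self._ids = itertools.count(1)
        self._pending = {}                # request id -> (event, verdict slot)
        self._lock = threading.Lock()
        self.to_usermode = queue.Queue()  # stands in for the driver's read queue

    def hook_open_file(self, path, timeout=5.0):
        # Runs on the thread that called NtOpenFile/NtCreateFile; it waits on its own event,
        # not one shared "myevent", so verdicts for different threads cannot cross.
        req_id, done, slot = next(self._ids), threading.Event(), {}
        with self._lock:
            self._pending[req_id] = (done, slot)
        self.to_usermode.put((req_id, path))
        if not done.wait(timeout):        # usermode never answered: fail closed
            with self._lock:
                self._pending.pop(req_id, None)
            return DENY
        return slot["verdict"]

    def reply(self, req_id, verdict):
        # Usermode wrote (id, verdict) back; wake only the matching requester.
        with self._lock:
            entry = self._pending.pop(req_id, None)
        if entry:                         # None: that requester already timed out
            entry[1]["verdict"] = verdict
            entry[0].set()

def usermode_service(arb):
    # Models process X: drain requests, decide, answer tagged with the request id.
    for req_id, path in iter(arb.to_usermode.get, None):   # None = shutdown
        arb.reply(req_id, DENY if path.lower().startswith(PROTECTED_PREFIX) else ALLOW)

def simulate(paths):
    # One hooked open per path, each on its own thread; returns {path: verdict}.
    arb, results = Arbiter(), {}
    threading.Thread(target=usermode_service, args=(arb,), daemon=True).start()
    workers = [threading.Thread(target=lambda p=p: results.update({p: arb.hook_open_file(p)}))
               for p in paths]
    for w in workers: w.start()
    for w in workers: w.join()
    arb.to_usermode.put(None)             # shut the model service down
    return results
```

In a real driver the per-request event would be a KEVENT in a request record and the usermode side would return the id together with its verdict through the device's write path; the serializing mutex from the sketch above then becomes unnecessary.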