Hi all, I'm going to make a kernel driver that hooks into the System Service Table. It will hook NtCreateFile and NtOpenFile to keep track of which file is accessed, then send this information to a program in user mode to check whether it has enough permission (that I define) to access the file; this program sends back an allow or deny signal to the kernel driver. The problem is with multiple threads running; I have no idea how to handle it, like this:
thread1-openfile --> my hook function --> wait for usermode
thread2-openfile --> my hook function --> wait for usermode

I don't know which allow/deny signal applies to which thread.
Hmm! Any idea? Thanks very much.
Posted on 2008-09-26 10:26:36 by secmask
Why is this a problem? It's a system-wide hook; who cares what thread of what process is triggering this event? This question is spurious, and I really have to question the validity and merit of your post.

It's an EVENT; your user-mode code should handle it ASYNCHRONOUSLY!

Posted on 2008-09-26 10:40:30 by Homer
Yeah, let's say that I have two threads: thread1 belongs to process1, thread2 belongs to process2, and a process X keeps track of all the EVENTs.
thread1 calls NtOpenFile --> my hook function sends a signal to process X by raising an event and WaitForObject(objectname="myevent")
thread2 calls NtOpenFile --> my hook function sends a signal to process X by raising an event and WaitForObject(objectname="myevent")
Then, after process X does something and returns a deny code for the call of thread2, it signals thread2 to continue; but if I raise the event, maybe both threads will resume running, and thread1 will not know whether it should allow or deny the open file request.
Maybe I was wrong in my approach to this problem?
Posted on 2008-09-26 12:48:00 by secmask
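The per-request correlation secmask is asking about, shown as an added example that is not code from this thread or from the linked article: a user-space C simulation in which every intercepted open gets a unique request id and its own wait object, the checker answers by id, and only the waiter holding that id is released. The pthreads mutex and condition variables, the table size, the sample paths and the `/secret/` rule are constructed stand-ins for the driver's lock, per-request KEVENT and real policy; a driver would additionally have to respect IRQL and non-paged storage constraints that this simulation ignores.

```c
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 8
enum { VERDICT_PENDING = -1, VERDICT_DENY = 0, VERDICT_ALLOW = 1 };

/* One intercepted open. In a driver this would live in non-paged pool and `done`
 * would be a per-request KEVENT; here a pthread condvar stands in for it. */
struct request {
    uint32_t id;              /* unique per request; 0 marks a free slot */
    char path[64];
    int verdict;              /* VERDICT_PENDING until the arbiter answers */
    pthread_cond_t done;
};

static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct request table[MAX_PENDING];
static uint32_t next_id = 1;

static struct request *find_locked(uint32_t id) {      /* caller holds table_lock */
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].id == id) return &table[i];
    return NULL;
}

/* "Kernel side": record the open and hand back its id. 0 means the table is
 * full, which the hook must treat as failure or deny, never as allow. */
uint32_t submit_request(const char *path) {
    uint32_t id = 0;
    pthread_mutex_lock(&table_lock);
    struct request *r = find_locked(0);                 /* first free slot */
    if (r) {
        id = next_id++;
        if (next_id == 0) next_id = 1;                  /* id 0 stays reserved */
        r->id = id;
        snprintf(r->path, sizeof r->path, "%s", path);
        r->verdict = VERDICT_PENDING;
        pthread_cond_init(&r->done, NULL);
    }
    pthread_mutex_unlock(&table_lock);
    return id;
}

/* "User-mode side": answer one specific request. Only the waiter holding this id
 * is signalled, so hooked threads never consume each other's verdict. Unknown
 * ids and repeated answers are rejected (returns 0). */
int deliver_verdict(uint32_t id, int verdict) {
    int matched = 0;
    pthread_mutex_lock(&table_lock);
    struct request *r = id ? find_locked(id) : NULL;
    if (r && r->verdict == VERDICT_PENDING) {
        r->verdict = verdict;
        pthread_cond_signal(&r->done);
        matched = 1;
    }
    pthread_mutex_unlock(&table_lock);
    return matched;
}

/* The hooked thread blocks until its own verdict is in, then frees the slot. */
int wait_verdict(uint32_t id) {
    pthread_mutex_lock(&table_lock);
    struct request *r = id ? find_locked(id) : NULL;
    if (!r) { pthread_mutex_unlock(&table_lock); return VERDICT_DENY; }
    while (r->verdict == VERDICT_PENDING)
        pthread_cond_wait(&r->done, &table_lock);
    int v = r->verdict;
    pthread_cond_destroy(&r->done);
    r->id = 0;
    pthread_mutex_unlock(&table_lock);
    return v;
}

/* Constructed stand-in for the rules the user-mode program would apply. */
int policy(const char *path) {
    return strncmp(path, "/secret/", 8) == 0 ? VERDICT_DENY : VERDICT_ALLOW;
}

static void *hooked_open(void *path) {                  /* simulated hooked caller */
    uint32_t id = submit_request(path);
    int v = wait_verdict(id);
    printf("open(%s) req %u -> %s\n", (char *)path, id, v == VERDICT_ALLOW ? "allow" : "deny");
    return NULL;
}

static void *arbiter(void *count) {                     /* simulated user-mode checker */
    for (int left = *(int *)count; left > 0; ) {
        uint32_t id = 0; char path[64];
        pthread_mutex_lock(&table_lock);                /* pick any unanswered request */
        for (int i = 0; i < MAX_PENDING && !id; i++)
            if (table[i].id && table[i].verdict == VERDICT_PENDING) {
                id = table[i].id;
                memcpy(path, table[i].path, sizeof path);
            }
        pthread_mutex_unlock(&table_lock);
        if (id && deliver_verdict(id, policy(path))) left--; else sched_yield();
    }
    return NULL;
}

int main(void) {                                        /* three concurrent opens, one arbiter */
    const char *paths[] = { "/home/u/notes.txt", "/secret/key.pem", "/tmp/build.log" };
    int n = 3; pthread_t t[3], arb;
    pthread_create(&arb, NULL, arbiter, &n);
    for (int i = 0; i < n; i++) pthread_create(&t[i], NULL, hooked_open, (void *)paths[i]);
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    pthread_join(arb, NULL);
    return 0;
}
```

Run as is, the three opens resolve independently: the `/secret/` request is denied without releasing the other two waiters. The single shared event in the post carries no id, so one KeSetEvent cannot tell the waiters apart; the id attached to each request is what removes that ambiguity, and a verdict for an id that is unknown or already answered is dropped rather than applied to the wrong thread.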
I found a solution at http://www.codeproject.com/KB/system/soviet_protector.aspx
I mean the use of an event object; all other threads will wait until the request to user mode is returned.

Not very good, but it works :)
Posted on 2008-10-01 22:09:01 by secmask
Ugh, the code in that article is horrible.


Now, whaaaat happens if a user tries to execute "x:\path\to\evil\file" - with no extension? Perfectly legal under Win32.

    //if it is not executable, it does not make sense to be bothered about it
    //return 1
    if(_stricmp(&buff,"exe")){RtlFreeAnsiString(&str);return 1;}

.com, .scr, .pif, no extension, etc.?


Ugh, strcpy? In kernel mode?

Oh, and a nasty spinloop is used to synchronize with the client... not to mention that memmove with a 4-byte value is used instead of some DWORD casting and atomic intrinsics. That person shouldn't be writing kernel-mode code.
Posted on 2008-10-02 01:00:00 by f0dder
Hi f0dder, I'm trying to find a way to synchronize kernel mode and user mode, and I haven't had any experience with this before. I need to pause all other requests to Open/Create File, then ask the user-mode code for permission, thread by thread. Of course, about the examples, maybe think of them just as "runnable"; the author didn't check that. Could you tell me a better way to synchronize? Thanks
Posted on 2008-10-02 03:26:48 by secmask
Another way, I think:

    // ... Fill the filename into the output buffer, then
    KeSetEvent(&usermode_should_read_buffer_now, IO_NO_INCREMENT, FALSE);   // --> user mode checks for permission
    // ... Wait until user mode has written its answer back
    KeWaitForSingleObject(&usermode_answer_ready, Executive, KernelMode, FALSE, NULL);
    // ... Read the user return value from the system buffer.
    // Process data and return the value in the kernel system buffer.

Is it better?
Posted on 2008-10-02 03:53:42 by secmask
If kernel-mode events can be shared with user mode, that would probably be a better solution, yes - but you will likely run into IRQL issues that you need to take into consideration.
Posted on 2008-10-02 06:04:54 by f0dder