Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Two-way interaction between user-mode app and kernel-mode driver?

Tags:

windows

process

kernel

driver

I'm about to write the following interaction:

  • When there is a process about to start, driver will notify user app and then it will wait for response from the app.

  • The app will decide whether or not to allow that process to be created normally or terminated immediately, and send its decision back to the driver.

  • Base on the decision from user app. The driver will then allow or block the process execution.

My question is: What is recommended way to notify user-mode app from driver and then make the driver wait for the response?

like image 617
Joseph Do Avatar asked Apr 08 '13 02:04

Joseph Do

People also ask

How communication happens between user mode and kernel mode?

The filter manager supports communication between user mode and kernel mode through communication ports. The minifilter driver controls security on the port by specifying a security descriptor to be applied to the communication port object.

How would you differentiate kernel mode device driver and user mode device driver?

In kernel mode, the program has direct and unrestricted access to system resources. In user mode, the application program executes and starts. In user mode, a single process fails if an interrupt occurs. Kernel mode is also known as the master mode, privileged mode, or system mode.

Why we need two separate modes of operation user mode and kernel mode?

Necessity of Dual Mode (User Mode and Kernel Mode) in Operating System. A running user program can accidentaly wipe out the operating system by overwriting it with user data. Multiple processes can write in the same system at the same time, with disastrous results.

Which are the three different ways the CPU can go from user mode to kernel mode?

There are three events at which the processor should switch to the kernel address space: (1) supervisor call (called a trap instruction on the PDP-11); (2) an interrupt; and (3) an illegal instruction.

1 Answers

For event notification, you can use a notification event. I.e. the kernel calls IoCreateNotificationEvent and KeSetEvent. The user calls KeWaitForSingleObject. For user-kernel message communication, you can use IOCTL.

Alternatively, you can just use a named pipe for both purpose.

P.S. You can't use PsSetCreateProcessNotifyRoutine() for your purpose because it's only for auditing, but not for prevention/cancellation.

like image 73
Wu Yongzheng Avatar answered Sep 27 '22 21:09

Wu Yongzheng
Sign in to Comment

Related questions

SetTimer() pitfalls
How do you efficiently trim an SQlite database down to a given file size?
Does Oracle provide public Symbol Files (PDB) for OCCI/OCI?
What is the window class name assigned by Visual Studio when creating .NET form?
how to check vbs script in windows is running or not?
Download Windows Updates Using C#
How to rotate tomcat logs in Windows? What is the best method?
Previews of matlab figures in Windows explorer (utility to set an image as the thumbnail for another file)
Windows Batch file - pipe to FIND
java performance Windows vs Linux
Windows Common Item Dialog: ctypes + COM access violation
No CUDA-capable device is detected
I need to avoid attempting to update non-physical fields in a Delphi TClientDataset connected to a TSQLQuery
ConnectEx requires the socket to be "initially bound", but to what?
Associating my Windows computer to a wifi AP with Python
How to convert a linux executable file (binary) to windows exe file?
Java applications prevent server restart after JRE update
Is there seccomp analogue for Windows
Register program on windows registry so that it appears on "Uninstall a program" on Control Panel
How to use std::map in Windows kernel? STLPort?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!