Kernel handle and user thread
Posted by Alexander Grigoriev on April 24th, 2004


When a driver works in the context of a user thread, what are the rules for handles
opened with the OBJ_KERNEL_HANDLE flag? The DDK documentation says such a handle
can only be closed in the context of a system thread or when the previous mode is
KernelMode.

Does it mean if a dispatch routine opens a kernel handle (for example, using
ZwOpenKey), it cannot be closed in the same context?


Posted by Doron Holan [MS] on April 24th, 2004


It can be closed in the same context that it was opened in.
OBJ_KERNEL_HANDLE means that the handle being created is placed in the
system handle table and not the handle table of the current process. You
can close a kernel handle from any context (given that you are calling at
the correct IRQL). If you do not specify OBJ_KERNEL_HANDLE, you *must*
close the handle in the process that it was opened in.

d

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please reply to newsgroups only.

"Alexander Grigoriev" <alegr@earthlink.net> wrote in message
news:eMARabgKEHA.3392@TK2MSFTNGP10.phx.gbl...


Posted by Maxim S. Shatskih on April 24th, 2004


The value of the kernel handle (yes, the (ULONG_PTR)Handle itself) has some
bit set, which is not set in other handles.

When Obxxx routines see this bit set in the handle, they (a) mandate the
previous mode to be KernelMode and (b) search for the handle in the System process's
table, not in the current process's one.

So, you can only use Zwxxx functions on the kernel handle, or
ObReferenceObjectByHandle with previous mode as KernelMode.

The user code doing a syscall cannot specify the "kernel" bit in the
handle; it will be immediately caught.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


"Doron Holan [MS]" <doronh@nospam.microsoft.com> wrote in message
news:uJc56IiKEHA.1388@TK2MSFTNGP09.phx.gbl...


Posted by Alexander Grigoriev on April 25th, 2004


So the documentation is a bit misleading.

It looks like ZwClose description mixes previous mode and current mode? When
ZwClose is called, the current mode becomes "previous mode" for the kernel
code which actually closes the handle?

Or is the paragraph:

"Drivers must close every handle they open once the handle is no longer
required. Kernel handles, which are handles opened from a system thread or
with the OBJ_KERNEL_HANDLE flag specified, can only be closed when the
previous processor mode is KernelMode (see ExGetPreviousMode).

This is true for a system thread, or while inside a dispatch routine for an
IRP issued from kernel-mode."

correct?

If an IRP is issued from user-mode ReadFile or DeviceIoControl, will ZwClose
called from the dispatch routine be able to close the kernel handle?

"Doron Holan [MS]" <doronh@nospam.microsoft.com> wrote in message
news:uJc56IiKEHA.1388@TK2MSFTNGP09.phx.gbl...


Posted by Doron Holan [MS] on April 25th, 2004


AFAIK, yes, that will work.

d

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please reply to newsgroups only.

"Alexander Grigoriev" <alegr@earthlink.net> wrote in message
news:uabLlwlKEHA.2472@TK2MSFTNGP10.phx.gbl...


Posted by Maxim S. Shatskih on April 25th, 2004


ZwClose calls NtClose via a trap frame. After this trap frame, the previous
mode will be KernelMode, regardless of who has called ZwClose.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


"Alexander Grigoriev" <alegr@earthlink.net> wrote in message
news:uabLlwlKEHA.2472@TK2MSFTNGP10.phx.gbl...
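Maxim's two posts above describe one mechanism: a kernel handle carries a distinguishing bit, that bit makes the object manager demand a KernelMode previous mode and resolve the handle in the System process's table, and ZwClose reaches NtClose through a trap frame that sets previous mode to KernelMode, which is why it works from a dispatch routine handling a user-issued IRP. The C program below is an added illustration written for this page, not Windows source and not code from any poster. It models those rules with two small handle tables so the behaviour can be exercised on any host. Which bit is the "kernel bit" is an assumption (modelled here as the top bit of the handle value), and all `model_*` names and the object paths are constructed for the example.

```c
/* Constructed model of the kernel-handle rules discussed in this thread.
 * Not Windows code: two in-memory handle tables stand in for the System
 * process's table and the current process's table. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE ((NTSTATUS)0xC0000008)

typedef enum { KernelMode = 0, UserMode = 1 } PREVIOUS_MODE;

/* Assumption: the "kernel bit" is modelled as the top bit of the handle value. */
#define KERNEL_HANDLE_BIT ((uintptr_t)1 << (sizeof(uintptr_t) * 8 - 1))
#define MAX_HANDLES 8

typedef struct { const char *object; bool in_use; } HANDLE_SLOT;
typedef struct { HANDLE_SLOT slot[MAX_HANDLES]; } HANDLE_TABLE;

static HANDLE_TABLE g_system_table;   /* handle table of the System process */
static HANDLE_TABLE g_process_table;  /* handle table of the current (user) process */

void model_reset(void) {
    memset(&g_system_table, 0, sizeof g_system_table);
    memset(&g_process_table, 0, sizeof g_process_table);
}

/* Opening with OBJ_KERNEL_HANDLE: the slot is taken from the System table and the
 * returned value is tagged with the kernel bit. Without the flag the slot comes from
 * the current process's table. Returns 0 when the table is full. */
uintptr_t model_open(const char *object, bool kernel_handle) {
    HANDLE_TABLE *t = kernel_handle ? &g_system_table : &g_process_table;
    for (size_t i = 0; i < MAX_HANDLES; i++) {
        if (!t->slot[i].in_use) {
            t->slot[i].object = object;
            t->slot[i].in_use = true;
            uintptr_t h = (uintptr_t)(i + 1) * 4;   /* handle values are multiples of 4, never 0 */
            return kernel_handle ? (h | KERNEL_HANDLE_BIT) : h;
        }
    }
    return 0;
}

/* The two rules from the thread: (a) a kernel handle is only honoured when the
 * previous mode is KernelMode, (b) it is resolved in the System table. A user-mode
 * caller presenting a handle with the kernel bit set is rejected outright. */
static HANDLE_SLOT *model_lookup(uintptr_t handle, PREVIOUS_MODE previous_mode) {
    bool is_kernel = (handle & KERNEL_HANDLE_BIT) != 0;
    if (is_kernel && previous_mode != KernelMode)
        return NULL;
    HANDLE_TABLE *t = is_kernel ? &g_system_table : &g_process_table;
    uintptr_t raw = handle & ~KERNEL_HANDLE_BIT;
    if (raw == 0 || raw % 4 != 0) return NULL;
    size_t idx = raw / 4 - 1;
    if (idx >= MAX_HANDLES || !t->slot[idx].in_use) return NULL;
    return &t->slot[idx];
}

/* Stand-in for ObReferenceObjectByHandle with an explicit previous mode. */
NTSTATUS model_reference(uintptr_t handle, PREVIOUS_MODE previous_mode, const char **object) {
    HANDLE_SLOT *s = model_lookup(handle, previous_mode);
    if (s == NULL) return STATUS_INVALID_HANDLE;
    *object = s->object;
    return STATUS_SUCCESS;
}

/* NtClose as reached through a syscall: previous mode is the caller's mode. */
NTSTATUS model_nt_close(uintptr_t handle, PREVIOUS_MODE previous_mode) {
    HANDLE_SLOT *s = model_lookup(handle, previous_mode);
    if (s == NULL) return STATUS_INVALID_HANDLE;
    s->in_use = false;
    s->object = NULL;
    return STATUS_SUCCESS;
}

/* ZwClose as called by a driver: the trap frame it builds makes previous mode
 * KernelMode, so a kernel handle closes fine even inside a dispatch routine
 * for an IRP that originated in user mode. */
NTSTATUS model_zw_close(uintptr_t handle) {
    return model_nt_close(handle, KernelMode);
}

int main(void) {
    const char *obj = NULL;
    model_reset();
    uintptr_t hk = model_open("\\Registry\\Machine\\SOFTWARE\\Example", true); /* constructed path */
    printf("kernel bit set:        %d\n", (hk & KERNEL_HANDLE_BIT) != 0);
    printf("reference as UserMode: 0x%08X\n", (unsigned)model_reference(hk, UserMode, &obj));
    printf("reference as KernelMode: 0x%08X (%s)\n", (unsigned)model_reference(hk, KernelMode, &obj), obj);
    printf("ZwClose from driver:   0x%08X\n", (unsigned)model_zw_close(hk));
    return 0;
}
```

The model also shows why the two tables matter: a plain handle value and a kernel handle with the same index refer to different objects, so a driver that drops the OBJ_KERNEL_HANDLE flag and later touches the handle from another process would be indexing the wrong table.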

