- Re: How detect USER Mode Application is loaded in kernel mode driver
- Posted by William Ingle on June 30th, 2003
Are you not getting a close irp when the AP is shut down? Are you
associating events with the file object owned by the calling application so
you can cancel event notification when the hand is closed?
"wschung" <wschung@emc.com.tw> wrote in message
news:uYXSDFrPDHA.2424@tk2msftngp13.phx.gbl...
- Posted by wschung on July 1st, 2003
Dear Alexander Grigoriev,
thank for your reply, How I keep traceing event notification in my driver?
the follow is
my code in my AP and Driver
Drievr::inint
{ .....
devExt->Event = IoCreateNotificationEvent(&eventPath, &devExt->Handle);
.....
}
Driver::AckAP
{
.....
if (devExt->Handle != NULL) {
if (KeReadStateEvent(devExt->Event)) {
KeClearEvent(devExt->Event);
}
KeSetEvent(devExt->Event, 0, FALSE);
KeClearEvent(devExt->Event);
}
.....
}
AP::init()
{.....
AfxBeginThread(EvenWaitingThread, (LPVOID)0, THREAD_PRIORITY_NORMAL);
.....
}
AP::UINT EvenWaitingThread(LPVOID pParam)
{
keep = 1;
hEvent = OpenEvent(SYNCHRONIZE, FALSE, eventPath);
while (keep) {
dwEvent = WaitForMultipleObjects( nCount, &hEvent, FALSE, INFINITE);
if (dwEvent != WAIT_TIMEOUT) {
if (dwEvent == 0) Do_something_AP()
}
}
CloseHandle(hEvent);
}
"Alexander Grigoriev" <alegr@earthlink.net> ¼¶¼g©ó¶l¥ó
news:ek7pe#wPDHA.2160@TK2MSFTNGP11.phx.gbl...
- Posted by Matt Vinall on July 1st, 2003
I see you're creating the event from kernel mode. Following the advice of Mr
Oney et al, I tend to get the AP to create the event, and then pass that to
the driver through an ioctl. This gets around various nastys with process
space etc.
AP::init()
{
HANDLE hEvent = CreateEvent(...);
int result = DeviceIoControl( hDevice, custom_IOCTL_code, &hEvent,
sizeof(hEvent), ...);
AfxBeginThread( EventWaitingThread, hEvent, THREAD_PRIORITY_NORMAL);
}
Driver:
ispatchControl( ...)
{
switch()
{
case custom_IOCTL_code:
hEvent = *(HANDLE*)pIrp->AssociatedIrp->SystemBuffer;
if( pDevExt->pKEvent)
{
ObDereferenceObject( pDevExt->pKEvent);
pDevExt->hEvent = NULL;
}
if( hEvent)
{
status = ObReferenceObjectByHandle( hEvent, 0, NULL, KernelMode,
&pDevExt->pKEvent, NULL);
...
}
...
}
}
and then Driver:AckAP stays the same. Because you maintain a reference on
the object, it won't get destroyed when the AP exits, so technically it
doesn't matter if you don't cleanup when the AP exits. However, for
completeness and tidy code, you should still do that.
Matt
"wschung" <wschung@emc.com.tw> wrote in message
news:OAsU8K3PDHA.1612@TK2MSFTNGP11.phx.gbl...
- Posted by Matt Vinall on July 1st, 2003
Ah, just found this link in another thread:
http://support.microsoft.com/default...;EN-US;Q228785
"Matt Vinall" <matthew.vinall@snellwilcox.com> wrote in message
news:uZpVtp6PDHA.560@TK2MSFTNGP10.phx.gbl...
- Posted by Alexander Grigoriev on July 1st, 2003
The proper procedure would be:
case custom_IOCTL_code:
PIO_STACK_LOCATION pIo=IoGetCurrentIrpStackLocation(pIrp); //++
if (pIo->InputBufferLength < sizeof (HANDLE)) //++
{
pIrp->IoStatus.Status = STATUS_INVALID_BUFFER_LENGTH; //++
IoCompleteRequest(pIrp, IO_NO_INCREMENT); //++
return STATUS_INVALID_BUFFER_LENGTH; //++
}
hEvent = *(HANDLE*)pIrp->AssociatedIrp->SystemBuffer;
PVOID pNewEvent = NULL; //++
if( hEvent)
{
status = ObReferenceObjectByHandle(
hEvent, EVENT_MODIFY_STATE, //++
ExEventObjectType, //++
UserMode, //++
&pNewEvent, NULL);
}
PVOID pOldEvent = InterlockedExchangePointer( & pDevExt->pKEvent,
pNewEvent); //++
if(NULL != pOldEvent)
{
ObDereferenceObject( pOldEvent);
}
Make sure also to release the event object in IRP_MJ_CLOSE handler.
"Matt Vinall" <matthew.vinall@snellwilcox.com> wrote in message
news:uZpVtp6PDHA.560@TK2MSFTNGP10.phx.gbl...
- Posted by wschung on July 2nd, 2003
Thank to Mr. Alexander Grigoriev and Mr. Matt Vinall.
I get a way to solute my problem with your help..
Thank more..
Best Regards
WS.Chung
"Alexander Grigoriev" <alegr@earthlink.net> ¼¶¼g©ó¶l¥ó
news:#EW9n99PDHA.2228@tk2msftngp13.phx.gbl...
