Hey , I’m working on a filter driver that does some processing in a completion routine and in some common conditions needs to append a new item to a linked list protected with a Mutex
due to IRQL constraints I cant run the append part from the completion routine so I tried to queue a work item , something like this :
`NTSTATUS FilterReadCompletion(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
auto status = Irp->IoStatus.Status;
if (Irp->PendingReturned)
IoMarkIrpPending(Irp);
if (Irp->IoStatus.Status == STATUS_SUCCESS)
{
PKEYBOARD_INPUT_DATA InputData = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
int NumberOfKeysRead = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
PWORK_QUEUE_ITEM workItem = new(NonPagedPool, TAG)WORK_QUEUE_ITEM;
PWORKER_CONTEXT Context = new(NonPagedPool, TAG)WORKER_CONTEXT;
PKEYBOARD_INPUT_DATA Data = (PKEYBOARD_INPUT_DATA)ExAllocatePoolWithTag(NonPagedPool, sizeof(KEYBOARD_INPUT_DATA) * NumberOfKeysRead, TAG);
if (Data && workItem && Context)
{
// we have to copy the system buffer as by the time the worker will process it the IRP is likely to already be completed
RtlCopyMemory(Data, InputData, sizeof(KEYBOARD_INPUT_DATA) * NumberOfKeysRead);
Context->Count = NumberOfKeysRead;
Context->Data = Data;
if (workItem)
{
ExInitializeWorkItem(workItem, (PWORKER_THREAD_ROUTINE)FilterWorker, Context);
ExQueueWorkItem(workItem, DelayedWorkQueue);
}
}
}
ExReleaseRundownProtection(&PendingIrps);
return status;
}`
and the work item itself :
`
void FilterWorker(PDEVICE_OBJECT DeviceObject,PVOID Context) {
ExAcquireRundownProtection(&PendingIrps);
PWORKER_CONTEXT CompletionData = (PWORKER_CONTEXT)Context;
PKEYBOARD_INPUT_DATA InputData = (PKEYBOARD_INPUT_DATA)CompletionData->Data;
int NumberOfKeysRead = CompletionData->Count;
for (int i = 0; i < NumberOfKeysRead; i++)
{
// record key only if it is a key press or a special key press / release
if (InputData[i].Flags == KEY_MAKE || IsSpecialMakecode(InputData[i].MakeCode))
{
Recording.Append(InputData[i].MakeCode, InputData[i].Flags);
}
}
ExFreePoolWithTag(InputData, TAG);
delete CompletionData;
ExReleaseRundownProtection(&PendingIrps);
}`
Now , even if I only try to
DbgPrint("[*] Data 0x%p , Count %d\n",InputData,NumberOfKeysRead")
I get a bugcheck , any clear issue with what im doing ?
on another note, any lock that is possible to use at dispatch level ? im using a mutex but KeWaitForSingleObject is not allowed in some cases , it also triggered a bugcheck (SWITCH_FROM_DPC…)