Hello guys,
Suppose you have a WDM driver. At a certain point an admin needs to unload it, but there is some deinitialization that you need to do in a non-arbitrary thread context. One of the options is to trigger an APC from the Unload routine and wait until it ends.
So we set up a KEVENT to be notified when the APC is over, initialize the APC, finally queue it and do a KeWait on our event.
Suppose the KAPC routine looks like this:
#include <ntddk.h>

// Signalled from the APC; the Unload routine waits on this event.
extern PKEVENT apc_complete_event;

// Kernel routine of the special kernel APC queued from Unload.
VOID NTAPI MyApcAtUnload(_In_ PRKAPC Apc,
                         _Inout_opt_ PKNORMAL_ROUTINE* NormalRoutine,
                         _Inout_opt_ PVOID* NormalContext,
                         _Inout_ PVOID* SystemArgument1,
                         _Inout_ PVOID* SystemArgument2) noexcept
{
    UNREFERENCED_PARAMETER(Apc);
    UNREFERENCED_PARAMETER(NormalRoutine);
    UNREFERENCED_PARAMETER(NormalContext);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);

    // Wake the waiter in Unload (Wait = FALSE: no KeWait follows in this routine).
    KeSetEvent(apc_complete_event, 0, FALSE);
    // Here, however, we still have a few instructions left before the ret :)
}
Now, if I am in the unload routine waiting in KeWait, then once KeSetEvent happens in the APC, in theory we can be woken up and unload faster than the actual APC routine ends - isn't it? If so, wouldn't we get a bugcheck?
Is there actually a more secure way to make sure the APC is over and the routine (MyApcAtUnload) is no longer executing?
Thank you!