Hello,
I need to intercept the exit signal event of a Windows process given its process ID handle,
or otherwise find out whether the process is still active according to the handle variable returned by PsGetCurrentProcessId.
Why:
I developed a disk-mapping driver for a user-mode process, and when I kill the process in Task Manager (mstask.exe), my driver must detect whether the process still exists; if it does not, it must set a flag marking the logical drive mapped to it as inaccessible, so that it no longer expects the data sent by my process managing the logical drive.
In the function KeWaitForSingleObject, can I pass a HANDLE returned by PsGetCurrentProcessId?
Otherwise, how can I detect whether the process whose handle was previously returned by PsGetCurrentProcessId still exists?
Thank you
Well, since KeWaitForSingleObject does not take handles, you have a problem.
I believe that PsGetCurrentProcess will work in this case, but it hasn’t
been something I have tried in a long time.
–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Information from ESET NOD32 Antivirus, version of virus signature database 4631 (20091123)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
>>In function KeWaitForSingleObject can i pass a HANDLE returned by PsGetCurrentProcessId?
You are confused because of the way the signature of PsGetCurrentProcessId is written in the WDK docs.
treat it like,
ULONG_PTR PsGetCurrentProcessId( VOID );
Now obviously we cannot pass a number in place of a handle, right? So it will not work.
[quote]
Why:
I developed a driver disk mapping on a user-mode process and when I left the
process in task manager (mstask.exe), my driver detects if the process is
still existing, if not the case, it must set the flag on my logical drive
mapped to it is inaccessible and it does not expect the data sent by my
process managing the logical drive.
[/quote]
Could you not notify your driver when your user-mode process starts up and
send your PID to it, then implement a PsSetCreateProcessNotifyRoutine
callback in your driver so that when any process terminates you can check
the PIDs and see if it is “your” process, and if it is, set the flag so
that the other process does not then expect the data…
About acquiring a handle of the current process, you could obtain the EPROCESS pointer by calling:
PEPROCESS
PsGetCurrentProcess(
VOID
);
After that you could obtain a handle for that object by calling:
NTSTATUS
ObOpenObjectByPointer(
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);
Now... If the handle was obtained in the context of your monitoring process, you could use it directly as a parameter to WaitForSingleObject() in user mode.
If not, the obtained handle should be duplicated into your monitoring process before using it there.
Regards,
Fernando Roberto da Silva
DriverEntry Kernel Development
It is possible to monitor the lifetime of processes in various ways. But if
this is your own process, it will receive an IRP_MJ_CLEANUP when the last handle
to your device object is closed (which also happens when the process terminates).
If necessary your driver can create a separate device object that your
process obtains a handle to which is used only for this notification
purpose.
//Daniel
> I need to intercept an event of signal exit of a Windows process since handle processid, or
> whether the process is still active according to the variable handle returned by
> the PsGetCurrentProcessID.
You just THINK that you need it…
> Why: I developed a driver disk mapping on a user-mode process and when I left the process
> in task manager (mstask.exe), my driver detects if the process is still existing, if not the case,
> it must set the flag on my logical drive mapped to it is inaccessible and it does not expect the data
> sent by my process managing the logical drive.
This is what Ps… callbacks are for - if your target process terminates you will get informed about it by callback invocation…
Anton Bassov
> But if this is your own process it will receive a IRP_MJ_CLEANUP if the last handle to your device
> object is closed (also if the process terminates).
Consider what happens if the target handle gets duplicated into some other process (for example, by some rogue DLL that gets injected into his process). In this case IRP_MJ_CLEANUP will not necessarily be received upon his process termination; everything depends on what the other process does with this handle…
Anton Bassov
If a system is compromised and your solution targeted then all bets are off.
//Daniel
wrote in message news:xxxxx@ntdev…
> (for example, by some rogue DLL that gets injected into his process).
> If a system is compromised and your solution targeted then all bets are off.
That’s for sure…
OTOH, handle duplication without the app’s knowledge can be done not only by malware. For example, it may get done by some “monitoring tool” that runs upon user request, which injects its DLL into all processes in the system for the obviously idiotic purpose of “monitoring how and by whom devices are being accessed”. The problem (IMHO, of course) with the method you have suggested is that it is prone to accidental interop with such components…
Anton Bassov
Problem solved:
I managed to make the simplest possible kernel function, PsSetCreateProcessNotifyRoutine, work.
AC seems to work.
Thank you very much.
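The PsSetCreateProcessNotifyRoutine approach suggested earlier in the thread, and confirmed working by the original poster, comes down to one callback that compares the terminating PID with the PID the user-mode manager registered and clears the "drive accessible" flag on a match. The following is an added example that is not code from any poster in this thread: it models that callback logic in plain, host-compilable C so it can be exercised without the WDK. The HANDLE/BOOLEAN typedefs, the DRIVE_STATE structure, RegisterOwner, IsDriveAccessible, CurrentOwner and the Scenario function are assumptions made for this example; the callback signature matches the one PsSetCreateProcessNotifyRoutine expects, but the registration and removal calls themselves are only described in comments.

```c
/* Host-compilable model of the process-exit notification logic discussed in
 * this thread. In a real driver, DriverEntry would call
 *     PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE);
 * and DriverUnload would call
 *     PsSetCreateProcessNotifyRoutine(ProcessNotify, TRUE);
 * to remove it. Those calls and ntddk.h are deliberately not used here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-ins for the WDK types (assumption: same shape as ntddk.h). */
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0

/* Driver-side state: which PID manages the logical drive and whether the
 * drive may currently be used. A real driver protects this with a lock. */
typedef struct {
    HANDLE OwnerPid;        /* PID of the managing process; NULL = none */
    bool   DriveAccessible; /* cleared as soon as the owner terminates */
} DRIVE_STATE;

static DRIVE_STATE g_Drive = { NULL, false };

/* Called from the driver's IOCTL handler when the user-mode manager starts.
 * Assumption for safety: the driver records PsGetCurrentProcessId() of the
 * calling thread rather than trusting a PID supplied in the IOCTL buffer,
 * so a caller cannot register someone else's process as the owner. */
void RegisterOwner(HANDLE pid)
{
    g_Drive.OwnerPid = pid;
    g_Drive.DriveAccessible = true;
}

/* Signature of a PCREATE_PROCESS_NOTIFY_ROUTINE callback. Invoked for every
 * process creation (Create == TRUE) and termination (Create == FALSE). */
void ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    (void)ParentId;
    if (Create) {
        return; /* only terminations are of interest here */
    }
    if (g_Drive.OwnerPid != NULL && ProcessId == g_Drive.OwnerPid) {
        /* The owner is gone: stop accepting I/O for the mapped drive and
         * forget the PID, so a later process that happens to reuse the
         * same PID value is not mistaken for the original owner. */
        g_Drive.DriveAccessible = false;
        g_Drive.OwnerPid = NULL;
    }
}

bool   IsDriveAccessible(void) { return g_Drive.DriveAccessible; }
HANDLE CurrentOwner(void)      { return g_Drive.OwnerPid; }

/* Constructed scenario: owner PID 1234 registers, an unrelated PID 99 exits,
 * a create event carrying the owner's PID is seen, then PID 1234 exits.
 * Returns true only if the flag changes exactly when the owner terminates. */
bool Scenario(void)
{
    RegisterOwner((HANDLE)(uintptr_t)1234);

    ProcessNotify(NULL, (HANDLE)(uintptr_t)99, FALSE);   /* unrelated exit */
    if (!IsDriveAccessible()) return false;

    ProcessNotify(NULL, (HANDLE)(uintptr_t)1234, TRUE);  /* create, not exit */
    if (!IsDriveAccessible()) return false;

    ProcessNotify(NULL, (HANDLE)(uintptr_t)1234, FALSE); /* owner terminates */
    return !IsDriveAccessible() && CurrentOwner() == NULL;
}

int main(void)
{
    return Scenario() ? 0 : 1;
}
```

Two details matter in practice. The callback fires for every process on the system, so it must do nothing more than the PID comparison and a flag update; and because Windows recycles PID values, clearing the stored PID at termination (as above) is what prevents a later, unrelated process from being treated as the owner. Unlike the IRP_MJ_CLEANUP approach debated later in the thread, this notification does not depend on who holds handles to the device object, which is why a duplicated handle in another process does not delay it.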