How to wait on a process handle in kernel mode?

Hi All,

We have the WaitForSingleObject() function in user mode to wait for a process to terminate. Is this possible in kernel mode? How?

Thanks & Regards,
Amit.

Read on PsSetCreateProcessNotifyRoutine in WDK documentation.

–PA

Have you tried KeWaitForSingleObject…

Thanks,
Sudhakar

PsSetCreateProcessNotifyRoutine will work only if we installed the callback routine before the process terminates; otherwise it will not give a notification.

Does KeWaitForSingleObject work? I have seen no documentation stating that we can use KeWaitForSingleObject for this purpose.

No, it won’t work on a PEPROCESS. There is magic in the object manager
wrappers ZwWaitForSingleObject that converts object handles like a process
or thread object handle into pointers with the associated KEVENT, which does
not begin at the start of the object structure. Your system will crash
rather spectacularly if you pass a PEPROCESS to KeWaitForSingleObject. This
support is needed for all “waitable” objects that do not really begin with a
DISPATCHER_HEADER, and for those objects, you cannot pass a pointer directly
to KeWaitFor*Object*-style routines.

You can, however, wait on a handle to a process object via
ZwWaitForSingleObject.


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

Hrm… teach me to post too fast. Disregard this; it should work for
process/thread objects; I was thinking of file objects…


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

> This support is needed for all “waitable” objects that do not really begin with a DISPATCHER_HEADER

Actually, EPROCESS does begin with DISPATCHER_HEADER…

However, when it comes to processes, the main idea of your post is absolutely correct - when you call WaitForSingleObject() from user mode, the resulting call to KeWaitForSingleObject() receives a pointer not to EPROCESS but to some dummy object that seems to be constructed on the stack, rather than being allocated from non-paged pool the way waitable objects are supposed to be allocated…

At the same time, I don’t think the same applies to threads (I have yet to investigate it) - according to MSDN, KeWaitForSingleObject() can wait on events, mutexes, semaphores, threads and timers.

I see a good reason why it may not apply to threads, although it applies to processes - under Windows, the execution unit is the thread, rather than the process, and the process is just a “host environment”. Therefore, a process terminates only when its main thread is terminated, i.e. process termination is secondary, and, hence, what you really wait for is not process termination but termination of its main thread. Therefore, WaitForSingleObject() substitutes a dummy object for EPROCESS, but it does not have to do the same for ETHREAD…

Anton Bassov

Waiting on a thread to die is easy:

NTSTATUS status;
HANDLE ThreadHandle;
PETHREAD ThreadObject;
OBJECT_ATTRIBUTES attr;

// Kernel handle: not reachable through the handle table of the current user process
InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

status = PsCreateSystemThread(
    &ThreadHandle,
    THREAD_ALL_ACCESS,
    &attr,
    NULL,                 // ProcessHandle: NULL creates the thread in the System process
    NULL,                 // ClientId not needed
    ::CloseSocketThread,
    this);
if (!NT_SUCCESS(status)) {
    return status;
}

// Convert it to a pointer; SYNCHRONIZE is all a wait needs, and *PsThreadType
// rejects a handle to any other object type
status = ObReferenceObjectByHandle(
    ThreadHandle,
    SYNCHRONIZE,
    *PsThreadType,
    KernelMode,
    (PVOID*)&ThreadObject,
    NULL);
ZwClose(ThreadHandle);    // the object reference, not the handle, keeps the ETHREAD alive
if (!NT_SUCCESS(status)) {
    return status;
}

// Wait on the pointer: KTHREAD begins with a DISPATCHER_HEADER, so this is legal
KeWaitForSingleObject(
    ThreadObject,
    Executive,
    KernelMode,
    FALSE,                // not alertable
    NULL);                // no timeout: returns once the thread has exited

// and don’t forget to release the reference
ObDereferenceObject(ThreadObject);


> Waiting on a thread to die is easy:

It looks like my theory is correct - indeed, process seems to be just an exception to the rule…

Anton Bassov

> Hrm… teach me to post too fast. Disregard this; it should work for process/thread objects;

Ironically, your post seems to apply pretty well to processes, although not to threads - the pointer that KeWaitForSingleObject() receives when you want to wait on a process seems to point into the caller’s stack (under XP SP2, 44 bytes away from the top of the stack at the moment KeWaitForSingleObject() enters execution)…

Anton Bassov

At least it is not so for threads; you can KeWaitForSingleObject on an
ETHREAD.

I think for processes too.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Yep, both KPROCESS/KTHREAD begin with a DISPATCHER_HEADER; realized that
about 5 minutes after I posted :(


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
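The process case the original question asked about, following the thread’s conclusion that KPROCESS (like KTHREAD) begins with a DISPATCHER_HEADER. This is an added example, not code from any of the posters: it references the EPROCESS behind a process handle with ObReferenceObjectByHandle, restricting the object type to *PsProcessType and the access to SYNCHRONIZE, then waits on the object pointer with KeWaitForSingleObject with a timeout. It assumes the WDK headers and a kernel-mode build; the function name WaitForProcessExit is mine, and if the handle came from user mode (e.g. in an IOCTL) the call must run in the context of the process that owns the handle, since handle tables are per-process. Waiting on the handle itself via ZwWaitForSingleObject, as suggested in the thread, remains the alternative when the handle is a kernel handle.

```c
#include <ntddk.h>

// Added example (hypothetical name). Wait for the process behind ProcessHandle
// to terminate. Valid because KPROCESS begins with a DISPATCHER_HEADER, so a
// referenced PEPROCESS is a legitimate KeWaitForSingleObject argument.
// Call at PASSIVE_LEVEL. TimeoutMs == 0 means no timeout (deliberately NOT the
// Win32 "poll" meaning).
NTSTATUS WaitForProcessExit(
    _In_ HANDLE ProcessHandle,
    _In_ KPROCESSOR_MODE AccessMode,   // UserMode if the handle came from user mode
    _In_ ULONG TimeoutMs)
{
    PEPROCESS process = NULL;
    LARGE_INTEGER timeout;
    NTSTATUS status;

    // SYNCHRONIZE is the only right a wait needs. *PsProcessType makes the call
    // fail with STATUS_OBJECT_TYPE_MISMATCH for a handle to any other object, so
    // a thread, event or file handle cannot be passed in by mistake. With
    // AccessMode == UserMode the object manager also checks that the handle is
    // valid in the current process and that SYNCHRONIZE was granted on it.
    status = ObReferenceObjectByHandle(ProcessHandle,
                                       SYNCHRONIZE,
                                       *PsProcessType,
                                       AccessMode,
                                       (PVOID *)&process,
                                       NULL);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    // Relative timeouts are negative and expressed in 100 ns units.
    timeout.QuadPart = -((LONGLONG)TimeoutMs * 10000);

    // Executive / KernelMode / non-alertable: no user APC can interrupt the
    // wait and the kernel stack stays resident for its duration.
    status = KeWaitForSingleObject(process,
                                   Executive,
                                   KernelMode,
                                   FALSE,
                                   TimeoutMs == 0 ? NULL : &timeout);

    // The reference, not the handle, kept the EPROCESS alive; release it now.
    ObDereferenceObject(process);

    // STATUS_TIMEOUT (0x102) satisfies NT_SUCCESS(): compare against
    // STATUS_SUCCESS to distinguish "exited" from "still running".
    return status;
}
```

A process that has already terminated is signaled, so the wait returns STATUS_SUCCESS immediately; a bounded TimeoutMs keeps a driver thread from blocking forever on a process that never exits.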