I am making a filter driver that needs to create a shared memory region. However, I noticed that adding this to my DriverEntry function results in it failing. I then tried moving it to my Filter_EvtDeviceAdd function, since that is called later, but that also fails. However, when my VM is already running and I then start my driver, it works fine, which is why I think the issue is that I can't create a shared memory region / IoNotificationEvent during the startup process because it's too early. I'm not sure if this is correct, but I would like a solution so that it always works. Here is the code that fails; I would greatly appreciate anyone who explains how this is typically handled, since I want to ensure I use the best solution when working with things as sensitive as drivers.
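/*
 * Create the named notification event and the named shared section, then map
 * a view of the section into the current process.
 *
 * NOTE(review): both names are under \BaseNamedObjects. That object directory
 * is typically created by the Win32 subsystem during session start-up, so it
 * would not yet exist when a boot- or system-start driver runs DriverEntry or
 * an early EvtDeviceAdd -- confirm by logging `status`. A common way to avoid
 * the ordering problem is to defer this setup until the user-mode client
 * first opens the device or sends a setup IOCTL.
 */
RtlInitUnicodeString(&eventUniName, L"\\BaseNamedObjects\\MyCustomEvent");

/*
 * NOTE(review): IoCreateNotificationEvent returns the event object pointer
 * and writes the event handle through its second argument. Here both end up
 * in g_hEvent, so the handle is overwritten by the return value and can no
 * longer be closed. Separate variables are needed; their declarations are
 * outside this fragment, so the call is left as written.
 */
g_hEvent = IoCreateNotificationEvent(&eventUniName, &g_hEvent);
if (!g_hEvent) {
    DebugMessage("Failed g_hEvent \n");
}

/* Initialize section name and create shared section */
sectionSize.QuadPart = sizeof(INPUT_DATA);
RtlInitUnicodeString(&sectionUniName, L"\\BaseNamedObjects\\SharedSection");

/*
 * No security descriptor is supplied, so the named section gets default
 * security. Whatever can open it by name can rewrite the buffer at any time:
 * the driver should treat the shared contents as untrusted input, copy them
 * to private memory, and validate the copy before use.
 */
InitializeObjectAttributes(&objAttributes, &sectionUniName, OBJ_KERNEL_HANDLE, NULL, NULL);

/*
 * The second argument of ZwCreateSection is the desired access mask, not a
 * page protection, so request map-read/map-write access explicitly. The page
 * protection itself is the fifth argument.
 */
status = ZwCreateSection(&g_hSection,
                         SECTION_MAP_READ | SECTION_MAP_WRITE,
                         &objAttributes,
                         &sectionSize,
                         PAGE_READWRITE,
                         SEC_COMMIT,
                         NULL);
if (!NT_SUCCESS(status)) {
    DebugMessage("Failed mouse ZwCreateSection \n");
}
/*
 * g_pSharedBuffer and viewSize are in/out parameters of ZwMapViewOfSection.
 * NOTE(review): their initial values are set outside this fragment; confirm
 * they are NULL and 0 (or the intended size) before this call.
 */
else if (!NT_SUCCESS(status = ZwMapViewOfSection(g_hSection, NtCurrentProcess(), &g_pSharedBuffer, 0, sizeof(INPUT_DATA), NULL, &viewSize, ViewUnmap, 0, PAGE_READWRITE))) {
    DebugMessage("Failed mouse ZwMapViewOfSection \n");
}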