Sending an arbitrary string from kmdf to user mode application

Sorry about this Anton. I have misinterpreted one of your statements. There it is:

http://www.osronline.com/showThread.CFM?link=276008

PS: Thank you Bing.

>>Or, you know, send it on a TCP-connection made from the driver via WSK to the app.

I suspect you are trying to be facetious.

BTW, WSK option in itself is not as insane and ridiculous as it seems to be at the first glance. Assuming that Windows allows registration of custom address families you could write an address family for this particular purpose, effectively bringing AF_NETLINK concepts to the Windows world.
For example, you could use it for packet filtering at NDIS level, or for sending/receiving raw Ethernet packets right from the userland, or maybe even for simulating a network device right from the userland - the list of possible useful applications goes on and on…

Anton Bassov

Abdel M. wrote:

http://www.osronline.com/showThread.CFM?link=276008

Ahh, yes. The “shut up or be banned” thread. I remember it well. Seems like it was just yesterday…

>Ahh, yes. The “shut up or be banned” thread.

Well, figuratively speaking, “got shot before even taking off”. What a pity…

Anton Bassov

> The problem with the section solution is that the user app must “talk” to the driver to ask for the section to be mapped into its address space and ask for the address where it has been mapped and therefore some data must be written by the driver to a buffer provided by the app.

More so: the shared section requires locks to synchronize access to it, and locks must be available from both driver and usermode.

This makes the shared section more complex than inverted calls.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
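The synchronization Maxim describes is the hard part of the section approach. As an added example (not code from this thread, nor from OSR or StorageCraft), here is one shape the shared region can take that needs no lock at all: a single-producer, single-consumer ring of fixed-size string slots in which the driver writes only the head index and the application writes only the tail index, so the only synchronization required is release/acquire ordering on those two words (InterlockedXxx or KeMemoryBarrier on the kernel side; C11 atomics below so it runs anywhere). The layout, the slot count and the slot size are assumptions for illustration. The point that matters for the driver is that every word user mode can write, the tail index included, is untrusted input: it is read exactly once, the ring fails closed when the value is implausible, and slots are addressed only through a mask, so no user-supplied value ever becomes an out-of-bounds index into kernel memory.

```c
/* Added example, not from the thread: a single-producer/single-consumer ring
 * of string records as it might sit in a section mapped into both a driver
 * (producer) and an application (consumer). Portable C11 atomics stand in
 * for InterlockedXxx/KeMemoryBarrier; layout and sizes are assumptions. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 8u               /* power of two: masking keeps indices in bounds */
#define RING_MASK  (RING_SLOTS - 1u)
#define SLOT_BYTES 64u              /* one NUL-terminated string per slot */

struct shared_ring {
    _Atomic uint32_t head;          /* written only by the producer (driver) */
    _Atomic uint32_t tail;          /* written only by the consumer (app)    */
    uint32_t dropped;               /* producer statistic                    */
    char slot[RING_SLOTS][SLOT_BYTES];
};

void ring_init(struct shared_ring *r)
{
    atomic_init(&r->head, 0);
    atomic_init(&r->tail, 0);
    r->dropped = 0;
    memset(r->slot, 0, sizeof r->slot);
}

/* Driver side. 0 = published; -1 = dropped (ring full, or the tail index was
 * corrupted by user mode so that the ring looks full) or string too long. */
int ring_push(struct shared_ring *r, const char *msg)
{
    size_t need = strlen(msg) + 1;
    if (need > SLOT_BYTES)
        return -1;
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    /* tail lives in memory the application can write: read it exactly once */
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    /* Unsigned arithmetic: a garbage tail gives a huge fill level, which is
     * treated as "full". The driver fails closed instead of overrunning. */
    if (head - tail >= RING_SLOTS) {
        r->dropped++;
        return -1;
    }
    memcpy(r->slot[head & RING_MASK], msg, need);   /* masked: always in bounds */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return 0;
}

/* Application side. 1 = string copied to out; 0 = ring empty; -1 = out too small. */
int ring_pop(struct shared_ring *r, char *out, size_t cap)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return 0;
    const char *src = r->slot[tail & RING_MASK];
    /* slot bytes are shared too: bound the scan rather than trusting a NUL */
    const char *nul = memchr(src, '\0', SLOT_BYTES);
    size_t len = nul ? (size_t)(nul - src) : SLOT_BYTES - 1;
    if (len + 1 > cap)
        return -1;
    memcpy(out, src, len);
    out[len] = '\0';
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return 1;
}

/* Ten pushes into eight slots with no drain in between: eight strings come
 * out in order, two were dropped and counted. Returns the drop count (2). */
int demo_fill_and_drain(void)
{
    struct shared_ring r;
    char msg[SLOT_BYTES], out[SLOT_BYTES];
    int received = 0;
    ring_init(&r);
    for (int i = 0; i < 10; i++) {
        snprintf(msg, sizeof msg, "event %d", i);
        ring_push(&r, msg);
    }
    while (ring_pop(&r, out, sizeof out) == 1)
        received++;
    return received == 8 ? (int)r.dropped : -1;
}

/* User mode scribbles on the tail index: the driver drops instead of
 * trusting it. Returns 1 when that holds. */
int demo_corrupt_tail(void)
{
    struct shared_ring r;
    ring_init(&r);
    atomic_store(&r.tail, 0xFFFFFFF0u);
    return ring_push(&r, "late") == -1 && r.dropped == 1;
}

int main(void)
{
    printf("dropped after overfill: %d\n", demo_fill_and_drain());
    return 0;
}
```

With one producer and one consumer the ring needs no lock because each index has exactly one writer; the moment a second consumer thread appears, the tail becomes contended and the lock Maxim mentions (or a compare-and-swap on the tail) is back. What does not go away in any variant is the rule in ring_push: a driver must never index with, or loop on, a raw value it read from a page user mode can write.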

> I remember Anton citing the inverted call model as broken and source of lawsuits.

Both Windows and Linux use this model extensively. Look at PPP/PPTP in Linux, for instance.

> Using it could not only cost the dev his shirt but send him to jail.

This can occur only if there is some certification-style/compliance-style document about the best current practices in a particular field, and the developer is proven to neglect it, causing things like death or injury in the end.

> Has a medical device failed because of the inverted call model?

Well, once on this forum some document of the above-mentioned kind was discussed, which says that “dynamic memory allocations are evil”. In such an industry (I think this is about the automotive engine control firmware), the inverted calls are maybe evil too.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

> I’m sure glad I deleted the suggestion to have the driver store the data onto Azure

:slight_smile:

Strange that WMI Events/ETW is forgotten in this context. A good solution.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

> BTW, WSK option in itself is not as insane and ridiculous as it seems to be at the first glance. Assuming that Windows allows registration of custom address families you could write an address family for this particular purpose, effectively bringing AF_NETLINK concepts to the Windows world.

AF_UNIX is by far a better option for IPC or kernel-to-user communication.

Anyway Windows has named pipes, which are rather similar to AF_UNIX.

> For example, you could use it for packet filtering at NDIS level

So, AF_NETLINK in Linux is the same as “divert sockets” in FreeBSD?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

You know, there’s really not much more that can be added to this thread to make it complete.

Perhaps we can get a reference to Hitler or something, just to round it out?

Some politics, some religion… a discussion of whether the locavore movement is good or bad? Is global warming real science?

Peter
OSR
@OSRDrivers

>Both Windows and Linux use this model extensively. Look at PPP/PPTP in Linux, for instance.

If the point of the inverted call model is to execute ring3 code from ring0, and I think it is, then it makes no sense using this on Linux as everything is documented there.

Windows drivers cannot initiate a user-mode thread of execution, that’s why the inverted call model was developed. Let me quote OSR on that particular point:

“One of the most common questions we see from students, clients, and new Windows driver writing colleagues is, ‘How can a driver perform a callback to a user-mode program?’ The answer to this is simple: it can’t.”
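The model the quoted OSR text refers to, as an added example that is not from this thread and not OSR's code: the application keeps one or more IOCTL requests pending inside the driver, and the driver "sends" a string by completing the next pending request with it; no user-mode thread is ever created by the kernel, the application's own thread simply returns from DeviceIoControl (or its overlapped wait) with data. Everything WDF-specific is left out so that the logic runs as plain C; in a real KMDF driver the pending array would be a manual WDFQUEUE (WdfIoQueueRetrieveNextRequest to take one), the output buffer would come from WdfRequestRetrieveOutputBuffer, and completion would be WdfRequestCompleteWithInformation. The request structure, the IOCTL name, queue sizes and message length are assumptions; the NTSTATUS values are the real ones. Two cases a driver has to get right are shown: a string that arrives while nothing is pending goes into a bounded backlog, so an application that stops sending requests cannot make the driver grow without limit, and a pending buffer that is too small is completed with STATUS_BUFFER_TOO_SMALL and the required length in Information while the string stays queued for the retry. Cancellation of parked requests when the application exits is omitted here; the real driver has to think about it.

```c
/* Added example, not from the thread: driver-side bookkeeping of the
 * inverted-call model in portable C. Not a KMDF driver: struct request
 * stands in for a WDFREQUEST, the pending array for a manual WDFQUEUE.
 * NTSTATUS values are the real ones; queue sizes are assumptions. */
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS                0x00000000u
#define STATUS_PENDING                0x00000103u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au

#define MAX_PENDING 4     /* requests the app may leave parked at once */
#define MAX_BACKLOG 8     /* strings held while nothing is pending     */
#define MSG_BYTES   128

struct request {            /* stand-in for a WDFREQUEST, METHOD_BUFFERED  */
    char    *out;           /* output buffer supplied by the application   */
    size_t   out_len;       /* its length, as validated by the I/O manager */
    size_t   info;          /* bytes written, or bytes required on failure */
    uint32_t status;
    int      completed;
};

struct driver {
    struct request *pending[MAX_PENDING];
    size_t          npending;
    char            backlog[MAX_BACKLOG][MSG_BYTES];
    size_t          nbacklog;
    unsigned        dropped;        /* strings lost to backlog overflow */
};

void drv_init(struct driver *d) { memset(d, 0, sizeof *d); }

/* Complete req with msg. 1 = delivered; 0 = buffer too small, in which case
 * the request is completed with the required length and the caller keeps msg. */
static int complete_with_string(struct request *req, const char *msg)
{
    size_t need = strlen(msg) + 1;
    req->completed = 1;
    req->info = need;
    if (req->out_len < need) {          /* checked before any copy */
        req->status = STATUS_BUFFER_TOO_SMALL;
        return 0;
    }
    memcpy(req->out, msg, need);
    req->status = STATUS_SUCCESS;
    return 1;
}

/* Handler for a hypothetical IOCTL_GET_NEXT_STRING. Hands out a backlogged
 * string at once, otherwise parks the request. Returns the dispatch status. */
uint32_t drv_ioctl_get_string(struct driver *d, struct request *req)
{
    if (d->nbacklog > 0) {
        if (complete_with_string(req, d->backlog[0])) {
            memmove(d->backlog[0], d->backlog[1], (d->nbacklog - 1) * MSG_BYTES);
            d->nbacklog--;
        }                               /* too small: string stays for the retry */
        return req->status;
    }
    if (d->npending == MAX_PENDING) {
        req->completed = 1;
        req->status = STATUS_INSUFFICIENT_RESOURCES;
        return req->status;
    }
    d->pending[d->npending++] = req;    /* request stays inside the driver */
    return STATUS_PENDING;
}

/* Called from the driver's own context when it has a string to send up.
 * 1 = delivered or queued; 0 = dropped (too long, or backlog full). */
int drv_string_ready(struct driver *d, const char *msg)
{
    if (strlen(msg) + 1 > MSG_BYTES)
        return 0;
    while (d->npending > 0) {           /* pending implies an empty backlog */
        struct request *req = d->pending[0];
        memmove(&d->pending[0], &d->pending[1], (d->npending - 1) * sizeof req);
        d->npending--;
        if (complete_with_string(req, msg))
            return 1;
        /* that request was too small and got the size back; try the next one */
    }
    if (d->nbacklog == MAX_BACKLOG) {   /* bounded: an idle app cannot grow the driver */
        d->dropped++;
        return 0;
    }
    strcpy(d->backlog[d->nbacklog++], msg);
    return 1;
}

/* Two requests parked, three strings arrive; the third waits in the backlog
 * until a request with a big enough buffer fetches it. Returns the number
 * of strings the application received (3). */
int demo(void)
{
    struct driver d;
    char b1[MSG_BYTES], b2[MSG_BYTES], b3[MSG_BYTES], tiny[4];
    struct request r1 = { b1, sizeof b1 }, r2 = { b2, sizeof b2 };
    struct request r3 = { tiny, sizeof tiny }, r4 = { b3, sizeof b3 };
    int got = 0;
    drv_init(&d);
    drv_ioctl_get_string(&d, &r1);      /* STATUS_PENDING */
    drv_ioctl_get_string(&d, &r2);      /* STATUS_PENDING */
    drv_string_ready(&d, "alpha");      /* completes r1 */
    drv_string_ready(&d, "beta");       /* completes r2 */
    drv_string_ready(&d, "gamma");      /* nothing pending: backlogged */
    got += r1.status == STATUS_SUCCESS && strcmp(b1, "alpha") == 0;
    got += r2.status == STATUS_SUCCESS && strcmp(b2, "beta") == 0;
    if (drv_ioctl_get_string(&d, &r3) == STATUS_BUFFER_TOO_SMALL && r3.info == 6)
        got += drv_ioctl_get_string(&d, &r4) == STATUS_SUCCESS && strcmp(b3, "gamma") == 0;
    return got;
}

/* Nothing pending and more strings than the backlog holds: the excess is
 * dropped and counted, not accumulated. Returns the drop count (2). */
int demo_backlog_overflow(void)
{
    struct driver d;
    drv_init(&d);
    for (int i = 0; i < MAX_BACKLOG + 2; i++)
        drv_string_ready(&d, "x");
    return (int)d.dropped;
}
```

The application side of this is just a loop that issues the IOCTL with an overlapped handle, waits, reads the string, and immediately issues the next one; keeping two or three requests parked at a time is what stops strings from piling up in the backlog between completions. Note that the length check happens on the length the I/O manager validated, not on anything the string source supplied, and that the driver never stores a user-mode pointer across the completion.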

Hey all thanks for your help. I would post in multiple forums and I can assure you that the help and attention I get here has been invaluable and incomparable. I will try the suggested solutions and see what I get.

> Perhaps we can get a reference to Hitler

Well, I am 100% sure Max would just love this discussion, and if you allowed discussing genocide on NTDEV, Mr. Kyler would, probably, come back to light out of the lurking mode as well…

Anton Bassov

Hey Anton,

Did you make some projects on API hooking on codeproject? If so, thanks, they were helpful to me.

Others may be kinder on this forum, but your question as stated indicates that you have a primitive understanding of how operating systems work. Do some basic research or ask a better question and you will do better.

The questions you are asking are like the claims made by a famous lawyer in a famous hacking case where it was claimed that nuclear weapons could be fired if a specific person was allowed to use the internet. Again, look it up and you will understand that while it sounded great in 3rd grade, as an adult we expect more.

Sent from Mail for Windows 10

From: xxxxx@gmail.com
Sent: July 15, 2016 9:01 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Sending an arbitrary string from kmdf to user mode application

>As Tim said show us the conversation. I have never heard of such a claim, in the 22 years I’ve been writing Windows drivers

Sorry about this statement. I can’t find the discussion so I take it back.

> >I don’t know if this was serious but to me, IOCTLs are handy when it comes to share data between user-mode and kernel-mode. Of course this is not the primary meaning of the I/O Manager but drivers don’t have system calls and the only function table drivers have is the dispatch table.

>I’m not sure what you’re getting at here. Statistically speaking, it’s likely that most of I/O manager’s requests are ioctls. And ReadFile, WriteFile and DeviceIoControl certainly are system calls, in exactly the same sense that Unix uses.

I was talking about the special case of running ring 0 code. The goal was not to run a device but just to run ring 0 code for instance to check system data in a security project.

As you know, much malware is ring 0 malware, and it definitely does not run in the kernel to run a device. I was wondering if sending data from kernel-mode to user-mode using IOCTLs is legitimate. Can you use I/O although this has nothing to do with I/O?

The thing is: you have no other choice.

How can an antivirus’s system component communicate with a user-mode companion? The I/O Manager is the only means there, although this has nothing to do with I/O.


NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

It is, or should be, well known that no general purpose operating system is appropriate for use in any life critical or safety critical system. In this respect Windows and Linux and most UNIX operating systems are all on the same footing: they are not eligible to be the OS used in the JSF or a cardiac arrest suppression machine, oh well.

Sent from Mail for Windows 10

From: Maxim S. Shatskih
Sent: July 16, 2016 5:50 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Sending an arbitrary string from kmdf to user mode application


Hitler is so passé these days that I’m surprised that you mention him at all; today we have much more fluid issues, like agog Germans and French who cannot fathom that the Brits wouldn’t want to join with them in a united Europe after waging war over the previous 800 or so years to prevent exactly that.

If I have failed to supply the irrelevant details that you crave, please feel free to censure me, Peter. Otherwise let the mayhem continue, within the usual course of irrelevant if interesting details such as the effective speed of light in certain materials, or the probable relevance of quantum computing.

Sent from Mail for Windows 10

From: xxxxx@osr.com
Sent: July 16, 2016 11:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Sending an arbitrary string from kmdf to user mode application


>Others may be kinder on this forum, but your question as stated indicates that you have a primitive understanding of how operating systems work. Do some basic research or ask a better question and you will do better.

Why should you be kind? If you could just be helpful or even useful, that would be great.

On Jul 16, 2016, at 10:17 AM, xxxxx@gmail.com wrote:

> Both Windows and Linux use this model extensively. Look at PPP/PPTP in Linux, for instance.

If the point of the inverted call model is to execute ring3 code from ring0, and I think it is, then it makes no sense using this on Linux as everything is documented there.

We’re getting deeply into splitting hairs here. I think of “inverted call” as a way to notify ring 3 code, or to trigger ring 3 code. It’s not like the kernel code is saying “please execute the function at address 0x12345678 in process 0x1234.” It’s not a callback in the sense I usually use the word.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Truer words were never typed. “Incomparable” describes it particularly well, I think.

For some value of the word “initiate” this is true. For most common definitions of the word “initiate” it is not.

Perhaps we should have auto-deleting threads on NTDEV… like SnapChat.

So, what do people think about the new home kit for FC Barcelona this year? Too stripey? And while it’s hardly politically correct to say anything negative about anything French these days, don’t you really have to agree that the Marseille outfit is, well, kinda blah?

Peter
OSR
@OSRDrivers

> more fluid issues like agog Germans and French who cannot fathom that the Brits wouldn’t want to join with them in a united Europe after waging war over the previous 800 or so years to prevent exactly that

Oh my God.

Let’s also discuss Erdogan, whether he is democratic or not so.
Or let’s discuss whether the rebels of the Ukrainian East are terrorists or sacred freedom fighters.
Or let’s discuss whether al-Nusra in Syria is a democratic opposition, or al-Qaeda’s daughter company and thus not much different from ISIL.

European refugee crisis is also a good idea to discuss.

And so on.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com