Why are you not using ZwDuplicateObject?
You must have a handle to the initial system process - you can obtain it by opening the process in whose context your DriverEntry was called. In DriverEntry, save PsGetCurrentProcess() to some variable. Then, when you have called IoCreateXxxxEvent, call:

    // Open a handle to the saved system process object.
    ObOpenObjectByPointer(
        SavedSystemProcessPointer,
        0,
        NULL,
        PROCESS_DUP_HANDLE,
        *PsProcessType,
        KernelMode,
        &SystemProcessHandle );

    // Duplicate EventHandle from the current process into the system process.
    ZwDuplicateObject(
        NtCurrentProcess(),
        EventHandle,
        SystemProcessHandle,
        &TargetHandle,
        0,
        0,
        DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES );

    ZwClose(SystemProcessHandle);

Also, if you want to close EventHandle you have to | DUPLICATE_CLOSE_SOURCE or call ZwClose after duplication.
Another way to force IoCreateXxxxEvent to create the handle in some other process context is to attach to this process before calling it.

    KeAttachProcess((PKPROCESS)SavedSystemProcessPointer);
    IoCreateXxxxxEvent(…);
    KeDetachProcess();

After this, the returned handle should reside in the system process context. But this technique should be tested; I’m not sure if it is clear.
Hope this helps.
Paul

//
// Needed prototypes (mostly from NTIFS.H)
//

NTKERNELAPI
VOID
KeAttachProcess (
    IN PRKPROCESS Process
    );

NTKERNELAPI
VOID
KeDetachProcess (
    VOID
    );

#define DUPLICATE_CLOSE_SOURCE      0x00000001
#define DUPLICATE_SAME_ACCESS       0x00000002
#define DUPLICATE_SAME_ATTRIBUTES   0x00000004

NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject (
    IN HANDLE SourceProcessHandle,
    IN HANDLE SourceHandle,
    IN HANDLE TargetProcessHandle OPTIONAL,
    OUT PHANDLE TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG HandleAttributes,
    IN ULONG Options
    );

NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer (
    IN PVOID Object,
    IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PHANDLE Handle
    );

#define PROCESS_DUP_HANDLE (0x0040)

extern POBJECT_TYPE *PsProcessType;

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@esrange.ssc.se
Sent: Monday, January 15, 2001 12:48 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Switch context
Thanks,
now I think that I can at least understand what went on. Unfortunately, even incrementing the reference count in this context doesn’t help, as the object’s name is still deleted from the BaseNamedObjects directory when all handle references to it are closed. I ended up using XxQueueWorkItem and calling IoCreateNotificationEvent from inside the procedure to fix the problem - which seems to work.
This last part I’m not sure about: It seemed like the KEVENT itself was also destroyed after the app exited even though I additionally referenced it right after creation. I created the event using IoCreateNotificationEvent() and right afterwards called ObReferenceObject() and got a page fault in my driver when accessing the event some time after the application exited - even with the extra reference count. The event was in this case created and referenced inside my IRP_MJ_CREATE handler. Is this possible or am I mistaken?
// Johan
-----Original Message-----
From: Hrdina Pavel [mailto:xxxxx@compelson.com]
Sent: den 15 januari 2001 12:01
To: NT Developers Interest List
Subject: [ntdev] Re: Switch context
Yes, it is exactly like you’re saying.

    TotalReferenceCount = ReferenceCount + HandleCount

i.e. there is one additional reference for any handle. And the KEVENT returned from IoCreateXxxxxEvent has a ReferenceCount really equal to one. It is also evident from the steps done in the routine:

    ZwCreateEvent               // RefCnt = 1, HndCnt = 1
    ObReferenceObjectByHandle   // RefCnt = 2, HndCnt = 1
    ObDereferenceObject         // RefCnt = 1, HndCnt = 1

Referencing (and dereferencing) is done only for obtaining the event pointer. So if you can ensure the event remains valid you must do one additional referencing right after IoCreateXxxxEvent.
Paul
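
Added example, not part of the original thread and not code from either poster: a small user-mode C model of the counting described above (one reference per handle, name removed when the last handle closes), run for the three cases discussed: no fix, an extra ObReferenceObject, and a handle duplicated into the system process. The struct and all model_* names are assumptions made for illustration; this is not kernel code.

```c
/* Added user-mode model (not kernel code): object-manager counters
   as traced in this thread. All model_* names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
typedef struct {
    int  pointer_count;  /* RefCnt: one per open handle plus explicit references */
    int  handle_count;   /* HndCnt: open handles in all processes */
    bool named;          /* name still present in BaseNamedObjects */
    bool freed;          /* object memory has been released */
} model_object;
static void model_reference(model_object *o) { o->pointer_count++; }
static void model_dereference(model_object *o) {
    if (--o->pointer_count == 0) o->freed = true;
}
/* Creating or duplicating a handle raises both counters. */
static void model_open_handle(model_object *o) {
    o->handle_count++;
    o->pointer_count++;
}
/* Closing the last handle removes the name of a non-permanent object. */
static void model_close_handle(model_object *o) {
    if (--o->handle_count == 0) o->named = false;
    model_dereference(o);
}
/* IoCreateXxxxEvent, following the three steps listed in the thread. */
static model_object model_io_create_event(void) {
    model_object o = {0, 0, true, false};
    model_open_handle(&o);   /* ZwCreateEvent:             RefCnt=1, HndCnt=1 */
    model_reference(&o);     /* ObReferenceObjectByHandle: RefCnt=2, HndCnt=1 */
    model_dereference(&o);   /* ObDereferenceObject:       RefCnt=1, HndCnt=1 */
    return o;
}
typedef enum { NO_FIX, EXTRA_REFERENCE, DUP_TO_SYSTEM } model_strategy;
/* Event created in an application's context; then the application exits. */
static model_object model_run(model_strategy s) {
    model_object o = model_io_create_event();
    if (s == EXTRA_REFERENCE) model_reference(&o);   /* ObReferenceObject */
    if (s == DUP_TO_SYSTEM)   model_open_handle(&o); /* ZwDuplicateObject into system process */
    model_close_handle(&o);  /* process exit closes the application's handle */
    return o;
}
int main(void) {
    const char *label[] = {"no fix", "extra reference", "handle duplicated"};
    for (int s = NO_FIX; s <= DUP_TO_SYSTEM; s++) {
        model_object o = model_run((model_strategy)s);
        printf("%-18s named=%d freed=%d\n", label[s], o.named, o.freed);
    }
}
```

In this model only the duplicated handle keeps the name in place; the extra reference keeps the object allocated but not its name.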