Waiting on events

Hello all,

I am progressing slowly with my file filter driver (but at least I am
still progressing!). Anyway I have a problem with events within my driver,
the scenario is as follows:

Bear in mind I am writing a mini-filter based driver if this makes a
difference. I also want to set the event in the user mode app and do the
waiting in the driver (assuming this is possible).

  1. Create an event in a user mode app.
  2. Pass this event handle to the driver.
  3. Call the following code to get the pointer to the event in the driver.

ntStatus = ObReferenceObjectByHandle(hEvent, EVENT_MODIFY_STATE, NULL,
KernelMode, &pevent, NULL);

  4. Call the following code to wait on the event in the driver.

ntStatus = KeWaitForSingleObject(pevent, UserRequest, KernelMode, FALSE,
&lInt);

Result:

The KeWaitForSingleObject function returns immediately with STATUS_TIMEOUT.

Is this fundamentally flawed (probably) or should this work?

Thanks in advance,

Dave

This is normal; the waiting time depends on the last parameter to
KeWaitForSingleObject().
I suppose "lInt" is zero, therefore KeWaitForSingleObject returns
immediately.
If the last parameter is a NULL pointer (i.e. KeWaitForSingleObject(…,
NULL)) then KeWaitForSingleObject() waits indefinitely until the event
object is set to the signaled state.


Thanks for the response,

lInt was not actually zero but was set to a much too low value, I have got
this bit working now.

Thanks,

Dave

I see you have figured out your timeout issue (usually I see people pass
in small positive values, which triggers the “timeout” point almost
immediately).

However, nobody has pointed out the glaring security hole you’ve
introduced by not validating the handle (remember: NEVER trust ANYTHING
coming from user mode…)

ObReferenceObjectByHandle should be called with the correct OBJECT_TYPE
parameter to validate that the handle is what you think it will be:

ntStatus = ObReferenceObjectByHandle(hEvent, EVENT_MODIFY_STATE,
*ExEventObjectType, KernelMode, &pevent, NULL); // ExEventObjectType is a POBJECT_TYPE*, so it is dereferenced

That ensures the handle really IS an event object and that someone
doesn’t pass you the wrong type of handle (this really is a common
attack vector).

Just because you think it’s your application, there’s no guarantee that
it isn’t. Best to validate.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dave Wilkes
Sent: Thursday, August 11, 2005 6:03 AM
To: ntfsd redirect
Subject: [ntfsd] Waiting on events

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Thanks for the info Tony,

I will change my code, I still have a lot to learn.

Thanks again,

Dave

Hello again,

I have the following function in my driver (it is only a proof of concept
at this stage so please do not be too critical).

It is supposed to make the driver wait for a period of time until a user
mode app sets the event to start things off again.

Here is the function:

// hEvent is passed to the driver from the user mode app.
// TIMEOUT: a relative timeout is negative and in 100-nanosecond units.
#define TIMEOUT (-30LL * 10 * 1000 * 1000)

// WriteToEventLog() is the driver's own logging helper (not shown).
NTSTATUS WaitForUserModeApp(HANDLE hEvent)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    LARGE_INTEGER lInt;
    PKEVENT pEvent = NULL;

    lInt.QuadPart = TIMEOUT; // 30 seconds

    if (hEvent)
    {
        // *ExEventObjectType rejects anything that is not an event handle;
        // UserMode applies the access check to a handle that came from user
        // mode. The lookup goes through the current process's handle table,
        // so this must run in the context of the process that owns hEvent.
        status = ObReferenceObjectByHandle(hEvent, EVENT_MODIFY_STATE,
                                           *ExEventObjectType, UserMode,
                                           (PVOID *)&pEvent, NULL);

        if (NT_SUCCESS(status))
            WriteToEventLog(L"ObReferenceObjectByHandle Worked");
        else
        {
            WriteToEventLog(L"ObReferenceObjectByHandle Failed");
            return status; // pEvent is not valid, so do not wait on it
        }

        WriteToEventLog(L"About to wait");

        status = KeWaitForSingleObject(pEvent, UserRequest, KernelMode, FALSE,
                                       &lInt);

        WriteToEventLog(L"Wait Over");

        switch (status)
        {
        … // Logging result
        }

        ObDereferenceObject(pEvent); // drop the reference taken above
    }

    return status;
}

I can successfully call this function from within the driver and the
driver will pause execution of this thread for 30 seconds.

However, when I call the same function from within a callback function
from a call to PsSetCreateThreadNotifyRoutine(…) I get a BSOD every
time. It seems that it is the call to ObReferenceObjectByHandle(…) that
is causing the problem.

Does anyone have an idea of what I am doing wrong?

Thanks in advance,

Dave

This will fail: the context of the callback is a process with no handles,
the handle is from a different process! You need to resolve the handle to a
pointer in the context of the process to be notified, not in the system or
the process being created, which are the contexts you will see in the callback.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

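Putting Tony's and Don's advice together, as an added example that is not code from this thread: the handle is resolved once, in the owning process's context (the IOCTL or minifilter port handler that received it, names assumed), with the object type and a UserMode access check applied, and the thread-notify callback waits only on the stored, already-referenced PKEVENT.

```c
#include <ntddk.h>
// Relative timeouts are negative, in 100-nanosecond units (30 seconds here).
#define WAIT_TIMEOUT_100NS (-30LL * 10 * 1000 * 1000)
static PKEVENT g_UserEvent = NULL;   // referenced object pointer, owned by the driver
// Run this in the context of the process that owns hEvent, i.e. in the IOCTL or
// minifilter port handler (assumed names) the app used to hand the handle over.
NTSTATUS RegisterUserEvent(HANDLE hEvent)
{
    PKEVENT newEvent = NULL;
    NTSTATUS status;
    if (hEvent == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    // UserMode enforces the handle's granted access and rejects kernel handles;
    // *ExEventObjectType rejects any non-event handle; SYNCHRONIZE is what a wait needs.
    status = ObReferenceObjectByHandle(hEvent, SYNCHRONIZE, *ExEventObjectType,
                                       UserMode, (PVOID *)&newEvent, NULL);
    if (!NT_SUCCESS(status)) {
        return status;   // wrong type, foreign or closed handle: nothing to clean up
    }
    // Publish only if nothing is registered yet, so no waiter can be left holding
    // a pointer that another thread is about to dereference.
    if (InterlockedCompareExchangePointer((PVOID volatile *)&g_UserEvent,
                                          newEvent, NULL) != NULL) {
        ObDereferenceObject(newEvent);
        return STATUS_INVALID_DEVICE_STATE;   // already registered
    }
    return STATUS_SUCCESS;
}

// Callable from a PsSetCreateThreadNotifyRoutine callback (PASSIVE_LEVEL): no
// handle lookup here, only a wait on an object the driver already references.
NTSTATUS WaitForUserModeApp(VOID)
{
    LARGE_INTEGER timeout;
    PKEVENT event = g_UserEvent;
    if (event == NULL) {
        return STATUS_DEVICE_NOT_READY;   // app has not registered its event yet
    }
    timeout.QuadPart = WAIT_TIMEOUT_100NS;   // pass NULL instead to wait forever
    return KeWaitForSingleObject(event, Executive, KernelMode, FALSE, &timeout);
}
// DriverUnload, after PsRemoveCreateThreadNotifyRoutine: release the reference.
VOID UnregisterUserEvent(VOID)
{
    PKEVENT old = (PKEVENT)InterlockedExchangePointer((PVOID volatile *)&g_UserEvent, NULL);
    if (old != NULL) {
        ObDereferenceObject(old);
    }
}
```

Blocking inside a thread-creation notify routine stalls every thread creation on the system, including in the application that is expected to set the event, so keep the timeout finite there and treat STATUS_TIMEOUT as a normal outcome.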

Thanks very much for your prompt response Don,

It now works correctly.

Regards,

Dave

Pass NULL instead of &lInt

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Dave Wilkes”
To: “Windows File Systems Devs Interest List”
Sent: Thursday, August 11, 2005 2:02 PM
Subject: [ntfsd] Waiting on events


> However, when I call the same function from within a callback function
> from a call to PsSetCreateThreadNotifyRoutine(…) I get a BSOD every
> time. It seems that it is the call to ObReferenceObjectByHandle(…) that
> is causing the problem.

No, this must not BSOD even if the handle is not valid.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com