Driver to User-Mode Communication

0
votes

I am trying to write a tool to monitor processes. Whenever a high privileged process with SYSTEM privileges is created it will alert the user. I'm doing this with a driver that monitors every process creation and a user mode app to check if it runs under SYSTEM and if so to make the alert. For doing this the user-mode app should listen to the driver. I'm trying to do it with event. Whenever a process is created the driver will signal the event with IoCreateNotificationEvent (which the use-mode app listens to with WaitForSingleObject) and then the app will send an IRP to the driver to get the pid. That doesn't work well for me and I was looking for other methods to do that communication from the driver to a listening user-mode app and I couldn't find so.. How can I make it work?

Thanks for helping

2
cwindowswinapikerneldriver

2 Answers

1
votes

The usual method would be to use an asynchronous IOCTL, forget the event entirely, just have the driver save the IOCTL if there is no outstanding process creation to read and then complete the IOCTL when you get a new process. This does require that the client submit the IOCTL requests ahead of process creation. For best results I would say bind your device handle to an IOCP (I find IOCP far easier to deal with than needing to track which event goes with which OVERLAPPED).

0
votes

Another way to communicate from Driver to User mode process is for the user mode process to open a pipe in message mode and listen to messages from kernel. It is simpler than implementing asynchronous IOCTL as you do not have to deal with pending IOCTL that may need to be cancelled. Make sure that when you open the pipe, it is ACL'd correctly so that only the kernel can talk to the pipe opened by the user mode process.