A forum for reverse engineering, OS internals and malware analysis 

 #23816  by Kamran.Teimoori
 Mon Sep 08, 2014 11:50 am
Hello

I'm developing a simple driver to notify user mode of process creation!
I searched and found some good examples, but they only show the result in "dbgView"!

My problem is retrieving and sending the ImageFileName and CommandLine from PPS_CREATE_NOTIFY_INFO CreateInfo.

This is my code inside the CreateProcessNotifyEx callback:
Code:
VOID CreateProcessNotifyEx(
    __inout   PEPROCESS Process,
    __in      HANDLE ProcessId,
    __in_opt  PPS_CREATE_NOTIFY_INFO CreateInfo
    )
{ ...

    Pinfo->ParentId = CreateInfo->ParentProcessId;
    Pinfo->ProcessId = ProcessId;
    Pinfo->Create = CreateInfo->CreationStatus;
    Pinfo->ImageFileName = CreateInfo->ImageFileName;
    Pinfo->CommandLine = CreateInfo->CommandLine;

..
    KeSetEvent(ProcessEvent, 0, FALSE);
    KeClearEvent(ProcessEvent);
....}
This code works perfectly and I get the Pinfo struct in user mode, but Pinfo->ImageFileName and Pinfo->CommandLine do not contain any string! (Pinfo->ProcessId and Pinfo->Create are filled with correct data.)

Where is my mistake?

{Ohhh, excuse me if my English is bad}
 #23824  by EP_X0FF
 Tue Sep 09, 2014 3:53 am
Kamran.Teimoori wrote:This code works perfectly and I get the Pinfo struct in user mode, but Pinfo->ImageFileName and Pinfo->CommandLine do not contain any string! (Pinfo->ProcessId and Pinfo->Create are filled with correct data.)

Where is my mistake?

{Ohhh, excuse me if my English is bad}

Because the "=" operator does not magically copy strings, you assigned a kernel-mode address to whatever your structure pointer is. You need to allocate a buffer for the string and copy it yourself.
 #23826  by EP_X0FF
 Tue Sep 09, 2014 7:51 am
Your buffer is usermode:
Kamran.Teimoori wrote:Pinfo struct in user mode
You don't know how to allocate memory anywhere and copy an array? Then what are you doing in kernel-mode programming?
 #23829  by Kamran.Teimoori
 Tue Sep 09, 2014 9:23 am
EP_X0FF wrote:You don't know how to allocate memory anywhere and copy an array? Then what are you doing in kernel-mode programming?
I told you I'm a novice in "Kernel Programming"; actually my experience is in user-mode programming using Python and Delphi.

I read a bit about allocating memory for a PUNICODE_STRING and then tried to use this code, but I couldn't get it to work either.
Code:
Pinfo->ImageFileName.Buffer = (PWSTR) ExAllocatePool(PagedPool, CreateInfo->ImageFileName.Length + sizeof(WCHAR));
Pinfo->ImageFileName.MaximumLength = CreateInfo->ImageFileName.Length + sizeof(WCHAR);
RtlCopyUnicodeString(Pinfo->ImageFileName, CreateInfo->ImageFileName);
I'm still learning... Please help if you can.
 #23831  by Kamran.Teimoori
 Tue Sep 09, 2014 1:02 pm
Hello again

I wrote this function to convert a PUNICODE_STRING to char:
Code:
VOID UnicodeToChar(PUNICODE_STRING src, char *dst)
{
    ANSI_STRING string;
    RtlUnicodeStringToAnsiString(&string, src, TRUE);
    strcpy(dst, string.Buffer);
    RtlFreeAnsiString(&string);
}
and use it like this:
Code:
UnicodeToChar(CreateInfo->ImageFileName, PInfo->S);
PInfo->S is an array of WCHAR:
Code:
WCHAR S[MAXPATHLEN];

This method works and helps me return data from kernel to user mode! But sometimes the driver crashes (randomly)!
This is the result of !analyze -v when I got the BSOD:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8292af1f, The address that the exception occurred at
Arg3: 8c9a7a4c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ExFreePoolWithTag+464
8292af1f 0fb74ffa movzx ecx,word ptr [edi-6]

TRAP_FRAME: 8c9a7a4c -- (.trap 0xffffffff8c9a7a4c)
ErrCode = 00000000
eax=00000000 ebx=84d086c8 ecx=00000005 edx=00000004 esi=7365445c edi=7365445c
eip=8292af1f esp=8c9a7ac0 ebp=8c9a7b18 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!ExFreePoolWithTag+0x464:
8292af1f 0fb74ffa movzx ecx,word ptr [edi-6] ds:0023:73654456=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: CreateProcessM

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 82a3bc22 to 8292af1f

STACK_TEXT:
8c9a7b18 82a3bc22 7365445c 00000000 84ad8de8 nt!ExFreePoolWithTag+0x464
8c9a7b64 82a2c7c9 84d086c8 84d086c8 84d086b0 nt!IopDeleteFile+0x148
8c9a7b7c 82882200 00000000 84d02030 84d086b0 nt!ObpRemoveObjectRoutine+0x59
8c9a7b90 82882170 84d086c8 82a4f556 a3deb3d0 nt!ObfDereferenceObjectWithTag+0x88
8c9a7b98 82a4f556 a3deb3d0 84d02030 00000168 nt!ObfDereferenceObject+0xd
8c9a7bdc 82a4f27c a3deb3d0 a3ea02d0 84d07920 nt!ObpCloseHandleTableEntry+0x21d
8c9a7c0c 82a4f616 84d07920 84d02001 0012fd8c nt!ObpCloseHandle+0x7f
8c9a7c28 828478c6 00000168 0012fdc4 77d370f4 nt!NtClose+0x4e
8c9a7c28 77d370f4 00000168 0012fdc4 77d370f4 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fdc4 00000000 00000000 00000000 00000000 0x77d370f4


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+464
8292af1f 0fb74ffa movzx ecx,word ptr [edi-6]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ExFreePoolWithTag+464

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 521e9cb6

FAILURE_BUCKET_ID: 0x8E_nt!ExFreePoolWithTag+464

BUCKET_ID: 0x8E_nt!ExFreePoolWithTag+464

Followup: MachineOwner
---------
Please give me a reference to study this topic.
 #23835  by EP_X0FF
 Tue Sep 09, 2014 2:12 pm
Can you just copy the unicode string to your preallocated PInfo->S and convert it in usermode?

Obviously it BSODs after your conversion because you didn't even bother to check the NTSTATUS value of RtlUnicodeStringToAnsiString.

Are you familiar with C/C++ at start?
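The bounded copy EP_X0FF is describing, as an added example that is not code from this thread: the DDK types are constructed stand-ins so it builds and runs outside the kernel, and `CopyUnicodeToBuffer`, `WcharEqualsAscii`, `MakeSample` and `g_raw` are names made up here. It copies `Length` bytes (not characters), never relies on a terminator in the source, truncates to the destination size and always NUL-terminates, which is what the `=` assignment in the first post and the unchecked `strcpy` in the later one both skip.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the DDK types so this builds outside the kernel. */
typedef uint16_t WCHAR;            /* UTF-16 code unit, 2 bytes as on Windows */
typedef struct {
    uint16_t Length;               /* bytes in use: not chars, no terminator */
    uint16_t MaximumLength;        /* bytes available in Buffer */
    WCHAR   *Buffer;               /* only Length bytes are valid, may lack NUL */
} UNICODE_STRING;

#define MAXPATHLEN 260             /* size of the thread's WCHAR S[MAXPATHLEN] */

/* Bounded copy of a UNICODE_STRING into a fixed WCHAR array that lives inside
   the record handed to user mode, so no kernel pointer escapes. Returns 0 on
   success, 1 if truncated, -1 if nothing to copy; dst is always terminated. */
int CopyUnicodeToBuffer(const UNICODE_STRING *src, WCHAR *dst, size_t dstChars)
{
    size_t srcChars, n;
    if (dstChars == 0)
        return -1;
    dst[0] = 0;
    if (src == NULL || src->Buffer == NULL || src->Length < sizeof(WCHAR))
        return -1;                 /* CreateInfo->ImageFileName can be absent */
    srcChars = src->Length / sizeof(WCHAR);
    n = srcChars < dstChars - 1 ? srcChars : dstChars - 1;
    memcpy(dst, src->Buffer, n * sizeof(WCHAR));   /* byte count, not chars */
    dst[n] = 0;
    return n < srcChars ? 1 : 0;
}

/* Test helper: compare a WCHAR buffer with an ASCII literal. */
int WcharEqualsAscii(const WCHAR *w, const char *a)
{
    for (; *a; ++a, ++w)
        if (*w != (WCHAR)(unsigned char)*a)
            return 0;
    return *w == 0;
}

/* Constructed sample: not NUL-terminated, junk past Length (legal for the type). */
static WCHAR g_raw[] = { 'n','o','t','e','p','a','d','.','e','x','e','#','#' };
UNICODE_STRING MakeSample(void)
{
    UNICODE_STRING u = { (uint16_t)(11 * sizeof(WCHAR)), (uint16_t)sizeof(g_raw), g_raw };
    return u;
}
```

The copy stays intact when the source buffer changes afterwards, which is exactly what a stored kernel pointer would not guarantee once the callback returns.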
 #23840  by Kamran.Teimoori
 Wed Sep 10, 2014 4:58 am
Thanks all for your help.
EP_X0FF wrote:Can you just copy the unicode string to your preallocated PInfo->S and convert it in usermode?
I can't understand you (maybe because of my English)!
I fill the Pinfo struct in the kernel and pass it to user mode when the user-mode app requests data via an IOCTL, and then use the user-mode version of Pinfo.
EP_X0FF wrote:Are you familiar with C/C++ at start?
Yes, about 60%.

----
Another problem is that this callback doesn't work for all created processes! For example, when I explicitly double-click an exe and run it, the callback works perfectly and returns the FileImageName.
But if I run an exe using the "Run" dialog, the callback can't retrieve the FileImageName of the created process!

I'm trying to send only the PID of the created process to user mode and then GetProcessInformation in user mode instead of kernel mode, but any attempt to use CreateProcess encounters an error: "The handle is invalid".

Any idea?