A forum for reverse engineering, OS internals and malware analysis 

A strange question about KEVENT and RegistryCallback

Forum for discussion about kernel-mode development.

A strange question about KEVENT and RegistryCallback

 #24603  by myid
 Sun Dec 14, 2014 8:48 am
Hi, everyone. I do a test: "pause" all registry operations, then "resume".
OS: WIN8X64/WIN8.1X64

I define a global variable:
Code: Select all
KEVENT gTestNotifyEvent
I initialize it in DriverEntry:
Code: Select all
KeInitializeEvent(&gTestNotifyEvent,NotificationEvent,TRUE);
I use this code in RegistryCallback:
Code: Select all
KeWaitForSingleObject(&gTestNotifyEvent,Executive,KernelMode,0,0);
Then, I call this code in driver dispatch routine:
Code: Select all
KeClearEvent(&gTestNotifyEvent);
Before next step, all things are OK.
IF I CALL THIS CODE IN driver dispatch routine:
Code: Select all
KeSetEvent(&gTestNotifyEvent, IO_NO_INCREMENT, FALSE);
The system "freeze" immediately. NO BSOD, not response for any operations.

IF I use the same code in CreateProcessNotify/CreateThreadNotify/LoadImageNotify, that is all OK. No exception occurs.

Re: A strange question about KEVENT and RegistryCallback

 #24605  by Vrtule
 Sun Dec 14, 2014 12:42 pm
Hello,

do you have a proof that the execution reached the KeSetEvent code in your dispatch routine? How did you call the dispatch routine, via DeviceIoControl?

My experience is that by doing this sort of things you may easily cause a deadlock or system freeze since it is not clear which API routines might perform registry operations as a sideeffect.

Can you post output of the following command WinDbg command?
Code: Select all
!process 0 0x1f
(maybe, put the output to a ZIP/RAR file since it might be very long)

Best regards
Vrtule

Re: A strange question about KEVENT and RegistryCallback

 #24608  by myid
 Sun Dec 14, 2014 5:42 pm
Vrtule wrote:Hello,

do you have a proof that the execution reached the KeSetEvent code in your dispatch routine? How did you call the dispatch routine, via DeviceIoControl?

My experience is that by doing this sort of things you may easily cause a deadlock or system freeze since it is not clear which API routines might perform registry operations as a sideeffect.

Can you post output of the following command WinDbg command?
Code: Select all
!process 0 0x1f
(maybe, put the output to a ZIP/RAR file since it might be very long)

Best regards
Vrtule
Thanks for your reply.
1.YES. Call KeXxxEvent via DeviceIoControl.
2.Output:
Code: Select all
lkd> !process 0 0x1f
**** NT ACTIVE PROCESS DUMP ****
GetPointerFromAddress: unable to read from 0000000000000000
Error in reading nt!_EPROCESS at 0000000000000000

Re: A strange question about KEVENT and RegistryCallback

 #24610  by Vrtule
 Sun Dec 14, 2014 11:34 pm
How is your WinDbg connected to the kernel with your driver? WinDbg seems unable to list the running (or recently exitted) processes.

My plan is to see stacks of all running threads which may show the problem. At least, a stack of the thread that is attempting to call the KeSetEvent function in your code should be interesting.

Re: A strange question about KEVENT and RegistryCallback

 #24631  by myid
 Tue Dec 16, 2014 4:02 pm
Vrtule wrote:How is your WinDbg connected to the kernel with your driver? WinDbg seems unable to list the running (or recently exitted) processes.

My plan is to see stacks of all running threads which may show the problem. At least, a stack of the thread that is attempting to call the KeSetEvent function in your code should be interesting.
Thank you. This problem has been solved.
 Return to “Kernel-Mode Development”