用户模式访问内核模式驱动程序系统通知

User land access to Kernel land driver system notifications

我最近在 Windows 中发现了一种允许驱动程序响应低内存条件的机制，想知道我的应用程序能否（通过其他机制）响应类似于这些已定义的标准事件对象的事件：

https://msdn.microsoft.com/en-us/library/windows/hardware/ff563847(v=vs.85).aspx

这听起来非常适合我在应用程序中要做的事情，因为我需要检测资源节流条件并做出相应的响应。

但是，这些似乎都位于内核模式，那么用户模式下的应用程序应该如何响应相同的条件？

感谢任何指点 - Laythe

您也可以在用户模式下非常轻松地使用此事件，只需用 ZwOpenEvent 打开它即可。例如：

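/* Wait, from user mode, for the system's low-memory notification.
 * Per the dump further down, \KernelObjects\LowMemoryCondition is a
 * Notification (manual-reset) event whose DACL grants Everyone
 * 0x00120001 = READ_CONTROL | SYNCHRONIZE | EVENT_QUERY_STATE, so no
 * special privilege is needed to open and wait on it.
 * In C source the path separators must be written as "\\". */
HANDLE hEvent;
STATIC_OBJECT_ATTRIBUTES(ke, "\\KernelObjects\\LowMemoryCondition");
/* Check the status: on failure hEvent is left uninitialized and must
 * not be passed to WaitForSingleObject. */
NTSTATUS status = ZwOpenEvent(&hEvent, SYNCHRONIZE | EVENT_QUERY_STATE, &ke);
if (0 <= status)
{
    /* INFINITE blocks until the condition is signalled; pass a timeout
     * (or use WaitForMultipleObjects) if the caller must stay responsive. */
    WaitForSingleObject(hEvent, INFINITE);
    NtClose(hEvent);
}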

STATIC_OBJECT_ATTRIBUTES 是我用于静态初始化 Unicode 字符串的宏。您可以编写自己的实现——以 RTL_CONSTANT_STRING 为参考，或者在运行时初始化 Unicode 字符串。

枚举 \KernelObjects 目录的示例：

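/*
 * Open one Event object named by `name` under the directory given by
 * oa->RootDirectory (already open), print its current state and type,
 * then its DACL via DumpAccess (defined elsewhere, not listed here).
 *
 * Only READ_CONTROL | EVENT_QUERY_STATE is requested, so this can neither
 * signal nor reset the event. Failures are reported with DbgPrint and the
 * function returns so the caller's enumeration can continue.
 */
static void DumpEventObject(OBJECT_ATTRIBUTES *oa, PUNICODE_STRING name)
{
    HANDLE hEvent;
    NTSTATUS s;

    oa->ObjectName = name;

    s = ZwOpenEvent(&hEvent, READ_CONTROL | EVENT_QUERY_STATE, oa);
    if (s < 0)
    {
        DbgPrint("OpenEvent(%wZ)=%x\n", name, s);
        return;
    }

    EVENT_BASIC_INFORMATION ebi;
    ULONG rcb;
    s = ZwQueryEvent(hEvent, EventBasicInformation, &ebi, sizeof(ebi), &rcb);
    if (s < 0)
    {
        DbgPrint("QueryEvent(%wZ)=%x\n", name, s);
    }
    else
    {
        /* cc is declared outside the switch on purpose: szEventType may
         * point into it and is dereferenced after the switch ends. */
        char cc[16];
        PCSTR szEventType;

        switch (ebi.EventType)
        {
        case NotificationEvent:
            szEventType = "Notification   ";
            break;
        case SynchronizationEvent:
            szEventType = "Synchronization";
            break;
        default:
            /* Unknown type: print the raw value, bounded by sizeof cc. */
            snprintf(cc, sizeof cc, "%x", (unsigned)ebi.EventType);
            szEventType = cc;
            break;
        }
        DbgPrint("%x %s %wZ\n", ebi.EventState, szEventType, name);
    }

    DumpAccess(hEvent); /* not listed here */
    NtClose(hEvent);
}

/*
 * Enumerate \KernelObjects from user mode and, for every object whose type
 * is "Event", print its state, type and DACL (see DumpEventObject).
 *
 * Takes no parameters and returns nothing; all output goes to DbgPrint.
 * Opening the directory needs only DIRECTORY_QUERY. In C source the path
 * separator must be written as "\\".
 */
void TestKO()
{
    STATIC_OBJECT_ATTRIBUTES(soa, "\\KernelObjects");

    OBJECT_ATTRIBUTES oa = { sizeof(oa) };

    if (0 > ZwOpenDirectoryObject(&oa.RootDirectory, DIRECTORY_QUERY, &soa))
    {
        return;
    }

    /* Type name compared against each entry; hoisted out of the loop. */
    STATIC_UNICODE_STRING_(Event);

    ULONG Context = 0, rcb;
    /* alloca keeps the buffer suitably aligned for the UNICODE_STRING
     * pointers inside DIRECTORY_BASIC_INFORMATION. */
    PVOID buf = alloca(PAGE_SIZE);
    NTSTATUS status;

    do
    {
        status = ZwQueryDirectoryObject(oa.RootDirectory, buf, PAGE_SIZE,
                                        FALSE, FALSE, &Context, &rcb);
        if (status < 0)
        {
            break;
        }

        /* The returned array is terminated by an entry with empty names
         * (Length == 0), which is what ends this loop. */
        for (DIRECTORY_BASIC_INFORMATION *pdbi = (DIRECTORY_BASIC_INFORMATION *)buf;
             pdbi->ObjectTypeName.Length;
             pdbi++)
        {
            //DbgPrint("%wZ %wZ\n", &pdbi->ObjectTypeName, &pdbi->ObjectName);

            if (RtlEqualUnicodeString(&Event, &pdbi->ObjectTypeName, TRUE))
            {
                DumpEventObject(&oa, &pdbi->ObjectName);
            }
        }
    } while (status == STATUS_MORE_ENTRIES);

    NtClose(oa.RootDirectory);
}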

结果（事件状态、类型和访问权限）：

0 Notification    MemoryErrors
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification    LowNonPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification    SuperfetchScenarioNotify
T FL AcessMsK Sid
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 Synchronization SuperfetchParametersChanged
T FL AcessMsK Sid
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 Notification    PhysicalMemoryChange
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification    HighCommitCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification    HighNonPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification    HighMemoryCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification    SystemErrorPortReady
T FL AcessMsK Sid
0 00 00120001 S-1-2-0 LOCAL
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-1-0 Everyone
0 Notification    MaximumCommitCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification    LowCommitCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification    HighPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification    LowMemoryCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification    LowPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Synchronization PrefetchTracesReady
T FL AcessMsK Sid
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM