CodeGuru content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Environment: Visual C++ 6, NT4 SP3/2K/XP
Background
Recently I read a good article, in which the author wrote a device driver and a GUI program, and he want to notify the GUI App when some event happened in device driver. In his article, when a new process was created, a callback function in his driver would be called, it would notify the GUI App and display some information about the new process immediately. In device driver, the author create a named event and opened it in GUI App, when an event happened, his codes like this:
KeSetEvent(Event, 0, FALSE); KeClearEvent(Event);
At this time, the GUI App was waiting for the event. Between the interval of the two functions, the App must got information of the new process. It works, but I don’t think it’s a good solution.
Why does the author code like this? Because, if we create an event in kernel mode, we can’t modify its state in user mode, we only can check its state. But normally, we want the GUI App modify the event to non signaled, and it can wait the event again. I think this is the eligible IPC model to deal with this question.
About my solution
Kernel mode has higher priority than user mode. In kernel mode we can modify data in user mode conveniently. So I create an event object in user mode, and refer it in kernel mode. Now both device driver and GUI App can check and modify the state of the event object.
How to integrate it into your application
In your App, you must open the device object firstly, then code like this:
1 – Create an event object and down it into driver.
HANDLE m_hCommEvent = CreateEvent(NULL,
false,
false,
NULL);
// download event object to device driver,
// m_hCommDevice is the device object
DeviceIoControl(m_hCommDevice,
IO_REFERENCE_EVENT,
(LPVOID) m_hCommEvent,
0,
NULL,
0,
dwReturn,
NULL);
2 – Wait the event object to be signaled.
while(true)
{
WaitForSingleObject(m_hCommEvent, INFINITE);
// After this function, the event is set to
// non signaled. Get information and deal with it.
}
In device driver, codes like this:
1 – In IRP_MJ_DEVICE_CONTROL major routine:
case IO_REFERENCE_EVENT:
hEvent = (HANDLE) irpStack->
Parameters.DeviceIoControl.Type3InputBuffer;
status = ObReferenceObjectByHandle(hEvent,
GENERIC_ALL,
NULL,
KernelMode,
&gpEventObject,
&objHandleInfo);
the gpEventObject is a PRKEVENT object, so we can use KeEventXXX and KeWaitForXXX to operate it.
2 – When the object event happened
KeSetEvent(gpEventObject, 0, FALSE);
3 – When we don’t need it, we should dereference it:
case IO_DEREFERENCE_EVENT:
if(gpEventObject)
ObDereferenceObject(gpEventObject);
I have tested my solution in a personal firewall product. It works well. When my IP Filter Driver got an IP packet, it check the IP header as my security rules. If the packet will be intercepted, report to my GUI App.
The sample project file includes two projects: GUI app and device driver. The GUI App is a dialog based MFC application. It has a log window which can register the operations on event object. The device driver is only a very simple kernel mode device driver. It can operate the event object as GUI App asked. I you want to run this demo, you must install and start the driver firstly. Because there are so many tools can install and start device deriver, so I don’t include code to do these works.
If you have any problems and advices, Please notify me. It’s welcome.
