Reputation: 91
Two-way interaction between user-mode app and kernel-mode driver?
I'm about to write the following interaction:
When there is a process about to start, driver will notify user app and then it will wait for response from the app.
The app will decide whether or not to allow that process to be created normally or terminated immediately, and send its decision back to the driver.
Base on the decision from user app. The driver will then allow or block the process execution.
My question is: What is recommended way to notify user-mode app from driver and then make the driver wait for the response?
Upvotes: 8
Views: 2593
Answers (1)
Reputation: 1707
For event notification, you can use a notification event. I.e. the kernel calls IoCreateNotificationEvent and KeSetEvent. The user calls KeWaitForSingleObject. For user-kernel message communication, you can use IOCTL.
Alternatively, you can just use a named pipe for both purpose.
P.S. You can't use PsSetCreateProcessNotifyRoutine() for your purpose because it's only for auditing, but not for prevention/cancellation.
Upvotes: 6
Related Questions
- Is it possible to call functions from a kernel mode driver in a user mode application on Windows?
- Communication between kernel-mode and user-mode application
- Two-way communication between kernel-mode driver and user-mode application?
- Driver to User-Mode Communication
- Kernel-Mode to User-Mode communication
- Intercepting process execution in a NT driver
- How to send and receive data from a kernel mode driver to a binary in user mode
- Create a process from a driver
- Windows drivers - communicate with user process
- User-mode and kernel driver communication