Create a user-mode process from a driver [duplicate] - c++

Is there a way to create a user-mode process from kernel-mode on Windows NT platform (XP-W7)?
EDIT: I must install only the driver. This is a specific requirement of the project.

To create a valid win32 process the driver must communicate with CSRSS (which is completely undocumented). So I ended up queuing a user-mode APC and allocating virtual memory for the APC code in the context of the existing win32 process (that code will call CreateProcess and do the job).
It is a tricky way but it works.

I don't know an easier way to achieve this. But what about having a Windows service running which makes an overlapped DeviceIoControl call into your driver? On return the service could examine the data it has received from the driver and start the corresponding application.

This can't be done directly - creating a win32 process requires some setup by the user-mode part of CreateProcess, not just creating the process object in kernel mode.
You need some user-mode code here - either a service, a desktop app, or so on - to launch your user-mode application.

Related

(WDK, C++, Windows) Is there a way to run process in kernel driver?

I have a question about making a kernel driver.
I want to run a process using the kernel driver when "notepad.exe" is started.
I tried using "PsSetLoadImageNotifyRoutine" and I successfully get the point at which "notepad.exe" is launched.
But is there a way to run an "osk.exe" process at that point?
I couldn't find the code I need to run it.
I wanted to use "ZwOpenProcess" and "ZwOpenFile",
but there wasn't enough documentation on how to use them.
You cannot start a regular Windows process from kernel mode.
While CreateProcess does call into the kernel to create a process, after doing that it connects the new process to csrss.exe and this is required for many Windows APIs to work correctly.
Create a service that can create processes for your kernel code. Use the WTS API and CreateProcessAsUser to create the new process in the desired session. The driver should use inverted callbacks.
If PsSetLoadImageNotifyRoutine is the only reason you are in the kernel then you can drop the driver and just use WMI in the service to get notifications about new processes...

How to inform the system about creating a new device?

I have a little problem with my virtual disk device in Windows Explorer.
After sending IOCTL_VCRYD_MOUNT_VOLUME to the device driver, I want it to show up in Explorer. My device successfully mounts (if I kill the explorer.exe process in Task Manager and then run it again, I'm able to see my device in the drives list), but I can't see it in Windows Explorer (if I don't perform the operation described above).
I haven't found anything appropriate in kernel mode, so I tried to use SHChangeNotify(SHCNE_DRIVEADD, SHCNF_PATH, mydrivestring, NULL); with mydrivestring in different formats in a user-mode application. But this doesn't help.
So how can I notify Windows Explorer about a new disk drive being added?
You can do this by calling the WinAPI BroadcastSystemMessage function.
But if someone can tell me how to use SHChangeNotify, I'd be grateful.
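An added example (not code from the question or the answer above) of what the BroadcastSystemMessage answer amounts to in practice: Explorer refreshes its drive list when it receives WM_DEVICECHANGE with DBT_DEVICEARRIVAL carrying a DEV_BROADCAST_VOLUME whose unit mask names the new drive letter. The drive letter, device name and the "E:" used as input are assumptions for illustration; the Win32 part is compiled only on Windows, the unit-mask helper is portable.

```c
#include <stdint.h>
#include <ctype.h>
#include <string.h>

/* Translate a drive designator ("E", "E:", "e:\") into the dbcv_unitmask
 * bit DEV_BROADCAST_VOLUME expects (bit 0 = A:, bit 1 = B:, ...).
 * Returns 0 for anything that is not a single drive letter, so a caller
 * cannot be talked into broadcasting garbage. */
uint32_t volume_unit_mask(const char *drive)
{
    size_t n;
    if (drive == NULL) return 0;
    n = strlen(drive);
    if (n < 1 || n > 3) return 0;
    if (!isalpha((unsigned char)drive[0])) return 0;
    if (n >= 2 && drive[1] != ':') return 0;
    if (n == 3 && drive[2] != '\\') return 0;
    return 1u << (toupper((unsigned char)drive[0]) - 'A');
}

#ifdef _WIN32
#include <windows.h>
#include <dbt.h>

/* Tell Explorer (and every other top-level window in this session) that a
 * volume arrived.  Must run in the interactive session: a service in
 * session 0 would broadcast to a desktop nobody is looking at. */
int announce_volume_arrival(const char *drive)
{
    DEV_BROADCAST_VOLUME dbv;
    DWORD recipients = BSM_APPLICATIONS;
    uint32_t mask = volume_unit_mask(drive);
    if (mask == 0) return 0;

    ZeroMemory(&dbv, sizeof dbv);
    dbv.dbcv_size       = sizeof dbv;
    dbv.dbcv_devicetype = DBT_DEVTYP_VOLUME;
    dbv.dbcv_unitmask   = mask;
    dbv.dbcv_flags      = 0;            /* DBTF_MEDIA for removable media */

    /* BSF_NOHANG / BSF_FORCEIFHUNG: one hung window must not stall the mount. */
    return BroadcastSystemMessageW(BSF_FORCEIFHUNG | BSF_NOHANG, &recipients,
                                   WM_DEVICECHANGE, DBT_DEVICEARRIVAL,
                                   (LPARAM)&dbv) > 0;
}

int main(int argc, char **argv)
{
    /* usage: announce E:   (assumed drive letter, not from the page) */
    return (argc == 2 && announce_volume_arrival(argv[1])) ? 0 : 1;
}
#endif
```

Send the matching DBT_DEVICEREMOVECOMPLETE with the same structure when the volume is unmounted, or Explorer keeps showing a drive that no longer exists.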

Can a SYSTEM process share data with a non-SYSTEM process?

I'm trying to use QSharedMemory and QClipboard to share data between a SYSTEM process (running on the WinSta0\Winlogon desktop) and a normal user process, but both fail to share data with other non-SYSTEM processes running on the normal desktop. I believe this is because the WinSta0\Winlogon desktop is an isolated desktop.
My app is a program that takes shots of the Windows Secure Desktop and sends them to the clipboard.
The question is: Is there any way to share memory data between that process and non-SYSTEM processes? (Actually I'm using a file to do the job.)
On Windows Vista and later, system services run in an isolated session ("session 0"). This is the most likely cause of your problem. (Note that all system services run in session 0, regardless of whether they are running in the SYSTEM security context or not. Similarly, it is possible to launch processes as SYSTEM in an arbitrary session.)
Each session has a separate WinSta0 workstation, and hence a separate clipboard. So clipboard functionality is not going to work here.
It is possible for file mapping objects (shared memory) to work across session boundaries. However, I don't know whether it is possible to do this with Qt. The best bet would appear to be to use setNativeKey which presumably determines the name of the file mapping; to make a file mapping cross session boundaries, use a name that begins with Global\ as described in the MSDN article on CreateFileMapping. If possible, consider using the Win32 API directly rather than Qt.
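An added example (not from the answer above, and not Qt's code) of the Global\ file-mapping approach the answer recommends, done with the Win32 API directly. The section name "Global\HwSimShots" and the SDDL string are assumptions for illustration. The point a practitioner should take from it: a SYSTEM service must give the section an explicit DACL that lets the interactive user in (a NULL DACL would let everyone in), and the Global\ prefix is what makes the name visible outside session 0. The Win32 part compiles only on Windows; the name check is portable.

```c
#include <string.h>
#include <stddef.h>

#define CROSS_SESSION_PREFIX "Global\\"

/* A section name reachable from every session must carry the Global\
 * prefix, be non-empty after it, and contain no further backslash
 * (CreateFileMapping rejects one).  Returns 1 if 'name' qualifies. */
int cross_session_name_ok(const char *name)
{
    const char *rest;
    size_t plen = strlen(CROSS_SESSION_PREFIX);
    if (name == NULL || strncmp(name, CROSS_SESSION_PREFIX, plen) != 0) return 0;
    rest = name + plen;
    if (*rest == '\0') return 0;
    if (strchr(rest, '\\') != NULL) return 0;
    return strlen(name) < 260;              /* MAX_PATH */
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#ifdef _MSC_VER
#pragma comment(lib, "advapi32.lib")
#endif

/* Creator side (the SYSTEM service).  Explicit DACL instead of NULL:
 * SYSTEM gets everything, interactive users get read/write only.
 * Creating a Global\ object needs SeCreateGlobalPrivilege, which
 * LocalSystem holds by default. */
HANDLE create_cross_session_section(const char *name, DWORD bytes, void **view)
{
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h;
    if (!cross_session_name_ok(name)) return NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            "D:(A;;GA;;;SY)(A;;GRGW;;;IU)", SDDL_REVISION_1,
            &sa.lpSecurityDescriptor, NULL))
        return NULL;
    h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE,
                           0, bytes, name);          /* pagefile-backed */
    LocalFree(sa.lpSecurityDescriptor);
    if (h == NULL) return NULL;
    *view = MapViewOfFile(h, FILE_MAP_WRITE, 0, 0, bytes);
    if (*view == NULL) { CloseHandle(h); return NULL; }
    return h;
}

/* Consumer side (ordinary user process in the interactive session).
 * Asks only for what the DACL grants; FILE_MAP_ALL_ACCESS would be denied. */
HANDLE open_cross_session_section(const char *name, DWORD bytes, void **view)
{
    HANDLE h;
    if (!cross_session_name_ok(name)) return NULL;
    h = OpenFileMappingA(FILE_MAP_WRITE, FALSE, name);
    if (h == NULL) return NULL;
    *view = MapViewOfFile(h, FILE_MAP_WRITE, 0, 0, bytes);
    if (*view == NULL) { CloseHandle(h); return NULL; }
    return h;
}
#endif
```

Both sides still need a protocol on top of the raw bytes (a length field and a sequence number at least), because the consumer can read while the service is mid-write. If the consumer runs at low integrity rather than medium, the section also needs an explicit mandatory label in the SDDL (an S: part), otherwise the open fails regardless of the DACL.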

Executing a user-mode executable from kernel-mode

I'm building a HW-simulator for our driver team. Now, the simulator is divided into 2 modules:
The first module runs inside the driver, in kernel mode, and that's where the main interface between the driver and the HW-Simulator is.
The second module is a user-mode executable which generates data for the simulator and transports it to the simulator via calls to DeviceIoControl (under the Windows API).
My need is this: I want to be able to execute the user-mode executable from within kernel mode. And I need to be able to do this in a relatively portable way. Currently I'm only running on Windows, but that should change soon.
Furthermore, I need to be able to communicate with the user-mode code via its stdin pipe, in order to reconfigure it and eventually close it.
I found this:
Executing a user-space function from the kernel space
but it's only relevant for the Linux kernel. Is there a more portable alternative? Or a Windows alternative?
Can I do this in Windows by simply using the ShellExecute/RunAs API functions?
Note: We are aware of the security risks involved in invoking user-mode code from the kernel-space. But as this is only meant to be used as a test-environment and will not ever reach our release code, then we are not concerned.
There isn't a clean way to do this in the Windows kernel. The user-mode API CreateProcess uses undocumented APIs (NtCreateProcess/NtCreateThread) to create a process.
The recommended thing to do would be to have a "partner service", a user-mode service that communicates with your driver using IOCTL. You can use the inverted call model to have your driver call your service to have it create a process.
Really, there is no documented way to do it without triggering process creation from user-mode.
But there is one undocumented, tricky way if you don't want to create a user-mode application:
To create a valid win32 process the driver must communicate with CSRSS (which is undocumented).
You can enqueue a user-mode APC and allocate some virtual memory for the APC code in the context of any existing process. This code should simply call CreateProcess and anything else you want.
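An added example (not code from any of the answers on this page) of the user-mode half of the "inverted call" model that the answers above recommend: the service pends an overlapped IOCTL on the driver, the driver keeps the IRP until it wants a program started and completes it with a launch request, and the service launches the program in the user's session with WTSQueryUserToken plus CreateProcessAsUser. The device name \\.\HwSim, the IOCTL code, the LAUNCH_REQUEST layout and the allow-listed paths are assumptions for illustration. The security point is that the buffer coming back from the driver is treated as untrusted input: bounds, termination and an allow-list are checked before anything is launched as the interactive user. The Win32 part compiles only on Windows; the validation is portable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LAUNCH_MAGIC   0x4C415543u
#define LAUNCH_MAX_CMD 512

typedef struct LAUNCH_REQUEST {       /* assumed driver->service message */
    uint32_t magic;                   /* must equal LAUNCH_MAGIC */
    uint32_t session_id;              /* target Terminal Services session */
    uint32_t cmd_len;                 /* bytes used in cmd, including NUL */
    char     cmd[LAUNCH_MAX_CMD];     /* NUL-terminated command line */
} LAUNCH_REQUEST;

/* Programs the service is willing to start; anything else is refused. */
static const char *const k_allowed[] = {
    "C:\\HwSim\\hwsim_feeder.exe",
    "C:\\Windows\\System32\\osk.exe",
};

/* Returns 1 if req, of which 'received' bytes are valid, may be launched. */
int validate_launch_request(const LAUNCH_REQUEST *req, size_t received)
{
    size_t i, exe_len;
    if (received < offsetof(LAUNCH_REQUEST, cmd)) return 0;    /* short read */
    if (req->magic != LAUNCH_MAGIC) return 0;
    if (req->cmd_len == 0 || req->cmd_len > LAUNCH_MAX_CMD) return 0;
    if (received < offsetof(LAUNCH_REQUEST, cmd) + req->cmd_len) return 0;
    if (req->cmd[req->cmd_len - 1] != '\0') return 0;          /* unterminated */
    if (strlen(req->cmd) != req->cmd_len - 1) return 0;        /* embedded NUL */
    if (req->session_id == 0) return 0;   /* session 0 has no user desktop */
    /* Executable = text up to the first space; must match an allow-listed
     * full path exactly (no relative names, no search-path tricks). */
    exe_len = strcspn(req->cmd, " ");
    for (i = 0; i < sizeof k_allowed / sizeof k_allowed[0]; i++)
        if (strlen(k_allowed[i]) == exe_len &&
            strncmp(req->cmd, k_allowed[i], exe_len) == 0)
            return 1;
    return 0;
}

/* Builds a request for 'cmd' and validates it as though 'received' bytes
 * had arrived from the driver (0 = the whole struct).  Used for tests. */
int check_request(uint32_t magic, uint32_t session, const char *cmd, size_t received)
{
    LAUNCH_REQUEST r;
    size_t n = strlen(cmd);
    if (n + 1 > LAUNCH_MAX_CMD) return 0;
    memset(&r, 0, sizeof r);
    r.magic = magic; r.session_id = session; r.cmd_len = (uint32_t)(n + 1);
    memcpy(r.cmd, cmd, n + 1);
    return validate_launch_request(&r, received ? received : sizeof r);
}

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
#include <wtsapi32.h>
#ifdef _MSC_VER
#pragma comment(lib, "wtsapi32.lib")
#endif
#define IOCTL_HWSIM_WAIT_LAUNCH \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)

/* One round: pend the IOCTL, block until the driver completes it, validate,
 * launch in the user's session.  Runs as LocalSystem because
 * WTSQueryUserToken requires SeTcbPrivilege. */
static BOOL wait_and_launch(HANDLE dev)
{
    LAUNCH_REQUEST req;
    OVERLAPPED ov = {0};
    DWORD got = 0;
    HANDLE tok;
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    BOOL ok;

    ov.hEvent = CreateEventW(NULL, TRUE, FALSE, NULL);
    if (ov.hEvent == NULL) return FALSE;
    if (!DeviceIoControl(dev, IOCTL_HWSIM_WAIT_LAUNCH, NULL, 0, &req, sizeof req,
                         &got, &ov) && GetLastError() != ERROR_IO_PENDING) {
        CloseHandle(ov.hEvent);
        return FALSE;
    }
    ok = GetOverlappedResult(dev, &ov, &got, TRUE);   /* driver decides when */
    CloseHandle(ov.hEvent);
    if (!ok || !validate_launch_request(&req, got)) return FALSE;

    if (!WTSQueryUserToken(req.session_id, &tok)) return FALSE;
    si.lpDesktop = "winsta0\\default";
    ok = CreateProcessAsUserA(tok, NULL, req.cmd, NULL, NULL, FALSE,
                              CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
    CloseHandle(tok);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    return ok;
}

int main(void)
{
    HANDLE dev = CreateFileW(L"\\\\.\\HwSim", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                             OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);
    if (dev == INVALID_HANDLE_VALUE) return 1;
    while (wait_and_launch(dev)) ;        /* re-arm for the next request */
    CloseHandle(dev);
    return 0;
}
#endif
```

The driver side is the mirror image: mark the IRP pending and park it on a cancel-safe queue, and complete it with a LAUNCH_REQUEST from the PsSetLoadImageNotifyRoutine callback (or wherever the trigger lives). The allow-list matters because whoever can open the device and complete that IOCTL path effectively gets to pick what runs on the user's desktop; a driver that forwards arbitrary strings turns the service into a privilege-escalation helper. For a real deployment also pass the user's environment (CreateEnvironmentBlock) so the launched program sees the right profile.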

Windows API: Detecting when a driver install has finished

I'm writing some software that automatically connects a Bluetooth device using the Windows Bluetooth API. When it connects, Windows automatically starts installing the Bluetooth HID device driver, as expected:
This takes about 10-15 seconds, after which Windows displays the familiar "ready for use" message:
The problem is that BluetoothSetServiceState() returns as soon as the driver install begins, not when the device is actually ready for use. This causes some problems for my code, because it invokes a separate library for device communication as soon as it's "connected". The first few calls fail because the drivers haven't finished installing, and making those connection attempts appears to interfere with the driver installation, because if I try to use the communication library before the driver installation has finished Windows wants to restart before the device can be used.
What I'm looking for is a way to hook that "ready to use" event, when driver installation has actually finished, so I don't make my communication library calls prematurely. Is there some Windows API call I can use to either register a function callback or directly poll the state of driver installation?
I'm writing this in vanilla C/C++, no .NET. Thanks for your help!
You might want to have a look at
this sample code and the RegisterDeviceNotification function. I'm not 100% sure, but it seems to work if you specify the correct GUID for your device class.
Here is what I would do:
1. Download Winspector (or use Spy++)
2. Start up Winspector, and begin watching for window messages
3. Install your driver
4. Watch for WMs indicative of a completed driver installation
I wish I could be more descriptive on #4, but I'm not familiar with the specific window message you need. Have a look here for possible Window Messages to expect.
However, once you determine the correct window message to look for, programmatically have your program wait for (and handle) this WM. CodeProject has an excellent write-up on how to do this in C++. Personally, I'd prefer to do it in Delphi.
If it is a network binding then RNDIS sends a message when it completes installation, as per the RNDIS Driver Implementation guide
and definition of RNDIS
or
You can install or query the device list programmatically through the Devcon utility (source code is available with MSDN) as given in Examples