Communication between GUI Application and Device Driver

Download demo project - 24.6 Kb

Background

Recently I read a good article in which the author wrote a device driver and a GUI program, and he wanted to notify the GUI App when some event happened in the device driver. In his article, when a new process was created, a callback function in his driver would be called and it would notify the GUI App and display some information about the new process immediately. In the device driver, the author create a named event and opened it in GUI App. Then when an event happened, he handled it like this:

KeSetEvent(Event, 0, FALSE);
KeClearEvent(Event);

At this time, the GUI App was waiting for the event. Between the interval of the two functions, the App must got information of the new process. It works, but I don't think it's a good solution.

Why does the author code like this? Because, if we create an event in kernel mode, we can't modify its state in user mode, we only can check its state. But normally, we want the GUI App to modify the event to to non signaled, and it can wait the event again. I think this is the eligible IPC model to deal with this question.

About my solution

Kernel mode has higher priority than user mode. In kernel mode we can modify data in user mode conveniently. So I create an event object in user mode, and refer it in kernel mode. Now both device driver and GUI App can check and modify the state of the event object.

How to integrate it into your application

In your App, you must open the device object firstly, then code like this:

Create an event object and down it into driver.

HANDLE m_hCommEvent = CreateEvent(NULL, false, false, NULL);
//download event object to device driver, m_hCommDevice is the device object
DeviceIoControl(m_hCommDevice,
                IO_REFERENCE_EVENT,
                (LPVOID) m_hCommEvent, 
                 0,
                 NULL,
                 0,
                 &dwReturn,
                 NULL);

Wait the event object to be signaled.

while(true)
{
	WaitForSingleObject(m_hCommEvent, INFINITE);
	//After this function, the event is set to non signaled. 
	//Get information and deal with it.
}

In the device driver the code like this:

In the IRP_MJ_DEVICE_CONTROL major routine:

case IO_REFERENCE_EVENT:
hEvent = (HANDLE) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;
status = ObReferenceObjectByHandle(
              hEvent,
              GENERIC_ALL,
              NULL,
              KernelMode,
              &gpEventObject,
              &objHandleInfo);

the gpEventObject is a PRKEVENT object, so we can use KeEventXXX and KeWaitForXXX to operate it.

When the object event happened
```
KeSetEvent(gpEventObject, 0, FALSE);
```

When we don't need it, we should dereference it:

case IO_DEREFERENCE_EVENT:
	if(gpEventObject)
              ObDereferenceObject(gpEventObject);

I have tested my solution in a personal firewall product. It works well. When my IP Filter Driver got an IP packet, it checks the IP header as my security rules. If the packet will be intercepted, it reports to my GUI App.

The sample download include two projects: a GUI app and a device driver. The GUI App is a dialog based MFC application. It has a log window which can register the operations on event object. The device driver is only a very simple kernel mode device driver. It can operate the event object as the GUI App requries. I you want to run this demo, you must install and start the driver firstly.

Because there are so many tools can install and start device deriver, so I don't include the code to do this work.

If you have any problems and advices, Please notify me.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

lizhiwei

United States

Member

Article Top

Poor

Excellent

Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

You must Sign In to use this message board. (secure sign-in)

Search this forum
	Profile popups Noise Layout Per page

My vote of 5

CHRISTINE GREEN

3:26 29 Mar '12

practical
Sign In·View Thread·Permalink

Personnal Firewall

tigzy

19:56 3 Jul '11

Hello Is it possible to have some snippets of your firewall code? I think a real example would be much complete than only a notification example... For example, how can you pause the analysis of a paquet while the user hasn't approved or rejected the paquet (with userland app)? Thanks
Sign In·View Thread·Permalink

Communication between Driver an Application

dereck78_zg

5:01 10 Dec '08

Hi First of all, sorry for my english. I don't know how I can to communicate with my apllication when an event happen in the driver. For example, I want to display something in a C# application when the driver detect an interrupt. Thank you so much And sorry again
Sign In·View Thread·Permalink	1.50/5 (2 votes)

how to install driver

romon

1:27 13 May '07

hi, if i know how to install this driver, it will be very helpful for me thanks
Sign In·View Thread·Permalink	3.00/5 (4 votes)

Re: how to install driver

Maruf Maniruzzaman

2:26 9 Jul '07

Let us assume the driver file name is SampleDriver.sys and we are running 32 bit windows. Copy the sys file to [System32\drivers] folder. Create a file named setup.reg with content, run it and restart the system.



REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleDriver]

"ErrorControl"=dword:00000001

#

# When to start the driver:

#   At boot:  Start=1

#   Manually: Start=3

#

"Start"=dword:00000001

"Type"=dword:00000001

Maruf Maniruzzaman
Dhaka, Bangladesh.
Blog you should not miss
Home Page

Tomorrow is a blank page

how to build

dhirendra_1980

18:35 3 Nov '05

Hi lizhiwei, The article you provide is really good. But i could not find any help reagarding HOW TO BUILD IT? Similar queries were there but no answer . I could build it only through DDK build enviornment. It would be great help if you can explain little how to build it thru VC++ IDE. Regards.. Dhirendra. Dhirendra Pratap Singh
Sign In·View Thread·Permalink	2.00/5 (4 votes)

UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

ekzot

4:53 6 Sep '05

Hi,
I have serious problem. I'm currently developing application which will protect registry, files, etc. I'm hooking native NT functions in my driver (via KeServiceDescriptorTable).

My user application (server app.) reads some informations (PID, exePath,...) about calling process from driver via DeviceIoControl function (after event from driver [KeSetEvent]).

Now where's the problem. When I start 5 test applications (one application has 5 threads) and each thread is reading registry via our hooked function, when we want to close our "server" and driver, blue-screen appeared with
UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS.
I have IoCsqxxx routines implemented in my driver (from DDK example).

Does anybody know something about this problem? Any articles or suggestions?
Thanks in advance.

Marun

Using DeviceIoControl

Anonymous

13:26 13 Jul '05

Hello,

I have a problem with using DeviceIoControl. It always fails and the error I get is "ERROR_INVALID_FUNCTION".

I am using DeviceIoControl to establish a connection to my keyboard filter driver (modifed from "kbfiltr" in the DDK). I have fully checked to make sure the parameters that I pass to DeviceIoControl are infact correct?

Does anyone have any idea what I am doing wrong?

Thanks,
Bob

Re: Using DeviceIoControl

euacela

5:24 25 Aug '05

Hello there. I am having the exact same problem. I get an error each time I call deviceiocontrol. Does anyone have any ideea why. have succeded in doing anything ? gabby
Sign In·View Thread·Permalink

Driver installation

cbt38

1:13 2 Mar '05

How do I have to procced to install the driver ? Do I Need to create a .inf file ? Claire
Sign In·View Thread·Permalink	2.33/5 (3 votes)

How about using WMI?

sohailkadiwala

19:30 19 Oct '04

Hi, You did a good job on this article. I think we could even use WMI for event notification. WMI is an important feature as far as WDM drivers are concerned. What do u think about this? Cheers! ------------------------- Have a great day ahead! Regards, Sohail Kadiwala (My COM Blog - http://lovecom.blogspot.com)
Sign In·View Thread·Permalink

user mode to control device driver

Horsy

11:19 20 Sep '04

I am trying to create a user mode application to talk to the devices from other vender.

What is the easiest way to find out the GUID interface for a PnP device? I tried the regedt32 but couldn't find it.

Also, I connect several of this outside vender's devices to several virtual COM port (COM3, COM5, COM7, etc). How do I talk to those devices separately (mainly stop the device so I can safely unplug it)?

Thank you for your advice.

Is there .inf for the driver?

Gordon Smith

0:43 27 Aug '04

When I run the .exe and try to open the device event it asks me to install the device driver. Is there a .inf for it or do I just need to copy the device driver to the appropriate Windows directory? Cheers.
Sign In·View Thread·Permalink	1.50/5 (2 votes)

Help Required

Kamran Shakir

20:41 23 Aug '04

I am using two USB video cameras of the same manufacturer and having same driver. But i want to detect them seperately that camera1 is found at that Port1 and Camera2 is found at Port2. I want to ask from you that is there any way at Driver Information level that we can detect these cameras seperately or is their any structure provided by Microsoft which gives us information about the device attached to a USB ports..? problem we are facing that the window didnt generate two diferent driver Index for two cameras. Please suggest me what should I do.

Muhammad Talha

If u don't answers question don't start articles Chris must be aware to on this

alexwinx

0:51 14 Jun '04

How to communicate revers, from Driver (for exmpl interrupt in ISR and u wanna send some message to Application) to App
Sign In·View Thread·Permalink	1.00/5 (2 votes)

Re: If u don't answers question don't start articles Chris must be aware to on this

tomithecat

22:00 13 Dec '04

have a look at my article at http://www.codeproject.com/system/KernelToUserMode.asp[^] It might be of interest to you. Regards, Tamas
Sign In·View Thread·Permalink

Can anybody help me

firstxx

1:11 30 Apr '04

I'm writing personal firewall and I need to receive some data from driver .
I know how to send data to driver, but I dont now how to read data from driver.
Can you show me how to do this.
For example how to send string-"hello" from driver to GUI application.

If You know how to do this please email me firstx@o2.pl (source code or some projects will be very usefull)

Thanks.
(sorry for my english Smile | :)

)

Comm. between usermode Application and Device Driver

SETI51

7:36 27 Mar '04

Hi!

I'm working on a virtual soundcard, based on the "MSVAD" example contained in the Windows DDK. Microphone and speaker will be emulated by software. Realtime problems should be handled with an appropiate buffer. In general this is a minor problem for my project.

The question is, how to exchange stream data every 10 milliseconds between driver and user-mode application. I tried to use IRP-messages for I/O like it is done in multiple simple examples. Unfortunately it was either possible to initialize the sound or (XOR!) the access from an application. Having sound and access at the same time was not possible.

The application tries to connect to the driver with "CreateFile", but the resulting handle is invalid. I haven't found a way to tell the driver, how to open the device properly.

The second approach was a second device (with GUID) created in the driver. This device has the same structure as the I/O-Example. After some codechanges the driver started, but the "CreateFile" always called the sounddevice, resulting in a broken handle. D'Oh! | :doh:

dynamic loading of dlls in kernel mode

Anonymous

22:19 1 Dec '03

Is there any way to dynamically load a kernel-mode DLL? Some kernel-mode routines similiar to LoadLibrary? Or should i just use kernel32.dll's LoadLibrary in kernel-mode? Or should kernel-mode DLLs be linked only statically ? Thank you, phoCus.
Sign In·View Thread·Permalink	1.00/5 (2 votes)

Re: dynamic loading of dlls in kernel mode

Ketil Jensen

21:28 23 May '05

You can use LdrLoadDll from ntdll.dll ( i think )

the functions prototype is:

NTSYSAPI
NTSTATUS
NTAPI
LdrLoadDll(
IN PWCHAR PathToFile OPTIONAL,
IN ULONG Flags OPTIONAL,
IN PUNICODE_STRING ModuleFileName,
OUT PHANDLE ModuleHandle );

By the way ... You can't user kernel32.dll or any other usermode dll's in ring0.

If you have any more questions about this topic, just drop me a mail.

If there is any interest for it, i can write a paper on function-hooking and hooking of the kernels service table in kernel-mode.

As i said, just drop me a mail.

Ketil Jensen
minpost2@start.no

I create Event in driver

xenic

20:44 9 Nov '03

when i develop a personal firewall ,i create the named event in the driver. and when i want to set the event to non-signal ,i use API DeviceIoControl to call the driver to do the thing that Reset the event. i think this method is more secure. I am a willing boy..
Sign In·View Thread·Permalink	2.00/5 (1 vote)

Isn't it really slow?

tomithecat

3:30 19 Aug '03

Hi,

I'm doing the same thing in my driver, except that I call KeSetEvent() from an ISR routine. Here is the client side:

while(!bExit)
{
IRQCnt++;

tmp = WaitForMultipleObjects(2, hEvents, FALSE, INFINITE);

switch(tmp)
{
case WAIT_OBJECT_0:
bExit = TRUE;
break;

case WAIT_OBJECT_0 + 1:
ReadPortByte(BaseAddress, &Data);
ResetEvent(hEvents[1]);
IRQCnt++;
break;
}
}

And here is the ISR:

if (KeReadStateEvent(deviceExtension->UserNotificationEvent))
{
KdPrint(("Byte lost.\n"));
InterlockedIncrement(&deviceExtension->LostBytes);
}
else
{
KeSetEvent(deviceExtension->UserNotificationEvent, 0, FALSE);
}

My problem is that even at very slow IRQ freq. (2Hz!) I get this "Byte lost" message, which means that the client had no time to call ResetEvent() and another IRQ has already came in. The strange thing is that if I fire IRQs at highter freqs. tghe number of lost bytes doesn't increase proportionally (it doesn't increase at all).

Any ideas? I heard that this is the standard way of notifying user-mode apps, but I just can't believe that it's this slow.

Thanks.
Tamas

Re: Isn't it really slow?

DavidR_r

9:04 7 Jul '04

I think your problem is that interrupt is not caused by eadge ,and you do not release the reason for the ISR. What I mean is that when you get a new byte a flag is set and each time while the flag is set you get new ISR about the same byte. the solution is to relase the flag in the client. DavidR
Sign In·View Thread·Permalink

Re: Isn't it really slow?

tomithecat

9:33 7 Jul '04

Thank you David!

Long time passed since I asked this question. Since then I figured out many things about kernel-mode drivers. I wrote 2 drivers (PCI, parallel port) and completely left out this kind of user notification technique. I think it's a bad solution most of the time, because it always takes considerable amount of time to switch between user mode and kernel mode. The proper way of doing it is to handle the IRQ within the driver and have the user call ReadFile() to get data from the driver. Both of my drivers were used in time critical scenarios and it could handle 20kHz IRQ rate fine, without burning much CPU resources.

Anyway, thanks for the help!
Tamas

Re: Isn't it really slow?

Anonymous

11:37 5 Nov '04

I'm sending this to Richard Marcel, for some reason his eamil address was rejected by my smtp server:

Once you can handle the IRQ, the rest is a piece of cake. Smile | :)

Ok, so, here is how I do it:

In user mode:
1. Open the driver with CreateFile() - (Remember that you have to call IoCreateSymbolicLink() in your driver somewhere (most probably in the DriverEntry routine) to be able to access the driver this way. Also, you must pass in the OPEN_EXISTING and the FILE_FLAG_OVERLAPPED flags)
2. Call ReadFile() asynchronously and pass it a buffer. (ie. use an OVERLAPPED structure)
3. Call WaitForSingleObject() or use GetQueuedCompletionStatus()
4. You have the data in the buffer!

In kernel mode:
1. Have a dispatch Read function in your driver (DriverObject->MajorFunction[IRP_MJ_READ] = )
2. Create a queue by the InitializeListHead() function in your DriverEntry routine.
3. Init the CS queue (Cancel-safe queue) with IoCsqInitialize() in your DriverEntry routine. (the DDK help has a complete sample)
4. In your dispatch Read function, queue the IRP into a CSQ.
a. Call IoCsqInsertIrp() to queue the IRP.
b. return STATUS_PENDING from your dispatch routine.

At this stage the ReadFile() function returns with STATUS_PENDING in the user mode code and step 3. starts.

5. When an IRQ arrives, queue your DPC routine with KeInsertQueueDpc()
6. In your DPC routine:
a. Call IoCsqRemoveNextIrp() to get the IRP you queued in the Read dispatch routine.
b. Get access to the user buffer by something like this:
PUCHAR p = (PUCHAR)MmGetSystemAddressForMdl(Irp->MdlAddress);
c. Fill the buffer with any data you like.
7. Call KeFlushIoBuffers(Irp->MdlAddress, TRUE, FALSE);
8. Call IoCompleteRequest(Irp, ...) to complete the IRP.

When 8. completes, step 3 in the user code returns and you have the data in your buffer!

Of course, you may skip 7 and 8 and fill the buffer step by step in more than one IRQ and call them when the buffer is full.

So, it's as simple as that! I hope it helps. Drop me a mail if you have any more questions.

Regards,
Tamas Karoly