
User / Kernel Communication Model


fausto

Presentation Transcript


  1. User / Kernel Communication Model © 2004 Microsoft Corporation. All rights reserved.

  2. Advantages
     • Bi-directional messaging facility
     • Minifilter defines the security on the channel
     • Fast User-to-Kernel messaging, no buffering
     • Efficient Kernel-to-User messaging with the capability for user mode to reply back to the filter.
     • Can associate I/O completion ports for Kernel-to-User communication

  3. Communication Ports
     • Filter creates a named communication port
     • Filter implicitly begins to listen for incoming connections on the port
     • Connection will be denied if user doesn’t have sufficient access as specified by security descriptor on listener port
     • Each connection to the listener port gets its own message queue and private endpoints

  4. Communication Ports (cont’d)
     • Closing either endpoint (kernel/user) terminates that connection
     • Closing listener port handle prevents future connections
       • Existing connections will not be terminated
     • Unload safe
       • When minifilter unloads, Filter manager forcibly terminates existing connections

  5. Creating Communication Port
     • Minifilter creates a named port with:
       • FltCreateCommunicationPort(
             IN PFLT_FILTER Filter,
             OUT PFLT_PORT *ServerPort,
             IN POBJECT_ATTRIBUTES ObjectAttributes,
             IN PVOID ServerPortCookie OPTIONAL,
             IN PFLT_CONNECT_NOTIFY ConnectNotifyCallback,
             IN PFLT_DISCONNECT_NOTIFY DisconnectNotifyCallback,
             IN PFLT_MESSAGE_NOTIFY MessageNotifyCallback,
             IN ULONG MaxConnections);
     • Minifilter closes named port with:
       • FltCloseCommunicationPort()

  6. Establishing a Connection from User-Mode
     • Application connects to named port with:
       • FilterConnectCommunicationPort(
             IN LPCWSTR lpPortName,
             IN DWORD dwOptions,
             IN LPVOID lpContext OPTIONAL,
             IN WORD wSizeOfContext,
             IN LPSECURITY_ATTRIBUTES lpSecurityAttributes OPTIONAL,
             OUT HANDLE *hPort);
     • Application disconnects from named port with:
       • CloseHandle()

  7. Establishing a Connection (cont’d)
     • User connect triggers ConnectNotify() callback in minifilter
       • Receives a handle to the new connection just created
     • On return, user-mode receives a separate handle representing its endpoint to the connection
     • User-mode handle is a file handle
       • Can be used to associate I/O completion ports

  8. User-to-Kernel Messaging
     • FilterSendMessage()
       • Sends synchronous message from user to kernel
       • Minifilter receives message via MessageNotify() callback
       • Buffers are raw user buffers
         • Must use try-except(), probe/capture, etc., to safely access buffers

  9. Kernel-to-User Messaging
     • FltSendMessage()
       • Sends message to waiting user-mode receiver
       • Can block if no user-mode receivers are available
       • Timeout may be specified, use with care
     • FilterGetMessage()
       • Called by user mode application to receive a message from the minifilter
       • Recommend that you use overlapped structure to issue multiple asynchronous gets
     • FilterReplyMessage()
       • Applications reply to a specific message
       • Requires agreed upon message protocol between application and minifilter

  10. Terminating a Connection
     • User-mode close of handle triggers DisconnectNotify() in minifilter
     • Filter then calls FltCloseClientPort() to finish closing the connection
     • Minifilter unload also triggers DisconnectNotify()

  11. Sample
     • Look at Scanner minifilter sample
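
Slide 8 says MessageNotify() receives raw user buffers that must be captured before use, and slide 9 that application and minifilter need an agreed message protocol. The following added example (not from the presentation or the Scanner sample) is a portable C model of that capture-then-validate step; the message layout, MSG_MAX_PAYLOAD and capture_message() are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MSG_MAX_PAYLOAD 256u   /* assumed protocol limit */

/* Hypothetical message layout agreed between application and minifilter. */
typedef struct {
    uint32_t command;
    uint32_t payload_len;      /* bytes that follow the header */
} msg_header;

typedef struct {
    msg_header hdr;
    uint8_t    payload[MSG_MAX_PAYLOAD];
} captured_msg;

enum { MSG_OK = 0, MSG_TOO_SHORT = -1, MSG_BAD_LENGTH = -2 };

/* Models the capture step of MessageNotify(): user_buf stands in for the raw
   InputBuffer, user_len for InputBufferLength. In a driver both copies would
   run inside try/except because the user mapping can change at any time. */
int capture_message(const void *user_buf, uint32_t user_len, captured_msg *out)
{
    const uint8_t *src = (const uint8_t *)user_buf;
    if (src == NULL || user_len < sizeof(msg_header))
        return MSG_TOO_SHORT;

    /* Single fetch: copy the header to driver-owned memory before checking it,
       so a concurrent writer cannot change payload_len after validation. */
    memcpy(&out->hdr, src, sizeof(msg_header));

    /* Validate the captured copy only; never re-read the header from src. */
    if (out->hdr.payload_len > MSG_MAX_PAYLOAD ||
        out->hdr.payload_len > user_len - sizeof(msg_header))
        return MSG_BAD_LENGTH;

    memcpy(out->payload, src + sizeof(msg_header), out->hdr.payload_len);
    return MSG_OK;
}

int main(void)
{
    /* Constructed sample: header claims 4096 payload bytes, only 4 follow. */
    uint8_t raw[sizeof(msg_header) + 4] = {0};
    msg_header h = { 1u, 4096u };
    captured_msg m;
    memcpy(raw, &h, sizeof h);
    return capture_message(raw, (uint32_t)sizeof raw, &m) == MSG_BAD_LENGTH ? 0 : 1;
}
```

After a successful capture the callback works only on the captured_msg copy, so later changes to the user buffer cannot affect what was validated.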
