Error while sharing named event between user mode and kernel mode

I read an article http://www.osronline.com/article.cfm?id=108 and
tried doing “Sharing Events by Name” in which it is creating event with name specified
e.g CreateEvent(NULL, TRUE, FALSE, L"SharedEvent"); in user space and in
Kernel space using IoCreateNotificationEvent(&EventName, &SharedEventname);
getting PKEVENT pointer to kernel event and calling KeSetEvent() for this pointer,
but code link provided with above article is giving me error 0x00000102 i.e The given timed out interval expired.

Can anyone help me with this?

Help you with WHAT, exactly.

The link to the 13+ year old example (with a VC 6 project for the app and sources/dirs. for the driver) does work (surprisingly).

What is it, specifically, that you’re having trouble getting working?

Peter
OSR
@OSRDrivers

I too did a recent project that shares a named event between KM and UM.
Works well. Explain your errors, and I will try to help.

On Mon, May 2, 2016 at 10:14 AM wrote:

>

>
> Help you with WHAT, exactly.
>
> The link to the 13+ year old example (with a VC 6 project for the app and
> sources/dirs. for the driver) does work (surprisingly).
>
> What is it, specifically, that you’re having trouble getting working?
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

xxxxx@yahoo.com wrote:

I read an article http://www.osronline.com/article.cfm?id=108 and
tried doing “Sharing Events by Name” in which it is creating event with name specified
e.g CreateEvent(NULL, TRUE, FALSE, L"SharedEvent"); in user space and in
Kernel space using IoCreateNotificationEvent(&EventName, &SharedEventname);
getting PKEVENT pointer to kernel event and calling KeSetEvent() for this pointer,
but code link provided with above article is giving me error 0x00000102 i.e The given timed out interval expired.

I assume you cut-and-pasted this code into your own driver. It’s
impossible for me to imagine that you actually found a Visual Studio 98
installation and a Windows XP DDK to build this in its original form, so
you must have adapted it.

Why don’t you show us your actual code? My guess is you made a
transcription error.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The issue with named events is where they reside in the object namespace.
When the kernel driver loads, if it loads early, there is no
BaseNamedObjects. So, in my code, I simply passed a handle to the driver
from user-mode for delayed initialization via an IOCTL, and then do the
normal ObReferenceObjectByHandle on the passed in handle. Then the
KeSetEvent(), and other event APIs work as expected. If you would share
more code, maybe I can be of more help. Though I
suspect IoCreateNotificationEvent will work, but in my case, I passed the
handle down. Sort of defeats the idea of naming the event, so technically,
it could be a nameless event in my case.

What is EventName set to in your driver?

On Mon, May 2, 2016 at 1:28 PM Tim Roberts wrote:

> xxxxx@yahoo.com wrote:
> > I read an article http://www.osronline.com/article.cfm?id=108 and
> > tried doing “Sharing Events by Name” in which it is creating event with
> name specified
> > e.g CreateEvent(NULL, TRUE, FALSE, L"SharedEvent"); in user space and in
> > Kernel space using IoCreateNotificationEvent(&EventName,
> &SharedEventname);
> > getting PKEVENT pointer to kernel event and calling KeSetEvent() for
> this pointer,
> > but code link provided with above article is giving me error 0x00000102
> i.e The given timed out interval expired.
>
> I assume you cut-and-pasted this code into your own driver. It’s
> impossible for me to imagine that you actually found a Visual Studio 98
> installation and a Windows XP DDK to build this in its original form, so
> you must have adapted it.
>
> Why don’t you show us your actual code? My guess is you made a
> transcription error.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

I just tried it with a FS minifilter driver out of curiosity.
Here’s an outline of the steps I followed:

User module:

1. hEvent = CreateEvent(L"SharedEvent")
2. FilterSendMessage(DUMMY_IOCTL)
3. WaitForSingleObject(hEvent)

Kernel module: (DUMMY_IOCTL handler)

1. pEvent = IoCreateNotificationEvent(L"\BaseNamedObjects\SharedEvent");
2. ObReferenceObject(pEvent);

And then
KeSetEvent(pEvent, 0, FALSE);
from a different thread.

But the WaitForSingleObject() call never returns.

The FS filter driver is started manually so we can be sure that BaseNamedObjects is created.
I feel this has to be in the context of the same process… only then it’ll work.

“\\BaseNamedObjects\SharedEvent” maybe?

On Tue, May 3, 2016 at 4:15 PM wrote:

> I just tried it with a FS minifilter driver out of curiosity.
> Here’s an outline of the steps I followed:
>
> User module:
> 1. hEvent = CreateEvent(L"SharedEvent")
> 2. FilterSendMessage(DUMMY_IOCTL)
> 3. WaitForSingleObject(hEvent)
>
> Kernel module: (DUMMY_IOCTL handler)
> 1. pEvent = IoCreateNotificationEvent(L"\BaseNamedObjects\SharedEvent");
> 2. ObReferenceObject(pEvent);
>
> And then
> KeSetEvent(pEvent, 0, FALSE);
> from a different thread.
>
> But the WaitForSingleObject() call never returns.
>
> The FS filter driver is started manually so we can be sure that
> BaseNamedObjects is created.
> I feel this has to be in the context of the same process… only then it’ll
> work.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

I read this thread and just cannot believe my own eyes…

The OP speaks about sharing events between the kernel and userland… and he actually gets help,
without any screaming in capitals, without any requests to “PUBLIH THE NAME OF YOUR
COMPANY(etc)”, without terrifying stories about the multi-million lawsuits against those who use this technique and/or supposed 100+k bugs in products that relies upon it, and, in general, without any “exciting features” that one would normally expect on a thread like this.

What happened to “USE THE INVERTED CALL” crowd???

Anton Bassov

Shut up, Anton.

Contribute something useful, shut up, or get banned. Your choice.

Peter
OSR
@OSRDrivers

Sorry, Peter - the whole thing looked so tempting that I just could not resist this time. As you must have noticed, these days I try my best to behave…

Anton Bassov

Hi,

I can be wrong, but I think that you could send the handle of your event to your minifilter and get a pointer to it by using ObReferenceObjectByHandle. Once you have a pointer to the object you can use KeSetEvent.

Eugenio Barahona

Guys… We’ve now given the OP about 2 million options, and he hasn’t posted a follow-up since his original post on Monday.

What say we wait to hear back from him? And, if we don’t, then none of us has to bother writing pointless blather about what he might or might not be able to do…

Peter
OSR
@OSRDrivers

thank you so much for your replies and sorry for my late reply.

@Peter,
I am new in Kernel Development.
I build the code given in the article and tested it and found that
the waitforsingleobject() call never returns when time interval is INFINITE and returns 0x00000102 i.e “The given timed out interval expired” when some Finite time interval.
I am using IoCreateNotificationEvent() from kernel and signaling user app using KeSetEvent() from Kernel.

but using second approach i.e sending name event handle in IOCTL and get pointer to it using ObReferenceObjectByHandle and signaling it using KeSetEvent() worked perfectly fine.

why is IoCreateNotificationEvent() approach is not working, as the article specify that we should use
“sharing event by name” as context is not an issue?

@Tim, @Jamey,
I use the code attach with this http://www.osronline.com/article.cfm?id=108.

Thanks

xxxxx@yahoo.com wrote:

I am new in Kernel Development.
I build the code given in the article…

How did you build it? As we mentioned, the project in that article was
designed for Visual Studio 98 and the Windows XP DDK. What tools did
you use? How much did you modify the code?

and tested it…

How did you test it? Which operating system? How did you install it?

and found that
the waitforsingleobject() call never returns when time interval is INFINITE and returns 0x00000102 i.e “The given timed out interval expired” when some Finite time interval.
I am using IoCreateNotificationEvent() from kernel and signaling user app using KeSetEvent() from Kernel.
…
why is IoCreateNotificationEvent() approach is not working, as the article specify that we should use
“sharing event by name” as context is not an issue?

It’s not working because you have introduced a bug. If you want to zip
up your exact project folder and put it in some public place, we can
take a look.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I have build the code in VS 2013 and using WDK 8.1.

I have tested it on Windows 7 x86 machine.

Steps:

1. Install driver using .inf file.
2. Run an app which will create an event and will send an IOCTL.
3. Wait for kernel to signal this event.

Code is as below:

#define FILTER_DRIVER_PORT_NAME L"\FltDriverPort"

Kernel Mode :

case eIOCTL_TEST_IOCTL_1:
DbgPrint(“\n%s:: eIOCTL_TEST_IOCTL_1.\n”, FUNCTION);

/**
* Process IOCTL.
*/
RtlInitUnicodeString(&ucEventName, L"\BaseNamedObjects\SharedEvent");

sharedEvent = IoCreateNotificationEvent(&ucEventName, &hEvent);

if (sharedEvent != NULL) {
DbgPrint(“\n%s:: IoCreateNotificationEvent Successful.”, FUNCTION);
nsStatus = STATUS_SUCCESS;

ObReferenceObject(sharedEvent);
}
else {
DbgPrint(“\n%s:: IoCreateNotificationEvent Unsuccessful.”, FUNCTION);
nsStatus = STATUS_UNSUCCESSFUL;
}

lRet = KeSetEvent(sharedEvent, 0, FALSE);
DbgPrint(“\n%s:: Return value of KeSetEvent(): %ld.”, FUNCTION, lRet);

User Mode :

hResult = FilterConnectCommunicationPort(FILTER_DRIVER_PORT_NAME, 0, NULL, 0, NULL, &hPort);
if (FAILED(hResult))
{
_tprintf(_T(“\nFilterConnectCommunicationPort(HRESULT: 0x%lX)(ErrCode: %d)…FAILED.”),
hResult, HRESULT_CODE(hResult));
return hResult;
}
Ioctl.TestIoctl = (PTEST_IOCTL_1)malloc(sizeof(TEST_IOCTL_1));

if (NULL == Ioctl.TestIoctl)
{
return -1;
}

hEvent = CreateEvent(NULL, TRUE, FALSE, L"SharedEvent");

if (NULL == hEvent)
{
printf(“Cannot create named event!\n”);
return 0;
}

Ioctl.OpCode = eIOCTL_TEST_IOCTL_1;

hResult = FilterSendMessage(hPort, &Ioctl, sizeof(Ioctl), &TestIoctl_1_Return, sizeof(TestIoctl_1_Return), &dwLen);
if (FAILED(hResult))
{
_tprintf(_T(“\nFilterSendMessage(HRESULT: 0x%lX)(ErrCode: %d)…FAILED.”), hResult, HRESULT_CODE(hResult));
free(Ioctl.TestIoctl);
CloseHandle(hPort);
return hResult;
}

_tprintf(_T(“\neIOCTL_TEST_IOCTL_1 sent successfully…!!!”));

WaitStatus = WaitForSingleObject(hEvent, 10000);

if (WaitStatus != WAIT_OBJECT_0) {

printf(“\nDriver failed to signal event! WaitForSingleObject returned 0x%8.8x\n”,
WaitStatus);

}
else {

printf(“\nThe driver has successfully signaled our named event!\n”);

}

/**
* Clean-up.
*/
free(Ioctl.TestIoctl);
CloseHandle(hEvent);
CloseHandle(hPort);

hEvent = CreateEvent(NULL, TRUE, FALSE, L"SharedEvent");

Needs to be:

hEvent = CreateEvent(NULL, TRUE, FALSE, L"Global\SharedEvent");

Thank you so much.
It worked.