Sharing Events Between Kernel and User

September 12, 2012

tags: ,
no comments

I’m writing this because the WDK documentation left things out.


This API: IoCreateSynchronizationEvent says that you have two options to share an Event with user-mode application: 1. The process creates an event and sends the handle to the driver (more secure) and 2. Use named events.


The documentation says that named evevnts require “\\BaseNamedObjects\Xxx” on the driver’s side and “xxx” on the process side. This should be “\BaseNamedObjects\Xxx” with one back-slash. Your code should look like this “\\BaseNamedObjects\\Xxx” and not like this: “\\\\BaseNamedObjects\\Xxx


Also I found that the user space process created the Named Event under “\Sessions\1\BaseNamedObjects\Xxx” where 1 is the Session ID and Xxx is the Event Name.


I assume that this is relevant for KeInitializeEvent, IoCreateSynchronizationEvent, and ZwCreateEvent.


Using an administrator account, not running the process using “Run as administrator” this works.


 


 

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*