© 2004 Microsoft Corporation. All rights reserved. 1
User / Kernel Communication Model
Advantages
- Bi-directional messaging facility
- Minifilter defines the security on the channel
- Fast User-to-Kernel messaging, no buffering
- Efficient Kernel-to-User messaging with the capability for user mode to reply back to the filter
- Can associate I/O completion ports for Kernel-to-User communication

Communication Ports
- Filter creates a named communication port
- Filter implicitly begins to listen for incoming connections on the port
- Connection will be denied if user doesn’t have sufficient access as specified by security descriptor on listener port
- Each connection to the listener port gets its own message queue and private endpoints

Communication Ports (cont’d)
- Closing either endpoint (kernel/user) terminates that connection
- Closing listener port handle prevents future connections
  - Existing connections will not be terminated
- Unload safe
  - When minifilter unloads, Filter manager forcibly terminates existing connections

Creating Communication Port
- Minifilter creates a named port with:
    FltCreateCommunicationPort(
        IN PFLT_FILTER Filter,
        OUT PFLT_PORT *ServerPort,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        IN PVOID ServerPortCookie OPTIONAL,
        IN PFLT_CONNECT_NOTIFY ConnectNotifyCallback,
        IN PFLT_DISCONNECT_NOTIFY DisconnectNotifyCallback,
        IN PFLT_MESSAGE_NOTIFY MessageNotifyCallback,
        IN ULONG MaxConnections);
- Minifilter closes named port with:
    FltCloseCommunicationPort()

Establishing a Connection from User-Mode
- Application connects to named port with:
    FilterConnectCommunicationPort(
        IN LPCWSTR lpPortName,
        IN DWORD dwOptions,
        IN LPVOID lpContext OPTIONAL,
        IN WORD wSizeOfContext,
        IN LPSECURITY_ATTRIBUTES lpSecurityAttributes OPTIONAL,
        OUT HANDLE *hPort);
- Application disconnects from named port with:
    CloseHandle()

Establishing a Connection (cont’d)
- User connect triggers ConnectNotify() callback in minifilter
  - Receives a handle to the new connection just created
- On return, user-mode receives a separate handle representing its endpoint to the connection
- User-mode handle is a file handle
  - Can be used to associate I/O completion ports

User-to-Kernel Messaging
- FilterSendMessage()
  - Sends synchronous message from user to kernel
  - Minifilter receives message via MessageNotify() callback
- Buffers are raw user buffers
  - Must use try-except(), probe/capture, etc., to safely access buffers

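As an added example (not from the original slides or the Scanner sample), here is a portable C model of the capture-then-validate step a MessageNotify() callback needs when its input is a raw user buffer. The message layout, command values and function names are hypothetical, and memcpy stands in for the try/except-guarded copy a real driver would use.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical wire format agreed between application and minifilter. */
#define MSG_MAX_PAYLOAD 256u
enum { CMD_SCAN = 1, CMD_SET_MODE = 2 };
enum { MSG_OK = 0, MSG_TOO_SHORT = -1, MSG_BAD_LENGTH = -2, MSG_BAD_COMMAND = -3 };

typedef struct { uint32_t command; uint32_t payload_len; } msg_header;
typedef struct { msg_header hdr; uint8_t payload[MSG_MAX_PAYLOAD]; } captured_msg;

/* Models the checks in a MessageNotify callback: `in`/`in_len` stand for
 * InputBuffer/InputBufferLength. In a driver each read of `in` sits inside
 * try/except; memcpy stands in for that guarded copy here. */
int capture_message(const void *in, uint32_t in_len, captured_msg *out)
{
    if (in == NULL || in_len < sizeof(msg_header))
        return MSG_TOO_SHORT;

    /* Read the header once into private memory. Later checks use this copy,
     * so user mode cannot change the length after it has been validated. */
    memcpy(&out->hdr, in, sizeof(msg_header));

    if (out->hdr.payload_len > MSG_MAX_PAYLOAD ||
        out->hdr.payload_len > in_len - sizeof(msg_header))
        return MSG_BAD_LENGTH;
    if (out->hdr.command != CMD_SCAN && out->hdr.command != CMD_SET_MODE)
        return MSG_BAD_COMMAND;

    memcpy(out->payload, (const uint8_t *)in + sizeof(msg_header),
           out->hdr.payload_len);
    return MSG_OK;
}

/* Constructed sample: builds a message claiming `claimed` payload bytes in a
 * buffer that really holds `actual`, and returns the capture result. */
int check_sample(uint32_t command, uint32_t claimed, uint32_t actual)
{
    uint8_t raw[sizeof(msg_header) + MSG_MAX_PAYLOAD] = {0};
    msg_header h = { command, claimed };
    captured_msg m;
    if (actual > MSG_MAX_PAYLOAD) actual = MSG_MAX_PAYLOAD;
    memcpy(raw, &h, sizeof h);
    return capture_message(raw, (uint32_t)sizeof(msg_header) + actual, &m);
}
```

The length field is compared against both the protocol maximum and the number of bytes actually supplied, and only the captured copy of the header is consulted after the first read.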
Kernel-to-User Messaging
- FltSendMessage()
  - Sends message to waiting user-mode receiver
  - Can block if no user-mode receivers are available
  - Timeout may be specified, use with care
- FilterGetMessage()
  - Called by user mode application to receive a message from the minifilter
  - Recommend that you use overlapped structure to issue multiple asynchronous gets
- FilterReplyMessage()
  - Applications reply to a specific message
  - Requires agreed upon message protocol between application and minifilter

Terminating a Connection
- User-mode close of handle triggers DisconnectNotify() in minifilter
  - Filter then calls FltCloseClientPort() to finish closing the connection
- Minifilter unload also triggers DisconnectNotify()

Sample
Look at Scanner minifilter sample