26、Windows驱动程序的同步处理(2)
4、内核模式下的同步对象
用户模式下用句柄来操作同步对象,而内核模式下可以获得同步对象的指针。每种同步对象在内核中均对应一种数据结构。
1)等待
KeWaitForMultipleObjects
KeWaitForSingleObject
如果超时则返回STATUS_TIMEOUT。如果是因为数组中其一个同步对象变为激发态,则函数的返回值减去STATUS_WAIT_0,就是激发的同步对象在数组中的索引号。
2)多线程
PsCreateSystemThread 包括用户线程与系统线程。用户线程属于当前进程(当前IO操作的发起者;如在IRP_MJ_READ的派遣函数中调用 PsCreateSystemThread创建用户线程,新线程属于调用ReadFile的进程)中的线程。系统线程一般是System线程。
创建的线程必须手动用PsTerminateSystemThread结束。PEPROCESS记录进程信息。
代码
1
#include
"
ntddk.h
"
2
VOID SystemThread(IN PVOID pContext)
3
{
4
KdPrint((
"
Enter SystemThread\n
"
));
5
PEPROCESS pEProcess
=
IoGetCurrentProcess();
6
PTSTR ProcessName
=
(PTSTR)((ULONG)pEProcess
+
0x174
);
7
KdPrint((
"
this thread is run in %s process!\n
"
, ProcessName));
8
KdPrint((
"
Leave SystemThread\n
"
));
9
PsTerminateSystemThread (NT_STATUS);
10
}
11
12
VOID MyProcessThread(IN PVOID pContext)
13
{
14
KdPrint((
"
Enter MyProcessThread\n
"
));
15
PEPROCESS pEProcess
=
IoGetCurrentProcess();
16
PTSTR ProcessName
=
(PTSTR)((ULONG)pEProcess
+
0x174
);
17
KdPrint((
"
this thread is run in %s process!\n
"
, ProcessName));
18
KdPrint((
"
Leave MyProcessThread\n
"
));
19
PsTerminateSystemThread (NT_STATUS);
20
}
21
22
void
CreateThread_Test()
23
{
24
HANDLE hSystemThread, hMyThread;
25
NTSTATUS status
=
PsCreateSystemThread(
&
hSystemThread,
0
, NULL, NULL, NULL, SystemThread, NULL);
26
NTSTATUS status
=
PsCreateSystemThread(
&
hMyThread,
0
, NULL, NULL, NULL, MyProcessThread, NULL);
27
}
示例代码 P236
3)内核模式下的事件对象
KEVENT
KeInitializeEvent
代码
1
void
MyProcessThread(IN VOID pContext)
2
{
3
PKEVENT pEvent
=
(PKEVENT)pContext;
4
kdPrint((
"
Enter MyProcessThread\n
"
));
5
KeSetEvent(pEvent, IO_NO_INCREMENT, FALSE);
6
kdPrint((
"
Leave MyProcessThread\n
"
));
7
PsTerminateSystemThread (NT_STATUS);
8
}
9
void
Test()
10
{
11
HANDLE hMyThread;
12
KEVENT kEvent;
13
KeInitializeEvent(
&
kEvent, NotificationEvent, FALSE);
14
NTSTATUS status
=
PsCreateSystemThread(
&
hMyThread,
0
, NULL, NtCurrentProcess(), NULL, MyProcessThread,
&
kEvent);
15
keWaitforSingleobject(
&
kEvent, Executive, KernalMode, FALSE, NULL);
16
}
示例代码 P237
4)驱动程序与应用程序交互事件对象
在用户模式下创建一个同步事件,然后用DeviceIoControl把事件句柄传递给驱动程序。句柄是与进程相关的,一个进程中的句柄只能在这个进程中有效,句柄相当于事件对象在进程中的索引。DDK中提供了如下函数:
ObReferenceObjectByHandle
ObDereferenceObject
ObReferenceObjectByHandle 在得到指针的同时,会为对象的指针维护一个计数,每次调用ObReferenceObjectByHandle会使计数加1;为使计数平衡,应当在后面适当时候调用ObDereferenceObject 来使计数减一。
代码
1
int
main()
2
{
3
HANDLE hDevice
=
CreateFile(
"
\\\\.\\HelloDDK
"
,
4
GENERIC_READ
|
GENERIC_WRITE,
5
0
,
6
NULL,
7
OPEN_EXISTING,
8
FILE_ATTRIBUTE_NORMAL,
9
NULL);
10
if
(hDevice
==
INVALID_HANDLE_VALUE)
11
{
12
printf(
"
Failed to obtain file handle to device:%s with win32 error code:%d\n
"
,
"
MYWDMDevice
"
, GetLastError());
13
return
1
;
14
}
15
bool
bRet;
16
DWORD dwOutput;
17
HANDLE hEvent
=
CreateEvent(NULL, FALSE, FALSE, NULL);
18
//
建立辅助线程
19
HANDLE hThread1
=
(HANDLE)_beginthreadex(NULL,
0
, Thread1,
&
hEvent,
0
, NULL);
20
//
将用户模式下的事件句柄传递给驱动
21
//
IOCTL_TRANSMIT_EVENT是自己定义的CODE
22
bRet
=
DeviceIoControl(hDevice,
23
IOCTL_TRANSMIT_EVENT,
24
&
hEvent,
25
sizeof
(hEvent),
26
NULL,
27
0
,
28
&
dwOutput,
29
NULL);
30
WaitForSingleObject(hThread1, INFINITE);
31
CloseHandle(hDevice);
32
CloseHandle(hThread1);
33
CloseHandle(hEvent);
34
return
0
;
35
}
36
37
NTSTATUS HelloDDKDeviceIoControl(IN PDEVICE_OBJECT pDevObj,
38
IN PIRP pIrp)
39
{
40
NTSTATUS status
=
STATUS_SUCESS;
41
KdPrint((
"
Enter HelloDDKDeviceIoControl\n
"
));
42
PIO_STACK_LOCATION stack
=
IoGetCurrentIrpStackLocation(pIrp);
43
//
获得输入参数大小
44
ULONG cbin
=
stack
->
Parameters.DeviceIoControl.InputBufferLength;
45
//
获得输出参数大小
46
ULONG cbout
=
stack
->
Parameters.DeviceIoControl.OutPutBufferLength;
47
//
获得IOCTL码
48
ULONG code
=
stack
->
Parameters.DeviceIoControl.IoControlCode;
49
ULONG info
=
0
;
50
switch
(code)
51
{
52
case
IOCTL_TRANSMIT_EVENT:
53
{
54
//
得到应用程序传进来的事件
55
HANDLE hUserEvent
=
*
(HANDLE
*
)pIrp
->
AssociatedIrp.SystemBuffer;
56
PKEVENT pEvent;
57
status
=
ObReferenceObjectByHandle(hUserEvent, EVENT_MODIFY_STATE,
*
ExEventObjecttype,
58
kernalmode,
59
(PVOID
*
)
&
pEvent, NULL);
60
keSetEvent(pEvent, IO_NO_INCREMENT, FALSE);
61
ObDereferenceObject(pEvent);
62
break
;
63
}
64
default
:
65
status
=
STATUS_INVALID_PARAMETER;
66
}
67
pIrp
->
IoStatus.Status
=
status;
68
pIrp
->
IoStatus.Information
=
info;
69
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
70
return
status;
71
}
示例代码 P238
5)驱动程序与驱动程序间交互事件对象
最简单的方法是创建一个有名字的事件对象,这样在另一个驱动程序中就可以根据名字来寻找到事件对象的指针。
6)内核模式下的信号灯
用户模式下,信号灯对象用句柄表示,在内核模式下,用ksemaphore结构表示。
KeInitializeSemaphore
KeReadStateSemaphore
KeReleaseSemaphore 释放信号灯会增加计数
KeWaitXXX可获取信号灯,如果成功获得,计数减一,否则等待。
示例代码 P240,基本原理同上,略
7)内核模式下的互斥体
KeInitializeMutex
KeReleaseMutex
代码
1
VOID MyProcessThread1(IN PVOID pContext)
2
{
3
PKMUTEX pkMutex
=
(PKMUTEX)pContext;
4
keWaitforSingleobject(pkMutex, Executive, KernalMode, FALSE, NULL);
5
kdPrint((
"
Enter MyProcessThread1\n
"
));
6
//
停止50ms
7
KeStallExecutionProcessor(
50
);
8
kdPrint((
"
Leave MyProcessThread1\n
"
));
9
KeReleaseMutex(pkMutex, FALSE);
10
PsTerminateSystemThread(STATUS_SUCCESS);
11
}
12
13
VOID MyProcessThread2(IN PVOID pContext)
14
{
15
PKMUTEX pkMutex
=
(PKMUTEX)pContext;
16
keWaitforSingleobject(pkMutex, Executive, KernalMode, FALSE, NULL);
17
kdPrint((
"
Enter MyProcessThread2\n
"
));
18
//
停止50ms
19
KeStallExecutionProcessor(
50
);
20
kdPrint((
"
Leave MyProcessThread2\n
"
));
21
KeReleaseMutex(pkMutex, FALSE);
22
PsTerminateSystemThread(STATUS_SUCCESS);
23
}
24
#pragma
PAGEDCODE
25
VOID Test()
26
{
27
HANDLE hMyThread1, hMyThread2;
28
KMUTEX hMutex;
29
KeInitializeMutex(
&
hMutex,
0
);
30
NTSTATUS status
=
PsCreateSystemThread(
&
hMyThread1,
0
, NULL, NtCurrentProcess(), NULL, MyProcessThread1,
&
hMutex);
31
NTSTATUS status2
=
PsCreateSystemThread(
&
hMyThread2,
0
, NULL, NtCurrentProcess(), NULL, MyProcessThread2,
&
hMutex);
32
PVOID Pointer_Array[
2
];
33
ObReferenceObjectByHandle(hMyThread1,
0
, NULL,
34
kernalmode,
35
Pointer_Array[
0
],
36
NULL);
37
ObReferenceObjectByHandle(hMyThread2,
0
, NULL,
38
kernalmode,
39
Pointer_Array[
1
],
40
NULL);
41
KeWaitForMultipleObjects(
2
, Pointer_Array, WaitAll, Executive, KernelMode,
42
FALSE, NULL, NULL);
43
ObDereferenceObject(Pointer_Array[
0
]);
44
ObDereferenceObject(Pointer_Array[
1
]);
45
kdPrint((
"
After KeWaitForMultipleObjects\n
"
));
46
}
示例代码 P242
8)快速互斥体
比普通互斥体快。不过不能递归获取互斥体对象。普通互斥体数据结构是MUTEX,快带互斥体是FAST_MUTEX。
示例代码 P244 基本原理同上,只是数据结构变了,此略
4、其他同步方法
1)使用自旋锁
KeInitializeSpinLock
KeReleaseSpinLock
代码
1
#include
"
windows.h
"
2
#include
"
process.h
"
3
#include
"
stdio.h
"
4
#include
"
winioctl.h
"
5
#define
"..\NT_Driver\Ioctls.h"
6
7
UINT WINAPI Thread1(LPVOID pContext)
8
{
9
BOOL bRet;
10
DWORD dwOutput;
11
bRet
=
DeviceIoControl(
*
(PHANDLE)pContext,
12
IOCTL_MYDEFINITION,
13
NULL,
14
0
,
15
NULL,
16
0
,
17
&
dwOutput,
18
NULL);
19
return
0
;
20
}
21
22
int
main()
23
{
24
HANDLE hDevice
=
CreateFile(
"
\\\\.\\HelloDDK
"
,
25
GENERIC_READ
|
GENERIC_WRITE,
26
0
,
27
NULL,
28
OPEN_EXISTING,
29
FILE_ATTRIBUTE_NORMAL,
30
NULL);
31
if
(hDevice
==
INVALID_HANDLE_VALUE)
32
{
33
printf(
"
Failed to obtain file handle to device:%s with win32 error code:%d\n
"
,
"
MYWDMDevice
"
, GetLastError());
34
return
1
;
35
}
36
HANDLE hThread1
=
(HANDLE)_beginthreadex(NULL,
0
, Thread1,
&
hDevice,
0
, NULL);
37
HANDLE hThread2
=
(HANDLE)_beginthreadex(NULL,
0
, Thread1,
&
hDevice,
0
, NULL);
38
WaitForMultipleObjects(
2
, hThread, TRUE, INFINITE);
39
CloseHandle(hThread1);
40
CloseHandle(hThread2);
41
CloseHandle(hDevice);
42
return
0
;
43
}
44
45
NTSTATUS HelloDDKDeviceIoControl(IN PDEVICE_OBJECT pDevObj,
46
IN PIRP pIrp)
47
{
48
ASSERT(KeGetCurrentIrpl()
==
PASSIVE_LEVLE));
49
PDEVICE_EXTENSION pdx
=
(PDEVICE_EXTENSION)pDevObj
->
DeviceExtension;
50
KIRQL oldirql;
51
KeAcquireSpinLock(
&
pdx
->
My_SpinLock,
&
oldirql);
52
//
...开始
53
ASSERT(KeGetCurrentIrpl()
==
DISPATCH_LEVEL));
54
pIrp
->
IoStatus.Status
=
STATUS_SUCCESS;
55
pIrp
->
IoStatus.information
=
0
;
56
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
57
NTSTATUS status
=
STATUS_SUCESS;
58
//
...结束
59
KeReleaseSpinLock(
&
pdx
->
My_SpinLock, oldirql);
60
return
status;
61
}
示例代码 P245
2)互锁操作进行同步
在多线程操作中,对于全局变量的自增、自减等操作,可能不同时候操作,结果是不一样的。因为一个自增等操作翻译成汇编是多条语句,多个线程访问导致了不可重入性。解决方法一是通过自旋锁等同步操作,另外一个方法,便是下面介绍的互锁操作。
保证操作的原子性。DDK提供了如下函数:
InterlockedXX
ExInterlockedXX
1
int
number
=
0
;
2
void
Foo()
3
{
4
KeAcquireSpinLock(...)
5
number
++
;
6
KeReleaseSpinLock(...)
7
}
8
9
int
number2
=
0
;
10
void
Foo2()
11
{
12
InterlockedIncrement(
&
number2);
//
原子方式的自增
13
}
前者不通过自旋锁实现,内部不会提升IRQL,可以操作非分页数据和分页数据;后者是通过自旋锁实现的,需要程序员提供一个自旋锁,不能操作分页内存的数据。
ExInterlockedXX
| 内核函数 |
功能 |
| ExInterlockedAddLargeInteger |
64位整数加法互锁操作 |
| ExInterlockedAddLargeStatistic |
64位整数加法互锁操作 |
| ExInterlockedAddUlong |
32位整数加法互锁操作 |
| ExInterlockedAllocateFromZone |
分配互锁操作 |
| ExInterlockedCompareExchange64 |
两个32位整数互换互锁操作 |
| ExInterlockedDecrementLong |
32位整数减法互锁操作 |
| ExInterlockedExchangeAddLargeInteser |
64为整数加法互锁操作 |
| ExInterlockedExchangeUlong |
两个整数互换互锁操作 |
| ExInterlockedFlushSList |
删除链表全部元素的互锁操作 |
| ExInterlockedIncrementLong |
32位整数自增互锁操作 |
| ExInterlockedInsertHeadList |
插入双向链表互锁操作 |
| ExInterlockedInsertTailList |
插入双向链表互锁操作 |
| ExInterlockedPopEntryList |
删除单向链表互锁操作 |
| ExInterlockedPopEntrySList |
删除单向链表互锁操作 |
| ExInterlockedPushEntryList |
插入单向链表互锁操作 |
| ExInterlockedPushEntrySList |
插入单向链表互锁操作 |
| ExInterlockedRemoveHeadList |
插入双向链表互锁操作 |
InterlockedXX
| 内核函数 |
功能 |
| InterlockedCompareExchange |
比较互锁操作 |
| InterlockedCompareExchangePointer |
比较互锁操作 |
| InterlockedDecrement |
整型自减互锁操作 |
| InterlockedExchange |
整型交换互锁操作 |
| InterlockedExchangeAdd |
两个整型相加互锁操作 |
| InterlockedExchangePinter |
为指针赋值互锁操作 |
| InterlockedIncrement |
整型自增互锁操作 |