驱动层和应用层的同步通信

首先是同步问题，通过Ring3创建事件，并将该事件传递给Ring0，同时Ring3创建监控线程，等待Ring0发起事件。

                                           监控到事件（通知）

Ring0（监控）----------------------------------------------------------------> Ring3  

应用层得到事件通知后，向驱动层发起数据获取请求。由Ring3主动发起，Ring0被动接受。

                                          询问（CTL_CODE）

Ring3     ---------------------------------------------------------------- >     Ring0  

                                        回答（通过OUT参数）

Ring3     <----------------------------------------------------------------       Ring0  

 

具体实现：

应用层：

HANDLE hDevice = CreateFile("\\\\.\\PRMonitor",

                                GENERIC_READ|GENERIC_WRITE,

                                0,

                                NULL,

                                OPEN_EXISTING,

                                FILE_ATTRIBUTE_SYSTEM,

                                NULL);   //打开设备

    if(hDevice==INVALID_HANDLE_VALUE)

    {

        printf("Failed to obtain device with error code: %d\n",GetLastError());

        getchar();

        return;

    }



    

    DWORD dwOutput;

    char* OutputBuffer[256];

    HANDLE m_hEvent = CreateEvent(NULL,FALSE,FALSE,NULL);  //创建事件

    DeviceIoControl(hDevice,IOCTL_STARTHOOK,&m_hEvent,sizeof(HANDLE),NULL,0,&dwOutput,NULL); //发事件给ring0

    

    printf("IoControl code sent\n");

    while(true)

    {



        WaitForSingleObject(m_hEvent,INFINITE);  //等待ring0事件通知

        DeviceIoControl(hDevice,IOCTL_GETINFO,NULL,0,&OutputBuffer,256,&dwOutput,NULL);  //获取数据

        printf("%s\n",OutputBuffer);

        ResetEvent(m_hEvent);  //重置事件

    }

驱动层：

PRKEVENT gpEventObject;
POBJECT_HANDLE_INFORMATION objHandleInfo;

NTSTATUS DevDispatch(PDEVICE_OBJECT  DeviceObject,PIRP  Irp)

{

    PVOID pInBuffer;

    ULONG pInbufferSize;

    PVOID pOutBuffer;

    ULONG pOutbufferSize;

    NTSTATUS status;

    PIO_STACK_LOCATION ps = IoGetCurrentIrpStackLocation(Irp);

            

    switch(ps->Parameters.DeviceIoControl.IoControlCode)

    {

    case IOCTL_STARTHOOK:  //传送事件

        if(!bProcMon)

        {

            ……

            pInBuffer = Irp->AssociatedIrp.SystemBuffer;

            pInbufferSize = ps->Parameters.DeviceIoControl.InputBufferLength;

            if(pInBuffer == NULL || pInbufferSize < sizeof(HANDLE))

            {

                KdPrint(("Set Event Error\n"));

                status = STATUS_INVALID_BUFFER_SIZE;

                break;

            }

            hEvent = *(HANDLE*)pInBuffer;



            status = ObReferenceObjectByHandle(hEvent,

                GENERIC_ALL,

                NULL,

                KernelMode,

                &gpEventObject,

                &objHandleInfo);

            KdPrint(("gpEventObject: %x\n",gpEventObject));

            

            

        }

        

        break;



    case IOCTL_GETINFO:    //传送数据

        pOutBuffer = Irp->AssociatedIrp.SystemBuffer;

        pOutbufferSize = ps->Parameters.DeviceIoControl.OutputBufferLength;

        RtlCopyMemory(pOutBuffer,output,sizeof(output));

        

        Irp->IoStatus.Information = pOutbufferSize; 

        

        break;

    }

    //////////////////////////////////////////////////////////////////////////

    Irp->IoStatus.Status = STATUS_SUCCESS;

    IoCompleteRequest(Irp,IO_NO_INCREMENT);

    return STATUS_SUCCESS;

}

在需要通知应用层事件的地方（比如监控到某一事件时）加上这一句

KeSetEvent(gpEventObject,0,FALSE);  

这时应用层程序就会通过DeviceIoControl向驱动层请求数据。