none
Handling abnormal exit of app that is sharing memory to kernel driver RRS feed

  • Question

  • Hi All,

    Assume that the memory is allocated by the user mode application and mapped to system address space using IOCTL. The shared memory is used to exchange data between app and driver. I know this is bad approach.

    But wondering how can i handle unmapping of this shared memory in kernel driver when application exits due to not-handled exception. Accessing this mapped memory in the driver code when application already exited will cause issue. 

    Thanks,


    Friday, February 14, 2020 10:39 PM

Answers

  • Yes, regardless of how a process terminates, all handles will be closed and your driver will get a CLOSE IRP. No need for process notification callback

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by Boomi.s Sunday, February 16, 2020 5:08 PM
    Sunday, February 16, 2020 5:06 PM
    Moderator
  • Leave the handle open, and when the app terminates the handle will be closed automatically. When the driver is informed that the handle is closing, unmap the memory

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, February 14, 2020 11:07 PM
    Moderator

All replies

  • Leave the handle open, and when the app terminates the handle will be closed automatically. When the driver is informed that the handle is closing, unmap the memory

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, February 14, 2020 11:07 PM
    Moderator
  • Hi Brian,

    Which handle you are mentioning here, do i need to pass application handle to the driver code?

    Sunday, February 16, 2020 3:53 PM
  • The handle you used to send the IOCTL

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Sunday, February 16, 2020 4:44 PM
    Moderator
  • Usually when application calls CloseHandle(), i can handle the IRP_MJ_CLOSE ioctl and unmap the memory.

    But this ioctl is invoked even if the app terminates unexpectedly also? 

    I am planning to register for ProcessNotification callback in my driver code. When the process i am interested is getting closed, i will unmap the memory. Of course, i have the particular process id information when it registers with the driver for the first time. I will use this information to check the particular process in the ProcessNotification callback. Only my concern is, this callback will be invoked for all process, may be performance degrade. I am not planning to do anything during the process creation callback, simply return. Only in the deletion path i will check for the particular process and unmap the memory. But still thinking performance issue. Is there anyway to register ProcessNotification callback only when processes terminates, so that i don't get callback during process creation. 

    Sunday, February 16, 2020 5:02 PM
  • Yes, regardless of how a process terminates, all handles will be closed and your driver will get a CLOSE IRP. No need for process notification callback

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by Boomi.s Sunday, February 16, 2020 5:08 PM
    Sunday, February 16, 2020 5:06 PM
    Moderator
  • Thanks Brian.
    Sunday, February 16, 2020 5:08 PM