
PsSuspendProcess blocking / waiting / stuck - Windows Kernel Programming

I come here with a very low-level question about the Windows kernel. I am in a callback function of a minifilter driver. The goal of the driver is to pause any process which tries to open a file I marked as protected. I'm using PsSuspendProcess, which I got from this function:

(pPsSuspendProcess)ReturnSystemRoutineAddress(L"PsSuspendProcess");

But when I call it with the above code, my program gets stuck at the Suspend call. In the Task Manager the process is suspended fine, but the driver never ends this function.

It only continues when I manually unpause the process or kill it from taskmgr.

I'm totally blocked, as PsSuspendProcess is an undocumented function...

Here is my code:

FLT_PREOP_CALLBACK_STATUS
DfPreCreateCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Outptr_result_maybenull_ PVOID* CompletionContext
    )
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(FltObjects);
    NTSTATUS status;
    PFLT_FILE_NAME_INFORMATION FileInfo = NULL;
    ULONG options = Data->Iopb->Parameters.Create.Options;
    UCHAR disposition = (options >> 24) & 0xff;   // high byte: FILE_OPEN, FILE_OVERWRITE, ...
    ULONG createOptions = options & 0x00FFFFFF;   // low 24 bits: FILE_NON_DIRECTORY_FILE, ...

    *CompletionContext = NULL;

    if ((createOptions & FILE_NON_DIRECTORY_FILE) && (disposition == FILE_OPEN || disposition == FILE_OPEN_IF
        || disposition == FILE_OVERWRITE || disposition == FILE_OVERWRITE_IF))
    {
        // FltGetRequestorProcess adds no reference; the pointer is valid for the duration of the callback
        PEPROCESS p = FltGetRequestorProcess(Data);
        if (p == NULL)
            goto callback_end;
        // PsGetProcessImageFileName is undocumented; it returns the short (15-char) image name
        PCHAR processName = PsGetProcessImageFileName(p);
        if (processName == NULL)
            goto callback_end;
        // ExcludedProcess: array of narrow process names declared elsewhere in the driver
        for (ULONG i = 0; i < ARRAYSIZE(ExcludedProcess); i++)
        {
            if (strcmp(processName, ExcludedProcess[i]) == 0)
                goto callback_end;
        }

        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &FileInfo);
        if (!NT_SUCCESS(status))   // NT_ERROR() would let warning statuses through with FileInfo unset
        {
            FileInfo = NULL;
            goto callback_end;
        }
        if (!IsProtected(&FileInfo->Name))   // IsProtected: the driver's own check, declared elsewhere
            goto callback_end;
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DBG PROTECTED %wZ\n", &FileInfo->Name);   // %wZ takes a PUNICODE_STRING

        // Suspends the requestor process (in a pre-create callback this is normally the current process)
        PsSuspendProcess(p);

        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DBG SUSPENDED\n");
    }
    callback_end:
    if (FileInfo != NULL)
        FltReleaseFileNameInformation(FileInfo);   // every successful FltGetFileNameInformation needs a release
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

You in fact call

PsSuspendProcess(FltGetRequestorProcess(Data));

But for file operations, pre-callbacks are almost always called in the context of the thread that requested the given I/O operation, so almost always

FltGetRequestorProcess(Data) == IoGetCurrentProcess();

So you suspend the current process and the current thread. As a result, the next line

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DBG SUSPENDED");

of course will not be executed until the thread is resumed.
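One way to avoid suspending yourself, as an added example that is not part of the question or of the answer above: hand the suspend off to a Filter Manager deferred I/O work item, which runs on a system worker thread rather than in the requestor's thread, and keep the create pended until that worker has suspended the requestor. The example assumes the exclusion-list and IsProtected checks from the question are wrapped in a hypothetical DfIsProtectedCreate(Data) helper, that PsSuspendProcess is resolved with MmGetSystemRoutineAddress from DriverEntry (its NTSTATUS(PEPROCESS) signature is the undocumented one used in the question), that DF_TAG is the driver's pool tag, and a WDK new enough for ExAllocatePool2; none of those names come from the page.

```c
#include <fltKernel.h>

#define DF_TAG 'pSfD'   // assumed pool tag for this driver

// Undocumented, exported by ntoskrnl.exe: NTSTATUS PsSuspendProcess(PEPROCESS).
typedef NTSTATUS (NTAPI *PFN_PsSuspendProcess)(PEPROCESS Process);
static PFN_PsSuspendProcess g_PsSuspendProcess = NULL;

// Hypothetical: the question's exclusion-list and IsProtected() checks, factored out.
BOOLEAN DfIsProtectedCreate(_In_ PFLT_CALLBACK_DATA Data);

typedef struct _DF_SUSPEND_CONTEXT {
    PEPROCESS Process;   // referenced in pre-create, dereferenced by the worker
} DF_SUSPEND_CONTEXT, *PDF_SUSPEND_CONTEXT;

// Call once from DriverEntry.
NTSTATUS DfResolvePsSuspendProcess(void)
{
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"PsSuspendProcess");
    g_PsSuspendProcess = (PFN_PsSuspendProcess)MmGetSystemRoutineAddress(&name);
    return (g_PsSuspendProcess != NULL) ? STATUS_SUCCESS : STATUS_PROCEDURE_NOT_FOUND;
}

// Runs on a system worker thread (in the System process), so the thread executing
// this routine is never one of the threads PsSuspendProcess is about to suspend.
static VOID FLTAPI DfSuspendWorker(
    _In_ PFLT_DEFERRED_IO_WORKITEM WorkItem,
    _In_ PFLT_CALLBACK_DATA Data,
    _In_opt_ PVOID Context)
{
    PDF_SUSPEND_CONTEXT ctx = (PDF_SUSPEND_CONTEXT)Context;
    NTSTATUS status;

    PAGED_CODE();
    NT_ASSERT(ctx != NULL && ctx->Process != IoGetCurrentProcess());

    status = g_PsSuspendProcess(ctx->Process);   // queues suspend APCs; does not wait for them
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
               "DBG SUSPENDED pid=%u status=0x%08x\n",
               HandleToULong(PsGetProcessId(ctx->Process)), status);

    ObDereferenceObject(ctx->Process);
    ExFreePoolWithTag(ctx, DF_TAG);
    FltFreeDeferredIoWorkItem(WorkItem);

    // Let the pended create go on. The requestor's thread stays parked inside
    // NtCreateFile until something resumes the process (PsResumeProcess / NtResumeProcess).
    FltCompletePendedPreOperation(Data, FLT_PREOP_SUCCESS_NO_CALLBACK, NULL);
}

FLT_PREOP_CALLBACK_STATUS
DfPreCreateDeferred(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Outptr_result_maybenull_ PVOID *CompletionContext)
{
    PEPROCESS proc;
    PFLT_DEFERRED_IO_WORKITEM work;
    PDF_SUSPEND_CONTEXT ctx;
    NTSTATUS status;

    PAGED_CODE();
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;

    if (g_PsSuspendProcess == NULL || !DfIsProtectedCreate(Data))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    proc = FltGetRequestorProcess(Data);   // no reference is added for us
    // Never suspend the System process: the worker that would do the suspending lives there.
    if (proc == NULL || proc == PsInitialSystemProcess)
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    work = FltAllocateDeferredIoWorkItem();
    ctx = (work != NULL)
        ? (PDF_SUSPEND_CONTEXT)ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(*ctx), DF_TAG)
        : NULL;
    if (ctx == NULL) {
        if (work != NULL)
            FltFreeDeferredIoWorkItem(work);
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   // fail open rather than fail the create
    }

    ObReferenceObject(proc);   // keep the EPROCESS alive until the worker is done with it
    ctx->Process = proc;

    // Create is IRP-based, so it may be posted to a work queue and pended.
    status = FltQueueDeferredIoWorkRoutine(work, Data, DfSuspendWorker, DelayedWorkQueue, ctx);
    if (!NT_SUCCESS(status)) {
        ObDereferenceObject(proc);
        ExFreePoolWithTag(ctx, DF_TAG);
        FltFreeDeferredIoWorkItem(work);
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    // The I/O now belongs to the worker, which must finish it with FltCompletePendedPreOperation.
    return FLT_PREOP_PENDING;
}
```

Two things worth checking while debugging the original version: in the pre-create callback, print whether FltGetRequestorProcess(Data) == IoGetCurrentProcess() (it will be, for the reason the answer gives), and remember that after FltCompletePendedPreOperation the rest of the create is processed on the worker thread, which is permitted for IRP-based operations but means any later callback of this driver for that create no longer runs in the requestor's context.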
