There is a lot within this topic due to how many different methods there really are; some of them are, however, naturally unsupported.

One of the most preferred methods for kernel-mode to user-mode communication is through Ports (an example of this is demonstrated by Microsoft in the file-system mini-filter device driver samples). You can also use Shared Events (trigger an event to cause a routine elsewhere to execute an operation), Inverted Calls, or even shared named pipes (although named pipes are not supported in kernel-mode by default, so using this technique would be "hacky" and is not recommended unless you are certain you know what you are doing and have a good reason for doing so). It is best to stick to supported, documented techniques though (for stability and maintenance purposes).

Functions like DeviceIoControl require a handle. You can acquire this handle by using CreateFile(A/W). You can use this combination to send IOCTL (Input & Output Control) codes to the device driver, which will handle the requests through its IRP_MJ_XXXXXX callback routines.

NtCreateNamedPipeFile (NTDLL) is called when CreateNamedPipe (KERNEL32) is called. It is not exported by NTOSKRNL, but since NTDLL performs a system call, there is an address to the routine within the System Service Dispatch Table (SSDT). You can re-create your own wrapper for the Win32 API pipe functions yourself.
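As an added example (not code from the original post), here is the CreateFile + DeviceIoControl path described above in C: the user-mode side opens the device and sends an IOCTL, and a portable stand-in for the driver's IRP_MJ_DEVICE_CONTROL handler decodes the control code and validates the buffer lengths before it touches the buffer. The device name `\\.\ExampleDevice`, the device type FILE_DEVICE_UNKNOWN and the function number 0x800 are assumptions; the CTL_CODE macro reproduced for non-Windows builds uses the same bit layout as winioctl.h, so the driver-side checks compile and run anywhere.

```c
/* Added example, not from the original post. User-mode side plus a
 * portable stand-in for the driver's IRP_MJ_DEVICE_CONTROL handler.
 * Device name, device type and function number are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
#else
/* Same bit layout as winioctl.h, so the driver-side code builds anywhere. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define FILE_DEVICE_UNKNOWN 0x22
#endif

/* Hypothetical control code: vendor function numbers start at 0x800. */
#define IOCTL_EXAMPLE_PING \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

/* Field extractors a dispatch routine can use to sanity-check a code. */
static uint32_t ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFFu; }
static uint32_t ioctl_access(uint32_t code)      { return (code >> 14) & 0x3u; }
static uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
static uint32_t ioctl_method(uint32_t code)      { return code & 0x3u; }

/* Stand-in for the IO_STACK_LOCATION.Parameters.DeviceIoControl fields
 * the driver reads from the IRP. */
typedef struct {
    uint32_t control_code;
    uint32_t input_length;
    uint32_t output_length;
} ioctl_request_t;

/* Validation the handler must do before touching SystemBuffer.
 * Returns 0 on success, a negative reason otherwise (a real driver would
 * complete the IRP with the matching NTSTATUS). */
static int validate_ping_request(const ioctl_request_t *req)
{
    if (req->control_code != IOCTL_EXAMPLE_PING) return -1;  /* unknown code */
    if (ioctl_method(req->control_code) != METHOD_BUFFERED) return -2;
    if (req->input_length  < sizeof(uint32_t)) return -3;   /* input too small */
    if (req->output_length < sizeof(uint32_t)) return -4;   /* output too small */
    return 0;
}

/* Driver-side body: with METHOD_BUFFERED one buffer carries both input and
 * output (Irp->AssociatedIrp.SystemBuffer), so the output overwrites the input. */
static int handle_ping(const ioctl_request_t *req, uint8_t *system_buffer,
                       uint32_t *bytes_returned)
{
    int rc = validate_ping_request(req);
    if (rc != 0) { *bytes_returned = 0; return rc; }
    uint32_t value;
    memcpy(&value, system_buffer, sizeof value);
    value += 1;                                   /* the driver's "work" */
    memcpy(system_buffer, &value, sizeof value);
    *bytes_returned = (uint32_t)sizeof value;
    return 0;
}

#ifdef _WIN32
/* User-mode side: CreateFileW on the device's Win32 name yields the handle
 * DeviceIoControl needs; the I/O manager turns the call into an
 * IRP_MJ_DEVICE_CONTROL request for the driver. Returns 0 or GetLastError(). */
static int send_ping(uint32_t in, uint32_t *out)
{
    HANDLE h = CreateFileW(L"\\\\.\\ExampleDevice", GENERIC_READ | GENERIC_WRITE, 0,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return (int)GetLastError();
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_EXAMPLE_PING, &in, sizeof in,
                              out, sizeof *out, &returned, NULL);
    int err = ok ? 0 : (int)GetLastError();
    CloseHandle(h);
    return err;
}
#endif

int main(void)
{
    /* Constructed request: what the driver would see for a 4-byte ping. */
    ioctl_request_t req = { IOCTL_EXAMPLE_PING, sizeof(uint32_t), sizeof(uint32_t) };
    uint8_t buf[4];
    uint32_t in = 41, returned = 0, out = 0;
    memcpy(buf, &in, sizeof in);
    int rc = handle_ping(&req, buf, &returned);
    memcpy(&out, buf, sizeof out);
    printf("code=0x%X type=0x%X func=0x%X rc=%d out=%u\n",
           (unsigned)IOCTL_EXAMPLE_PING, (unsigned)ioctl_device_type(IOCTL_EXAMPLE_PING),
           (unsigned)ioctl_function(IOCTL_EXAMPLE_PING), rc, (unsigned)out);
    return rc;
}
```

The length checks are the part worth copying: the I/O manager only guarantees that SystemBuffer is as large as the larger of the two lengths the caller passed, so a handler that reads or writes a fixed-size structure without checking InputBufferLength and OutputBufferLength against it is trusting user-mode input.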
June 2023