A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #7947  by 0xC0000022L
 Thu Aug 11, 2011 11:22 pm
Tigzy wrote:Yep, I use IRPs; that's good stuff for communication where everything comes from userland.
In my case, the problem is that everything comes from a hook proxy function, so there are no IRPs...

BTW, has anybody got an idea about how to put my proxy function into a wait state while my UL process checks whether it should return SUCCESS or not?
And how to resume it from UL (with IRPs, I guess)? That's for the CreateSection hook.
Sorry, not watching the forum at the moment. So did you install the hook using the OS facilities (i.e. it's a notification), or did you hook the SSDT?
 #8069  by Tigzy
 Wed Aug 17, 2011 9:47 am
Sorry, in the meantime I found a solution with both LPC and mutex waits.
Yes, I hooked the SSDT.

Proxy func:
    //Message sending to UL app (via LPC)
    ...

    //Waiting for response (RELATIVE/SECONDS are helper macros from the driver, not shown here).
    //KeWaitForSingleObject with a timeout must run at IRQL <= APC_LEVEL.
    x.QuadPart = RELATIVE(SECONDS(2));
    Status = KeWaitForSingleObject(&CreationQueue.semQueue, Executive, KernelMode, FALSE, &x);
    if (Status == STATUS_SUCCESS)
    {
        pListEntry = ExInterlockedRemoveHeadList(&CreationQueue.QueueListHead, &CreationQueue.lockQueue);

        //**** Get data back ****
        if (pListEntry != NULL)   // the semaphore was signalled, but guard an empty list anyway
        {
            perm = CONTAINING_RECORD(pListEntry, PERMISSION, ListEntry);
            BOOLEAN allowed = perm->isAllowed;
            ExFreePoolWithTag(perm, '1gaT');   // allocated by the dispatch routine; free it here

            if (!allowed)
            {
                return STATUS_ACCESS_DENIED;
            }
        }
    }
    // Status == STATUS_TIMEOUT (no answer within 2 s) falls through, i.e. a timeout fails open.

    ...
    return real API

Dispatch func:
    case IOCTL_CREATION_ALLOWED:
    {
       DbgPrint("Process creation allowed\n");

       //****** release sem ******
       perm = (PERMISSION*)ExAllocatePoolWithTag(NonPagedPool, sizeof(PERMISSION), '1gaT');
       if (perm == NULL)
       {
          retVal = STATUS_INSUFFICIENT_RESOURCES;
          break;
       }
       perm->isAllowed = TRUE;

       // Queue the verdict first, then wake the hook blocked on the semaphore
       ExInterlockedInsertTailList(&CreationQueue.QueueListHead, &perm->ListEntry, &CreationQueue.lockQueue);
       KeReleaseSemaphore(&CreationQueue.semQueue, 0, 1, FALSE);
       //****************************

       retVal = STATUS_SUCCESS;
       break;
    }
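The hook/IOCTL hand-off in Tigzy's post above, modelled as an added example (my code, not Tigzy's driver). The posted design shares one list and one semaphore between every in-flight hook invocation, so with two CreateSection calls pending, whichever waiter wakes first takes the head of the list no matter which request the user-mode agent meant to answer, and a wait that times out falls through to the real API. The model below keys each verdict to a correlation id, rejects replies for unknown or already-answered ids, fails closed on timeout, and releases the slot on every path. It is portable C with no kernel headers so it can be compiled and run anywhere; the function names, the fixed MAX_PENDING table and the per-request KEVENT mentioned in comments are my assumptions. In a driver the table would be guarded by a spin lock and each slot would carry the event that KeSetEvent signals instead of the shared semaphore.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict handed back to the hook after the wait. */
typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1, VERDICT_TIMEOUT = 2 } verdict_t;

#define MAX_PENDING 8   /* assumed bound on concurrent hook invocations */

/* One slot per outstanding hook invocation. In the driver the slot would also
 * hold a KEVENT that the IOCTL handler signals, instead of one shared semaphore. */
typedef struct {
    bool     in_use;
    bool     answered;
    bool     allowed;
    uint32_t id;        /* correlation id sent to the user-mode agent with the request */
} pending_t;

static pending_t g_pending[MAX_PENDING];
static uint32_t  g_next_id = 1;          /* 0 is reserved for "no request" */

static pending_t *find_slot(uint32_t id) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (g_pending[i].in_use && g_pending[i].id == id)
            return &g_pending[i];
    return NULL;
}

/* Hook side, step 1: reserve a slot and get the id to send to user mode.
 * Returns 0 when the table is full; the caller should then fail closed. */
uint32_t submit_request(void) {
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (!g_pending[i].in_use) {
            g_pending[i].in_use   = true;
            g_pending[i].answered = false;
            g_pending[i].allowed  = false;
            g_pending[i].id       = g_next_id++;
            if (g_next_id == 0) g_next_id = 1;
            return g_pending[i].id;
        }
    }
    return 0;
}

/* IOCTL side: the agent answers exactly one id. Unknown, stale or duplicate
 * ids are rejected instead of being queued for whichever waiter wakes next. */
bool post_verdict(uint32_t id, bool allowed) {
    pending_t *p = find_slot(id);
    if (p == NULL || p->answered)
        return false;
    p->answered = true;
    p->allowed  = allowed;
    /* driver: KeSetEvent(&p->event, IO_NO_INCREMENT, FALSE); */
    return true;
}

/* Hook side, step 2, after the timed wait: read the answer and free the slot.
 * No answer by now means the wait timed out. The slot is released on every path. */
verdict_t collect_verdict(uint32_t id) {
    pending_t *p = find_slot(id);
    verdict_t  v = VERDICT_TIMEOUT;
    if (p == NULL)
        return VERDICT_DENY;                 /* bad id: never let it through */
    if (p->answered)
        v = p->allowed ? VERDICT_ALLOW : VERDICT_DENY;
    memset(p, 0, sizeof(*p));
    return v;
}

/* Policy: only an explicit ALLOW lets the real API run; a timeout is a deny. */
bool hook_decide(verdict_t v) {
    return v == VERDICT_ALLOW;
}

int main(void) {
    uint32_t a = submit_request();
    uint32_t b = submit_request();
    post_verdict(b, false);   /* the agent answers the second request first */
    post_verdict(a, true);
    printf("request %u -> %s\n", (unsigned)a, hook_decide(collect_verdict(a)) ? "allow" : "deny");
    printf("request %u -> %s\n", (unsigned)b, hook_decide(collect_verdict(b)) ? "allow" : "deny");
    uint32_t c = submit_request();   /* the agent never answers: the wait times out */
    printf("request %u -> %s\n", (unsigned)c, hook_decide(collect_verdict(c)) ? "allow" : "deny");
    return 0;
}
```

The point of the id is that the hook consumes only the verdict issued for its own request; the posted shared-queue version cannot tell two replies apart. The IOCTL path should additionally check that the caller is the expected agent process, since any process that can open the device could otherwise post an "allowed" verdict.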