A forum for reverse engineering, OS internals and malware analysis 

How to complete the pending IRP immediately?

Forum for discussion about kernel-mode development.

How to complete the pending IRP immediately?

 #31051  by myid
 Mon Nov 27, 2017 6:59 am
Hi, everyone.
I built an IRP and call it, IoCallDriver return STATUS_PENDING.
I wait it for 3 seconds, KeWaitForSingleObject return STATUS_TIMEOUT.
I use IoCompleteRequest to complete this IRP, but the system BSOD immediately.
So, how to complete the pending IRP immediately? There is no cancel routine of this IRP, cannot use IoCancelIrp.

Re: How to complete the pending IRP immediately?

 #31054  by Vrtule
 Mon Nov 27, 2017 9:00 am
By calling IoCallDriver you passed the IRP to a different driver that now owns it. Maybe that driver also passed the IRP to another driver etc. Who knows who is now serving it.AFAIK you can do nothing about the IRP (except IoCancelIrp which, as you said, is not an option since there is no cancel routine registered). You have to just wait until it completes.

That means, your driver cannot unload until all such IRPs are complete.

Re: How to complete the pending IRP immediately?

 #31057  by myid
 Mon Nov 27, 2017 9:06 am
Vrtule wrote:By calling IoCallDriver you passed the IRP to a different driver that now owns it. Maybe that driver also passed the IRP to another driver etc. Who knows who is now serving it.AFAIK you can do nothing about the IRP (except IoCancelIrp which, as you said, is not an option since there is no cancel routine registered). You have to just wait until it completes.

That means, your driver cannot unload until all such IRPs are complete.
YES, I found that. Thanks.
 Return to “Kernel-Mode Development”