[abhijit_mohanta]

I am new to device driver programming.I was going through the following link http://www.codeproject.com/KB/system/hide-driver.aspx NtQueryDirectoryfile in the diagram in the section named "NT Function Call Scheme and Hook" returns an process list.
Can anybody tell me how does the list transferred to user mode.
Please give me a little detailed description like how irp wud be filled with data etc.

[EP_X0FF]

Hello,

I am new to device driver programming.I was going through the following link http://www.codeproject.com/KB/system/hide-driver.aspx NtQueryDirectoryfile in the diagram in the section named "NT Function Call Scheme and Hook" returns an process list.
Can anybody tell me how does the list transferred to user mode.
Please give me a little detailed description like how irp wud be filled with data etc.

NtQueryDirectoryFile does not operate with processes it operate with files/directories. When this service called you supply address of user mode data buffer to where this service must store returned data.

NtQueryDirectoryFile (ntdll.dll) ->KiFastSystemCall(ntdll.dll)->sysenter->_KiSystemService(ntoskrnl.exe)->NtQueryDirectoryFile(ntoskrnl.exe)->FSD request IRP_MJ_DIRECTORY_CONTROL (the address of buffer you supply set as irp->UserBuffer field, irp itself allocates by kernel service via IoAllocateIrp)

Describe your question more clearly.

[abhijit_mohanta]

ya this is somewhat near to what i wanted to know.
1)Is the buffer created created in user mode then forwarded to kernel mode?
or is it created in kernel mode and pointer returned to user mode
2)Is there any IRP completion routine called and the buffer is filled filled by data

I am bit confused in theses because I m quite new to this so plz give me some more ideas if my idea is wrong

[EP_X0FF]

ya this is somewhat near to what i wanted to know.
1)Is the buffer created created in user mode then forwarded to kernel mode?
or is it created in kernel mode and pointer returned to user mode
2)Is there any IRP completion routine called and the buffer is filled filled by data

I am bit confused in theses because I m quite new to this so plz give me some more ideas if my idea is wrong

In case of NtQueryDirectoryFile(ntdll.dll) you allocate buffer in user mode and it transfered as Irp->UserBuffer.

Internally NtQueryDirectoryFile(ntoskrnl) allocates Irp, setups it and then queues the packet, calls the driver, synchronize appropriately with I/O completion.
IoCallDriver and IoCompleteRequest (in simple words, if skip all checks about synchronous i/o etc).

[abhijit_mohanta]

thnks understood it.I ll get back to u if i have further doubts