[fsdhook]

Hi, everyone.
I have a very difficult question.

I want to call a KERNEL API must run on PASSIVE_LEVEL (such as ZwWriteFile) in High IRQL environment(DISPATCH_LEVEL). How can I do?
0.Call KeLowerIrql before call target KERNEL API, then call KeRaiseIrql, the result is BSOD.
1.Use system thread to call target KERNEL API, wait system thread with EVENT, but KeWaitForSingleObject cannot run on DISPATCH_LEVEL.
2.Use worker thread (ExQueueWorkItem) to call target KERNEL API, but how to wait worker thread finished?

[Cr4sh]

2.Use worker thread (ExQueueWorkItem) to call target KERNEL API, but how to wait worker thread finished?

Actually, it's a key idea of IRQL >= DISPATCH_LEVEL: you can't switch thread that running on it to the waitable state, it will be a violation of NT design.
If you need to do that -- it means that you're solving your task in a wrong way.

[fsdhook]

2.Use worker thread (ExQueueWorkItem) to call target KERNEL API, but how to wait worker thread finished?

Actually, it's a key idea of IRQL >= DISPATCH_LEVEL: you can't switch thread that running on it to the waitable state, it will be a violation of NT design.
If you need to do that -- it means that you're solving your task in a wrong way.

Thanks a lot. But I want to tell you why I need to do that.
I use WFP to intercept net connection. In WFP notify function, (sometimes) the IRQL is very high.
But I need to do something like HIPS (show a message box and ask user to permit or block this connection).
So I need to use KeWaitForSingleObject or wait a little while.

[Vrtule]

Hello,

AFAIK operations intercepted by the WFP interface can be usually pended or dropped temporarily. The HIPS scenario is the following:
1) the callout routine is invoked to inform about a network event (bind, connect, incomming packet etc.),
2) event-related data are examined,
3) the operation is pended (for ALE operations only) and/or packet associated with it is silently dropped,
5) the user mode component of the HIPS is informed about a new network operation in progress (through an event object, workitem etc.).
4) the callout routine returns control to its caller.
5) the user mode component delivers its decision to the kernel,
6) the network event is resumed (in case of non-ALE events, the packet associated with the operation is reinjected).

The similar scenario may happen when you are trying to implement a File System Minifilter (or filter) driver with HIPS capabilities. Some FS requests may also arrive at IRQL = DISPATCH_LEVEL.

[fsdhook]

Hello,

AFAIK operations intercepted by the WFP interface can be usually pended or dropped temporarily. The HIPS scenario is the following:
1) the callout routine is invoked to inform about a network event (bind, connect, incomming packet etc.),
2) event-related data are examined,
3) the operation is pended (for ALE operations only) and/or packet associated with it is silently dropped,
5) the user mode component of the HIPS is informed about a new network operation in progress (through an event object, workitem etc.).
4) the callout routine returns control to its caller.
5) the user mode component delivers its decision to the kernel,
6) the network event is resumed (in case of non-ALE events, the packet associated with the operation is reinjected).

The similar scenario may happen when you are trying to implement a File System Minifilter (or filter) driver with HIPS capabilities. Some FS requests may also arrive at IRQL = DISPATCH_LEVEL.

it's very kind of you. Thank you. :D