IoCreateNotificationEvent 同步r3和r0

今天逆向驱动加载防火墙看到了这个函数

PKEVENT 
  IoCreateNotificationEvent(
    IN PUNICODE_STRING  EventName,
    OUT PHANDLE  EventHandle
    );

ddk中说可以用于r3和r0同步和便于传递信息，使用共享的事件对象有以下2个办法：

• The user-mode application creates the event object and passes a handle to the object to the driver by sending an IOCTL to the driver. The driver must handle the IOCTL in the context of the process that created the event object and must validate the handle by calling ObReferenceObjectByHandle. This method is the recommended method for sharing event objects between user and kernel modes.
• 翻译：（用户模式创建事件对象，通过IOCTL然后把句柄传递给驱动，这个IOCTL必须是在创建这个事件的进程中
• 并且要通过调用ObReferenceObjectByHandle.来引用这个句柄。这个方法是推荐使用在r3和r0共享事件对象的）
• The driver creates a named event object in the //BaseNamedObjects object directory. You can open a kernel-mode event named //BaseNamedObjects/Xxx in user mode under the name Xxx. Note that security settings can prevent an application from opening the event. For more information, see the  OpenEvent Fails in a Non-Administrator Account KB article. The //BaseNamedObjects object directory is not created until the Microsoft Win32 subsystem initializes, so drivers that are loaded at boot time cannot create event objects in the //BaseNamedObjects directory in their DriverEntry routines   （这个是这个驱动防火墙所使用的）

在DriverEntry中

  RtlInitUnicodeString(&EventName, L"//BaseNamedObjects//NtDrvAntiNotifyEvent");
  Event = IoCreateNotificationEvent(&EventName, &Handle);
  KeClearEvent(Event);

 

然后在用户模式下等待这个对象，当内核要求r3来取信息时，可以使用

                           KeSetEvent(Event, 0, 0);
                           KeClearEvent(Event);

 

这样r3等待的线程就可以继续执行了