User land access to Kernel land driver system notifications
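I recently came across a mechanism in Windows that allows drivers to respond to low-memory conditions, and I was wondering whether my application could respond to events similar to the defined standard event objects (through some other mechanism):
https://msdn.microsoft.com/en-us/library/windows/hardware/ff563847(v=vs.85).aspx
- HighMemoryCondition
- LowMemoryCondition
- HighPagedPoolCondition
- LowPagedPoolCondition
- HighNonPagedPoolCondition
- LowNonPagedPoolCondition
- LowCommitCondition
- HighCommitCondition
- MaximumCommitCondition
This sounds perfect for what I'm doing in my application, as I need to detect throttle conditions and respond accordingly.
However, these appear to be in kernel land, so how should an application in user land respond to the same conditions?
Thanks for any pointers - Laythe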
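You can easily use these events in user mode too. Simply open one with ZwOpenEvent, and that's all. For example:
    HANDLE hEvent;
    // STATIC_OBJECT_ATTRIBUTES is the author's own macro, described below
    STATIC_OBJECT_ATTRIBUTES(ke, "\\KernelObjects\\LowMemoryCondition");
    if (0 <= ZwOpenEvent(&hEvent, SYNCHRONIZE|EVENT_QUERY_STATE, &ke))
    {
        WaitForSingleObject(hEvent, INFINITE); // returns once the event is signaled
        NtClose(hEvent);
    }
STATIC_OBJECT_ATTRIBUTES is my macro for initializing a Unicode string. You can write your own implementation: use RTL_CONSTANT_STRING as a hint, or initialize the Unicode string at run time.
An example of discovering the KernelObjects directory: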
    // Needs declarations for the native API (Zw*/Nt* routines, DIRECTORY_BASIC_INFORMATION,
    // EVENT_BASIC_INFORMATION) and must be linked against ntdll.
    #include <stdio.h>   // sprintf
    #include <malloc.h>  // alloca

    void TestKO()
    {
        // STATIC_OBJECT_ATTRIBUTES and STATIC_UNICODE_STRING_ are the author's own macros
        STATIC_OBJECT_ATTRIBUTES(soa, "\\KernelObjects");
        OBJECT_ATTRIBUTES oa = { sizeof(oa) };
        if (0 <= ZwOpenDirectoryObject(&oa.RootDirectory, DIRECTORY_QUERY, &soa))
        {
            ULONG Context = 0, rcb;
            PVOID buf = alloca(PAGE_SIZE);
            NTSTATUS status, s;
            do
            {
                // read the next batch of directory entries into buf
                if (0 <= (status = ZwQueryDirectoryObject(oa.RootDirectory, buf, PAGE_SIZE, FALSE, FALSE, &Context, &rcb)))
                {
                    DIRECTORY_BASIC_INFORMATION* pdbi = (DIRECTORY_BASIC_INFORMATION*)buf;
                    // the array of entries ends with a zeroed element
                    while (pdbi->ObjectTypeName.Length)
                    {
                        //DbgPrint("%wZ %wZ\n", &pdbi->ObjectTypeName, &pdbi->ObjectName);
                        STATIC_UNICODE_STRING_(Event); // declares the UNICODE_STRING Event compared below
                        if (RtlEqualUnicodeString(&Event, &pdbi->ObjectTypeName, TRUE))
                        {
                            // open the event by name, relative to the directory handle
                            oa.ObjectName = &pdbi->ObjectName;
                            HANDLE hEvent;
                            if (0 <= (s = ZwOpenEvent(&hEvent, READ_CONTROL|EVENT_QUERY_STATE, &oa)))
                            {
                                EVENT_BASIC_INFORMATION ebi;
                                if (0 <= (s = ZwQueryEvent(hEvent, EventBasicInformation, &ebi, sizeof(ebi), &rcb)))
                                {
                                    PCSTR szEventType;
                                    char cc[16]; // declared outside the switch so szEventType stays valid for DbgPrint
                                    switch (ebi.EventType)
                                    {
                                    case NotificationEvent:
                                        szEventType = "Notification ";
                                        break;
                                    case SynchronizationEvent:
                                        szEventType = "Synchronization";
                                        break;
                                    default:
                                        sprintf(cc, "%x", ebi.EventType);
                                        szEventType = cc;
                                        break;
                                    }
                                    DbgPrint("%x %s %wZ\n", ebi.EventState, szEventType, &pdbi->ObjectName);
                                }
                                else
                                {
                                    DbgPrint("QueryEvent(%wZ)=%x\n", &pdbi->ObjectName, s);
                                }
                                DumpAccess(hEvent); // not listed here
                                NtClose(hEvent);
                            }
                            else
                            {
                                DbgPrint("OpenEvent(%wZ)=%x\n", &pdbi->ObjectName, s);
                            }
                        }
                        pdbi++;
                    }
                }
            } while (status == STATUS_MORE_ENTRIES);
            NtClose(oa.RootDirectory);
        }
    }
And the result (event state, type, and access):
0 Notification MemoryErrors
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification LowNonPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification SuperfetchScenarioNotify
T FL AcessMsK Sid
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 Synchronization SuperfetchParametersChanged
T FL AcessMsK Sid
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 Notification PhysicalMemoryChange
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification HighCommitCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification HighNonPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification HighMemoryCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification SystemErrorPortReady
T FL AcessMsK Sid
0 00 00120001 S-1-2-0 LOCAL
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-1-0 Everyone
0 Notification MaximumCommitCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification LowCommitCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Notification HighPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification LowMemoryCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
0 Notification LowPagedPoolCondition
T FL AcessMsK Sid
0 00 00120001 S-1-1-0 Everyone
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
0 00 00120001 S-1-15-2-1 ALL APPLICATION PACKAGES
1 Synchronization PrefetchTracesReady
T FL AcessMsK Sid
0 00 001F0003 S-1-5-32-544 Administrators
0 00 001F0003 S-1-5-18 SYSTEM
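
An added example, not part of the original answer: it reads rows taken from the dump above and checks which access rights the listed ACEs grant a given SID, showing why an unprivileged caller can wait on and query LowMemoryCondition but cannot signal it, and cannot open SuperfetchScenarioNotify at all. The helper names `granted_mask` and `can_open`, the reading of the `T` and `FL` columns, and the single-SID check are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Access-right values from winnt.h, repeated so this builds on any platform. */
#define EVENT_QUERY_STATE  0x00000001u
#define EVENT_MODIFY_STATE 0x00000002u
#define SYNCHRONIZE        0x00100000u

/* Rows copied (abridged) from the dump above. Assumption: T is the ACE type
   (0 = access allowed) and FL the ACE flags; DumpAccess itself is not shown. */
static const char DUMP[] =
    "0 Notification LowMemoryCondition\n"
    "T FL AcessMsK Sid\n"
    "0 00 00120001 S-1-1-0 Everyone\n"
    "0 00 001F0003 S-1-5-32-544 Administrators\n"
    "1 Notification SuperfetchScenarioNotify\n"
    "0 00 001F0003 S-1-5-32-544 Administrators\n";

/* OR together the allow-ACE masks listed for `sid` under object `event`.
   Simplified: one SID, no deny ACEs, no group membership. */
unsigned granted_mask(const char *dump, const char *event, const char *sid) {
    char line[128], name[64], ace_sid[64];
    unsigned mask = 0, type, flags, ace;
    int in_event = 0;
    while (*dump) {
        size_t n = strcspn(dump, "\n");            /* length of this row */
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, dump, c);
        line[c] = '\0';
        dump += n + (dump[n] == '\n');
        if (sscanf(line, "%x %x %x %63s", &type, &flags, &ace, ace_sid) == 4) {
            if (in_event && type == 0 && strcmp(ace_sid, sid) == 0)
                mask |= ace;                       /* ACE row for our SID */
        } else if (sscanf(line, "%*x %*s %63s", name) == 1) {
            in_event = strcmp(name, event) == 0;   /* "state type name" row */
        }
    }
    return mask;
}

/* An open succeeds only if every requested right is granted. */
int can_open(const char *event, const char *sid, unsigned desired) {
    return (granted_mask(DUMP, event, sid) & desired) == desired;
}

int main(void) {
    printf("Everyone on LowMemoryCondition: wait=%d signal=%d\n",
           can_open("LowMemoryCondition", "S-1-1-0", SYNCHRONIZE | EVENT_QUERY_STATE),
           can_open("LowMemoryCondition", "S-1-1-0", EVENT_MODIFY_STATE));
    return 0;
}
```

The mask 00120001 is SYNCHRONIZE | READ_CONTROL | EVENT_QUERY_STATE, which covers both access masks the answer's code requests; 001F0003 is EVENT_ALL_ACCESS.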