I'm building a HW-simulator for our driver team. Now, the simulator is divided into 2 modules:
First module runs inside the driver, in kernel mode, and that's where the main interface between the driver and the HW-Simulator is.
Second module is an executable user-mode code which generates data for the simulator and transports it to the simulator via calls to DeviceIOControl (under the Windows API).
My need is this: I want to be able to execute the user-mode executable from within the kernel-mode. And I need to be able to do this in a relatively portable way. Currently I'm only running on Windows, but that should change soon.
Furthermore, I need to be able to communicate with the user-mode code via its stdin pipe, in order to reconfigure it and eventually close it.
I found this: Executing a user-space function from the kernel space
but it's only relevant for the Linux kernel. Is there a more portable alternative? Or a Windows alternative?
Can I do this in Windows by simply using the ShellExecute/RunAs API functions?
Note: We are aware of the security risks involved in invoking user-mode code from the kernel-space. But as this is only meant to be used as a test-environment and will not ever reach our release code, then we are not concerned.
There isn't a clean way to do this in the Windows kernel. The user-mode API CreateProcess uses undocumented APIs (NtCreateProcess/NtCreateThread) to create a process.
The recommended thing to do would be to have a "partner service", a user-mode service that communicates with your driver using IOCTL. You can use the inverted call model to have your driver call your service to have it create a process.
Really, there is no documented way to do it without triggering process creation from user-mode.
But there is one undocumented, tricky way if you don't want to create a user-mode application:
To create a valid win32 process the driver must communicate with CSRSS (which is undocumented).
You can enqueue a user-mode APC, allocating some virtual memory for the APC code in the context of any existing process. This code should simply call CreateProcess and anything else you want.