内核事件与应用事件
在内核中创建事件，并设置其安全描述符，使其可以被普通应用程序打开。
如果不设置安全描述符，则只能由以管理员身份运行的应用程序打开。
内核事件的创建
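// Pointer type matching the kernel export ZwSetSecurityObject, which this
// driver resolves at run time with MmGetSystemRoutineAddress instead of
// linking it. NTAPI (__stdcall) is part of the export's signature: on x86
// a pointer declared without it would invoke the routine with the wrong
// calling convention; on x64 the attribute is harmless.
//   Handle               - object whose security is changed (needs WRITE_DAC
//                          for a DACL update)
//   SecurityInformation  - which parts of the descriptor to apply
//   SecurityDescriptor   - descriptor supplying those parts
// Returns an NTSTATUS.
typedef NTSTATUS(NTAPI *FUN_ZwSetSecurityObject)(
    HANDLE Handle,
    SECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR SecurityDescriptor
    );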
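// Looks up an exported kernel routine by name.
//   FunctionName - NUL-terminated wide name of the export (e.g. a Zw* routine).
//                  Declared as PCWSTR so callers may pass a string literal; a
//                  non-const PWCHAR (the previous type) still converts.
// Returns the routine's address, or NULL when the name is not exported.
// MmGetSystemRoutineAddress is documented for PASSIVE_LEVEL only, so this
// helper inherits that requirement.
PVOID GetKernelFunctionByName(PCWSTR FunctionName) {
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, FunctionName);
    return MmGetSystemRoutineAddress(&routineName);
}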
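// Creates the named synchronization event this device signals to user mode and
// replaces its DACL so that non-administrative processes can open it.
// On success m_NoticeEvent / m_EventHandle are set; on any failure after the
// event exists, the handle is closed and both members are reset to NULL.
// Returns STATUS_SUCCESS, STATUS_UNSUCCESSFUL, or the status of the failing
// Rtl/Zw call.
//
// Security note: the descriptor built by RtlCreateSecurityDescriptor carries
// no DACL, and applying it with DACL_SECURITY_INFORMATION presumably leaves the
// event with a NULL DACL (TODO confirm), i.e. every caller on the machine gets
// full access - EVENT_MODIFY_STATE, DELETE and WRITE_DAC included - not just
// the SYNCHRONIZE the user-mode side asks for. If that breadth is not
// required, build an explicit DACL (RtlCreateAcl / RtlAddAccessAllowedAce /
// RtlSetDaclSecurityDescriptor) granting only the needed rights to the
// intended SID and apply that instead.
//
// NOTE(review): the user-mode sample opens Global\MyGlobalEvent while this
// routine creates \BaseNamedObjects\MayGlobalEvent; the two names must match
// for OpenEvent to succeed - confirm which spelling is intended.
NTSTATUS CCaptureDevice::CreateNamedEvent()
{
    UNICODE_STRING eventName;
    RtlInitUnicodeString(&eventName, L"\\BaseNamedObjects\\MayGlobalEvent");
    m_NoticeEvent = IoCreateSynchronizationEvent(&eventName, &m_EventHandle);
    if (m_NoticeEvent == NULL)
    {
        KdPrint(("Failed to create event\n"));
        return STATUS_UNSUCCESSFUL;
    }

    NTSTATUS status = STATUS_SUCCESS;
    do
    {
        // The descriptor only has to live for the ZwSetSecurityObject call,
        // so the stack is sufficient (no pool allocation to free).
        SECURITY_DESCRIPTOR SecurityDescriptor;
        // Assign the outer 'status' - the previous version declared a second
        // 'status' here, which shadowed this one and made every failure
        // inside the loop report STATUS_SUCCESS and skip the cleanup below.
        status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
        if (!NT_SUCCESS(status))
        {
            KdPrint(("RtlCreateSecurityDescriptor err 0x%08x\n", status));
            break;
        }

        FUN_ZwSetSecurityObject pFunc = (FUN_ZwSetSecurityObject)GetKernelFunctionByName(L"ZwSetSecurityObject");
        if (pFunc == NULL)
        {
            KdPrint(("ZwSetSecurityObject==null \n"));
            status = STATUS_UNSUCCESSFUL;
            break;
        }

        status = pFunc(m_EventHandle, DACL_SECURITY_INFORMATION, &SecurityDescriptor);
        if (!NT_SUCCESS(status))
        {
            // Previously logged as an RtlCreateSecurityDescriptor error.
            KdPrint(("ZwSetSecurityObject err 0x%08x\n", status));
            break;
        }
    } while (0);

    if (!NT_SUCCESS(status))
    {
        // Closing the only handle may free the event object, so drop the
        // object pointer too rather than leaving it dangling.
        ZwClose(m_EventHandle);
        m_EventHandle = NULL;
        m_NoticeEvent = NULL;
    }
    return status;
}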
应用程序
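// User-mode side: open the driver's event and wait for it once.
// The kernel creates the object under \BaseNamedObjects; from user mode the
// same object is addressed as Global\<name>, so no prefix is needed here.
// NOTE(review): the kernel sample creates "MayGlobalEvent", not "MyGlobalEvent";
// with mismatched names OpenEvent fails (ERROR_FILE_NOT_FOUND) - confirm which
// spelling is intended.
HANDLE hEvent = OpenEvent(
    SYNCHRONIZE,              // request only the right needed to wait on it
    FALSE,                    // handle is not inheritable
    L"Global\\MyGlobalEvent"  // event name (no \BaseNamedObjects\ prefix)
    );
if (hEvent == NULL) {
    // GetLastError() returns a DWORD (unsigned long): %lu, not %d.
    printf("OpenEvent failed (%lu)\n", GetLastError());
    return 1;
}

// INFINITE: WAIT_TIMEOUT cannot occur, so only signaled/failed are expected.
DWORD waitResult = WaitForSingleObject(hEvent, INFINITE);
switch (waitResult) {
case WAIT_OBJECT_0:
    printf("Event was signaled\n");
    break;
case WAIT_FAILED:
    printf("Wait failed (%lu)\n", GetLastError());
    break;
default:
    printf("Unexpected wait result\n");
}
CloseHandle(hEvent);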