Question

I'm building a HW-simulator for our driver team. Now, the simulator is divided into 2 modules: the first module runs inside the driver, in kernel mode, and that's where the main interface between the driver and the HW-Simulator is. The second module is an executable user-mode program which generates data for the simulator and transports it to the simulator via calls to DeviceIoControl (under the Windows API).

My need is this: I want to be able to execute the user-mode executable from within the kernel mode. And I need to be able to do this in a relatively portable way. Currently I'm only running on Windows, but that should change soon. Furthermore, I need to be able to communicate with the user-mode code via its stdin pipe, in order to reconfigure it and eventually close it.

I found this: Executing a user-space function from the kernel space

but it's only relevant for the Linux kernel. Is there a more portable alternative? Or a Windows alternative?

Can I do this in Windows by simply using the ShellExecute/RunAs API functions?

Note: We are aware of the security risks involved in invoking user-mode code from the kernel space. But as this is only meant to be used as a test environment and will never reach our release code, we are not concerned.


Solution

There isn't a clean way to do this in the Windows kernel. The user-mode API CreateProcess itself uses undocumented APIs (NtCreateProcess/NtCreateThread) to create a process.

The recommended thing to do would be to have a "partner service", a user-mode service that communicates with your driver using IOCTL. You can use the inverted call model to have your driver call your service to have it create a process.

OTHER TIPS

Really, there is no documented way to do it without triggering process creation from user-mode.

But there is one undocumented, tricky way if you don't want to create a user-mode application:

To create a valid Win32 process the driver must communicate with CSRSS (which is undocumented).

You can enqueue a user-mode APC and allocate some virtual memory for the APC code in the context of any existing process. This code should simply call CreateProcess and anything else you want.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow