How to signal file handle WaitForSingleObject

c++ / delphi package - dll injection and api hooking

Post by dcsoft » Sat Dec 19, 2015 1:31 am

Hello, I am hooking ReadFile() and the caller is basically doing something like:

Code:
// Start reading file asynchronously
HANDLE hFile = CreateFile(..., FILE_FLAG_OVERLAPPED, ...);
BYTE bReadBuffer[10];
OVERLAPPED oRead = { 0 };
ReadFile(hFile, bReadBuffer, 10, NULL, &oRead);

// Thread continues to do work while file is being read
...

// Wait for read to finish
WaitForSingleObject(hFile, INFINITE);

// ReadFile has finished
// bReadBuffer now contains data which can be used
...



In my API hook of ReadFile, I need to signal the caller that the read is done. But I don't know of an API that will signal a file handle being WaitForSingleObject()'ed. I've tried ReleaseMutex, ReleaseSemaphore (with a count of 1), and SetEvent, and all have failed with Error 6 (handle is invalid). These are the APIs Jeffrey Richter in his book Windows via C/C++ says are called by SignalObjectAndWait(). What other APIs work to release a handle kernel object, and which one works with a handle returned by CreateFile?

Thanks for any help,
David
Last edited by dcsoft on Sat Dec 19, 2015 6:59 am, edited 1 time in total.
dcsoft
 
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by iconic » Sat Dec 19, 2015 6:11 am

Hi DcSoft,

According to the code (all that I can see, of course), the hEvent member of the OVERLAPPED struct is not filled in. What happens is the kernel itself will actually signal its own assigned handle at this point, which it creates for the ReadFile operation; since one was not explicitly specified, it creates its own internal kernel event handle. This would be different if, say, CreateEvent() was supplied from usermode within the OVERLAPPED struct. Not exactly sure what can be done here myself, at least from usermode... I don't think it will return until the kernel signals it directly by setting the event.

--Iconic
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by iconic » Sat Dec 19, 2015 6:29 am

You could always hook the wait API and compare handles to whatever you're interested in within the ReadFile call. It's a hack but definitely possible; you might also hook CloseHandle to ensure that the handle still references the same object you're interested in. Not pretty and a hack, but definitely worst case scenario.

--Iconic
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by dcsoft » Sat Dec 19, 2015 6:47 am

Hi Iconic. Yes, Windows allows waiting for the file handle itself and not an event. That is supported. If an event is provided in the OVERLAPPED, Windows will signal it by calling SetEvent. But it also somehow signals the file handle. And I don't know what API to use to do that.

I have looked through the NT/Zw Undocumented API and haven't found anything either. Perhaps it is a kernel mode API?

I don't understand how hooking WaitForSingleObject would help. The caller thread is blocking until the file handle is signaled. I can't understand why there are user APIs to signal kernel objects like events, mutexes and semaphores but not file handles?

Thanks,
David
dcsoft
 
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by iconic » Sat Dec 19, 2015 6:53 am

Perhaps I didn't read the code well enough; I saw an ellipsis ... and assumed an overlapped result was retrieved (GetOverlappedResult). The hooking of the Wait function is to stop the 2nd argument (being INFINITE) based on a handle comparison. I don't see any other way to do so without, and since it's waiting directly on the handle (and not an event, be it usermode-created or kernel-assigned) it then becomes a kernel object. All you can do is create a table of handles to compare to and hook the wait function to alter the wait timeout, from what I see. Just my 2 and 1/2 pennies.

P.S: CreateFile specified this flag and also input an overlapped var

FILE_FLAG_OVERLAPPED
0x40000000
The file or device is being opened or created for asynchronous I/O.
When subsequent I/O operations are completed on this handle, the event specified in the OVERLAPPED structure will be set to the signaled state.


--Iconic
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by dcsoft » Sat Dec 19, 2015 7:05 am

I added some comments in the code which hopefully explain it better.

Perhaps your idea of hooking WaitForSingleObject could be used to replace the wait of the file handle with the wait of an event which the ReadFile hook would signal by calling SetEvent. What do you think?
dcsoft
 
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by iconic » Sat Dec 19, 2015 7:12 am

If the overlapped arg is definitely supplied I don't see why not ;) Should be as simple as SetEvent(hEvent). If it's null, assign it one and replace the Wait(file_handle) with your newfound/created event_handle.

--Iconic
Last edited by iconic on Sat Dec 19, 2015 7:29 am, edited 1 time in total.
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am
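
The approach the posts above settle on (a table of file handles consulted by the wait hook, kept accurate by a CloseHandle hook), as an added example that is not code from the thread or from madCodeHook. `track_read`, `wait_target`, `untrack` and the table size are hypothetical names, `HANDLE` is a local stand-in type so the block builds without `<windows.h>`, and creating, setting and closing the event is assumed to be done by the hooks themselves.

```c
#include <stdatomic.h>
#include <stddef.h>
typedef void *HANDLE;   /* stand-in so this builds without <windows.h> */

#define MAX_TRACKED 64
static struct { HANDLE file, event; } table[MAX_TRACKED];
static atomic_flag busy = ATOMIC_FLAG_INIT;   /* hooks run on any thread */
static void lock_table(void) { while (atomic_flag_test_and_set(&busy)) { } }
static void unlock_table(void) { atomic_flag_clear(&busy); }
static int find(HANDLE file) {   /* slot or -1; caller holds the lock */
    for (int i = 0; file != NULL && i < MAX_TRACKED; i++)
        if (table[i].file == file) return i;
    return -1;
}

/* ReadFile hook: make `event` stand in for `file`. Returns the event in effect
   (an earlier one if `file` is already tracked), or NULL if the table is full. */
HANDLE track_read(HANDLE file, HANDLE event) {
    if (file == NULL || event == NULL) return NULL;
    lock_table();
    int slot = find(file);
    if (slot < 0) {
        for (int i = 0; slot < 0 && i < MAX_TRACKED; i++)
            if (table[i].file == NULL) slot = i;
        if (slot >= 0) { table[slot].file = file; table[slot].event = event; }
    }
    HANDLE used = slot >= 0 ? table[slot].event : NULL;
    unlock_table();
    return used;
}

/* Wait hook: the handle to really wait on; untracked handles pass through. */
HANDLE wait_target(HANDLE h) {
    lock_table();
    int slot = find(h);
    HANDLE target = slot >= 0 ? table[slot].event : h;
    unlock_table();
    return target;
}

/* CloseHandle hook: forget `file` so a recycled handle value is not redirected. */
HANDLE untrack(HANDLE file) {
    lock_table();
    int slot = find(file);
    HANDLE event = slot >= 0 ? table[slot].event : NULL;
    if (slot >= 0) table[slot].file = table[slot].event = NULL;
    unlock_table();
    return event;   /* the stand-in event, for the hook to close; NULL if none */
}
```

The WaitForSingleObject hook passes `wait_target(h)` to the original function, and the CloseHandle hook closes whatever `untrack(h)` returns before closing `h`.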

Re: How to signal file handle WaitForSingleObject

Post by dcsoft » Sat Dec 19, 2015 7:21 am

Thank you! If my search for an API to signal a file handle comes up empty, I'll do this.
dcsoft
 
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by iconic » Sat Dec 19, 2015 7:27 am

No problem, best of luck in your endeavors :D

--Iconic
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by madshi » Sat Dec 19, 2015 8:44 am

@iconic,

thanks once again for your invaluable help on this forum, I really appreciate it! :D
madshi
Site Admin
 
Posts: 10268
Joined: Sun Mar 21, 2004 5:25 pm

