How to signal file handle WaitForSingleObject

c++ / delphi package - dll injection and api hooking
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

How to signal file handle WaitForSingleObject

Post by dcsoft »

Hello, I am hooking ReadFile() and the caller is basically doing something like:


// Start reading file asynchronously
HANDLE hFile = CreateFile(..., FILE_FLAG_OVERLAPPED, ...);
BYTE bReadBuffer[10];
OVERLAPPED oRead = { 0 };
ReadFile(hFile, bReadBuffer, 10, NULL, &oRead);

// Thread continues to do work while file is being read
...

// Wait for read to finish
WaitForSingleObject(hFile, INFINITE);

// ReadFile has finished 
// bReadBuffer now contains data which can be used
...

In my API hook of ReadFile, I need to signal to the caller that the read is done. But I don't know of an API that will signal a file handle being WaitForSingleObject()'ed. I've tried ReleaseMutex, ReleaseSemaphore (with a count of 1), and SetEvent, and all have failed with Error 6 (handle is invalid). These are the APIs Jeffrey Richter in his book Windows Via C/C++ says are called by SignalObjectAndWait(). What other APIs work to release a handle kernel object, and which one works with a handle returned by CreateFile?

Thanks for any help,
David
Last edited by dcsoft on Sat Dec 19, 2015 6:59 am, edited 1 time in total.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by iconic »

Hi DcSoft,

According to the code (all that I can see, of course), the hEvent member of the OVERLAPPED struct is not filled in. What happens is that the kernel itself will actually signal its own assigned handle at this point, which it creates for the ReadFile operation; since one was not explicitly specified, it creates its own internal kernel event handle. This would be different if, say, CreateEvent() was supplied from usermode within the OVERLAPPED struct. Not exactly sure what can be done here myself, at least from usermode... I don't think it will return until the kernel signals it directly by setting the event.

--Iconic
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by iconic »

You could always hook the wait API and compare handles to whatever you're interested in within the ReadFile call. It's a hack but definitely possible. You might also hook CloseHandle to ensure that the handle still references the same object you're interested in. Not pretty and a hack, but definitely worst case scenario.

--Iconic
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by dcsoft »

Hi Iconic. Yes, Windows allows waiting for the file handle itself and not an event. That is supported. If an event is provided in the OVERLAPPED, Windows will signal it by calling SetEvent. But it also somehow signals the file handle. And I don't know what API to use to do that.

I have looked through the NT/Zw Undocumented API and haven't found anything either. Perhaps it is a kernel mode API?

I don't understand how hooking WaitForSingleObject would help. The caller thread is blocking until the file handle is signaled. I can't understand why there are user APIs to signal kernel objects like events, mutexes and semaphores but not file handles?

Thanks,
David
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by iconic »

Perhaps I didn't read the code well enough; I saw an ellipsis ... and assumed an overlapped result was retrieved (GetOverlappedResult). The hooking of the Wait function is to stop the 2nd argument (being INFINITE) based on a handle comparison. I don't see any other way to do so without, and since it's waiting directly on the handle (and not an event, be it usermode created or kernel assigned) it then becomes a kernel object. All you can do is create a table of handles to compare to and hook the wait function to alter the wait timeout, from what I see. Just my 2 and 1/2 pennies.

P.S: CreateFile specified this flag and also input an overlapped var
FILE_FLAG_OVERLAPPED
0x40000000
The file or device is being opened or created for asynchronous I/O.
When subsequent I/O operations are completed on this handle, the event specified in the OVERLAPPED structure will be set to the signaled state.
--Iconic
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by dcsoft »

I added some comments in the code which hopefully explain it better.

Perhaps your idea of hooking WaitForSingleObject could be used to replace the wait of the file handle with the wait of an event which the ReadFile hook would signal by calling SetEvent. What do you think?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by iconic »

If the overlapped arg is definitely supplied I don't see why not ;) Should be as simple as SetEvent(hEvent). If it's null, assign it one and replace the Wait(file_handle) with your newfound/created event_handle.

--Iconic
Last edited by iconic on Sat Dec 19, 2015 7:29 am, edited 1 time in total.
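
The approach the thread settles on (the ReadFile hook registers a substitute event, the wait hook swaps the file handle for it, and the CloseHandle hook evicts the entry so a reused handle value is not redirected) depends on one shared handle table. The following is an added example, not code from the thread; the Win32 calls are left out so it compiles anywhere, and `handle_t`, `track_file`, `wait_target` and `untrack_file` are hypothetical names.

```c
#include <stdatomic.h>
#include <stddef.h>

typedef void *handle_t;              /* assumption: stands in for a Win32 HANDLE */
#define MAX_TRACKED 64

struct entry { handle_t file; handle_t event; };
static struct entry table[MAX_TRACKED];
static atomic_flag table_lock = ATOMIC_FLAG_INIT;   /* hooks run on any thread */

static void lock(void)   { while (atomic_flag_test_and_set(&table_lock)) { } }
static void unlock(void) { atomic_flag_clear(&table_lock); }

/* ReadFile hook: map `file` to `event`, the event the hook will SetEvent.
   Returns the event in effect (the earlier one if `file` is already
   tracked), or NULL when the table is full. */
handle_t track_file(handle_t file, handle_t event) {
    handle_t in_effect = NULL;
    struct entry *slot = NULL;
    lock();
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (table[i].file == file) { slot = &table[i]; break; }
        if (!table[i].file && !slot) slot = &table[i];
    }
    if (slot) {
        if (slot->file != file) { slot->file = file; slot->event = event; }
        in_effect = slot->event;
    }
    unlock();
    return in_effect;
}

/* WaitForSingleObject hook: the handle to really wait on. Untracked
   handles pass through unchanged. */
handle_t wait_target(handle_t h) {
    handle_t target = h;
    lock();
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (table[i].file == h) { target = table[i].event; break; }
    unlock();
    return target;
}

/* CloseHandle hook: forget `h` and return its event for the caller to
   close, or NULL if `h` was not tracked. */
handle_t untrack_file(handle_t h) {
    handle_t event = NULL;
    lock();
    for (size_t i = 0; h && i < MAX_TRACKED; i++)
        if (table[i].file == h) {
            event = table[i].event;
            table[i].file = table[i].event = NULL;
            break;
        }
    unlock();
    return event;
}
```
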
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: How to signal file handle WaitForSingleObject

Post by dcsoft »

Thank you! If my search for an API to signal a file handle comes up empty, I'll do this.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: How to signal file handle WaitForSingleObject

Post by iconic »

No problem, best of luck in your endeavors :D

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to signal file handle WaitForSingleObject

Post by madshi »

@iconic,

thanks once again for your invaluable help on this forum, I really appreciate it! :D