Execute user code from kernel

Discussion:

(too old to reply)

Giuseppe

2010-07-01 09:45:36 UTC

To make more accurate the system should call a function from kernel -->
DpcForIsr (IRQL = DISPATCH_LEVEL) to user-level function.

If you can, what limitations are there?

Thanks

__________ Information from ESET NOD32 Antivirus, version of virus signature database 5242 (20100701) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Don Burn

2010-07-01 11:57:31 UTC

Permalink

You cannot execute code in user space at any level but PASSIVE.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
Posted At: Thursday, July 01, 2010 5:46 AM
Posted To: microsoft.public.win32.programmer.kernel
Conversation: Execute user code from kernel
Subject: Execute user code from kernel
To make more accurate the system should call a function from kernel -->
DpcForIsr (IRQL = DISPATCH_LEVEL) to user-level function.
If you can, what limitations are there?
Thanks
__________ Information from ESET NOD32 Antivirus, version of virus

signature

database 5242 (20100701) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus

signature

database 5242 (20100701) __________
The message was checked by ESET Smart Security.
http://www.eset.com

Krzysztof Uchronski

2010-07-01 12:00:59 UTC

Permalink

This is bad idea. By doing that you are not only creating potential
security hole (imagine that your UM code you want to run from kernel has
been replaced with something else) but also destabilize the whole system
(again your UM code may be trashed and system crash is almost
guaranteed). On top of it there is of course a problem of context
DpcForIsr is running in (it's arbitrary), basically its code runs in the
context of whatever process happened to be an active one (and no you
can't switch contexts when you are at DISPATCH_LEVEL) - so you are
usually not in the right UM address space hence you can't safely access
your UM code.

Anyway, I would suggest to use inverted calls technique (there's nice
article from OSR guys) where one can "notify" UM mode component (from
KM) to do some work.

And the major question here is: what are you actually trying to do?

Kris

-----Original Message-----
From: Giuseppe [mailto:***@hi-net.it]
Posted At: Thursday, July 01, 2010 10:46 AM
Posted To: microsoft.public.win32.programmer.kernel
Conversation: Execute user code from kernel
Subject: Execute user code from kernel

To make more accurate the system should call a function from kernel -->
DpcForIsr (IRQL = DISPATCH_LEVEL) to user-level function.

If you can, what limitations are there?

Thanks

__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5242 (20100701) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Giuseppe

2010-07-01 17:08:40 UTC

Permalink

I have to acquire an analog signal through A/D converter board, to perform
the operations and write the value in the D/A Converter board.
This should be done approximately every millisecond.
Currently the function is written in the kernel and works correctly even if
windows is loaded to 100%.

To increase flexibility and use floating point operations, I would transport
the user-level function.
I did not want to use real-time operating systems due to their complexity
and also can not integrate standard Windows applications.

Thanks.

Post by Krzysztof Uchronski
This is bad idea. By doing that you are not only creating potential
security hole (imagine that your UM code you want to run from kernel has
been replaced with something else) but also destabilize the whole system
(again your UM code may be trashed and system crash is almost
guaranteed). On top of it there is of course a problem of context
DpcForIsr is running in (it's arbitrary), basically its code runs in the
context of whatever process happened to be an active one (and no you
can't switch contexts when you are at DISPATCH_LEVEL) - so you are
usually not in the right UM address space hence you can't safely access
your UM code.
Anyway, I would suggest to use inverted calls technique (there's nice
article from OSR guys) where one can "notify" UM mode component (from
KM) to do some work.
And the major question here is: what are you actually trying to do?
Kris
-----Original Message-----
Posted At: Thursday, July 01, 2010 10:46 AM
Posted To: microsoft.public.win32.programmer.kernel
Conversation: Execute user code from kernel
Subject: Execute user code from kernel
To make more accurate the system should call a function from kernel -->
DpcForIsr (IRQL = DISPATCH_LEVEL) to user-level function.
If you can, what limitations are there?
Thanks
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5242 (20100701) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5243 (20100701) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com

__________ Information from ESET NOD32 Antivirus, version of virus signature database 5243 (20100701) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Don Burn

2010-07-01 17:31:22 UTC

Permalink

You cannot get this to work, in fact you are lucky with current in
kernel setup, enough interrupts and DPC stuff can occur to cause you a
problem.

I'd suggest leaving this in the kernel, if you need floating point set
up your own worker thread with floating point. Then use an interlocked
list to insert requests into a queue that the thread processes.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
Posted At: Thursday, July 01, 2010 1:09 PM
Posted To: microsoft.public.win32.programmer.kernel
Conversation: Execute user code from kernel
Subject: Re: Execute user code from kernel
I have to acquire an analog signal through A/D converter board, to

perform the

operations and write the value in the D/A Converter board.
This should be done approximately every millisecond.
Currently the function is written in the kernel and works correctly even if
windows is loaded to 100%.
To increase flexibility and use floating point operations, I would transport
the user-level function.
I did not want to use real-time operating systems due to their

complexity and

also can not integrate standard Windows applications.
Thanks.

whole

Post by Krzysztof Uchronski
system (again your UM code may be trashed and system crash is almost
guaranteed). On top of it there is of course a problem of context
DpcForIsr is running in (it's arbitrary), basically its code runs in
the context of whatever process happened to be an active one (and no
you can't switch contexts when you are at DISPATCH_LEVEL) - so you

are

Post by Krzysztof Uchronski
usually not in the right UM address space hence you can't safely
access your UM code.
Anyway, I would suggest to use inverted calls technique (there's nice
article from OSR guys) where one can "notify" UM mode component (from
KM) to do some work.
And the major question here is: what are you actually trying to do?
Kris
-----Original Message-----
microsoft.public.win32.programmer.kernel
Conversation: Execute user code from kernel
Subject: Execute user code from kernel
To make more accurate the system should call a function from kernel -->
DpcForIsr (IRQL = DISPATCH_LEVEL) to user-level function.
If you can, what limitations are there?
Thanks
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5242 (20100701) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5243 (20100701) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com

__________ Information from ESET NOD32 Antivirus, version of virus

signature

database 5243 (20100701) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus

signature

database 5244 (20100701) __________
The message was checked by ESET Smart Security.
http://www.eset.com

Pavel A.

2010-07-01 13:18:31 UTC

Permalink

Post by Giuseppe
To make more accurate the system should call a function from kernel -->
DpcForIsr (IRQL = DISPATCH_LEVEL) to user-level function.
If you can, what limitations are there?

Then, your "user" code must run in a special environment such as Windows
real-time add-on
(proprietary, costly, but perhaps exactly what you want).

-- pa

Continue reading on narkive:

Search results for 'Execute user code from kernel' (newsgroups and mailing lists)

replies

Multiple WinXP kernel vulns can give user mode programs kernel mode privileges

started 2004-02-18 22:15:20 UTC

full-disclosure@lists.grok.org.uk

replies

Can we force a KVM VCPU in Guest Mode to Exit to User Mode From User Mode ?

started 2012-07-26 09:38:54 UTC

kvm@vger.kernel.org

replies

Load and execute PRU code from bare-metal application