WorkItem in kernel

Sn1p3r, Member (joined Jun 24, 2021; 6 posts)
I am implementing network monitoring with a WFP driver. In some situations I need to create a work item and wait for it to complete. I am looking for some standard sample code. I saw some code that uses a trick, for example a kernel event (KEVENT) that is changed in the work item when it has completed
(using KeWaitForSingleObject and ...).
Thank you all.
 
I read this,
but my issue is how (in the standard way) we can know that this worker is done!
I want to wait for the work item to be done.
I know we must do this with KeInitializeEvent, but how?
 
I know we must do this with KeInitializeEvent, but how?
Why? Do you understand what event objects are and how they're used? You don't need to set up an event object to add an I/O work item to a worker queue. The queue is managed by the operating system, you merely add your item and register your callback routine.

I read this,
but my issue is how (in the standard way) we can know that this worker is done!
What do you mean by understand how they're done? The documentation I provided you with, is step-by-step how to set-up a work item and allocate it. If you want to understand more of the internals, then this post is really good - Work Items & System Worker Threads - 'Practical Reverse Engineering' solutions - Part 3 :: — uf0

There's some more details here:
  1. Waiting for a queued work item to complete before driver unload
  2. Question about Workitems.
Otherwise, you're going to have to wait (like myself) for the 2nd Part to the Windows Internals book.
 
What do you mean by understand how they're done? The documentation I provided you with, is step-by-step how to set-up a work item and allocate it. If you want to understand more of the internals, then this post is really good - Work Items & System Worker Threads - 'Practical Reverse Engineering' solutions - Part 3 :: — uf0
Good ref for a deep dive into work items.
I want to know because I have some other operation, and I have to be sure that this (routine) operation is over.
For example:
Code:
size_calc(....)
{
    PIO_WORKITEM WorkItem;
    IoAllocateWorkItem(pDeviceObject);
    IoInitializeWorkItem(pDeviceObject, WorkItem);
    IoQueueWorkItem(WorkItem, WorkItemRoutin, DelayedWorkQueue, Context);
    ....
    ....
    ...
}

WorkItemRoutin(...., PVOID Context)
{
    // do operation
    Context->size = 10; // just example
}

processCreationcallback()
{
    int i = 0;
    size_calc();
    if (Context->size > 0)
    {
        // do-some-operation
    }
}
I hope I have conveyed what I mean
 
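The wait-for-completion pattern the opening post asks about, and that the size_calc sketch in the post above is reaching for, as an added example. This is not code from the thread, from Sysmon or from the WDK samples. Everything under the "driver code" banner is written against the real WDM names and signatures (KeInitializeEvent, IoAllocateWorkItem, IoQueueWorkItem, KeSetEvent, KeWaitForSingleObject, IoFreeWorkItem); the "stand-in" section above it is my own user-mode re-implementation of just those calls with pthreads, present only so the file compiles and runs outside a driver. The names SIZE_WORK_CTX, SizeWorkRoutine, SizeCalcAndWait, ProcessCreateCallbackDemo and DispatchLevelCallerDemo, the placeholder result of 10, and the g_irql knob are all assumptions for illustration. It goes one step beyond the thread's case: it also shows the call being refused when made from DISPATCH_LEVEL, which is the difference between a process-creation callback (always PASSIVE_LEVEL, may wait) and a WFP classifyFn (may be called at DISPATCH_LEVEL, must not wait).

```c
/* Added example. In a real driver delete the stand-in section and #include <ntddk.h>. */
#include <pthread.h>
#include <stdlib.h>

/* ---- user-mode stand-in for the WDM primitives used below (assumption, not WDM code) ---- */
typedef long NTSTATUS, KPRIORITY; typedef unsigned long ULONG; typedef void *PVOID, *PLARGE_INTEGER;
typedef unsigned char BOOLEAN, KIRQL;
typedef struct _DEVICE_OBJECT { int unused; } DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef enum { NotificationEvent, SynchronizationEvent } EVENT_TYPE;
typedef enum { Executive } KWAIT_REASON; typedef enum { KernelMode } KPROCESSOR_MODE;
typedef enum { CriticalWorkQueue, DelayedWorkQueue } WORK_QUEUE_TYPE;
enum { FALSE = 0, IO_NO_INCREMENT = 0, PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };
#define STATUS_SUCCESS                ((NTSTATUS)0L)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
#define STATUS_INVALID_DEVICE_STATE   ((NTSTATUS)0xC0000184L)
typedef struct _KEVENT { pthread_mutex_t m; pthread_cond_t c; int signaled; } KEVENT, *PRKEVENT;
static KIRQL g_irql = PASSIVE_LEVEL;   /* pretend IRQL of the calling thread (stand-in only) */
static KIRQL KeGetCurrentIrql(void) { return g_irql; }
static void KeInitializeEvent(PRKEVENT e, EVENT_TYPE t, BOOLEAN s) {
    (void)t; pthread_mutex_init(&e->m, NULL); pthread_cond_init(&e->c, NULL); e->signaled = s;
}
static long KeSetEvent(PRKEVENT e, KPRIORITY inc, BOOLEAN wait) {
    (void)inc; (void)wait; pthread_mutex_lock(&e->m); e->signaled = 1;
    pthread_cond_broadcast(&e->c); pthread_mutex_unlock(&e->m); return 0;
}
static NTSTATUS KeWaitForSingleObject(PVOID o, KWAIT_REASON r, KPROCESSOR_MODE m, BOOLEAN a, PLARGE_INTEGER t) {
    PRKEVENT e = o; (void)r; (void)m; (void)a; (void)t; pthread_mutex_lock(&e->m);
    while (!e->signaled) pthread_cond_wait(&e->c, &e->m);
    pthread_mutex_unlock(&e->m); return STATUS_SUCCESS;
}
typedef void (*PIO_WORKITEM_ROUTINE)(PDEVICE_OBJECT, PVOID);
typedef struct _IO_WORKITEM { PDEVICE_OBJECT dev; PIO_WORKITEM_ROUTINE fn; PVOID ctx; } IO_WORKITEM, *PIO_WORKITEM;
static void *worker_thread(void *p) {   /* like the real worker: copy the fields out, then call */
    PIO_WORKITEM w = p; PIO_WORKITEM_ROUTINE fn = w->fn; PDEVICE_OBJECT d = w->dev; PVOID c = w->ctx;
    fn(d, c); return NULL;
}
static PIO_WORKITEM IoAllocateWorkItem(PDEVICE_OBJECT d) {
    PIO_WORKITEM w = calloc(1, sizeof *w); if (w) w->dev = d; return w;
}
static void IoQueueWorkItem(PIO_WORKITEM w, PIO_WORKITEM_ROUTINE fn, WORK_QUEUE_TYPE q, PVOID ctx) {
    pthread_t th; (void)q; w->fn = fn; w->ctx = ctx; pthread_create(&th, NULL, worker_thread, w); pthread_detach(th);
}
static void IoFreeWorkItem(PIO_WORKITEM w) { free(w); }

/* ---- driver code: the pattern as it would appear in the driver ---- */
typedef struct _SIZE_WORK_CTX {
    KEVENT       Done;       /* set by the work routine once Size is final */
    PIO_WORKITEM WorkItem;   /* freed by the work routine itself, so it is never freed while queued */
    ULONG        Size;       /* the value the caller is waiting for */
} SIZE_WORK_CTX, *PSIZE_WORK_CTX;

/* Runs on a system worker thread at PASSIVE_LEVEL. */
static void SizeWorkRoutine(PDEVICE_OBJECT DeviceObject, PVOID Context)
{
    PSIZE_WORK_CTX ctx = Context;
    (void)DeviceObject;
    ctx->Size = 10;                                        /* placeholder for the real work (assumption) */
    IoFreeWorkItem(ctx->WorkItem); ctx->WorkItem = NULL;   /* allowed from inside the routine: already dequeued */
    /* Signal LAST. The waiter may return and release ctx as soon as the event is set,
     * so nothing may touch ctx after this call. */
    KeSetEvent(&ctx->Done, IO_NO_INCREMENT, FALSE);
}

/* Queue the work and block until SizeWorkRoutine has finished. Legal only where the caller may wait
 * (IRQL <= APC_LEVEL, real thread context): a process-creation callback yes, a WFP classifyFn no. */
static NTSTATUS SizeCalcAndWait(PDEVICE_OBJECT DeviceObject, ULONG *SizeOut)
{
    SIZE_WORK_CTX ctx;   /* stack-resident is fine: non-paged, and it outlives the wait */

    if (KeGetCurrentIrql() > APC_LEVEL)
        return STATUS_INVALID_DEVICE_STATE;   /* an untimed wait here would bugcheck */
    KeInitializeEvent(&ctx.Done, NotificationEvent, FALSE);
    ctx.Size = 0;
    ctx.WorkItem = IoAllocateWorkItem(DeviceObject);   /* allocates AND initializes: no IoInitializeWorkItem after it */
    if (ctx.WorkItem == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    IoQueueWorkItem(ctx.WorkItem, SizeWorkRoutine, DelayedWorkQueue, &ctx);
    KeWaitForSingleObject(&ctx.Done, Executive, KernelMode, FALSE, NULL);   /* returns once KeSetEvent ran */
    *SizeOut = ctx.Size;
    return STATUS_SUCCESS;
}

/* Caller standing in for the process-creation callback (PASSIVE_LEVEL). */
static ULONG ProcessCreateCallbackDemo(void)
{
    DEVICE_OBJECT dev = { 0 };
    ULONG size = 0;
    if (SizeCalcAndWait(&dev, &size) != STATUS_SUCCESS) return 0;
    return size;   /* size is final here, so it is safe to act on it */
}

/* Edge case: the same call from DISPATCH_LEVEL is refused rather than attempted. */
static NTSTATUS DispatchLevelCallerDemo(void)
{
    DEVICE_OBJECT dev = { 0 }; ULONG size = 0; NTSTATUS st;
    g_irql = DISPATCH_LEVEL;   /* stand-in knob only; a real driver cannot pick its IRQL like this */
    st = SizeCalcAndWait(&dev, &size);
    g_irql = PASSIVE_LEVEL;
    return st;
}
```

Two details carry the whole pattern: the work routine calls KeSetEvent as its very last touch of the context, because the waiting thread may return and reuse that stack memory the instant the event is signaled; and the work item is freed by the routine before signaling (or, equivalently, by the caller after KeWaitForSingleObject returns), never while it is still queued. The IRQL check at the top is what separates the poster's process-creation callback from a WFP classify callback: the same helper is safe in the first and must not be called from the second.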
You shouldn't initialise a work item and then allocate it afterwards. The initialise function will construct an I/O work item for you and then allocate it to the specified device object.

From the documentation:

IoAllocateWorkItem both allocates and initializes a work item. A related routine, IoInitializeWorkItem, initializes a work item in storage that the driver has previously allocated. Do not call IoInitializeWorkItem to initialize a work item that was allocated by IoAllocateWorkItem.
Source: IoAllocateWorkItem function (wdm.h) - Windows drivers

Have you ensured that WorkItem variable is set correctly?
I want to know because I have some other operation, and I have to be sure that this (routine) operation is over.
Why use a work item for that? Have you checked that the WFP framework provides an event you can register a callback routine for? I should imagine that in the sample code you read, a thread is set to wait upon an event object to become signaled, and then a function is called from that. Could you please provide the documentation you were reading?
 
Hi,
I apologize for my late response. I was sick for a while.
I am a member of the team that reverses Sysmon and moves forward accordingly. In Sysmon, exactly in the process creation callback, a work item is created just like that.
Thank you
 