
I was shocked that I got the same PID in user mode and kernel mode in an IOCTL request from my application to my kernel driver (WDM) via the DeviceIoControl() Win32 API.

As far as I know, drivers have their own PID in kernel mode and applications have their own PID in user mode; they are separate and can communicate through IOCTLs. But today I got the same PID in user and kernel mode in an IOCTL request. I got the PID via the GetCurrentProcessId() function in user mode and via the PsGetCurrentProcessId() function in kernel mode; showing the result in the user-mode application, the two PIDs are the same.

Does anyone know why?

dougpuob

1 Answer


What you saw is normal. In Windows, it is normal for a thread to spend part of its time running user-mode code and part of its time running kernel-mode code. In your case, after a thread executed your application, which made a call to issue an IOCTL, the Windows kernel used this same thread to execute your kernel-mode driver code to handle this IOCTL.

Hope this helps.

thtse
  • Hi @thtse, thank you :) How does the Windows kernel take the same thread again? The application sends an IOCTL to the kernel by system call, the kernel handles the request and then returns the result; there are two processes, one in user mode, another in kernel mode. Or does Windows do it a different way? Is there any document mentioning this? I am interested in the mechanism. – dougpuob Jul 05 '17 at 01:50
  • @dougpuob - every process and thread has some ID while it is running. It makes no difference whether this is queried from user or kernel mode; the result will of course be the same for the same thread or process. And "there are two processes, one in user mode, another in kernel mode" - this is absolutely false. Processes are not related to mode at all. A thread in some process calls your driver. It goes from user mode to kernel mode, but it is the same thread (with the same ID) and within the same process (so the process ID is the same too) – RbMm Jul 05 '17 at 14:52
  • @RbMm, thank you. After I got your message I went to trace the `DeviceIoControl()` function of the ReactOS project. It is as you said: it goes from user mode to the kernel. Please give me a hand to clarify my conception. As far as I know, the Windows kernel is executed at Ring 0. In the following call stack from the application (user mode at Ring 3) via `DeviceIoControl()`, when does it change to Ring 0, or is this call stack always executed in Ring 3? [**The calling stack**](http://i.imgur.com/uBIZPRZ.png) – dougpuob Jul 06 '17 at 04:10
  • @dougpuob - `DeviceIoControl`, the user-mode API from `kernel32.dll` or `kernelbase.dll`, calls `NtDeviceIoControlFile` in `ntdll.dll`; here is the switch to kernel mode, and `NtDeviceIoControlFile` is called again, now from `ntoskrnl.exe`; all of the rest of the stack is in kernel mode. However, all of this is in the same single thread and in the same single process – RbMm Jul 06 '17 at 06:39
  • @RbMm, following your reply I read several documents on MSDN, and now I know what is going on. Thank you :) – dougpuob Jul 06 '17 at 07:58