# 20180626-27

\# 主要工作：

## 完善R0和R3之间的交互工作

### 驱动初始化

> R3收到开始监控的指令后，通过指定的受保护的进程名（此处为TdxW\.exe）查找进程ID，并发送到R0端
>
> R0收到受保护进程ID后，存储该PID为全局变量，并以此初始化各种监控及保护例程

### 驱动监控

> 初始化驱动后，R0进入阻塞态（DeviceIoControl 阻塞），等待驱动发回监控事件，并将收到的事件打印（无进一步操作）
>
> 驱动开始监控后，如果检测到特定事件（目前为线程注入），根据该事件构造事件节点，并加入到消息事件的队列中，并激活同步事件(KeSetEvent)
>
> 驱动收到R3接收事件的请求后，从消息队列中取出事件发回到R3，如果消息队列为空，则驱动的处理线程阻塞（WaitForSingleObject），等待 KeSetEvent的触发


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://m0uk4.gitbook.io/notebooks/mouka/driverdevelopment/20180626-27.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.