Windows Kernel Drivers 101

Work In Progress This living document captures some of the Kernel Driver and OS related concepts that I encounter as I study Windows kernel driver development.

Driver Types

There are many different types of drivers, but I am mostly interested in Sofware Drivers.

Software Driver

  • Not associated with any device

  • Useful for running code in the kernel mode

  • Can also be a user mode driver

  • Drivers can be developed with Kernel-Mode Driver Framework (KMDF) and Windows Driver Model (WDM)

KMDF vs WDM

  • WDM is very closely tied to the OS and interacts with the it calling system service routines directly

  • KMDF is a framework that abstracts a lot of driver development and allows the developer to focus on his/her driver rather than focusing on OS programming intricacies

  • KMDF is recommended and a preferred driver development model over WDM in most cases

I/O Manager

  • Is an interface enabling communication between userland applications and kernel drivers

  • Creates a driver object (DRIVER_OBJECT) for each installed and loaded driver

  • Defines a set of standard mandatory driver routines that drivers must support such as DriverEntry

  • Calls driver's DriverEntry routine, which supplies the driver's DRIVER_OBJECT address

  • Accepts I/O requests, which usually originate from user-mode applications

  • Creates IRPs to represent the I/O requests

  • Transfers IRPs to the appropriate drivers

Uncategorized Notes

  • All drivers contain DriverEntry routine - similary to main routine of an executable and DllMain of a DLL. This routine gets called once the driver is loaded and started by the OS.

  • Memory allocated in paged pool can be paged out to a disk, whereas memory allocated from a nonpaged pool cannot

  • Requests sent to drivers are encapsulated in I/O Request Packets (IRP)

  • DRIVER_OBJECT represents the image of a loaded kernel-mode driver:

    • typedef struct _DRIVER_OBJECT {
  CSHORT             Type;
  CSHORT             Size;
  PDEVICE_OBJECT     DeviceObject;
  ULONG              Flags;
  PVOID              DriverStart;
  ULONG              DriverSize;
  PVOID              DriverSection;
  PDRIVER_EXTENSION  DriverExtension;
  UNICODE_STRING     DriverName;
  PUNICODE_STRING    HardwareDatabase;
  PFAST_IO_DISPATCH  FastIoDispatch;
  PDRIVER_INITIALIZE DriverInit;
  PDRIVER_STARTIO    DriverStartIo;
  PDRIVER_UNLOAD     DriverUnload;
  PDRIVER_DISPATCH   MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT, *PDRIVER_OBJECT;

  • DRIVER_OBJECT contains references to entry points of driver's standard routines (i.e Unload)

  • Driver standard routines receive IRPs as input as well as a pointer to the target device object

  • Drivers must create at least one device object (DEVICE_OBJECT) for each device

  • Device objects serve as a target of operations performed on a the device

  • Software only drivers that only handle I/O requests and do not pass them to hardware, still must create a device object to represent the target of its operations

References

LogoPacket-Driven I/O with Reusable IRPs - Windows driversdocsmsft

PreviousSending Commands From Your Userland Program to Your Kernel Driver using IOCTLNextWindows x64 Calling Convention: Stack Frame

Last updated