04/19/23 1
Introduction to writing device drivers for Windows
Ben Bernstein
Device Drivers
Why do we need them?
The only way to connect IO devices to Windows (hence the name).
The only way to inject code into the Windows kernel.
Doing stuff at the utmost low level:
  • Firewall.
  • AV.
  • ID.
Device Drivers
Why I hate them
Mostly undocumented, very few web resources.
Very primitive dev tools.
No GUI – I cannot impress anyone.
The kernel never quite seems to forgive my bugs.
Lots of technical details – it’s a little boring.
So much cryptic knowledge that we cannot cover the whole subject in two hours.
Windows IO
Windows uses the same mechanism for communicating with files and for communicating with devices:
  CreateFile
  CloseHandle
  WriteFile
  ReadFile
  DeviceIoControl
    • Extension – specific for every device.
Main() example
Calling DeviceIoControl
The call travels down this stack, top to bottom:

    User mode program
    Libraries/DLLs
    NtDll
        ntdll!ZwDeviceIoControlFile:
            mov  eax,0x42
            mov  edx,0x7ffe0300     ; SharedUserData!SystemCallStub
            call edx
            ret  0x28
        SharedUserData!SystemCallStub:
            mov  edx,esp
            sysenter                ; (int 0x2e)
            ret
    ISR (ring 0)
    IO manager (nt!NtDeviceIoControlFile and some other functions)
    Your driver (dispatch functions)
Windows IO - IRPs
Every IO request to a file or a device gets to the kernel – the IO manager.
The IO manager creates an IRP and dispatches it to the proper driver(s) of the device.
The drivers may decide to make the request pending and answer it after a while.
The driver may decide to pass the IRP to another driver.
A user-mode program may decide to call IO functions asynchronously or synchronously.
PDO, FDO, FiDO
Diagram of a device stack: FiDO(s), FiDO(s), FDO, PDO (filter device objects layered around the functional device object and the physical device object).
PDO, FDO
Device Enumeration
Plug & Play
Device Driver Code
Code that runs inside the kernel of Windows.
It’s a C/C++ program!

    #include "ntddk.h"

    NTSTATUS
    DriverEntry(
        IN PDRIVER_OBJECT DriverObject,
        IN PUNICODE_STRING RegistryPath
        )
    {
        //
        // I wish I could hello world you
        //
        UNREFERENCED_PARAMETER(DriverObject);   // nothing registered yet
        UNREFERENCED_PARAMETER(RegistryPath);
        return STATUS_SUCCESS;
    }
Few questions?! (The MS driver rules)
You have to order the DDK.
Compiling:
  No IDE – just BUILD.EXE.
  No Makefile – just the dirs and sources files.
  DBG/FRE DOS build environments.
The .SYS files:
  Export and import; DriverEntry is the entry point.
Weird types:
  UNICODE_STRING, NTSTATUS, some undocumented.
DriverEntry
The DriverEntry RegistryPath parameter: points to the driver's key in the registry. The registry info is usually created by an INF file.
The DriverEntry DriverObject parameter: used to return callbacks to the OS.

    #include "ntddk.h"

    NTSTATUS
    DriverEntry(
        IN PDRIVER_OBJECT DriverObject,
        IN PUNICODE_STRING RegistryPath
        )
    {
        //
        // I wish I could hello world you
        //
        UNREFERENCED_PARAMETER(DriverObject);   // callbacks are registered on the next slide
        UNREFERENCED_PARAMETER(RegistryPath);
        return STATUS_SUCCESS;
    }
Device Driver – Initializing Callbacks

    NTSTATUS DriverEntry(
        IN PDRIVER_OBJECT DriverObject,
        IN PUNICODE_STRING RegistryPath
        )
    {
        // Tell the I/O manager which routine handles unload and each IRP major code.
        DriverObject->DriverUnload = MyUnload;
        DriverObject->MajorFunction[IRP_MJ_CREATE] = MyCreate;
        DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyClose;
        DriverObject->MajorFunction[IRP_MJ_CLEANUP] = MyCleanup;
        DriverObject->MajorFunction[IRP_MJ_READ] = MyRead;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyCtrl;
        // PnP drivers create their device objects in AddDevice rather than here.
        DriverObject->DriverExtension->AddDevice = MyPnpAddDevice;
        IoCreateDevice( … , “device name”, …);
        …
        return STATUS_SUCCESS;
    }
Device Driver – Dispatch Functions
IOCtrl dispatch function
All in the form of:

    NTSTATUS MyDispatchFunc(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

Enables the user of the driver to communicate with the driver.
Filemon Example
DriverUnload dispatch
Does driver cleanup.
One can support some and set the others to NULL.
DriverExtension->AddDevice vs. DriverEntry
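The two slides above (the MajorFunction table filled in by DriverEntry, and the IOCTL dispatch routine through which user mode talks to the driver) can be modelled in ordinary user-mode C. The block below is an added example, not code from the slides or from any Microsoft sample: the types DEVICE_OBJECT, IRP, DRIVER_OBJECT and the functions DriverEntryModel, IoCallDriverModel and SendRequest are stand-ins shaped like their DDK namesakes (the numeric constants for status codes, IRP major codes and CTL_CODE are the real DDK values), IOCTL_EXAMPLE_GET_COUNTER is a hypothetical IOCTL, and the device counter value 7 is constructed. It shows the two defensive points a dispatch layer needs: an IRP for a major code the driver left NULL is failed with STATUS_INVALID_DEVICE_REQUEST rather than dispatched, and the IOCTL handler checks the caller-supplied OutputBufferLength before writing into SystemBuffer.

```c
/* Added example, not from the slides: a user-mode model of the MajorFunction
 * dispatch table and of a METHOD_BUFFERED IOCTL handler that validates the
 * caller's buffer length. Types and functions are stand-ins shaped like the
 * DDK ones (numeric constants are the real DDK values); no ntddk.h needed. */
#include <stdint.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023L)
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)

/* IRP major function codes. */
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_CLOSE            0x02
#define IRP_MJ_WRITE            0x04
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define CTL_CODE(DevType, Function, Method, Access) \
    (((DevType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
/* Hypothetical IOCTL, defined only for this example. */
#define IOCTL_EXAMPLE_GET_COUNTER \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef struct { uint32_t Counter; } DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef struct {
    uint8_t  MajorFunction;
    uint32_t IoControlCode;
    uint32_t OutputBufferLength;  /* caller-controlled */
    void    *SystemBuffer;        /* METHOD_BUFFERED: kernel copy shared for in and out */
    struct { NTSTATUS Status; uintptr_t Information; } IoStatus;
} IRP, *PIRP;
typedef NTSTATUS (*PDRIVER_DISPATCH)(PDEVICE_OBJECT, PIRP);
typedef struct { PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } DRIVER_OBJECT, *PDRIVER_OBJECT;

/* Fill in the IRP's status block the way a driver does before IoCompleteRequest. */
static NTSTATUS Complete(PIRP Irp, NTSTATUS Status, uintptr_t Info)
{
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = Info;  /* bytes copied back to the caller */
    return Status;
}

static NTSTATUS MyCreateClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    (void)DeviceObject;
    return Complete(Irp, STATUS_SUCCESS, 0);
}

/* IOCTL dispatch routine. The length fields come from user mode, so they are
 * checked before the buffer is written; skipping the check overruns SystemBuffer. */
static NTSTATUS MyCtrl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    switch (Irp->IoControlCode) {
    case IOCTL_EXAMPLE_GET_COUNTER:
        if (Irp->OutputBufferLength < sizeof(uint32_t))
            return Complete(Irp, STATUS_BUFFER_TOO_SMALL, 0);
        memcpy(Irp->SystemBuffer, &DeviceObject->Counter, sizeof(uint32_t));
        return Complete(Irp, STATUS_SUCCESS, sizeof(uint32_t));
    default:
        return Complete(Irp, STATUS_INVALID_DEVICE_REQUEST, 0);
    }
}

/* Model of the slide's DriverEntry: slots left NULL are unsupported. */
NTSTATUS DriverEntryModel(PDRIVER_OBJECT DriverObject)
{
    memset(DriverObject, 0, sizeof(*DriverObject));
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = MyCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = MyCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyCtrl;
    return STATUS_SUCCESS;
}

/* Model of the I/O manager's dispatch: an out-of-range major code or a NULL
 * slot fails the request instead of indexing past the table or calling NULL. */
NTSTATUS IoCallDriverModel(PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    if (Irp->MajorFunction > IRP_MJ_MAXIMUM_FUNCTION)
        return Complete(Irp, STATUS_INVALID_PARAMETER, 0);
    PDRIVER_DISPATCH fn = DriverObject->MajorFunction[Irp->MajorFunction];
    if (fn == NULL)
        return Complete(Irp, STATUS_INVALID_DEVICE_REQUEST, 0);
    return fn(DeviceObject, Irp);
}

/* Plays user mode: build an IRP for (Major, Ioctl) claiming an output buffer of
 * OutLen bytes, run it through the model and return the status; on success
 * *Out receives the 32-bit value the driver wrote. */
NTSTATUS SendRequest(uint8_t Major, uint32_t Ioctl, uint32_t OutLen, uint32_t *Out)
{
    DRIVER_OBJECT drv;
    DEVICE_OBJECT dev = { 7 };  /* constructed device state: the counter reads 7 */
    uint32_t sysbuf = 0;
    IRP irp = { Major, Ioctl, OutLen, &sysbuf, { 0, 0 } };
    DriverEntryModel(&drv);
    NTSTATUS s = IoCallDriverModel(&drv, &dev, &irp);
    if (NT_SUCCESS(s) && irp.IoStatus.Information == sizeof(uint32_t)) *Out = sysbuf;
    return s;
}
```

SendRequest(IRP_MJ_DEVICE_CONTROL, IOCTL_EXAMPLE_GET_COUNTER, 4, &v) returns STATUS_SUCCESS with v set to 7, the same IOCTL with a 2-byte output buffer returns STATUS_BUFFER_TOO_SMALL, and an IRP_MJ_WRITE request returns STATUS_INVALID_DEVICE_REQUEST because that slot was left NULL. The real I/O manager installs a stub that returns STATUS_INVALID_DEVICE_REQUEST into every slot DriverEntry does not set, which is why the slide's advice to leave unsupported entries alone is safe.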
Device Driver – Dispatch Functions
What can the driver functions do? Call the kernel APIs, for instance:
  Ex (Executive)
  Mm (Memory manager)
  Rtl (Run time library)
  FsRtl (File system runtime library)
  Ob (Object management)
  Io (I/O)
  Hal (Hardware abstraction layer)
  Zw (File & Registry)
  Ke (General kernel)
Use DMA to talk to the device.
Device Driver - Interrupts
Interrupts – the way the actual device “dispatches” the OS.
In order to register for a certain interrupt one uses the IoConnectInterrupt API. Easier with PnP support.
The interrupt service routine is passed to IoConnectInterrupt.
Device Driver - Interrupts
Usually looking like this:

    BOOLEAN InterruptIsr(IN PKINTERRUPT Interrupt, IN OUT PVOID Context)
    {
        // Context is what was passed to IoConnectInterrupt, here the device object.
        PDEVICE_OBJECT DeviceObject = (PDEVICE_OBJECT)Context;
        … (few commands if any)
        // Defer the real work: queue the device's DPC and leave the ISR quickly.
        IoRequestDpc(DeviceObject, DeviceObject->CurrentIrp, NULL);
        return TRUE;
    }
Device Driver - Interrupts
What is a DPC?
Deferred procedure call.
Used to postpone the driver's processing so that other interrupts can be received.
The DPC is processed only after all interrupts are processed.
All interrupt service routines do almost nothing other than queuing DPCs.
Each device object has a DPC inside it; a driver can allocate more DPCs if it believes it will get lots of interrupts.
Interrupt Example
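The two interrupt slides above describe the split between the ISR and the DPC and note that a device object carries one DPC. The block below is an added example, not code from the slides: a user-mode model in which KDPC, KeInsertQueueDpcModel, RunDpcQueueModel, InterruptIsrModel and DEVICE_EXTENSION are stand-ins for the kernel objects and routines of the same shape. The one rule it reproduces is the documented behaviour of KeInsertQueueDpc (which IoRequestDpc calls on DeviceObject->Dpc): a DPC that is already sitting in the queue is not queued a second time, so a burst of interrupts that arrives before the DPC level runs collapses into a single DPC invocation. That is exactly why the ISR must leave enough state behind for the DPC to find all the work, and why a driver expecting many interrupts allocates extra DPCs.

```c
/* Added example, not from the slides: a user-mode model of the ISR -> DPC
 * hand-off. KDPC, KeInsertQueueDpc, IoRequestDpc and the DPC queue are
 * stand-ins shaped like the kernel ones; the rule modelled is the real one,
 * that a DPC which is already queued is not queued a second time. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct _KDPC KDPC;
typedef void (*PKDEFERRED_ROUTINE)(KDPC *Dpc, void *DeferredContext);
struct _KDPC {
    bool               Inserted;   /* set while the DPC sits in the queue */
    PKDEFERRED_ROUTINE Routine;
    void              *Context;
    KDPC              *Next;
};

/* The DPC queue (per processor in the real kernel; one global one here). */
static KDPC *g_DpcQueue;

/* Model of KeInsertQueueDpc: returns false and does nothing when the DPC is
 * already queued, so back-to-back interrupts collapse into one DPC run. */
bool KeInsertQueueDpcModel(KDPC *Dpc)
{
    if (Dpc->Inserted)
        return false;
    Dpc->Inserted = true;
    Dpc->Next = g_DpcQueue;
    g_DpcQueue = Dpc;
    return true;
}

/* Model of the kernel draining the queue at DISPATCH_LEVEL once all pending
 * interrupts have been serviced. Returns how many DPC routines ran. */
unsigned RunDpcQueueModel(void)
{
    unsigned ran = 0;
    while (g_DpcQueue != NULL) {
        KDPC *d = g_DpcQueue;
        g_DpcQueue = d->Next;
        d->Inserted = false;          /* cleared first, so the routine may re-queue itself */
        d->Routine(d, d->Context);
        ran++;
    }
    return ran;
}

/* Device extension: the state the ISR leaves behind for the DPC to process. */
typedef struct {
    KDPC     Dpc;                 /* "each device object has a DPC inside it" */
    uint32_t PendingInterrupts;   /* bumped by the ISR, drained by the DPC */
    uint32_t Processed;           /* work completed at DISPATCH_LEVEL */
} DEVICE_EXTENSION;

/* The deferred routine: does the real work for every interrupt that arrived
 * since the DPC was queued, however many were coalesced into this one call. */
static void DeviceDpcRoutine(KDPC *Dpc, void *Context)
{
    DEVICE_EXTENSION *ext = Context;
    (void)Dpc;
    uint32_t n = ext->PendingInterrupts;  /* real code: an interlocked exchange with 0 */
    ext->PendingInterrupts = 0;
    ext->Processed += n;
}

/* Model of the slide's InterruptIsr: record the event, queue the DPC, leave. */
bool InterruptIsrModel(DEVICE_EXTENSION *ext)
{
    ext->PendingInterrupts++;              /* stands in for reading the device status */
    KeInsertQueueDpcModel(&ext->Dpc);      /* what IoRequestDpc does with DeviceObject->Dpc */
    return true;                           /* TRUE: the interrupt belonged to our device */
}

void DeviceExtensionInit(DEVICE_EXTENSION *ext)
{
    memset(ext, 0, sizeof(*ext));
    ext->Dpc.Routine = DeviceDpcRoutine;   /* what IoInitializeDpcRequest sets up */
    ext->Dpc.Context = ext;
}

/* Fire `count` interrupts before the DPC level gets a chance to run, then
 * drain the queue; returns how many times the DPC routine was invoked. */
unsigned SimulateBurst(DEVICE_EXTENSION *ext, unsigned count)
{
    for (unsigned i = 0; i < count; i++)
        InterruptIsrModel(ext);
    return RunDpcQueueModel();
}
```

After DeviceExtensionInit, SimulateBurst(&ext, 3) returns 1 (three interrupts, one DPC run) while ext.Processed becomes 3: no interrupt is lost, because the ISR accumulated a count the DPC reads back. A driver whose ISR instead stored only "the" last status word in the extension would silently drop the first two.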
Other important issues (that were not quite covered)
IRQL & Interrupts.
DDK API calls and IRQL.
Class Filter driver.
Spin locks.
NPP.
WinDBG/SoftIce.
FastIoDispatch.
IFS.
Filter Drivers.
PNP dispatch functions.
Bibliography
http://www.sysinternals.com/ - Mark Russinovich
MS DDK.
http://www.beyondlogic.org
Inside Windows 2000.