Introduction to writing device drivers for Windows

04/19/2304/19/23 11

Introduction to writing Introduction to writing device drivers for Windowsdevice drivers for Windows

Ben BernsteinBen Bernstein

[email protected]

04/19/2304/19/23 22

Device DriversDevice Drivers

Why do we need them ?Why do we need them ? The only way to connect IO devices to The only way to connect IO devices to

windows (hence the name).windows (hence the name). The only way to inject code into the windows The only way to inject code into the windows

kernel.kernel. Doing stuff in an utmost low levelDoing stuff in an utmost low level

• Firewall.Firewall.• AV.AV.• ID.ID.

04/19/2304/19/23 33

Device DriversDevice Drivers

Why I hate themWhy I hate them Mostly undocumented, very few web Mostly undocumented, very few web

resources.resources. Very primitive dev tools.Very primitive dev tools. No GUI – I cannot impress anyone.No GUI – I cannot impress anyone. The kernel never quite seems to forgives my The kernel never quite seems to forgives my

bugs.bugs. Lots of technical details – it’s a little boring.Lots of technical details – it’s a little boring. So much cryptic knowledge we cannot cover So much cryptic knowledge we cannot cover

the whole subject in two hours.the whole subject in two hours.

04/19/2304/19/23 44

Windows IOWindows IO

Windows uses the same mechanism for Windows uses the same mechanism for communicating with files, and communicating communicating with files, and communicating with devices.with devices. CreateFile CreateFile CloseHandleCloseHandle WriteFileWriteFile ReadFileReadFile DeviceIoControlDeviceIoControl

• Extension – Specific for every device.Extension – Specific for every device.

Main() exampleMain() example

04/19/2304/19/23 55

Calling DeviceIOControlCalling DeviceIOControl

User modeprogram

Libraries/Dlls

NtDll

ISR (ring 0)

SharedUserData!SystemCallStub:mov edx,espsysenter (int 0x2e)ret

ntdll!ZwDeviceIoControlFile:mov eax,0x42mov edx,0x7ffe0300call edx{SharedUserData!SystemCallStubret 0x28

IO manager(nt!NtDeviceIoControlFileand some other functions)

Your driver (dispatchfunctions)

04/19/2304/19/23 66

Windows IO - IRPsWindows IO - IRPs

Every IO request from a file or a device gets to Every IO request from a file or a device gets to the kernel – the IO manager.the kernel – the IO manager.

The IO manager creates an IRP and dispatches The IO manager creates an IRP and dispatches it to the proper driver(s) of the device.it to the proper driver(s) of the device.

The drivers may decide to make the request The drivers may decide to make the request pending and answer it after a while.pending and answer it after a while.

The driver may decide to pass the IRP to The driver may decide to pass the IRP to another driver.another driver.

A user-mode program may decide to call IO A user-mode program may decide to call IO functions asynchronously or synchronously. functions asynchronously or synchronously.

04/19/2304/19/23 77

PDO FDO FiDOPDO FDO FiDO

Fido(s)

Fido(s)

FDO

PDO

PDO, FDO, PDO, FDO,

Device Enumaration Device Enumaration

Plug & PlayPlug & Play

04/19/2304/19/23 88

A code that runs inside the kernel of A code that runs inside the kernel of windows.windows.

It’s a C/C+/C++ program!It’s a C/C+/C++ program!

Device Driver CodeDevice Driver Code#include "ntddk.h"#include "ntddk.h"

NTSTATUS NTSTATUS

DriverEntry(DriverEntry(

IN PDRIVER_OBJECT DriverObject, IN PDRIVER_OBJECT DriverObject,

IN PUNICODE_STRING RegistryPath IN PUNICODE_STRING RegistryPath

))

{{

////

// I wish I could hello world you// I wish I could hello world you

////

return STATUS_SUCCESS;return STATUS_SUCCESS;

}}

04/19/2304/19/23 99

Few questions?!Few questions?!(The MS driver rules)(The MS driver rules)

You have to order the DDK.You have to order the DDK. Compiling:Compiling:

No IDE - just BUILD.EXE.No IDE - just BUILD.EXE. no Makefile – just dirs, sources,. no Makefile – just dirs, sources,. DBG/FRE dos build environments DBG/FRE dos build environments

The .SYS filesThe .SYS files Export and import, DriverEntry is the entry pointExport and import, DriverEntry is the entry point

Weird typesWeird types UNICODE_STRING, NTSTATUS, some UNICODE_STRING, NTSTATUS, some

undocumented.undocumented.

04/19/2304/19/23 1010

04/19/2304/19/23 1111

DriverEntryDriverEntry

The DriverEntry RegistryPath parameter.The DriverEntry RegistryPath parameter. Points to the registry.Points to the registry. The registry info is usually created by an INF file The registry info is usually created by an INF file

The DriverEntry DriverObject parameter.The DriverEntry DriverObject parameter. Used to return callbacks to the OS.Used to return callbacks to the OS.

#include "ntddk.h"#include "ntddk.h"

NTSTATUS NTSTATUS

DriverEntry(DriverEntry(



))

{{

////

// I wish I could hello world you// I wish I could hello world you

////

return STATUS_SUCCESS;return STATUS_SUCCESS;

}}

04/19/2304/19/23 1212

Device Driver – Device Driver – Initializing Callbacks Initializing Callbacks

NTSTATUS DriverEntry(NTSTATUS DriverEntry(



) {) {

DriverObject->DriverUnload = MyUnload;DriverObject->DriverUnload = MyUnload;

DriverObject->MajorFunction[IRP_MJ_CREATE] = MyCreate;DriverObject->MajorFunction[IRP_MJ_CREATE] = MyCreate;

DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyClose;DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyClose;

DriverObject->MajorFunction[IRP_MJ_CLEANUP] = MyCleanup;DriverObject->MajorFunction[IRP_MJ_CLEANUP] = MyCleanup;

DriverObject->MajorFunction[IRP_MJ_READ] = MyRead;DriverObject->MajorFunction[IRP_MJ_READ] = MyRead;

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=MyCtrl;DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=MyCtrl;

DriverObject->DriverExtension->AddDevice = MyPnpAddDeviceDriverObject->DriverExtension->AddDevice = MyPnpAddDevice

IoCreateDevice( … , “device name”, …)IoCreateDevice( … , “device name”, …)

……

return STATUS_SUCCESS;}return STATUS_SUCCESS;}

04/19/2304/19/23 1313

Device Driver – Device Driver – Dispatch Functions Dispatch Functions

IOCtrl dispatch functionIOCtrl dispatch function All in the form of:All in the form of:

NTSTATUS MyDispatchFunc( NTSTATUS MyDispatchFunc( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )

Enables the user of the driver to communicate with the driver.Enables the user of the driver to communicate with the driver. Filemon ExampleFilemon Example

DriverUnload dispatchDriverUnload dispatch Does driver cleanupDoes driver cleanup

One can support some and set other to NULL.One can support some and set other to NULL. DriverExtension->AddDevice vs. DriverEntryDriverExtension->AddDevice vs. DriverEntry

04/19/2304/19/23 1414

Device Driver – Device Driver – Dispatch Functions Dispatch Functions

What can the driver functions do ? Call the kernel apis What can the driver functions do ? Call the kernel apis for instance.for instance.

Ex ( Executive)Ex ( Executive) Mm (Memory manager)Mm (Memory manager) Rtl (Run time library)Rtl (Run time library) FsRtl (File system runtime library)FsRtl (File system runtime library) Ob ( Object management)Ob ( Object management) Io (I/O)Io (I/O) Hal (Hardware abstraction level)Hal (Hardware abstraction level) Zw (File & Registry)Zw (File & Registry) Ke (General kernel)Ke (General kernel)

Use DMA to talk to the deviceUse DMA to talk to the device

04/19/2304/19/23 1515

Device Driver - InterruptsDevice Driver - Interrupts

Interrupts – The way the actual device Interrupts – The way the actual device “dispatches” the OS.“dispatches” the OS.

In order to register to a certain Interrupt In order to register to a certain Interrupt one uses the IoConnectInterrupt API.one uses the IoConnectInterrupt API. Easier with PNP support.Easier with PNP support.

A completion function is passed to the A completion function is passed to the IoConnectInterrupt .IoConnectInterrupt .

04/19/2304/19/23 1616

Device Driver - InterruptsDevice Driver - Interrupts

Usually looking like this:Usually looking like this:BOOLEAN InterruptIsrBOOLEAN InterruptIsr((IN PKINTERRUPT Interrupt, IN IN PKINTERRUPT Interrupt, IN

OUT PVOID ContextOUT PVOID Context)){{

… … (few commands if any)(few commands if any)IoRequestDpcIoRequestDpc((DeviceObject,DeviceObject,

DeviceObjectDeviceObject-->CurrentIrp,>CurrentIrp, NULLNULL));;

return TRUE;return TRUE;}}

04/19/2304/19/23 1717

Device Driver - InterruptsDevice Driver - Interrupts What is a DPC?What is a DPC?

Deffered procedure call.Deffered procedure call. Used to postpone the driver calculation to enable Used to postpone the driver calculation to enable

receiving other interrupts.receiving other interrupts. The DPC is processed only after all interrupt are The DPC is processed only after all interrupt are

processed.processed. All interrupts service routines do almost nothing other All interrupts service routines do almost nothing other

then queuing DPCs.then queuing DPCs. Each device object has a DPC inside it, A driver can Each device object has a DPC inside it, A driver can

allocate more DPCs if he believes he’ll get lots of allocate more DPCs if he believes he’ll get lots of interrupts.interrupts.

Interrupt ExampleInterrupt Example

04/19/2304/19/23 1818

Other important issues Other important issues (that were not quite covered)(that were not quite covered)

IRQL & Interrupts.IRQL & Interrupts. DDK API calls and IRQLDDK API calls and IRQL Class Filter driverClass Filter driver Spin locksSpin locks NPPNPP WinDBG/SoftIceWinDBG/SoftIce FastIoDispatchFastIoDispatch IFSIFS Filter DriversFilter Drivers PNP dispatch functions.PNP dispatch functions.

04/19/2304/19/23 1919

Bibliography Bibliography

httphttp://://wwwwww..sysinternalssysinternals..comcom// - - Mark Mark RussinovichRussinovich

MS DDK.MS DDK. http://www.beyondlogic.orghttp://www.beyondlogic.org Inside Windows 2000.Inside Windows 2000.

04/19/2304/19/23 2020

Documents

Introduction to writing device drivers for Windows