• windows内核驱动开发

    友链

    hellodriver

    使用VS2019

    项目地址

    代码

    // I don't like NTSTATUS, it like shit
typedef NTSTATUS _nt;

/*
your driver must implement two basic event callback fucnions at least
which is:
 - DRIVER_INITIALIZE DriverEntry
 - EVT_WDF_DRIVER_DEVICE_ADD KmdfHelloWorldEvtDeviceAdd
*/

// these two head files must be included in your driver code
// contains win kernel definitions for all drivers
#include 	
// contains win kernel definitions for drivers those who are based on WDF
#include 

// both DRIVER_INITIALIZE and EVT_WDF_DRIVER_DEVICE_ADD are function type with parameter and return value declared, see this:  https://blog.csdn.net/ma_de_hao_mei_le/article/details/126246225
DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD KmdfHelloWorldEvtDeviceAdd;

// then DriverEntry function
// this is the main function in user mode code
// everytime we want to analyse a drvier, we need to check this function to know how does it work
_nt DriverEntry(
	_In_ PDRIVER_OBJECT		DriverObject,
	_In_ PUNICODE_STRING	RegistryPath
)
{
	// this is the return value
	// well STATUS_SUCCESS macro sucks, it is too long, I prefer to use 0
	_nt status = 0;

	// idk what the fuck is this
	// the document from MS says it is driver configuration object, which indeed is a struct
	WDF_DRIVER_CONFIG config;

	// let's print some thing, only visible for debugger
	// idk what is the usage of commentid and level
	KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "KmdfHelloWorld: DriverEntry\n"));

	// initialize driver configuration object to register entry point for one of the call back function we mentioned at the beginning
	// the other call back is EntryPoint
	// it doesn't need to be registered
	// it will be called automatically if certain event comes
	WDF_DRIVER_CONFIG_INIT(&config,
		KmdfHelloWorldEvtDeviceAdd);

	// at last, we create driver object
	status = WdfDriverCreate(
		DriverObject,
		RegistryPath,
		WDF_NO_OBJECT_ATTRIBUTES,
		&config,
		WDF_NO_HANDLE);
	return status;
}

// now we need to implement our KmdfHelloWorldEvtDeviceAdd callback function
// EvtDeviceAdd will be invoked by system when your device has arrived
// what does the doc mean when it say "your device"?
// what the fuck is "your device"? 
// idk what is my device and how it arrives
// this function will initialize structures and resources that this device will use, and create device object for it
// MS doc recommends to name this EvtDeviceAdd function with a prefix, and the driver name should be this prefix
// now I understand, device arriving when you click enable in devmanager
_nt KmdfHelloWorldEvtDeviceAdd(
	_In_	WDFDRIVER			Driver,
	_Inout_ PWDFDEVICE_INIT		DeviceInit
)
{
	// the first parameter is useless because we're not going to use it
	// so we need to mark it as unreferenced
	// I'm not sure what is the point to do this
	// because I've never seen this in user mode C code
	UNREFERENCED_PARAMETER(Driver);

	// allocate device object
	// here is how WDFDEVICE is declared https://blog.csdn.net/ma_de_hao_mei_le/article/details/126247434
	WDFDEVICE hDevice;

	// print some thing in debugger so we know that this function is executed
	KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "KmdfHelloWorld: KmdfHelloWorldEvtDeviceAdd\n"));

	_nt status = WdfDeviceCreate(
		&DeviceInit,
		WDF_NO_OBJECT_ATTRIBUTES,
		&hDevice);
	return status;
}

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    • 79
    • 80
    • 81
    • 82
    • 83
    • 84
    • 85
    • 86
    • 87
    • 88
    • 89

    构建完成后在项目目录下可以找到以下几个文件
    在这里插入图片描述
    sys是驱动文件,inf是安装驱动的时候用的文件,cat是installer用于验证驱动的测试签名的文件

    部署驱动

    本来VS是有自动化部署的功能的,但是我玩不明白,所以只能用笨方法,手动部署

    把签名给禁了先

    bcdedit /set testsigning on

    • 1

    然后重启

    把vs生成的三个文件全拖到测试机上,然后把开发机上的devcon.exe拷到测试机,注意devcon.exe的位数,要和测试机一样

    然后执行如下命令进行安装即可

    devcon install hellodriver.inf root\hellodriver

    • 1

    在这里插入图片描述
    在这里插入图片描述

    调试驱动程序

    微软官方给了例子

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers—step-by-step-lab–echo-kernel-mode-#connectto

    例子的代码可以在这里下载

    这个项目会生成两个驱动程序,echo和echo_2,我们只需要看echo就行了,echo_2不用管

    使用devcon把echo装上去之后,在debugger机器上把内核调试弄好,然后把echo.pdb文件的路径加到符号路径即可

    .symfix
.sympath+ /path/to/echo.pdb
!sym noisy
.reload /f
 lmvm echo

    • 1
    • 2
    • 3
    • 4
    • 5

    如果可以查看到如下信息,说明就成功了

    在这里插入图片描述
    可以使用!devnode 0 1命令来显示设备节点树,如果你的设备没有出现在里面,那说明你安装失败了

    可以看到我们的设备是可以显示在这里面的
    在这里插入图片描述
    上面输出中的PDO是一个地址,我们可以使用!devobj PDO来查看与该驱动关联的即插即用设备信息

    在这里插入图片描述
    pdo地址是和驱动运行实例相关联的,使用!devstack pdo可以查看一驱动栈信息

    在这里插入图片描述

    源码调试

    .srcpath+ 驱动程序的源代码所在路径。

    在evtdeviceadd函数下断点
    然后在debugee中禁用设备,然后再启用设备即可触发该断点

  • 相关阅读:
    B - Influence on Social media ,素因子分解,思维,unordered_map
    云渲染为设计行业带来哪些福利?
    promise执行顺序面试题令我头秃,你能作对几道
    ANSYS mechanical如何在Workbench环境中使用高性能计算
    Linux---(二)基本认识与安装
    mysql事务测试
    四十六、AJAX
    李宏毅机器学习第一课(结尾附作业模型详细分析)
    最新版:RadSystems Studio:Crack
    TorchVision Transforms API 大升级,支持目标检测、实例/语义分割及视频类任务
  • 原文地址:https://blog.csdn.net/ma_de_hao_mei_le/article/details/126248117