Balyan Blog (وبلاگ بلیان)

Windows Kernel Programming

Introduction to the book "Windows Kernel Programming" by Pavel Yosifovich, published by Leanpub in 2019. The book is offered as a PDF, in English. "Windows Kernel Programming" is filed under Uncategorized.

There is nothing like the power of the kernel in Windows - but how do you write kernel drivers to take advantage of that power? This book will show you how. It describes the programming of software kernel drivers for Windows. These drivers do not deal with hardware, but rather with system processes, threads, modules, the registry and more. Kernel code can be used to monitor important events and, where needed, to prevent some of them from occurring. Various filters can be written that intercept the calls a driver is interested in.

Table of Contents (page numbers refer to the PDF; the table itself is on page 3)

Chapter 1: Windows Internals Overview (p. 9)
  Processes (p. 9)
  Virtual Memory (p. 11)
  Page States (p. 13)
  System Memory (p. 13)
  Threads (p. 14)
  Thread Stacks (p. 15)
  System Services (a.k.a. System Calls) (p. 17)
  General System Architecture (p. 18)
  Handles and Objects (p. 21)
  Object Names (p. 22)
  Accessing Existing Objects (p. 25)

Chapter 2: Getting Started with Kernel Development (p. 28)
  Installing the Tools (p. 28)
  Creating a Driver Project (p. 29)
  The DriverEntry and Unload Routines (p. 30)
  Deploying the Driver (p. 33)
  Simple Tracing (p. 36)
  Exercises (p. 39)
  Summary (p. 39)

Chapter 3: Kernel Programming Basics (p. 40)
  General Kernel Programming Guidelines (p. 40)
  Unhandled Exceptions (p. 41)
  Termination (p. 41)
  Function Return Values (p. 42)
  IRQL (p. 42)
  C++ Usage (p. 42)
  Testing and Debugging (p. 43)
  Debug vs. Release Builds (p. 44)
  The Kernel API (p. 44)
  Functions and Error Codes (p. 45)
  Strings (p. 46)
  Dynamic Memory Allocation (p. 48)
  Lists (p. 50)
  The Driver Object (p. 52)
  Device Objects (p. 53)
  Summary (p. 56)

Chapter 4: Driver from Start to Finish (p. 57)
  Introduction (p. 57)
  Driver Initialization (p. 58)
  Passing Information to the Driver (p. 60)
  Client / Driver Communication Protocol (p. 61)
  Creating the Device Object (p. 62)
  Client Code (p. 65)
  The Create and Close Dispatch Routines (p. 67)
  The DeviceIoControl Dispatch Routine (p. 68)
  Installing and Testing (p. 72)
  Summary (p. 75)

Chapter 5: Debugging (p. 76)
  Debugging Tools for Windows (p. 76)
  Introduction to WinDbg (p. 77)
  Tutorial: User mode debugging basics (p. 78)
  Kernel Debugging (p. 95)
  Local Kernel Debugging (p. 96)
  Local kernel Debugging Tutorial (p. 97)
  Full Kernel Debugging (p. 104)
  Configuring the Target (p. 105)
  Configuring the Host (p. 107)
  Kernel Driver Debugging Tutorial (p. 109)
  Summary (p. 112)

Chapter 6: Kernel Mechanisms (p. 113)
  Interrupt Request Level (p. 113)
  Raising and Lowering IRQL (p. 116)
  Thread Priorities vs. IRQLs (p. 117)
  Deferred Procedure Calls (p. 118)
  Using DPC with a Timer (p. 120)
  Asynchronous Procedure Calls (p. 121)
  Critical Regions and Guarded Regions (p. 122)
  Structured Exception Handling (p. 122)
  Using __try/__except (p. 124)
  Using __try/__finally (p. 126)
  Using C++ RAII Instead of __try / __finally (p. 127)
  System Crash (p. 130)
  Crash Dump Information (p. 132)
  Analyzing a Dump File (p. 136)
  System Hang (p. 139)
  Thread Synchronization (p. 141)
  Interlocked Operations (p. 141)
  Dispatcher Objects (p. 143)
  Mutex (p. 145)
  Fast Mutex (p. 148)
  Semaphore (p. 150)
  Event (p. 150)
  Executive Resource (p. 151)
  High IRQL Synchronization (p. 152)
  The Spin Lock (p. 154)
  Work Items (p. 157)
  Summary (p. 159)

Chapter 7: The I/O Request Packet (p. 160)
  Introduction to IRPs (p. 160)
  Device Nodes (p. 161)
  IRP Flow (p. 165)
  IRP and I/O Stack Location (p. 166)
  Viewing IRP Information (p. 170)
  Dispatch Routines (p. 171)
  Completing a Request (p. 173)
  Accessing User Buffers (p. 174)
  Buffered I/O (p. 175)
  Direct I/O (p. 179)
  User Buffers for IRP_MJ_DEVICE_CONTROL (p. 184)
  Putting it All Together: The Zero Driver (p. 185)
  Using a Precompiled Header (p. 186)
  The DriverEntry Routine (p. 188)
  The Read Dispatch Routine (p. 190)
  The Write Dispatch Routine (p. 191)
  Test Application (p. 191)
  Summary (p. 193)

Chapter 8: Process and Thread Notifications (p. 194)
  Process Notifications (p. 194)
  Implementing Process Notifications (p. 197)
  The DriverEntry Routine (p. 200)
  Handling Process Exit Notifications (p. 202)
  Handling Process Create Notifications (p. 205)
  Providing Data to User Mode (p. 207)
  The User Mode Client (p. 209)
  Thread Notifications (p. 212)
  Image Load Notifications (p. 215)
  Exercises (p. 217)
  Summary (p. 217)

Chapter 9: Object and Registry Notifications (p. 218)
  Object Notifications (p. 218)
  Pre-Operation Callback (p. 220)
  Post-Operation Callback (p. 223)
  The Process Protector Driver (p. 224)
  Object Notification Registration (p. 225)
  Managing Protected Processes (p. 226)
  The Pre-Callback (p. 230)
  The Client Application (p. 231)
  Registry Notifications (p. 234)
  Handling Pre-Notifications (p. 236)
  Handling Post-Operations (p. 236)
  Performance Considerations (p. 237)
  Implementing Registry Notifications (p. 237)
  Handling Registry Callback (p. 239)
  Modified Client Code (p. 241)
  Exercises (p. 243)
  Summary (p. 243)

Chapter 10: Introduction to File System Mini-Filters (p. 244)
  Introduction (p. 245)
  Loading and Unloading (p. 246)
  Initialization (p. 248)
  Operations Callback Registration (p. 251)
  The Altitude (p. 255)
  Installation (p. 258)
  INF Files (p. 258)
  Installing the Driver (p. 266)
  Processing I/O Operations (p. 266)
  Pre Operation Callbacks (p. 266)
  Post Operation Callbacks (p. 269)
  The Delete Protector Driver (p. 271)
  Handling Pre-Create (p. 272)
  Handling Pre-Set Information (p. 277)
  Some Refactoring (p. 280)
  Generalizing the Driver (p. 283)
  Testing the Modified Driver (p. 289)
  File Names (p. 290)
  File Name Parts (p. 292)
  RAII FLT_FILE_NAME_INFORMATION wrapper (p. 295)
  The Alternate Delete Protector Driver (p. 297)
  Handling Pre-Create and Pre-Set Information (p. 304)
  Testing the Driver (p. 307)
  Contexts (p. 307)
  Managing Contexts (p. 309)
  Initiating I/O Requests (p. 311)
  The File Backup Driver (p. 312)
  The Post Create Callback (p. 315)
  The Pre-Write Callback (p. 320)
  The Post-Cleanup Callback (p. 327)
  Testing the Driver (p. 328)
  Restoring Backups (p. 329)
  User Mode Communication (p. 331)
  Creating the Communication Port (p. 331)
  User Mode Connection (p. 333)
  Sending and Receiving Messages (p. 334)
  Enhanced File Backup Driver (p. 335)
  The User Mode Client (p. 338)
  Debugging (p. 340)
  Exercises (p. 343)
  Summary (p. 344)

Chapter 11: Miscellaneous Topics (p. 345)
  Driver Signing (p. 345)
  Driver Verifier (p. 350)
  Example Driver Verifier Sessions (p. 354)
  Using the Native API (p. 360)
  Filter Drivers (p. 361)
  Filter Driver Implementation (p. 363)
  Attaching Filters (p. 364)
  Attaching Filters at Arbitrary Time (p. 366)
  Filter Cleanup (p. 368)
  More on Hardware-Based Filter Drivers (p. 369)
  Device Monitor (p. 370)
  Adding a Device to Filter (p. 372)
  Removing a Filter Device (p. 375)
  Initialization and Unload (p. 377)
  Handling Requests (p. 379)
  Testing the Driver (p. 382)
  Results of Requests (p. 386)
  Driver Hooking (p. 388)
  Kernel Libraries (p. 391)
  Summary (p. 392)
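The sections "Deploying the Driver", "Simple Tracing", "Installing and Testing" and "Driver Signing" in the table above cover the load/test/unload cycle a software driver goes through on a test machine. The PowerShell script below is an added example of that cycle, not code from the book or from Pavel Yosifovich; the service name Sample and the image path C:\Drivers\Sample.sys are hypothetical placeholders for a driver built from a WDK project with test signing enabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): load/test/unload cycle for a test-signed
# software driver. Assumed placeholders: service name 'Sample' and image
# C:\Drivers\Sample.sys, built from a WDK project that test-signs its output.
$ErrorActionPreference = 'Stop'
$Name = 'Sample'
$Sys  = 'C:\Drivers\Sample.sys'

# 'sc' is a PowerShell alias for Set-Content, so call the native tool as sc.exe.
# Native commands never throw, so check $LASTEXITCODE after each call.
function Invoke-Sc {
    param([string[]]$ScArgs)
    & sc.exe @ScArgs
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $ScArgs failed with code $LASTEXITCODE" }
}

if (-not (Test-Path $Sys)) { throw "driver image not found: $Sys" }

# One-time: let the boot loader accept test-signed kernel code. bcdedit refuses
# this while Secure Boot is enabled, and the change takes effect after a reboot.
bcdedit /set testsigning on
if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed (is Secure Boot enabled?)' }

# Optional, one-time: make DbgPrint/KdPrint output visible in DebugView or
# WinDbg on Windows 8 and later. DEFAULT = 8 enables the INFO level that
# plain DbgPrint uses; takes effect after a reboot.
$dpf = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'
New-Item -Path $dpf -Force | Out-Null
Set-ItemProperty -Path $dpf -Name DEFAULT -Value 8 -Type DWord

# Register the image as a kernel service. sc.exe expects "key= value", i.e.
# the '=' glued to the key and a space before the value.
Invoke-Sc @('create', $Name, 'type=', 'kernel', 'binPath=', $Sys, 'start=', 'demand')

# Load it: this runs DriverEntry. Then confirm the kernel reports it as running.
Invoke-Sc @('start', $Name)
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"
if ($null -eq $drv -or $drv.State -ne 'Running') { throw "$Name is not running" }
'{0}: {1} ({2})' -f $drv.Name, $drv.State, $drv.PathName

# ... exercise the driver here with its user-mode client ...

# Unload it: this runs the driver's Unload routine. A driver that registered no
# Unload routine cannot be stopped; sc.exe reports that the control is not
# valid for the service, and only a reboot removes it from memory.
Invoke-Sc @('stop', $Name)

# Remove the service entry once testing is finished.
Invoke-Sc @('delete', $Name)
```

Run this only from an elevated PowerShell on a disposable VM, preferably one with a kernel debugger attached as the book's debugging chapter sets up: test-signing mode makes the kernel accept drivers signed with a self-generated test certificate rather than a production signature, and a fault in DriverEntry or a dispatch routine crashes the whole machine rather than one process. For a file-system mini-filter the registration instead goes through an INF that sets the altitude and the Instances keys; after that installation, fltmc.exe load and fltmc.exe unload take the place of sc.exe start and stop, and fltmc.exe filters lists the loaded filters with their altitudes.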
Download the book Windows Kernel Programming