WDM

(Windows Driver Model)

Y.C. Hua
2005-04-29

1
 Requirements

• Familiar with c, c++ programming

• Somewhat familiar with windows programming

2
 Driver Model used on various OS

• NT4
KMD (Kernel Model Driver)

• Win95
VxD (Virtual Device Driver)

• Win98/Me
VxD, WDM

• Win2000/XP
KMD, WDM

3
 Use driver to access hardware

User mode application

Kernel mode driver

hardware I/O port Physical memory

4
 Driver building environment

• Visual studio 6
compiler, linker, editor

• Win98/Me/2000/XP DDK
library, header file for driver

5
 Driver loading

• Static load, boot-time load

- Load driver when os booting
- Win98/Me only

• Dynamic load, run-time load

- Load driver when application open driver
- Win2k/Xp can static or dynamic

6
 Static load
1. Copy driver to <windir>\system32\drivers
98/Me/XP <windir> = c:\windows, 2k <windir> = c:\winnt

2. Add Registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TESTDRV

3. Add Registry value under added TESTDRV key

ErrorControl = 1 (DWORD)
Type = 1 (DWORD)
Start = 1 (DWORD)

4. Restart computer

7
 Service

• Only on win2k/xp.
• Service is a special program independent from multi-user
session.
• It can be running before user login.
• 2 kind of service. Application service and driver service.
• Driver service is for dynamic load.

8
 Application call driver

main()
{
CreateDriverService(); // for dynamic load only
HANDLE h=OpenDriver();

DeviceIoControl(h,,,); // ask driver do something

CloseHandle(h);
DeleteDriverService(); // for dynamic load only
}

Green color is Win32 API.

Yellow color is sub function.

9
 DeviceIoControl()
BOOL DeviceIoControl(
HANDLE hDevice, // in - handle to device
DWORD dwIoControlCode, // in - operation control code
LPVOID lpInBuffer, // in - input data buffer
DWORD nInBufferSize, // in - size of input data buffer
LPVOID lpOutBuffer, // out - output data buffer
DWORD nOutBufferSize, // in - size of output data buffer
LPDWORD lpBytesReturned, // out - byte count
LPOVERLAPPED lpOverlapped // in - overlapped information
);

Control code : ask driver to do different work

Input buffer : data for driver
Output buffer : result return from driver
Bytes returned : result byte count return from driver

10
 Prepare driver file

• makefile : same for all drivers

• sources
• driver source code

11
 Build driver

• Launch Build Environment of DDK

• Change to the folder containing driver source files
• Type 'build'.

12
Launch build environment of DDK

13
Type ‘build’ command

14
 Contains of sources

TARGETNAME=TESTDRV
TARGETTYPE=DRIVER
DRIVERTYPE=WDM
TARGETPATH=.

SOURCES = prog.cpp

Check documents or samples of DDK for more detailed information.

15
 Control code in devio.h
#define CTL_CODE( DeviceType,Function,Method,Access ) \
(((DeviceType) << 16) | ((Access) << 14) | \
((Function) << 2) | (Method))

#define DEVIO_CallInt15 CTL_CODE( \

FILE_DEVICE_UNKNOWN, \
0x801, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)

#define DEVIO_Test CTL_CODE( \

FILE_DEVICE_UNKNOWN, \
0x802, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)

16
 DriverEntry (main of the driver)

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,

IN PUNICODE_STRING RegistryPath)
{
1. Create device
2. Create symbolic link
3. Set major function
}

17
 Create device/symbolic link in DriverEntry

UNICODE_STRING uniNtNameString;
UNICODE_STRING uniWin32NameString;

// create device
RtlInitUnicodeString(&uniNtNameString, L"\\Device\\TESTDRV");
IoCreateDevice(DriverObject, 0, &uniNtNameString,
FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject);

// create symbolic link

RtlInitUnicodeString(&uniWin32NameString,
L"\\DosDevices\\TESTDRV");
IoCreateSymbolicLink(&uniWin32NameString, &uniNtNameString);

18
 Set major function in DriverEntry

// set major function

DriverObject->MajorFunction[IRP_MJ_CREATE] = A::Create;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
A::DeviceControl;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = A::Close;
DriverObject->DriverUnload = A::Unload;

OS load driver  DriverEntry

application open driver  A::Create
application call DeviceIoControl  A::DeviceControl
application close driver  A::Close
OS unload driver  A::Unload

19
 Unload function

UNICODE_STRING uniWin32NameString;

RtlInitUnicodeString(&uniWin32NameString,
L"\\DosDevices\\TESTDRV");
IoDeleteSymbolicLink( &uniWin32NameString );
IoDeleteDevice( DriverObject->DeviceObject );

20
 DeviceControl funciton
NTSTATUS A::DeviceControl(IN PDEVICE_OBJECT fdo, IN PIRP irp)
{
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(irp);
ULONG ControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
ULONG InputLength = irpStack->
Parameters.DeviceIoControl.InputBufferLength;
ULONG OutputLength = irpStack->
Parameters.DeviceIoControl.OutputBufferLength;
PVOID WorkBuffer = (PVOID)irp->AssociatedIrp.SystemBuffer;

switch(ControlCode)
{
case DEVIO_CallInt15: return DoCallInt15(irp);
case DEVIO_Test: return DoTest(irp);
default:
irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
irp->IoStatus.Information = 0; // return byte information
IoCompleteRequest(irp,IO_NO_INCREMENT);
return STATUS_INVALID_DEVICE_REQUEST;
}
}
21
 Buffer flow
User mode Kernel mode

Application
Input buffer

Driver
Work buffer

Application
Output buffer

22
 Last

• Can not use run-time library in Driver

• The sample is in wdmprog.zip

Wdmprog.zip

23