none
How can I learn Windows Kernel Driver development? RRS feed

  • General discussion

  • Is there is any good latest books available for Windows Driver development ?

    I heard about some topics regarding driver development such as - WDM, KMDF, windows kernel development etc.

    I am so much confused where to start and what these all.

    Is this book is the best option - "Developing Drivers with the Windows Driver Foundation" ? But this book is written in 2007!!!

    Can anyone give me some good resources(especially latest good books) to learn deeply about windows kernel driver development ?

     


    Thursday, April 21, 2016 3:47 PM

All replies

  • If you can consider taking a class, both http://www.azius.com/ and http://www.osr.com/ have excellent classes.  The challenge of Windows driver writing is that there is a lot of material, a class can help you learn how to learn.

    The books that are good are:

    Developing Drivers with the Windows Driver Foundation - Yes it is old, but the basic information (at least for KMDF) is all valid.

    Programming the Windows Driver Model - This is the WDM equivalent of the above book.  Even if you use KMDF the underlying WDM model has value to understand, and at time dip into.

    Windows Internal - 6th Edition - This gives you the underlying basic of how the system works.

    On learning driver development, the first thing you need to decide, is what type of device or driver are you interested in?  There are a number of driver types in Windows and they use differing API's in many cases.  For example a storage controller driver uses a different set of services, than a network controller.  So by reducing your options to what you are interested in, you can start studying that driver type.

    Another resource to consider is https://channel9.msdn.com/  There are a number of good video's explaining topics for device drivers, search for "device drivers" and check out the videos.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, April 21, 2016 4:05 PM
  • On learning driver development, the first thing you need to decide, is what type of device or driver are you interested in?  There are a number of driver types in Windows and they use differing API's in many cases.  For example a storage controller driver uses a different set of services, than a network controller.  So by reducing your options to what you are interested in, you can start studying that driver type

    You cannot vote on your own post                            
                    

    I want to submit a seminar on "Rootkits".  So I thought to 1st study driver development then move to Rootkits.

    So for that which types of driver development knowledge is required? network controller driver ? or storage controller driver ?

    The seminars you mentioned are not for individual persons,  any other options?

    Thursday, April 21, 2016 4:26 PM
  • First the seminars are definitely for individuals, they are not cheap, but you get what you pay for.  If you are trying to learn how to write a rootkit then you probably will not get a lot of help on the forums, or in a class.  If you are trying to write anti-malware, then it really depends on how you intend to do that.  For example Microsoft has callbacks that allow for notification of a driver being loaded in the kernel, which some people use to determine if this is malware, others take the general approach of checking files as they are created/modified to see if any infection is occurring. 

    So asking about rootkits is pretty broad, there are a number of books on the subject, so you might start there, but be aware many of the techniques described are now blocked by Microsoft.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, April 21, 2016 4:39 PM
  • If you're looking to work with malware detection, then you want to understand the base driver model, known as WDM, because everything else is layered on top of that. There is plenty of documentation on WDM on Microsoft's web site

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, April 21, 2016 11:09 PM
    Moderator
  • If you're looking to work with malware detection, then you want to understand the base driver model, known as WDM, because everything else is layered on top of that. There is plenty of documentation on WDM on Microsoft's web site

    Thanks.

    Does this book is good - Programming the Microsoft Windows Driver Model (2nd Edition) (Developer Reference) ?

    But it is very old.

    Will it be a good start-

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff565698(v=vs.85).aspx

    Can you please suggest some good books.

    Actually I can't read from computer more than 5 page, that's why I asked for book. Please help me. 

                                           

    Friday, April 22, 2016 3:56 PM
  • The book is still accurate.  Unfortunately, most of the later books on Windows Driver programming, are not very good.  There were several good books prior to plug and play, then the Programming the Microsoft Windows Driver Model is the only good book for WDM post PnP, then Developing Drivers with the Windows Driver Foundation is the one good KMDF book.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Friday, April 22, 2016 4:07 PM
  • I am reading - Developing Drivers with the Windows Driver Foundation.

    I finished reading 5 chapters. Still am not getting anything!!!

    Full of theory with a little bit of code. That is also not complete.!!!!!!!

    Please help me.

    I need some code and explanation.

    I downloaded - Windows-driver-samples-master for windows 10.Now I really have a doubt. Without a hardware how do I test these?

    If I wanna learn Software drivers or usb drivers or web camera drivers how can I do that?

    How do people do that?

    My main focus is learning kernel mode driver development.

    Please help me.

    Sunday, May 29, 2016 4:38 PM
  • For KMDF, take a look at the Samples under General.   The General\IOCTL\KMDF sample is fairly simple.  You should be able to make a copy of than sample, then build it and debug it.  Stepping through a relatively simple working driver is one way to understand what the book is trying to explain.  The Toaster sample under general is also outstanding, but it is several drivers and more complex than IOCTL. 


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Sunday, May 29, 2016 4:45 PM
  • For KMDF, take a look at the Samples under General.   The General\IOCTL\KMDF sample is fairly simple.  You should be able to make a copy of than sample, then build it and debug it.  Stepping through a relatively simple working driver is one way to understand what the book is trying to explain.  The Toaster sample under general is also outstanding, but it is several drivers and more complex than IOCTL. 


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    I went through the code. It doesn't contain that much explanation.

    If I take a Programming language book for C or java I get step by step instructions to each part of the language. I was expecting something like that.

    I didn't expect Windows driver development would be this much difficult.

    May be not that much difficult but there is no enough source for beginners.

    I wonder how the people learn to code driver in windows.

    I searched http://www.osr.com/ for training but I didn't see any training for individuals.

    And seminar is of above $3000!!!!OMG!!!

    Monday, May 30, 2016 4:17 PM
  • There are two approaches here, one is to learn by taking a class, yes they seem expensive for an individual, but think about the amount of work it takes to teach especially on a subject that is not going to have a lot of students a year.

    The other approach is to work through the samples.   The IOCTL sample is pretty simple, it shows you how to have a driver accept a request to do something, and to return the result.   All drivers start at DriverEntry, start walking through that function, when you see if call a kernel API look up the API and understand what is going on.  Actually, the DriverEntry from the IOCTL sample (given below) is pretty well commented on what it does:

    NTSTATUS
    DriverEntry(
        IN OUT PDRIVER_OBJECT   DriverObject,
        IN PUNICODE_STRING      RegistryPath
        )
    /*++
    
    Routine Description:
        This routine is called by the Operating System to initialize the driver.
    
        It creates the device object, fills in the dispatch entry points and
        completes the initialization.
    
    Arguments:
        DriverObject - a pointer to the object that represents this device
        driver.
    
        RegistryPath - a pointer to our Services key in the registry.
    
    Return Value:
        STATUS_SUCCESS if initialized; an error otherwise.
    
    --*/
    {
        NTSTATUS                       status;
        WDF_DRIVER_CONFIG              config;
        WDFDRIVER                      hDriver;
        PWDFDEVICE_INIT                pInit = NULL;
        WDF_OBJECT_ATTRIBUTES          attributes;
    
        KdPrint(("Driver Frameworks NONPNP Legacy Driver Example\n"));
    
    
        WDF_DRIVER_CONFIG_INIT(
            &config,
            WDF_NO_EVENT_CALLBACK // This is a non-pnp driver.
            );
    
        //
        // Tell the framework that this is non-pnp driver so that it doesn't
        // set the default AddDevice routine.
        //
        config.DriverInitFlags |= WdfDriverInitNonPnpDriver;
    
        //
        // NonPnp driver must explicitly register an unload routine for
        // the driver to be unloaded.
        //
        config.EvtDriverUnload = NonPnpEvtDriverUnload;
    
        //
        // Register a cleanup callback so that we can call WPP_CLEANUP when
        // the framework driver object is deleted during driver unload.
        //
        WDF_OBJECT_ATTRIBUTES_INIT(&attributes);
        attributes.EvtCleanupCallback = NonPnpEvtDriverContextCleanup;
    
        //
        // Create a framework driver object to represent our driver.
        //
        status = WdfDriverCreate(DriverObject,
                                RegistryPath,
                                &attributes,
                                &config,
                                &hDriver);
        if (!NT_SUCCESS(status)) {
            KdPrint (("NonPnp: WdfDriverCreate failed with status 0x%x\n", status));
            return status;
        }
    
        //
        // Since we are calling WPP_CLEANUP in the DriverContextCleanup
        // callback we should initialize WPP Tracing after WDFDRIVER
        // object is created to ensure that we cleanup WPP properly
        // if we return failure status from DriverEntry. This
        // eliminates the need to call WPP_CLEANUP in every path
        // of DriverEntry.
        //
        WPP_INIT_TRACING( DriverObject, RegistryPath );
    
        //
        // On Win2K system,  you will experience some delay in getting trace events
        // due to the way the ETW is activated to accept trace messages.
        //
        KdPrint(("NonPnp: DriverEntry: tracing enabled\n"));
    
        TraceEvents(TRACE_LEVEL_VERBOSE, DBG_INIT,
                       "Driver Frameworks NONPNP Legacy Driver Example");
    
        //
        //
        // In order to create a control device, we first need to allocate a
        // WDFDEVICE_INIT structure and set all properties.
        //
        pInit = WdfControlDeviceInitAllocate(
                                hDriver,
                                &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R
                                );
    
        if (pInit == NULL) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            return status;
        }
    
        //
        // Call NonPnpDeviceAdd to create a deviceobject to represent our
        // software device.
        //
        status = NonPnpDeviceAdd(hDriver, pInit);
        
        return status;
    }
    

    If you have specific questions on this routine ask, but really this is not that hard.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, May 30, 2016 4:43 PM
  • If you have specific questions on this routine ask, but really this is not that hard.

    Thanks a lot. I will try it.
    Monday, May 30, 2016 5:26 PM
  • As of this moment, no Google search will yield a result like a "beginners tutorial for Windows drivers".
    Books on the subject are either old or aimed towards experienced system programmers, so is the MSDN kernel documentation.
    To be able to understand how to write device drivers you must first make sure that you have sufficient knowledge in the following topics:

    C, C++ programming languages.

    Windows user mode programming and related concepts such as processes, threads and synchronization between them.

    Some theoretical knowledge about computer architecture at the hardware level might be of use - CPU, RAM, buses and peripheral and how they communicate at the lowest level (machine code).

    CPU modes, Virtual memory (CPU and OS parts of the mechanism, page tables, pagefile, page fault), CPU context, Context switch.

    Understanding system operating concepts: hardware interrupts, processor exceptions and system calls, synchronous vs asynchronous in/out . objects and file management.

    Windows architecture - Classification of the windows source code into distinct areas, or components (each offers a different functionality) and how code written in each component communicates with code in other components.

    Wednesday, June 1, 2016 10:35 AM