Windows ring 3 and ring 0 communication (normal mode)

Windows kernel analysis index directory: https://www.cnblogs.com/onetrainee/p/11675224.html

Part One: Knowledge points

1. Device Object

  When developing a windowed program, a message is packaged into a structure, MSG; in kernel development, a message is encapsulated into a different structure, the IRP (I/O Request Packet).

  In a windowed program, only a window object can receive messages (the window object dispatches the message to the window procedure).

  In the kernel, only a device object can receive IRP messages.

2. Create a device object

  Call the IoCreateDevice API to create a device object. It must be passed a device name (R3 locates the device by this name), which requires initializing a UNICODE_STRING first.

  // Create the device name
  UNICODE_STRING Devicename;
  RtlInitUnicodeString(&Devicename, L"\\Device\\MyDevice");

  // Create the device
  PDEVICE_OBJECT pDeviceObj = NULL;
  NTSTATUS status = IoCreateDevice(
      pDriver,                 // the current driver object
      0,                       // device extension size
      &Devicename,             // the name of the device object
      FILE_DEVICE_UNKNOWN,
      FILE_DEVICE_SECURE_OPEN,
      FALSE,
      &pDeviceObj              // receives the device object pointer
  );
  if (!NT_SUCCESS(status))
      return status;

 

3. Setting the data interaction mode

  pDeviceObj->Flags |= DO_BUFFERED_IO;   (Note: |= means bitwise OR assignment)

  There are three read/write modes:

  1) Buffered read/write (DO_BUFFERED_IO): the operating system copies the application's data buffer into a kernel-mode buffer.

  2) Direct read/write (DO_DIRECT_IO): the operating system locks the user-mode buffer in memory and then maps that buffer to a kernel-mode address. The user-mode buffer and the kernel-mode buffer therefore point to the same region of physical memory. The drawback is that the physical pages are pinned for this purpose alone.

  3) Neither (Flags not set): very dangerous. The driver reads and writes the user buffer address directly, which easily produces a blue screen and may lose data (the page may be swapped out while it is being read).

 

4. Create a symbolic link

  // create the symbolic link name
  UNICODE_STRING SymbolicLinkName;
  RtlInitUnicodeString(&SymbolicLinkName, L"\\??\\MyTestDriver");

  // create the symbolic link
  IoCreateSymbolicLink(&SymbolicLinkName, &Devicename);

 

  Special Note:

  1) The device name is used for kernel objects. If the device is to be accessed from R3, there must be a symbolic link. It is really an alias; without the alias, the device is not visible in R3.

  2) In kernel mode, a symbolic link begins with '\??\'; for example, the C drive is "\??\C:".

  3) In user mode, it begins with '\\.\'; for example, the C drive is "\\.\C:".

 

5. IRP and dispatch functions

  As the diagram below shows: at the R3 layer, the window object is responsible for forwarding a message to the corresponding callback function; in the kernel layer, the IRP sent to a device object is forwarded to the corresponding dispatch function of that device object.

6. IRP types

  Microsoft documentation: IRP structure

  1) When the application layer opens the device with CreateFile, reads from it with ReadFile, writes to it with WriteFile, closes it with CloseHandle, and so on, the operating system generates a corresponding IRP, such as IRP_MJ_CREATE, IRP_MJ_READ or IRP_MJ_CLOSE.

  2) Other IRP types

    IRP_MJ_DEVICE_CONTROL: generated by a DeviceIoControl call

    IRP_MJ_POWER: generated when the operating system processes power messages

    IRP_MJ_SHUTDOWN: generated before the system shuts down

 

7. Where are dispatch functions registered?

  In the last array member of _DRIVER_OBJECT. The types of IRP that can be sent are limited (an IRP is restricted to these message types); from the array it can be seen that there are 29 in total.

  For _DRIVER_OBJECT, see the earlier post: kernel space and kernel address

  

 

8. Registering dispatch functions

  As the diagram below shows, we set the dispatch functions by assigning directly into the array.

  

9. Dispatch function format

  Be sure to set its return type to NTSTATUS. The ring 3 API decides whether the call succeeded based on this status; if it is not set, errors can occur.

Origin: https://www.cnblogs.com/onetrainee/p/11681335.html