kosr wdm zelda - egloospds8.egloos.com/pds/200803/31/77/kosr_wdm_zelda.pdf · 2008-03-31 · -wdm...

Ahnlab.comClient Unit

12 2 t h K o r e a O p e r a t i n g S y s t e m S e m e n a r

KOSR 22차 세미나KOSR 22차 세미나

KOSR 연역 및 소개

http://www.kosr.org

Created with novaPDF Printer (www.novaPDF.com)

http://www.novapdf.com



KOSR 연혁과 이념KOSR 연혁과 이념

KOSR 연혁 (2001 ~ )

- 2001.11.02 : WSP(Windows System Programmer) 커뮤니티 Open

- 2003.01.19 : KSP(Korea System Programmer)로 독립

- 2004.12.01 : KOSR (Korea Operating System Research) 커뮤니티 이름 변경

- 회원수 : 7800명(2007. 03. 10일 기준)

- 세미나 : 총 21회 개최

- 현 SCA(Software Community Association : www.scakorea.org) Member

KOSR의 이념 : 실무 개발자들이 모여서 만든 비영리 커뮤니티- Open Source Project 지향

* Korea OS(Open Source ≒ Operating System) Research

- OS System Programming에 대한 기술 문서화 및 OPEN





세미나(¡02年 ~ ¡06年)세미나(¡02年 ~ ¡06年)

HONGIK UNIVERSITY

2121

2 times (¡03年,¡04年)

KOSR은 5년 동안 21회 세미나 개최

- 한국 주요 7개 대학교 및 Syskon conference





WDM BegginerWDM Begginer

안철수연구소 Application Unit

신 경 준





목 차목 차

-WDM Basic Information

-Demo and Debugging (use WinDbg)





Windows ArchitectureWindows Architecture





KernelKernelThe lowest layer of NTOSKRNL governs how OS uses the

processor/s. It provides for:Thread scheduling and context switchingInterrupt handling and exception dispatchingMultiprocessor synchronizationCPU Architecture functions: GDT and LDT manipulation on x86, CPU Cache SupportGeneric Wait OperationsProvides foundation synchronization primitives for use by the Executive

Kernel CodeMostly Resident (non pageable)Interruptible but sometimes non preemptibleSearch for functions beginning with Ke, Ki





System ProcessSystem ProcessRepresents the kernel (in a way)

Hosts kernel threads

Always run in kernel mode

Number of threads is not constant (drivers are free to add their own

threads under this process)

Process ID is constant

2 (NT 4), 8 (2000), 4 (XP)





The Kernel APIThe Kernel APIImplementation

Most of the Kernel code is in NtOsKrnl.Exe (single CPU) or

NtKrnlMp.Exe (Multi CPU)

Always called NtOsKrnl.Exe on the local hard disk (in

the System32 directory)

Some implementation is in Hal.Dll

The DDK documents about 1/3 of the exported functions

Most functions have a prefix suggesting origin





Kernel API PrefixesKernel API PrefixesEx - General executive routines

Exp - Executive private (not exported)

Cc - Cache Manager (Controller)

Mm - Memeory Manager

Rtl - General runtime library

FsRtl - file system runtime library

Ob - object management

Io - I/O subsystem

Se - Security

Ps - Process structure

Po - Power management

Wmi - Windows Management Instrumentation

Zw - File and registry access

Ke - General Kernel

Ki - Kernel internal (not available outside of kernel)

Hal- hardware abstraction layer

READ_xxx, WRITE_xxx - I/O port and register access (HAL)

Ex - General executive routines

Exp - Executive private (not exported)

Cc - Cache Manager (Controller)

Mm - Memeory Manager

Rtl - General runtime library

FsRtl - file system runtime library

Ob - object management

Io - I/O subsystem

Se - Security

Ps - Process structure

Po - Power management

Wmi - Windows Management Instrumentation

Zw - File and registry access

Ke - General Kernel

Ki - Kernel internal (not available outside of kernel)

Hal- hardware abstraction layer

READ_xxx, WRITE_xxx - I/O port and register access (HAL)





HALHALHardware Abstraction LayerPurpose

Isolates Kernel and Executive from hardware specificsPresents uniform model to ease device driver development and porting

HAL provides low level interface toI/O System Specifics (buses, DMA, ports and registers)Interrupt controllers and system timers MP CommunicationHardware interrupt priorities

Importance somewhat reduced in Windows 2000/XPBus drivers do some of these functions





Kernel Device DriverKernel Device Driver

?The only one that can touch hardware, handle

interrupts, etc.

Has a SYS extension

Its routines always run in kernel mode

Also called ¡Privileged mode¡

Ring 0 on 80x86

Always uses the kernel mode stack

Limited in size: 12KB (2000/XP), 8KB (98/ME)

No documented way to enlarge it

Unhandled exceptions will crash the system

Producing the infamous ¡Blue Screen of Death¡





Interrupt Request Level (IRQL)Interrupt Request Level (IRQL)





IRQL LevelsIRQL LevelsPASSIVE_LEVEL (0)

The ¡normal¡ IQRL levelUser mode code always runs at this level

APC_LEVEL (1)Used for special kernel APCsNot really interesting for driver writers

DISPATCH_LEVEL or DPC_LEVEL (2)Many driver routines run at this IRQLThe kernel scheduler runs at this level

If the CPU runs code at this (or higher) level, no context switching will occur on that CPU until IRQL drops below this levelAlso no waiting on kernel objects (requires scheduler)

Page fault handling also occurs at this levelCode running at this or higher IRQL must always access non-paged memory





System Memory PoolsSystem Memory PoolsThe kernel provides two general memory pools for use by the kernel

itself and device driversNon-paged pool

Memory always resides in RAM (never paged out)Can be accessed at any IRQL

Paged poolMemory can be swapped to diskShould be accessed at IRQL < DPC_LEVEL (2) only

Pool sizes are depend on the amount of RAM and the OS type (Professional vs. Servers)

Can be altered (up to some maxima) in registryHKLM\System\CurrentControlSet\Control\Session Manager\Executive

Task Manager displays current sizes





DriverObjectDriverObjectRepresents the driver for the I/O system

Includes dispatch routine pointers, AddDevice routine

pointer, Unload routine pointer, etc.

Created by the Kernel, passed to driver and filled by it

I/O Manager는 서로다른 Device에 대해서 서로다른 Driver Object를 이용하여, I/O 요청을 처리한다. Driver Object는 여러가지 Driver 함수들로 이루어져있다.

I/O Manager는 Driver가 Load될 때 driver object를 만든다. 초기화 과정중, DriverEntry 루틴은 Driver Object안의 여러다른 함수 포인터를 Load한다.IRP가 특정 디바이스로 전달되면 I/O Manager는 Driver Object를 이용하여 올바른 Dispatch routine을 찾는다.만약 I/O Request가 실제 device operation이 필요하다면, I/O Manager는 Diver의 Start I/O routine을 찾기 위해서 Driver Object를 사용한다.





Layout of a Driver ObjectLayout of a Driver Object





Device objectDevice object

Device object (DEVICE_OBJECT)

Defines a specific device (usually hardware)

Associated with File objects

Allows for driver-defined extensions

Provides a DPC object for after Interrupt processing

Created by the driver using IoCreateDevice

Several may be created

운영체제에서 장치 마다 초기화를 실행한다 즉, DeviceObject를 생성해 주어야 한다.





Device NodeDevice Node

Represents a stack of devices

PDO: Physical Device Object

Created by the bus driver

FiDO: Filter Device Object

Optional lower/upper device

objects

FDO: Functional Device Object

The ¡actual¡ WDM driver

created device object

FiDOs

FDO

FiDOs

PDO





What is an IRP?What is an IRP?The IRP structure is defined in <wdm.h>

Contains all details needed to handle the request (codes,

buffers, sizes, etc.)

Accompanied by a set of structures of type

IO_STACK_LOCATION

Number of structures is the number of the devices in

this DevNode

Complements the data in the IRP

Broadly speaking, the data needed for handling the

request is ¡split¡ between the actual IRP object and the

¡current¡ I/O stack location

다른 드라이버와 통신하기 위한 구조체이다. 그리고 이 구조

체는 NonPagePool에 할당된다.





IRP(IO_STACK_LOCATION)IRP(IO_STACK_LOCATION)





IRP FlowIRP Flow

I/O ManagerI/O Manager

IRPIRP

FDO

PDO

FiDO

FiDO

FiDO

FiDO

Complete request

Register completion routine

Register completion routine

Call completion

routine

Call completion

routine

Processing on the way downProcessing on the way down

Processing on the way up

Processing on the way up





WDM 드라이버 기본 구조

DriverEntry Routine

AddDevice Routine

IRP Dispatch Routine

DriverUnload Routine





Driver Entry & AddDevie RoutineDriver Entry & AddDevie Routine





Dispatch & Unload RoutineDispatch & Unload Routine





How to make Device Driver?How to make Device Driver?

1. Get Wdk ->http://blog.naver.com/process3/20033597491

2. Get WinDbg -> http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

3. Get Virtual Pc Setting-> http://blog.naver.com/process3/20031131320

4. Set Symbol ->http://blog.naver.com/process3/20023393545

5. Build Source code -> http://blog.naver.com/process3/20031266400

http://blog.naver.com/process3/20031377259

6. Let¡s Do IT





Do you Make KB Filter Driver with me?Do you Make KB Filter Driver with me?



kosr wdm zelda - egloospds8.egloos.com/pds/200803/31/77/kosr_wdm_zelda.pdf · 2008-03-31 · -wdm...

Documents