[Windows driver development] (4) The Windows driver framework



I. Basic routines of an NT-style driver
1. Driver entry function: DriverEntry
    // General definition of a driver's DriverEntry
    NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath);

The main job of DriverEntry is to initialize the driver. It is called by the System process. When the driver is loaded, the system creates a driver object and queries the registry key that corresponds to this driver.
When DriverEntry is called, two parameters are passed in: a pointer to the driver object that was just created, and a pointer to a string naming the driver's service key. This string generally has the form \REGISTRY\MACHINE\SYSTEM\ControlSet\Services\[service name]. In drivers, strings are generally in UNICODE form.
Note: the service key string sometimes needs to be saved, because once the function returns the value may be empty. Like kernel functions in general, DriverEntry returns a value of type NTSTATUS. The macro NT_SUCCESS(NTSTATUS status) can be used to check whether a returned status indicates success.
In DriverEntry, a few things generally need to be done:
A. Set the driver's unload routine
B. Set the IRP dispatch functions
C. Create a device object
Of these, the unload routine and the IRP dispatch functions are set on the driver object. The driver object's MajorFunction array stores the dispatch function pointers for the individual IRP types.
In an NT driver, you can call IoCreateDevice to create a device object:
    // Definition of IoCreateDevice in the WDK
    NTKERNELAPI
    NTSTATUS
    IoCreateDevice(
        __in PDRIVER_OBJECT DriverObject,
        __in ULONG DeviceExtensionSize,
        __in_opt PUNICODE_STRING DeviceName,
        __in DEVICE_TYPE DeviceType,
        __in ULONG DeviceCharacteristics,
        __in BOOLEAN Exclusive,
        __out
        __drv_out_deref(
            __drv_allocatesMem(Mem)
            __drv_when((((inFunctionClass$("DRIVER_INITIALIZE"))
                ||(inFunctionClass$("DRIVER_DISPATCH")))),
                __drv_aliasesMem)
            __on_failure(__null))
        PDEVICE_OBJECT *DeviceObject
        );

DriverObject: Pointer to the driver object.
DeviceExtensionSize: The size of the device extension. The I/O manager creates a device extension of this size in memory and associates it with the device object.
DeviceName: The name of the device object.
DeviceCharacteristics: Characteristics of the device object.
Exclusive: Whether the device object is used in kernel mode; generally set to TRUE.
DeviceObject: Receives the pointer to the created device object.
Note: the device name string must have the form \Device\[device name].

There are generally two ways to let a user-mode application identify a device:
A. Symbolic link
B. Device interface (rarely used in NT drivers)
A symbolic link can be understood as the name of the device object in user mode. That is, the device name is used in kernel mode and the symbolic link is used in user mode.
A symbolic link can be created with IoCreateSymbolicLink:
    // Definition of IoCreateSymbolicLink in the WDK
    NTKERNELAPI
    NTSTATUS
    IoCreateSymbolicLink(
        __in PUNICODE_STRING SymbolicLinkName,
        __in PUNICODE_STRING DeviceName
        );

SymbolicLinkName: The symbolic link name.
DeviceName: The device object name.
Note: in kernel mode, a symbolic link begins with "\??\" or "\DosDevices\", while in user mode it begins with "\\.\".

The device extension can be accessed with the following code:

    // Accessing the device extension
    PDEVICE_EXTENSION pDeviceExtension = (PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;

2. Driver unload routine: DriverUnload
This routine is invoked when the driver is unloaded. In an NT driver it is responsible for deleting the device objects created in DriverEntry and for deleting the associated symbolic links. It is also responsible for reclaiming certain resources.
The function that deletes a device object is IoDeleteDevice:
    // Definition of IoDeleteDevice in the WDK
    NTKERNELAPI
    VOID
    IoDeleteDevice(
        __in __drv_mustHold(Memory) __drv_freesMem(Mem)
        PDEVICE_OBJECT DeviceObject
        );

DeviceObject: Pointer to the device object to be deleted.
The function that deletes a symbolic link is IoDeleteSymbolicLink:
    // Definition of IoDeleteSymbolicLink in the WDK
    NTKERNELAPI
    NTSTATUS
    IoDeleteSymbolicLink(
        __in PUNICODE_STRING SymbolicLinkName
        );

SymbolicLinkName: The registered symbolic link to be deleted.

Starting from the driver object, all device objects created by the driver can be traversed. The DeviceObject field of the driver object points to the first device object; from there, the NextDevice field of each device object leads to the other device objects in the device list.
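The traversal described above, written out as an unload routine. This is an added example, not code from the original post: it is a user-mode model in which the stand-in types, the IoDeleteDevice and IoDeleteSymbolicLink stubs, and the hypothetical helpers model_create and model_unload_three keep only the WDK names the loop uses, so that it compiles outside the kernel. NextDevice is read before IoDeleteDevice is called because the device object and its extension no longer exist afterwards.

```c
/* Added example, user-mode model: stand-in types and stubs keep only the WDK
   names the unload loop uses. A real driver includes <ntddk.h> instead. */
#include <stdlib.h>
typedef struct { const wchar_t *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _DEVICE_OBJECT {
    struct _DEVICE_OBJECT *NextDevice;     /* next device of the same driver */
    void *DeviceExtension;
} DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef struct { PDEVICE_OBJECT DeviceObject; } DRIVER_OBJECT, *PDRIVER_OBJECT;
typedef struct { UNICODE_STRING ustrSymbolicLinkName; } DEVICE_EXTENSION, *PDEVICE_EXTENSION;

int g_links_deleted, g_devices_deleted;    /* what the stubs were asked to do */
static void IoDeleteSymbolicLink(PUNICODE_STRING name) { (void)name; g_links_deleted++; }
/* Stub: the device object and its extension are freed together. */
static void IoDeleteDevice(PDEVICE_OBJECT dev) {
    free(dev->DeviceExtension);
    free(dev);
    g_devices_deleted++;
}
/* Hypothetical helper standing in for IoCreateDevice + IoCreateSymbolicLink. */
static void model_create(PDRIVER_OBJECT drv) {
    PDEVICE_OBJECT dev = calloc(1, sizeof *dev);
    PDEVICE_EXTENSION ext = calloc(1, sizeof *ext);
    if (dev == NULL || ext == NULL) abort();
    ext->ustrSymbolicLinkName.Buffer = L"\\DosDevices\\ModelDev"; /* constructed */
    dev->DeviceExtension = ext;
    dev->NextDevice = drv->DeviceObject;   /* new device becomes the list head */
    drv->DeviceObject = dev;
}

void DriverUnload(PDRIVER_OBJECT pDriverObject) {
    PDEVICE_OBJECT pDev = pDriverObject->DeviceObject;     /* first device */
    while (pDev != NULL) {
        PDEVICE_EXTENSION pExt = (PDEVICE_EXTENSION)pDev->DeviceExtension;
        PDEVICE_OBJECT pNext = pDev->NextDevice;   /* read before the delete */
        IoDeleteSymbolicLink(&pExt->ustrSymbolicLinkName); /* pExt still valid */
        IoDeleteDevice(pDev);                      /* pDev and pExt are gone */
        pDev = pNext;
    }
}

/* Constructed sample: three devices; returns how many were deleted. */
int model_unload_three(void) {
    DRIVER_OBJECT drv = { NULL };
    g_links_deleted = g_devices_deleted = 0;
    for (int i = 0; i < 3; i++) model_create(&drv);
    DriverUnload(&drv);
    return g_devices_deleted;
}
int main(void) { return model_unload_three() == 3 ? 0 : 1; }
```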

II. Basic routines of a WDM driver

In the WDM model, operating a device requires at least two device objects working together. One is the physical device object (Physical Device Object, PDO for short), the other is the functional device object (Function Device Object, FDO for short). When a device is plugged into the computer, the bus driver automatically creates the PDO. The PDO alone cannot operate the device; it must be used together with an FDO. When Windows prompts you to install a driver, what is installed is the WDM driver, which is responsible for creating the FDO and attaching it to the PDO.
When an FDO is attached to a PDO, the PDO's AttachedDevice field records the position of the FDO. The PDO is the lower-level driver and the FDO is the upper-level driver.
Filter drivers can exist between the FDO and the PDO. Those above the FDO are called upper filter drivers, and those below the FDO are called lower filter drivers. A WDM driver can have many upper filter drivers and lower filter drivers. The StackSize field of a device object indicates how many device objects there are from this device object down to the lowest physical device.
1. WDM driver entry function: DriverEntry
Like an NT driver, a WDM driver uses DriverEntry as its entry point. However, the device object is no longer created in DriverEntry; that work moves to a new routine, AddDevice. In addition, a dispatch function for IRP_MJ_PNP is added.
The AddDevice routine is specific to WDM. Its address is set in DriverEntry, by storing the address of the actual AddDevice routine in the AddDevice field of the driver object's DriverExtension field. The AddDevice routine can have any name.
    // Declaration of the AddDevice function
    NTSTATUS MyAddDevice(IN PDRIVER_OBJECT pDriverObject, IN PDEVICE_OBJECT PhysicalDeviceObject);

    // Set the address of the actual AddDevice routine
    pDriverObject->DriverExtension->AddDevice = MyAddDevice;

2. Driver unload routine: DriverUnload()

In a WDM driver, the unload work is done by the dispatch function that handles IRP_MN_REMOVE_DEVICE, while DriverUnload reclaims the memory allocated in DriverEntry.

Drivers are internally driven by IRPs. IRP_MN_REMOVE_DEVICE is the IRP that the Plug and Play manager creates and sends to the driver when a device needs to be removed. An IRP is generally identified by two numbers that give its specific meaning: the major IRP code (Major IRP) and the minor IRP code (Minor IRP).
When a device needs to be removed, several IRP_MJ_PNP IRPs are generated. Their minor codes differ; one of them is IRP_MN_REMOVE_DEVICE.
In a WDM driver, device removal is handled in the IRP_MN_REMOVE_DEVICE handler. Besides deleting the device and removing the symbolic link, the FDO must also be removed from the PDO's stack by calling IoDetachDevice:
    // Definition of IoDetachDevice in the WDK
    NTKERNELAPI
    VOID
    IoDetachDevice(
        __inout PDEVICE_OBJECT TargetDevice   // The lower device object in the stack
        );

At this point the FDO has been removed from the device chain, but the PDO still exists. The operating system is responsible for deleting the PDO.

Basic steps of AddDevice:
1. In AddDevice, create the FDO with IoCreateDevice and create a symbolic link for the FDO.
2. Save the address of the newly created FDO in the device extension.
3. Call IoAttachDeviceToDeviceStack to attach the FDO to the PDO.
    // Definition of IoAttachDeviceToDeviceStack in the WDK
    NTKERNELAPI
    PDEVICE_OBJECT
    IoAttachDeviceToDeviceStack(
        __in __drv_mustHold(Memory) __drv_when(return!=0, __drv_aliasesMem)
        PDEVICE_OBJECT SourceDevice,
        __in PDEVICE_OBJECT TargetDevice
        );

SourceDevice: The FDO is attached to the PDO; this parameter is the FDO.
TargetDevice: The device being attached to. If filter drivers exist between the FDO and the PDO, the FDO is actually attached to the filter driver, and the filter driver is attached to the PDO.
Return value: The device directly below SourceDevice.

    // Definition of the device extension
    typedef struct _DEVICE_EXTENSION
    {
        PDEVICE_OBJECT pFunctionDeviceObject;   // The device object (FDO)
        UNICODE_STRING ustrDeviceName;          // The device name
        UNICODE_STRING ustrSymbolicLinkName;    // The symbolic link name
        PDEVICE_OBJECT pNextStackDevice;        // Address of the lower device object in the stack
    } DEVICE_EXTENSION, *PDEVICE_EXTENSION;

4. Set the Flags of pFunctionDeviceObject.
DO_BUFFERED_IO: The device uses buffered memory for I/O.
~DO_DEVICE_INITIALIZING: This mask must be applied to Flags, indicating that initialization is complete.
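The four AddDevice steps as one routine, including the case where the attach fails and the new FDO has to be released again. This is an added example, not code from the original post: a user-mode model in which the types and IoAttachDeviceToDeviceStack are stand-ins with WDK names, ModelRemoving is a hypothetical field used to make the attach fail, and MyAddDevice returns the FDO instead of an NTSTATUS; the two flag values are the ones the WDK headers define.

```c
/* Added example, user-mode model of the AddDevice steps. Types and the attach
   routine are stand-ins with WDK names; ModelRemoving is a hypothetical field. */
#include <stdlib.h>
#define DO_BUFFERED_IO         0x00000004
#define DO_DEVICE_INITIALIZING 0x00000080

typedef struct _DEVICE_OBJECT {
    struct _DEVICE_OBJECT *AttachedDevice;  /* device layered directly above */
    unsigned long Flags;
    int StackSize;                          /* devices from here down to the PDO */
    int ModelRemoving;                      /* model only: stack is going away */
    void *DeviceExtension;
} DEVICE_OBJECT, *PDEVICE_OBJECT;
/* Two of the fields of the page's DEVICE_EXTENSION. */
typedef struct { PDEVICE_OBJECT pFunctionDeviceObject, pNextStackDevice; } DEVICE_EXTENSION;

/* Stand-in: put Source on top of Target's stack; NULL if it cannot attach. */
static PDEVICE_OBJECT IoAttachDeviceToDeviceStack(PDEVICE_OBJECT Source, PDEVICE_OBJECT Target) {
    while (Target->AttachedDevice != NULL) Target = Target->AttachedDevice;
    if (Target->ModelRemoving) return NULL;
    Target->AttachedDevice = Source;
    Source->StackSize = Target->StackSize + 1;
    return Target;                          /* the device now directly below */
}

/* Steps 1-4 of the list above; returns the FDO, or NULL after cleaning up. */
PDEVICE_OBJECT MyAddDevice(PDEVICE_OBJECT PhysicalDeviceObject) {
    PDEVICE_OBJECT fdo = calloc(1, sizeof *fdo);       /* 1: IoCreateDevice */
    DEVICE_EXTENSION *ext = calloc(1, sizeof *ext);
    if (fdo == NULL || ext == NULL) { free(fdo); free(ext); return NULL; }
    fdo->Flags = DO_DEVICE_INITIALIZING;               /* state of a new device */
    fdo->DeviceExtension = ext;
    ext->pFunctionDeviceObject = fdo;                  /* 2: remember the FDO */
    ext->pNextStackDevice = IoAttachDeviceToDeviceStack(fdo, PhysicalDeviceObject);
    if (ext->pNextStackDevice == NULL) {               /* 3 failed: undo step 1 */
        free(ext); free(fdo);
        return NULL;
    }
    fdo->Flags |= DO_BUFFERED_IO;                      /* 4: buffered I/O */
    fdo->Flags &= ~DO_DEVICE_INITIALIZING;             /* 4: initialization done */
    return fdo;
}

int main(void) {   /* constructed stack: PDO with one lower filter attached */
    DEVICE_OBJECT pdo = { .StackSize = 1 }, filter = { 0 };
    IoAttachDeviceToDeviceStack(&filter, &pdo);
    PDEVICE_OBJECT fdo = MyAddDevice(&pdo);
    return (fdo != NULL && fdo->StackSize == 3) ? 0 : 1;
}
```

With a filter already on the PDO, pNextStackDevice ends up pointing at the filter rather than at the PDO passed in, which is the device later requests have to be forwarded to.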

Posted by Frederick at December 02, 2013 - 5:57 AM