Baby Steps in Windows Device Driver Development: Part 2, “Hello World” Driver

June 4, 2011


In this installment, we will compile and deploy our first driver. You should have all the tools installed already.

Windows device drivers are reactive programs—all they really do is respond to events, somewhat similar to GUI programs. The kinds of events drivers recognize include:

  • Loading the driver into memory and unloading it from memory
  • Adding a new hardware device for which the driver is responsible
  • Transitioning to a power-savings mode
  • Reading from and writing to a device
  • Handling an interrupt arriving from a device

A driver handles these events by registering callback functions that Windows invokes; the driver itself has no main loop. In this post, we will use only two of these callbacks: DriverEntry, invoked when the driver is loaded, and DriverUnload, invoked when it is unloaded.

Type the following into your favorite code editor and save it as HelloWorldDriver.c:

#include <ntddk.h>

/* Role-type declarations: they let the compiler and Static Driver Verifier
   check that the callbacks have the signatures the kernel expects. */
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;

/* Called by the I/O manager when the driver is unloaded (e.g. when its
   service is stopped). If DriverEntry never sets this routine, the driver
   cannot be unloaded at all until the next reboot. */
VOID DriverUnload(
    PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver unloading\n");
}

/* Entry point, called once when the driver is loaded. RegistryPath is the
   driver's service key (HKLM\SYSTEM\CurrentControlSet\Services\<name>). */
NTSTATUS DriverEntry(
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Hello, World\n");
    return STATUS_SUCCESS;
}

This is your first driver. Very simple indeed—all this driver does is print a couple of debugging messages when you load it and unload it. You will need a couple of build files that tell the build engine what to do with your sources. Here are the files:

File name: SOURCES

# Name of the output binary (HelloWorldDriver.sys) and where to put it
TARGETNAME = HelloWorldDriver
TARGETPATH = obj
# DRIVER = a kernel-mode driver linked against the kernel, not a user-mode EXE or DLL
TARGETTYPE = DRIVER

# Source files to compile. The WDK build environment already supplies the
# kernel include and library paths, so no INCLUDES or TARGETLIBS line is needed.
SOURCES = HelloWorldDriver.c

File name: makefile

!INCLUDE $(NTMAKEENV)\makefile.def

This file must be named makefile (no extension) and must contain exactly this one line, which pulls in the WDK’s own makefile.def. Never put project settings in it; they belong in SOURCES.

To compile the driver, open the build environment for your target OS and architecture from the Windows Driver Kits start menu folder, for example the Windows 7 x86 Checked Build Environment. The “checked” build is akin to Debug mode (optimizations off, ASSERTs enabled), and the “free” build is equivalent to Release mode. The environment you pick determines which Windows versions and which architecture (x86 or x64) the resulting .sys will load on.


All that’s left now is to compile the driver. In the WDK build environment command prompt, navigate to the directory containing HelloWorldDriver.c, SOURCES and makefile, and run build (build.exe reads SOURCES and drives the compiler and linker; build -cZ forces a clean rebuild). Errors and warnings are also written to build*.log, build*.err and build*.wrn in that directory. If there have been no errors, you should find HelloWorldDriver.sys and HelloWorldDriver.pdb in an obj* subdirectory named after the build type, target OS and architecture, such as objchk_win7_x86\i386.

And now, deployment time. Copy HelloWorldDriver.sys to the target system, preferably a virtual machine with a fresh snapshot: a driver runs in kernel mode with full privilege, so a bug in it crashes or corrupts the whole machine rather than a single process, and a misbehaving driver on your development box can take your work with it. On the target, run the OSR Driver Loader as an administrator, point it to your driver’s location, click “Register Service” (which creates a kernel-driver service entry for the .sys) and then “Start Service”. Your driver should be running! Two things that commonly stop it from running: the .sys must match the architecture of the build environment you used, and on 64-bit Windows Vista and later the kernel refuses to load a driver that is not signed, so either test-sign it and enable test-signing mode (bcdedit /set testsigning on, then reboot) or use a 32-bit test VM.


If you want to see the DbgPrint output without a kernel debugger attached, use a utility like Sysinternals DebugView, run as administrator. In DebugView, hit Ctrl+K (Capture Kernel) to enable kernel debug spew, and then start and stop your driver a few times. You should see load and unload messages pile up in the DebugView window. On Windows Vista and later, DbgPrint output is filtered by default and DebugView shows nothing until the filter is opened: create the DWORD value DEFAULT = 0xF under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter and reboot, or, with a kernel debugger attached, set it live with ed Kd_DEFAULT_Mask 0xF.
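Here is what the two steps above (registering and starting the service, and making DbgPrint output visible) look like when scripted, as an added example that is not part of the original post and is not OSR’s code. It uses sc.exe, the same service-control interface that OSR Driver Loader drives through its buttons. The path C:\Drivers\HelloWorldDriver.sys and the service name are assumptions; change them to match where you copied the .sys.

```powershell
# Added example (not from the original post): register, start, stop and
# remove the HelloWorldDriver service with sc.exe. Run from an elevated
# PowerShell prompt on the TEST machine (a VM with a snapshot), never on
# your workstation: a kernel driver runs at ring 0 and a bug takes the
# whole machine down.
$ErrorActionPreference = 'Stop'
$Name    = 'HelloWorldDriver'                   # assumed service name
$SysPath = 'C:\Drivers\HelloWorldDriver.sys'    # assumed copy location

if (-not (Test-Path $SysPath)) { throw "driver binary not found: $SysPath" }

# On 64-bit Vista and later the kernel refuses unsigned drivers. If you are
# test-signing, enable test-signing mode once and reboot before loading:
# bcdedit /set testsigning on

# DbgPrint output is filtered on Vista and later; open the DEFAULT component
# to all levels (0xF) so DebugView's "Capture Kernel" shows it. The registry
# value is read at boot, so reboot once after setting it.
$filterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'
if (-not (Test-Path $filterKey)) { New-Item -Path $filterKey | Out-Null }
Set-ItemProperty -Path $filterKey -Name 'DEFAULT' -Value 0xF -Type DWord

# Use sc.exe explicitly: in PowerShell, "sc" is an alias for Set-Content.
# sc.exe's parser requires the space after each "=".
sc.exe create $Name type= kernel start= demand binPath= $SysPath
sc.exe start  $Name     # DriverEntry runs: "Hello, World" appears in DebugView
sc.exe query  $Name     # should report STATE : 4 RUNNING
sc.exe stop   $Name     # DriverUnload runs: "Driver unloading" appears
sc.exe delete $Name     # remove the service entry again
```

Using start= demand rather than boot or system means the driver is only loaded when you ask for it, which is what you want while it is still crashing; the delete at the end leaves no stale service entry pointing at a file you will overwrite on the next build.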

How far is this driver of ours from being useful? From talking to actual hardware? Quite far, and I’m not sure we’ll make it that far 🙂 However, in the near future we sure are going to run some interesting code in kernel mode and in the somewhat farther future see how rootkits use drivers to hide processes and files.


3 comments

  1. Raj, June 7, 2011 at 8:55 PM

    This seems easy to do; however, the first part seems difficult. Why have a COM port for debugging? I am sure there must be some valid reason for that; I will try it out.
    If I can make Hello World, then I guess all other things would be really simple.
  2. Roma, June 22, 2013 at 10:29 PM

    Thank you a lot!!!!
    I am new to the Windows kernel and I made a driver for our
    device (mostly relied on MSDN).

    Now I am having trouble compiling it.

    When I include ntddk it returns like 100 errors.
    I succeeded in building, but nothing happened.

    This tutorial was really helpful since I had no idea about source files etc.
  3. JQ, October 26, 2013 at 7:47 AM

    To anyone who is going through these tutorials in 2013, I recommend VirtualKD, which makes kernel debugging a breeze on VirtualBox. It only works with 4.1.* versions of VirtualBox, but makes it tremendously easy once you have it set up. Also, I was unable to get OSR Loader to work on Windows 7 x64, but I imagine this has to do with driver signing. You can install your driver simply by going to Device Manager -> right click on computer -> Add legacy hardware and selecting your .sys; everything else works great! Thanks for the tutorial!