Haha, finally time to write another blog. I've been having too much fun messing around in kernel mode and getting random BSODs because I messed something up.

Anyway, this blog will teach you the very basics of writing kernel-mode drivers for Windows 2000 / XP.

Note: 64-bit Windows Vista and later will NOT load a driver built the way shown here, because they require kernel-mode drivers to be digitally signed. An unsigned driver loads fine on Windows 2000, XP and 32-bit Vista (or on x64 with test-signing enabled for development).

//=====================
// Writing a driver for windows
//=====================

* Tools Needed:

Windows Driver Development Kit (the Windows XP DDK)
Driver Tools (the DebugView and INSTDRV programs used later in this article)
A Text Editor (for writing the source code)
Medium level C knowledge
A test machine, ideally a virtual machine: a mistake in kernel-mode code takes the whole system down with a BSOD, not just your program, so don't develop on the box you care about.

* Win DDK


Before you start creating drivers you will need to understand the DDK: what it is and how to use it.
By now I hope you have already installed the DDK and have it ready for use.

The Driver Development Kit contains all the header files needed to compile your kernel driver, and it also compiles your source. For example: in a normal Windows user-mode application you would be accustomed to including windows.h as a header file. In kernel mode this is replaced by ntddk.h, the kernel-mode "version" of windows.h. Nothing from windows.h (or from the C runtime you would use with it, like printf or malloc) is available in a driver; you only get what the kernel itself exports.

ntddk.h is where most kernel-mode APIs are declared.

Later, after you learn the skeleton of a driver source, I will explain how to compile a driver with the DDK.

* The Source

Now I am going to show you how a basic driver should look. Think of this as the driver version of the "hello world" program. In fact, I think we should make our driver print hello world!

Now, as I stated in the DDK explanation, the header file ntddk.h MUST be included at the top of your source:

Code:
#include "ntddk.h"

If you have already programmed for the console in C / C++, I'll assume that you know about the int main() function. Well, the driver equivalent to that is DriverEntry, which the I/O manager calls once when the driver is loaded:

Code:
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
Treat this exactly as you would int main(). But as you can see, DriverEntry is of type NTSTATUS, which means it returns an NTSTATUS code. Its two parameters are the DRIVER_OBJECT the kernel created for your driver (you hang your callbacks off it) and the path of the driver's service key in the registry. So in the body of DriverEntry we will put:

Code:
return STATUS_SUCCESS;
This tells the operating system that the function succeeded. If DriverEntry returns a failure status instead (for example STATUS_UNSUCCESSFUL, when something you need is missing), the kernel does not keep the driver loaded, so this is where you bail out if initialization fails.

Here is an example of what your driver source should look like at the moment:

Code:
#include "ntddk.h"

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )
{
    // Nothing to set up yet, just report success so the driver stays loaded.
    return STATUS_SUCCESS;
}
It might seem too simple to be a kernel-mode driver, but this will compile and can be loaded successfully.

* DbgPrint("Noz3001");


If you have written C / C++ programs in the past, you might have found yourself in a situation where you need to print information to the screen for debugging or other purposes. If you use C, you will probably be familiar with using the printf() function to print information.
There is an equivalent function in kernel mode. It takes the same parameters (a format string followed by the values to print) and is just as easy to call! The only problem is that viewing the output is not as simple as with printf. This function is DbgPrint(). Two things to keep in mind: the format string must be one you wrote yourself, so if you ever print a string that came from somewhere else, write DbgPrint("%s", buf) rather than DbgPrint(buf), exactly as you would to avoid a format-string bug with printf; and there is a kernel-specific %wZ specifier for printing a UNICODE_STRING such as the RegistryPath parameter.

We are going to make our driver print "hello world" when it's loaded by using DbgPrint. An example of doing so is shown below:

Code:
DbgPrint("Hello World!");
If you place this code in the DriverEntry function, the driver will print our string when it is loaded. The only problem is that we have nothing to view the string with! Don't worry, that's why I made you download the "driver tools" at the beginning of this article. Extract them to your computer using WinRAR and open the file called "Dbgview" (Sysinternals DebugView). Once it is open, make sure Capture -> Capture Kernel is ticked, otherwise kernel-mode output is not shown.

It should look like this:
[Screenshot: the DebugView main window]




This program catches all the strings "DbgPrinted" and displays them to you! This is how you are going to view your hello world string later on.

Now add your DbgPrint() code to your source, and while you are at it give the driver an unload routine. My source looks like this:

Code:
#include "ntddk.h"

// Called by the I/O manager when the driver is stopped (INSTDRV's Stop button or "sc stop").
// Release anything DriverEntry allocated here; this sample allocates nothing.
VOID DriverUnload( IN PDRIVER_OBJECT DriverObject )
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Goodbye World!\n");
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )
{
    // %wZ prints a UNICODE_STRING; the registry path is a safe value to try it on.
    DbgPrint("Hello World! Loaded from %wZ\n", theRegistryPath);

    // Register the unload routine so the driver can be stopped without a reboot.
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

Note the line DriverObject->DriverUnload = DriverUnload;. You always need to give your driver an unload routine, so the user doesn't have to restart to unload it! A driver with no unload routine cannot be stopped: the service manager refuses the stop request and the driver stays in memory until reboot. The unload routine is also the place to undo everything DriverEntry did (free pool, delete device objects, remove symbolic links) so nothing is left dangling in the kernel after you are gone.

* Compiling your first Driver

This is the fun part!! Getting to use the DDK!!
Firstly, I hope you have created your source file on the same drive as you installed the DDK! If not, copy it over.

Note: Make sure the folder / source name have NO spaces in them! build.exe does not cope with them.

There are two more small files you need to create before the DDK will compile your source: SOURCES and MAKEFILE.

Both have NO file extension, and MAKEFILE is always the same.

MAKEFILE
!INCLUDE $(NTMAKEENV)\makefile.def

SOURCES
TARGETNAME=Noz3001_Driver
TARGETPATH=Release
TARGETTYPE=DRIVER
SOURCES=DriverMain.c

In SOURCES, TARGETNAME is the filename of the compiled driver (Noz3001_Driver.sys). TARGETPATH is the folder where the driver will be put; the build adds an architecture subfolder beneath it, so look for the .sys in Release\i386 for a 32-bit XP build. TARGETTYPE=DRIVER tells the build to produce a kernel-mode .sys rather than a user-mode program, and SOURCES lists your source file(s).

OK, now we can open the DDK compiler. Click Start->Development Kits and look for "Windows XP Free Build Environment". (The "Checked Build Environment" next to it produces a debug build with extra assertions; the free build is the release configuration.) This is an ordinary command prompt with the DDK's compiler, linker and build.exe on the path.
Once here, type "cd.." and press enter until the current directory can't get any lower, e.g. "C:\>".

Now type CD again and after it put the full path to the folder where your 3 files are (or do it in one step with cd /d followed by the path). Now type "build" (without the quotes) and press enter. You should see something like this:
[Screenshot: the build environment window after a successful build]



Note: If you get any errors, review your source and try to find what you did wrong. build writes the full compiler output to buildfre.log, buildfre.err and buildfre.wrn in the same folder, which is easier to read than the console.

If your DDK screen looks like mine, CONGRATULATIONS! You just created your first kernel-mode driver!
But wait, that's not all! You still have to make sure it works.

Make sure you still have DbgView open so you can see the result of your DbgPrint. Now it's time to use the other program I included in my "driver tools" file, "INSTDRV". This program can load your driver for you! It registers the .sys with the service control manager as a kernel-type service and starts it, which is the same thing a real installer (or sc.exe from the command line) does, and it saves you a lot of time when you are still testing your driver, so keep it handy! Loading a driver requires administrator rights, because whatever the driver does runs with full kernel privilege.

Once opened it will look like this:
[Screenshot: the INSTDRV window]



Now enter the full path to your driver in the pathname text box and click Install. Once the status says "Operation successful", click the Start button to start your driver. That is the moment DriverEntry runs. When you are done, Stop unloads it (this is what the DriverUnload routine is for) and Remove deletes the service entry again.

Now go back to DbgView. If your driver has worked you will see something like this:
[Screenshot: DebugView showing the Hello World! line]
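The whole build / install / start / stop / remove cycle can also be scripted instead of clicking through INSTDRV. Here is an added example (my own script, not part of the original tutorial or the DDK) in PowerShell, run from an elevated prompt on a 32-bit XP/2000 test VM. It assumes the DDK lives at C:\WINDDK\2600, the three files are in C:\Drivers\Hello and the build drops the .sys in Release\i386; adjust the setenv.bat arguments to match the Target of your own "Free Build Environment" shortcut.

```powershell
# Added example (not from the original post): build, load, exercise and unload the
# hello-world driver from an elevated PowerShell prompt on a 32-bit Windows XP test VM.
# Assumptions (not stated in the post): the XP DDK is installed at C:\WINDDK\2600,
# the SOURCES/MAKEFILE/DriverMain.c live in C:\Drivers\Hello, and the built driver
# lands in Release\i386 under that folder.
$Ddk     = 'C:\WINDDK\2600'
$SrcDir  = 'C:\Drivers\Hello'
$Name    = 'Noz3001_Driver'                  # TARGETNAME from SOURCES, reused as the service name
$SysPath = Join-Path $SrcDir "Release\i386\$Name.sys"

# 1. Build with the free (release) XP environment. setenv.bat is a batch file, so it has
#    to run inside cmd.exe; "build -cZ" cleans and then builds the directory we are in.
cmd.exe /c "call `"$Ddk\bin\setenv.bat`" $Ddk fre WXP && cd /d $SrcDir && build -cZ"
if (-not (Test-Path $SysPath)) {
    throw "build failed: $SysPath not found, check buildfre.err in $SrcDir"
}

# 2. Register the driver as a kernel-type service (this is what INSTDRV's Install does).
#    The space after 'type=' / 'start=' / 'binPath=' is required by sc.exe. Call sc.exe
#    explicitly: in PowerShell a bare 'sc' is an alias for Set-Content.
sc.exe create $Name type= kernel start= demand binPath= $SysPath
if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }

# 3. Start it: this is the call that runs DriverEntry, so the "Hello World!" line shows
#    up in DebugView (with Capture Kernel enabled) at this point.
sc.exe start $Name
sc.exe query $Name        # STATE should read RUNNING

# 4. Stop and remove. Stopping only works because DriverEntry set DriverObject->DriverUnload;
#    without an unload routine sc.exe reports that the control is not valid for this service
#    and the driver stays loaded until reboot.
sc.exe stop $Name
sc.exe delete $Name
```

Running the stop and delete steps every time keeps the service table clean between test builds; if you forget, the next sc.exe create fails because the service name already exists.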


WELL DONE!! You just created a working kernel-mode driver AND used a kernel-mode function!

I think you should give yourself a pat on the back!