Windows kernel programming

101
Presented by
Japneet Singh
 Agenda
Kernel mode and user mode
Memory view
Execution view
Basics of kernel programming
Demo
 Useful information
Discussion only Wintel x86
Minimal discussion of concepts enough for
writing a basic kernel program
User mode and Kernel mode
 System architecture
MEMORY
I/O

CPU
I/O

I/O
 No separation of KM and UM
MEMORY
I/O

CPU
I/O Process P1
Kernel

Driver D1

Process P2
Driver
D2
I/O
 Problems
Accidental/malicious modification of one
address space by another
Accidental/malicious modification of device
memory/registers by a process
 Separation of KM and UM
MEMORY
I/O

CPU Driver D1
I/O
Kernel

Driver
D2

Process P1 Process P2

Privileged
instructions
I/O
Non-Privileged
instructions
 KM only privileged operations
Access to I/O devices
Modifying Kernel mode memory
Modifying critical CPU registers
Thread Switching / Scheduling
Enabling / disabling interrupts
 Protection rings

Windows uses only Ring 0 and Ring 3

 Anatomy of System call
Call ReadFile() Application

ReadFile
Call NtReadFile() Kernel32.dll
Return to caller

NtReadFile
Int 2E Ntdll.dll
Return to caller
User mode

KiSysremService Kernel mode

Call NtReadFile() Ntoskrnl.exe
Dismiss interrupt

NtReadFile Ntoskrnl.exe
Invoke driver
Whether to wait depends Wait or return
on overlapped flag to caller

Initiate I/O Driver.sys

operation
Return to caller
Memory view of User mode and
Kernel mode
 An example

Process P1 Process P2 Driver D1 Driver D2

 P1 view of Virtual memory

User mode VM (2GB)

Process P1
 P2 view of Virtual memory

User mode VM (2GB)

Process P2
 P1s Page Table

Process P1 Windows kernel

Driver D1 Driver D2
 P2s Page Table

Process P2 Windows kernel

Driver D1 Driver D2
 Physical Memory view
Process P1 Windows kernel

Process P2 Pagefile

Driver D1 Driver D2
Execution view of User mode and
Kernel mode
 Boot time
System boots in Ring 0
Boot loader loads Windows Kernel and
transfers control
Windows kernel sets up Ring 3 and transfers
control
 Run time
I/O

Driver D1
I/O
Kernel

Driver
D2

Process P1

Process P2
I/O
Basics of Windows kernel
programming
1 I/O request passes Environment
through subsystem DLL
subsystem or
DLL 7 Complete IRP and return
NtWriteFile(file_handle,, success or error status
2
char_buffer)
User mode
Kernel mode
Services
I/O manager
3 Create IRP and send IRP
6 Handle interrupt and
it to device driver
return success or
IRP error status
Device
driver
4 Tranfer data
specified in IRP
5 Perform I/O and interrupt

Queuing and completing a synchronous request

 I/O Manager
Manages the communication between
applications and device drivers
Packet based asynchronous communication
Layered model
 I/O Request Packet
Operation Read/Write/IOCTL
Data in and out
Status
Call Stack
 Context
Context is an assumption of which Page table
is in use
Different contexts
User Process context
System Process context
Arbitrary context
 A metaphor - Driver is a DLL
DLL
Loaded/Unloaded dynamically within
process space
DllMain (PROCESS_ATTACH)
DllMain (PROCESS_DETACH)
Visibility of full process memory
Coexist with other DLLs
Allocate memory dynamically from
process heap
Accidental / malicious fiddling with
other DLLs data / execution has
harmful impact on the process
Driver
Loaded/Unloaded dynamically within
kernel space
DriverEntry
DriverUnload
Visibility of full Kernel + current Process
memory
Coexist with other drivers and Kernel
Allocate memory dynamically from
System pool
Accidental / malicious fiddling with
other drivers and Kernel data /
execution has harmful impact on the
System
 Driver functions and structures
Functions
DriverEntry
DriverUnload
Dispatch functions
Structures
DRIVER_OBJECT represents the Driver itself
DEVICE_OBJECT represents logical or physical dev
IRP
 Dispatch functions
CreateFile IRP_MJ_CREATE
ReadFile IRP_MJ_READ
WriteFile IRP_MJ_WRITE
CloseFile IRP_MJ_CLOSE
DeviceIoControl IRP_MJ_IOCTL
Demo