windows 内核驱动开发笔记:入门篇

1
2
3

系统 :windows 7 x64  + vs 2008
测试 :vmware  windows xp
调试 :windbg 双机调试

wdk 安装

地址:http://download.microsoft.com/download/4/A/2/4A25C7D5-EFBE-4182-B6A9-AE6850409A78/GRMWDK_EN_7600_1.ISO
添加安装目录到环境变量

配置 vs 2008

添加文件

选工具(T)→选项(O)….→项目→VC++目录→
a 在可执行文件目录中添加：
C:\DDK\BIN\X86

b 在包含文件目录添加如下路径
C:\DDK\inc\wdf\kmdf\1.9
C:\DDK\inc\api
C:\DDK\inc\crt
C:\DDK\inc\ddk

c 在库文件目录中添加：
C:\DDK\lib\wdf\kmdf\i386\1.9
C:\DDK\lib\wxp\i386

安装 ddkwizard

下载地址: http://ddkwizard.assarbad.net/

默认安装ddkwizard_setup.exe 复制 ddtbuild.cmd 到wdk 安装目录

hellodrive

第一个驱动

重启 vs 2008 新建项目 driver 配置对应信息
调试语句

入口点:DriverEntry 
KdPrint(("[+] DriverEntry\n"));
卸载:HELLODRIVE_DriverUnload
KdPrint(("[+] Driver Unload\n"));

wxp check F7 编译

1>------ 已启动生成: 项目: HelloDrive.WXP, 配置: WXP checked Win32 ------
1>正在执行生成文件项目操作
1>OSR DDKBUILD.CMD V7.4/r60 (2009-11-28) - OSR, Open Systems Resources, Inc.
1>Launching OACR monitor
1>OACR NOTE : Not starting monitor (oacr running in job that doesn't allow break-away)
1>DDKBLD: New build number is 5 ...
1>DDKBLD: WXP (checked) using the Windows XP DDK and %WXPBASE%
1>DDKBLD: Directory: f:\Program\Windows\Project\HELLOD~1\HELLOD~1\HELLOD~1
.............
1>    2 files compiled - 2 Warnings
1>    1 executable built
1>DDKBLD: Build complete
1>DDKBLD: Building browse information files
1>生成日志保存在“file://f:\Program\Windows\Project\HelloDrive\HelloDrive\HelloDrive\BuildLog.htm”
1>HelloDrive.WXP - 0 个错误，个警告
========== 生成: 成功1 个，失败0 个，最新0 个，跳过0 个==========

F:\Program\Windows\Project\HelloDrive\HelloDrive\HelloDrive\objchk_win7_x86\i386 生成 HelloDrive.sys

windbg vmware 双机调试

虚拟机vmware 创建管道

\.\pipe\com_1

虚拟机增加 boot.ini

1	multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /debug /debugport=com1 /baudrate=115200

需要注意一问题 debugport=com1 这里需要看vmware 的显示串行1 还是 2
物理机连接 windbg.exe -b -k com:port=\.\pipe\com_1,baud=115200,pipe

调试 HelloDrive.sys

windbg 连接启动 int3 断点时输入 g 命令继续

 Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Fri Nov  1 02:20:26.215 2013 (UTC + 8:00)), ptr64 FALSE
Kernel Debugger connection established.  (Initial Breakpoint requested)
Symbol search path is: *** Invalid ***
........
** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlpa.exe - 
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_rtm.040803-2158
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x805541a0
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlpa.exe - 
nt!DbgBreakPointWithStatus+0x4:
80527da8 cc              int     3
kd> g

加载驱动

驱动加载工具 insdrv 加载 HelloDrive.sys (ctrl+break 和 g 命令切换)

[+] DriverEntry
.....
nt!DbgBreakPointWithStatus+0x4:
80527da8 cc              int     3
kd> ls
No current source file
kd> lm
start    end        module name
.........
bf9c1000 bf9d2580   dxg        (deferred)             
bf9d3000 bfb6e300   vmx_fb     (deferred)             
Unloaded modules:
b0c7f000 b0ca9000   kmixer.sys
babb0000 babb7000   HelloDrive.sys
b11ed000 b1217000   kmixer.sys
bae9f000 baea0000   drmkaud.sys
b12b7000 b12da000   aec.sys 
b138f000 b139c000   DMusic.sys
b139f000 b13ad000   swmidi.sys
bae44000 bae46000   splitter.sys
babb0000 babb5000   Cdaudio.SYS
ba510000 ba513000   Sfloppy.SYS
kd> g
[+] Driver Unload

参考链接

insdrv :http://wangpan.baidu.com/share/link?shareid=167829&uk=721906645
windbg:http://blog.csdn.net/ithzhang/article/details/8630429
win2008+wdk:http://www.cnblogs.com/Jesses/articles/1636331.html