An up-to-date (or almost) book for KMDF development

Hi there!

I’m about to start working on a project that involves building a software driver (mostly playing with Ob callbacks and file system minifilters) for Windows 10. As I love reading, I checked some websites that sell books… but I really have the feeling that they have all been written in the XP/Win7 era.

Can anyone recommend a good book to start off driver development that introduces the concepts in the recent framework (KMDF)? Otherwise, are other resources better suited to quickly gain knowledge about driver development? I checked the documentation provided by Microsoft (which is quite extensive!), but I’m more looking for a resource that introduces kernel concepts as well (as I’m currently only a user-mode developer).

Many thanks for your kind help <3

As I see it, KMDF may be extremely useful if you are writing a driver for a physical or virtual device. In that case, the framework handles many difficult or tricky cases for you (PnP, power management…). The framework kind of expects that your driver is serving a device.

However, File System Minifilters and Ob Callbacks are not contained within the framework. Of course, you may still use KMDF e.g. to handle communication with your control device (in case the world will communicate with your driver through IOCTLs or other requests) but you can usually easily do this also in WDM. Furthermore, FltMgr exposes APIs to implement the communication through ALPC ports.

File System Minifilters and Ob callbacks are quite old beasts now. New versions of Windows introduce new APIs but the principles are still the same.

Hello Martin, thanks for your answer!

From what I could understand of the documentation of Microsoft, the “trendy” way to develop drivers is to base them on KMDF (moreover, Visual Studio does not seem to mention another built-in template, except UMDF). Does WDM have a VS template as well?

Regarding the fact that Ob callbacks and FS minifilters are old techno, do you mean there is a new API to hook the FS and handle creation of processes/threads I should rather use? Indeed, I have planned to communicate with a software in user mode using IOCTL. Do you think this is the good way of doing it in 2019?

Many thanks!

Hello,

From what I could understand of the documentation of Microsoft, the “trendy” way to develop drivers is to base them on KMDF (moreover, Visual Studio does not seem to mention another built-in template, except UMDF). Does WDM have a VS template as well?

I am using Visual Studio 2017 and it has a template named Empty WDM Driver. I am not sure, however, with which version of WDK it came.

Regarding the fact that Ob callbacks and FS minifilters are old techno, do you mean there is a new API to hook the FS and handle creation of processes/threads I should rather use?

As far as I know there is nothing newer/better for those purposes. My point was that you may of course use KMDF but it will not help you much since you will not (and in practice, cannot) benefit from its killer features.

From what I could understand of the documentation of Microsoft, the “trendy” way to develop drivers is to base them on KMDF

“Trendy”. KMDF was released 15 years ago. There is no other object or technology from 2005 that you would even THINK of labeling “trendy”. Would you call Vista “trendy”?

KMDF is the baseline.

If you’re writing a file system minifilter just use a FltMgr Communication Port to talk to user mode. It’s a very convenient API that uses IOCTLs underneath, so building your own interface using KMDF (or WDM) is just more work for yourself.

Thanks for your answers!

I have to decide what driver model I should pick for writing my driver. Typically, I plan to manage process authorization access using Ob callbacks and a FS minifilter to intercept the access of dependencies to those processes. After reading the very nicely written Getting Started Writing Windows Drivers from OSR, I realize there are two models that I can use. In my case, should I start off from the FS minifilter driver model and add the Ob callbacks thingy to it, or should I start off from the general KMDF model and implement the Ob callback and the FS minifilter on it?

Intuitively, I would say I should go for the FS minifilter and add the ob callbacks on top of it, but as I don’t have much experience in driver development, I think asking you is a smart move, rather than picking one and realizing afterwards that the choice was wrong.

Thanks!

The FS filter will be significantly more complicated than an Ob callback. I’d entirely forget about the Ob callback for now.

Hey Scott, thanks for your reply.

I took the time to create a sample driver today to echo some values in the debugging output. I also created a file system driver by using the template conveniently provided by Microsoft in Visual Studio.

In your first post, you mentioned I should use a FltMgr Communication Port when developing a file system driver. Is it because something prevents me from relying on IOCTLs? From what I could see, creating a FS driver is the same as creating a KMDF driver, except that a bunch of structures/initialization code is already written for me. Is there a fundamental difference between a generic KMDF and a FS driver?

Thanks!

Is there a fundamental difference between a generic KMDF and a FS driver?

First, you mean “File System FILTER driver”… right?

KMDF and File System Filters use fundamentally different models. They have different initialization sequences, they have different entry points, they call different support routines.

Actually… they’re not very similar at all.

Peter

Hey Peter,

I’m referring to File System minifilter drivers. Is it what you meant?

A file system minifilter is its own beast. It certainly is not like KMDF.

Hey Don,

I had a deeper look at the template code and did some research on the subject and effectively, I have been too quick in my assumption: they are different. Since I need to both develop a FS minifilter and rely on Ob callbacks, do you suggest I develop two different drivers and create a communication channel between the two, or is there a more idiomatic approach for such requirements?

Many thanks!

I’m referring to File System minifilter drivers. Is it what you meant?

File System Minifilters are a type of File System Filter. So, I asked generically.

You could incorporate Ob callback notification into your Minifilter. The Ob filtering is sufficiently simple and self contained that it’s not likely to complicate your overall Minifilter — and it certainly won’t interfere with it in any way.

Peter
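To make Scott’s and Peter’s advice concrete (talk to user mode through a FltMgr Communication Port, and register the Ob callback from inside the minifilter rather than in a second driver), here is an added skeleton that is not code from this thread or from any of its posters. It is WDK kernel-mode C: it registers a minifilter with FltRegisterFilter, registers a process-handle pre-operation callback with ObRegisterCallbacks, and tears both down in the filter’s unload callback in the reverse order. The protected PID is a constructed placeholder; in a real driver a user-mode agent would set it through the communication port, and the Ob altitude string is a placeholder too (altitudes are allocated by Microsoft). The pre-operation callback strips only a few dangerous access rights (terminate, write memory, create thread) from user-mode handles to the protected process, which is the “process authorization” use case the original poster describes. It needs the WDK, a test VM, and a driver linked with /INTEGRITYCHECK (required for ObRegisterCallbacks); it cannot be compiled or run as a normal user-mode program.

```c
// Added example (not from the thread): a minifilter that also owns an Ob callback.
#include <fltKernel.h>

// Constructed placeholder: the process to protect. A real driver would receive
// this from its user-mode agent over an FltMgr communication port.
static HANDLE      g_ProtectedPid = (HANDLE)(ULONG_PTR)4242;
static PFLT_FILTER g_Filter       = NULL;   // handle returned by FltRegisterFilter
static PVOID       g_ObHandle     = NULL;   // handle returned by ObRegisterCallbacks

// Minifilter pre-create callback: a no-op placeholder where the file system
// access checks would go. Returning NO_CALLBACK means no post-op is needed.
static FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

static NTSTATUS
InstanceSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags,
              DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);
    UNREFERENCED_PARAMETER(VolumeDeviceType);
    UNREFERENCED_PARAMETER(VolumeFilesystemType);
    return STATUS_SUCCESS;          // attach to every volume
}

static NTSTATUS
InstanceQueryTeardown(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);
    return STATUS_SUCCESS;          // allow detach
}

// Ob pre-operation callback for process handles: remove the rights that would
// let another user-mode process kill or tamper with the protected process.
static OB_PREOP_CALLBACK_STATUS
ProcessPreOp(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION Info)
{
    const ACCESS_MASK denied = PROCESS_TERMINATE | PROCESS_VM_WRITE |
                               PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD;
    UNREFERENCED_PARAMETER(RegistrationContext);

    if (Info->ObjectType != *PsProcessType) return OB_PREOP_SUCCESS;
    if (Info->KernelHandle)                 return OB_PREOP_SUCCESS;  // never touch kernel handles
    if (PsGetProcessId((PEPROCESS)Info->Object) != g_ProtectedPid) return OB_PREOP_SUCCESS;
    if (PsGetCurrentProcess() == (PEPROCESS)Info->Object) return OB_PREOP_SUCCESS; // self-access is fine

    if (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        Info->Parameters->CreateHandleInformation.DesiredAccess &= ~denied;
    else
        Info->Parameters->DuplicateHandleInformation.DesiredAccess &= ~denied;
    return OB_PREOP_SUCCESS;
}

// Unload: the Ob registration is torn down before the filter it lives in.
static NTSTATUS FilterUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    if (g_ObHandle) { ObUnRegisterCallbacks(g_ObHandle); g_ObHandle = NULL; }
    FltUnregisterFilter(g_Filter);
    return STATUS_SUCCESS;
}

static const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, PreCreate, NULL },
    { IRP_MJ_OPERATION_END }
};

static const FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION), FLT_REGISTRATION_VERSION, 0,
    NULL, Callbacks, FilterUnload, InstanceSetup, InstanceQueryTeardown,
    NULL, NULL, NULL, NULL, NULL
};

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    OB_OPERATION_REGISTRATION opReg = { 0 };
    OB_CALLBACK_REGISTRATION  obReg = { 0 };
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    status = FltRegisterFilter(DriverObject, &FilterRegistration, &g_Filter);
    if (!NT_SUCCESS(status)) return status;

    opReg.ObjectType   = PsProcessType;
    opReg.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = ProcessPreOp;
    obReg.Version                  = OB_FLT_REGISTRATION_VERSION;
    obReg.OperationRegistrationCount = 1;
    obReg.OperationRegistration    = &opReg;
    RtlInitUnicodeString(&obReg.Altitude, L"321000");   // placeholder altitude

    status = ObRegisterCallbacks(&obReg, &g_ObHandle);
    if (!NT_SUCCESS(status)) { FltUnregisterFilter(g_Filter); return status; }

    status = FltStartFiltering(g_Filter);
    if (!NT_SUCCESS(status)) { ObUnRegisterCallbacks(g_ObHandle); FltUnregisterFilter(g_Filter); }
    return status;
}
```

The point of the skeleton is the lifecycle: the Ob registration is created after FltRegisterFilter and released inside FilterUnload before FltUnregisterFilter, so there is never a window where the callback fires while the filter that owns its globals is gone, and a failure in either registration unwinds the other. The communication port (FltCreateCommunicationPort with connect, disconnect and message callbacks) would be opened in DriverEntry and closed in FilterUnload in the same way; it is omitted here to keep the example short.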

File System Minifilters are a type of File System Filter. So, I asked generically.

Oh I’m sorry! I was not sure it was based on the same technology. I’m still a bit confused by all the different models we can base our drivers on!

Thanks for your confirmation. I’m going to start off from the file system filter template.

I was not sure it was based on the same technology

The driver development models available in Windows are… well… more than just a little confusing. And, you ARE right: File System Minifilters are a category of File System Filters, but they DO use a different technology than the (much older and more annoying) alternative which are called Legacy File System Filters.

Anyhow… neither is related to KMDF in any way. But you know that by now.

Starting from the File System Minifilter Template will put you on the right road at least. Once you have some of that working, you can “jam in” your Ob Callback monitoring stuff.

Since this thread has wandered all over the planet, I’m going to close it. That’s not intended as anything negative Mr. @Keterna. Just an attempt to make sure the topic name reflects the content of the thread. Feel free to create a new thread to ask any additional questions you may have.

Peter