
An up to date (or almost) book for KMDF development

Keterna Member Posts: 13

Hi there !

I'm about to start working on a project that involves building a software driver (mostly playing with Ob callbacks and file system minifilters) for Windows 10. As I love reading, I checked some websites that sell books... but I really have the feeling that they have all been written in the XP/Win7 era.

Can anyone recommend a good book to start off driver development that introduces the concepts in the recent framework (KMDF) ? Otherwise, are other supports better adapted to quickly gain knowledge about driver development ? I checked the documentation provided by Microsoft (which is quite extensive!), but I'm more looking for a resource that introduces kernel concepts as well (as I'm currently only a user-mode developer).

Many thanks for your kind help <3

Comments

  • Martin_Dráb Member - All Emails Posts: 73

    As I see it, KMDF may be extremely useful if you are writing a driver for a physical or virtual device. In that case, the framework handles many difficult or tricky cases for you (PnP, power management...). The framework kind of expects your driver is serving a device.

    However, File System Minifilters and Ob Callbacks are not contained within the framework. Of course, you may still use KMDF e.g. to handle communication with your control device (in case the world will communicate with your driver through IOCTLs or other requests) but you can usually easily do this also in WDM. Furthermore, FltMgr exposes APIs to implement the communication through ALPC ports.

    File System Minifilters and Ob callbacks are quite old beasts now. New versions of Windows introduce new APIs but the principles are still the same.

    Martin Dráb

  • Keterna Member Posts: 13

    Hello Martin, thanks for your answer !

    From what I could understand of the documentation of Microsoft, the "trendy" way to develop drivers is to base them on KMDF (moreover, Visual Studio does not seem to mention another built-in template, except UMDF). Does WDM have a VS template as well ?

    Regarding the fact that Ob callbacks and FS minifilters are old techno, do you mean there is a new API to hook the FS and handles creation of processes/threads I should rather use ? Indeed, I have planned to communicate with a software in user-mode using IOCTL. Do you think this is the good way of doing it in 2019?

    Many thanks !

  • Martin_Dráb Member - All Emails Posts: 73

    Hello,

    From what I could understand of the documentation of Microsoft, the "trendy" way to develop drivers is to base them on KMDF (moreover, Visual Studio does not seem to mention another built-in template, except UMDF). Does WDM have a VS template as well ?

    I am using Visual Studio 2017 and it has a template named Empty WDM Driver. I am not sure, however, with which version of WDK it came.

    Regarding the fact that Ob callbacks and FS minifilters are old techno, do you mean there is a new API to hook the FS and handles creation of processes/threads I should rather use ?

    As far as I know there is nothing newer/better for that purpose. My point was that you may of course use KMDF but it will not help you much since you will not (and in practice, cannot) benefit from its killer features.

    Martin Dráb

  • Tim_Roberts Member - All Emails Posts: 13,159

    From what I could understand of the documentation of Microsoft, the "trendy" way to develop drivers is to base them on KMDF

    "Trendy". KMDF was released 15 years ago. There is no other object or technology from 2005 that you would even THINK of labeling "trendy". Would you call Vista "trendy"?

    KMDF is the baseline.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Scott_Noone_(OSR) Administrator Posts: 3,198

    If you're writing a file system minifilter just use a FltMgr Communication Port to talk user mode. It's a very convenient API that uses IOCTLs underneath, so building your own interface using KMDF (or WDM) is just more work for yourself.

    -scott
    OSR

  • Keterna Member Posts: 13

    Thanks for your answers !

    I have to decide what driver model I should pick for writing my driver. Typically, I plan to manage process authorization access using Ob callbacks and a FS minifilter to intercept the access of dependencies to those processes. After reading the very nicely written Getting Started Writing Windows Drivers from OSR, I realize there are two models that I can use. In my case, should I start off the driver model of FS minifilter and add the ob callbacks thingy from it, or should I start off the general KMDF model and implement the ob callback and the FS minifilter on it ?

    Intuitively, I would say I should go for the FS minifilter and add the ob callbacks on top of it, but as I don't have much experience in driver development, I think asking you is a smart move, rather than picking one and realizing afterwards that the choice was wrong.

    Thanks!

  • Scott_Noone_(OSR) Administrator Posts: 3,198

    The FS filter will be significantly more complicated than an Ob callback. I'd entirely forget about the Ob callback for now.

    -scott
    OSR

  • Keterna Member Posts: 13

    Hey Scott, thanks for your reply.

    I took the time to create a sample driver today to echo some values in the debugging output. I also created a file system driver by using the template conveniently provided by Microsoft in Visual Studio.

    In your first post, you mentioned I should use FltMgr Communication Port when developing a file system driver. Is it because something prevents me from relying on ioctl ? From what I could see, creating a FS driver is the same as creating a KMDF driver, except that a bunch of structures/initialization code is already written for me. Is there a fundamental difference between a generic KMDF and a FS driver ?

    Thanks !

  • Peter_Viscarola_(OSR) Administrator Posts: 7,507

    Is there a fundamental difference between a generic KMDF and a FS drive

    First, you mean "File System FILTER driver"... right?

    KMDF and File System Filters use fundamentally different models. They have different initialization sequences, they have different entry points, they call different support routines.

    Actually... they're not very similar at all.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Keterna Member Posts: 13
    edited November 1

    Hey Peter,

    I'm referring to File System minifilter drivers. Is it what you meant ?

  • Don_Burn Member - All Emails Posts: 1,661

    A file system minifilter is its own beast. It certainly is not like KMDF.

  • Keterna Member Posts: 13

    Hey Don,

    I had a deeper look at the template code and did some research on the subject and effectively, I have been too quick in my assumption: they are different. Since I need to both develop a fs minifilter and rely on ob callbacks, do you suggest that I develop two different drivers and create a communication channel between the two, or is there a more idiomatic approach for such requirements ?

    Many thanks !

  • Peter_Viscarola_(OSR) Administrator Posts: 7,507

    I'm referring to File System minifilter drivers. Is it what you meant ?

    File System Minifilters are a type of File System Filter. So, I asked generically.

    You could incorporate Ob callback notification into your Minifilter. The Ob filtering is sufficiently simple and self contained that it’s not likely to complicate your overall Minifilter — and it certainly won’t interfere with it in any way.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Keterna Member Posts: 13

    File System Minifilters are a type of File System Filter. So, I asked generically.

    Oh I'm sorry! I was not sure it was based on the same technology. I'm still a bit confused by all the different models we can base our drivers on!

    Thanks for your confirmation. I'm going to start off from the file system filter template.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,507

    I was not sure it was based on the same technology

    The driver development models available in Windows are... well... more than just a little confusing. And, you ARE right: File System Minifilters are a category of File System Filters, but they DO use a different technology than the (much older and more annoying) alternative, which is called Legacy File System Filters.

    Anyhow... neither is related to KMDF in any way. But you know that by now.

    Starting from the File System Minifilter Template will put you on the right road at least. Once you have some of that working, you can "jam in" your Ob Callback monitoring stuff.

    Since this thread has wandered all over the planet, I'm going to close it. That's not intended as anything negative Mr. @Keterna . Just an attempt to make sure the topic name reflects the content of the thread. Feel free to create a new thread to ask any additional questions you may have.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

This discussion has been closed.
