7

What is Windows Kernel Driver written with the WDK?

What is different from normal app or service?

Billy ONeal
  • 104,103
  • 58
  • 317
  • 552
userbb
  • 2,148
  • 5
  • 30
  • 53
  • Please read the [Wikipedia entry on Kernel](http://en.wikipedia.org/wiki/Kernel_(computing)). That should make the difference pretty obvious. – DarkDust May 15 '11 at 07:53

4 Answers4

20

Kernel drivers are programs written against Windows NT's native API (rather than the Win32 Subsystem's API) and which execute in kernel mode on the underlying hardware. This means that a driver needs to be able to deal with switching virtual memory contexts between processes, and needs to be written to be incredibly stable -- because kernel drivers run in kernel mode, if one crashes, it brings down the entire system. Kernel drivers are unsuitable for anything but hardware devices because they require administrative access to install or start, and because they remove the security the kernel normally provides to programs that crash -- namely, that they crash themselves and not the entire system.

Long story short:

  • Drivers use the native API rather than the Win32 API
    • This means that drivers generally cannot display any UI.
  • Drivers need to manage memory and how memory is paged explicitly -- using things like paged pool and nonpaged pool.
  • Drivers need to deal with process context switching and not depend on which process happens to have the page table while they're running.
  • Drivers cannot be installed into the kernel by limited users.
  • Drivers run with privileged rights at the processor level.
  • A fault in a user-level program results in termination of that program's process. A fault in a driver brings down the system with a Blue Screen of Death.
  • Drivers need to deal with low level hardware bits like Interrupts and Interrupt Request Levels (IRQLs).
Billy ONeal
  • 104,103
  • 58
  • 317
  • 552
  • Can I use Win32 API from native drivers programm? There is example in WDK for getting name of process. I do this same in WinAPI. – userbb May 15 '11 at 08:06
  • 1
    @userbb: No. A driver cannot call the Windows Subsystem -- it runs at a lower level than that subsystem. (And in fact, is usually loaded before the Windows Subsystem is started) You can get the name of a process in both Windows programs and Native programs. In Native programs you can use only the Native API, while in Windows programs you can use either the Native API or the Windows API. – Billy ONeal May 15 '11 at 08:08
  • 1
    @userbb: That is, a driver must call `ZwQueryInformationProcess` in order to get the process name. An application can call `ZwQueryInformationProcess`, `NtQueryInformationProcess`, or `EnumProcessModules`. – Billy ONeal May 15 '11 at 08:11
2

It is code that runs in kernel mode rather than user mode. Kernel mode code has direct access to the internals of the OS, hardware etc.

Invariably you write kernel mode modules to implement device drivers.

David Heffernan
  • 601,492
  • 42
  • 1,072
  • 1,490
1

A kernel driver is a low-level implementation of an "application".
Because it runs in the kernel context, it has the ability to access the kernel API and memory directly.

For example, a kernel driver should be used to:

  • Control access to files (password protection,hiding)
  • Allow accessing non-standard filesystems (like ext, reiserfs, zfs and etc.) and devices
  • True API hooks
  • ...and for many other reasons

If you'd like to get know more, you can search for keyword "ring0" with your favorite search engine.

Cody Gray - on strike
  • 239,200
  • 50
  • 490
  • 574
Vladimir Protasov
  • 262
  • 4
  • 13
0

Others have explained the difference as the perspective of system level. If you are doing development in C++, there are below differences in User mode development and kernel-mode development.

  1. Unhandled exceptions crash the process in User mode, but in kernel mode, it crashes the whole system(face BSOD).
  2. When the user-mode process terminates without free private memory, the system implicitly free process memory. But in kernel mode, remaining memory free after system boot.
  3. The user-mode code is written and execute in PASSIVE_LEVEL. In kernel mode, there are more IRQL level.
  4. Kernel code debugging done using separate machines. But you can debug user mode on same machine.
  5. you can't use all C++ functionality in kernel-mode such as Exception handling and STL.
  6. Entry points are different, in user mode, you use the main as the entry point. But in kernel mode, we need to use DriverEntry.
  7. You can't use new operator in kernel mode, you need to overload it explictly.
rajatV
  • 99
  • 1
  • 2
  • 10