I'm remote-debugging a Windows kernel-mode driver using WinDbg. The driver has issues in the initialization routine, leading to a bugcheck/crash when installing the device driver. When I detach the debugger, the target PC reboots and runs again into the same bugcheck.
In order to test a new version of the driver, I therefore have to boot into safe mode, uninstall the device using device manager and reboot into normal mode.
Is there any way to simplify this workflow so that the device driver is automatically removed upon rebooting after a bugcheck?
Additional infos:
I'm using dpinst to install the driver on the target PC
use .Kdfiles to pull a replacement driver during boot
Documentation From MS
Write Up in Nt Insider From Osr Online
if you are using windows 10 then you can leverage the -m option to provide a partial name
and forego the dospath C:\ NtPath \.\xx , %SystemRoot%
confusions in the map file formats ,
or as described here
When I want to enable ETW tracing to receive driver events, I do such:
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (driver) -o s.etl -ets
So on some machine, after running the above command, the computer crashes. After analyzing the memory dump, I figured out that the problem was caused by "TAOKernel64.sys" which is developed by a Chinese company named "Tencent". After removing a program which installed that driver (QQ PC Manager), the problem resolves.
I had two major questions:
1-
Does receiving driver events from ETW require all drivers to work properly? So can we have a buggy driver installed and enabled (but not used) and use ETW without causing BSOD? Or I had faced a completely different problem?
2-
Can we filter out some of these drivers in ETW (either real-time or offline)? For example, telling ETW not to collect driver events from that .sys file?
I have created a fake usb flash driver driver in Windows that will fake Windows into thinking that a new hardware device is attached. I have also found the APIs that allow me to enumerate the hardware attached (so I know which device is my fake driver).
The problem is I only want to attach the hardware when my program is running, and I don't want it to be accessible when my program is not running.
How can I programmatically add this hardware or enable/disable this driver? Someone suggested the right nomenclature is "load/unload".
Using VC++ with Windows APIs on Windows 7 and higher.
Try the C++ class wrapper to load/unload device drivers from code project.
What is Windows Kernel Driver written with the WDK?
What is different from normal app or service?
Kernel drivers are programs written against Windows NT's native API (rather than the Win32 Subsystem's API) and which execute in kernel mode on the underlying hardware. This means that a driver needs to be able to deal with switching virtual memory contexts between processes, and needs to be written to be incredibly stable -- because kernel drivers run in kernel mode, if one crashes, it brings down the entire system. Kernel drivers are unsuitable for anything but hardware devices because they require administrative access to install or start, and because they remove the security the kernel normally provides to programs that crash -- namely, that they crash themselves and not the entire system.
Long story short:
Drivers use the native API rather than the Win32 API
This means that drivers generally cannot display any UI.
Drivers need to manage memory and how memory is paged explicitly -- using things like paged pool and nonpaged pool.
Drivers need to deal with process context switching and not depend on which process happens to have the page table while they're running.
Drivers cannot be installed into the kernel by limited users.
Drivers run with privileged rights at the processor level.
A fault in a user-level program results in termination of that program's process. A fault in a driver brings down the system with a Blue Screen of Death.
Drivers need to deal with low level hardware bits like Interrupts and Interrupt Request Levels (IRQLs).
It is code that runs in kernel mode rather than user mode. Kernel mode code has direct access to the internals of the OS, hardware etc.
Invariably you write kernel mode modules to implement device drivers.
A kernel driver is a low-level implementation of an "application".
Because it runs in the kernel context, it has the ability to access the kernel API and memory directly.
For example, a kernel driver should be used to:
Control access to files (password protection,hiding)
Allow accessing non-standard filesystems (like ext, reiserfs, zfs and etc.) and devices
True API hooks
...and for many other reasons
If you'd like to get know more, you can search for keyword "ring0" with your favorite search engine.
Others have explained the difference as the perspective of system level.
If you are doing development in C++, there are below differences in User mode development and kernel-mode development.
Unhandled exceptions crash the process in User mode, but in kernel mode, it crashes the whole system(face BSOD).
When the user-mode process terminates without free private memory, the system implicitly free process memory. But in kernel mode, remaining memory free after system boot.
The user-mode code is written and execute in PASSIVE_LEVEL. In kernel mode, there are more IRQL level.
Kernel code debugging done using separate machines. But you can debug user mode on same machine.
you can't use all C++ functionality in kernel-mode such as Exception handling and STL.
Entry points are different, in user mode, you use the main as the entry point. But in kernel mode, we need to use DriverEntry.
You can't use new operator in kernel mode, you need to overload it explictly.
I was wondering how I could check if a device driver is loaded using Perl? The operating system is Windows Server 2003, and I'm interested in seeing if the driver for a particular video card is loaded correctly or not.
One way, lookup required Win32 API calls on MSDN, then use Win32::API,
or use sysinternals program Listdlls.exe
http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx#ListDLLs v2.25