I am writing a driver (legacy, I believe) that creates a virtual hard drive from a file; however, when I try to unload my driver some times it and most times it hangs. The driver unloads cleanly if it hasn't received any IRPs yet, but as soon as it does I can't unload it. I have read that the unload routine isn't called unless the driver has nothing referencing it. I believe there may be another driver (a file system driver) referencing it; however, I don't know which driver it is. How can I see if my driver is getting referenced and, if so, how can I stop that driver from referencing mine?
Check the "HandleCount" and "PointerCount" of your driver's "DriverObject" and "DeviceObject" using WinDbg.
Useful WinDbg commands are: !drvobj and !devobj.
Related
I have a custom Windows kernel driver I have compiled. I sign it with a test cert, create the cat file from the cdf, stamp the inx into an inf file, then load it with pnputil. I then create a software device with SwDeviceCreate so the OS will pair my driver and the driver. This works fine.
The problem is if I screw up something in the compilation and get something like an error code 39 (viewable in Device Manager), I do not see that error. Instead the OS seems to try to fix the error by loading the previously working version of the driver. In order to see that error, I have to purge the driver and device using pnputil /d oem42.inf along with a pnputil /remove-device, then restart my PC; that seems to fix the issue. This is difficult because it means I have to restart my PC every time I run a test. I know crashing a kernel driver can cause a panic anyway and cause me to restart, but there seem to be instances where this is not the case and the OS tries to rectify the issue without me (as it probably should).
So my question is this: is there a way to completely purge my driver without a complete restart in between installations/tests so I can correctly break it? I know I am supposed to use another machine and remote debug kernel drivers, but I do not have access to another machine right now that can support Windows 11.
Here is the scenario.
I am on a Windows 8 machine. I have also tried this on a Windows 7 machine.
I am working on a driver (mirror driver/remote display driver). I should say I am going to start working on it, as I am stuck.
So I followed the MSDN example of KmdfSmall
http://msdn.microsoft.com/en-us/library/windows/hardware/hh439665(v=vs.85).aspx
I got the driver code compiled. Got the remote debugging also going.
I do not see any of the debug messages on the host (I have set the register IHVDRIVER to 0x8.
I also set the DEFAULT to 0xf to be able to use DbgPrint).
Furthermore, my real goal is to start my driver as a service
http://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers
And I want to test it on the LOCAL machine. I do not want to have a target and host to debug. Plain oldschool single machine.
Questions
1) When a service starts the driver via CreateService and OpenService, does it call the DriverEntry function, or does it wait until some user-level app uses the driver?
2) When I run the app to load the driver as a server, where is DbgPrintEx supposed to print:
DebugView or WinDbg or elsewhere?
3) If I am using CreateService, does my sys file have to be in the windows/system32/drivers folder? I read somewhere that on a 64-bit machine CreateService only loads from the system folder.
4) When I start it as a service, am I supposed to see it in the Task Manager?
5) If DriverEntry is called to init a driver, can it be called again, or does it have to wait until it unloads? So if I load my driver and forget to gracefully unload it and run my program again, will it call DriverEntry?
I know there are a lot of questions here. Thanks in advance
KMDF driver cannot be installed using old style API. Check this sample from MSDN.
You also need to think about what kind of driver it is, filter driver or actual device driver etc.
1) When a service starts the driver via CreateService and OpenService,
does it call the DriverEntry function, or does it wait until some
user-level app uses the driver?
As soon as the driver is loaded, its DriverEntry routine is called.
2) When I run the app to load the driver as a server, where is
DbgPrintEx supposed to print: DebugView or WinDbg or elsewhere?
When neither DebugView nor WinDbg is running, the output is lost and not printed/logged anywhere.
3) If I am using CreateService, does my sys file have to be in the windows/system32/drivers
folder? I read somewhere that on a 64-bit machine CreateService only
loads from the system folder.
Newer Windows has this kind of restriction.
4) When I start it as a service, am I supposed to see it in the Task
Manager?
Kernel drivers are not listed in Task Manager, as they are actually part of the OS, not a separate application. However, if you have a user-level service, it will be listed in Task Manager when it's running.
5) If DriverEntry is called to init a driver, can it be called again, or
does it have to wait until it unloads? So if I load my driver and forget to
gracefully unload it and run my program again, will it call DriverEntry?
DriverEntry is called each time the driver is loaded. If the driver is demand-load, it will run each time the driver is loaded/started, even if the driver does not unload gracefully (e.g. leaking memory/locks etc.). But you may end up with an unstable system and a BSOD if the driver doesn't unload neatly.
I made a device driver. But my system crashed at the moment when it was deleting the device object. I think the symbolic link was deleted and it crashed after it was trying to delete the device as I can't see the symbolic link in the Global.
How do I delete this device now? It also gives me an error popup (system cannot find the file specified Device\Mydriver) when I try to open the listed Mydriver under devices from WinObj.
I tried starting the driver's service again. I do get a handle back when opening the service, but it won't start now, giving the error value of "Cannot find the file specified". It was working fine, I mean starting the driver, before this crash.
I am a beginner with drivers and doing this to learn, please guide.
I have taken this from: Programming the Microsoft Windows Driver Model, 2nd edition, by Walter Oney.
I hope this helps.
Removability of devices in a Plug and Play environment is the ultimate source of the early-unload problem
mentioned in the text. It’s your responsibility to avoid sending an IRP to a driver that might no longer be in memory
and to prevent the PnP manager from unloading a driver that’s still processing an IRP you’ve sent to that driver.
One aspect of how you fulfill that responsibility is shown in the text: take an extra reference to the file object
returned by IoGetDeviceObjectPointer around the call to IoCallDriver. In most drivers, you’ll probably need the
extra reference only when you’re sending an asynchronous IRP. In that case, the code that ordinarily
dereferences the file object is likely to be in some other part of your driver that runs asynchronously with the
call to IoCallDriver—say, in the completion routine you’re obliged to install for an asynchronous IRP. If you send
a synchronous IRP, you’re much more likely to code your driver in such a way that you don’t dereference the file
object until the IRP completes.
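The reference ordering described in the quoted passage, as an added example that is not from the book or from any poster: a user-mode C model of the case where an asynchronous IRP completes before the target's dispatch routine has returned. Every type and function name in it is a hypothetical stand-in for the kernel object or routine named in the comments.

```c
/* User-mode model, not kernel code. All names are hypothetical stand-ins:
 * model_file_object for FILE_OBJECT, model_reference/model_dereference for
 * ObReferenceObject/ObDereferenceObject, model_call_driver for IoCallDriver. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    int  refs;           /* references held on the file object */
    bool target_loaded;  /* target driver stays in memory while refs > 0 */
} model_file_object;

static void model_reference(model_file_object *fo) { fo->refs++; }
static void model_dereference(model_file_object *fo)
{
    if (--fo->refs == 0)
        fo->target_loaded = false;  /* last reference gone: unload may proceed */
}

/* Sender's completion routine: for an asynchronous IRP, the ordinary
 * dereference of the file object happens here. */
static void model_completion_routine(model_file_object *fo) { model_dereference(fo); }

/* Models a call in which the target completes the IRP before its dispatch
 * routine has returned. Returns whether the target was still pinned in
 * memory for the remainder of that dispatch routine. */
static bool model_call_driver(model_file_object *fo)
{
    model_completion_routine(fo);
    return fo->target_loaded;
}

/* Sends one asynchronous IRP; true means the target stayed loaded throughout. */
bool send_async_irp(bool take_extra_reference)
{
    /* refs = 1 models the reference returned with the file object pointer */
    model_file_object fo = { .refs = 1, .target_loaded = true };
    bool safe;
    if (take_extra_reference)
        model_reference(&fo);
    safe = model_call_driver(&fo);
    if (take_extra_reference)
        model_dereference(&fo);     /* dropped only after the call returns */
    return safe;
}

int main(void)
{
    printf("extra reference: %d, none: %d\n", send_async_irp(true), send_async_irp(false));
    return 0;
}
```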
Use the interactive boot option and don't load the troublesome driver. Then you can experiment perhaps by adding diagnostic instrumentation to the driver or other debugging techniques to determine the underlying problem.
Given that unloading a file system filter driver requires a reboot, what is the best way to test one?
Is there a better/less painful way than rebooting a VM every single time?
This might be helpful: File System Filter Driver Tutorial
Set driver unload routine
The last part of the driver initialization sets an unload routine.
Setting the driver unload routine makes the driver unloadable, and you
can load/unload it multiple times without system restart. However,
this driver is made unloadable only for debugging purpose, because
file system filters can’t be unloaded safely. Never do this in
production code.
I'm writing a driver and I have a problem:
every time I try to open a handle to my driver using CreateFile, I get a BSOD (Access Violation).
It's important to mention that my driver loads successfully and I don't get any errors.
Does someone know how to handle it?
Thanks in advance!
!analyze -v is your friend.
Turn on creating Kernel Dump in Windows settings and then analyze dump in WinDbg.
Are you using ZwCreateFile or CreateFile? You can't use CreateFile in a driver because that is a user-mode function and drivers run in kernel mode. Instead call ZwCreateFile, which is the kernel-mode version of CreateFile.
Another possible fault source: the driver-internal function for handling IRP_MJ_CREATE is either incorrectly assigned or faulty.
But you can only guess without analyzing the dump (maybe in conjunction with the symbols database of your driver [the PDB files]).