
Programming in ring 0 on Windows: an introductory article


At work I had to deal with driver programming for Windows. People who have never encountered this task may assume that drivers are something very complex that talks directly to the hardware. They are partly right and partly not. In this article I will try to describe what Windows drivers are from the inside and what I had to face. The article is an introduction and contains no "pieces of code."


So, let's begin. First of all, from the programmer's point of view a Windows driver is simply your code running in kernel space (kernel mode, ring 0). All application programs run in user space (user mode, ring 3).

What is special about kernel space? It is simple: when an application runs, the system imposes a number of restrictions on what it can do. For example, the scheduler can interrupt an application at any moment and hand the processor to another one; an application cannot just reach into the memory of another process; and the crash of one application does not "hang" a modern system.
In kernel space everything is different; it is like adult life after childhood: there are incomparably more opportunities, but also plenty of responsibilities. In a driver we can access the hardware directly, we can make our code "uninterruptible" for some period of time (by raising the IRQL so the scheduler cannot preempt us), in a word, decide the fate of the entire user (and not only user) space. On the other hand, a simple and fairly common error brings down the whole system (a BSoD, Blue Screen of Death; today people encounter it quite rarely, but earlier it was quite common). And a bug that an application can trigger on purpose is worse than a crash: in kernel space it is a privilege escalation.

The driver does not have to deal with hardware at all; it can do something else equally useful, in the simplest case act as a window into kernel space, that is, give applications access to certain system functions that cannot be reached from user mode. A logical question arises here: kernel space is nice, but everyone is used to working in user space, so how will the driver talk to the application? There are several ways; the most common is the IOCTL mechanism. The driver creates a device object and a symbolic link to it, the application opens that link like a file with CreateFile and then sends requests with DeviceIoControl (or ReadFile/WriteFile). Each request carries a control code and input/output buffers, and the driver's dispatch routine interprets them in its own way. Another mechanism is event based: the driver signals an event object that the application is waiting on (or completes a request the application deliberately left pending), and the application responds by fetching from the driver whatever information it needs.
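To make the IOCTL mechanism concrete, here is an added example; it is not code from the article. It reproduces the control-code layout that the CTL_CODE macro in the Windows headers uses (DeviceType, Access, Function, Method) and the real NTSTATUS values, but the driver name, the two control codes IOCTL_DEMO_GET_VERSION / IOCTL_DEMO_SET_LIMIT, the ioctl_request structure standing in for the IRP stack location and the "limit" setting are all assumptions made for the illustration. It is written in plain C without the WDK so it builds anywhere; in a real driver the same checks sit in the IRP_MJ_DEVICE_CONTROL dispatch routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a Windows I/O control code, exactly as the CTL_CODE macro in the
 * Windows headers builds it: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define FILE_DEVICE_UNKNOWN 0x22u

#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

/* Real NTSTATUS values a driver returns to user mode. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* Control codes of a hypothetical driver (assumed for this example);
 * function numbers 0x800 and up are reserved for third-party drivers. */
#define IOCTL_DEMO_GET_VERSION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_SET_LIMIT   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

/* Split a control code back into its fields (useful when looking at an unknown driver). */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Stand-in for what a driver reads from the IRP's current stack location:
 * IoControlCode, SystemBuffer, InputBufferLength, OutputBufferLength. */
typedef struct {
    uint32_t code;
    uint8_t *buffer;   /* with METHOD_BUFFERED, input and output share one kernel buffer */
    uint32_t in_len;
    uint32_t out_len;
} ioctl_request;

static uint32_t g_limit = 0;   /* driver state changed by IOCTL_DEMO_SET_LIMIT */

/* Dispatch routine. Every field of the request originates in user mode, so the
 * lengths are checked before the buffer is touched and the value is validated. */
uint32_t demo_dispatch(ioctl_request *req, uint32_t *bytes_returned)
{
    *bytes_returned = 0;
    switch (req->code) {
    case IOCTL_DEMO_GET_VERSION: {
        uint32_t version = 0x00010002u;                 /* "1.2" */
        if (req->out_len < sizeof version)
            return STATUS_BUFFER_TOO_SMALL;             /* never write past the buffer */
        memcpy(req->buffer, &version, sizeof version);
        *bytes_returned = sizeof version;
        return STATUS_SUCCESS;
    }
    case IOCTL_DEMO_SET_LIMIT: {
        uint32_t limit;
        if (req->in_len < sizeof limit)
            return STATUS_BUFFER_TOO_SMALL;             /* never read past the buffer */
        memcpy(&limit, req->buffer, sizeof limit);
        if (limit == 0 || limit > 4096)
            return STATUS_INVALID_PARAMETER;            /* range-check, do not trust */
        g_limit = limit;
        return STATUS_SUCCESS;
    }
    default:
        return STATUS_INVALID_DEVICE_REQUEST;           /* unknown code: reject */
    }
}

uint32_t demo_current_limit(void) { return g_limit; }

/* Plays the user-mode side: the four requests DeviceIoControl would deliver.
 * Returns how many of them the driver handled as expected (4 when all is well). */
int run_demo_requests(void)
{
    uint8_t buf[8];
    uint32_t ret, got, want = 1024;
    int ok = 0;

    ioctl_request r1 = { IOCTL_DEMO_GET_VERSION, buf, 0, sizeof buf };
    ok += (demo_dispatch(&r1, &ret) == STATUS_SUCCESS && ret == 4);
    memcpy(&got, buf, sizeof got);
    ok += (got == 0x00010002u);

    ioctl_request r2 = { IOCTL_DEMO_GET_VERSION, buf, 0, 2 };   /* output buffer too small */
    ok += (demo_dispatch(&r2, &ret) == STATUS_BUFFER_TOO_SMALL && ret == 0);

    memcpy(buf, &want, sizeof want);
    ioctl_request r3 = { IOCTL_DEMO_SET_LIMIT, buf, sizeof want, 0 };
    ok += (demo_dispatch(&r3, &ret) == STATUS_SUCCESS && demo_current_limit() == 1024u);

    uint32_t unknown = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS);
    ioctl_request r4 = { unknown, buf, 0, 0 };
    return ok + (demo_dispatch(&r4, &ret) == STATUS_INVALID_DEVICE_REQUEST);
}

int main(void)
{
    ioctl_fields f = decode_ioctl(IOCTL_DEMO_SET_LIMIT);
    printf("IOCTL_DEMO_SET_LIMIT = 0x%08X: device 0x%X, function 0x%X, method %u, access %u\n",
           IOCTL_DEMO_SET_LIMIT, f.device_type, f.function, f.method, f.access);
    printf("%d of 5 checks passed\n", run_demo_requests());
    return 0;
}
```

With METHOD_BUFFERED the I/O manager copies the application's buffer into a kernel allocation, so the driver only has to respect the two lengths; with METHOD_NEITHER it receives the raw user-mode pointers and must additionally probe them (ProbeForRead/ProbeForWrite inside __try/__except) before use. Either way, the length and range checks above are exactly the lines whose absence turns a "window into kernel space" into a local privilege escalation.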

Kernel space offers great opportunities not only to useful applications but also to malware. Imagine a virus that can stop an intrusive Kaspersky or Dr.Web from killing it, hide itself from the process list, or simply prevent its files on disk from being deleted. Do not despair, not everything is so bad: getting code into kernel space from an ordinary process is quite difficult (loading a driver requires administrative rights, and 64-bit Windows since Vista additionally requires the driver to be signed), and antiviruses try to make this task even harder. The flip side for a driver author is that any bug in a driver reachable from user mode is someone else's door into kernel space, which is why validating everything that arrives from an application is the first rule of driver programming.

Drivers are special components of the system, so they cannot be built with a standard Visual Studio installation; a separate toolset was created for them containing a compiler, header files, libraries, documentation and samples. It is called the Windows Driver Kit (WDK), formerly known as the DDK. I note one feature that I encountered myself: the WDK for newer systems, such as Windows Vista and Server 2008, allows you to build drivers for earlier versions of Windows, such as XP and 2000, therefore it is best (IMHO, of course) to take the latest stable version of the WDK.

Another thing I would like to mention in an introductory article is the gurus in this area: when someone talks about C++, it is in most cases associated with the name Stroustrup; likewise, kernel-level programming for Windows is associated with the names of Mark Russinovich and Bryce Cogswell, who wrote a large number of useful utilities, as well as a book that is indispensable for driver developers. Details can be found at sysinternals.com.

So, I would like to know whether Habr readers are interested in the topic of programming drivers for Windows and whether it is worth writing further articles. What should be covered first?
Thank you very much for your attention :)

Source: https://habr.com/ru/post/40171/