Windows generally uses system processes to load kernel modules.

Ubiquitous kernel module

This article is excerpted from the book Hanjiang standalone fishing

 

Operating system kernel located in a high space of 2 GB is not a huge program. Because of the wide variety of computer hardware, it is impossible to make a huge kernel that supports all hardware.
The kernel has interfaces. Microsoft provides the required format for hardware-driven programmers to write "drivers" in the required format ". These drivers can be loaded into the kernel as modules and become part of the kernel. In this way, the kernel can adapt to different hardware by simply installing the driver.
Most examples in this book are compiled into kernel modules, which can also be called driver ). However, most of them do not drive any hardware, which is called "software-driven ". But I think this is not appropriate, so this book uses the name of Linux programmers, called the kernel module ). It may be more appropriate to see the driver as a kernel module (except for a small number of application-layer drivers ).
The kernel module is already in the kernel space and is executed as R0 code. Therefore, the kernel can be modified without any restrictions. Therefore, many functions that cannot be implemented by applications can be implemented by writing kernel modules.
In the first Windows, it seems that there is no intention of programmers of application software to provide kernel modules. However, programmers of some special application software first broke these limitations. They wrote special kernel modules that do not drive any hardware, such as virtual optical drives, real-time monitoring of anti-virus software, and firewalls. In the end, microsoft realized that kernel programming is also very useful for software. Therefore, more interfaces are provided in the kernel, such as new interfaces that facilitate file filtering and network filtering, these are specifically provided to non-hardware-driven software programmers.
Wdk is the latest driver development kit provided by Microsoft. It also includes all interfaces and examples provided for software kernel programming. The hardware driver and software kernel programming are not strictly separated at present. The technology and many codes of both sides are the same.
When writing a kernel module, beginners often have the following question: in which process space does the code run?
The kernel module is located in the kernel space, and the kernel space is shared by all processes. Therefore, the kernel module is actually located in any process space. However, any code execution must be in a process space. Which process is this? This depends on the request source and processing process. The psgetcurrentprocessid function can get the process Number of the current process. The prototype of this function is as follows:
Handle
Psgetcurrentprocessid (
);
Handle returned by this function is actually a process ID. This number is the same as the PID we saw when we opened the task manager.
Some readers may mistakenly think that all kernel code runs in the system process.
The so-called system process in Windows is a process named "system", which is a special process generated by Windows itself. The PID in Windows XP is always 4. When you call psgetcurrentprocessid, you will find that the current process is generally not a system process when distributing function calls in the kernel module. However, when the DriverEntry function is called, it is usually in the system process. This is because Windows generally uses system processes to load kernel modules. It does not mean that kernel code is always running in the system process.