Driver development model for Windows
This article is excerpted from the book "Hanjiang standalone fishing: Windows Kernel security programming"
The driver "model" has gone by different names in different versions of Windows. (The word "model" should come from the word "mode": on Windows NT, a driver is called a kernel driver mode driver. I think this mode is a kind of driver structure and operating specification.) For example, drivers on Windows 9x are all called VxD, while drivers on Windows NT are called KDM drivers; the new model that emerged in the Windows 98 ~ 2000 period is WDM.
The concept of a driver model in Windows was originally about driver behavior. For example, a WDM driver must provide N required features (such as power management and plug-and-play). A driver that does not provide these functions is called an NT-type driver. Similarly, the WDF driver has its own set of specifications.
However, this book uses a simpler distinction. Every driver that runs normally on Windows 2000 ~ Windows Vista and does not call WDF-related kernel API functions is called a traditional driver (this includes NT-type and WDM drivers). A driver that calls the WDF-related kernel API is called a WDF driver.
Note: A WDF driver can call the kernel APIs that a traditional driver calls. The WDF driver can be regarded as an upgraded version.
The development of the model does not simply keep step with upgrades of the operating system version; it is a process of gradual substitution. For example, Windows 98 supports some WDM drivers, but also some VxD drivers. In Windows 2000, VxD drivers were completely eliminated. KDM is the predecessor of WDM. Building on KDM, WDM adds some new features and some new specifications. Most function calls are common to both. Of course, the Windows 9x series kernels are completely different, so VxD shares no kernel API functions with them.
As a result, once Windows 9x fell out of favor, VxD could not escape the fate of being completely eliminated. Windows NT developed into the later versions of Windows, and KDM likewise developed into WDM. Of course, Microsoft has not been idle, and it has now launched the new WDF. Readers may worry: is this book written using WDM or WDF? Will what I learn from it become obsolete?
Unlike VxD, KDM, WDM, and WDF belong to the same lineage. Basically, KDM programmers have a head start in learning WDM, and WDF is no exception. WDF is not so much a new driver development model as a set of APIs, with names starting with WDF, that wraps the existing kernel APIs and data structures so that they feel simpler and easier to use. Therefore, readers do not have to worry that the development of WDF will let their earlier effort to learn traditional drivers go to waste. A typical example: the first version of the hard disk upper-layer filter diskperf code was released between 1991 and 1992; 18 years later, it can still be compiled and run normally on the latest version of Vista.
This book uses traditional drivers in most chapters, those for which no WDF examples can be found, such as disk filtering, file system filtering, and network middle-layer drivers. In addition, in order to start simply, the two entry-level examples (serial port and keyboard) also use traditional drivers. However, the examples of virtual disks and virtual NICs (Chapter 2 and Chapter 5) use the WDF version.