Pavel Yosifovich - Windows Kernel Programming, Second Edition

Windows kernel programming is considered by many a dark art, available to select few that manage to somehow unlock the mysteries of the Windows kernel. Kernel development, however, is no different than user-mode development, at least in general terms. In both cases, a good understanding of the platform is essential for producing high quality code.

The book is a guide to programming within the Windows kernel, using the well-known Visual Studio integrated development environment (IDE). This environment is familiar to many developers in the Microsoft space, so that the learning curve is restricted to kernel understanding, coding and debugging, with less friction from the development tools.

The book targets software device drivers, a term I use to refer to drivers that do not deal with hardware. Software kernel drivers have full access to the kernel, allowing these to perform any operation allowed by the kernel. Some software drivers are more specific, such as file system mini filters, also described in the book.

The book is intended for software developers that target the Windows kernel, and need to write kernel drivers to achieve their goals. Common scenarios where kernel drivers are employed are in the Cyber Security space, where kernel drivers are the chief mechanism to get notified of important events, with the power to intercept certain operations. The book uses C and C++ for code examples, as the kernel API is all C. C++ is used where it makes sense, where its advantages are obvious in terms of maintenance, clarity, resource management, or any combination of these. The book does not use complex C++ constructs, such as template metaprogramming. The book is not about C++, its about Windows kernel drivers.

Readers should be very comfortable with the C programming language, especially with pointers, structures, and its standard library, as these occur very frequently when working with kernel APIs. Basic C++ knowledge is highly recommended, although it is possible to traverse the book with C proficiency only.

Here is a quick rundown of the chapters in the book:

• Chapter 1 (Windows Internals Overview) provides the fundamentals of the internal workings of the Windows OS at a high level, enough to get the fundamentals without being bogged down by too many details.
• Chapter 2 (Getting Started with Kernel Development) describes the tools and procedures needed to set up a development environment for developing kernel drivers. A very simple driver is created to make sure all the tools and procedures are working correctly.
• Chapter 3 (Kernel Programming Basics) looks at the fundamentals of writing drivers, including bssic kernel APIs, handling of common programming tasks involving strings, linked lists, dynamic memory allocations, and more.
• Chapter 4 (Driver from Start to Finish) shows how to build a complete driver that performs some useful functionality, along with a client application to drive it.

If you are new to Windows kernel development, you should read chapters 1 to 7 in order. Chapter 8 contains some advanced material you may want to go back to after you have built a few simple drivers. Chapters 9 onward describe specialized techniques, and in theory at least, can be read in any order.

All the sample code from the book is freely available on the books Github repository at https://github.com/zodiacon/windowskernelprogrammingbook2e. Updates to the code samples will be pushed to this repository. Its recommended the reader clone the repository to the local machine, so its easy to experiment with the code directly.

All code samples have been compiled with Visual Studio 2019. Its possible to compile most code samples with earlier versions of Visual Studio if desired. There might be few features of the latest C++ standards that may not be supported in earlier versions, but these should be easy to fix.

Happy reading!

Pavel Yosifovich
June 2022

Chapter 1: Windows Internals Overview

This chapter describes the most important concepts in the internal workings of Windows. Some of the topics will be described in greater detail later in the book, where its closely related to the topic at hand. Make sure you understand the concepts in this chapter, as these make the foundations upon any driver and even user mode low-level code, is built.

---

In this chapter:

• Processes
• Virtual Memory
• Threads
• System Services
• System Architecture
• Handles and Objects

---

Processes

A process is a containment and management object that represents a running instance of a program. The term process runs which is used fairly often, is inaccurate. Processes dont run processes manage. Threads are the ones that execute code and technically run. From a high-level perspective, a process owns the following:

• An executable program, which contains the initial code and data used to execute code within the process. This is true for most processes, but some special ones dont have an executable image (created directly by the kernel).
• A private virtual address space, used for allocating memory for whatever purposes the code within the process needs it.
• An access token (called primary token), which is an object that stores the security context of the process, used by threads executing in the process (unless a thread assumes a different token by using impersonation).
• A private handle table to executive objects, such as events, semaphores, and files.
• One or more threads of execution. A normal user-mode process is created with one thread (executing the classic main/WinMain function). A user mode process without threads is mostly useless, and under normal circumstances will be destroyed by the kernel.

These elements of a process are depicted in figure 1-1.

Figure 1-1: Important ingredients of a process

A process is uniquely identified by its Process ID, which remains unique as long as the kernel process object exists. Once its destroyed, the same ID may be reused for new processes. Its important to realize that the executable file itself is not a unique identifier of a process. For example, there may be five instances of notepad.exe running at the same time. Each of these Notepad instances has its own address space, threads, handle table, process ID, etc. All those five processes are using the same image file (