Rootkits

Windows Drivers

WDK – Windows Driver Kit

The Windows Driver Kit (WDK) provides the tools needed to develop, build, package, deploy, test, and debug drivers. Many basic certification tests can be run from within the integrated environment. The WDK includes templates for several technologies and driver models, including Windows Driver Frameworks (WDF), Universal Serial Bus (USB), print, networking, and file system filters.


WDM – Windows Driver Model

The Windows Driver Model (WDM) was introduced so that driver developers can write device drivers that are source-code compatible across all Microsoft Windows operating systems. Kernel-mode drivers that follow the WDM rules are called WDM drivers.

There are three kinds of WDM drivers:

  • A bus driver drives an individual I/O bus device and provides per-slot functionality that is device-independent. Bus drivers also detect and report child devices that are connected to the bus.

  • A function driver drives an individual device.

  • A filter driver filters I/O requests for a device, a class of devices, or a bus.

All WDM drivers must do the following:

  • Include Wdm.h, not Ntddk.h. (Note that Wdm.h is a subset of Ntddk.h.)

  • Be designed as a bus driver, a function driver, or a filter driver, as described in Types of WDM Drivers.

  • Create device objects as described in WDM Device Objects and Device Stacks.

  • Support Plug and Play (PnP).

  • Support power management.

  • Support Windows Management Instrumentation (WMI).


WDF – Windows Driver Frameworks

Windows Driver Frameworks (WDF) is a set of libraries for developing device drivers that interoperate with Windows.

WDF consists of:

  • Kernel-Mode Driver Framework (KMDF).

  • User-Mode Driver Framework (UMDF).

WDF provides object-based interfaces for drivers.


KMDF – Kernel-Mode Driver Framework

KMDF is one of the frameworks included in the Windows Driver Foundation. It is object-based and built on top of WDM, giving an object-based view of WDM in line with the architecture of its superset, WDF. The functionality is exposed through different types of framework objects. Because features such as power management and Plug and Play are handled by the framework, a KMDF driver is less complex and contains less code than an equivalent WDM driver.

KMDF implementation consists of:

  • Plug and Play and power management
  • I/O queues
  • Direct memory access (DMA)
  • Windows Management Instrumentation (WMI)
  • Synchronization


UMDF – User-Mode Driver Framework

UMDF is essentially a subset of KMDF. UMDF is a framework for the creation of user-mode drivers.

Like Kernel-Mode Driver Framework (KMDF), UMDF provides an abstraction layer from WDM, handling much of the Plug and Play (PnP) and power management functionality, and allowing the driver to opt in for specific functionality and event handling.

Standard device drivers can be difficult to write because they must handle a very wide range of system and device states, particularly in a multithreaded environment. A badly written driver can cause severe damage to a system (e.g., a BSOD or data corruption), because standard kernel-mode drivers run with full kernel privileges and access the kernel directly.

The User-Mode Driver Framework insulates the kernel from the risks of direct driver access by providing a new class of driver with a dedicated application programming interface for interrupt handling and memory management at user level. If an error occurs, the framework allows the driver to be restarted immediately without affecting the rest of the system. This is particularly useful for devices that are intermittently connected or support hot swapping via a bus technology such as USB or FireWire.

UMDF drivers are simpler to write and debug than kernel-mode drivers. UMDF is typically used for packet-based devices (e.g., USB and IEEE 1394 devices) where data is sent across a bus. However, UMDF adds overhead, so it should not be used for performance-intensive or highly stateful devices.

References

Microsoft MSDN

Wikipedia WDK

Wikipedia WDF