Windows Driver Model (WDM)
⊕ Tutorial
‐ 1. Driver entry point DriverEntry()
‐ 2. The system adds a device by calling AddDevice()
‐ 3. The system unloads the driver by calling DriverUnload()
‐ 4. User applications communicate with the driver through a File
‐ 5. File buffer usage strategies
‐ 6. User applications communicate with the driver through IOCTL
‐ 7. IOCTL buffer usage strategies
‐ 8. Steps for queuing an IRP
‐ 9. Steps for cancelling an IRP
‐ 10. Using synchronization objects
⊕ Examples - Assembly (ObjAsm)
‐ Development environment
⊕ Examples - Assembly (MASM32)
‐ Development environment
‐ make.bat
‐ main.inf
‐ Hello, world!
‐ Handle File IRP
‐ Choose DO_BUFFERED_IO for File IRP
‐ Choose DO_DIRECT_IO for File IRP
‐ Choose DO_NEITHER_IO for File IRP
‐ Handle IOCTL IRP
‐ Choose METHOD_BUFFERED for IOCTL IRP
‐ Choose METHOD_IN_DIRECT, METHOD_OUT_DIRECT for IOCTL IRP
‐ Choose METHOD_NEITHER for IOCTL IRP
‐ Use Thread
‐ Use I/O Timer
‐ Use DPC Timer
‐ Handle StartIo IRP
‐ Queue IRP
‐ Cancel IRP
‐ Use Cancel-Safe IRP Queue (CSQ)
‐ Use Spin Lock
‐ Use Event
‐ Use Mutex
‐ Use Semaphore
⊕ Examples - BASIC (FreeBASIC)
‐ Development environment
‐ Hello, world!
⊕ Examples - C/C++ (DDK)
‐ Development environment
‐ main.inf
‐ sources
‐ makefile
‐ Hello, world!
⊕ File
∗ IRP
∗ DO_BUFFERED_IO
∗ DO_DIRECT_IO (PIO)
∗ DO_DIRECT_IO (DMA)
∗ DO_NEITHER_IO
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ StartIO
∗ Queue IRP
∗ Cancel IRP
∗ Cancel-Safe IRP Queue (CSQ)
⊕ Synchronization
∗ Spin Lock
∗ Event
∗ Mutex
∗ Semaphore
∗ Deferred Procedure Call (DPC)
∗ Asynchronous Procedure Call (APC)
∗ PsSetCreateThreadNotifyRoutine()
∗ PsSetCreateProcessNotifyRoutine()
⊕ Examples - C/C++ (DriverWorks)
‐ Development environment
‐ main.inf
‐ sources
‐ makefile
‐ Hello, world!
⊕ Examples - Pascal (DDDK)
‐ Development environment
‐ main.inf
‐ make.bat
‐ Hello, world!
⊕ File
∗ IRP
∗ DO_BUFFERED_IO
∗ DO_DIRECT_IO (PIO)
∗ DO_DIRECT_IO (DMA)
∗ DO_NEITHER_IO
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ StartIO
∗ Queue IRP
∗ Cancel IRP
∗ Cancel-Safe IRP Queue (CSQ)
⊕ Synchronization
∗ Spin Lock
∗ Event
∗ Mutex
∗ Semaphore
∗ WinDbg symbol path
∗ Disabling Win7 digital signature enforcement
∗ Disabling Win10 digital signature enforcement
∗ Signing a driver with a private certificate
∗ Validating a driver with Verifier
∗ How to remove an already signed driver
∗ Turning off the WinXP digital signature warning dialog
∗ Fixing DbgView output message problems
∗ Fixing the DbgView Dbgv.sys problem
∗ How to use ZwQueryValueKey()
∗ Namespace ("\\.\", "\??\")
∗ Restrictions on using __try / __except
∗ DISPATCH_LEVEL on multi-core systems
∗ How to install a driver with rundll32.exe
∗ ProbeForRead(), ProbeForWrite()
∗ How to use RtlQueryRegistryValues()
∗ Fixing the "INF does not contain digital ..." problem
∗ Fixing the "unresolved symbol _DriverEntry@8" problem
∗ Fixing the "unresolved symbol SDDL_DEVOBJ..." problem
∗ Why ZwAllocateVirtualMemory cannot allocate addresses above 0x80000000
∗ How to open a driver under "\Device\" from user mode (without a symbolic link)
Windows NT Driver (Legacy)
⊕ Assembly
‐ Development environment
∗ DriverEntry()
∗ DriverUnload()
∗ Hello, world!
⊕ File
∗ IRP
∗ DO_BUFFERED_IO
∗ DO_DIRECT_IO (PIO)
∗ DO_DIRECT_IO (DMA)
∗ DO_NEITHER_IO
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ StartIO
∗ Queue IRP
∗ Cancel IRP
∗ Cancel-Safe IRP Queue (CSQ)
⊕ Pascal
‐ Development environment
∗ DriverEntry()
∗ DriverUnload()
∗ Hello, world!
⊕ File
∗ IRP
∗ DO_BUFFERED_IO
∗ DO_DIRECT_IO (PIO)
∗ DO_DIRECT_IO (DMA)
∗ DO_NEITHER_IO
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ StartIO
∗ Queue IRP
∗ Cancel IRP
∗ Cancel-Safe IRP Queue (CSQ)
⊕ C/C++
‐ Development environment
∗ DriverEntry()
∗ DriverUnload()
∗ Hello, world!
⊕ File
∗ IRP
∗ DO_BUFFERED_IO
∗ DO_DIRECT_IO (PIO)
∗ DO_DIRECT_IO (DMA)
∗ DO_NEITHER_IO
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ StartIO
∗ Queue IRP
∗ Cancel IRP
∗ Cancel-Safe IRP Queue (CSQ)
∗ Share Memory
⊕ BASIC
‐ Development environment
‐ Hello, world!
Linux Device Driver (LDD)
⊕ Assembly (ARM)
∗ Development environment
∗ hello, world!
∗ gpio output
∗ mod_timer
∗ gpio input
∗ request_irq
∗ softirq
∗ tasklet
∗ workqueue
∗ kthread
⊕ chrdev
∗ mknod
∗ device
∗ read, write
∗ ioctl
⊕ Assembly (MIPSel)
∗ Development environment
∗ hello, world!
⊕ C/C++
∗ Development environment
∗ hello, world!
∗ gpio output
∗ mod_timer
∗ gpio input
∗ request_irq
∗ softirq
∗ tasklet
∗ workqueue
∗ kthread
⊕ chrdev
∗ mknod
∗ device
∗ read, write
∗ ioctl
⊕ Falco
∗ Architecture overview
∗ install falco
∗ build ebpf
∗ build pdig
∗ build kernel
∗ build plugins/k8saudit
∗ build libscap, libsinsp
∗ How to enable the k8saudit rule
∗ How to load the modern bpf driver
∗ How to make the k8saudit plugin read the audit log file directly
∗ Fixing the "Cannot find source file: ../libs/userspace/libscap/scap_udig.c" problem
⊕ eBPF
∗ Development environment
∗ Fixing the "cannot import name BPF from bcc" problem
⊕ SystemTap
∗ Development environment
∗ overview
∗ event (sync, async)
∗ hello, world!
∗ Analysing the oneshot execution flow
∗ Differences between oneshot and begin
∗ Fixing the "module version mismatch" problem
∗ Fixing the "while resolving probe point" problem
⊕ fanotify
∗ Watching OPEN events on a specific directory
∗ using sysfs
∗ build sysdig
∗ tainted flags
∗ pr_xxx(), dev_xxx()
∗ cdev_add(), register_chrdev()
∗ dma_mmap_coherent(), remap_pfn_range()
∗ Adding "--" to the kernel command line (CONFIG_CMDLINE)
∗ Printing the time
∗ How to get the current PID
‐ How to track API function changes across kernel versions
∗ How to control backlight brightness
∗ How to replace the boot image
∗ How to change the fbcon font
∗ How to enable dynamic debug
∗ How to get the current task struct
∗ How to get the current cgroup_path
∗ How to list the exported symbols on the system
∗ How to generate a .config file with every option set to no
∗ How to tell whether the current process is inside a container
∗ How to find the kernel config options a container needs
∗ Fixing the "module_put" problem
∗ Fixing the "unknown relocation: 10" problem
∗ Fixing the "scripts/mod/modpost: not found" problem
∗ Fixing the "error: test_attr__enabled undeclared" problem
∗ Fixing the "fatal error: asm/rwonce.h file not found" problem
Kernel Mode Driver Framework (KMDF)
⊕ Assembly (PNP)
∗ Development environment
∗ DriverEntry()
∗ AddDevice()
∗ DriverUnload()
∗ Hello, world!
⊕ File
∗ IRP
∗ WdfDeviceIoBuffered
∗ WdfDeviceIoDirect (PIO)
∗ WdfDeviceIoDirect (DMA)
∗ WdfDeviceIoNeither
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ WDF
⊕ Pascal (PNP)
∗ Development environment
∗ DriverEntry()
∗ AddDevice()
∗ DriverUnload()
∗ Hello, world!
⊕ File
∗ IRP
∗ WdfDeviceIoBuffered
∗ WdfDeviceIoDirect (PIO)
∗ WdfDeviceIoDirect (DMA)
∗ WdfDeviceIoNeither
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ WDF
⊕ C/C++ (PNP)
∗ Development environment
∗ DriverEntry()
∗ AddDevice()
∗ DriverUnload()
∗ Hello, world!
⊕ File
∗ IRP
∗ WdfDeviceIoBuffered
∗ WdfDeviceIoDirect (PIO)
∗ WdfDeviceIoDirect (DMA)
∗ WdfDeviceIoNeither
⊕ IOCTL
∗ IRP
∗ METHOD_BUFFERED
∗ METHOD_IN_DIRECT, METHOD_OUT_DIRECT
∗ METHOD_NEITHER
∗ Thread
⊕ Timer
∗ I/O
∗ DPC
∗ WDF
∗ WHQL testing process
∗ WDFAPI defined values
∗ A brief look at WDFFunctions
∗ A brief look at digital signatures, timestamps and certificates
∗ How to obtain WDFFunction and WdfDriverGlobals in Pascal
∗ Fixing the "Failed to connect to OM" problem
MS-DOS Device Driver (MDD)
⊕ Assembly
⊕ Basic
∗ Development environment
∗ Basic concepts
∗ I/O Request Packet (IRP)
⊕ Advanced
⊕ Char
⊕ Hello, world!
⊕ Block
∗ Hello, world!
VxWorks
‐ 23.09
‐ C/C++
‐ Development environment
‐ Hello, world!
‐ File
‐ IOCTL
‐ Select
‐ MUX Binding
‐ Watchdog
‐ Pipe
‐ Task Hook
‐ RTP Hook
‐ Module Hook
‐ Syscall Hook (Group)
‐ Syscall Hook (Entry and Exit)