Windows XP ??? ????? : Device Driver? ???

1
Windows XP ??? ????? Device Driver? ???

• Sep 5, 2008.
• CHONBUK NATIONAL UNIVERSITY
• Prof. Woonchul Ham

2
??

1. ???????
2. Device Driver ??????
3. Driver ? ??
4. Plug Play
5. Device Driver ???? UsbBulk.sys
6. Application Program

3
???????
? ???-gt??-gt ????-gt?????
4
??????? (USB)
??? ??
5
??????? (USB)
6
??????? (USB)
7
??????? (USB)

• USBSTOR.SYS ??? ???? ??? ??.
• ??? .SYS ??? ?? Device Driver ??, ? ????????
  ??? ??????(.exe) ? OS ?? ??? ??? ????? ??? ? ??
  ?? ???.

8
???????? (USB)
Applications
Win32 API
User Mode
Kernel Mode
Other Kernel Mode Driver
Operating System Kernel
File System Drivers
Hardware Abstraction layer(HAL)
Hardware
9
1. ???????
2. Device Driver ??????
3. Driver ? ??
4. Plug Play
5. Device Driver ???? UsbBulk.sys
6. Application Program
10
2. Device Driver ??????
1. Windbg ??
2. Windows Device Driver Tool kit ??
3. NULL Modem Cable ??
4. Target Computer, Host Computer
11
Windbg ??
2. Device Driver ??????

• ?? ? ?? ???? ? ?? ???? ??????? ???? ????? ????.
  (buadrate, no hardware? ???? ????, ?? ?? ?? ???
  ??? ?? ?? ?? ?? ?)
• Target ???? OS ???? ??? ????? (C)  ??? ??
  BOOT.INI ??? ??? ??? ?? ????. ?? baudrate?
  comport?? ???? ????? ??.
• boot loadertimeout10defaultmulti(0)disk(0)rd
  isk(0)partition(1)\WINNT
• operating systemsmulti(0)disk(0)rdisk(0)partiti
  on(1)\WINNT"Microsoft Windows 2000 Professional"
  /fastdetect /noguiboot
• multi(0)disk(0)rdisk(0)partition(1)\WINNT"MS Win
  2000 Professional-Prof.Ham" /fastdetect
  /noguiboot /debug /debugportcom1
  /baudrate115200

12
Windbg ??
2. Device Driver ??????

1. Host Computer? Windbg 6.0 ??? ????
2. Target ????? ??? .pdb ??? Host computer?
   c\winnt\ ?? (???? c\winnt\symbolham)? ??? ???
   ????.
3. Target ????? ???  .c,  .cpp ??? Host computer?
   c\winnt\ ??(???? c\winnt\symolsourceham)? ???
   ??? ????.
4. Null Modem Cable? ???? ??, Host Computer? Windbg?
   ????
5. Windbg? FILE-gtSymbol File Path? FILE-gtSource File
   Path? 4, 5??? ??? ????
6. Windbg? Kernel Debug? ????
7. ?? Target Computer? ????.
8. Windbg? Command ?? ?????? ?????? ????

13
Windbg ??
2. Device Driver ??????

1. ??? Windbg? Debug-gtSource Mode? ???? ?? ?? ????
2. Windbg? Command ?? " LM "???? ????, ?? Load?
   Module?? ?? ???? ????. ?? ????? ?? ?????? ??
   Symbol?? ? ??? ?? ?? ????
3. 12 ?? ??? ?? ?? " .reload " ???? ????, ???
   Symbol?? ?? ? ????, ??? ???? ??? ?? .pdb ????
   ??? Loading ??? ?? ????
4. WIndbg ? Command ???? ??? ????? Windbg?
   Help-gtContents? ???? ???? ?? ??
   Reference-gtDebugger Commands ??? ?? ?? ?? ? ??.

14
Windbg ??
2. Device Driver ??????

1. 16. Windbg? Command ?? " x i8042prt! " ????
   ????, i8042prt.sys ???? ??? ??? Symbols?? ?????
   ???. \
2. Windbg? Command ?? " bp i8042prt!I8042KeyboardInt
   erruptService " ???? ????, Debug Break Point?
   ??? ?, ? ??? ???? ???, " BL "???? ???? ??.  " BC
   ", " BD  ", " BE " ???? ???? Break Point?
   ????, Disable, Enable ???
3. Host Computer?? Break ?? ?????  Debug-gtBreak?
   ???? ??

15
1. ???????
2. Device Driver ??????
3. Driver ? ??
4. Plug Play
5. Device Driver ???? UsbBulk.sys
6. Application Program
16
Driver ? ??
Layered Driver Architecture
User Mode Client Driver
User Mode
Kernel Mode
Kernel Mode Client Driver
Operating System Kernel
File System Drivers
Class Driver
Port Driver
Hardware Bus driver
17
(No Transcript)
18
1. ???????
2. Device Driver ??????
3. Driver ? ??
4. Plug Play
5. Device Driver ???? UsbBulk.sys
6. Application Program
19
(No Transcript)
20
1. ???????
2. Device Driver ??????
3. Driver ? ??
4. Plug Play
5. Device Driver ???? UsbBulk.sys
6. Application Program
21
??? ??

• Bulkusb.c
• Bulkpnp.c
• Busbdbg.c
• Ioctlblk.c
• Ocrwblk.c
• Bulkpwr.c

22
Sources??
TARGETNAMEsecbulk TARGETTYPEDRIVER DRIVERTYPEWD
M TARGETPATHobj TARGETLIBS(DDK_LIB_PATH)\usbd
.lib USE_MAPSYM1 SOURCES \
BulkUsb.rc \ BusbDbg.c \
BulkUsb.c \ SBulkPnP.c \
BulkPwr.c \ IoctlBlk.c \
OcrwBlk.c
23
Bulkusb.c DriverEntry()
NTSTATUS DriverEntry( IN PDRIVER_OBJECT
DriverObject, IN PUNICODE_STRING
RegistryPath ) // Create dispatch
points for create, close, unload
DriverObject-gtMajorFunctionIRP_MJ_CREATE
BulkUsb_Create DriverObject-gtMajorFunctionIR
P_MJ_CLOSE BulkUsb_Close
DriverObject-gtDriverUnload BulkUsb_Unload
// User mode DeviceIoControl() calls will be
routed here DriverObject-gtMajorFunctionIRP_MJ
_DEVICE_CONTROL BulkUsb_ProcessIOCTL //
User mode ReadFile()/WriteFile() calls will be
routed here DriverObject-gtMajorFunctionIRP_MJ
_WRITE BulkUsb_Write DriverObject-gtMajorFu
nctionIRP_MJ_READ BulkUsb_Read //
routines for handling system PNP and power
management requests DriverObject-gtMajorFunctio
nIRP_MJ_SYSTEM_CONTROL BulkUsb_ProcessSysContr
olIrp DriverObject-gtMajorFunctionIRP_MJ_PNP
BulkUsb_ProcessPnPIrp DriverObject-gtMajorF
unctionIRP_MJ_POWER BulkUsb_ProcessPowerIrp
..
CreateFile()
CloseFile()
DeviceIOControl()
WriteFile()
ReadFile()
PowerManager
IoCallDriver()
PnPManager
24
Bulkusb.c
// DriverObject-gtDriverExtension-gtAddDevice
BulkUsb_PnPAddDevice BULKUSB_KdPrint(
DBGLVL_DEFAULT,("exiting DriverEntry (x)\n",
ntStatus)) return ntStatus
??? ??? ??? PnP Manager? ??? ??? ??.
25
Bulkusb.c BulkUsb_ProcessSysControlIrp
NTSTATUS BulkUsb_ProcessSysControlIrp( IN
PDEVICE_OBJECT DeviceObject, IN PIRP
Irp) Irp-gtIoStatus.Status STATUS_SUCCESS Irp-
gtIoStatus.Information 0 irpStack
IoGetCurrentIrpStackLocation (Irp) deviceExtensio
n DeviceObject-gtDeviceExtension stackDeviceObje
ct deviceExtension-gtTopOfStackDeviceObject Bul
kUsb_IncrementIoCount(DeviceObject) BULKUSB_ASSE
RT( IRP_MJ_SYSTEM_CONTROL irpStack-gtMajorFuncti
on ) IoCopyCurrentIrpStackLocationToNext(Irp) nt
Status IoCallDriver(stackDeviceObject,
Irp) BulkUsb_DecrementIoCount(DeviceObject)
return ntStatus
Next Lower Driver
Drivers that do not support WMI by registering as
a WMI data provider must pass IRP_MJ_SYSTEM_CONTRO
L requests to the next lower driver.
26
Bulkusb.c BulkUsb_Read
NTSTATUS BulkUsb_Read( IN PDEVICE_OBJECT
DeviceObject, IN PIRP Irp ) NTSTATUS
ntStatus BulkUsb_StagedReadWrite(DeviceObject,
Irp,
TRUE) // false to write,
true to read return ntStatus

27
Bulkusb.c BulkUsb_StagedReadWrite
NTSTATUS BulkUsb_StagedReadWrite( IN
PDEVICE_OBJECT DeviceObject, IN PIRP Irp,
IN BOOLEAN Read ) PDEVICE_EXTENSION
deviceExtension DeviceObject-gtDeviceExtension
if ( Irp-gtMdlAddress ) // could be NULL for
0-len request totalLength MmGetMdlByteCount(Ir
p-gtMdlAddress) if ( totalLength lt
deviceExtension-gtMaximumTransferSize ) // for
short or zero-len transfers, no need to do the
staging do it in a single request return
BulkUsb_SingleUrbReadWrite( DeviceObject, Irp,
Read )
Maximum TransferSize4096
28
Bulkusb.c BulkUsb_SingleUrbReadWrite()-1
NTSTATUS BulkUsb_SingleUrbReadWrite( IN
PDEVICE_OBJECT DeviceObject, IN PIRP Irp,
IN BOOLEAN Read) Irp-gtIoStatus.Information
0 siz sizeof(struct _URB_BULK_OR_INTERRUPT
_TRANSFER) irpStack IoGetCurrentIrpStackLoc
ation (Irp) fileObject irpStack-gtFileObject
pipeHandle fileObject-gtFsContext
.. if ( Irp-gtMdlAddress ) // could be NULL
for 0-len request totalLength
MmGetMdlByteCount(Irp-gtMdlAddress) urb
BulkUsb_BuildAsyncRequest(DeviceObject, Irp,
pipeHandle, Read) deviceExtension-gtBaseUrb
urb nextStack IoGetNextIrpStackLocation(Irp)
nextStack-gtParameters.Others.Argument1 urb

29
Bulkusb.c BulkUsb_SingleUrbReadWrite()-2
nextStack-gtMajorFunction IRP_MJ_INTERNAL_DEVICE_
CONTROL nextStack-gtParameters.DeviceIoControl
.IoControlCode IOCTL_INTERNAL_USB_SUBMIT
_URB IoSetCompletionRoutine(
Irp, // irp to use
BulkUsb_SimpleReadWrite_Complete, //
routine to call when irp is done
DeviceObject, // we pass
our FDO as context to pass routine
TRUE, // call on success
TRUE, // call
on error TRUE)
BulkUsb_IncrementIoCount(DeviceObject) ntStatu
s IoCallDriver(deviceExtension-gtTopOfStackDevice
Object, Irp ) return ntStatus
30
Data Structure IRP
typedef struct _IRP . . PMDL MdlAddress
ULONG Flags union struct _IRP MasterIrp
. . PVOID SystemBuffer AssociatedIrp . .
IO_STATUS_BLOCK IoStatus .. PDRIVER_CANCEL
CancelRoutine PVOID UserBuffer .. Tail
IRP, PIRP
Pointer to an MDL describing a user buffer for an
IRP_MJ_READ or IRP_MJ_WRITE request if the driver
set up its device object(s) for direct I/O .
AssociatedIrp.SystemBuffer Pointer to a
system-space buffer for one of the following (1)
a transfer request to a driver that set up its
device object(s) requesting buffered I/O (2) an
IRP_MJ_DEVICE_CONTROL request, (3) an
IRP_MJ_INTERNAL_DEVICE_CONTROL request with an
I/O control code that was defined with
METHOD_BUFFERED
31
Data Structure IO_STACK_LOCATION
typedef struct _IO_STACK_LOCATION UCHAR
MajorFunction UCHAR MinorFunction UCHAR
Flags UCHAR Control union //
Parameters for IRP_MJ_CREATE struct
PIO_SECURITY_CONTEXT SecurityContext
ULONG Options USHORT
POINTER_ALIGNMENT FileAttributes
USHORT ShareAccess ULONG
POINTER_ALIGNMENT EaLength Create
// Parameters for IRP_MJ_READ struct ULONG
Length ULONG POINTER_ALIGNMENT Key
LARGE_INTEGER ByteOffset Read
. PDEVICE_OBJECT DeviceObject PFILE_OBJECT
FileObject . . IO_STACK_LOCATION,
PIO_STACK_LOCATION
32
Data Structure FILE_OBJECT
Accessible Fields PDEVICE_OBJECT DeviceObject
Pointer to the device object on which the file
is opened. PVOID FsContext Pointer to whatever
optional state a driver maintains about the file
object otherwise, NULL. PVOID FsContext2
Pointer to whatever additional state a driver
maintains about the file object otherwise, NULL.
UNICODE_STRING FileName Is the name of the file
opened on the device, or the Length of the string
is zero if the device represented by DeviceObject
is being opened.
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
1. ???????
2. Device Driver ??????
3. Driver ? ??
4. Plug Play
5. Device Driver ???? UsbBulk.sys
6. Application Program
37
Application Program

• ??????? ???? 2410 ?? CD ? ?? ?? rwbulk.exe ( Web
  Disk ?? ?? ?? ? ?)
• MBA 2440 ??? ??? ???? ??
• ???????? DNW.exe ? ???? MBA ? ???? 18? ??? ??? ??
  ?? 1? ??? ???? target MBA 2440 ??? USB Client
  (Device) ??? ?????.
• ??? ???? rwbulk.exe ? ??? ? rwbulk r 128 ?
  ???? ?? MBA2440 ???? USB ? ??? data ? ??????.
• 3. ??? ? ?? ?? ??, dnw.exe ? USB Port-gt Rx Test ?
  ???? ?? MBA2440 ???? USB ? ??? data ? ? ?????
  ??????.

38
Application Program
DNW.exe ????? ?? USB Port-gt Rx Test
39
Application Program
Rwbulk.exe ????? ?? rwbulk r 128
40
Application Program
Rwbulk.exe ????? ??? ?, dnw.exe ? MBA2440 ???
USB Device ? ???? ?? ??? ????? ??, ??? 18? ??? ??
?? 1? ??? ????? ??. ??? ??? ???? MBA2440 ??? usb
Device ? ????, ??? ? ? dnw.exe ? USB Port -gt Rx
Test ? ???? MBA2440 ??? USB Device ??? ? ??????
????. ?? ????? SECBULK.SYS ? ???? ??? ??? ?????
? ? ???, ??? DNW.exe ? ?? ??? rwbulk.exe ?
SECBULK.SYS ? ???? ???? ??? ???? ??. USBPDO-12
41
Application Program
USB Client ? ??? 2?? ???? ??.
42
Application Program
rwbulk.c ? ??? MS Visual C ? ????? ?? ??

1. rwbulk.c ? MS Visual C  tool? ???? open ??.
2. Visual C ???? Build-gtRebuild ALL? ???? ??.  ? ?
   Project ?  ?? ???? ??? ???? yes? ????.
3. ?? Visual C ???? Build-gtRebuild ALL? ???? ??. 
   ??? ERROR ? ????. ERROR ? ??? ?? ??? ???
4. Tools-gtOptions ? ???? Build Directory ?? ????
   include files ? ?? directory? D\WINDDK\2600.1106
   \INC\DDK\WXP ? ????.
5. Project-gtSettings? ?????? ???? ??????  Link ??
   ????. ??? ?? Object/Library modules  ???
   setupapi.lib usbd.lib? ?? ??.
6. Tools-gtOptions ? ???? Build Directory ?? ????
   library files ? ?? directory?
   D\WINDDK\2600.1106\LIB\WXP\I386? ????.

43
Application Program
rwbulk.c ? ??? MS Visual C ? ????? ?? ??

1. Project-gtSettings ? Debug ?? ???? Program
   Argument ? r 128 ? ????.
2. Rwbulk.c ? main() ??? parse() ??? debug break ?
   ???? ?? build-gtStart debug ? ????? ????? ??.

44
Application Program
45
Application Program
??? ?? ??? main() ??? dump() ? ???? USB Device ?
?? ??? ??? command ?? ????.
printf("ltsgt R (04.4d) request 06.6d
bytes -- 06.6d bytes read\n",
inPipe, i, ReadLen, nBytesRead) //HAM printf("Dum
ping read buffer\n") dump( pinBuf, nBytesRead
) //HAM if (fWrite) ..
46
Application Program
47
Application Program
TIP ??? ???? ????? ??? ?? ??? ????? ????. ???
USB read ???? ??? ???? Test ? ?? ??? ????? ????.
48
- END -