MSDN系列(12)--KMD(Kernel Mode Driver)的编写安装与调试

创建: 2004-07-06 20:17
更新: 2004-07-12 14:47
链接: http://www.opencjk.org/~scz/windows/200407121605.txt

--------------------------------------------------------------------------

    ☆ 概述
    ☆ 编写loopback.c文件
         1) KdPrint
         2) 内部设备名、外部设备名
         3) 池(Pool)
         4) CRT/RTL
         5) Unload
         6) UNICODE_STRING
         7) 设备扩展
         8) IRP
         9) IoCompleteRequest
        10) DRIVER_OBJECT/DEVICE_OBJECT
        11) 内核态的结构化异常处理
        12) 丢弃初始化例程、控制驱动程序分页
    ☆ 编写dirs文件
    ☆ 编写sources文件
    ☆ 编写makefile文件
    ☆ 编译产生loopback.sys文件
    ☆ 编写loopback.inf文件
    ☆ 安装loopback.inf文件
    ☆ 卸载loopback.sys及相关设置
    ☆ installdriver.c
    ☆ 察看KdPrint输出
    ☆ loopbacktest.c
    ☆ 用SoftICE对loopback.sys进行源码级调试
    ☆ 后记
    ☆ 参考资源

--------------------------------------------------------------------------

☆ 概述

在<<MSDN系列(2)--学习写一个Hello World驱动>>中已经介绍过编写驱动的基本步骤。
当时那个hello.sys连个框架都算不上,这次的loopback.sys则是一个可加载、卸载
的框架。本文试图记录KMD(Kernel Mode Driver)的编写安装与调试过程,采用纯DDK
编程,以减少第三方工具封装后带来的困挠。

我的最终目的不是写硬件驱动,能摸到NDIS边上即可。更多时候可能仅仅是想利用驱
动进入Ring 0做一些实验或其他什么非常规主流动作。因此最普通的KMD足够了。现
在流行的驱动框架对我无用,不做深究,在下非学院派,只折腾能为我所用的东西,
也只在用到的时候才去折腾。

☆ 编写loopback.c文件

--------------------------------------------------------------------------
/*
* For x86/EWindows XP SP1 & VC 7 & Windows DDK 2600.1106
* build -cZ -x86
*/

/************************************************************************
*                                                                      *
*                               Head File                              *
*                                                                      *
************************************************************************/

/*
* #include <wdm.h>
*/
#include <NTDDK.h>

/************************************************************************
*                                                                      *
*                               Macro                                  *
*                                                                      *
************************************************************************/

/*
* 后面要追加DeviceNumber
*/
#define INTERNALNAME    L"//Device//LoopbackInternal"
/*
* DosDevices
*/
#define EXTERNALNAME    L"//??//LoopbackExternal"
/*
* 参ExAllocatePoolWithTag第三形参的DDK文档
*/
#define PRIVATETAG      'OFSN'

/*
* 设备扩展是自定义结构
*/
typedef struct _DEVICE_EXTENSION
{
    PDEVICE_OBJECT  DeviceObject;
    ULONG           DeviceNumber;
    PVOID           DeviceBuffer;
    ULONG           DeviceBufferSize;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

/************************************************************************
*                                                                      *
*                            Function Prototype                        *
*                                                                      *
************************************************************************/

/*
* 非Dispatch函数
*/
static NTSTATUS LoCreateDevice
(
    IN  PDRIVER_OBJECT  DriverObject,
    IN  ULONG           DeviceNumber
);
/*
* 非Dispatch函数
*/
static VOID     LoDeleteDevice
(
    IN  PDEVICE_OBJECT  DeviceObject
);
/*
* 在DDK文档中搜索DispatchClose
*/
static NTSTATUS LoDispatchClose
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
);
/*
* 在DDK文档中搜索DispatchCreate
*/
static NTSTATUS LoDispatchCreate
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
);
/*
* 在DDK文档中搜索DispatchRead
*/
static NTSTATUS LoDispatchRead
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
);
/*
* 在DDK文档中搜索DispatchWrite
*/
static NTSTATUS LoDispatchWrite
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
);
/*
* 非Dispatch函数,在DDK文档中搜索Unload
*/
static VOID     LoDriverUnload
(
    IN  PDRIVER_OBJECT  DriverObject
);
       NTSTATUS DriverEntry
(
    IN  PDRIVER_OBJECT  DriverObject,
    IN  PUNICODE_STRING RegistryPath
);

/*
* 参看<<The Windows 2000 Device Driver Book, Second Edition>>中5.2.6、
* 5.2.7小节。INIT、PAGE应该是大小写敏感的,可我居然看到过init、page,不清
* 楚怎么回事,稳妥起见还是用INIT、PAGE算了。
*/
#ifdef ALLOC_PRAGMA

#pragma alloc_text( INIT, LoCreateDevice    )
#pragma alloc_text( PAGE, LoDeleteDevice    )
#pragma alloc_text( PAGE, LoDispatchClose   )
#pragma alloc_text( PAGE, LoDispatchCreate  )
#pragma alloc_text( PAGE, LoDispatchRead    )
#pragma alloc_text( PAGE, LoDispatchWrite   )
#pragma alloc_text( PAGE, LoDriverUnload    )
#pragma alloc_text( INIT, DriverEntry       )

#endif

/************************************************************************
*                                                                      *
*                            Static Global Var                         *
*                                                                      *
************************************************************************/

/************************************************************************/

/*
* 非Dispatch函数。如果不做错误处理,函数将精简很多,实际上就是调用两个函
* 数,IoCreateDevice与IoCreateSymbolicLink,分别建立内部设备名、外部设备
* 名。
*/
static NTSTATUS LoCreateDevice
(
    IN  PDRIVER_OBJECT  DriverObject,
    IN  ULONG           DeviceNumber
)
{
    NTSTATUS            status;
    PDEVICE_OBJECT      DeviceObject;
    PDEVICE_EXTENSION   DeviceExtension;
    UNICODE_STRING      DeviceName;
    UNICODE_STRING      SymbolicLinkName;
    UNICODE_STRING      NumberUnicodeString;
    UNICODE_STRING      InternalNameUnicodeString;
    UNICODE_STRING      ExternalNameUnicodeString;

    KdPrint((  "Entering LoCreateDevice()/n" ));
    /*
     * If the string is NULL-terminated, Length does not include the
     * trailing NULL.
     */
    NumberUnicodeString.Length              = 0;
    /*
     * 0xFFFFFFFF转换成10进制是4294967295,最长10个字符,加上结尾的NUL,不
     * 超过11。
     */
    NumberUnicodeString.MaximumLength       = 16;
    /*
     * PVOID ExAllocatePoolWithTag
     * (
     *     IN  POOL_TYPE   PoolType,
     *     IN  SIZE_T      NumberOfBytes,
     *     IN  ULONG       Tag
     * );
     *
     * 这里分配了内存,记得在后面释放它。
     */
    NumberUnicodeString.Buffer              = ( PWSTR )ExAllocatePoolWithTag
    (
        PagedPool,
        NumberUnicodeString.MaximumLength,
        PRIVATETAG
    );
    if ( NULL == NumberUnicodeString.Buffer )
    {
        /*
         * DDK文档中指出,如果ExAllocatePool返回NULL,主调者应该返回
         * STATUS_INSUFFICIENT_RESOURCES。但是DDK文档中没有指出
         * ExAllocatePoolWithTag返回NULL时该如何,我只好类比一下,也返回
         * STATUS_INSUFFICIENT_RESOURCES。不知这里是否可以返回
         * STATUS_NO_MEMORY。
         */
        return( STATUS_INSUFFICIENT_RESOURCES );
    }
    /*
     * NTSTATUS RtlIntegerToUnicodeString
     * (
     *     IN      ULONG           Value,
     *     IN      ULONG           Base    OPTIONAL,
     *     IN OUT  PUNICODE_STRING String
     * );
     *
     * converts an unsigned integer value to a NULL-terminated string of one
     * or more Unicode characters in the specified base.
     */
    status                                  = RtlIntegerToUnicodeString
    (
        DeviceNumber,
        10,
        &NumberUnicodeString
    );
    if ( !NT_SUCCESS( status ) )
    {
        ExFreePoolWithTag
        (
            NumberUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &NumberUnicodeString,
            sizeof( NumberUnicodeString )
        );
        return( status );
    }
    /*
     * VOID RtlInitUnicodeString
     * (
     *     IN OUT  PUNICODE_STRING DestinationString,
     *     IN      PCWSTR          SourceString
     * );
     *
     * 这个函数没有动态分配内存
     */
    RtlInitUnicodeString( &DeviceName, INTERNALNAME );
    /*
     * 在后面追加DeviceNumber。没有wsprintf()可用,不得已,只好这样变态地
     * 处理。
     */
    InternalNameUnicodeString.Length        = DeviceName.Length + NumberUnicodeString.Length;
    InternalNameUnicodeString.MaximumLength = InternalNameUnicodeString.Length + 2;
    InternalNameUnicodeString.Buffer        = ( PWSTR )ExAllocatePoolWithTag
    (
        PagedPool,
        InternalNameUnicodeString.MaximumLength,
        PRIVATETAG
    );
    if ( NULL == InternalNameUnicodeString.Buffer )
    {
        /*
         * NTKERNELAPI VOID ExFreePoolWithTag
         * (
         *     IN  PVOID   P,
         *     IN  ULONG   Tag
         * );
         *
         * 需要释放NumberUnicodeString.Buffer
         */
        ExFreePoolWithTag
        (
            NumberUnicodeString.Buffer,
            PRIVATETAG
        );
        /*
         * VOID RtlZeroMemory
         * (
         *     IN  VOID UNALIGNED *Destination,
         *     IN  SIZE_T          Length
         * );
         */
        RtlZeroMemory
        (
            &NumberUnicodeString,
            sizeof( NumberUnicodeString )
        );
        return( STATUS_INSUFFICIENT_RESOURCES );
    }
    /*
     * VOID RtlCopyUnicodeString
     * (
     *     IN OUT  PUNICODE_STRING DestinationString,
     *     IN      PUNICODE_STRING SourceString
     * );
     */
    RtlCopyUnicodeString
    (
        &InternalNameUnicodeString,
        &DeviceName
    );
    /*
     * NTSTATUS RtlAppendUnicodeStringToString
     * (
     *     IN OUT  PUNICODE_STRING Destination,
     *     IN      PUNICODE_STRING Source
     * );
     */
    status                                  = RtlAppendUnicodeStringToString
    (
        &InternalNameUnicodeString,
        &NumberUnicodeString
    );
    /*
     * 已经不需要NumberUnicodeString.Buffer,趁早释放它。
     */
    ExFreePoolWithTag
    (
        NumberUnicodeString.Buffer,
        PRIVATETAG
    );
    RtlZeroMemory
    (
        &NumberUnicodeString,
        sizeof( NumberUnicodeString )
    );
    if ( !NT_SUCCESS( status ) )
    {
        ExFreePoolWithTag
        (
            InternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &InternalNameUnicodeString,
            sizeof( InternalNameUnicodeString )
        );
        return( status );
    }
    InternalNameUnicodeString.Buffer[ InternalNameUnicodeString.Length / 2 ]
                                            = UNICODE_NULL;
    /*
     * NTSTATUS IoCreateDevice
     * (
     *     IN  PDRIVER_OBJECT      DriverObject,
     *     IN  ULONG               DeviceExtensionSize,
     *     IN  PUNICODE_STRING     DeviceName  OPTIONAL,
     *     IN  DEVICE_TYPE         DeviceType,
     *     IN  ULONG               DeviceCharacteristics,
     *     IN  BOOLEAN             Exclusive,
     *     OUT PDEVICE_OBJECT     *DeviceObject
     * );
     */
    status                                  = IoCreateDevice
    (
        DriverObject,
        sizeof( DEVICE_EXTENSION ),
        &InternalNameUnicodeString,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &DeviceObject
    );
    if ( !NT_SUCCESS( status ) )
    {
        ExFreePoolWithTag
        (
            InternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &InternalNameUnicodeString,
            sizeof( InternalNameUnicodeString )
        );
        return( status );
    }
    DeviceObject->Flags                    |= DO_BUFFERED_IO;
    /*
     * Initialize the Device Extension
     *
     * 设备扩展的内存空间是由IoCreateDevice给予的
     */
    DeviceExtension                         = ( PDEVICE_EXTENSION )DeviceObject->DeviceExtension;
    DeviceExtension->DeviceObject           = DeviceObject;
    DeviceExtension->DeviceNumber           = DeviceNumber;
    DeviceExtension->DeviceBuffer           = NULL;
    DeviceExtension->DeviceBufferSize       = 0;
    /*
     * 下面开始处理SymbolicLink
     */
    NumberUnicodeString.Length              = 0;
    NumberUnicodeString.MaximumLength       = 16;
    /*
     * 这里分配了内存,记得在后面释放它。
     */
    NumberUnicodeString.Buffer              = ( PWSTR )ExAllocatePoolWithTag
    (
        PagedPool,
        NumberUnicodeString.MaximumLength,
        PRIVATETAG
    );
    if ( NULL == NumberUnicodeString.Buffer )
    {
        IoDeleteDevice( DeviceObject );
        DeviceObject    = NULL;
        ExFreePoolWithTag
        (
            InternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &InternalNameUnicodeString,
            sizeof( InternalNameUnicodeString )
        );
        return( STATUS_INSUFFICIENT_RESOURCES );
    }
    /*
     * 一般内部设备号从0计,外部设备号从1计
     */
    status                                  = RtlIntegerToUnicodeString
    (
        DeviceNumber + 1,
        10,
        &NumberUnicodeString
    );
    if ( !NT_SUCCESS( status ) )
    {
        IoDeleteDevice( DeviceObject );
        DeviceObject    = NULL;
        ExFreePoolWithTag
        (
            InternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &InternalNameUnicodeString,
            sizeof( InternalNameUnicodeString )
        );
        ExFreePoolWithTag
        (
            NumberUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &NumberUnicodeString,
            sizeof( NumberUnicodeString )
        );
        return( status );
    }
    RtlInitUnicodeString( &SymbolicLinkName, EXTERNALNAME );
    ExternalNameUnicodeString.Length        = SymbolicLinkName.Length + NumberUnicodeString.Length;
    ExternalNameUnicodeString.MaximumLength = ExternalNameUnicodeString.Length + 2;
    ExternalNameUnicodeString.Buffer        = ( PWSTR )ExAllocatePoolWithTag
    (
        PagedPool,
        ExternalNameUnicodeString.MaximumLength,
        PRIVATETAG
    );
    if ( NULL == ExternalNameUnicodeString.Buffer )
    {
        /*
         * VOID IoDeleteDevice
         * (
         *     IN  PDEVICE_OBJECT  DeviceObject
         * );
         *
         * 需要抵消IoCreateDevice
         */
        IoDeleteDevice( DeviceObject );
        DeviceObject    = NULL;
        ExFreePoolWithTag
        (
            InternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &InternalNameUnicodeString,
            sizeof( InternalNameUnicodeString )
        );
        ExFreePoolWithTag
        (
            NumberUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &NumberUnicodeString,
            sizeof( NumberUnicodeString )
        );
        return( STATUS_INSUFFICIENT_RESOURCES );
    }
    /*
     * VOID RtlCopyUnicodeString
     * (
     *     IN OUT  PUNICODE_STRING DestinationString,
     *     IN      PUNICODE_STRING SourceString
     * );
     */
    RtlCopyUnicodeString
    (
        &ExternalNameUnicodeString,
        &SymbolicLinkName
    );
    status                                  = RtlAppendUnicodeStringToString
    (
        &ExternalNameUnicodeString,
        &NumberUnicodeString
    );
    /*
     * 已经不需要NumberUnicodeString.Buffer,趁早释放它。
     */
    ExFreePoolWithTag
    (
        NumberUnicodeString.Buffer,
        PRIVATETAG
    );
    RtlZeroMemory
    (
        &NumberUnicodeString,
        sizeof( NumberUnicodeString )
    );
    if ( !NT_SUCCESS( status ) )
    {
        ExFreePoolWithTag
        (
            ExternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &ExternalNameUnicodeString,
            sizeof( ExternalNameUnicodeString )
        );
        IoDeleteDevice( DeviceObject );
        DeviceObject    = NULL;
        ExFreePoolWithTag
        (
            InternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &InternalNameUnicodeString,
            sizeof( InternalNameUnicodeString )
        );
        return( status );
    }
    ExternalNameUnicodeString.Buffer[ ExternalNameUnicodeString.Length / 2 ]
                                            = UNICODE_NULL;
    /*
     * NTSTATUS IoCreateSymbolicLink
     * (
     *     IN  PUNICODE_STRING SymbolicLinkName,
     *     IN  PUNICODE_STRING DeviceName
     * );
     */
    status                                  = IoCreateSymbolicLink
    (
        &ExternalNameUnicodeString,
        &InternalNameUnicodeString
    );
    /*
     * 已经不需要InternalNameUnicodeString.Buffer、ExternalNameUnicodeString.Buffer
     */
    ExFreePoolWithTag
    (
        ExternalNameUnicodeString.Buffer,
        PRIVATETAG
    );
    RtlZeroMemory
    (
        &ExternalNameUnicodeString,
        sizeof( ExternalNameUnicodeString )
    );
    ExFreePoolWithTag
    (
        InternalNameUnicodeString.Buffer,
        PRIVATETAG
    );
    RtlZeroMemory
    (
        &InternalNameUnicodeString,
        sizeof( InternalNameUnicodeString )
    );
    if ( !NT_SUCCESS( status ) )
    {
        IoDeleteDevice( DeviceObject );
        DeviceObject    = NULL;
    }
    return( STATUS_SUCCESS );
}  /* end of LoCreateDevice */

/*
* 非Dispatch函数。实际上就是调用两个函数,IoDeleteSymbolicLink与
* IoDeleteDevice。
*/
static VOID LoDeleteDevice
(
    IN  PDEVICE_OBJECT  DeviceObject
)
{
    NTSTATUS            status;
    PDEVICE_EXTENSION   DeviceExtension;
    UNICODE_STRING      SymbolicLinkName;
    UNICODE_STRING      NumberUnicodeString;
    UNICODE_STRING      ExternalNameUnicodeString;

    KdPrint((  "Entering LoDeleteDevice()/n" ));
    DeviceExtension                         = ( PDEVICE_EXTENSION )DeviceObject->DeviceExtension;
    NumberUnicodeString.Length              = 0;
    NumberUnicodeString.MaximumLength       = 16;
    /*
     * 这里分配了内存,记得在后面释放它。
     */
    NumberUnicodeString.Buffer              = ( PWSTR )ExAllocatePoolWithTag
    (
        PagedPool,
        NumberUnicodeString.MaximumLength,
        PRIVATETAG
    );
    if ( NULL == NumberUnicodeString.Buffer )
    {
        /*
         * 考虑输出一些调试信息
         *
         * This routine is defined in ntddk.h, wdm.h, and ndis.h.
         * A call to this macro requires double parentheses.
         */
        KdPrint((  "ExAllocatePoolWithTag() for NumberUnicodeString.Buffer failed/n" ));
        return;
    }
    /*
     * 一般内部设备号从0计,外部设备号从1计
     */
    status                                  = RtlIntegerToUnicodeString
    (
        DeviceExtension->DeviceNumber + 1,
        10,
        &NumberUnicodeString
    );
    if ( !NT_SUCCESS( status ) )
    {
        ExFreePoolWithTag
        (
            NumberUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &NumberUnicodeString,
            sizeof( NumberUnicodeString )
        );
        KdPrint((  "RtlIntegerToUnicodeString() failed/n" ));
        return;
    }
    RtlInitUnicodeString( &SymbolicLinkName, EXTERNALNAME );
    ExternalNameUnicodeString.Length        = SymbolicLinkName.Length + NumberUnicodeString.Length;
    ExternalNameUnicodeString.MaximumLength = ExternalNameUnicodeString.Length + 2;
    ExternalNameUnicodeString.Buffer        = ( PWSTR )ExAllocatePoolWithTag
    (
        PagedPool,
        ExternalNameUnicodeString.MaximumLength,
        PRIVATETAG
    );
    if ( NULL == ExternalNameUnicodeString.Buffer )
    {
        ExFreePoolWithTag
        (
            NumberUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &NumberUnicodeString,
            sizeof( NumberUnicodeString )
        );
        KdPrint((  "ExAllocatePoolWithTag() for ExternalNameUnicodeString.Buffer failed/n" ));
        return;
    }
    /*
     * VOID RtlCopyUnicodeString
     * (
     *     IN OUT  PUNICODE_STRING DestinationString,
     *     IN      PUNICODE_STRING SourceString
     * );
     */
    RtlCopyUnicodeString
    (
        &ExternalNameUnicodeString,
        &SymbolicLinkName
    );
    status                                  = RtlAppendUnicodeStringToString
    (
        &ExternalNameUnicodeString,
        &NumberUnicodeString
    );
    /*
     * 已经不需要NumberUnicodeString.Buffer,趁早释放它。
     */
    ExFreePoolWithTag
    (
        NumberUnicodeString.Buffer,
        PRIVATETAG
    );
    RtlZeroMemory
    (
        &NumberUnicodeString,
        sizeof( NumberUnicodeString )
    );
    if ( !NT_SUCCESS( status ) )
    {
        ExFreePoolWithTag
        (
            ExternalNameUnicodeString.Buffer,
            PRIVATETAG
        );
        RtlZeroMemory
        (
            &ExternalNameUnicodeString,
            sizeof( ExternalNameUnicodeString )
        );
        KdPrint((  "RtlAppendUnicodeStringToString() failed/n" ));
        return;
    }
    ExternalNameUnicodeString.Buffer[ ExternalNameUnicodeString.Length / 2 ]
                                            = UNICODE_NULL;
    /*
     * NTSTATUS IoDeleteSymbolicLink
     * (
     *     IN  PUNICODE_STRING SymbolicLinkName
     * );
     */
    status                                  = IoDeleteSymbolicLink
    (
        &ExternalNameUnicodeString
    );
    /*
     * 已经不需要ExternalNameUnicodeString.Buffer
     */
    ExFreePoolWithTag
    (
        ExternalNameUnicodeString.Buffer,
        PRIVATETAG
    );
    RtlZeroMemory
    (
        &ExternalNameUnicodeString,
        sizeof( ExternalNameUnicodeString )
    );
    if ( !NT_SUCCESS( status ) )
    {
        KdPrint((  "IoDeleteSymbolicLink() failed/n" ));
        return;
    }
    /*
     * VOID IoDeleteDevice
     * (
     *     IN  PDEVICE_OBJECT  DeviceObject
     * );
     */
    IoDeleteDevice( DeviceObject );
    return;
}  /* end of LoDeleteDevice */

/*
* Handles call from Win32 CloseHandle request. For loopback driver, frees
* any buffer.
*/
static NTSTATUS LoDispatchClose
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
)
{
    /*
     * Dig out the Device Extension from the Device Object
     */
    PDEVICE_EXTENSION   DeviceExtension;

    KdPrint((  "Entering LoDispatchClose()/n" ));
    DeviceExtension             = ( PDEVICE_EXTENSION )DeviceObject->DeviceExtension;
    if ( DeviceExtension->DeviceBuffer )
    {
        ExFreePoolWithTag
        (
            DeviceExtension->DeviceBuffer,
            PRIVATETAG
        );
        DeviceExtension->DeviceBuffer       = NULL;
        DeviceExtension->DeviceBufferSize   = 0;
    }
    Irp->IoStatus.Status        = STATUS_SUCCESS;
    Irp->IoStatus.Information   = 0;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return( STATUS_SUCCESS );
}  /* end of LoDispatchClose */

/*
* Handles call from Win32 CreateFile request. For loopback driver, does
* nothing.
*/
static NTSTATUS LoDispatchCreate
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
)
{
    KdPrint((  "Entering LoDispatchCreate()/n" ));
    /*
     * 尽管IRP对于驱动是串行传输的,但是I/O管理器会并行使用IRP。一般而言,
     * Dispatch例程需要修改IRP中成员时,应该在栈上或设备扩展中建立一个副本。
     */
    Irp->IoStatus.Status        = STATUS_SUCCESS;
    /*
     * report that no bytes were transfered
     */
    Irp->IoStatus.Information   = 0;
    /*
     * VOID IoCompleteRequest
     * (
     *     IN  PIRP    Irp,
     *     IN  CCHAR   PriorityBoost
     * );
     *
     * IoCompleteRequest indicates the caller has completed all processing
     * for a given I/O request and is returning the given IRP to the I/O
     * Manager.
     *
     * PriorityBoost is IO_NO_INCREMENT if the original thread requested
     * an operation the driver could complete quickly or if the IRP is
     * completed with an error.
     *
     * Mark the IRP as "complete" - no further processing, no priority
     * increment.
     */
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    /*
     * 调用IoCompleteRequest()之后,I/O管理器可以从非分页池中释放IRP,因此
     * 不能出现return( Irp->IoStatus.Status )这样的代码。
     */
    return( STATUS_SUCCESS );
}  /* end of LoDispatchCreate */

/*
* Handles call from Win32 ReadFile request. For loopback driver, transfers
* pool buffer to user.
*/
static NTSTATUS LoDispatchRead
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
)
{
    PIO_STACK_LOCATION  IrpStackLocation;
    PDEVICE_EXTENSION   DeviceExtension;
    ULONG               TransferSize;
    PVOID               DestinationBuffer;

    KdPrint((  "Entering LoDispatchRead()/n" ));
    DeviceExtension                     = ( PDEVICE_EXTENSION )DeviceObject->DeviceExtension;
    /*
     * PIO_STACK_LOCATION IoGetCurrentIrpStackLocation
     * (
     *     IN  PIRP    Irp
     * );
     *
     * 假设从用户态到最终设备要经过Driver0、Driver1、Driver2,则IRP中头部
     * 之后顺序出现IrpStackLocation0、IrpStackLocation1、IrpStackLocation2。
     * 这是我的理解,不清楚是否正确。
     */
    IrpStackLocation                    = IoGetCurrentIrpStackLocation( Irp );
    TransferSize                        = IrpStackLocation->Parameters.Read.Length;
    /*
     * Irp->AssociatedIrp.SystemBuffer由I/O管理器在非分页池中分配获得,I/O
     * 管理器负责该缓冲区与用户态缓冲区之间的传输,Dispatch例程无需关心。
     */
    DestinationBuffer                   = Irp->AssociatedIrp.SystemBuffer;
    /*
     * Don't transfer more than the user's request
     */
    TransferSize                        =
    ( TransferSize < DeviceExtension->DeviceBufferSize ) ?
    TransferSize :
    DeviceExtension->DeviceBufferSize;
    /*
     * VOID RtlCopyMemory
     * (
     *     IN  VOID UNALIGNED         *Destination,
     *     IN  CONST VOID UNALIGNED   *Source,
     *     IN  SIZE_T                  Length
     * );
     *
     * DestinationBuffer是内核态地址,至于这批数据最终如何到达用户态,由
     * I/O管理器负责处理。
     */
    RtlCopyMemory
    (
        DestinationBuffer,
        DeviceExtension->DeviceBuffer,
        TransferSize
    );
    ExFreePoolWithTag
    (
        DeviceExtension->DeviceBuffer,
        PRIVATETAG
    );
    DeviceExtension->DeviceBuffer       = NULL;
    DeviceExtension->DeviceBufferSize   = 0;
    /*
     * Now complete the IRP
     */
    Irp->IoStatus.Status                = STATUS_SUCCESS;
    Irp->IoStatus.Information           = TransferSize;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return( STATUS_SUCCESS );
}  /* end of LoDispatchRead */

/*
* Handles call from Win32 WriteFile request. For loopback driver,
* allocates new pool buffer then transfers user data to pool buffer
*/
static NTSTATUS LoDispatchWrite
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
)
{
    NTSTATUS            status;
    PIO_STACK_LOCATION  IrpStackLocation;
    PDEVICE_EXTENSION   DeviceExtension;
    ULONG               TransferSize;
    PVOID               SourceBuffer;

    KdPrint((  "Entering LoDispatchWrite()/n" ));
    status                              = STATUS_SUCCESS;
    DeviceExtension                     = ( PDEVICE_EXTENSION )DeviceObject->DeviceExtension;
    IrpStackLocation                    = IoGetCurrentIrpStackLocation( Irp );
    TransferSize                        = IrpStackLocation->Parameters.Write.Length;
    SourceBuffer                        = Irp->AssociatedIrp.SystemBuffer;
    /*
     * free up any old buffer
     */
    if ( DeviceExtension->DeviceBuffer )
    {
        ExFreePoolWithTag
        (
            DeviceExtension->DeviceBuffer,
            PRIVATETAG
        );
        DeviceExtension->DeviceBuffer       = NULL;
        DeviceExtension->DeviceBufferSize   = 0;
    }
    DeviceExtension->DeviceBuffer       = ExAllocatePoolWithTag
    (
        PagedPool,
        TransferSize,
        PRIVATETAG
    );
    if ( NULL == DeviceExtension->DeviceBuffer )
    {
        TransferSize                        = 0;
        status                              = STATUS_INSUFFICIENT_RESOURCES;
    }
    else
    {
        DeviceExtension->DeviceBufferSize   = TransferSize;
        RtlCopyMemory
        (
            DeviceExtension->DeviceBuffer,
            SourceBuffer,
            TransferSize
        );
    }
    /*
     * Now complete the IRP
     */
    Irp->IoStatus.Status                = status;
    Irp->IoStatus.Information           = TransferSize;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return( status );
}  /* end of LoDispatchWrite */

static VOID LoDriverUnload
(
    IN  PDRIVER_OBJECT  DriverObject
)
{
    PDEVICE_OBJECT      NextDeviceObject;
    PDEVICE_EXTENSION   DeviceExtension;

    KdPrint((  "Entering LoDriverUnload()/n" ));
    /*
     * Loop through each device controlled by driver
     */
    NextDeviceObject    = DriverObject->DeviceObject;
    /*
     * 这是个单向非循环链表
     */
    while ( NextDeviceObject )
    {
        /*
         * Dig out the Device Extension from the Device Object
         */
        DeviceExtension     = ( PDEVICE_EXTENSION )NextDeviceObject->DeviceExtension;
        /*
         * Free up any buffer still held by this device
         */
        if ( DeviceExtension->DeviceBuffer )
        {
            ExFreePoolWithTag
            (
                DeviceExtension->DeviceBuffer,
                PRIVATETAG
            );
            DeviceExtension->DeviceBuffer       = NULL;
            DeviceExtension->DeviceBufferSize   = 0;
        }
        NextDeviceObject    = NextDeviceObject->NextDevice;
        LoDeleteDevice( DeviceExtension->DeviceObject );
    }  /* end of while */
    return;
}  /* end of LoDriverUnload */

/*
* DriverEntry is the first routine called after a driver is loaded, and
* is responsible for initializing the driver.
*
* you'll find a list of NTSTATUS status codes in the DDK header
* ntstatus.h (/WINDDK/2600.1106/inc/ddk/wxp/)
*/
NTSTATUS DriverEntry
(
    IN  PDRIVER_OBJECT  DriverObject,
    IN  PUNICODE_STRING RegistryPath
)
{
    NTSTATUS    status;

    /*
     * kernel-mode functions and the functions in your driver use the
     * __stdcall calling convention when compiled for an x86 computer.
     * This shouldn't affect any of your programming, but it's something
     * to bear in mind when you're debugging
     *
     * This routine has no effect if compiled in a free build environment.
     * You should compiled in a checked build environment.
     */
    KdPrint((  "Entering DriverEntry()/n" ));

    /*
     * If this driver controlled real hardware, code would be placed here
     * to locate it. Using IoReportDetectedDevice, the ports, IRQs, and
     * DMA channels would be "marked" as "in use" and under the control of
     * this driver. This Loopback driver has no HW, so...
     */

    /*
     * Announce other driver entry points
     */
    DriverObject->DriverUnload                  = LoDriverUnload;
    /*
     * This includes Dispatch routines for Create, Write & Read
     */
    DriverObject->MajorFunction[IRP_MJ_CREATE]  = LoDispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_READ  ]  = LoDispatchRead;
    DriverObject->MajorFunction[IRP_MJ_WRITE ]  = LoDispatchWrite;
    DriverObject->MajorFunction[IRP_MJ_CLOSE ]  = LoDispatchClose;
    /*
     * 参<<Programming the Microsoft Windows Driver Model, 2nd Ed>>第三章
     * 中"Error Handling"小节。
     *
     * Which Exceptions Can Be Trapped
     *
     * Gary Nebbett researched the question of which exceptions can be
     * trapped with the structured exception mechanism and reported his
     * results in a newsgroup post several years ago. In summary, the
     * following exceptions will be caught when they occur at IRQL less
     * than or equal to DISPATCH_LEVEL (note that some of these are
     * specific to the Intel x86 processor):
     *
     * a. Anything signaled by ExRaiseStatus and related functions
     * b. Attempt to dereference invalid pointer to user-mode memory
     * c. Debug or breakpoint exception
     * d. Integer overflow (INTO instruction)
     * e. Invalid opcode
     *
     * Note that a reference to an invalid kernel-mode pointer leads
     * directly to a bug check and can’t be trapped. Likewise, a
     * divide-by-zero exception or a BOUND instruction exception leads to
     * a bug check.
     *
     * 稳妥起见,还是使用SEH机制吧,尽量避免调试时重启。
     */
    __try
    {
        KdPrint((  "You should see this message [0]/n" ));
        /*
         * For each physical or logical device detected that will be under
         * this Driver's control, a new Device Object must be created.
         *
         * This call would be repeated until all devices are created.
         *
         * 我们这里只创建了一个设备对象
         */
        status  = LoCreateDevice
        (
            DriverObject,
            0
        );
        KdPrint((  "You should see this message [1]/n" ));
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )
    {
        KdPrint((  "__except{}/n" ));
        status  = STATUS_UNSUCCESSFUL;
    }
    KdPrint((  "Exiting DriverEntry()/n" ));
    return( status );
}  /* end of DriverEntry */

/************************************************************************/

--------------------------------------------------------------------------

loopback.c源自[2]中1至7章的内容,区别在于我采用纯C语言,抛弃了一个Unicode
相关的C++类。

下面是一些备忘记录:

1) KdPrint

调用KdPrint时应该指定两层圆括号,像这样:

KdPrint((  "Entering DriverEntry()/n" ));

这个宏只在调试版本中有意义,NTDDK.h中定义如下:

#if DBG
#define KdPrint(_x_) DbgPrint _x_
#else
#define KdPrint(_x_)
#endif

最开始我没注意这点,用Win XP Free Build Environment编译,结果死活看不到调
试信息输出。应该用Win XP Checked Build Environment编译。

2) 内部设备名、外部设备名

相关四个函数是IoCreateDevice、IoCreateSymbolicLink、IoDeleteSymbolicLink、
IoDeleteDevice。Win32 API要通用外部设备名访问设备。

一般内部设备号从0计,外部设备号从1计,比如:

/Device/LoopbackInternal0
/??/LoopbackExternal1

3) 池(Pool)

驱动编程中没有常规的malloc、free、new、delete可用,内核态的池就相当于用户
态的堆(Heap),操作函数换成了ExAllocatePoolWithTag、ExFreePoolWithTag等等。

池是有限的内核资源,不再使用时要趁早释放它。

DDK文档中指出,如果ExAllocatePool返回NULL,主调者应该返回
STATUS_INSUFFICIENT_RESOURCES。但是DDK文档中没有指出ExAllocatePoolWithTag
返回NULL时该如何,我只好类比一下,也返回STATUS_INSUFFICIENT_RESOURCES。不
知这里是否可以返回STATUS_NO_MEMORY。

4) CRT/RTL

用户态编程时所用的那些C运行时库函数统统不要想当然地用于内核态,在DDK文档中
查看Rtl*(),这是内核态正经可用的运行时库函数。由于没有wsprintf()可用,程序
中用了很变态的办法构造内部设备名、外部设备名。

5) Unload

假设驱动程序支持动态卸载,当I/O管理器调用DriverObject->DriverUnload时,该
函数"必须"完成正确的卸载相关动作,它不能在被调用之后选择拒绝卸载。一旦该函
数返回,驱动被无条件地卸载。如果该函数没有完成正确的卸载相关动作就返回了,
结果是灾难性的。参[1]中12章的"Dynamic Unloading"小节。

LoDriverUnload的返回值类型是VOID,与上述描述相符。有鉴于此,LoDeleteDevice
中虽然检查了各个函数的返回值,但只能简单输出调试信息,并无其它有意义的针对
性的动作,换句话说,此时只能祈祷不要出错。

6) UNICODE_STRING

驱动编程中大量使用UNICODE_STRING结构,其成员Length不包括结尾的NUL字符(如果
有的话)。

7) 设备扩展

设备扩展的内存空间是由IoCreateDevice给予的,由IoDeleteDevice释放,不要调用
其它函数释放设备扩展。

设备扩展与设备对像都位于非分页池中。参[1]中9章"Device Objects"小节。

8) IRP

尽管IRP对于驱动是串行传输的,但是I/O管理器会并行使用IRP。一般而言,
Dispatch例程需要修改IRP中成员时,应该在栈上或设备扩展中建立一个副本。

假设从用户态到最终设备要经过Driver0、Driver1、Driver2,则IRP中头部之后顺序
出现IrpStackLocation0、IrpStackLocation1、IrpStackLocation2。这是我的理解,
不清楚是否正确。在[7]中3.6.2小节有一个示意图,印证了我的理解。

Irp->AssociatedIrp.SystemBuffer由I/O管理器在非分页池中分配获得,I/O管理器
负责该缓冲区与用户态缓冲区之间的传输,Dispatch例程无需关心。

9) IoCompleteRequest

调用IoCompleteRequest()之后,I/O管理器可以从非分页池中释放IRP,因此不能出
现这样的代码:

--------------------------------------------------------------------------
static NTSTATUS LoDispatchCreate
(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
)
{
    Irp->IoStatus.Status        = STATUS_SUCCESS;
    Irp->IoStatus.Information   = 0;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    /*
     * Error!!!
     */
    return( Irp->IoStatus.Status )
}  /* end of LoDispatchCreate */
--------------------------------------------------------------------------

10) DRIVER_OBJECT/DEVICE_OBJECT

DRIVER_OBJECT中DeviceObject成员对应一条单向非循环链表,结点由DEVICE_OBJECT
组成。KMD动态卸载时需要遍历该链表:

--------------------------------------------------------------------------
static VOID LoDriverUnload
(
    IN  PDRIVER_OBJECT  DriverObject
)
{
    PDEVICE_OBJECT      NextDeviceObject;
    ... ...

    NextDeviceObject    = DriverObject->DeviceObject;
    while ( NextDeviceObject )
    {
        ... ...
        NextDeviceObject    = NextDeviceObject->NextDevice;
        ... ...
    }  /* end of while */
    return;
}  /* end of LoDriverUnload */
--------------------------------------------------------------------------

11) 内核态的结构化异常处理

参[3]中第三章"Error Handling"小节。这段我原文照录:

--------------------------------------------------------------------------
Which Exceptions Can Be Trapped

Gary Nebbett researched the question of which exceptions can be trapped
with the structured exception mechanism and reported his results in a
newsgroup post several years ago. In summary, the following exceptions
will be caught when they occur at IRQL less than or equal to
DISPATCH_LEVEL (note that some of these are specific to the Intel x86
processor):

a. Anything signaled by ExRaiseStatus and related functions
b. Attempt to dereference invalid pointer to user-mode memory
c. Debug or breakpoint exception
d. Integer overflow (INTO instruction)
e. Invalid opcode

Note that a reference to an invalid kernel-mode pointer leads directly to
a bug check and can’t be trapped. Likewise, a divide-by-zero exception or
a BOUND instruction exception leads to a bug check.
--------------------------------------------------------------------------

引用一个无效的内核态地址,直接导致KeBugCheck/KeBugCheckEx,无法利用SEH机制
挽救,这与用户态不同。

12) 丢弃初始化例程、控制驱动程序分页

参看[2]中5.2.6、5.2.7小节。INIT、PAGE应该是大小写敏感的,可我居然看到过
init、page,不清楚怎么回事,稳妥起见还是用INIT、PAGE算了。

--------------------------------------------------------------------------
#ifdef ALLOC_PRAGMA

#pragma alloc_text( INIT, LoCreateDevice    )
#pragma alloc_text( PAGE, LoDeleteDevice    )
#pragma alloc_text( PAGE, LoDispatchClose   )
#pragma alloc_text( PAGE, LoDispatchCreate  )
#pragma alloc_text( PAGE, LoDispatchRead    )
#pragma alloc_text( PAGE, LoDispatchWrite   )
#pragma alloc_text( PAGE, LoDriverUnload    )
#pragma alloc_text( INIT, DriverEntry       )

#endif
--------------------------------------------------------------------------

☆ 编写dirs文件

与用户空间编程不同,只有loopback.c不足以方便地产生loopback.sys,一般还需要
三个辅助文件:

dirs、sources、makefile

DDK文档"Running the Build Utility"小节对此有详细解释。build根据dirs文件遍
历目录树,在子目录中发现dirs时继续遍历,发现sources时build开始为调用nmake
做准备。nmake使用makefile,最终调用cl进行真正的编译。

假设将来目录/文件布局如下:

loopback/ --+-- dirs
            |
            +-- code/ --+-- loopback.c
                        |
                        +-- sources
                        |
                        +-- makefile


这里只列举了手工创建的目录/文件,不包括编译过程产生的目录/文件。

此时dirs文件内容很简单,就一行:

--------------------------------------------------------------------------
DIRS=code
--------------------------------------------------------------------------

☆ 编写sources文件

--------------------------------------------------------------------------
#
# Use the TARGETNAME macro to specify the name of the library to be built.
# Do not include the file name extension
#
TARGETNAME=loopback

#
# All build products (such as .exe, .dll, and .lib files) will be placed
# in this directory
#
# BUILD_ALT_DIR的值会被追加在TARGETPATH之后,如果你嫌BUILD_ALT_DIR太碍眼,
# 可以删除该环境变量。
#
TARGETPATH=obj

#
# Use the TARGETTYPE macro to specify the type of product being built.
# TARGETTYPE gives the Build utility clues about some of the input files
# that it should expect. You must include this macro in your sources file.
#
TARGETTYPE=DRIVER

#
# Use the USE_PDB macro if your debug symbolic files will use a VC4 PDB.
# This is the default in the Windows XP build environment.
#
USE_PDB=1

#
# Use the INCLUDES macro to indicate the location of the headers to be
# included in your build
#
INCLUDES=

#
# Use the MSC_WARNING_LEVEL macro to set the warning level to use on the
# compiler. The default is /W3.
#
# After your code builds without errors, you might want to change
# MSC_WARNING_LEVEL to /W3 /WX. Setting this value causes warnings to show
# as errors.
#
MSC_WARNING_LEVEL=-W3 -WX

#
# The SOURCES macro specifies the files to be compiled. The SOURCES macro
# is required by the Build utility. This macro must be placed in your
# sources file. All files specified by this macro must reside in the
# directory containing the sources file.
#
SOURCES=loopback.c
--------------------------------------------------------------------------

假设进入了"Win XP Checked Build Environment":

J:/source/driver/loopback> set BUILD_ALT_DIR
BUILD_ALT_DIR=chk_wxp_x86
J:/source/driver/loopback> build -cZ -x86
J:/source/driver/loopback> tree /f /a
loopback
|   buildchk_wxp_x86.log
|   dirs
|
/---code
    |   loopback.c
    |   loopback.inf
    |   makefile
    |   sources
    |
    /---objchk_wxp_x86
        |   _objects.mac
        |
        /---i386
                loopback.obj
                loopback.pdb
                loopback.sys

☆ 编写makefile文件

--------------------------------------------------------------------------
!INCLUDE $(NTMAKEENV)/makefile.def
--------------------------------------------------------------------------

J:/source/driver/loopback> set NTMAKEENV
NTMAKEENV=J:/WINDDK/2600~1.110/bin

☆ 编译产生loopback.sys文件

在dirs文件所在目录里执行"build -cZ -x86":

J:/source/driver/loopback> build -cZ -x86
BUILD: Adding /Y to COPYCMD so xcopy ops won't hang.
BUILD: Object root set to: ==> objchk_wxp_x86
BUILD: Compile and Link for i386
BUILD: Examining j:/source/driver/loopback directory tree for files to compile.
BUILD: Compiling j:/source/driver/loopback/code directory
Compiling - code/loopback.c for i386
BUILD: Linking j:/source/driver/loopback/code directory
Linking Executable - code/objchk_wxp_x86/i386/loopback.sys for i386
BUILD: Done

    2 files compiled
    1 executable built

☆ 编写loopback.inf文件

; ------------------------------------------------------------------------

;
; Copyright to satisfy the CHKINF utility
;

[Version]
Signature           = "$Windows NT$"
Class               = %ClassName%
;
; For a new device setup class, the INF must specify a newly generated
; ClassGuid value
;
; 用/WINDDK/2600.1106/tools/other/i386/guidgen.exe生成的是
; {5675F8A0-FB7C-40cf-BA53-9233A183BD7E},中间两个字母是小写,不清楚为什么,
; 我换成全大写了。
;
ClassGuid           = {5675F8A0-FB7C-40CF-BA53-9233A183BD7E}
Provider            = %INFCreator%
DriverVer           = 07/06/2004,1.00.1993.9

; ------------------------------------------------------------------------

[ClassInstall32.ntx86]
AddReg              = ClassInstall32Reg

[ClassInstall32Reg]
HKR,,,,%ClassName%

; ------------------------------------------------------------------------

[Manufacturer]
%INFCreator%        = LoopbackSection

; ------------------------------------------------------------------------

[LoopbackSection]
%DESCRIPTION%       = DDInstall,*LOOPBACKDRIVER1993

; ------------------------------------------------------------------------

[SourceDisksNames.x86]
1                   = %DiskDescription%,,,

[SourceDisksFiles.x86]
loopback.sys        = 1

[DestinationDirs]
DefaultDestDir      = 10,system32/drivers
FileList            = 10,system32/drivers

; ------------------------------------------------------------------------

[DDInstall.ntx86]
Copyfiles           = FileList

[FileList]
loopback.sys,,,0x00000002

; ------------------------------------------------------------------------

[DDInstall.ntx86.Services]
AddService          = Loopback,0x00000002,ServiceInstall

[ServiceInstall]
DisplayName         = %FriendlyName%                   ; friendly name
ServiceType         = 0x00000001                       ; SERVICE_KERNEL_DRIVER
StartType           = 0x3                              ; SERVICE_DEMAND_START
ErrorControl        = 0x1                              ; SERVICE_ERROR_NORMAL
ServiceBinary       = %10%/system32/drivers/loopback.sys

; ------------------------------------------------------------------------

[DDInstall.ntx86.LOOPBACK]
AddReg              = DDInstallRegLOOPBACK

[DDInstallRegLOOPBACK]
HKR,,LoopbackInfo,,%DESCRIPTION%

; ------------------------------------------------------------------------

[Strings]
ClassName           = "LoopbackClass"
INFCreator          = "The Loopback Software"
DESCRIPTION         = "The Loopback Driver"
DiskDescription     = "The Loopback Software Disk"
FriendlyName        = "Loopback"

; ------------------------------------------------------------------------

如果安装loopback.inf文件时出了问题,请先查看%systemroot%/setupapi.log。更
多关于INF文件的讨论参看<<MSDN系列(2)--学习写一个Hello World驱动>>。

☆ 安装loopback.inf文件

->控制面板
->添加硬件(或者直接在cmd中运行hdwwiz.cpl)
->是,硬件已联接好
->添加新的硬件设备
->安装我手动从列表选择的硬件(高级)
->显示所有设备
->从磁盘安装
->完成

hello.c最后故意失败返回,安装虽然完成,但加载驱动必然失败。在设备管理器中(
直接在cmd中运行devmgmt.msc)可以看到黄色惊叹号,表示无法成功加载驱动程序。
但loopback.sys不同,可以成功加载,设备管理器中无异常。

这次安装过程导致如下一些结果:

1)

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}]
"Class"="LoopbackClass"
@="LoopbackClass"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}/0000]
"InfPath"="oem8.inf"
"InfSection"="DDInstall"
"InfSectionExt"=".NTx86"
"ProviderName"="The Loopback Software"
"DriverDateData"=hex:00,40,31,2e,ec,62,c4,01
"DriverDate"="7-6-2004"
"DriverVersion"="1.0.1993.9"
"MatchingDeviceId"="*loopbackdriver1993"
"DriverDesc"="The Loopback Driver"
--------------------------------------------------------------------------

2)

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/UNKNOWN/0000]
"ClassGUID"="{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}"
"ConfigFlags"=dword:00000004
"Driver"="{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}//0000"
"Class"="LoopbackClass"
"Mfg"="The Loopback Software"
"HardwareID"=hex(7):2a,00,6c,00,6f,00,6f,00,70,00,62,00,61,00,63,00,6b,00,64,/
  00,72,00,69,00,76,00,65,00,72,00,31,00,39,00,39,00,33,00,00,00,00,00
"Service"="Loopback"
"DeviceDesc"="The Loopback Driver"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/UNKNOWN/0000/LogConf]

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/UNKNOWN/0000/Control]
"ActiveService"="Loopback"
--------------------------------------------------------------------------

3)

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,/
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6c,00,6f,00,6f,00,70,00,62,00,61,/
  00,63,00,6b,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Loopback"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback/Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,/
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,/
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,/
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,/
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,/
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,/
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback/Enum]
"0"="ROOT//UNKNOWN//0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
--------------------------------------------------------------------------

安装loopback.inf文件之后,无论是否重启,注册表中都只有这三处与loopback.sys
相关。

4)

复制loopback.sys到%systemroot%/system32/drivers/目录下。查看setupapi.log文
件:

--------------------------------------------------------------------------
[2004/07/09 14:31:09 1592.430]
#-198 处理的命令行: "X:/WINDOWS/system32/rundll32.exe" shell32.dll,Control_RunDLL "X:/WINDOWS/System32/hdwwiz.cpl",添加硬件
#I140 正在安装设备类别: "LoopbackClass" {5675F8A0-FB7C-40CF-BA53-9233A183BD7E}。
#I141 类别安装已结束,没有出错。
[2004/07/09 14:30:20 1592.427 Driver Install]
#-198 处理的命令行: "X:/WINDOWS/system32/rundll32.exe" shell32.dll,Control_RunDLL "X:/WINDOWS/System32/hdwwiz.cpl",添加硬件
#I393 更改过的 INF 缓存 "X:/WINDOWS/inf/INFCACHE.1"。
#-124 正在做“仅复制”安装 "ROOT/UNKNOWN/0000"。
#E360 驱动程序 "The Loopback Driver" 的一个未经过签署或签署不正确的文件 "x:/loopback.inf" 将得到安装(策略=忽略)。 错误 0xe000022f: 第三方 INF 不包含数字签名信息。
#W187 安装失败,试图还原源文件。
#E360 驱动程序 "The Loopback Driver" 的一个未经过签署或签署不正确的文件 "x:/loopback.inf" 将得到安装(策略=忽略)。 错误 0xe000022f: 第三方 INF 不包含数字签名信息。
#-024 正在将文件 "c:/onlytemp/loopback.sys" 复制到 "X:/WINDOWS/system32/drivers/loopback.sys"。
#E360 驱动程序 "The Loopback Driver" 的一个未经过签署或签署不正确的文件 "x:/loopback.inf" 将得到安装(策略=忽略)。 错误 0xe000022f: 第三方 INF 不包含数字签名信息。
#-166 设备安装函数: DIF_REGISTER_COINSTALLERS。
#I056 注册了共同安装程序。
#-166 设备安装函数: DIF_INSTALLINTERFACES。
#-011 正在从 "x:/loopback.inf" 安装段 [DDInstall.NTx86.Interfaces]。
#I054 安装接口。
#-166 设备安装函数: DIF_INSTALLDEVICE。
#I123 进行 "ROOT/UNKNOWN/0000" 的完整安装。
#E360 驱动程序 "The Loopback Driver" 的一个未经过签署或签署不正确的文件 "x:/loopback.inf" 将得到安装(策略=忽略)。 错误 0xe000022f: 第三方 INF 不包含数字签名信息。
#I121 "ROOT/UNKNOWN/0000" 的设备安装成功完成。
--------------------------------------------------------------------------

不要在资源管理器中右键选中loopback.inf,点击菜单里的"安装/Install"。

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet只是到ControlSet<nnn>的符号链接,
HKEY_LOCAL_MACHINE/SYSTEM/Select用于具体确定是到谁的符号链接。启动时F8菜单
有一个选项对应最近一次成功引导所用设置,就是由LastKnownGood决定的。参看[4]
的5.2.6小节。

☆ 卸载loopback.sys及相关设置

1)

完全手工卸载,从注册表中删除前述三处内容,从drivers中删除loopback.sys。

2)

执行"sc delete Loopback":

> sc delete Loopback
[SC] DeleteService SUCCESS

此时设备管理器中仍有相应显示,"重启后"注册表中还有如下内容,需要手工删除。

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}]
"Class"="LoopbackClass"
@="LoopbackClass"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}/0000]
"InfPath"="oem8.inf"
"InfSection"="DDInstall"
"InfSectionExt"=".NTx86"
"ProviderName"="The Loopback Software"
"DriverDateData"=hex:00,40,31,2e,ec,62,c4,01
"DriverDate"="7-6-2004"
"DriverVersion"="1.0.1993.9"
"MatchingDeviceId"="*loopbackdriver1993"
"DriverDesc"="The Loopback Driver"
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/UNKNOWN/0000]
"ClassGUID"="{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}"
"ConfigFlags"=dword:00000004
"Driver"="{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}//0000"
"Class"="LoopbackClass"
"Mfg"="The Loopback Software"
"HardwareID"=hex(7):2a,00,6c,00,6f,00,6f,00,70,00,62,00,61,00,63,00,6b,00,64,/
  00,72,00,69,00,76,00,65,00,72,00,31,00,39,00,39,00,33,00,00,00,00,00
"Service"="Loopback"
"DeviceDesc"="The Loopback Driver"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/UNKNOWN/0000/LogConf]

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/UNKNOWN/0000/Control]
--------------------------------------------------------------------------

drivers/loopback.sys也未删除,需要手工删除。对比卸载hello.sys时的情形,区
别较大,不过当时hello.sys加载失败,这回loopback.sys加载成功。

"sc delete"只处理了"Services/Loopback"子键!

3)

通过设备管理器(devmgmt.msc)卸载,系统提示重启,之后注册表中还有如下内容,
需要手工删除。

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{5675F8A0-FB7C-40CF-BA53-9233A183BD7E}]
"Class"="LoopbackClass"
@="LoopbackClass"
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,/
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6c,00,6f,00,6f,00,70,00,62,00,61,/
  00,63,00,6b,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Loopback"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback/Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,/
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,/
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,/
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,/
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,/
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,/
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
--------------------------------------------------------------------------

> del %systemroot%/system32/drivers/loopback.sys

☆ installdriver.c

通过INF文件安装loopback.sys之后,有很多不爽的事情。

> drivers.exe | find "loopback"
loopback.sys     128       0       0    1536    1920  Fri Jul 09 13:10:00 2004

执行上述命令确认loopback.sys已经成功加载。但是不能动态卸载:

> net stop Loopback
The requested pause or stop is not valid for this service.
> net start Loopback
The requested service has already been started.

在devmgmt.msc中对"The Loopback Driver"选择停用、启用、卸载均提示要重启才行,
显然这与我初始愿望相违背。最终从设备管理器中卸载了"The Loopback Driver",
重启后从注册表中删除残留内容,手工删除drivers/loopback.sys文件,恢复到初始
状态。

参<<MSDN系列(8)--学习写一个Hello World服务(Service)>>。installservice.c用
于安装loopback.sys再好不过,不过得作一处小改动,上次是针对服务,这次是针对
驱动。

--------------------------------------------------------------------------
/*
* Version  : 1.02
* Compile  : For x86/EWindows XP SP1 & VC 7
*          : cl installdriver.c /nologo /Os /G6 /Gz /Gs65536 /W3 /WX /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /link /RELEASE
*          :
* Create   : 2003-12-08 16:47
* Modify   : 2004-07-09 17:33
*/

/************************************************************************
*                                                                      *
*                               Head File                              *
*                                                                      *
************************************************************************/

/*
* #define _WIN32_WINNT 0x0501
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/************************************************************************
*                                                                      *
*                               Macro                                  *
*                                                                      *
************************************************************************/

#pragma comment( linker, "/INCREMENTAL:NO"    )
#pragma comment( linker, "/subsystem:console" )
#pragma comment( lib,    "kernel32.lib"       )
#pragma comment( lib,    "advapi32.lib"       )

#define VERSION "1.00"

/************************************************************************
*                                                                      *
*                            Function Prototype                        *
*                                                                      *
************************************************************************/

static void PrintWin32ErrorCLI
(
    char   *message,
    DWORD   dwMessageId
);
static void usage
(
    char   *arg
);

/************************************************************************
*                                                                      *
*                            Static Global Var                         *
*                                                                      *
************************************************************************/

/************************************************************************/

static void PrintWin32ErrorCLI ( char *message, DWORD dwMessageId )
{
    char   *errMsg;

    FormatMessage
    (
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        dwMessageId,
        MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
        ( LPTSTR )&errMsg,
        0,
        NULL
    );
    fprintf( stderr, "%s: %s", message, errMsg );
    LocalFree( errMsg );
    return;
}  /* end of PrintWin32ErrorCLI */

static void usage ( char *arg )
{
    fprintf
    (
        stderr,
        "Usage: %s [-h] [-v] [-t target] [-s servicename] [-d displayname] [-c cmdline]/n",
        arg
    );
    exit( EXIT_FAILURE );
}  /* end of usage */

int __cdecl main ( int argc, char * argv[] )
{
    SC_HANDLE       scm         = ( SC_HANDLE )NULL,
                    sc_handle   = ( SC_HANDLE )NULL;
    unsigned char  *target      = NULL,
                   *servicename = NULL,
                   *displayname = NULL,
                   *cmdline     = NULL;
    int             c,
                    ret         = EXIT_FAILURE;

    if ( 1 == argc )
    {
        usage( argv[0] );
    }
    /*
     * 从argv[1]开始循环处理命令行参数
     */
    for ( c = 1; c < argc; c++ )
    {
        /*
         * 同时支持-和/两种引入命令行参数的方式
         */
        if ( ( ( argv[c][0] != '-' ) && ( argv[c][0] != '/' ) ) || ( strlen( argv[c] ) < 2 ) )
        {
            usage( argv[0] );
        }
        else
        {
            /*
             * 在这个字节上,大小写不敏感
             */
            switch ( tolower( argv[c][1] ) )
            {
            case 'c':
                if ( ( c + 1 ) >= argc )
                {
                    usage( argv[0] );
                }
                cmdline     = argv[++c];
                break;
            case 'd':
                if ( ( c + 1 ) >= argc )
                {
                    usage( argv[0] );
                }
                displayname = argv[++c];
                break;
            case 's':
                if ( ( c + 1 ) >= argc )
                {
                    usage( argv[0] );
                }
                servicename = argv[++c];
                break;
            case 't':
                if ( ( c + 1 ) >= argc )
                {
                    usage( argv[0] );
                }
                target      = argv[++c];
                break;
            case 'v':
                fprintf( stderr, "%s ver "VERSION"/n", argv[0] );
                return( EXIT_SUCCESS );
            case 'h':
            case '?':
            default:
                usage( argv[0] );
                break;
            }  /* end of switch */
        }
    }  /* end of for */
    /*
     * 检查参数有效性
     */
    if ( NULL == servicename )
    {
        fprintf( stderr, "Checking your [-s servicename]/n" );
        return( EXIT_FAILURE );
    }
    if ( NULL == displayname )
    {
        fprintf( stderr, "Checking your [-d displayname]/n" );
        return( EXIT_FAILURE );
    }
    if ( NULL == cmdline )
    {
        fprintf( stderr, "Checking your [-c cmdline]/n" );
        return( EXIT_FAILURE );
    }
    /*
     * Header : Declared in Winsvc.h; include Windows.h.
     * Library: Use Advapi32.lib.
     *
     * SC_HANDLE OpenSCManager
     * (
     *     LPCTSTR lpMachineName,      // computer name
     *     LPCTSTR lpDatabaseName,     // SCM database name
     *     DWORD   dwDesiredAccess     // access type
     * );
     *
     * 第一形参可以用target,也可用//<target>。还应该尝试unicodeserver。
     */
    scm         = OpenSCManager
    (
        target,
        SERVICES_ACTIVE_DATABASE,
        SC_MANAGER_CREATE_SERVICE
    );
    if ( NULL == scm )
    {
        PrintWin32ErrorCLI( "OpenSCManager() failed", GetLastError() );
        goto main_exit;
    }
    /*
     * SC_HANDLE CreateService
     * (
     *     SC_HANDLE   hSCManager,         // handle to SCM database
     *     LPCTSTR     lpServiceName,      // name of service to start
     *     LPCTSTR     lpDisplayName,      // display name
     *     DWORD       dwDesiredAccess,    // type of access to service
     *     DWORD       dwServiceType,      // type of service
     *     DWORD       dwStartType,        // when to start service
     *     DWORD       dwErrorControl,     // severity of service failure
     *     LPCTSTR     lpBinaryPathName,   // name of binary file
     *     LPCTSTR     lpLoadOrderGroup,   // name of load ordering group
     *     LPDWORD     lpdwTagId,          // tag identifier
     *     LPCTSTR     lpDependencies,     // array of dependency names
     *     LPCTSTR     lpServiceStartName, // account name
     *     LPCTSTR     lpPassword          // account password
     * );
     */
    sc_handle   = CreateService
    (
        scm,
        servicename,
        displayname,
        SERVICE_ALL_ACCESS,
        SERVICE_KERNEL_DRIVER,
        SERVICE_DEMAND_START,
        SERVICE_ERROR_NORMAL,
        cmdline,
        NULL,
        NULL,
        NULL,
        NULL,
        NULL
    );
    if ( NULL == sc_handle )
    {
        PrintWin32ErrorCLI( "CreateService() failed", GetLastError() );
        goto main_exit;
    }
    ret         = EXIT_SUCCESS;

main_exit:

    if ( NULL != sc_handle )
    {
        CloseServiceHandle( sc_handle );
        sc_handle = ( SC_HANDLE )NULL;
    }
    if ( NULL != scm )
    {
        CloseServiceHandle( scm );
        scm = ( SC_HANDLE )NULL;
    }
    return( ret );
}  /* end of main */

/************************************************************************/

--------------------------------------------------------------------------

参看<<MSDN系列(8)--学习写一个Hello World服务(Service)>>了解更多讨论。这次
在本地使用installdriver.exe,注意要指定loopback.sys的绝对路径,观察注册表
中ImagePath键值的数据,一般是system32/drivers/loopback.sys。

> installdriver.exe -s Loopback -d Loopback -c <Absolute Path>/loopback.sys
> net start Loopback
The Loopback service was started successfully.
> drivers.exe | findstr /I loopback
loopback.sys       0       0       0       0       0

此时注册表中新增了两处内容:

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_LOOPBACK]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_LOOPBACK/0000]
"Service"="Loopback"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Loopback"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_LOOPBACK/0000/Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="Loopback"
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,63,00,3a,00,5c,00,6f,00,6e,00,6c,00,/
  79,00,74,00,65,00,6d,00,70,00,5c,00,6c,00,6f,00,6f,00,70,00,62,00,61,00,63,/
  00,6b,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Loopback"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback/Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,/
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,/
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,/
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,/
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,/
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,/
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Loopback/Enum]
"0"="Root//LEGACY_LOOPBACK//0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
--------------------------------------------------------------------------

ImagePath键值的数据现在是"/??/c:/onlytemp/loopback.sys"。

另有一处一直存在非新增但相关的内容:

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{8ECC055D-047F-11D1-A537-0000F8753ED1}]
"Class"="LegacyDriver"
@="Non-Plug and Play Drivers"
"NoDisplayClass"="1"
"SilentInstall"="1"
"NoInstallClass"="1"
"EnumPropPages32"="SysSetup.Dll,LegacyDriverPropPageProvider"
"Icon"="-19"

[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{8ECC055D-047F-11D1-A537-0000F8753ED1}/0000]
--------------------------------------------------------------------------

> net stop Loopback
The Loopback service was stopped successfully.
> sc delete Loopback
[SC] DeleteService SUCCESS

这样省事得多,不过前面的loopback.inf文件还是保留备忘,那是WDM驱动正宗安装
方案,我们这次是KMD。

☆ 察看KdPrint输出

启动DebugView([5]),在Capture菜单里勾中Capture kernel、Pass-Through、
Capture Events即可,扔到一边别理它。

也可以启动DriverStudio所带DriverMonitor。

☆ loopbacktest.c

--------------------------------------------------------------------------
/*
* For x86/EWindows XP SP1 & VC 7
* cl loopbacktest.c /nologo /Os /G6 /Gz /Gs65536 /W3 /WX /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /link /RELEASE
*/

/************************************************************************
*                                                                      *
*                               Head File                              *
*                                                                      *
************************************************************************/

/*
* #define _WIN32_WINNT 0x0501
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/************************************************************************
*                                                                      *
*                               Macro                                  *
*                                                                      *
************************************************************************/

#pragma comment( linker, "/INCREMENTAL:NO"    )
#pragma comment( linker, "/subsystem:console" )

#define VERSION         "1.00"
#define DEFAULTMESSAGE  "LOOPBACK"
#define EXTERNALNAME    "////.//LoopbackExternal1"

/************************************************************************
*                                                                      *
*                            Function Prototype                        *
*                                                                      *
************************************************************************/

static void PrintWin32ErrorCLI
(
    char   *message,
    DWORD   dwMessageId
);
static void usage
(
    char   *arg
);

/************************************************************************
*                                                                      *
*                            Static Global Var                         *
*                                                                      *
************************************************************************/

/************************************************************************/

static void PrintWin32ErrorCLI ( char *message, DWORD dwMessageId )
{
    char   *errMsg;

    FormatMessage
    (
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        dwMessageId,
        MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
        ( LPTSTR )&errMsg,
        0,
        NULL
    );
    fprintf( stderr, "%s: %s", message, errMsg );
    LocalFree( errMsg );
    return;
}  /* end of PrintWin32ErrorCLI */

static void usage ( char *arg )
{
    fprintf
    (
        stderr,
        "Usage: %s [-h] [-v] [-m message]/n",
        arg
    );
    exit( EXIT_FAILURE );
}  /* end of usage */

int __cdecl main ( int argc, char * argv[] )
{
    unsigned char  *message = DEFAULTMESSAGE;
    unsigned int    length;
    unsigned char  *buf     = NULL;
    int             c,
                    ret     = EXIT_FAILURE;
    HANDLE          Device  = INVALID_HANDLE_VALUE;
    DWORD           NumberOfBytes;

#if 0
    if ( 1 == argc )
    {
        usage( argv[0] );
    }
#endif
    /*
     * 从argv[1]开始循环处理命令行参数
     */
    for ( c = 1; c < argc; c++ )
    {
        /*
         * 同时支持-和/两种引入命令行参数的方式
         */
        if ( ( ( argv[c][0] != '-' ) && ( argv[c][0] != '/' ) ) || ( strlen( argv[c] ) < 2 ) )
        {
            usage( argv[0] );
        }
        else
        {
            /*
             * 在这个字节上,大小写不敏感
             */
            switch ( tolower( argv[c][1] ) )
            {
            case 'm':
                if ( ( c + 1 ) >= argc )
                {
                    usage( argv[0] );
                }
                message = argv[++c];
                break;
            case 'v':
                fprintf( stderr, "%s ver "VERSION"/n", argv[0] );
                return( EXIT_SUCCESS );
            case 'h':
            case '?':
            default:
                usage( argv[0] );
                break;
            }  /* end of switch */
        }
    }  /* end of for */
    /*
     * HANDLE CreateFile
     * (
     *     LPCTSTR                 lpFileName,             // file name
     *     DWORD                   dwDesiredAccess,        // access mode
     *     DWORD                   dwShareMode,            // share mode
     *     LPSECURITY_ATTRIBUTES   lpSecurityAttributes,   // SD
     *     DWORD                   dwCreationDisposition,  // how to create
     *     DWORD                   dwFlagsAndAttributes,   // file attributes
     *     HANDLE                  hTemplateFile           // handle to template file
     * );
     *
     * If the function fails, the return value is INVALID_HANDLE_VALUE. To
     * get extended error information, call GetLastError.
     */
    Device  = CreateFile
    (
        EXTERNALNAME,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,           // If lpSecurityAttributes is NULL, the handle cannot be inherited
        OPEN_EXISTING,  // The function fails if the file does not exist
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if ( INVALID_HANDLE_VALUE == Device )
    {
        PrintWin32ErrorCLI( "CreateFile() failed", GetLastError() );
        goto main_exit;
    }
    length  = strlen( message ) + 1;
    /*
     * BOOL WriteFile
     * (
     *     HANDLE          hFile,                  // handle to file
     *     LPCVOID         lpBuffer,               // data buffer
     *     DWORD           nNumberOfBytesToWrite,  // number of bytes to write
     *     LPDWORD         lpNumberOfBytesWritten, // number of bytes written
     *     LPOVERLAPPED    lpOverlapped            // overlapped buffer
     * );
     */
    if
    (
        FALSE == WriteFile
        (
            Device,
            message,
            length,
            &NumberOfBytes,
            NULL
        )
    )
    {
        PrintWin32ErrorCLI( "WriteFile() failed", GetLastError() );
        goto main_exit;
    }
    /*
     * 分配缓冲区
     *
     * HANDLE GetProcessHeap ( VOID );
     *
     * The handle obtained by calling this function should not be used in
     * calls to the HeapDestroy function.
     *
     * Header : Declared in Winnls.h; include Windows.h.
     * Library: Use Kernel32.lib.
     *
     * LPVOID HeapAlloc
     * (
     *     HANDLE hHeap,    // handle to private heap block
     *     DWORD  dwFlags,  // heap allocation control
     *     SIZE_T dwBytes   // number of bytes to allocate
     * );
     *
     * If the function fails, it does not call SetLastError. An
     * application cannot call GetLastError for extended error information.
     */
    buf     = ( unsigned char * )HeapAlloc
    (
        GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        length
    );
    if ( NULL == buf )
    {
        PrintWin32ErrorCLI( "HeapAlloc() failed for buf", ERROR_NOT_ENOUGH_MEMORY );
        goto main_exit;
    }
    /*
     * BOOL ReadFile
     * (
     *     HANDLE       hFile,                 // handle to file
     *     LPVOID       lpBuffer,              // data buffer
     *     DWORD        nNumberOfBytesToRead,  // number of bytes to read
     *     LPDWORD      lpNumberOfBytesRead,   // number of bytes read
     *     LPOVERLAPPED lpOverlapped           // overlapped buffer
     * );
     */
    if
    (
        FALSE == ReadFile
        (
            Device,
            buf,
            length,
            &NumberOfBytes,
            NULL
        )
    )
    {
        PrintWin32ErrorCLI( "ReadFile() failed", GetLastError() );
        goto main_exit;
    }
    if ( length == NumberOfBytes )
    {
        printf( "[%s]/n", buf );
    }
    ret     = EXIT_SUCCESS;

main_exit:

    if ( NULL != buf )
    {
        HeapFree( GetProcessHeap(), 0, buf );
        buf     = NULL;
    }
    if ( INVALID_HANDLE_VALUE != Device )
    {
        CloseHandle( Device );
        Device  = INVALID_HANDLE_VALUE;
    }
    return( ret );
}  /* end of main */

/************************************************************************/

--------------------------------------------------------------------------

> loopbacktest.exe -m "NSFOCUS"
[NSFOCUS]

☆ 用SoftICE对loopback.sys进行源码级调试

下述步骤是充分非必要的,换句话说,我是这样做的,并且成功了,但不是必须这样
操作。

一定要用"Win XP Checked Build Environment"编译。编译前先确认两个环境变量的
设置,第二个可以设置成"NTDEBUGTYPE=windbg",也可以保持不变。

> set NTDEBUG
NTDEBUG=ntsd
NTDEBUGTYPE=both

我的DDK开发环境在VMware Host上,调试环境则在VMware Guest上。将loopback.c、
loopback.pdb、loopback.sys复制到VMware Guest上同一目录下,比如onlytemp下。
用installdriver.exe安装loopback.sys。VMware Guest上PATH环境变量已经包含
"C:/Program Files/Compuware/DriverStudio/SoftICE",其下含有nmsym.exe。

--------------------------------------------------------------------------
onlytemp> installdriver.exe -s Loopback -d Loopback -c c:/onlytemp/loopback.sys

onlytemp> nmsym.exe /translate:always,source,package /output:loopback.nms loopback.sys

Compuware NM32 Symbol Translator/Loader version 1.24
(C) Compuware  Technologies, 1996-2001

MODULE=loopback.sys
OUTPUT=loopback.nms
PROMPT=OFF
Translation of C:/onlytemp/loopback.sys successfully completed

onlytemp> nmsym.exe /symload:loopback.nms

Compuware NM32 Symbol Translator/Loader version 1.24
(C) Compuware  Technologies, 1996-2001

SYMLOAD=loopback.nms
PROMPT=OFF
Symbols for loopback.nms successfully loaded

onlytemp> nmsym.exe /unload:loopback.nms

Compuware NM32 Symbol Translator/Loader version 1.24
(C) Compuware  Technologies, 1996-2001

UNLOAD=loopback.nms
PROMPT=OFF
Error removing symbol table loopback.nms: Item not found (status)
--------------------------------------------------------------------------

在命令行上用nmsym.exe卸载loopback.nms时会看到一条错误信息,不要理会它,进
SoftICE用table命令确认已经卸载成功。重新加载loopback.nms,在DriverEntry处
设置断点"bpx loopback!DriverEntry",在VMware Guest中加载loopback.sys,远程
SoftICE弹出。

onlytemp> net start Loopback

在SoftICE中执行如下操作:

:file *
loopback.c
:file loopback.c
:wc
:.

现在代码窗口中是loopback.c源代码,光条停留在DriverEntry的左花括号上。用src
命令或F3快捷键可以切换代码窗口的显示方式,有三种方式,纯源代码显示、混合显
示、汇编显示。有时切换显示方式时无法回到纯源代码显示,可再次使用"file .c"
恢复正常。顺便说一句,远程SoftICE的代码窗口可以看到中文注释,只要siremote
这边可以显示中文即可,本地SoftICE就没这好事了。

至此可以用SoftICE对loopback.sys进行源码级调试。KdPrint输出直接在SoftICE命
令窗口中显示,可以用F10、F8这些快捷键。

onlytemp> loopbacktest -m NSFOCUS

上述测试程序将激活LoDispatchCreate(),在SoftICE中下断点:

:bpx loopback!LoDispatchCreate
:bl
00)   BPX DriverEntry
01)   BPX LoDispatchCreate
:g
Break due to BP 01: BPX LoDispatchCreate
:p

最后这个P命令不可缺少,否则EBP尚未设置好,而形参、局部变量靠EBP定位,在混
合显示中很明显。现在可以用watch命令观察形参DeviceObject、Irp:

:watch Irp
:watch DeviceObject

选中那些带+号的条目,用回车展开后查看更详细的内容。不想观察时可用DEL删除相
应条目。

loopback.sys本身没有什么好调试的,只是通过这个例子感性地说明如何用SoftICE
对驱动进行源码级调试。loopback.sys是手工加载的,可以这样调试。对于那些启动
时加载的驱动程序,需要动用Initialization设置以及icepack.exe,没这需求,就
不去测试了。

☆ 后记

驱动相关结构的描述未出现在文中,那不是重点。工欲善其事必先利其器,重点是建
立感性认识、介绍调试步骤。有了这个基础,剩下的事属于八仙过海了。至少可在本
文基础上编译别人的源代码、进行常规测试以及简单调试。否则给你源代码,也是老
虎吃天的架势。

估计我适合做一些面向与我一样低智商的人群的计算机科普工作。比如以前没干过某
事,又一直很想感性地接触一下,需要一些"Step By Step"教程。记录这个过程,因
为想到肯定有人一样不务正业之余想折腾一下这个方向,但又找不到一条龙式的教程。
我承认这篇水文没有技术含量,但所写下的每一个字都是急于入门时切身体会下的字,
想必还是对另一些人有些微用处。如果真是那样,我将非常开心。

在Google中可以找到大量收费的驱动开发学习班,但甚少入门级教程。驱动开发的门
槛是人为抬高的,这么说,肯定有人不高兴了,觉得我连边都没摸着就狂得下这个结
论,嘿嘿。真是不好意思,我虽然没吃过天鹅肉,但肯定在广州动物园看见过天鹅。
所以对某些人的心性还是有所了解的。再说我也相信rain说的话,都是死框架加硬件
规范。话分两头,那些不是业余折腾驱动的人,不妨有骨气些,别个掖着不露就自己
看文档呗,瞎子摸象摸十年也该有个轮廓了,求人不如自力更生。当然,有得可求教
之人,不求教是白不求教。

下面这些参考资源是上周写本文时用到的。一般有URL的,绝不会故意漏去,只是这
次比较特殊,有四本是纸版书([1]、[2]、[4]、[7]),无从列出URL啊。

结语是这样的,在"三个代表"的指引下,我编写驱动的能力有了很大提高,!@#$%^&*

☆ 参考资源

[ 1] <<Windows NT Device Driver Development>> - P. Viscarola, W. Mason

[ 2] <<The Windows 2000 Device Driver Book, Second Edition>> - Art Baker, Jerry Lozano

[ 3] <<Programming the Microsoft Windows Driver Model, 2nd Ed>> - Walter Oney

[ 4] <<Inside Microsoft Windows 2000 Third Edition>> - David A. Solomon, Mark E. Russinovich

[ 5] DebugView
     http://www.sysinternals.com

[ 6] <<MSDN系列(2)--学习写一个Hello World驱动>>
     <<MSDN系列(8)--学习写一个Hello World服务(Service)>>

[ 7] <<Writing Windows WDM Device Drivers>> - Chris Cant

[ 8] Using SoftICE.pdf

你可能感兴趣的:(object,String,service,null,Build,extension)