Introduction
Welcome to my kernel programming tutorial document. Be sure to read these notes before starting.
Important notes
Kernel programming is not at all like user-mode programming: public information about the kernel's internals is limited, and most of the time you have to dig deep into the MSDN documentation just to find out where to start.
Kernel-mode code has to be perfect. There is no process boundary to contain a mistake, so any flaw (a bad pointer, a missing check) corrupts the whole system and usually ends in a BSOD (blue screen of death).
For structures that have no documentation at all, you have to do the dirty work yourself: reverse engineer (RE) the OS binaries and write the documentation yourself. I will explain how later in this document.
This page is your main resource; stick to it and spend most of your hours here. I highly suggest going through the Kernel-Mode Driver Architecture Design Guide. Read it slowly, digest it, practice alongside it, and come back to it whenever you need to. For the kernel-mode API, always go here first.
Sometimes you want to do something in kernel mode and simply do not know which function does the job. In such situations I highly recommend visiting the API reference docs for the Windows Driver Kit, going to the logically relevant section, and reading the API descriptions. It helps a lot, and I will show with real examples how to do this.
Always treat every single warning as an error and fix it.
You usually won't find examples for kernel functions. The best approach is to read the documentation and the header files in your IDE and figure it out yourself. It is not easy at first, but it gets easier once you are used to kernel functions. You can use this website to check whether there is an example of the function you are looking for, and you can search GitHub as well.
You need a virtual machine to practice kernel programming. I also recommend this website (also saved in the same directory in case of a broken link) for setting up WinDbg with a virtual machine.
To compile kernel-mode code you have to download and install, in this order: Visual Studio with the C++ desktop development workload, the Windows SDK, and finally the Windows WDK. I highly recommend installing all of them in the default paths: I changed the default paths and that led to a failure. Do it at your own risk.
I suggest compiling the code on your main OS and then running the resulting .sys on your VM.
You can also use the Windows-driver-samples repository to find out what you need to do.
You need to run your drivers in test mode, which disables the driver signature check. To enable test mode, open cmd as Administrator, run the command below, and reboot; afterwards you should see the "Test Mode" watermark in the bottom-right corner of the desktop. If you want to run your code without test mode, you have to abuse a vulnerability in another, signed driver, which we will discuss later; you can read more about it here, here, and here (pages saved in case of broken links).
bcdedit /set testsigning on
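As an added example (not part of the original tutorial), the same procedure as a PowerShell script that also checks the two things that most often make it fail silently: the prompt is not elevated, or Secure Boot is enforced (bcdedit then refuses to change testsigning, and Hyper-V Generation 2 VMs enable Secure Boot by default). It verifies the change in the current boot entry and, after the reboot, registers and starts a built .sys with sc.exe, translating the most common failure code (577, "Windows cannot verify the digital signature for this file") into a plain message. The driver path and service name are placeholders, and the check of bcdedit's output assumes an English Windows install.

```powershell
# Added example for this tutorial (not part of the original page): enable test
# signing on the VM, verify it took, then load a freshly built .sys with sc.exe.
# Assumptions: run from an elevated PowerShell prompt inside the test VM on an
# English Windows install; $DriverPath and $ServiceName are placeholders.

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }
}

function Enable-TestSigning {
    Assert-Elevated
    # bcdedit refuses to change testsigning while Secure Boot is enforced
    # (Hyper-V Generation 2 VMs turn it on by default); fail early with a clear
    # message instead of the generic "value is protected by Secure Boot policy".
    $sb = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue   # $null on BIOS / Gen1 VMs
    if ($sb -eq $true) {
        throw 'Secure Boot is enabled; turn it off in the VM firmware settings first.'
    }
    & bcdedit.exe /set testsigning on | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

    # Confirm the change in the current boot entry; it only takes effect after a reboot.
    $entry = & bcdedit.exe /enum '{current}'
    if (-not ($entry -match '^testsigning\s+Yes')) {
        throw 'testsigning is still off; inspect "bcdedit /enum {current}" by hand.'
    }
    Write-Host 'Test signing enabled. Reboot, then check for the "Test Mode" watermark.'
}

function Install-TestDriver {
    param(
        [Parameter(Mandatory)][string]$DriverPath,
        [Parameter(Mandatory)][string]$ServiceName
    )
    Assert-Elevated
    if (-not (Test-Path -LiteralPath $DriverPath)) { throw "Driver not found: $DriverPath" }

    # Register the .sys as a kernel driver service. sc.exe needs a space after
    # every '='. Exit code 1073 (ERROR_SERVICE_EXISTS) means a previous run
    # already created it, which is fine.
    & sc.exe create $ServiceName type= kernel binPath= $DriverPath start= demand | Out-Null
    if ($LASTEXITCODE -notin 0, 1073) { throw "sc create failed: $LASTEXITCODE" }

    # Start it. Exit code 577 (ERROR_INVALID_IMAGE_HASH, "Windows cannot verify
    # the digital signature for this file") means test mode is not active yet.
    & sc.exe start $ServiceName | Out-Null
    if ($LASTEXITCODE -eq 577) { throw 'Unsigned driver rejected: test mode is not active.' }
    if ($LASTEXITCODE -ne 0)   { throw "sc start failed: $LASTEXITCODE" }

    # Return the driver's state as the service control manager sees it ("Running").
    (Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'").State
}

# Usage: run Enable-TestSigning, reboot, then
#   Install-TestDriver -DriverPath 'C:\Drivers\MyDriver.sys' -ServiceName 'MyDriver'
# Unload again with: sc.exe stop MyDriver; sc.exe delete MyDriver
```

Run Enable-TestSigning first, reboot, and only then call Install-TestDriver; the functions are split on purpose because the bcdedit change does not apply until the next boot. If you have a kernel debugger attached (the WinDbg setup recommended above), the sc.exe start is also the moment your DriverEntry breakpoint is hit.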
Remember that some specific hardware is treated differently inside a virtual machine. If you want to work with real hardware, the best option is a real computer debugged over the network with WinDbg.
Some functions live in separate .lib files, and including the header alone gives you a linker error. FltGetVolumeGuidName, for example, produces an unresolved-external linker error if you only include fltkernel.h. To fix it, find the .lib name (FltMgr.lib in our case, listed under "Library" on the function's documentation page), then go to Linker->Input->Additional Dependencies and add $(DDK_LIB_PATH)\fltMgr.lib to resolve the issue.
After working with and testing both VMware and Hyper-V, I can say that in my experience Hyper-V works much, much better for Windows kernel experiments. I had multiple problems with VMware in my last few experiments. As a result, I am no longer using VMware.