Windows software drivers (part 2: Structure of a driver)

Categories Development, kernel

“Practical Reverse Engineering” is a great book on Windows reverse engineering. In this part, the structure of a driver is noted for later reference.

The I/O manager creates and initializes the DRIVER_OBJECT and points its DriverInit field to DriverEntry. DriverEntry then initializes driver-specific settings, registers the IRP dispatch routines (which are stored in the MajorFunction array), and creates device objects (through the IoCreateDevice API).

Windows has a pre-defined set of IRP major functions to generically describe every I/O request. The following list associates each MajorFunction with a unique number.

A driver can have multiple device objects. DeviceExtension points to device-specific data stored in non-paged pool. It is important to recover this structure in the analysis of a driver.
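As an added illustration (not the book's code and not a real kernel driver), here is a user-mode C model of the structures noted above: DriverEntry filling DRIVER_OBJECT.MajorFunction, a stand-in for IoCreateDevice attaching a DeviceExtension, and the I/O manager indexing MajorFunction by the IRP's major code. The IRP_MJ_* and STATUS_* values are the real Windows constants; the struct layouts, ModelIoCreateDevice, ModelDispatchIrp and the DEVICE_EXTENSION fields are simplified assumptions.

```c
#include <stdlib.h>
/* Real Windows constants; the types below are simplified stand-ins for ntddk.h. */
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_CLOSE            0x02
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
typedef int NTSTATUS;
typedef struct { unsigned char MajorFunction; unsigned long IoControlCode; } IRP;
typedef struct { void *DeviceExtension; } DEVICE_OBJECT;
typedef NTSTATUS (*PDRIVER_DISPATCH)(DEVICE_OBJECT *, IRP *);
typedef struct {
    DEVICE_OBJECT *DeviceObject;   /* device created by this driver */
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;
/* Hypothetical per-device state; a real driver keeps this in non-paged pool. */
typedef struct { unsigned long opens; unsigned long last_ioctl; } DEVICE_EXTENSION;
static NTSTATUS DispatchUnsupported(DEVICE_OBJECT *d, IRP *i) {
    (void)d; (void)i; return STATUS_INVALID_DEVICE_REQUEST;
}
static NTSTATUS DispatchCreate(DEVICE_OBJECT *d, IRP *i) {
    (void)i; ((DEVICE_EXTENSION *)d->DeviceExtension)->opens++; return STATUS_SUCCESS;
}
static NTSTATUS DispatchIoctl(DEVICE_OBJECT *d, IRP *i) {
    ((DEVICE_EXTENSION *)d->DeviceExtension)->last_ioctl = i->IoControlCode;
    return STATUS_SUCCESS;
}
/* Stand-in for IoCreateDevice: allocates the device with a zeroed extension behind it. */
static DEVICE_OBJECT *ModelIoCreateDevice(DRIVER_OBJECT *drv, size_t ext_size) {
    DEVICE_OBJECT *d = calloc(1, sizeof *d + ext_size);
    if (d) { d->DeviceExtension = d + 1; drv->DeviceObject = d; }
    return d;
}
/* Called by the I/O manager through DRIVER_OBJECT.DriverInit once the object exists. */
NTSTATUS DriverEntry(DRIVER_OBJECT *drv) {
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)   /* default every slot first */
        drv->MajorFunction[mj] = DispatchUnsupported;
    drv->MajorFunction[IRP_MJ_CREATE]         = DispatchCreate;
    drv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    if (!ModelIoCreateDevice(drv, sizeof(DEVICE_EXTENSION))) return STATUS_INSUFFICIENT_RESOURCES;
    return STATUS_SUCCESS;
}
/* The I/O manager's routing step: index MajorFunction by the IRP's major code.
 * An analyst reads this array to find which routine handles which request type. */
NTSTATUS ModelDispatchIrp(DRIVER_OBJECT *drv, IRP *irp) {
    return drv->MajorFunction[irp->MajorFunction](drv->DeviceObject, irp);
}
```

Slots that DriverEntry never overrides (here IRP_MJ_CLOSE) fall through to the default handler, which is exactly the gap an analyst checks for when recovering the MajorFunction table.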
