What is a Windows Kernel Driver?
What is开发者_如何学Python Windows Kernel Driver written with the WDK?
What is different from normal app or service?
Kernel drivers are programs written against Windows NT's native API (rather than the Win32 Subsystem's API) and which execute in kernel mode on the underlying hardware. This means that a driver needs to be able to deal with switching virtual memory contexts between processes, and needs to be written to be incredibly stable -- because kernel drivers run in kernel mode, if one crashes, it brings down the entire system. Kernel drivers are unsuitable for anything but hardware devices because they require administrative access to install or start, and because they remove the security the kernel normally provides to programs that crash -- namely, that they crash themselves and not the entire system.
Long story short:
- Drivers use the native API rather than the Win32 API
- This means that drivers generally cannot display any UI.
- Drivers need to manage memory and how memory is paged explicitly -- using things like paged pool and nonpaged pool.
- Drivers need to deal with process context switching and not depend on which process happens to have the page table while they're running.
- Drivers cannot be installed into the kernel by limited users.
- Drivers run with privileged rights at the processor level.
- A fault in a user-level program results in termination of that program's process. A fault in a driver brings down the system with a Blue Screen of Death.
- Drivers need to deal with low level hardware bits like Interrupts and Interrupt Request Levels (IRQLs).
It is code that runs in kernel mode rather than user mode. Kernel mode code has direct access to the internals of the OS, hardware etc.
Invariably you write kernel mode modules to implement device drivers.
A kernel driver is a low-level implementation of an "application".
Because it runs in the kernel context, it has the ability to access the kernel API and memory directly.
For example, a kernel driver should be used to:
- Control access to files (password protection,hiding)
- Allow accessing non-standard filesystems (like ext, reiserfs, zfs and etc.) and devices
- True API hooks
- ...and for many other reasons
If you'd like to get know more, you can search for keyword "ring0" with your favorite search engine.
Others have explained the difference as the perspective of system level. If you are doing development in C++, there are below differences in User mode development and kernel-mode development.
- Unhandled exceptions crash the process in User mode, but in kernel mode, it crashes the whole system(face BSOD).
- When the user-mode process terminates without free private memory, the system implicitly free process memory. But in kernel mode, remaining memory free after system boot.
- The user-mode code is written and execute in PASSIVE_LEVEL. In kernel mode, there are more IRQL level.
- Kernel code debugging done using separate machines. But you can debug user mode on same machine.
- you can't use all C++ functionality in kernel-mode such as Exception handling and STL.
- Entry points are different, in user mode, you use the main as the entry point. But in kernel mode, we need to use DriverEntry.
- You can't use new operator in kernel mode, you need to overload it explictly.
精彩评论