创建一个基础WDM驱动，并使用MFC调用驱动

首先参考文章：如何使用WinDbg和Virtual Box进行Windows驱动debug，搭建开发环境。

创建一个Empty WDM项目，在solution下添加一个MFC项目：

其中FirstDriver是一个简单的WDM驱动项目，而App是一个MFC程序，用于调用驱动。

Source.c是驱动源码：

#include "ntddk.h"

#define DEVICE_SEND CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_WRITE_DATA)
#define DEVICE_REC CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_READ_DATA)

UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(L"\\Device\\mydevice123");
UNICODE_STRING SymLinkName = RTL_CONSTANT_STRING(L"\\??\\mydevicelink123");
PDEVICE_OBJECT DeviceObject = NULL;

VOID Unload(IN PDRIVER_OBJECT DriverObject) {
    
	IoDeleteSymbolicLink(&SymLinkName);
	IoDeleteDevice(DeviceObject);
	DbgPrint("Driver unload\r\n");
}

NTSTATUS DispatchPassThru(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    
   PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
   NTSTATUS status = STATUS_SUCCESS;

   switch (irpsp->MajorFunction) {
    
   case IRP_MJ_CREATE:
      DbgPrint("Create request\r\n");
      /*KdPrint(("Create request\r\n"));*/
      break;
   case IRP_MJ_CLOSE:
      DbgPrint("Close request\r\n");
      /*KdPrint(("Close request\r\n"));*/
      break;
   //case IRP_MJ_READ:
   // DbgPrint("Read request\r\n");
   // KdPrint(("Read request\r\n"));
   // break;
   default:
      status = STATUS_INVALID_PARAMETER;
      break;
   }

   Irp->IoStatus.Information = 0;
   Irp->IoStatus.Status = status;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return status;
}

NTSTATUS DispathDevCTL(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    
   PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
   NTSTATUS status = STATUS_SUCCESS;
   ULONG returnLength = 0;

   PVOID buffer = Irp->AssociatedIrp.SystemBuffer;
   ULONG inLength = irpsp->Parameters.DeviceIoControl.InputBufferLength;
   ULONG outLength = irpsp->Parameters.DeviceIoControl.OutputBufferLength;

   WCHAR *demo = L"sample return from driver";

   switch (irpsp->Parameters.DeviceIoControl.IoControlCode) {
    
   case DEVICE_SEND:
      DbgPrint("Send data is %ws \r\n", buffer);
      returnLength = (wcsnlen(buffer, 511) + 1) * 2;
      break;
   case DEVICE_REC:
      wcsncpy(buffer, demo, 511);
      returnLength = (wcsnlen(buffer, 511) + 1) * 2;
      DbgPrint("receive data is %ws \r\n", buffer);
      break;
   default:
      status = STATUS_INVALID_PARAMETER;
   }

   Irp->IoStatus.Status = status;
   Irp->IoStatus.Information = returnLength;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return status;
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) // main
{
    
	DriverObject->DriverUnload = Unload;

	UNICODE_STRING string = RTL_CONSTANT_STRING(L"hello driver\r\n");
	DbgPrint("%wZ", &string); // printf()

	NTSTATUS status = IoCreateDevice(DriverObject, 0, &DeviceName,
		FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN,
		FALSE, &DeviceObject);

	if (!NT_SUCCESS(status)) {
    
		DbgPrint("Create device failed\r\n");
		return status;
	}

	status = IoCreateSymbolicLink(&SymLinkName, &DeviceName);

	if (!NT_SUCCESS(status)) {
    
		DbgPrint("create symbolic link failed\r\n");
		IoDeleteDevice(DeviceObject);
		return status;
	}

   for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; ++i) {
    
      DriverObject->MajorFunction[i] = DispatchPassThru;
   }

   DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispathDevCTL;

	DbgPrint("Driver load\r\n");

	return STATUS_SUCCESS;
}

程序完成了几项工作：

1. 定义了Device Control Code，读写code分别为0x801和0x802，微软为用户开放了0x800~0xfff的control code；
2. 定义了DeviceName和SymbolLinkName，device/symbolink name一旦创建成功，可以通过WinObj查看，这个工具可以查看系统中的Device和用于用户调用(File IO) device别名symbolink name：
   
   
3. DriverEntry入口函数创建了device和symbolink，并配置了分派函数用于响应用户的各种请求。
4. DispatchPassThru函数响应IRP，处理了Device open和close请求。
5. DispatchDevCTL函数响应用户的IO请求。具体是指读写请求，这里会用到之前定义的Device Control Code。
6. Unload函数删除symbolink和device对象。

MFC应用程序
界面：

一共4个按钮，分别执行device open/close，以及通过IO发送和接收数据。

#include "winioctl.h"

#define DEVICE_SEND CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_WRITE_DATA)
#define DEVICE_REC CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_READ_DATA)

HANDLE devicehandle = NULL;

void CAppDlg::OnBnClickedButton1()
{
    
   // TODO: Add your control notification handler code here
   devicehandle = CreateFile(L"\\\\.\\mydevicelink123", 
      GENERIC_ALL, 0, 0, 
      OPEN_EXISTING, 
      FILE_ATTRIBUTE_SYSTEM,
      0);
   if (devicehandle == INVALID_HANDLE_VALUE) {
    
      MessageBox(L"Not valid value", 0, 0);
      return;
   }

   MessageBox(L"valid value", 0, 0);
}


void CAppDlg::OnBnClickedButton2()
{
    
   // TODO: Add your control notification handler code here
   if (devicehandle != INVALID_HANDLE_VALUE) {
    
      CloseHandle(devicehandle);
   }
}


void CAppDlg::OnBnClickedButton3()
{
    
   // TODO: Add your control notification handler code here
   WCHAR *message = L"send sample from mfc";
   WCHAR returnMessage[1024] = {
     0 };
   ULONG returnLength = 0;
   char wr[4] = {
     0 };
   if (devicehandle != NULL && devicehandle != INVALID_HANDLE_VALUE) {
    

      if (!DeviceIoControl(devicehandle, DEVICE_SEND, message,
         (wcslen(message) + 1) * 2,
         returnMessage,
         1024,
         &returnLength,
         0)) {
    
         MessageBox(L"Device io control failed", 0, 0);
      }
      else {
    
         MessageBox(returnMessage, 0, 0);
         _itoa_s(returnLength, wr, 10);
         MessageBoxA(0, wr, 0, 0);
      }
   }
}


void CAppDlg::OnBnClickedButton4()
{
    
   // TODO: Add your control notification handler code here
   WCHAR message[1024] = {
     0 };
   ULONG returnLength = 0;

   if (devicehandle != NULL && devicehandle != INVALID_HANDLE_VALUE) {
    

      if (!DeviceIoControl(devicehandle, DEVICE_REC, NULL,
         0,
         message,
         1024,
         &returnLength,
         0)) {
    
         MessageBox(L"Device io control failed", 0, 0);
      }
      else {
    
         MessageBox(message, 0, 0);
      }
   }
}

需要注意的是，这里要使用DeviceIoControl函数用于和device进行IO控制，所以include头文件winioctl.h，并且Device control code要和WDM驱动里的code一致。
将编译好的driver.sys和App放入虚拟机，以管理员权限打开OSRLOADER，Register Service和Start Service，以管理员权限打开App，点击4个按钮，依次显示如下：