Reputation: 21
Windows XP: Have my program run in kernel mode?
I'm currently learning about the different modes the Windows operating system runs in (kernel mode vs. user mode), device drivers, their respective advantages and disadvantages and computer security in general.
I would like to create a practical example of what a faulty device driver that runs in kernel mode can do to the system, by for example corrupting memory used for critical OS-processes.
- How can I execute my code in kernel mode instead of user mode, directly?
Do I have to write a dummy device driver and install it to do this?
Where can I read more about kernel and user mode in Windows?
I know the dangers of this and will do all of the experiments on a virtual machine running Windows XP only
Upvotes: 2
Views: 4629
Answers (3)
Reputation: 21269
The "Windows Internals" book is rather shallow on the topic at question.
First I should note that any program also runs in kernel mode (KM). This is due to the fact that - not unlike in unixoid systems - for system calls the calling thread transitions into KM where the kernel itself or one of the drivers services the request and then returns to user mode (UM).
A first step to get started would be to download the latest Windows Driver Kit (WDK) and start reading the documentation. If you want a more digestive book, go for one of these:
- Windows NT Device Driver Development - though an old title, many of the basics still apply.
- Programming the Windows Driver Model (by Oney) - WDM programming in particular, also covers basics, has some errors (as most books).
- Undocumented Windows 2000 Secrets (by Schreiber) - contains plenty of information about all kinds of internals at a more technical level than the book mentioned before.
- Undocumented Windows NT - contains a more generic part about internals on a technical level followed by a reference of some native API functions.
- Windows NT/2000 Native API - the classic, but it's more of a reference. Nevertheless there are several gems (and examples) in it.
Since you want to use Windows XP, many of the techniques described over at rootkit.com (even from some years ago) should work. They also got plenty of samples.
And as you notice by the name of the referenced website, you are in fact in what I'd call a gray area with that question ;)
Upvotes: 3
Reputation: 1319
You will need a good understanding of Windows Internals:
http://technet.microsoft.com/en-us/sysinternals
and yes they have a book: Windows Internals
http://technet.microsoft.com/en-us/sysinternals/bb963901
http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Developer/dp/0735625301
Basically your questions are all answered in this book (and it even comes with samples and hands-on labs).
Upvotes: 0
Reputation: 612954
It's a simple answer, and as you suspect, you do need to write a device driver in order to run in kernel mode. I'm afraid I don't know of a particularly good reference for kernel mode programming but a quick websearch reveals:
- en.wikibooks.org/wiki/Windows_Programming/User_Mode_vs_Kernel_Mode
- http://www.netomatix.com/Development/Kernelmode.aspx
- http://technet.microsoft.com/en-us/library/cc750820.aspx
- http://msdn.microsoft.com/en-us/library/ff553208(VS.85).aspx
Upvotes: 0
Related Questions
- Kernel mode for user program
- Entering protected mode from a DOS program
- Switch from protected mode to real mode in a DOS EXE program
- Is it possible to allow a particular user-level application to run in kernel-mode?
- Executing a user-mode executable from kernel-mode
- Can I run assembly program that switches to protected mode in dosbox?
- How to turn an app into a kernel-mode running code?
- How can i elevate my process at runtime under win xp
- Running in kernel mode on x86 W7
- Networking from a Kernel Mode Driver