Using NtKernLoadDriver in Windows 98 VxDs

Problem:

How do I access NtKern services?

Resolution:

Windows 98 has over 150 new services for VxD writers. Notable among them are the services of NtKern, the driver that provides most of the Win32 Driver Model calls on Windows 98. Some of NtKern's services map closely onto the ZwXxxx system calls available in WDM. For example, NtKernCreateFile has the same 11 parameters as the documented service ZwCreateFile.

Another interesting case is NtKernLoadDriver, a service that a VxD can call to cause the system to load a kernel mode driver. It eventually calls ZwLoadDriver, which has the following prototype:

NTSTATUS __stdcall ZwLoadDriver( PUNICODE_STRING ServiceKeyPath );

Note that the parameter is not a pointer to the file name. Rather, it points to the path in the system registry where information about the driver is stored. For example, if the driver name is MyDriver, then the path passed to ZwLoadDriver would be:

\Registry\Machine\System\CurrentControlSet\Services\MyDriver

The values under this key inform the system about the driver. The values are the same as those used in the Service Control Manager's registry database on Windows NT. Generally, they include at least the following:

Value        Typical Value  Purpose
Type         1              A value of 1 indicates a kernel mode driver
Start        2              2 means start at system initialization; 3 means manual start
ImagePath                   Identifies the driver file
DisplayName                 Name of the driver as seen by system utilities

One note about ImagePath. On Windows 98, the system prefixes the system root directory (e.g. C:\WINDOWS\) to any path string that does not begin with a backslash '\' (hex 5C). (The only exception is '\systemroot', which is converted to the system root directory.) What this means is that if the driver file is not under the system root, you have to use the UNC name of the file in order to load it, e.g. \\MyComputer\C\testdriver\i386\checked\foo.sys.
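
The ImagePath rule above, modeled as an added example (not code from the original article or from Windows) that shows which file a given ImagePath value resolves to, for instance when reviewing Services keys. The helper names are hypothetical; matching '\systemroot' without regard to case, and only when it is followed by a backslash or the end of the string, are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test. Assumption: the page does not say whether
   the '\systemroot' match is case-sensitive; this model ignores case. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Model of the Windows 98 ImagePath rule described above (hypothetical
   helper, not a system API). Returns 0, or -1 if out is too small. */
int resolve_image_path(const char *image_path, const char *sysroot,
                       char *out, size_t out_len)
{
    static const char token[] = "\\systemroot";
    const size_t tok_len = sizeof token - 1;
    size_t root_len = strlen(sysroot);
    const char *rest = image_path;
    int n;
    if (root_len > 0 && sysroot[root_len - 1] == '\\')
        root_len--;                  /* the join below adds one backslash */
    if (has_prefix_ci(image_path, token) &&
        (image_path[tok_len] == '\\' || image_path[tok_len] == '\0')) {
        rest = image_path + tok_len; /* '\systemroot' -> system root */
        rest += (*rest == '\\');
    } else if (image_path[0] == '\\') {
        /* Any other leading backslash (such as a UNC name): used as given. */
        n = snprintf(out, out_len, "%s", image_path);
        return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
    }
    /* Remaining cases: the system root is prefixed to the path. */
    n = snprintf(out, out_len, "%.*s\\%s", (int)root_len, sysroot, rest);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    const char *samples[] = { "foo.sys", "\\SystemRoot\\foo.sys", /* constructed */
        "C:\\testdriver\\foo.sys", "\\\\MyComputer\\C\\testdriver\\foo.sys" };
    char buf[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (resolve_image_path(samples[i], "C:\\WINDOWS\\", buf, sizeof buf) == 0)
            printf("%s -> %s\n", samples[i], buf);
    return 0;
}
```

The third sample shows why a drive-letter path outside the system root does not work: it does not begin with a backslash, so the system root is prefixed to it.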

A kernel mode driver loaded by NtKernLoadDriver can create device objects in its DriverEntry routine. However, it's important to remember that a driver loaded in this fashion is not a WDM driver. The system will not send it any PnP or power requests, and its AddDevice entry point will not be called. It bears the same relationship to a WDM driver that a statically loaded VxD bears to a VxD dynamically loaded by the Configuration Manager.

Note that there is no NtKernUnloadDriver. Unloading the driver requires special techniques.

Old KB# 11310