Updated on 03 Oct, 202511 mins read 529 views

In this chapter we will create a simple KMDF driver

Install Visual Studio and WDK

1 Install Visual Studio

Install visual studio (latest)

Choose the following components:

  • Desktop development with C++
  • Windows Driver Development

2 Install Windows Driver Kit (WDK)

Get the latest WDK from the Mircrosoft official website, match it to your version of Visual Studio.

Once installed, you will get:

  • Driver project templates
  • Access to libraries fwpkclnt.lib, fwpuclnt.lib, and header files

3 Setting Up a Testing Environment (VM)

Never test WFP drivers on your main OS. A bug in kernel code can BSOD your machine.

Create a dummy KMDF driver project

In Visual Studio → New Project → Kernel Mode Driver (KMDF)

Step 1: Kernel Driver (HelloDriver.c)

Driver Code:

// Include the basic NT Driver Development Kit header
// This provides core Windows kernel-mode definitions and functions
#include <ntddk.h>

// Include the Windows Driver Framework header (optional in this case, but required for KMDF drivers)
#include <wdf.h>

// ------------------------------------------------------
// DriverUnload: This function is called when the driver
// is being unloaded from the system.
// ------------------------------------------------------
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    // This macro just tells the compiler we are not using this parameter
    UNREFERENCED_PARAMETER(DriverObject);

    // Print a debug message to the kernel debugger or DebugView
    DbgPrint("WFP Driver: Unload called.\n");
}

// ------------------------------------------------------
// DriverEntry: This is the main entry point for the driver.
// It is called by the OS when the driver is loaded.
// ------------------------------------------------------
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    // We are not using the registry path in this driver, so we mark it as unreferenced
    UNREFERENCED_PARAMETER(RegistryPath);

    // Register the unload routine so Windows knows which function to call
    // when the driver is being removed
    DriverObject->DriverUnload = DriverUnload;

    // Print a message to the debugger to show that the driver has loaded
    DbgPrint("WFP Driver: Hello World from WFP driver!\n");

    // Return STATUS_SUCCESS to tell the OS the driver loaded successfully
    return STATUS_SUCCESS;
}

Step 2: Testing: Creating the service and starting it

Creation of the service:

sc create Hello-World type= kernel binPath= "C:\Windows-Driver-Development\1_Hello-World\1_Hello-World.sys"

Start the service:

sc start Hello-World
451a4d10-80b0-4364-9084-eb9cbaa95397.png

After starting the service we will see the debug message in the DbgView Debugger.

image-562.png

Step 4: Stopping and Unloading the driver

Run the following command to stop the driver:

sc stop Hello-World
40be4be1-8675-4359-ae0b-c14dfd56a799.png
4b30fb41-d7d0-4b6d-b4c1-d959b3774f0f.png

To delete the entry of the driver from the registry use the following command:

sc delete Hello-World
10f22672-4564-473e-af4e-3dd1b6a330db.png

View DbgPrint Output

Download DebugView from this link, it will provide you a zip file, extract it.

Run the Dbgview.exe from the extracted file as an Administrator.

Check the following options from the capture menu in top bar as shown in the below screenshot.

d1de2096-0dad-4fa8-9a43-c899136c4f80.png
Buy Me A Coffee

Leave a comment

Your email address will not be published. Required fields are marked *