Controlling a Windows Driver in C

A C Windows driver tutorial: controlling the driver from usermode.


Sanctum concept design document

This section is currently out of date - I have rewritten the project from C to Rust; the concepts below still apply, and I will update this page in due time, and perhaps add a new post about doing this in Rust :).

The way I want this project to work is that eventually a GUI will be the front end responsible for how the user interacts with the Sanctum application. They should be able to perform all the usermode actions you would expect (configure, deploy, stop, scan, etc.) from this GUI. The GUI will either load the engine directly as a DLL (written in C; you can find the engine here) or communicate with it via IPC.

The GUI is only meant to be a nice interface for the engine. The engine itself communicates with the driver via IOCTLs, and as it stands, I think it will receive input directly from other userland applications that have Sanctum's DLL loaded into them for function hooking, etc. At the moment I'm unsure whether that communication should route via the driver, or whether the DLL should communicate directly with the engine.

I envisage the engine being the core processor for the events taking place, which is why I want direct communication between the DLL and the engine.

The design can be pictured as follows:

Sanctum Windows Driver overview

Setting up the engine

The first step for the engine is to allow it to install, uninstall, start and stop the driver. This is now implemented in my GitHub project using a public and a private API. In C, I like to prefix private functions with an underscore (_). The 'public' entry to the driver manager is the manage_driver function, which takes an integer for the mode it is to run in (AKA these constants here), the desired service name, and the path to the .sys file (which I may make _In_opt_ in the future, as it is not required in all modes).

This function will then use ‘private’ functions of the driver manager to control the service. The key functions here are:

You can find my implementation of the above here.
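To make the public/private split concrete, here is an added example of such a driver manager written against the Service Control Manager. It is not Sanctum's code and not the functions linked above: the mode constants (DRV_INSTALL and friends), the return codes and the helper names are my own assumptions, while the Win32 calls (OpenSCManagerA, CreateServiceA, OpenServiceA, StartServiceA, ControlService, DeleteService) are the real API. The SCM calls are guarded by _WIN32 so that the argument validation at the top of manage_driver compiles and runs anywhere.

```c
/* Added example, not Sanctum's own code: a usermode driver manager in the shape
 * the post describes, one public entry point dispatching on a mode constant to
 * _-prefixed private helpers that drive the Service Control Manager (SCM).
 * Mode names, return codes and helper names are my assumptions. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#pragma comment(lib, "advapi32.lib")  /* the SCM API lives in advapi32 */
#endif

enum drv_mode { DRV_INSTALL = 0, DRV_UNINSTALL = 1, DRV_START = 2, DRV_STOP = 3 };
/* 0 on success, negative for argument errors, positive = Win32 error code. */
enum { SANCTUM_OK = 0, SANCTUM_ERR_ARGS = -1, SANCTUM_ERR_PLATFORM = -2 };
/* Only install needs the .sys path; the other modes look the service up by name,
 * which is why that parameter is a candidate for _In_opt_. (Strictly, C reserves
 * file-scope identifiers beginning with '_'; compilers accept them in practice.) */
int _requires_path(int mode) { return mode == DRV_INSTALL; }
#ifdef _WIN32
static int _install(SC_HANDLE scm, const char *name, const char *sys_path) {
    /* SERVICE_DEMAND_START: loaded by _start, not at boot. sys_path must be a
     * full path to the .sys; loading it also needs a trusted or test signature. */
    SC_HANDLE svc = CreateServiceA(scm, name, name, SERVICE_ALL_ACCESS,
        SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
        sys_path, NULL, NULL, NULL, NULL, NULL);
    if (!svc) {
        DWORD err = GetLastError();       /* re-running install is harmless */
        return err == ERROR_SERVICE_EXISTS ? SANCTUM_OK : (int)err;
    }
    CloseServiceHandle(svc);
    return SANCTUM_OK;
}

static int _uninstall(SC_HANDLE scm, const char *name) {
    SC_HANDLE svc = OpenServiceA(scm, name, DELETE);
    if (!svc) return (int)GetLastError();
    /* DeleteService only marks the entry; it goes once stopped and all handles close. */
    int rc = DeleteService(svc) ? SANCTUM_OK : (int)GetLastError();
    CloseServiceHandle(svc);
    return rc;
}

static int _start(SC_HANDLE scm, const char *name) {
    SC_HANDLE svc = OpenServiceA(scm, name, SERVICE_START);
    if (!svc) return (int)GetLastError();
    int rc = SANCTUM_OK;
    if (!StartServiceA(svc, 0, NULL) && GetLastError() != ERROR_SERVICE_ALREADY_RUNNING)
        rc = (int)GetLastError();
    CloseServiceHandle(svc);
    return rc;
}

static int _stop(SC_HANDLE scm, const char *name) {
    SC_HANDLE svc = OpenServiceA(scm, name, SERVICE_STOP);
    if (!svc) return (int)GetLastError();
    SERVICE_STATUS st;
    int rc = SANCTUM_OK;
    /* For a kernel driver this ends in DriverUnload; it fails if none was registered. */
    if (!ControlService(svc, SERVICE_CONTROL_STOP, &st) && GetLastError() != ERROR_SERVICE_NOT_ACTIVE)
        rc = (int)GetLastError();
    CloseServiceHandle(svc);
    return rc;
}
#endif
/* Public entry point: validate first so a bad call never touches the SCM. */
int manage_driver(int mode, const char *service_name, const char *sys_path) {
    if (mode < DRV_INSTALL || mode > DRV_STOP) return SANCTUM_ERR_ARGS;
    if (!service_name || !service_name[0]) return SANCTUM_ERR_ARGS;
    if (_requires_path(mode) && (!sys_path || !sys_path[0])) return SANCTUM_ERR_ARGS;
#ifdef _WIN32
    /* Least privilege: request only the SCM right this mode needs (an admin token is still required). */
    DWORD access = mode == DRV_INSTALL ? SC_MANAGER_CREATE_SERVICE : SC_MANAGER_CONNECT;
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, access);
    if (!scm) return (int)GetLastError();
    int rc;
    switch (mode) {
    case DRV_INSTALL:   rc = _install(scm, service_name, sys_path); break;
    case DRV_UNINSTALL: rc = _uninstall(scm, service_name);         break;
    case DRV_START:     rc = _start(scm, service_name);             break;
    default:            rc = _stop(scm, service_name);              break;
    }
    CloseServiceHandle(scm);
    return rc;
#else
    (void)sys_path;
    return SANCTUM_ERR_PLATFORM;          /* the SCM only exists on Windows */
#endif
}

int main(int argc, char **argv) {
    static const char *modes[] = { "install", "uninstall", "start", "stop" };
    if (argc < 3) { fprintf(stderr, "usage: %s <mode> <service> [C:\\path\\driver.sys]\n", argv[0]); return 2; }
    int mode = -1;
    for (int i = 0; i < 4; i++) if (strcmp(argv[1], modes[i]) == 0) mode = i;
    int rc = manage_driver(mode, argv[2], argc > 3 ? argv[3] : NULL);
    printf("%s %s -> %d\n", argv[1], argv[2], rc);
    return rc == SANCTUM_OK ? 0 : 1;
}
```

Build it with MSVC or MinGW and run it from an elevated prompt, e.g. install first with the full path to the .sys and then start; because the service is created with SERVICE_DEMAND_START, install alone registers the driver and nothing is loaded into the kernel until the start mode runs. The two failure cases a practitioner hits most are folded in: install on an already registered service and start on an already running driver are treated as success rather than as errors.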

To show what these controls look like side by side:

Sanctum usermode example

Next steps

This has been a short blog post; next up is setting up IOCTL communication between the engine and the kernel driver.

If there's anything you'd like to see as part of this project, please let me know via Twitter, whether that is features in the driver, a walkthrough of how to do something in Windows driver development in C, or a YouTube video / series.

Ciao.