Saturday, July 21, 2012

Calling Windows Kernel Mode

The most basic way to call kernel mode code from a user mode application is via a system call. This mechanism uses native CPU support to implement the transition. One drawback of this mechanism is that it relies on a hard-coded table of well-known executive service routines to dispatch the request from the client code to the target kernel routine, which does not extend well to add-on components such as drivers.

For those cases, another mechanism is used: I/O control commands (IOCTLs), issued via the generic kernel32!DeviceIoControl API. The API takes the user-defined IOCTL identifier as one of its parameters, together with a handle to the device object that should receive the request. The transition to kernel mode is still performed in the NTDLL layer (ntdll!NtDeviceIoControlFile) and internally also uses the system call mechanism, so IOCTL is a higher-level communication protocol built on top of system calls.

I/O control commands are processed by the I/O manager of the executive, which builds an I/O request packet (IRP) and routes it to the device object requested by the user mode caller. The device has an associated device stack that handles its requests; the IRP filters down the stack, giving each driver a chance to either process or ignore the request. In fact, IRPs are also used by drivers to send requests to other drivers.
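The IOCTL identifier that DeviceIoControl carries down to the driver is not an opaque number: the CTL_CODE macro in winioctl.h packs the device type, the required access, a function index and the buffer-transfer method into it, and the method field decides whether the I/O manager copies the caller's buffers or hands the driver raw user-mode pointers (METHOD_NEITHER), which is why a driver that accepts such codes must validate them. The following is an added example, not code from the original post, that encodes and decodes such a code in portable C and, on Windows only, issues it with DeviceIoControl; the device name \\.\ExampleDevice and IOCTL_EXAMPLE_GET_VERSION are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of a 32-bit IOCTL code as built by CTL_CODE in winioctl.h:
 * bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method. */
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u   /* I/O manager copies buffers through a system buffer */
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u   /* driver receives raw user-mode pointers: must probe them */
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u

static uint32_t ctl_code(uint32_t dev, uint32_t func, uint32_t method, uint32_t access)
{
    return (dev << 16) | (access << 14) | (func << 2) | method;
}

struct ioctl_parts { uint32_t device_type, access, function, method; };

/* Split a code back into its fields, e.g. when triaging which IOCTLs a driver exposes. */
static struct ioctl_parts decode_ioctl(uint32_t code)
{
    struct ioctl_parts p;
    p.device_type = (code >> 16) & 0xFFFFu;
    p.access      = (code >> 14) & 0x3u;
    p.function    = (code >> 2)  & 0xFFFu;
    p.method      = code & 0x3u;
    return p;
}

/* Hypothetical user-defined control code; functions 0x800 and above are reserved for vendors. */
#define IOCTL_EXAMPLE_GET_VERSION ctl_code(FILE_DEVICE_UNKNOWN, 0x800u, METHOD_BUFFERED, FILE_READ_ACCESS)

#ifdef _WIN32
#include <windows.h>
int main(void)
{
    /* "\\.\ExampleDevice" is a placeholder name for the driver's device object. */
    HANDLE h = CreateFileA("\\\\.\\ExampleDevice", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) { printf("open failed: %lu\n", GetLastError()); return 1; }
    DWORD version = 0, returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_EXAMPLE_GET_VERSION, NULL, 0,
                              &version, sizeof version, &returned, NULL);
    printf("DeviceIoControl %s, version=%lu\n", ok ? "ok" : "failed", version);
    CloseHandle(h);
    return ok ? 0 : 1;
}
#endif
```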
