图解WinCE6.0下的内核驱动和用户驱动
在《WinCE驱动程序的分类》中曾提到,WinCE6.0的流驱动既可以加载到内核态也可以加载到用户态。下面通过一组图片简单说明一下这两种驱动的关系。
首先编写一个流驱动WCEDrv,代码如下。
代码 
extern "C"
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
UNREFERENCED_PARAMETER(lpvReserved);
switch(dwReason) {
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls((HMODULE) hinstDLL);
break;
case DLL_PROCESS_DETACH:
break;
};
return TRUE;
}
extern "C"
DWORD Init(LPCTSTR pContext, DWORD dwBusContext)
{
RETAILMSG(1,(_T("Init(%s, %x)"),pContext,dwBusContext));
PBYTE pBuffer = new BYTE[4096*1024];
RETAILMSG(1,(TEXT("pBuffer(%x)\r\n"),pBuffer));
return (DWORD)pBuffer;
}
extern "C"
BOOL Deinit(DWORD hDeviceContext)
{
RETAILMSG(1,(_T("Deinit(%x)\r\n"),hDeviceContext));
PBYTE pBuffer = (PBYTE)hDeviceContext;
if (pBuffer)
{
delete[] pBuffer;
}
return TRUE;
}
extern "C"
void PowerUp(DWORD hDeviceContext)
{
}
extern "C"
void PowerDown(DWORD hDeviceContext)
{
}
extern "C"
DWORD Open(DWORD hDeviceContext, DWORD AccessCode, DWORD ShareMode)
{
RETAILMSG(1,(_T("Open(%x, 0x%x, 0x%x)\r\n"),hDeviceContext, AccessCode, ShareMode));
return hDeviceContext;
}
extern "C"
BOOL Close(DWORD hOpenContext)
{
RETAILMSG(1,(_T("Close(%x)\r\n"),hOpenContext));
return TRUE;
}
extern "C"
BOOL IOControl(DWORD hOpenContext, DWORD dwCode, PBYTE pBufIn, DWORD dwLenIn
, PBYTE pBufOut, DWORD dwLenOut, PDWORD pdwActualOut)
{
UNREFERENCED_PARAMETER(hOpenContext);
UNREFERENCED_PARAMETER(dwCode);
UNREFERENCED_PARAMETER(pBufIn);
UNREFERENCED_PARAMETER(dwLenIn);
UNREFERENCED_PARAMETER(pBufOut);
UNREFERENCED_PARAMETER(dwLenOut);
UNREFERENCED_PARAMETER(pdwActualOut);
SetLastError(ERROR_INVALID_FUNCTION);
return FALSE;
}
extern "C"
DWORD Read(DWORD hOpenContext, LPVOID pBuffer, DWORD Count)
{
RETAILMSG(1,(_T("Read(%x, %x, 0x%x)\r\n"),hOpenContext, pBuffer, Count));
return TRUE;
}
extern "C"
DWORD Write(DWORD hOpenContext, LPCVOID pBuffer, DWORD Count)
{
RETAILMSG(1,(_T("Write(%x, %x, 0x%x)\r\n"),hOpenContext, pBuffer, Count));
return TRUE;
}
extern "C"
DWORD Seek(DWORD hOpenContext, long Amount, WORD Type)
{
UNREFERENCED_PARAMETER(hOpenContext);
UNREFERENCED_PARAMETER(Amount);
UNREFERENCED_PARAMETER(Type);
SetLastError(ERROR_NOT_SUPPORTED);
return -1;
}
其对应的注册表文件内容如下。
注册表 "Prefix"="AAA"
"Dll"="WCEDrv.dll"
"Index"=dword:1
"Flags"=dword:8 ; DEVFLAGS_NAKEDENTRIES
"Order"=dword:0
[HKEY_LOCAL_MACHINE\Drivers\WCEDrv2]
"Prefix"="BBB"
"Dll"="WCEDrv.dll"
"Index"=dword:1
"Flags"=dword:8 ; DEVFLAGS_NAKEDENTRIES
"Order"=dword:0
[HKEY_LOCAL_MACHINE\Drivers\WCEDrv3]
"Prefix"="CCC"
"Dll"="WCEDrv.dll"
"Index"=dword:1
"Flags"=dword:18 ; DEVFLAGS_LOAD_AS_USERPROC | DEVFLAGS_NAKEDENTRIES
"Order"=dword:0
[HKEY_LOCAL_MACHINE\Drivers\WCEDrv4]
"Prefix"="DDD"
"Dll"="WCEDrv.dll"
"Index"=dword:1
"Flags"=dword:18 ; DEVFLAGS_LOAD_AS_USERPROC | DEVFLAGS_NAKEDENTRIES
"Order"=dword:0
通过驱动调试助手动态加载该驱动,在加载时,根据注册表中的设置,分别加载两个到内核空间和用户空间。
通过驱动调试助手导入注册表文件
用户态和内核态分别加载两个,共加载四个驱动
加载驱动过程时的串口打印
加载驱动成功后,HKEY_LOCAL_MACHINE\Drivers\Active下内核驱动对应的键
加载驱动成功后,HKEY_LOCAL_MACHINE\Drivers\Active下用户驱动对应的键 
通过远程堆查看器,查看内存的分配情况
通过远程进程查看器 ,查看wcedrv.dll加载为内核态驱动
通过远程进程查看器,查看wcedrv.dll加载为用户态驱动1
通过远程进程查看器,查看wcedrv.dll加载为用户态驱动2
WCEDRV的源代码下载地址:http://files.cnblogs.com/we-hjb/WCEDrv.rar
