Writing drivers for KolibriOS

From KolibriOS wiki
Jump to: navigation, search

WARNING: This article is deprecated and in need of an update/rewrite. Latest kernels use PE format instead of MS COFF.

Driver development for KolibriOS

Introduction

Warning 1. Before writing a driver for KolibriOS think if you can gain your aims by application programming interfaces (API), in particular - hardware interface functions 41-46 and 62. There are several reasons to prefer an application to a driver. First of all, a bug in an application can hang this application only, and the operating system will continue working. But a bug in a driver can cause the entire system to crash. Though drivers are very critical for system stability it's difficult to debug them. Developing an application you can hunt for bugs using mtdbg, which is quite an advanced debugger; but you can't use it to debug a driver. Sometimes the embedded Bochs debugger would do, but, of course, it is useless if you work with real hardware. You can only send messages to the KolibriOS debug message board, which has many disadvantages.

Warning 2. It's clear that every driver depends on the kernel architecture very much. But KolibriOS kernel is modified several times a week. Of course, most of changes don't make sense to the driver subsystem, but sometimes important system functions exported to drivers are changed or destroyed, or new functions are created. So if you compile the code included in this article it's possible that it won't work "out of the box". So, read the text carefully - I'll try to note all possible reasons of future problems and the modifications necessary to fix them. My code is written for svn.450 revision, which is the newest one at the moment (so without modification it won't work in 0.6.5.0 distribution).

As a rule, the only reason we write drivers for is hardware interface. A real driver includes a huge mass of hardware-dependent code which has almost nothing to deal with the subject of this article - basic principles of KolibriOS kernel driver subsystem. The process of driver development is shown on the following example: we'll write a driver which catches and writes down all queries applications send to the filesystem, and a control application which receives data from the driver and displays them. FASM is used as the main development tool.

The Driver

KolibriOS kernel sources include a basic driver skeleton - sceletone.asm (it is placed in kernel/drivers in KolibriOS 0.6.5.0 kernel sources distribution or in svn://kolibrios.org/kernel/trunk/drivers on KolibriOS SVN repository). Let's have a look at it (it is svn.450 version):

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;                                                              ;;
;; Copyright (C) KolibriOS team 2004-2007. All rights reserved. ;;
;; Distributed under terms of the GNU General Public License    ;;
;;                                                              ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;driver sceletone
 
format MS COFF
 
include 'proc32.inc'
include 'imports.inc'

First of all (after several usual comments) we should tell the compiler which binary file format to use. Drivers must be compiled in COFF object file format (“MS” in the middle means that the driver uses a special extended version of COFF created by Microsoft. It allows to use “writeable” attributes for sections).

Then the driver plugs in additional files. proc32.inc includes macros for standard procedure definitions and calls (proc/endp, stdcall/ccall/invoke/cinvoke, local for local variables declaration), it is placed in the same folder as sceletone.asm. This file is optional, it's up to you to use it or not; in this article proc32.inc is used in order to make the code simlplier (generally, macros can be a bad idea if you need maximal efficiency, but it's not this article's subject).

imports.inc includes definitions for all exported kernel functions. Have a look at it, there's nothing special there, only a mess of trivial constructions. Actually (as it takes place when loading the driver) the list of all exported functions and data is placed in core/exports.inc (kernel_export label), so if you export something feel free to change this file. But don't forget to submit your changes to imports.inc to take care of others.

Be careful! A compatibility issue can occur here. If your driver uses a function which isn't declared in current kernel it will refuse to load the driver and write “unresolved” and the function name on the debug board.

Well, let's go forward.

OS_BASE       equ 0x80000000
new_app_base  equ 0x00000000
PROC_BASE     equ OS_BASE+0x0080000

OS_BASE means the kernel loading address. For the “old” kernel (for example, version 0.6.5.0) it is 0, for “flat kernel” (current kernel) it is 0x80000000.

The new_app_base constant means the linear address where the applications are loaded: all applications are loaded into the same address, but intersection doesn't occur because every process has its own page table and every application is sure that it's loaded into address 0. In ring 3 CS/DS/ES/SS selectors have new_app_base base, and in ring 0 (kernel and drivers) - base 0. So, to convert an application address into a kernel pointer it's necessary to add new_app_base to it (believe me if you don't understand it). new_app_base can cause an incompatibility issue: in 0.6.5.0 this constant is 0x60400000, in svn.450 - 0x80000000, and in “flat” kernel (current kernel) it is 0 (it is called “flat” because it uses a flat memory model). How can we get real values of OS_BASE and new_app_base for particular kernel? It's elementary - they're declared in const.inc (from kernel sources), so it's enough to find them there. And the KolibriOS memory map is placed in memmap.inc file from the kernel sources distribution.

The third constant (PROC_BASE) means nothing in our case, it isn't used at all.

struc IOCTL
{  .handle     dd ?
   .io_code    dd ?
   .input      dd ?
   .inp_size   dd ?
   .output     dd ?
   .out_size   dd ?
}
 
virtual at 0
   IOCTL IOCTL
end virtual

It's simply a structure definition (speculations with VIRTUAL are common for FASM).

public START
public service_proc
public version

We've already imported necessary functions from kernel (imports.inc). And now we let the kernel know about the driver. Let's start from the end. The version variable which is declared in the following text is not actually the driver version. It is the version of the interface this driver works with. In particular, two version codes are encoded in one DWORD. The lower WORD makes no sense in current kernel version, but you should put there the version number of the interface which is “native” for the driver. The upper WORD means minimal version the driver requires to work with. It must be in the interval between DRV_COMPAT and DRV_CURRENT constants which are defined in core/dll.inc file in kernel sources distribution. In 0.6.5.0 both of them are 3. But unil svn.450 the interface has been changed and the constants have been made equal to 4. What is this stuff necessary for? It's made to solve the following problem. All changes in driver subsystem can be divided into several groups: 1) full or partial modification of basic principles; 2) deletion of one or more exported kernel functions; 3) function interface modification (parameters in stack/register, additional arguments, arguments order, etc); 4) new functions. As a rule, in the situations 1-3 you'll have to change your drivers by hand. But it's not a very good thing to recompile all drivers after adding a new kernel function though they don't need it. So the kernel supports loading “not very old” drivers.

version   dd 0x00030003

The driver skeleton is made for version 3, so it won't work with current kernel. It hasn't been updated since 0.6.5.0 (besides the copyright), so new_app_base and version are old. By the way, keep in mind that the upper WORD consists of the first 3 bytes of DWORD, and the lower one consists of the second 3 bytes because bytes in WORD and words in DWORD are placed in reverse order (of course, I'm sure you know it, but just in case...)

The START procedure is called by the system when loading the driver and when closing it. In the first situation it initializes the driver, in the second - finishes its work. You don't need to export the service_proc procedure - there are other methods to let the kernel know about it. We'll talk about it later. And finally, the last portion of constants in sceletone.asm:

DEBUG      equ 1
 
DRV_ENTRY  equ 1
DRV_EXIT   equ -1
STRIDE     equ 4    ;size of row in devices table

The first of them turns on debug output in the blocks if DEBUG/end if. DRV_ENTRY and DRV_EXIT define possible values of the START procedure argument. The last constant is necessary for beauty. Now we see the first executable code. The line

section '.flat' code readable align 16

means the very thing which is written. Then come more interesting things.

proc START stdcall, state:dword
   cmp [state], 1
   jne .exit
.entry:
   if DEBUG
      mov esi, msgInit
      call SysMsgBoardStr
   end if
   stdcall RegService, my_service, service_proc
   ret
.fail:
.exit:
   xor eax, eax
   ret
endp

This is the code of the procedure of initialization/finalization. When loading the driver it is called with argument DRV_ENTRY = 1 and it must return a non-zero value if there are no problems. When halting the system START is called with argument DRV_EXIT = -1. In particular case or driver doesn't work with any hardware, so there's no hardware initialization or finalization code. The procedure includes only minimally required actions necessary to complete the driver loading. It is registration. The RegisterService function is exported by kernel. It accepts two arguments: driver name (up to 16 symbols including the terminating zero) and the pointer to the procedure handling the I/O. RegisterService returns 0 when registration is failed or a non-zero registered handler if everything is well.

By the way, you may ask how to learn what a particular kernel function does. For example, we need to allocate several pages of kernel memory. To get the reference we open core/exports.inc in kernel sources, look through exported names (they're quite human-readable) and notice szKernelAlloc. We page down until kernel_export label and look for szKernelAlloc - it is assigned to a procedure kernel_alloc. Now look for the implementation of this procedure - it is placed in core/heap.inc. There are no comments, but there's a definition which makes clear that this function accepts one argument called size of DWORD type. It's clear that kernel_alloc allocates as much kernel memory as the single argument tells to. And the very first lines of its code show that the size of allocated memory is aligned up to 4096 (i. e. the size of a page), so it's clear that it allocates an integer number of pages, and size is given in bytes. After such a lyric digression let's leturn to our driver.

After the described code of startup procedure these lines follow. It's service_proc procedure - the queries handler.

handle    equ IOCTL.handle
io_code   equ IOCTL.io_code
input     equ IOCTL.input
inp_size  equ IOCTL.inp_size
output    equ IOCTL.output
out_size  equ IOCTL.out_size
 
align 4
proc service_proc stdcall, ioctl:dword
 
;  mov edi, [ioctl]
;  mov eax, [edi+io_code]
 
   xor eax, eax
   ret
endp
 
restore   handle
restore   io_code
restore   input
restore   inp_size
restore   output
restore   out_size

service_proc is called when somebody tries to communicate with the driver. It can be another driver (a driver can call itself through the I/O mechanism, but it's unnecessary) which has got the handler somewhere and called ServiceHandler, it can be even Its Majesty the Kernel (srv_handler, srv_handlerEx from core/dll.inc), or, finally, an application using function 68.17 (it can get the handler when loading the driver with 68.16). A zero return value means success, a non-zero value - an error.

First of all we define shortened names for the members of structure which describes the query. In the handle field the driver handler is placed, io_code - the DWORD-typed query identifier, the other fields should be clear. The returned value is passed to the code which has called the driver (another driver/the kernel/an application). Finally the program restores the values which have been resigned to shortened names of structure's fields. In the particular case it is useless, but in more complex drivers such common name as “input” may be used many times.

The next portion of code in sceletone.asm looks for the specified hardware on the PCI bus. We don't need it, so we shan't describe it here. You'll certainly get dealt with it if you like.

Now we can start writing our own driver. The beginning is trivial.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;                                                              ;;
;; Copyright (C) KolibriOS team 2004-2007. All rights reserved. ;;
;; Distributed under terms of the GNU General Public License    ;;
;;                                                              ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;FileMon: driver part
 
format MS COFF
 
include 'proc32.inc'
include 'imports.inc'

Write for svn.450 (for 0.6.5.0 you should write new_app_base equ 0x60400000):

OS_BASE       equ 0;
new_app_base  equ 0x80000000

Several definitions:

struc IOCTL
{  .handle     dd ?
   .io_code    dd ?
   .input      dd ?
   .inp_size   dd ?
   .output     dd ?
   .out_size   dd ?
}
 
virtual at 0
   IOCTL IOCTL
end virtual
 
public START
public version
 
DRV_ENTRY  equ 1
DRV_EXIT   equ -1
 
section '.flat' code readable align 16

There's nothing special in this code. But now we're starting to implement the functions our driver carries. Wait a little! Before putting fingers on keyboard let's think what we want our driver to do.

Our driver will accept 4 codes of I/O query. Let's describe each of them.

Code 0 is always used to get the driver version (now it is the version of the driver, but not of the driver interface). The handler of this request is not required because the kernel is not interested in driver version at all; but a driver always can be updated, and any code which works with our driver may need its version number. It can be returned in any format, in our example we'll return only a DWORD value equal to 1.

Code 1 means “start logging”, code 2 - “return the log till current moment and reset it”, code 3 - “stop logging”. The log will be stored in an internal 16K-sized buffer (we'll call the driver once a second, so it should be enough. If an overflow occurs we'll note it but extra log records will be rejected). The returned log information will have the following format: the entire size of recorded log data; a byte equal to 0 or 1, 1 means that some records haven't fit into the buffer; and, finally, the log data - an array of dynamically sized structures. The first byte of every structure contains the number of called kernel function, it will determine the latter contents of the structure.

The START procedure in our example is trivial because we don't need to initalize anything in it:

proc START stdcall, state:dword
   cmp [state], 1
   jne .exit
.entry:
   if DEBUG
      mov esi, msgInit
      call SysMsgBoardStr
   end if
   stdcall RegService, my_service, service_proc
   ret
.fail:
.exit:
   xor eax, eax
   ret
endp

Query handlers:

handle     equ  IOCTL.handle
io_code    equ  IOCTL.io_code
input      equ  IOCTL.input
inp_size   equ  IOCTL.inp_size
output     equ  IOCTL.output
out_size   equ  IOCTL.out_size
 
proc service_proc stdcall, ioctl:dword
        mov     edi, [ioctl]
        mov     eax, [edi+io_code]
        test    eax, eax
        jz      .getversion
        dec     eax
        jz      .startlog
        dec     eax
        jz      .getlog
        dec     eax
        jz      .endlog
        xor     eax, eax
        ret
.getversion:
        cmp     [edi+out_size], 4
        jb      .err
        mov     edi, [edi+output]
        mov     dword [edi], 1          ; version of driver
.ok:
        xor     eax, eax
        ret
.err:
        or      eax, -1
        ret
.startlog:
        mov     al, 1
        xchg    al, [bLogStarted]
        test    al, al
        jnz     .ok
        mov     [logptr], logbuf
        call    hook
        jnc     .ok
        mov     [bLogStarted], 0
        jmp     .err
.getlog:
        cli
        mov     esi, logbuf
        mov     ecx, [logptr]
        sub     ecx, esi
        add     ecx, 5
        cmp     ecx, [edi+out_size]
        jbe     @f
        mov     ecx, [edi+out_size]
        mov     [bOverflow], 1
@@:
        sub     ecx, 5
        xor     eax, eax
        xchg    al, [bOverflow]
        mov     edi, [edi+output]
        mov     [edi], ecx
        add     edi, 4
        stosb
        rep     movsb
        mov     [logptr], logbuf
        sti
        xor     eax, eax
        ret
.endlog:
        xchg    al, [bLogStarted]
        test    al, al
        jz      @f
        call    unhook
@@:
        xor     eax, eax
        ret
endp
 
restore   handle
restore   io_code
restore   input
restore   inp_size
restore   output
restore   out_size

Our driver doesn't require any input data, so we don't use the fields input/inp_size. In out_size field the calling code must place the size of the output buffer. If the driver is called by an application the address translations are performed by the kernel. So ioctl contains correct pointers.

We've done everything necessary for communicating with the driver subsystem, and now we can feel free to write something more interesting. We catch the filesystem kernel fuctions 6, 32, 33, 58, 70. The system call handler - int 0x40 - calls a concrete kernel function through servetable (the code of the system call handler can be found in core/syscall.inc). We can make 0x40 to call our code instead of system functions by replacing several items of this table with addresses of our handlers. The address of servetable can be got by scanning the code of int 0x40 function. Its address can be easily got from IDT, and the call command currently looks like call dword[servetable+edi*4], or in machine code - FF 14 BD <servetable> (of course nobody can guarantee that it will always stay like this, for example, edi can be potentially changed to eax).

hook:
        cli
        sub     esp, 6
        sidt    [esp]
        pop     ax      ; limit
        pop     eax     ; base
        mov     edx, [eax+40h*8+4]
        mov     dx, [eax+40h*8]
; edx contains address of i40
        mov     ecx, 100
.find:
        cmp     byte [edx], 0xFF
        jnz     .cont
        cmp     byte [edx+1], 0x14
        jnz     .cont
        cmp     byte [edx+2], 0xBD
        jz      .found
.cont:
        inc     edx
        loop    .find
        sti
        mov     esi, msg_failed
        call    SysMsgBoardStr
        stc
        ret
.found:
        mov     eax, [edx+3]
; eax contains address of servetable
        mov     [servetable_ptr], eax
        mov     edx, newfn06
        xchg    [eax+6*4], edx
        mov     [oldfn06], edx
        mov     edx, newfn32
        xchg    [eax+32*4], edx
        mov     [oldfn32], edx
        mov     edx, newfn33
        xchg    [eax+33*4], edx
        mov     [oldfn33], edx
        mov     edx, newfn58
        xchg    [eax+58*4], edx
        mov     [oldfn58], edx
        mov     edx, newfn70
        xchg    [eax+70*4], edx
        mov     [oldfn70], edx
        sti
        clc
        ret
 
unhook:
        cli
        mov     eax, [servetable_ptr]
        mov     edx, [oldfn06]
        mov     [eax+6*4], edx
        mov     edx, [oldfn32]
        mov     [eax+32*4], edx
        mov     edx, [oldfn33]
        mov     [eax+33*4], edx
        mov     edx, [oldfn58]
        mov     [eax+58*4], edx
        mov     edx, [oldfn70]
        mov     [eax+70*4], edx
        sti
        ret

Two additional functions:

write_log_byte:
; in: al=byte
        push    ecx
        mov     ecx, [logptr]
        inc     ecx
        cmp     ecx, logbuf + logbufsize
        ja      @f
        mov     [logptr], ecx
        mov     [ecx-1], al
        pop     ecx
        ret
@@:
        mov     [bOverflow], 1
        pop     ecx
        ret
 
write_log_dword:
; in: eax=dword
        push    ecx
        mov     ecx, [logptr]
        add     ecx, 4
        cmp     ecx, logbuf + logbufsize
        ja      @f
        mov     [logptr], ecx
        mov     [ecx-4], eax
        pop     ecx
        ret
@@:
        mov     [bOverflow], 1
        pop     ecx
        ret

Writing the handlers be aware that the registers are moved in a cycle in comparison with the case of calling 0x40 from an application and all pointers belong to the 3rd ring.

newfn06:
        cli
        push    [logptr]
        push    eax
        mov     al, 6           ; function 6
        call    write_log_byte
        mov     eax, ebx        ; start block
        call    write_log_dword
        mov     eax, ecx        ; number of blocks
        call    write_log_dword
        mov     eax, edx        ; output buffer
        call    write_log_dword
        pop     eax
        push    eax
        push    esi
        lea     esi, [eax+new_app_base] ; pointer to file name
@@:
        lodsb
        call    write_log_byte
        test    al, al
        jnz     @b
        pop     esi
        pop     eax
        cmp     [bOverflow], 0
        jz      .nooverflow
        pop     [logptr]
        jmp     @f
.nooverflow:
        add     esp, 4
@@:
        sti
        jmp     [oldfn06]
 
newfn32:
        cli
        push    [logptr]
        push    eax
        mov     al, 32          ; function 32
        call    write_log_byte
        pop     eax
        push    eax
        push    esi
        lea     esi, [eax+new_app_base] ; pointer to file name
@@:
        lodsb
        call    write_log_byte
        test    al, al
        jnz     @b
        pop     esi
        pop     eax
        cmp     [bOverflow], 0
        jz      .nooverflow
        pop     [logptr]
        jmp     @f
.nooverflow:
        add     esp, 4
@@:
        sti
        jmp     [oldfn32]
 
newfn33:
        cli
        push    [logptr]
        push    eax
        mov     al, 33          ; function 33
        call    write_log_byte
        mov     eax, ebx        ; input buffer
        call    write_log_dword
        mov     eax, ecx        ; number of bytes
        call    write_log_dword
        pop     eax
        push    eax
        push    esi
        lea     esi, [eax+new_app_base] ; pointer to file name
@@:
        lodsb
        call    write_log_byte
        test    al, al
        jnz     @b
        pop     esi
        pop     eax
        cmp     [bOverflow], 0
        jz      .nooverflow
        pop     [logptr]
        jmp     @f
.nooverflow:
        add     esp, 4
@@:
        sti
        jmp     [oldfn33]
 
newfn58:
        cli
        push    [logptr]
        push    eax
        push    ebx
        lea     ebx, [eax+new_app_base]
        mov     al, 58          ; function 58
        call    write_log_byte
; dump information structure
        mov     eax, [ebx]
        call    write_log_dword
        mov     eax, [ebx+4]
        call    write_log_dword
        mov     eax, [ebx+8]
        call    write_log_dword
        mov     eax, [ebx+12]
        call    write_log_dword
        push    esi
        lea     esi, [ebx+20]           ; pointer to file name
@@:
        lodsb
        call    write_log_byte
        test    al, al
        jnz     @b
        pop     esi
        pop     ebx
        pop     eax
        cmp     [bOverflow], 0
        jz      .nooverflow
        pop     [logptr]
        jmp     @f
.nooverflow:
        add     esp, 4
@@:
        sti
        jmp     [oldfn58]
 
newfn70:
        cli
        push    [logptr]
        push    eax
        push    ebx
        lea     ebx, [eax+new_app_base]
        mov     al, 70          ; function 70
        call    write_log_byte
; dump information structure
        mov     eax, [ebx]
        call    write_log_dword
        mov     eax, [ebx+4]
        call    write_log_dword
        mov     eax, [ebx+8]
        call    write_log_dword
        mov     eax, [ebx+12]
        call    write_log_dword
        mov     eax, [ebx+16]
        call    write_log_dword
        push    esi
        lea     esi, [ebx+20]           ; pointer to file name
        lodsb
        test    al, al
        jnz     @f
        lodsd
        lea     esi, [eax+new_app_base+1]
@@:
        dec     esi
@@:
        lodsb
        call    write_log_byte
        test    al, al
        jnz     @b
        pop     esi
        pop     ebx
        pop     eax
        cmp     [bOverflow], 0
        jz      .nooverflow
        pop     [logptr]
        jmp     @f
.nooverflow:
        add     esp, 4
@@:
        sti
        jmp     [oldfn70]

That's all with the code. Now we supply the data:

version         dd      0x00040004
my_service      db      'fmondrv',0
 
msg_failed      db      'Cannot hook required functions',13,10,0
 
section '.data' data readable writable align 16
 
servetable_ptr  dd      ?
 
oldfn06         dd      ?
oldfn32         dd      ?
oldfn33         dd      ?
oldfn58         dd      ?
oldfn70         dd      ?
 
logptr          dd      ?
logbufsize = 16*1024
logbuf          rb      logbufsize
 
bOverflow       db      ?
bLogStarted     db      ?

The entire code of the driver is placed in fmondrv.asm which is supplied with this article. Then we compile it with

fasm fmondrv.asm

Then we can package it with kpack and decrease its size from 1850 to 750 bytes. The kernel loads kpacked files perfectly. By the way, in +4 shift a timestamp of compilation is placed in the object file. The kernel isn't interested in it, so you can fill it with zeros and save a byte of storage. To install the driver copy it to /rd/1/drivers - now it's ready for loading.

The operating application

The operating program will write text data to console and finish working on Esc. It will require the console library version 3 or newer, 0.6.5.0 is supplied with version 2, so you'll have to download the last version: http://diamondz.land.ru/console.7z. We use testcon.asm as a template (testcon2.asm is suitable, too) with the following changes: in REQ_DLL_VER we put 3 and in the import table (the myimport label) delete con_write_asciiz and add con_printf, con_kbhit, con_getch2 and, of course, write our code after “Now do some work” comment.

use32
        db      'MENUET01'
        dd      1
        dd      start
        dd      i_end
        dd      mem
        dd      mem
        dd      0
        dd      0
 
 
REQ_DLL_VER = 3
DLL_ENTRY = 1
 
start:
; First 3 steps are intended to load/init console DLL
; and are identical for all console programs
 
; load DLL
        mov     eax, 68
        mov     ebx, 19
        mov     ecx, dll_name
        int     0x40
        test    eax, eax
        jz      exit
 
; initialize import
        mov     edx, eax
        mov     esi, myimport
import_loop:
        lodsd
        test    eax, eax
        jz      import_done
        push    edx
import_find:
        mov     ebx, [edx]
        test    ebx, ebx
        jz      exit;import_not_found
        push    eax
@@:
        mov     cl, [eax]
        cmp     cl, [ebx]
        jnz     import_find_next
        test    cl, cl
        jz      import_found
        inc     eax
        inc     ebx
        jmp     @b
import_find_next:
        pop     eax
        add     edx, 8
        jmp     import_find
import_found:
        pop     eax
        mov     eax, [edx+4]
        mov     [esi-4], eax
        pop     edx
        jmp     import_loop
import_done:
 
; check version
        cmp     word [dll_ver], REQ_DLL_VER
        jb      exit
        cmp     word [dll_ver+2], REQ_DLL_VER
        ja      exit
        push    DLL_ENTRY
        call    [dll_start]
 
; yes! Now do some work (say helloworld in this case).
        push    caption
        push    -1
        push    -1
        push    -1
        push    -1
        call    [con_init]

Loading the driver. In case of an error write it on the console and exit.

        mov     eax, 68
        mov     ebx, 16
        mov     ecx, drivername
        int     0x40
        mov     [hDriver], eax
        test    eax, eax
        jnz     @f
loaderr:
        push    aCantLoadDriver
        call    [con_printf]
        add     esp, 4
        push    0
        call    [con_exit]
        jmp     exit
@@:

Check the driver version number by sending it query with code 0.

        and     [ioctl_code], 0
        and     [inp_size], 0
        mov     [outp_size], 4
        mov     [output], driver_ver
        mov     eax, 68
        mov     ebx, 17
        mov     ecx, ioctl
        int     0x40
        test    eax, eax
        jnz     loaderr
        cmp     [driver_ver], 1
        jnz     loaderr

Starting logging:

        mov     [ioctl_code], 1
        and     [inp_size], 0
        and     [outp_size], 0
        mov     eax, 68
        mov     ebx, 17
        mov     ecx, ioctl
        int     0x40
        test    eax, eax
        jnz     loaderr

The driver has been loaded and is logging now. Let's tell the user about it:

        push   str0
        call    [con_printf]
        add    esp, 4

Now we enter the main cycle. Once a second the program checks if there are any events. Generally, the driver can wake up the application stream itself when a filesystem event occurs, but filesystem function calls can occur very often and it's hardly useful to wake up the application for each of them. The processing of data is a long, but quite easy process (the arguments for different sysfunctions differ from each other, so we need to process every case).

mainloop:
        mov     eax, 5
        mov     ebx, 100
        int     0x40
        mov     [ioctl_code], 2
        and     [inp_size], 0
        mov     [outp_size], 1+16*1024
        mov     [output], logbuf
        mov     eax, 68
        mov     ebx, 17
        mov     ecx, ioctl
        int     0x40
        push    eax
        mov     ecx, dword [logbuf]
        mov     esi, logbuf+5
message:
        test    ecx, ecx
        jz      done
        movzx   eax, byte [esi]
        push    eax
        push    str1
        call    [con_printf]
        add     esp, 8
        lodsb
        cmp     al, 6
        jz      fn06
        cmp     al, 32
        jz      fn32
        cmp     al, 33
        jz      fn33
        cmp     al, 58
        jz      fn58
        sub     ecx, 1+4*5      ; size of log data for fn70 (excluding filename)
        lodsd
        cmp     eax, 10
        jae     fn70unk
        jmp     [fn70+eax*4]
fn70unk:
        push    dword [esi+12]
        push    dword [esi+8]
        push    dword [esi+4]
        push    dword [esi]
        push    eax
        push    str2
        call    [con_printf]
        add     esp, 6*4
        add     esi, 16
        jmp     print_name
fn70readfile:
        push    dword [esi+12]
        push    dword [esi+8]
        push    dword [esi]
        push    str3
        call    [con_printf]
        add     esp, 4*4
        add     esi, 16
        jmp     print_name
fn70readfolder:
        mov     eax, str41
        test    byte [esi+4], 1
        jz      @f
        mov     eax, str42
@@:
        push    dword [esi+12]
        push    dword [esi+8]
        push    dword [esi]
        push    eax
        push    str4
        call    [con_printf]
        add     esp, 5*4
        add     esi, 16
        jmp     print_name
fn70create:
        push    dword [esi+12]
        push    dword [esi+8]
        push    str5
        call    [con_printf]
        add     esp, 3*4
        add     esi, 16
        jmp     print_name
fn70write:
        push    dword [esi+12]
        push    dword [esi+8]
        push    dword [esi+4]
        push    str6
        call    [con_printf]
        add     esp, 4*4
        add     esi, 16
        jmp     print_name
fn70setsize:
        push    dword [esi]
        push    str7
        call    [con_printf]
        add     esp, 4*2
        add     esi, 16
        jmp     print_name
fn70getattr:
        push    dword [esi+12]
        push    str8
        call    [con_printf]
        add     esp, 4*2
        add     esi, 16
        jmp     print_name
fn70setattr:
        push    dword [esi+12]
        push    str9
        call    [con_printf]
        add     esp, 4*2
        add     esi, 16
        jmp     print_name
fn70execute:
        push    str10
        call    [con_printf]
        add     esp, 4
        lodsd
        test    al, 1
        jz      @f
        push    str10_1
        call    [con_printf]
        add     esp, 4
@@:
        lodsd
        test    eax, eax
        jz      @f
        push    eax
        push    str10_2
        call    [con_printf]
        add     esp, 8
@@:
        add     esi, 8
        jmp     print_name
fn70delete:
        push    str11
        call    [con_printf]
        add     esp, 4
        add     esi, 16
        jmp     print_name
fn70createfolder:
        push    str12
        call    [con_printf]
        add     esp, 4
        add     esi, 16
        jmp     print_name
fn58:
        sub     ecx, 1+4*4      ; size of log data for fn58 (excluding filename)
        lodsd
        test    eax, eax
        jz      fn58read
        cmp     eax, 1
        jz      fn58write
        cmp     eax, 8
        jz      fn58lba
        cmp     eax, 15
        jz      fn58fsinfo
fn58unk:
        push    dword [esi+8]
        push    dword [esi+4]
        push    dword [esi]
        push    eax
        push    str13
        call    [con_printf]
        add     esp, 5*4
        add     esi, 12
        jmp     print_name
fn58read:
        push    dword [esi+8]
        mov     eax, [esi+4]
        shl     eax, 9
        push    eax
        mov     eax, [esi]
        shl     eax, 9
        push    eax
        push    str3
        call    [con_printf]
        add     esp, 4*4
        add     esi, 12
        jmp     print_name
fn58write:
        push    dword [esi+8]
        push    dword [esi+4]
        push    str5
        call    [con_printf]
        add     esp, 3*4
        add     esi, 12
        jmp     print_name
fn58lba:
        push    dword [esi+8]
        push    dword [esi]
        push    str14
        call    [con_printf]
        add     esp, 3*4
        add     esi, 12
        jmp     print_name
fn58fsinfo:
        push    str15
        call    [con_printf]
        add     esp, 4
        add     esi, 12
        jmp     print_name
fn33:
        sub     ecx, 1+2*4      ; size of log data for fn33
        lodsd
        push    eax
        lodsd
        push    eax
        push    str5
        call    [con_printf]
        add     esp, 3*4
        push    aRamdisk
        call    [con_printf]
        add     esp, 4
        jmp     print_name
fn32:
        dec     ecx             ; only filename is logged
        push    str11
        call    [con_printf]
        push    aRamdisk
        call    [con_printf]
        add     esp, 4+4
        jmp     print_name
fn06:
        sub     ecx, 1+3*4      ; size of log data for fn06
        push    dword [esi+8]
        mov     eax, [esi+4]
        test    eax, eax
        jnz     @f
        inc     eax
@@:
        shl     eax, 9
        push    eax
        lodsd
        test    eax, eax
        jnz     @f
        inc     eax
@@:
        dec     eax
        shl     eax, 9
        push    eax
        push    str3
        call    [con_printf]
        add     esp, 4*4
        push    aRamdisk
        call    [con_printf]
        add     esp, 4
        add     esi, 8
print_name:
        push    esi
        push    str_final
        call    [con_printf]
        add     esp, 8
@@:
        lodsb
        test    al, al
        jnz     @b
        jmp     message
done:
        cmp     byte [logbuf+4], 0
        jz      @f
        push    str_skipped
        call    [con_printf]
@@:
; we has output all driver data, now check console (did user press Esc?)
        call    [con_kbhit]
        test    al, al
        jz      mainloop
        call    [con_getch2]
        cmp     al, 27
        jnz     mainloop

Tell the driver to stop logging on pressing Esc.

        mov     [ioctl_code], 3
        and     [inp_size], 0
        and     [outp_size], 0
        mov     eax, 68
        mov     ebx, 17
        mov     ecx, ioctl
        int     0x40

Close console:

        push   1
        call   [con_exit]

And finish the program:

exit:
        or     eax, -1
        int    0x40

The program data:

dll_name db '/rd/1/console.obj',0
caption db 'FileMon',0
drivername db 'fmondrv',0
aCantLoadDriver db "Can't load driver",13,10,0
 
str0 db 'Monitoring file system calls... Press Esc to exit',10,0
 
str1 db 'Fn%2d: ',0
str2 db 'unknown subfunction %d, parameters: 0x%X, 0x%X, 0x%X, 0x%X, name ',0
str3 db 'read file, starting from 0x%X, %d bytes, to 0x%X; name ',0
str4 db 'read folder (%s version), starting from %d, %d blocks, to 0x%X; name ',0
str41 db 'ANSI',0
str42 db 'UNICODE',0
str5 db 'create/rewrite file, %d bytes from 0x%X; name ',0
str6 db 'write file, starting from 0x%X, %d bytes, from 0x%X; name ',0
str7 db 'set file size to %d bytes; name ',0
str8 db 'get file attributes to 0x%X; name ',0
str9 db 'set file attributes from 0x%X; name ',0
str10 db 'execute ',0
str10_1 db '(in debug mode) ',0
str10_2 db '(with parameters 0x%X) ',0
str11 db 'delete ',0
str12 db 'create folder ',0
str13 db 'unknown subfunction %d, parameters: 0x%X, 0x%X, 0x%X, name ',0
str14 db 'LBA read sector 0x%X to 0x%X from device ',0
str15 db '(obsolete!) query fs information of ',0
aRamdisk db '/rd/1/',0
str_final db '%s',10,0
str_skipped db '[Some information skipped]',10,0
 
align 4
label fn70 dword
        dd      fn70readfile
        dd      fn70readfolder
        dd      fn70create
        dd      fn70write
        dd      fn70setsize
        dd      fn70getattr
        dd      fn70setattr
        dd      fn70execute
        dd      fn70delete
        dd      fn70createfolder
 
align 4
myimport:
dll_start       dd      aStart
dll_ver         dd      aVersion
con_init        dd      aConInit
con_printf      dd      aConPrintf
con_exit        dd      aConExit
con_kbhit       dd      aConKbhit
con_getch2      dd      aConGetch2
                dd      0
 
aStart          db      'START',0
aVersion        db      'version',0
aConInit        db      'con_init',0
aConPrintf      db      'con_printf',0
aConExit        db      'con_exit',0
aConKbhit       db      'con_kbhit',0
aConGetch2      db      'con_getch2',0
 
i_end:
 
align 4
ioctl:
hDriver         dd      ?
ioctl_code      dd      ?
input           dd      ?
inp_size        dd      ?
output          dd      ?
outp_size       dd      ?
 
driver_ver      dd      ?
logbuf          rb      16*1024+5
 
align 4
rb 2048 ; stack
mem:

Interrupts

If your writing a driver that works with actual hardware, it's likely that you'll want to use interrupts at one point. To use interrupts, the kernel exports the function AttachIntHandler.

    stdcall AttachIntHandler, int_number, int_handler_proc, dword 0

The int handler itself is expected to report whether the interrupt was for the expected device or not.
(This can likely be verified by checking your hardware's status register)
If the interrupt was handled by the driver, return 1 in eax, otherwise return 0.
Registers ebx, esi, edi and ebp should be preserved. At the end, a simple ret must be used (no iret)