The Windows Driver Model (WDM) has been the foundation of modern driver development since Windows 98.

While Windows Driver Framework (WDF) has simplified many aspects of driver writing, WDM remains relevant for low-level and legacy hardware support.

What is WDM?

WDM (Windows Driver Model) was introduced to unify driver development across Windows versions.

Before WDM, Windows 9x used VxDs, while Windows NT had a completely different driver model.

VERY VERY DIFFFERENT!!!!!!!!!

WDM provided a single driver framework that worked across all modern Windows versions, making it easier for developers to write cross-compatible drivers.

The Evolution of WDM

1. WDM in Windows 98/2000/XP

• Introduced structured layers: Bus Drivers, Function Drivers, Filter Drivers.
• Provided a unified driver model for consumer and enterprise Windows.
• Required extensive knowledge of kernel memory management and synchronization.

2. WDM in Windows Vista/7

• Improved Plug and Play (PnP) support.
• Added better power management.
• Introduced Windows Driver Framework (WDF) to simplify driver development.

3. WDM in Windows 10/11

• Still supports legacy drivers but encourages KMDF (Kernel-Mode Driver Framework).
• Improved security with stricter driver signing requirements.
• Added better debugging tools like WinDbg Preview and Verifier.

Why WDM is Still Relevant

Despite the introduction of WDF, some scenarios still require pure WDM development:

• Legacy Hardware Support – Older devices without WDF support still need WDM drivers.
• Real-Time Performance – WDM gives more direct control over kernel resources.
• Custom Power Management – WDM allows for fine-tuned power control, useful for battery-sensitive devices.
• Low-Level System Components – Security software and monitoring tools may need deep kernel access.

Writing a Modern WDM Driver

If you’re still writing a WDM driver, make sure to follow best practices to avoid crashes, memory leaks, and BSODs.

Tools You’ll Need:

• Windows Driver Kit (WDK) – The essential toolkit for writing and testing drivers.
• Visual Studio – Fully integrated with WDK.
• WinDbg – The debugger you’ll love (or hate).
• Driver Verifier – Helps catch bad behavior before deployment.

A Simple WDM Driver Example

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

#include <ntddk.h>

void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    DbgPrint("WDM Driver Unloaded!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    DbgPrint("Hello from the WDM driver!\n");
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

What This Code Does:

• Loads a minimal WDM driver.
• Prints a message to the Windows debug console.
• Unloads without crashing the system (very important).

Best Practices for WDM Development

1. Use Windows Driver Framework (WDF) When Possible

WDM is complex. If your hardware supports it, use KMDF or UMDF instead.

2. Always Implement Proper Memory Management

• Use ExAllocatePoolWithTag instead of raw pointers.
• Free all allocated memory to avoid leaks.

3. Handle Plug and Play Events Correctly

• Register proper IRP_MJ_PNP handlers.
• Implement Start, Stop, Remove device callbacks.

4. Test Your Driver with Verifier

Run Driver Verifier to detect memory leaks and crashes:

1

verifier /standard /driver MyDriver.sys

5. Debug Using WinDbg and !analyze -v

When a driver crashes (and it will crash), analyze the crash dump with:

1

!analyze -v

6. Sign Your Driver for Windows 10/11

Windows requires signed drivers for security. To enable test signing for development:

1

bcdedit /set testsigning on

Common WDM Driver Issues (And Fixes)

1. BSOD on Driver Load

Fix: Check memory access and function pointers.

2. Driver Doesn’t Load

Fix: Make sure it’s properly signed or use Test Mode.

3. Memory Leaks

Fix: Use Driver Verifier and ensure proper deallocation.

4. System Freeze on Device Removal

Fix: Handle IRP_MJ_PNP properly and return correct status codes.

Windows Driver Framework (WDF): Modernizing Windows Driver Development

WDF is a modern, structured approach to driver development, designed to handle the complexities of kernel-mode and user-mode drivers while improving stability and security.

What is Windows Driver Framework (WDF)?

Windows Driver Framework (WDF) is a collection of libraries that simplifies Windows driver development by abstracting much of the complexity associated with WDM.

Instead of manually handling Plug and Play (PnP) requests, power management, and IRPs, WDF provides a structured way to build drivers with minimal boilerplate code.

WDF is split into two major frameworks:

• Kernel-Mode Driver Framework (KMDF) – For drivers that need kernel access.
• User-Mode Driver Framework (UMDF) – For drivers that can run in user space.

Why WDF is Better than WDM

1. Simplified Driver Development

• WDF removes the need to manually process IRPs, reducing complexity.
• Built-in event-driven model handles PnP and power management automatically.

2. Improved Stability and Security

• KMDF provides better memory protection, reducing system crashes.
• UMDF isolates drivers from the kernel, preventing BSODs.

3. Built-in Power and PnP Management

• No need to manually write IRP_MJ_PNP or IRP_MJ_POWER handlers.
• Automatically supports modern Windows power management features.

4. Easier Debugging and Maintenance

• WDF provides structured logging and debugging tools.
• WinDbg and WDF Verifier simplify troubleshooting.

Choosing Between KMDF and UMDF

Writing a Basic WDF Driver

If you’re transitioning from WDM to WDF, you’ll notice how much cleaner WDF code is. Let’s write a simple Hello World KMDF driver.

Tools You’ll Need:

• Windows Driver Kit (WDK) – Required for compiling drivers.
• Visual Studio – Provides a built-in driver development environment.
• WinDbg – Debugging tool for kernel-mode drivers.
• WDF Verifier – Ensures compliance with WDF best practices.

A Simple WDF (KMDF) Driver

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

#include <ntddk.h>
#include <wdf.h>

VOID DriverUnload(WDFDRIVER Driver)
{
    KdPrint(("WDF Driver Unloaded!\n"));
}

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    WDF_DRIVER_CONFIG config;
    WDFDRIVER driver;
    
    WDF_DRIVER_CONFIG_INIT(&config, WDF_NO_EVENT_CALLBACK);
    
    NTSTATUS status = WdfDriverCreate(DriverObject, RegistryPath, WDF_NO_OBJECT_ATTRIBUTES, &config, &driver);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    
    KdPrint(("Hello from the WDF driver!\n"));
    return STATUS_SUCCESS;
}

Key Differences from WDM

• No IRP handling required – WDF handles it for you.
• Built-in PnP and power management – No need for complex code.
• Cleaner, modular structure – Easier to maintain.

Installing and Testing a WDF Driver

1. Build the driver using Visual Studio with the WDK.
2. Sign the driver – Windows requires kernel drivers to be signed.
3. Install using pnputil:

   1	pnputil -i -a MyDriver.inf

4. Enable test mode (for unsigned drivers):

   1	bcdedit /set testsigning on

5. Debug with WinDbg:

   1	!analyze -v

Best Practices for WDF Development

1. Use KMDF for Kernel Drivers, UMDF for User-Space Drivers

• Use KMDF if you need low-level hardware access.
• Use UMDF if security and stability are priorities.

2. Let WDF Handle PnP and Power Management

• Avoid manually writing IRP_MJ_PNP handlers.
• Use WDF event callbacks for device state changes.

3. Enable WDF Verifier

• Run WDF Verifier to catch common issues before deployment.

4. Follow Windows Security Guidelines

• Sign your drivers – Unsigned drivers won’t load in Windows 10/11.
• Avoid direct kernel memory access whenever possible.

Common WDF Issues (And Fixes)

1. Driver Doesn’t Load

Fix: Check signature status, enable test signing mode.

2. BSOD on Device Removal

Fix: Ensure proper EvtDeviceReleaseHardware and EvtDeviceD0Exit handlers.

3. System Performance Drops

Fix: Optimize memory usage, avoid excessive kernel calls.

References

• Microsoft Docs: Windows Driver Framework
• KMDF vs UMDF
• Windows Driver Kit (WDK)
• Debugging WDF Drivers