Convert DLL Plugin Architecture To Driver Architecture

[tarterp]

Converting to a Driver Plugin brings a simpler architecture:

1. Drivers are loaded and unloaded using ZwLoadDriver and ZwUnloadDriver
2. No manual mapping required which makes symbolic debugging easier
3. Still use export functions, this requires custom GetProcAddress
4. Simpler interfaces from kernel to plugin
5. No more programming as a user dll, but run in kernel.

Architecture Decisions

1. Keep exports, other ideas that were investigate: Driver Callbacks, Calling Drivers
2. Minimize Plugin API functions
3. ZwLoadDriver and ZwUnloadDriver require a Registry path. Since STrace is a single plugin architecture the plugin will always be Registry\Machine\System\CurrentControlSet\Services\StracePlugin, with a binary path of \\systemroot\\system32\drivers\StracePlugin.sys. It will be the responsibility of the CLI to rename the plugin chosen as done prior and copy it to StracePlugin.sys. When debugging the symbols will remain the original binary to help distinguish. Possibly add an IOCTL that returns the plugin name.

[stevemk14ebr]

Encountered an unexpected issue importing some c++ headers like type_traits. @tarterp had the idea of making a static lib that wraps up this C++ code and link that to the driver. This seems to be suitable for us.

[stevemk14ebr]

This is a known issue it seems microsoft/STL#4208