Storage filter drivers's implementation and installation

Some questions about storage filter drivers’ implementation and installation.

I am a newbie to Windows driver implementation, and this is my first time posting a question here.
I want to make a storage filter driver (SFD) to capture commands sent to the hard disk in Windows 10.
And somehow the disk became non-functional after I installed my SFD.

My questions are:
Could there be any problem in my implementation?
Did I install the driver the correct way?

About my implementation:

I have made a simple SFD driver, based on a study of the MS DiskPerf sample:
https://github.com/uri247/wdk80/tree/master/DiskPerf%20Storage%20Filter%20Driver

My driver just forwards all requests to the next lower driver and prints out some debug messages.
This is the code:
https://github.com/noguxun/StorTrace/blob/master/DiskTrace/DiskTrace.c

About driver installation:

I run the “addfilter” tool to install the driver.
https://github.com/Microsoft/Windows-driver-samples/tree/master/storage/filters/addfilter

After I run the commands below (copy the sys file to the system driver folder and run “addfilter”):

    set DEVICE=\0000006a
    copy /y ".\x64\Debug\DiskTrace.sys" c:\windows\system32\drivers*
    addfilter.exe /device %DEVICE% /add DiskTrace

(I am following an example at https://github.com/asnyatkov/difi/blob/master/support/instdififilt.bat)

Then my hard disk (named /Device/0000006a) was not functional anymore. In Device Manager I see that the device has a yellow triangle with an exclamation mark.

I would very much appreciate your help!

Well… sigh. My first point would be that you should almost certainly be writing a WDF driver, not a WDM driver. Your work will be completed more quickly, it’ll be easier, and you’ll be a happier person at the end of the day.

Really.

I don’t see anything obviously wrong in the driver code you posted. But it’s a WDM driver, and reviewing WDM code is notoriously error prone and difficult. As one of the Windows developers said to me one day over a beer about WDM:

“When an experienced dev can’t cut a chunk of code out of a working driver, and paste it into another driver he’s working on and know in advance if it has a good chance of being correct, SOMEthing is wrong with the driver model.”

OK… so now that I’ve complained about that… I’d say your problem PROBABLY lies in your installation process. I’m not familiar with AddFilter… maybe somebody else can help you there.

I wish I could give you more help. But the best help I can give you is to use WDF not WDM…

Peter
OSR
@OSRDrivers

xxxxx@gmail.com wrote:

> About driver installation:
>
> I run “addfilter” tool to install the driver.
> https://github.com/Microsoft/Windows-driver-samples/tree/master/storage/filters/addfilter
>
> after I run below commands (copy sys file to system driver folder and run “addfilter”)
>
> set DEVICE=\0000006a
> copy /y ".\x64\Debug\DiskTrace.sys" c:\windows\system32\drivers*
> addfilter.exe /device %DEVICE% /add DiskTrace

That tool does not create a “services” registry entry for your driver. 
Did you do that?  Remember that drivers in the kernel are not referenced
by file name.  They are always referenced by service name, and the
service points to the binary.  Try this in a command shell:

    sc query DiskTrace

If it says the service does not exist, then you need to create it.

    sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand

Note that the spacing there is critical, and unusual.  The “=” must be
attached to the parameter name, and must be followed by a space.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

This is a bad analogy. Any experienced dev will certainly know in advance that cutting and pasting any WDM code from one code base to another is highly unlikely to work. Maybe he already had some of the beer ???

Sent from Mail for Windows 10

From: xxxxx@osr.com
Sent: February 22, 2018 11:58 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Storage filter drivers’s implementation and installation

Well… sigh. My first point would be that you should almost certainly be writing a WDF driver, not a WDM driver. Your work will be completed more quickly, it’ll be easier, and you’ll be a happier person at the end of the day.

Really.

I don’t see anything obviously wrong in the driver code you posted. But it’s a WDM driver, and reviewing WDM code is notoriously error prone and difficult. As one of the Windows developers said to me one day over a beer about WDM:

“When an experienced dev can’t cut a chunk of code out of a working driver, and paste it into another driver he’s working on and know in advance if it has a good chance of being correct, SOMEthing is wrong with the driver model.”

OK… so now that I’ve complained about that… I’d say your problem PROBABLY lies in your installation process. I’m not familiar with AddFilter… maybe somebody else can help you there.

I wish I could give you more help. But the best help I can give you is to use WDF not WDM…

Peter
OSR
@OSRDrivers


NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

Thank you all! Problem solved, and this IS an installation problem!

@Peter Thanks for the advice about using WDF. Since I cannot find a WDF SFD example to start with, so I stick to WDM, in which framework I can find two examples on internet.

@Tim, after I installed the service with the command you suggested, I can now see the dbg messages when the disk is accessed.

    sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand

This is great community!

For those newbies who might have the same installation problem, here are some tips.

Install
===========
# copy driver to system driver folder
copy /y ".\x64\Debug\DiskTrace.sys" c:\windows\system32\drivers*

# display disk ids
addfilter.exe /listdevices

# create service
sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand

# add the filter to disk device
addfilter.exe /device \0000006a /add DiskTrace
===========

Uninstall
===========
addfilter.exe /device \0000006a /remove DiskTrace
sc delete DiskTrace
===========

Having written multiple WDM storage filters, I would never do one again
after WDF. If you cannot figure out how to take a basic WDF filter (such as
from Toaster) and make it work in the storage stack, then you have no
business being in the storage stack period.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, February 22, 2018 10:22 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Storage filter drivers’s implementation and installation

Thank you all! Problem solved and this IS a installation problem!

@Peter Thanks for the advice about using WDF. Since I cannot find WDF SFD
example to start with, so I stick to WDM, in which framework I can find two
examples on internet.

@Tim, after I installed the service with command you suggested, I could now
see the dbg message now when the disk is accessed.
sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand

This is great community!

For those newbies who might have same installation problem, here are some
tips.

Install
===========
# copy driver to system driver folder
copy /y ".\x64\Debug\DiskTrace.sys" c:\windows\system32\drivers*

# display disk ids
addfilter.exe /listdevices

# create service
sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand

# add the filter to disk device
addfilter.exe /device \0000006a /add DiskTrace
===========

Uninstall
===========
addfilter.exe /device \0000006a /remove DiskTrace
sc delete DiskTrace
===========



>so I stick to WDM, in which framework I can find two examples on internet.

The problem with WDM is that you won’t know if the two samples you’ve found are CORRECT.

But… whatever. Just know that you’re spending your time learning and debugging a technology that is old, deprecated, annoying, and highly prone to error. Conservatively speaking, I’ve worked on well over 100 WDM drivers in my career… and – except for some very specific cases (software only drivers, drivers that are very “IRP-oriented”) I hope to never work on a WDM driver ever again.

P

Peter, Don, thanks for pointing me in the WDF direction. I am checking if I could make a project work based on the Toaster filter sample, based on the WDF framework.

On my WDM driver I can capture the IRP_MJ_SCSI (same as IRP_MJ_INTERNAL_DEVICE_CONTROL) event in the dispatch callback function. I set the filter as a lower filter of the device, and when the disk is being read or written, I can see that IRP_MJ_SCSI gets captured and the CDB is correctly set to a read/write SCSI command.
The code:
https://github.com/noguxun/StorTrace/blob/master/DiskTrace/DiskTrace.c

However, things are not so smooth on the WDF driver.
On the WDF driver I assume I should set a queue’s EvtIoInternalDeviceControl callback to get the IRP_MJ_INTERNAL_DEVICE_CONTROL event; however, from the log, it seems I did not get them.
This is how I set the callback of the queue dispatch function:

    queueConfig.EvtIoInternalDeviceControl = StorTraceEvtIoInternalDeviceControl;

This is the full code of the queue setup for WDF:
https://github.com/noguxun/StorTrace/blob/master/StorTrace/Queue.c

Did I set anything wrong?

Yes, that should be all you need to do. Anything failing during initialization? Are you being called at EvtDriverDeviceAdd?

-scott
OSR
@OSRDrivers

When you asked earlier questions you were using the DiskPerf sample and
AddFilter, these are for an upper filter to the disk driver. An upper
filter will not be seeing IRP_MJ_SCSI, it will see Read, Write and IOCTL
IRP’s.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, February 23, 2018 11:16 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Storage filter drivers’s implementation and installation

On my WDM driver I can capture the IRP_MJ_SCSI (same as
IRP_MJ_INTERNAL_DEVICE_CONTROL) event in the dispatch callback function. I
set the filter as a lower filter of device, and when disk is being
read/write, I can see the IRP_MJ_SCSI got captured and CDB is correctly set
as a read/write as the SCSI command.
the code:
https://github.com/noguxun/StorTrace/blob/master/DiskTrace/DiskTrace.c

However things are not so smooth on the WDF driver.
On the WDF driver I assume I should set a Queue’s EvtIoInternalDeviceControl
callback to get the IRP_MJ_INTERNAL_DEVICE_CONTROL event, however, from the
log, seems I did not get them.
This is how I set the callback of the queue dispatch function

queueConfig.EvtIoInternalDeviceControl = StorTraceEvtIoInternalDeviceControl;

this is the full code of the queue setup for WDF
https://github.com/noguxun/StorTrace/blob/master/StorTrace/Queue.c

Did I set any thing wrong?



@Don, @Scott, thanks for the help.

I figured out that it was a problem during the installation. My script added the filter as an upper filter (just like Scott pointed out); after I changed my script to install it as a lower filter (same as my WDM driver), the WDF version started to work perfectly.

WDF is much cleaner for coding. Will stick to that direction.
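
Both installation faults in this thread (a filter name attached to the disk with no matching service entry, and a filter registered in the upper rather than the lower position) can be read back from the registry. The PowerShell audit below is an added example, not code from the thread or from the addfilter sample; it only reads, and it assumes the standard Services, Enum and Control\Class registry locations and the DiskDrive setup class GUID.

```powershell
# Added example (not from the thread): read-only audit of disk filter registrations.
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Enum'
$diskClass = '{4d36e967-e325-11ce-bfc1-08002be10318}'   # DiskDrive setup class (assumed standard)
$classKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$diskClass"

function Resolve-DriverPath([string]$ImagePath, [string]$Service) {
    # No ImagePath value means the default, System32\drivers\<service>.sys
    if (-not $ImagePath) { $ImagePath = "System32\drivers\$Service.sys" }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... form
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    $p
}

function Test-FilterService([string]$Name) {
    # A filter is referenced by service name; the service key points to the binary.
    $svc = Get-ItemProperty -Path (Join-Path $svcRoot $Name) -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NO SERVICE KEY' }
    $path = Resolve-DriverPath $svc.ImagePath $Name
    if (-not (Test-Path -LiteralPath $path)) { return "BINARY MISSING: $path" }
    if ($svc.Type -ne 1) { return "Type=$($svc.Type), expected 1 (kernel driver)" }
    'OK'
}

function Get-FilterRows($Props, [string]$Scope) {
    # UpperFilters / LowerFilters are multi-string values; either may be absent.
    foreach ($pos in 'UpperFilters', 'LowerFilters') {
        foreach ($f in @($Props.$pos)) {
            if ($f) {
                [pscustomobject]@{
                    Scope = $Scope; Position = $pos; Filter = $f
                    Status = Test-FilterService $f
                }
            }
        }
    }
}

# Class-wide filters apply to every disk; per-device filters live under Enum.
$rows = @(Get-FilterRows (Get-ItemProperty -Path $classKey) 'all disks (class)')
$rows += @(Get-ChildItem -Path $enumRoot -Depth 2 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dev = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($dev.ClassGUID -eq $diskClass) { Get-FilterRows $dev $dev.FriendlyName }
    })
$rows | Format-Table -AutoSize
```

Run it from an elevated prompt. A Status other than OK marks a filter name that has no usable service behind it, and the Position column shows whether each filter is registered above or below the disk driver.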