Re: EvtDriverDeviceAdd is not being called for vhdmp filter driver

Tim_Roberts (Member, Posts: 12,914)
xxxxx@gmail.com wrote:
> Hi, I am very new to Windows driver development.
> Recently I was writing a WDF filter driver for the vhdmp class driver.
>
> i) I have added my driver name as the 'UpperFilters' value in the vhdmp class driver registry (HKLM\SYSTEM\CurrentControlSet\Control\Class\{2EA9B43F-3045-43B5-80F2-FD06C55FBB90})

On my Windows 10 system, that class' key in the registry has
NoUseClass=1.  Where did you get the idea that it could be filtered?


> ii) I could see that the driver's DriverEntry is being called but not EvtDriverDeviceAdd, even though I can see one PDO device in the vhdmp driver.

Does that PDO have an FDO?  A class filter would only be applied when an
FDO driver is loaded for the device.  If the PDO is raw, then it can't
be filtered in this way.


> ServiceConfiguration:
>
> ServiceType = 1 ; SERVICE_KERNEL_DRIVER
> StartType = 0 ; STARTUP_TYPE
> ErrorControl = 1 ; SERVICE_ERROR_NORMAL
> LoadOrderGroup = "Filter"

This is for your INF?  Then StartType should be 3, SERVICE_DEMAND_START.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

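An added PowerShell check (not from the thread, and not code from either poster) that reads the two registry facts Tim's answer turns on: whether the class key carries NoUseClass=1 and what UpperFilters/LowerFilters it lists, and whether each listed filter service has Start=3 (SERVICE_DEMAND_START). The class GUID is the one quoted above; the script takes any class GUID, so the same check works for the disk class or SCSIAdapter. It must run elevated to read HKLM reliably, and no driver name is hard-coded: it follows whatever names the filter values contain.

```powershell
# Added example, not from the thread. Inspects class-filter registration and the
# filter service's Start value. $ClassGuid is the GUID quoted in the thread.

$StartNames = @{
    0 = 'SERVICE_BOOT_START'
    1 = 'SERVICE_SYSTEM_START'
    2 = 'SERVICE_AUTO_START'
    3 = 'SERVICE_DEMAND_START'
    4 = 'SERVICE_DISABLED'
}

function Get-ClassFilterInfo {
    # Reads NoUseClass and the filter lists from a setup class key.
    param([Parameter(Mandatory)][string]$ClassGuid)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"
    if (-not (Test-Path -Path $keyPath)) {
        throw "Class key $ClassGuid does not exist on this system."
    }
    $props = Get-ItemProperty -Path $keyPath

    $noUse = 0
    if ($null -ne $props.NoUseClass) { $noUse = [int]$props.NoUseClass }

    [pscustomobject]@{
        ClassGuid    = $ClassGuid
        ClassName    = $props.Class
        NoUseClass   = $noUse
        # REG_MULTI_SZ values arrive as string[]; drop nulls/empties so an
        # absent value becomes an empty array rather than @($null).
        UpperFilters = @($props.UpperFilters | Where-Object { $_ })
        LowerFilters = @($props.LowerFilters | Where-Object { $_ })
    }
}

function Get-FilterServiceStart {
    # Reads the service key that an INF's AddService section populates.
    param([Parameter(Mandatory)][string]$ServiceName)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{ Service = $ServiceName; Installed = $false }
    }
    $props = Get-ItemProperty -Path $keyPath
    $start = -1
    if ($null -ne $props.Start) { $start = [int]$props.Start }

    [pscustomobject]@{
        Service   = $ServiceName
        Installed = $true
        Start     = $start
        StartName = $StartNames[$start]   # $null if Start is missing or unknown
        Type      = $props.Type           # 1 = SERVICE_KERNEL_DRIVER
        Group     = $props.Group          # LoadOrderGroup, e.g. "Filter"
        ImagePath = $props.ImagePath
    }
}

# --- report for the class GUID from the thread ---
$info = Get-ClassFilterInfo -ClassGuid '{2EA9B43F-3045-43B5-80F2-FD06C55FBB90}'
$info | Format-List
if ($info.NoUseClass -eq 1) {
    Write-Warning "NoUseClass=1 is set on this class key; per the remark above, an UpperFilters entry here is not going to give you a filterable stack."
}
foreach ($svc in ($info.UpperFilters + $info.LowerFilters)) {
    $s = Get-FilterServiceStart -ServiceName $svc
    $s | Format-List
    if ($s.Installed -and $s.Start -ne 3) {
        Write-Warning "$svc has Start=$($s.Start) ($($s.StartName)); an INF-installed class filter is normally 3 (SERVICE_DEMAND_START)."
    }
    elseif (-not $s.Installed) {
        Write-Warning "$svc is listed as a filter but has no service key; the filter list will point at nothing."
    }
}
```

The last warning covers the situation that shows up later in the thread: a filter name present in UpperFilters whose service never loads. Running the script before and after changing StartType makes it obvious whether the service key changed, or whether the stack simply never instantiated a device under that class.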

Comments

  • Gaurav_Singh (Member, Posts: 3)
    Hi Tim,

    After I changed the StartType to 3, my driver itself is not loading.
    Below is the device info for vhdmp.sys:

    kd> !drvobj \Driver\vhdmp
    Driver object (ffffe0007d5a69d0) is for:
    \Driver\vhdmp
    Driver Extension List: (id , addr)
    (fffff80015197244 ffffe0007bca2830)
    Device Object list:
    ffffe0007cf5a1c0 ffffe0007cc40050


    kd> !devobj ffffe0007cf5a1c0
    Device object (ffffe0007cf5a1c0) is for:
    VHDMP \Driver\vhdmp DriverObject ffffe0007d5a69d0
    Current Irp 00000000 RefCount 4 Type 00000053 Flags 00000050
    SecurityDescriptor ffffc001acedd0f0 DevExt ffffe0007cf5a310 DevObjExt ffffe0007cf5a3f8
    ExtensionFlags (0xc0000000) DOE_BOTTOM_OF_FDO_STACK, DOE_DESIGNATED_FDO
    Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
    Device queue is not busy.


    kd> !devobj ffffe0007cc40050
    Device object (ffffe0007cc40050) is for:
    RaidPort1 \Driver\vhdmp DriverObject ffffe0007d5a69d0
    Current Irp 00000000 RefCount 0 Type 00000004 Flags 00000050
    SecurityDescriptor ffffc001a9f4b890 DevExt ffffe0007cc401a0 DevObjExt ffffe0007cc445e0
    ExtensionFlags (0xe0000000) DOE_RAW_FDO, DOE_BOTTOM_OF_FDO_STACK,
    DOE_DESIGNATED_FDO
    Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
    AttachedDevice (Upper) ffffe0007d4da8e0 \DRIVER\VERIFIER_FILTER
    AttachedTo (Lower) ffffe0007d513de0 \DRIVER\VERIFIER_FILTER
    Device queue is not busy.



    I want to filter device 0xffffe0007cf5a1c0. As I can see, the extension flags are DOE_BOTTOM_OF_FDO_STACK and DOE_DESIGNATED_FDO.
    What is the meaning of these flags, and is there a way I can filter this device?
  • Mark_Roddy (Member, Posts: 4,305)
    It is a scsiminiport and its class is 4D36E97B-E325-11CE-BFC1-08002BE10318
    (SCSIAdapter), so I have no idea why filtering on
    2EA9B43F-3045-43B5-80F2-FD06C55FBB90
    would be a good idea.

    However if you install a class filter on SCSIAdapter you are going to
    filter *ALL* scsi adapters, not just vhdmp, so your filter is going to have
    to figure out who is who. Then you are going to discover that you are
    filtering on the parent FDO of a bus driver and that all your IO is going
    to the child PDOs and you have no documented way to filter those in KMDF.

    What are you actually trying to accomplish?

    Mark Roddy


    On Tue, Aug 28, 2018 at 2:49 PM xxxxx@probo.com wrote:

    > xxxxx@gmail.com wrote:
    > > Hi, I am very new to Windows driver development.
    > > Recently I was writing a WDF filter driver for the vhdmp class driver.
    > >
    > > i) I have added my driver name as the 'UpperFilters' value in the vhdmp class
    > driver
    > registry (HKLM\SYSTEM\CurrentControlSet\Control\Class\{2EA9B43F-3045-43B5-80F2-FD06C55FBB90})
    >
    > On my Windows 10 system, that class' key in the registry has
    > NoUseClass=1. Where did you get the idea that it could be filtered?
    >
    >
    > > ii) I could see that the driver's DriverEntry is being called but not
    > EvtDriverDeviceAdd, even though I can see one PDO device in the vhdmp driver.
    >
    > Does that PDO have an FDO? A class filter would only be applied when an
    > FDO driver is loaded for the device. If the PDO is raw, then it can't
    > be filtered in this way.
    >
    >
    > > ServiceConfiguration:
    > >
    > > ServiceType = 1 ; SERVICE_KERNEL_DRIVER
    > > StartType = 0 ; STARTUP_TYPE
    > > ErrorControl = 1 ; SERVICE_ERROR_NORMAL
    > > LoadOrderGroup = "Filter"
    >
    > This is for your INF? Then StartType should be 3, SERVICE_DEMAND_START.
    > --
    > Tim Roberts, xxxxx@probo.com
    > Providenza & Boekelheide, Inc.
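An added PowerShell survey (not from the thread, and not Mark's or anyone else's code) that shows concretely what Mark describes: a class filter on SCSIAdapter attaches to every adapter in that class, so it needs something (the owning service name or the hardware IDs) to tell vhdmp's adapter apart, and the disk I/O then goes to the child PDOs under that adapter FDO rather than to the FDO itself. The class name SCSIAdapter and the service name vhdmp are from the thread; everything else is read from the local machine with the PnpDevice module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread. Lists every SCSIAdapter-class device with
# its owning service and hardware IDs, then the child PDOs of the vhdmp adapter.

function Get-ScsiAdapterOwners {
    # One record per device in the SCSIAdapter setup class; IsTarget marks the
    # adapter(s) owned by $TargetService, which is the same decision a class
    # filter's EvtDriverDeviceAdd would have to make before attaching.
    param([string]$TargetService = 'vhdmp')

    Get-PnpDevice -Class 'SCSIAdapter' -ErrorAction Stop | ForEach-Object {
        $hwids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds' `
                    -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            InstanceId   = $_.InstanceId
            FriendlyName = $_.FriendlyName
            Service      = $_.Service
            Status       = $_.Status
            HardwareIds  = @($hwids | Where-Object { $_ })
            IsTarget     = ($_.Service -ieq $TargetService)
        }
    }
}

function Get-ChildPdos {
    # Children of a bus-driver FDO: the PDOs that the actual disk I/O is sent to.
    param([Parameter(Mandatory)][string]$InstanceId)

    $children = (Get-PnpDeviceProperty -InstanceId $InstanceId `
                   -KeyName 'DEVPKEY_Device_Children' `
                   -ErrorAction SilentlyContinue).Data
    foreach ($child in @($children | Where-Object { $_ })) {
        $dev = Get-PnpDevice -InstanceId $child -ErrorAction SilentlyContinue
        [pscustomobject]@{
            InstanceId   = $child
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            Service      = $dev.Service
            Status       = $dev.Status
        }
    }
}

# --- report ---
$adapters = @(Get-ScsiAdapterOwners)
"{0} device(s) in class SCSIAdapter; a class filter would attach to all of them:" -f $adapters.Count
$adapters | Format-Table FriendlyName, Service, Status, IsTarget -AutoSize

foreach ($a in ($adapters | Where-Object { $_.IsTarget })) {
    "Hardware IDs of $($a.FriendlyName): $($a.HardwareIds -join ', ')"
    "Children of $($a.InstanceId) (the PDOs that receive the I/O, not the adapter FDO):"
    Get-ChildPdos -InstanceId $a.InstanceId | Format-Table -AutoSize
}
```

On a machine with mounted VHDs the child list is where the disks appear; if it is empty the adapter has no PDOs exposed to PnP at the moment, which is the case a class filter on the adapter would see as "nothing to filter", consistent with the raw FDO shown in the !devobj output earlier in the thread.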
  • Peter_Viscarola_(OSR) (Administrator, Posts: 7,138)
    >and you have no documented way to filter those in KMDF

    You'd write a LOWER filter of the Disk Class driver to accomplish this. That *must* be supported, to the extent that filtering anything is "supported", isn't it? It's architecturally anticipated, at least. And given that you get the (sort of) disk class driver source code, you have a prayer of knowing what type of Requests to expect.

    Peter
    OSR
    @OSRDrivers


  • Gaurav_Singh (Member, Posts: 3)
    Thanks Mark and Peter for the reply.

    Actually, I am trying to implement VAIO-like functionality for Hyper-V. My goal is
    to intercept I/O happening on the VHD as a disk, not as a file.

    I have two options:

    i) Writing a file system filter driver which will intercept I/O on the VHD as a file, but this would require me to do a reverse lookup of file I/O to disk I/O. Also, when snapshots and checkpoints are taken on a VM, the I/O goes to an AVHDX file which I will have to keep references to, and it is difficult to track VM state from a file system filter driver too.

    ii) Another option is to write a VHDParser kind of driver where I get a view of the VHD as a disk. Then I can track all I/O happening to the VHD as a disk irrespective of whether it has a snapshot or not.
    The challenge I am facing now is how to track snapshots or checkpoints initiated by the VM for the
    bookkeeping.

    Since all operations on the VHD pass through the vhdmp driver, I was thinking I could intercept
    snap operations as well by writing a filter for vhdmp.

    Gaurav
  • Mark_Roddy (Member, Posts: 4,305)
    Sure, but that would be a disk filter not a mp filter. That's why I asked
    what he was trying to do.

    Mark Roddy


    On Wed, Aug 29, 2018 at 3:17 PM xxxxx@osr.com wrote:

    > >and you have no documented way to filter those in KMDF
    >
    > You'd write a LOWER filter of the Disk Class driver to accomplish this.
    > That *must* be supported, to the extent that filtering anything is
    > "supported", isn't it? It's architecturally anticipated, at least. And
    > given that you get the (sort of) disk class driver source code, you have a
    > prayer of knowing what type of Requests to expect.
    >
    > Peter
    > OSR
    > @OSRDrivers