IOCTL sent to a driver without an endpoint

a78a78 Member Posts: 5
edited July 14 in NTDEV

Hello,

This question is out of curiosity, and may not have any practical use (but who knows ?).

Imagine I create a windows kernel driver with no endpoint (i.e : no call to IoCreateSymbolicLink, nor IoCreateDevice), but still I fill pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] to register a handler for IOCTLs. Question is : can I send IOCTL to it from userland (or kernelland) ? If yes, how ? Subquestion : is it necessary to fill this array if I don't register an endpoint ?

Thank you for your answer.

Post edited by Peter_Viscarola_(OSR) on

Comments

  • Tim_Roberts Member - All Emails Posts: 14,111

    can i send IOCTL to it from userland...

    No. How could you? How would you get a file handle to send the ioctl?

    (or kernelland)?

    No. How could you? If there's no DEVICE_OBJECT, what would you pass to IoCallDriver?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,704

    Mr. @a78 ... WHY is this question in the Announcements and Administration forum? I mean, seriously...

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR) Administrator Posts: 8,704

    No Device Object means you don't have a driver. How would you do this, even?

    Did you try it, before posting such a question here???

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • a78 Member Posts: 5

    @Peter_Viscarola_(OSR) said:
    Mr. @a78 ... WHY is this question in the Announcements and Administration forum? I mean, seriously...

    Peter

    Wrong move obviously, sorry about that.

  • a78 Member Posts: 5

    @Peter_Viscarola_(OSR) said:
    No Device Object means you don't have a driver. How would you do this, even?

    Did you try it, before posting such a question here???

    Peter

    I don't understand how I could "try" anything that I don't know how to do, but in fact I have tried some things, yes: I have found an existing device driver with this particular case: an IOCTL handler set up, but no endpoint registered, and I was just curious about it.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,704

    Mr. @a78 ... I'm Moving this to NTDEV where it belongs.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR) Administrator Posts: 8,704
    edited July 14

    I don't understand how I could "try" anything that I don't know how to do

    You know, replies like that annoy me.

    You wrote "Imagine I create a windows kernel driver with no endpoint (i.e : no call to IoCreateSymbolicLink, nor IoCreateDevice), but still I fill pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] to register a handler for IOCTLs."

    It would take you less time to try that, than to post your question here.

    But I digress...

    I have found an existing device driver with this particular case: an IOCTL handler set up, but no endpoint registered, and I was just curious about it.

    Hmmmm... I don't know what you mean by "endpoint"... so you're gonna have to explain what you mean. That's not a "standard" or typical Windows kernel-mode term.

    I don't know how you can have a driver that's loaded but not have a Device Object associated with that driver. I just don't.

    Now, you could CERTAINLY have a driver loaded that has a Device Object that is unnamed and that doesn't export a Device Interface GUID and doesn't create a Symbolic Link name for its Device Object. That would effectively prevent the Device from being accessible from user mode. This is pretty commonly done in Filter Drivers.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • a78 Member Posts: 5

    Thank you for your answer.

    You know, replies like that annoy me.

    You wrote "Imagine I create a windows kernel driver with no endpoint (i.e : no call to IoCreateSymbolicLink, nor IoCreateDevice), but still I fill pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] to register a handler for IOCTLs."

    It would take you less time to try that, than to post your question here.

    I am sorry but I don't understand that intro. I did try that, and I checked that I wasn't able to access it by the ways I am aware of. What could I have tried ?

    I have found an existing device driver with this particular case: an IOCTL handler set up, but no endpoint registered, and I was just curious about it.

    Hmmmm... I don't know what you mean by "endpoint"... so you're gonna have to explain what you mean. That's not a "standard" or typical Windows kernel-mode term.

    I agree. In my first post I tried to clarify the term "no endpoint" with: no call to IoCreateSymbolicLink, nor IoCreateDevice, so I have a driver, but no device created and no symbolic link.

    I don't know how you can have a driver that's loaded but not have a Device Object associated with that driver. I just don't.

    Now, you could CERTAINLY have a driver loaded that has a Device Object that is unnamed and that doesn't export a Device Interface GUID and doesn't create a Symbolic Link name for its Device Object. That would effectively prevent the Device from being accessible from user mode. This is pretty commonly done in Filter Drivers.

    Exactly, that's what happens. I was thinking that maybe there was a way by which windows automatically generates a name by default, or something that I would not be aware of. Now I understand that the answer is no : there is no way to communicate with that driver, thank you for that.

  • Tim_Roberts Member - All Emails Posts: 14,111

    Here's the short answer. In Windows, you don't send requests to a driver. You send requests to a device. If there's no DEVICE_OBJECT, then there is no device, and that driver's IRP dispatch routines will never be called. It's just that simple.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,704

    maybe there was a way by which windows automatically generates a name by default

    In fact, Windows will do this by default for PDOs (children of bus drivers — which is why you see useless names like PCI000021 and such on Device Objects), but not FDOs.

    To answer this question with a bit more depth, if only for the archives: There are actually multiple “levels” of naming to consider. Native Device Object names (for PDOs and FDOs… they’re different), external symbolic links making the device easily accessible to user mode, and device interface GUIDs (which work out to be just another flavor of symbolic link — to the PDO — at the end of the day).

    It is in fact needlessly complicated, and you can read a bit about it here (one of my favorite articles of all time).

    An FDO that is both unnamed and has not created a symbolic link to its underlying PDO, either directly or by creating a device interface, can’t be directly targeted (even from kernel mode, without playing games like shipping the device object address around)…. but can still receive requests if something else in its Device Stack is targeted (and the request is not completed or sent to another Device Stack before it gets to the FDO in question). Again, this is how filter drivers usually work.

    But…. you can’t have a driver instance without at least one Device Object instance. That is part of what you asked about, and was what I was suggesting you try, and you would see that the driver unloads immediately.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
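
    The naming levels Peter lists above, and Tim's "how would you get a file handle?" question, can be checked from user mode on any Windows host. The following PowerShell script is an added example written for this thread; it is not code from the thread, from OSR, or from any driver discussed here. It uses the documented kernel32 QueryDosDevice API to enumerate the symbolic links in the DOS device namespace (the names CreateFile reaches as \\.\<Name>, which include plain IoCreateSymbolicLink names and the long device-interface links ending in a {GUID}) and to resolve each one to its \Device\ target. A device object that is unnamed and has no link, the case this thread is about, simply never appears in this list, so user mode has no path to it. Requests that reach such a device only through its position in a device stack (the filter-driver case) are invisible to this check. The name passed to Test-DeviceLink in the usage lines is a hypothetical placeholder.

    ```powershell
    # Added example: list the DOS device symbolic links user mode can open, and
    # resolve them to the \Device\ objects they point at. Not from the thread.
    # Error 122 is ERROR_INSUFFICIENT_BUFFER; any other failure means the name
    # does not exist in the namespace (no link, so nothing for CreateFile to open).

    $script:Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint QueryDosDevice(string lpDeviceName, IntPtr lpTargetPath, uint ucchMax);
    '@

    function Invoke-QueryDosDevice {
        # Calls QueryDosDevice with a growing buffer. $Name = $null enumerates every
        # name in the namespace as a NUL-separated multi-string; otherwise the
        # result is the target path(s) of that one link. Returns $null on failure.
        param($Name)   # deliberately untyped: [string]$null would become "" and break the enumeration call
        $cch = 16384
        while ($true) {
            $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($cch * 2)   # UTF-16, 2 bytes per char
            try {
                $len = $script:Kernel32::QueryDosDevice($Name, $buf, [uint32]$cch)
                if ($len -gt 0) {
                    return [Runtime.InteropServices.Marshal]::PtrToStringUni($buf, [int]$len)
                }
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                if ($err -ne 122) { return $null }
                $cch *= 2
            } finally {
                [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
            }
        }
    }

    function Get-UserModeDeviceLinks {
        # One object per symbolic link: the Win32 path user mode would pass to
        # CreateFile, the object-manager target, and whether the link looks like a
        # device-interface link (IoRegisterDeviceInterface names end in a {GUID}).
        $all = Invoke-QueryDosDevice $null
        if (-not $all) { throw 'QueryDosDevice enumeration failed' }
        foreach ($name in $all.Split([char]0, [StringSplitOptions]::RemoveEmptyEntries)) {
            $target = Invoke-QueryDosDevice $name
            if ($target) { $target = $target.Split([char]0)[0] }   # first entry of the multi-string
            [pscustomobject]@{
                Win32Path   = "\\.\$name"
                Target      = $target
                IsInterface = ($name -match '\{[0-9a-f-]{36}\}$')
            }
        }
    }

    function Test-DeviceLink {
        # Answers the thread's question for a single name: is there any link through
        # which CreateFile("\\.\<Name>") could obtain a handle to a device object?
        param([Parameter(Mandatory)][string]$Name)
        $target = Invoke-QueryDosDevice $Name
        [pscustomobject]@{
            Name      = $Name
            Reachable = [bool]$target
            Target    = if ($target) { $target.Split([char]0)[0] } else { $null }
        }
    }

    # Usage: show every link that resolves to a device object, then probe one name.
    Get-UserModeDeviceLinks |
        Where-Object Target -like '\Device\*' |
        Sort-Object Win32Path |
        Format-Table -AutoSize

    Test-DeviceLink -Name 'ExampleUnnamedDriverDevice'   # hypothetical name, constructed for this example
    ```

    Run it in a normal (non-elevated) session: QueryDosDevice only reads the namespace, and the script never opens a handle to anything it finds. Add-Type refuses to redefine a type that already exists, so re-running the script in the same session requires a fresh PowerShell process or removing the Add-Type call. When a driver you are reviewing does not show up in the resolved targets, that is the situation described in this thread: either it has a device object reachable only by filtering a stack, or, as Peter and Tim explain, it has no device object at all.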

  • a78 Member Posts: 5

    Thank you for your answers.

  • 0xrepnz Member Posts: 86
    edited July 17

    you can’t have a driver instance without at least one Device Object instance. That is part of what you asked about, and was what I was suggesting you try, and you would see that the driver unloads immediately.

    @Peter_Viscarola_(OSR) Can you explain this sentence? This is an empty driver without any device and it stays in memory until it's manually unloaded:

    #include <ntifs.h>
    
    // Unload routine: nothing to tear down, because DriverEntry created no device object.
    VOID
    DriverUnload(
        __in PDRIVER_OBJECT Driver
        )
    {
        UNREFERENCED_PARAMETER(Driver);
    }
    
    // Non-PnP ("legacy") driver entry point: registers only an unload routine and
    // deliberately never calls IoCreateDevice, so there is no DEVICE_OBJECT to target.
    NTSTATUS
    DriverEntry(
        __in PDRIVER_OBJECT Driver,
        __in PUNICODE_STRING Registry
        )
    {
        UNREFERENCED_PARAMETER(Registry);
    
        Driver->DriverUnload = DriverUnload;   // without this the driver could not be unloaded at all
        return STATUS_SUCCESS;
    }
    

    EDIT: I didn't know that PnP drivers are unloaded automatically when their last device object is removed, thanks.

    - Ori Damari