Minifilter and other driver in same binary

Hi,

I am writing a Minifilter driver and I'm using the same driver to get other
system information. I would like to get some advice on how to build it…

I installed the driver using SCM and an inf file to enable the Minifilter,
is that the right way?

I don't need to have the information from the minifilter in user space
continuously and I would like to enable or disable the minifilter. I had
thought of 2 ways to do this:

1.- Load and unload the minifilter whenever I want without unloading
the driver. Is that possible? I tried it but I haven't had good results…

2.- Pass a flag to the kernel through an IOCTL to notify the Minifilter
not to send the information (although the Minifilter continues
capturing information). I don't know if this is the right way…

Thanks

Hi Alonso,

Regardless of the design (1 or 2) I advise you to implement the unload
properly. That will help you during development because you would be able
to test different versions of the driver without rebooting. Also, combining
that with verifier.exe tracking yourdriver.sys and FltMgr.sys will assure you
a certain level of QA (memory leaks, context leaks, etc).

regards,

Julián

On 2016-08-12 10:43 GMT+02:00, Alonso wrote:


Both 1 and 2 are possible.
You can use FltUnregisterFilter. If this call does not return (with
verifier off) it means you are leaking some references, handles, objects,
etc… Use “!stacks 2 .sys” in windbg to see this.
To make sure you do not leak any references in the minifilter, use
verifier.exe. It will let you know in a very direct way :)
Other workarounds:
You could also make your filter manually attach/detach to/from existing
volumes. This would allow another way for your filter to process I/O or
not, but without calling FltUnregisterFilter.
You could simply keep a list of all of the instances you are attached to, or
enumerate them (see FltEnumerateVolumes/FltEnumerateInstances), and by
setting a flag internally (and using synchronized access to it) detach on
demand from all of them and don't attach to new incoming volumes. You could
also keep a context on an instance to see if you are currently attached to
it or not.

Both options should certainly work. Try it with a simple sample filter (a
pass-through one, for example). Experiment with that and then see what you
are missing from yours.

Cheers,
Gabriel
www.kasardia.com
Windows Kernel Driver Consulting

On Fri, Aug 12, 2016 at 11:51 AM, Julián de Navascués wrote:

Bercea. G.
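A small operational script, added here as an example and not code from the thread or from any of the posters, that exercises the paths discussed above from an elevated PowerShell prompt on a test machine: the INF-based install the question mentions, `fltmc load`/`fltmc unload` (which drives the FilterUnload callback and therefore FltUnregisterFilter), per-volume `fltmc attach`/`fltmc detach` (Gabriel's alternative, which exercises InstanceSetup/InstanceTeardown without unregistering the filter), and Driver Verifier on both the filter and FltMgr.sys as Julián suggests. The filter name `MyMinifilter`, the INF path and the binary name are placeholders, not values from the thread.

```powershell
# Added example (not code from the thread or from any of the posters): drive a
# minifilter through the load / attach / detach / unload paths the thread discusses
# and put it under Driver Verifier together with FltMgr.sys. Run elevated, on a
# test VM with a kernel debugger attached, never on a production host.
#
# Assumptions (placeholders, not values from the thread):
#   - the filter's service name, from the INF [Service] section, is "MyMinifilter"
#   - the INF is .\MyMinifilter.inf and has a DefaultInstall section
#   - the binary is MyMinifilter.sys and registers a FilterUnload callback

$FilterName = 'MyMinifilter'
$InfPath    = (Resolve-Path '.\MyMinifilter.inf').Path

function Install-Minifilter {
    # The INF-based install the OP describes. 132 is the flag value Microsoft's
    # file system filter install docs use (128 = look for source files next to the INF).
    & rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 $InfPath
}

function Get-MinifilterInstances {
    # One instance per volume the filter is currently attached to.
    & fltmc.exe instances -f $FilterName
}

function Test-MinifilterUnload {
    param([int]$TimeoutSeconds = 30)
    # 'fltmc unload' calls the filter's FilterUnload callback, which calls
    # FltUnregisterFilter. Gabriel's point: if that call never returns, the filter
    # is leaking references/handles/contexts, so do not wait on it forever.
    $p = Start-Process -FilePath 'fltmc.exe' -ArgumentList "unload $FilterName" `
                       -PassThru -NoNewWindow
    if (-not $p.WaitForExit($TimeoutSeconds * 1000)) {
        Write-Warning ("fltmc unload has not returned after $TimeoutSeconds s: " +
                       "FltUnregisterFilter is probably waiting on leaked references. " +
                       "Break in with WinDbg and look at the blocked thread with !stacks.")
        return $false
    }
    if ($p.ExitCode -ne 0) {
        # A filter that registered no FilterUnload callback cannot be unloaded at all;
        # fltmc reports an error rather than hanging in that case.
        Write-Warning "fltmc unload failed with exit code $($p.ExitCode)"
        return $false
    }
    return $true
}

# --- Option 1 from the question: start/stop the minifilter without rebooting ---
Install-Minifilter
& fltmc.exe load $FilterName        # DriverEntry: FltRegisterFilter + FltStartFiltering
Get-MinifilterInstances

# --- Gabriel's alternative: detach from / attach to one volume, filter stays loaded ---
& fltmc.exe detach $FilterName C:   # InstanceTeardown callbacks run for this instance
& fltmc.exe attach $FilterName C:   # InstanceSetup runs; returning STATUS_FLT_DO_NOT_ATTACH refuses it
Get-MinifilterInstances

# Unload test: should return promptly and leave the filter absent from 'fltmc filters'.
Test-MinifilterUnload | Out-Null
& fltmc.exe filters

# --- Julián's QA suggestion: Driver Verifier on the filter and on FltMgr.sys ---
# Takes effect after a reboot; 'verifier /reset' turns it off again.
& verifier.exe /standard /driver "$FilterName.sys" FltMgr.sys
& verifier.exe /query
```

With Verifier enabled, a leaked context or reference surfaces as a bug check at unload time instead of a silent hang in FltUnregisterFilter, which is the "very direct way" Gabriel refers to; without it, the timeout branch in Test-MinifilterUnload is the hint to break into the debugger.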

Hi, thanks for your replies.

The problem is solved: I wasn't unloading the minifilter properly and the
memory manager never called my Unload routine.

I could load and unload the minifilter, but when I wanted to unload the
driver my unload routine was never called. That was why I doubted whether my
approach made sense…

THANKS!!!

On 12/08/2016 15:30, Gabriel Bercea wrote:
