Driver Type - Class/ClassGuid

Hello,

I’m writing a security software WDM driver, which uses the following callback techniques in order to detect when a process/thread is started (this makes the driver a process startup driver). Also, the driver must be started as soon as possible at boot time, which makes it a boot driver.

  • PsSetCreateProcessNotifyRoutine
  • PsSetCreateThreadNotifyRoutine

Afterwards, I’m basically determining what the process image name is and some other characteristics in order to determine if I’m going to let the process run or terminate the process.

However, I’m interested in what kind of the driver this actually is. Basically I’m interested in what to specify as the Class/ClassGuid in INF file. I need the INF file in order to install the driver on the machine (I want to use the INF file and don’t want to use any other way, like copying the driver to system32/drivers manually):

Class = “ProcessMon”
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}

Therefore, I’ve been through the documentation and cannot decide what type of driver this actually is. On the higher level, the WDM driver types are the following:

  • Bus driver: This is not the case, since I’m not managing any bus.
  • Function driver: This is not the case, since I’m not managing any software/hardware device. The only reason why I even register a device is to be able to stop the driver, otherwise I wouldn’t even need to IoCreateDevice.
  • Filter driver: This is what fits the description the most, although not perfectly, since I’m not actually modifying the behavior of a device or another driver.

There are also layered drivers:

  • Class drivers: Doesn’t fit.
  • Miniclass drivers: Doesn’t fit.
  • Port drivers: Doesn’t fit.
  • Miniport drivers: Doesn’t fit.

I’m interested in the following:

  1. What kind of a device driver is the software-based driver actually?
  2. What to specify as a Class/ClassGuid in the INF file?

The class you have provided (ProcessMon) has a GUID that is already used:

FSFilter Activity Monitor
Class = ActivityMonitor
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}

https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/file-system-filter-driver-classes-and-class-guids

I would suggest you define your own class/guid pair.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff542998(v=vs.85).aspx

H. G.

xxxxx@gmail.com wrote:

> However, I’m interested in what kind of the driver this actually is. Basically I’m interested in what to specify as the Class/ClassGuid in INF file. I need the INF file in order to install the driver on the machine (I want to use the INF file and don’t want to use any other way, like copying the driver to system32/drivers manually):
>
> Class = “ProcessMon”
> ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
>
> Therefore, I’ve been through the documentation and cannot decide what type of driver this actually is. On the higher level, the WDM driver types are the following:
>
>   • Bus driver: This is not the case, since I’m not managing any bus.
>   • Function driver: This is not the case, since I’m not managing any software/hardware device. The only reason why I even register a device is to be able to stop the driver, otherwise I wouldn’t even need to IoCreateDevice.

You certainly are managing a device. The only way you can use an INF
file to install your driver is if you have a software PnP ID that
triggers your loading. You are the function driver for that virtual device.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> The class you have provided (ProcessMon) has a GUID that is already used:

Yeah, I’m aware, I must have picked it up at the URL you provided.

> I would suggest you define your own class/guid pair.

Thank you for the link, that would work all-right. However, I would still like to know more about this and how to categorize the driver. I’m assuming it doesn’t fit in any of the categories listed above, however if the driver fits in any of the categories please let me know - on the highest level, is it a filter driver or not?

Also, not directly relevant, however still something I’m interested in: instead of using the old WDM model, could I use KMDF instead. Some drivers can be used with KMDF, which is especially suited for drivers that use Windows kernel API and manipulate IRP requests, but a driver must provide its own dispatch functions as well. However, since the software driver is so specific, I doubt KMDF would be of any use here?

> You certainly are managing a device. The only way you can use an INF file to install your driver is if you have a software PnP ID that triggers your loading. You are the function driver for that virtual device.

Yeah, a virtual device must be created in order to be able to interact with it later, when stopping the service/driver at least. By ‘software PnP ID’ you mean the Plug And Play device, which is my driver (identified by ClassGuid), which only has the software (no hardware) component - therefore, making it a virtual device (instead of an actual device, which is a hardware component).

I think you have a security driver. That is how I would call it because you are providing a kernel based software restriction solution. This is different from monitoring I think.

You should use KMDF. It is easier and faster. 

H. G.

You want to use an inf with a [DefaultInstall] section which is not a pnp inf and does not require a class guid. Honestly it is simpler for you to write the code to copy the driver and call CreateService than it will be to jam this into an inf



From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
Sent: Tuesday, June 27, 2017 6:05:26 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver Type - Class/ClassGuid

NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:

> You want to use an inf with a [DefaultInstall] section which is not a pnp inf and does not require a class guid. Honestly it is simpler for you to write the code to copy the driver and call CreateService than it will be to jam this into an inf.

I need an INF in order to be able to WHQL test the driver. Therefore, it’s non-negotiable to provide the INF that describes the driver in full.

Since the driver must also be started at boot, it’s not enough to simply provide the [DefaultInstall], but must also provide other sections, at least the [DefaultInstall.Services] section.

I didn’t say the [DefaultInstall] section was the only section you needed, but it is the style of INF you need. You only need the INF to sign the driver, it is a necessary part of the WHQL submission to get the driver embed signed…BUT it is not required to install a non pnp driver on the host since the OS cares only about the embedded signing, not the INF.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, June 28, 2017 12:20 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver Type - Class/ClassGuid


Doron, thanks for all the answers.

> BUT it is not required to install a non pnp driver on the host since the OS cares only about the embedded signing, not the INF.

Regarding this statement, did we come to the conclusion that a security software driver belongs in the “non-pnp driver” category? Contrary to that, the PnP driver manager is used to detect hardware changes in the system and automatically install drivers for such devices. However, since the security software driver does not come with a hardware device to manage, does that therefore make it a non-pnp driver?

I’m trying to categorize the driver at least to some extent, since it’s somewhat confusing to have quite a few driver categories, but the software driver not fitting anywhere at all.

On Tue, Jun 27, 2017 at 8:52 PM, Tim Roberts wrote:

> You certainly are managing a device. The only way you can use an INF
> file to install your driver is if you have a software PnP ID that
> triggers your loading. You are the function driver for that virtual
> device.
>

You can still use inf files to install legacy drivers. FsFilter and
Registry filter drivers do this, and it is even documented and supported.

Mark Roddy

Can you attestation sign a driver that has no INF associated with it?

Peter
OSR
@OSRDrivers

xxxxx@gmail.com wrote:

> > BUT it is not required to install a non pnp driver on the host since the OS cares only about the embedded signing, not the INF.
>
> Regarding this statement, did we come to the conclusion that a security software driver belongs into the “non-pnp driver” category?

You are making this a lot more complicated than it needs to be.

The determination of PnP vs non-PnP is made by your driver architecture.
It’s not an after-the-fact choice. If your loading is triggered by the
creation of a PnP device ID, and you have an AddDevice callback where
you call IoCreateDevice, and you handle IRP_MJ_PNP, then you are a PnP
driver. If your loading is managed by the Service Manager, and you call
IoCreateDevice in your DriverEntry, then you are non-PnP.

How do you unload your driver? That by itself might answer the
question. If you unload it using ControlService(SERVICE_CONTROL_STOP),
then you are not PnP.

A non-PnP driver doesn’t use an INF for loading. You need it for the
signing process, but that’s all.

The only purpose for the ClassGuid (with a few special-case exceptions)
is to determine your placement within Device Manager. If you are a
non-PnP device, then you won’t appear in Device Manager, so the
ClassGuid is irrelevant.

> Contrary to that, the PnP driver manager is used to detect hardware changes in the system and automatically install drivers for such devices. However, since the security software driver does not come with a hardware device to manage, it therefore makes it a non-pnp driver?

No. A PnP driver is loaded in response to the appearance of a new PDO
with a PnP device ID. The operating system neither knows nor cares
whether that device was created by a bus driver for a physical bus
(example, PCI\VEN_1234&DEV_5678 or USB\VID_9999&PID_8888&MI_00) or by
one of the software device bus drivers (ROOT\BASICRENDER or
SW{12345678-1234-1234-123456789ABC}).

> I’m trying to categorize the driver at least to some extent, since it’s somewhat confusing to have quite a few driver categories, but the software driver not fitting anywhere at all.

The point, I think, is that you don’t need to categorize the driver.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Agreed that it’s irrelevant in this case, but I would disagree with your characterization of the ClassGuid. It does determine your device manager placement, but often time does quite a bit more. It may set regkeys, register the device somewhere, (legacy) call a class installer, mark the device as boot critical, etc.

If you have no idea what class to put your device in, put it in System {4d36e97d-e325-11ce-bfc1-08002be10318}. This makes the device generic and the driver boot critical.
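As an added illustration of the non-PnP, [DefaultInstall]-style INF with a [DefaultInstall.Services] section that the thread describes, using the System class GUID suggested above as the fallback class, here is a hypothetical INF for a boot-start process-notify driver (this is not code from any poster; the driver, service, catalog and vendor names are placeholders):

```inf
; procmon_example.inf  (hypothetical; all names are placeholders)
; Non-PnP, [DefaultInstall]-style INF for a boot-start driver that only
; registers PsSetCreateProcessNotifyRoutine / PsSetCreateThreadNotifyRoutine.
; There are no [Manufacturer]/[Models] sections and no hardware ID: nothing
; in PnP triggers the load; the Service Control Manager starts it at boot.

[Version]
Signature   = "$WINDOWS NT$"
; Generic System class, as suggested in the thread when no class fits.
; Do NOT reuse {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}: that GUID is the
; FSFilter Activity Monitor class from the file system filter class list.
Class       = System
ClassGuid   = {4d36e97d-e325-11ce-bfc1-08002be10318}
Provider    = %ProviderName%
DriverVer   = 06/27/2017,1.0.0.0
CatalogFile = procmon_example.cat     ; needed for the WHQL/signing submission

[DestinationDirs]
DefaultDestDir = 12                   ; %SystemRoot%\System32\drivers

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]
procmon_example.sys = 1,,

; Architecture-decorated form of the [DefaultInstall] section named above.
[DefaultInstall.NTamd64]
CopyFiles = ProcMon.DriverFiles

; The [DefaultInstall.Services] counterpart: this is what makes it boot-start.
[DefaultInstall.NTamd64.Services]
AddService = %ServiceName%,,ProcMon.Service

[ProcMon.DriverFiles]
procmon_example.sys

[ProcMon.Service]
DisplayName   = %ServiceName%
ServiceType   = 1                     ; SERVICE_KERNEL_DRIVER
StartType     = 0                     ; SERVICE_BOOT_START
ErrorControl  = 1                     ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\procmon_example.sys

[Strings]
ProviderName = "Example Vendor (placeholder)"
ServiceName  = "ProcMonExample"
DiskName     = "ProcMon Example Installation Disk"
```

Because no hardware ID is listed, the driver is loaded by the Service Control Manager rather than by PnP, and it is stopped with ControlService(SERVICE_CONTROL_STOP), which is the non-PnP marker Tim describes above.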

“The only purpose for the ClassGuid (with a few special-case exceptions)
is to determine your placement within Device Manager. If you are a
non-PnP device, then you won’t appear in Device Manager, so the
ClassGuid is irrelevant.”

So I am curious: what makes a device appear in Device Manager?

I am currently working on a software-only driver (not going to characterize as Pnp or nonPnp) that installed on Win7 and appeared in Device Manager just fine. I have been trying to replicate on Win10 1607, but so far only able to install/load as non-Pnp, and thus no longer see it in Device Manager (but would like to).

Device manager used to show non pnp “devices” (really loaded drivers), that was removed after win7.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@knowwareinc.com
Sent: Wednesday, July 5, 2017 12:02 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver Type - Class/ClassGuid


“Device manager used to show non pnp “devices” (really loaded drivers), that was removed after win7.”

Thank you for that, Doron.

Might this be different for Test Mode / Driver Signing Enforcement disabled?
That is, do nonPnP devices *do* appear in Device Manager under Test Mode?

I seem to recall that same driver showing up under Device Manager while using a Test Cert, so I have been trying to figure this out.

Don’t think it changes behavior based on mode

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@knowwareinc.com
Sent: Thursday, July 6, 2017 11:07 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver Type - Class/ClassGuid
