WDF attaching to device stack

In WDM I can attach to any device by first getting the object with IoGetDeviceObjectPointer and then using IoAttachDevice; after that all the IRPs pass through my driver and I can do whatever I want with them. Is this also possible in WDF? (taking into consideration that I can call WDM functions inside a KMDF driver)

I was looking at other questions especially this one: https://social.msdn.microsoft.com/Forums/en-US/65101f09-0785-4e27-97bb-8d4552e1f344/devicedriver-stack-in-wdf?forum=wdk

But I’m really confused. It says WDF drivers can only use .inf files to make them act like filters. But what if I want to modify the behaviour of a third-party driver (not related to hardware) that is not listed in the official documentation about filters? Can I use WDF for that too?

All I want is this:

  1. Get device object by its name
  2. Attach to the stack / Replace function in dispatch table of the driver
  3. Preprocess, postprocess IRPs (io completion routine)

WDF only enables attaching to devices through PnP (AddDevice), not by name after the fact. What you describe doesn’t require attaching to the stack. If you are replacing a dispatch table, being a part of the stack afterwards is optional. I am not endorsing hooking in this manner.

d

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmx.com
Sent: Sunday, December 31, 2017 10:05:57 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] WDF attaching to device stack

NTDEV is sponsored by OSR


So if I want to attach dynamically by name I can only use WDM?

I’m currently using legacy wdm driver to accomplish this and it seems easier after all.

Also a question: can I attach a single device to multiple devices with IoAttachDevice? If so, how can I later pass an IRP down the stack with IoCallDriver (if I have it attached to multiple different devices)?

You can only attach once. You need a device object per attached stack. IoCallDriver has no idea about stacks, it just accepts a target device object.

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmx.com
Sent: Monday, January 1, 2018 5:06:51 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WDF attaching to device stack


Thank you Doron!

One more question: If I replace a pointer in the dispatch table (IRP hook), then in theory I can hook many devices in one driver without using IoAttachDevice?

And why aren’t you endorsing hooking in this manner?

> One more question: If I replace a pointer in the dispatch table (IRP hook), then in theory I can hook many devices in one driver without using IoAttachDevice?

This is exactly what I said two replies ago. You don’t need to attach at all to hook in this fashion. You don’t get your own stack location though, so no completion routine on the way back up the stack. If you have to ask why it isn’t supported, you need to read up more on driver architecture and rules.

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmx.com
Sent: Monday, January 1, 2018 5:51:36 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WDF attaching to device stack


What do you mean by no completion routine on the way back up the stack? I can insert my completion routine into the existing IRP like:

PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation (Irp);
irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE) IoCompletionRoutine;

1. You should be using IoSetCompletionRoutine.
2. If you are not attaching to the stack and just hooking the dispatch table, you don’t have an IO stack location, so when you call into the original dispatch routine that you hooked, it can set a new routine.

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmx.com
Sent: Monday, January 1, 2018 6:28:37 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WDF attaching to device stack


On Jan 1, 2018, at 6:28 PM, xxxxx@gmx.com wrote:
>
> What do you mean by no completion routine on the way back up the stack? I can insert my completion routine into the existing IRP like:
>
> PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation (Irp);
> irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE) IoCompletionRoutine;

Yes, but in doing so, you just erased the completion routine set up by the driver above you. Each driver in a correctly-formatted stack gets its own stack location, so you can advance to the next one before setting the completion routine. If you did not attach to the driver stack, then the IRP will not have enough stack locations for you to “borrow” one.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
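A constructed model of the stack-location rule Tim describes, added here as an example (not code from the thread or the WDK; SetCompletionOnNext and CallDriver are stand-ins for IoSetCompletionRoutine and IoCallDriver): a filter that attached with its own device object owns a location and can set a completion routine on the next one, while a dispatch-table hook runs inside the target’s own location and can only overwrite what the driver above already set.

```c
#include <string.h>

/* Constructed model of IRP stack locations (added example, not code from
 * the thread or the WDK). A real IRP carries StackSize I/O stack locations,
 * one per driver that attached to the device stack; CurrentLocation counts
 * down toward 1 as each driver calls IoCallDriver. IoSetCompletionRoutine
 * writes the NEXT (lower) location, which only a driver that attached owns. */
typedef struct { const char *CompletionOwner; } STACK_LOCATION;
typedef struct {
    int StackSize, CurrentLocation;
    STACK_LOCATION Stack[4];
} IRP;
/* Build an IRP for a stack of n attached drivers, delivered to the top one. */
static IRP NewIrp(int n) {
    IRP irp;
    memset(&irp, 0, sizeof irp);
    irp.StackSize = n;
    irp.CurrentLocation = n;                        /* top driver owns location n */
    return irp;
}
static STACK_LOCATION *Current(IRP *irp) { return &irp->Stack[irp->CurrentLocation - 1]; }
/* Stand-in for IoSetCompletionRoutine: succeeds only if a lower location exists. */
static int SetCompletionOnNext(IRP *irp, const char *owner) {
    if (irp->CurrentLocation <= 1) return 0;        /* nothing left to borrow */
    irp->Stack[irp->CurrentLocation - 2].CompletionOwner = owner;
    return 1;
}
/* Stand-in for IoCallDriver: move to the next driver's location. */
static void CallDriver(IRP *irp) { irp->CurrentLocation--; }
/* Supported path: the filter attached with its own device object, so
 * StackSize counts it and its completion routine survives the call down. */
int AttachedFilterGetsCallback(void) {
    IRP irp = NewIrp(2);                            /* filter + target */
    int ok = SetCompletionOnNext(&irp, "filter");
    CallDriver(&irp);                               /* target runs at location 1 */
    return ok && strcmp(Current(&irp)->CompletionOwner, "filter") == 0;
}
/* Dispatch-table hook: not attached, so it runs inside the target's own
 * location; there is none below it, and writing the current one erases
 * the routine the driver above already set (the assignment from the thread). */
int HookErasesUpperDriverRoutine(void) {
    IRP irp = NewIrp(2);                            /* upper driver + hooked target */
    SetCompletionOnNext(&irp, "upper");             /* upper driver did it right */
    CallDriver(&irp);                               /* hook now sees location 1 */
    int borrowed = SetCompletionOnNext(&irp, "hook");   /* fails: no lower location */
    Current(&irp)->CompletionOwner = "hook";
    return !borrowed && strcmp(Current(&irp)->CompletionOwner, "upper") != 0;
}
```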

On Jan 1, 2018, at 5:51 PM, xxxxx@gmx.com wrote:
>
> One more question: If I replace a pointer in the dispatch table (IRP hook), then in theory I can hook many devices in one driver without using IoAttachDevice?

Yes, but then what? Each IRP has enough stack locations for the drivers that have attached to the stack. By hooking a dispatch pointer, you can poke around in the IRP and inspect the parameters, but you can’t do anything to the IRP except pass it down unchanged, and you can’t get a callback later.

> And why aren’t you endorsing hooking in this manner?

Because it violates the rules, rules which are there to ensure the reliable execution of the operating system. That kind of hooking is delicate, unsupported, and not terribly useful.

Plus, it’s trivially easy to install a filter driver in the supported manner, which makes you a full participant in the IRP stack and lets you do everything KMDF can do. A device filter doesn’t need an INF. Just copy the file into place, create the service, and tweak the registry.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Yes, but in doing so, you just erased the completion routine set up by the driver above you.

But I can always call the old (erased) completion routine from my own to preserve functionality. Won’t that be enough?

> Plus, it’s trivially easy to install a filter driver in the supported manner, which makes you a full participant in the IRP stack and lets you do everything KMDF can do.

What if the device I want to hook is not PnP and it’s created by a third party and it’s not one of the common devices that is “FILE_DEVICE_UNKNOWN”. I can’t use KMDF and I’m forced to use WDM so I just get the name of the device and do what I want with it next.

Or maybe I have it wrong? Can’t I just mix KMDF with WDM and do the runtime attaching there? From what I understood, KMDF (WDF) is just a wrapper over WDM. Callbacks have different parameters and there is no IRP in the arguments; can I do the same in KMDF and set my IO completion routines there?

xxxxx@gmx.com wrote:

> Yes, but in doing so, you just erased the completion routine set up by the driver above you.

But I can always call the old (erased) completion routine from my own to preserve functionality. Won’t that be enough?

Where are you going to put it?  There’s no place in the IRP or IO stack
location that belongs to you.  If you’re not in the stack, then your
device object is not going to get involved, so you won’t have an
extension structure.  Put it in a driver global, indexed by the IRP
address?  Yecch.

What if the device I want to hook is not PnP and it’s created by a third party and it’s not one of the common devices that is “FILE_DEVICE_UNKNOWN”. I can’t use KMDF and I’m forced to use WDM so I just get the name of the device and do what I want with it next.

Well, if it’s not PnP, then the UpperFilters/LowerFilters thing doesn’t
work.  You don’t even know that it receives IRPs.

Or maybe I have it wrong? Can’t I just mix KMDF with WDM and do the runtime attaching there? From what I understood, KMDF (WDF) is just a wrapper over WDM. Callbacks have different parameters and there is no IRP in the arguments; can I do the same in KMDF and set my IO completion routines there?

In many cases, you can do this.  The KMDF dispatching relies on an
extension to the device object, which you wouldn’t have in a “hook”
situation, so you’d have to disable that by using “miniport mode”.  In
that situation, it’s not entirely clear what KMDF would buy you.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Put it in a driver global, indexed by the IRP address?

That’s how it’s done in the book “Rootkits - Subverting the Windows Kernel” and it seems to work. What could go wrong?

Well, if it’s not PnP, then the UpperFilters/LowerFilters thing doesn’t work. You don’t even know that it receives IRPs.

Don’t all drivers receive IRPs or at least are supposed to do so? If I didn’t know I wouldn’t attach to it/hook it.

I didn’t know about miniport mode and I will surely study it more. Thank you!

On Jan 2, 2018, at 7:53 PM, xxxxx@gmx.com wrote:
>
>> Put it in a driver global, indexed by the IRP address?
>
> That’s how it’s done in the book “Rootkits - Subverting the Windows Kernel” and it seems to work. What could go wrong?

Globals are evil. If you are filtering multiple devices, you have a lot of bookkeeping to do in order to keep it all straight. It’s just a lot more error-prone than using normal filtering.

>> Well, if it’s not PnP, then the UpperFilters/LowerFilters thing doesn’t
>> work. You don’t even know that it receives IRPs.
>
> Don’t all drivers receive IRPs or at least are supposed to do so? If I didn’t know I wouldn’t attach to it/hook it.

No. Many drivers handle hardware without communication from above. Some drivers use direct calls. GDI drivers (like display drivers and printer drivers) do not use IRPs.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.