Re: EvtDriverDeviceAdd is not being called for vhdmp filter driver

xxxxx@gmail.com wrote:

Hi, I am very new to Windows driver development.
Recently I was writing a WDF filter driver for vhdmp class driver.

i) I have added my driver name as the ‘UpperFilters’ value in the vhdmp class driver registry key (HKLM\SYSTEM\CurrentControlSet\Control\Class{2EA9B43F-3045-43B5-80F2-FD06C55FBB90}).

On my Windows 10 system, that class’ key in the registry has
NoUseClass=1.  Where did you get the idea that it could be filtered?

ii) I could see that the driver’s DriverEntry is being called but not EvtDriverDeviceAdd, even though I can see one PDO device in the vhdmp driver.

Does that PDO have an FDO?  A class filter would only be applied when an
FDO driver is loaded for the device.  If the PDO is raw, then it can’t
be filtered in this way.

ServiceConfiguration:

ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; STARTUP_TYPE
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
LoadOrderGroup = “Filter”

This is for your INF?  Then StartType should be 3, SERVICE_DEMAND_START.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Tim

After I changed the StartType to 3, my driver itself is not loading.
Below is the device info of vhdmp.sys:

kd> !drvobj \Driver\vhdmp
Driver object (ffffe0007d5a69d0) is for:
\Driver\vhdmp
Driver Extension List: (id , addr)
(fffff80015197244 ffffe0007bca2830)
Device Object list:
ffffe0007cf5a1c0 ffffe0007cc40050

kd> !devobj ffffe0007cf5a1c0
Device object (ffffe0007cf5a1c0) is for:
VHDMP \Driver\vhdmp DriverObject ffffe0007d5a69d0
Current Irp 00000000 RefCount 4 Type 00000053 Flags 00000050
SecurityDescriptor ffffc001acedd0f0 DevExt ffffe0007cf5a310 DevObjExt ffffe0007cf5a3f8
ExtensionFlags (0xc0000000) DOE_BOTTOM_OF_FDO_STACK, DOE_DESIGNATED_FDO
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
Device queue is not busy.

kd> !devobj ffffe0007cc40050
Device object (ffffe0007cc40050) is for:
RaidPort1 \Driver\vhdmp DriverObject ffffe0007d5a69d0
Current Irp 00000000 RefCount 0 Type 00000004 Flags 00000050
SecurityDescriptor ffffc001a9f4b890 DevExt ffffe0007cc401a0 DevObjExt ffffe0007cc445e0
ExtensionFlags (0xe0000000) DOE_RAW_FDO, DOE_BOTTOM_OF_FDO_STACK,
DOE_DESIGNATED_FDO
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
AttachedDevice (Upper) ffffe0007d4da8e0 \DRIVER\VERIFIER_FILTER
AttachedTo (Lower) ffffe0007d513de0 \DRIVER\VERIFIER_FILTER
Device queue is not busy.

I want to filter device 0xffffe0007cf5a1c0. As I can see, its extension flags are DOE_BOTTOM_OF_FDO_STACK and DOE_DESIGNATED_FDO.
What is the meaning of these flags, and is there a way I can filter this device?
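A small triage script, added here and not part of the thread, that parses pasted `!devobj` output (the two blocks above, embedded as a constructed sample, trimmed to the lines the parser needs) and flags device objects carrying `DOE_RAW_FDO`, which per Tim's reply cannot take a class filter; it also handles kd's line-wrapped flag lists, as seen in the RaidPort1 block.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the two !devobj blocks pasted in the thread, trimmed to
# the lines this parser needs (note kd wrapped the second flag list).
SAMPLE = """
kd> !devobj ffffe0007cf5a1c0
VHDMP \\Driver\\vhdmp DriverObject ffffe0007d5a69d0
ExtensionFlags (0xc0000000) DOE_BOTTOM_OF_FDO_STACK, DOE_DESIGNATED_FDO

kd> !devobj ffffe0007cc40050
RaidPort1 \\Driver\\vhdmp DriverObject ffffe0007d5a69d0
ExtensionFlags (0xe0000000) DOE_RAW_FDO, DOE_BOTTOM_OF_FDO_STACK,
DOE_DESIGNATED_FDO
"""

BLOCK_RE = re.compile(r"kd> !devobj\s+([0-9a-f]+)", re.I)
HEADER_RE = re.compile(r"^(\S+)\s+\\Driver\\\S+\s+DriverObject", re.I)
FLAGS_RE = re.compile(r"^ExtensionFlags\s+\((0x[0-9a-f]+)\)\s*(.*)", re.I)


@dataclass
class DevObj:
    address: str
    name: str = ""
    ext_flags: int = 0
    flag_names: List[str] = field(default_factory=list)

    def class_filterable(self) -> bool:
        # DOE_RAW_FDO marks a PDO started raw (no function driver), so there is
        # no FDO load for an UpperFilters/LowerFilters entry to hook into.
        return "DOE_RAW_FDO" not in self.flag_names


def parse_devobj(text: str) -> List[DevObj]:
    pieces = BLOCK_RE.split(text)  # ['', addr1, body1, addr2, body2, ...]
    objs = []
    for addr, body in zip(pieces[1::2], pieces[2::2]):
        d, lines = DevObj(address=addr.lower()), body.splitlines()
        for i, line in enumerate(lines):
            if m := HEADER_RE.match(line):
                d.name = m.group(1)
            elif m := FLAGS_RE.match(line):
                d.ext_flags, names, j = int(m.group(1), 16), m.group(2), i
                # kd wraps long flag lists; a trailing comma means it continues
                while names.rstrip().endswith(",") and j + 1 < len(lines):
                    j += 1
                    names += " " + lines[j]
                d.flag_names = [n.strip() for n in names.split(",") if n.strip()]
        objs.append(d)
    return objs
```

Run `parse_devobj(SAMPLE)` and call `class_filterable()` on each result: the VHDMP FDO comes back filterable (under its real setup class), the raw RaidPort1 object does not.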

It is a scsiminiport and its class is 4D36E97B-E325-11CE-BFC1-08002BE10318
( SCSIAdapter) so I have no idea why filtering on
2EA9B43F-3045-43B5-80F2-FD06C55FBB90
would be a good idea.

However if you install a class filter on SCSIAdapter you are going to
filter *ALL* scsi adapters, not just vhdmp, so your filter is going to have
to figure out who is who. Then you are going to discover that you are
filtering on the parent FDO of a bus driver and that all your IO is going
to the child PDOs and you have no documented way to filter those in KMDF.

What are you actually trying to accomplish?

Mark Roddy

On Tue, Aug 28, 2018 at 2:49 PM xxxxx@probo.com wrote:

> and you have no documented way to filter those in KMDF

You’d write a LOWER filter of the Disk Class driver to accomplish this. That *must* be supported, to the extent that filtering anything is “supported”, isn’t it? It’s architecturally anticipated, at least. And given that you get the (sort of) disk class driver source code, you have a prayer of knowing what type of Requests to expect.

Peter
OSR
@OSRDrivers

Thanks Mark and Peter for reply,

Actually, I am trying to implement VAIO-like functionality for Hyper-V. My goal is
to intercept I/O happening on the VHD as a disk, not as a file.

I have two options:

i) Writing a file system filter driver which will intercept I/O on the VHD as a file, but this would cause me to do a reverse lookup from file I/O to disk I/O. Also, when snapshots and checkpoints are taken on a VM, the I/O goes to an AVHDX file which I will have to keep references to, and it is difficult to track VM state from a file system filter driver too.

ii) Another option is that I write a VHDParser kind of driver where I get a view of the VHD as a disk. So now I can track all I/O happening to the VHD as a disk, irrespective of whether it has a snapshot or not.
The challenge I am facing now is how to track snapshots or checkpoints initiated by the VM for the
bookkeeping.

Since all the operations to the VHD pass through the vhdmp driver, I was thinking I could intercept
snapshot operations as well by writing a filter for vhdmp.

Gaurav

Sure, but that would be a disk filter not a mp filter. That’s why I asked
what he was trying to do.

Mark Roddy

On Wed, Aug 29, 2018 at 3:17 PM xxxxx@osr.com wrote: