WDF keyboard filter driver prevents kbdhid's AddDevice function from being called

I wrote a WDF keyboard filter driver which is supposed to hook the keyboard class service callback. I do everything exactly as kbfiltr does, but for some reason, my device completely replaces kbdhid in the keyboard device stack. Consequently, the keyboard service callback is never called and the request is dropped at hidclass level. After doing some debugging I noticed that when I load my driver and connect a physical device, the KbdHid_AddDevice function is not called by the system, whereas it usually is. Normally the keyboard device stack looks like hidclass->kbdhid->kbdclass, if my driver is loaded then it looks like hidclass->kbdhid->kbdclass. I don’t think this is intended since I should be able to just hook the service callback. Microsofts documentation doesn’t really help either. I also tried to load unmodified kbfiltr and the result is the same, the hook doesn’t work and the device is replaced. Help is much appreciated!

Probably an INF authoring mistake. How did you install your driver? Please post your INF

@Doron_Holan said:
Probably an INF authoring mistake. How did you install your driver? Please post your INF

I’ve tried installing the driver with devcon (as described for kbfiltr) and through device manager. Here’s my INF:

`[Version]
Signature=“$WINDOWS NT$”
Class=Keyboard
ClassGuid={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=%ManufacturerName%
CatalogFile=RFIDReaderDriver.cat

[DestinationDirs]
DefaultDestDir = 12
RFID_Reader_Device_CoInstaller_CopyFiles = 11

; ================= Class section =====================

[SourceDisksNames]
1 = %DiskName%,“”

[SourceDisksFiles]
RFIDReaderDriver.sys = 1,
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames

;*****************************************
; Install Section
;*****************************************

[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$

[Standard.NT$ARCH$]
%RFIDReaderDriver.DeviceDesc%=RFID_Reader_Device, HID\VID_FFFF&PID_0035&REV_0100&MI_00

[RFID_Reader_Device.NT]
CopyFiles=Drivers_Dir
Include=keyboard.inf
Needs=STANDARD_Inst

[Drivers_Dir]
RFIDReaderDriver.sys

;-------------- Service installation
[RFID_Reader_Device.NT.Services]
AddService = RFIDReaderDriver,%SPSVCINST_ASSOCSERVICE%, RFIDReaderDriver_Service_Inst
Include=keyboard.inf
Needs=STANDARD_Inst.Services

; -------------- RFIDReaderDriver driver install sections
[RFIDReaderDriver_Service_Inst]
DisplayName = %RFIDReaderDriver.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 0 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\RFIDReaderDriver.sys

[RFID_Reader_Device.NT.HW]
AddReg = RFID_Reader_Device.HW.AddReg

Include=keyboard.inf
Needs=STANDARD_Inst.HW

[RFID_Reader_Device.HW.AddReg]
HKR,“UpperFilters”,0x00010000,“RFIDReaderDriver”

;
;— RFID_Reader_Device Coinstaller installation ------
;

[RFID_Reader_Device.NT.CoInstallers]
AddReg=RFID_Reader_Device_CoInstaller_AddReg
CopyFiles=RFID_Reader_Device_CoInstaller_CopyFiles

[RFID_Reader_Device_CoInstaller_AddReg]
HKR,CoInstallers32,0x00010000, “WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller”

[RFID_Reader_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll

[RFID_Reader_Device.NT.Wdf]
KmdfService = RFIDReaderDriver, RFIDReaderDriver_wdfsect
[RFIDReaderDriver_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$

[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName=“RFID”
ClassName=“Keyboard”
DiskName = “RFID Reader Driver Installation Disk”
RFIDReaderDriver.DeviceDesc = “RFID Reader Device”
RFIDReaderDriver.SVCDESC = “RFID Reader Driver”`

This:

AddService = RFIDReaderDriver,%SPSVCINST_ASSOCSERVICE%, RFIDReaderDriver_Service_Inst

sets your driver as the FDO. Instead, omit the second value

AddService = RFIDReaderDriver, , RFIDReaderDriver_Service_Inst

@Doron_Holan said:
This:

AddService = RFIDReaderDriver,%SPSVCINST_ASSOCSERVICE%, RFIDReaderDriver_Service_Inst

sets your driver as the FDO. Instead, omit the second value

AddService = RFIDReaderDriver, , RFIDReaderDriver_Service_Inst

Thanks, that seemed to be one of the issues. I was thinking the system might be interpreting my driver as a function driver, but I was setting it as a filter driver in the EvtAddDevice function. Now I have another issue, for some reason, the i8042prt driver is also trying to create a device for my HID device, which doesn’t really make sense. It fails and the event log shows it returned error 0xC000000E. Consequently, the whole device stack gets destroyed. The question now is why the hell is i8042prt being added instead of kbdhid on top of hidclass and below my filter driver. Possibly another misconfiguration somewhere?

STANDARD_Inst is for ps2 keyboards. replace instances with HID_Keyboard_Inst

1 Like

@Doron_Holan said:
STANDARD_Inst is for ps2 keyboards. replace instances with HID_Keyboard_Inst

Thank you again! Finally got the hook working. First time dealing with physical devices.