Bus Filter

Are there any sample Bus Filter Drivers to look at the source for educational purposes?

I would rather suggest that you start your education process from reading MSDN and/or Walter Oney’s book, so that you will be at least able to tell the difference between bus driver and filter one.

Depending on its role in a given PnP stack, WDM driver can act as a bus driver, function driver, upper filter or lower filter (please note that the same driver may participate in different stacks). In practice, bus driver will always be a function one - its FDO will be attached to the lower device, and a separate stack will be built on top of each PDO that it creates. Lower filter will sit in between PDO and FDO, and the upper one will sit above FDO. However, filter drivers are not going to create PDOs, although they may create non-PnP control device objects…

Anton Bassov

I understand that. There is a PDO that gets IRPs directly under some conditions and the FDO is bypassed. So an upper or lower functional filter does not work. I want to find sample code for a bus filter to see what it will take to get one going. IDE or SCSI is what I am working with. Thanks for all the help.

> There is a PDO that gets IRPs directly under some conditions and the FDO is bypassed.

Normally IRPs are sent to the top of the stack as known to the caller. Therefore, if function driver sends IRPs to PDO on its own initiative, then it is understandable that you are not going to see it if you filter FDO. This is what lower filters are for - the term “bus filter” does not make sense in itself. Concerning the sample, please check Toaster in WDK - IIRC, it provides lower filter sample…

Anton Bassov

I think he means that some requests are being sent to a naked PDO… In which case, filtering is “a significant challenge.”

Peter
OSR

And a bus filter driver will not help as the misbehaving driver above will continue to send IRPs directly to the PDO, and not to any filter DO.

Mark Roddy

On Fri, Feb 20, 2009 at 12:37 PM, wrote:

> I think he means that some requests are being sent to a naked PDO… In
> which case, filtering is “a significant challenge.”
>
> Peter
> OSR
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
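
A user-mode model of the routing described in the replies above, added here as an example; it is not code from the thread or from the WDK, and the structs and function names are constructed stand-ins, not the real DEVICE_OBJECT or IRP APIs. It builds PDO, lower filter, FDO and upper filter, then counts which devices observe a request sent to the top of the stack, one originated by the FDO, and one sent straight to the PDO.

```c
#include <stddef.h>

/* Toy model of a WDM device stack (constructed; not the real kernel layouts). */
typedef struct device {
    const char    *name;
    struct device *attached;  /* device attached directly on top of this one */
    struct device *lower;     /* next-lower device that requests are passed to */
    int            seen;      /* number of requests that reached this device */
} device_t;

typedef struct { int upper, lower, pdo; } hits_t;

/* Find the current top of the stack that 'd' belongs to. */
static device_t *top_of_stack(device_t *d)
{
    while (d->attached) d = d->attached;
    return d;
}

/* Attach 'dev' above whatever is currently on top of the stack. */
static void attach_on_top(device_t *dev, device_t *stack_member)
{
    device_t *top = top_of_stack(stack_member);
    top->attached = dev;
    dev->lower = top;
}

/* Deliver a request to 'target'; every device from there down counts it. */
static void send_request(device_t *target)
{
    for (device_t *d = target; d; d = d->lower) d->seen++;
}

/* Stack: PDO <- lower filter <- FDO <- upper filter. */
hits_t trace(int via_top, int from_fdo, int direct_to_pdo)
{
    device_t pdo = {"PDO", NULL, NULL, 0}, lo = {"LowerFilter", NULL, NULL, 0};
    device_t fdo = {"FDO", NULL, NULL, 0}, up = {"UpperFilter", NULL, NULL, 0};
    attach_on_top(&lo, &pdo);
    attach_on_top(&fdo, &pdo);
    attach_on_top(&up, &pdo);
    /* Well-behaved caller: resolves the top of the stack first. */
    for (int i = 0; i < via_top; i++) send_request(top_of_stack(&pdo));
    /* FDO originates its own request: only devices below it see it. */
    for (int i = 0; i < from_fdo; i++) send_request(fdo.lower);
    /* Caller holding a raw PDO pointer: no attached filter sees it. */
    for (int i = 0; i < direct_to_pdo; i++) send_request(&pdo);
    hits_t h = { up.seen, lo.seen, pdo.seen };
    return h;
}
```

With `trace(3, 2, 1)` the upper filter counts 3 requests, the lower filter 5 and the PDO 6: the one request sent directly to the PDO is invisible to every attached filter.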

Hmmm, in that case I am thinking about trying to do the following (the goal is to filter the PDO and handle the case when someone sends requests directly to the PDO):

1: Replace the Driver Dispatch function pointers for the driver object on the PDO in question. Then all requests sent to the PDO will arrive in my dispatch functions from which point I can do filtering and route them to the original function.

Is this the recommended approach for filtering PDO traffic, or should I look into another approach? Unfortunately, there isn’t any documentation that I was able to find from Microsoft explaining what the recommended way to accomplish this is. Since it is easy for someone to bypass the FDO, there should be a recommendation on how to do this. At this time this approach looks promising; I am just not sure if PatchGuard checks the DO Dispatch table on Vista, which will be a problem if it does.

Thanks for the help!

Recommended? Of course not. PDO filters aren’t recommended to begin with and dispatch table hooking certainly isn’t recommended. The recommended method is to be a lower filter driver and then not work :)

It is probably the only way to filter upper drivers that break the rules. A better question is why verifier doesn’t flunk drivers that skip attached devices so that at least the rule breakers wouldn’t be signed.

Mark Roddy

On Fri, Feb 20, 2009 at 4:39 PM, wrote:

> Hmmm, in that case I am thinking about trying to do the following (the goal
> is to filter the PDO and handle the case when someone sends requests
> directly to the PDO):
>
> 1: Replace the Driver Dispatch function pointers for the driver object on
> the PDO in question. Then all requests sent to the PDO will arrive in my
> dispatch functions from which point I can do filtering and route them to the
> original function.
>
> Is this the recommended approach for filtering PDO traffic, or should I
> look into another approach? Unfortunately, there isn’t any documentation that
> I was able to find from Microsoft explaining what the recommended way to
> accomplish this is. Since it is easy for someone to bypass the FDO, there
> should be a recommendation on how to do this. At this time this approach
> looks promising; I am just not sure if PatchGuard checks the DO Dispatch table
> on Vista, which will be a problem if it does.
>
> Thanks for the help!

Is it too late to award “post of the week” to this??

Peter
OSR

As far as I am concerned, the post of the week qualification period runs from Sunday until the part of Saturday that ends early Monday morning.

Mark Roddy

On Fri, Feb 20, 2009 at 5:41 PM, wrote:

> Is it too late to award “post of the week” to this??
>
> Peter
> OSR

:) well it doesn’t surprise me, thanks for the help.

By the way, how possible is it to accomplish this with a lower or upper filter around the bus FDO for IDE or SCSI? Should I expect to see requests flowing through there (from the PDOs) or do the PDOs carry out the operations through other routes in case of IDE or SCSI? If they do flow through the bus FDO then is that a proprietary protocol or a standard one?

> how possible is it to accomplish this with a lower or upper filter around the bus FDO for IDE or SCSI?

As I can see, you mention IDE and SCSI interchangeably here. Combined with your statement about requests that get sent directly to PDOs, it makes me suspect that you are speaking about physical disk partitions - device objects for them end up as standalone devices with nothing attached to them, because logical volumes are mounted, rather than stacked, on them, while devices that correspond to disks themselves are FDOs that are stacked on PDOs created by port drivers. Is my suggestion correct?

Anton Bassov