CD /DVD read only filter

Dear Osrlist,

I am trying to write a filter driver which can block
attempts to copy data to a CD. For floppy disks and USB
thumbdrives I can use:

if(irpValue == IRP_MJ_WRITE){
NTSTATUS status = STATUS_MEDIA_WRITE_PROTECTED;

but this does not block attempts to burn data on to a CD
or DVD. Does anybody know what the CD equivalent of the
above code would be ?

Regards,

Scott

--- Windows System Software Devs Interest List digest wrote:
> NTDEV Digest for Saturday, May 21, 2005.
>
> 1. NO_MORE_IRP_STACK_LOCATIONS
> 2. Re: NO_MORE_IRP_STACK_LOCATIONS
> 3. RE: Complete Request in scsi miniport w/o timercall
> 4. RE: NO_MORE_IRP_STACK_LOCATIONS
>
> ----------------------------------------------------------------------
>
> Subject: NO_MORE_IRP_STACK_LOCATIONS
> From: “Cook, Mark” <mark.cook>
> Date: Sat, 21 May 2005 11:40:51 +0100
> X-Message-Number: 1
>
> Hi all
>
> I’ve been developing a TDI filter driver that attaches to \Device\Tcp
> (among other things) using IoAttachDevice. It doesn’t currently do much
> apart from pass through any IRPs destined for the original device by
> calling IoCallDriver.
>
> Everything appears to work correctly until I attempt to make a NetBIOS
> call (in this case by typing net view at the command prompt). As soon as
> I do this, the system bugchecks with stop code 35
> (NO_MORE_IRP_STACK_LOCATIONS).
>
> Dumping the irp from the memory dump, I see the following (note that
> tdimon is my filter driver):
>
> Bugcheck code 00000035
> Arguments 862abc00 00000000 00000000 00000000
>
> kd> !irp 862abc00
> Irp is active with 2 stacks 0 is current (= 0x862baca0)
>  No Mdl Thread 00000000: Irp stack trace.
>      cmd flg cl Device File Completion-Context
>  [f, 3] 0 e0 862baca0 86c6f170 f5162bf1-86af38c8 Success Error Cancel
>         \Driver\tdimon netbt!TcpConnectComplete
>         Args: 00000000 86ca4578 00000000 f507bc50
>  [f, 3] 0 e1 86ad8d30 86dffca0 f5165a8a-86c5d158 Success Error Cancel pending
>         \Driver\NetBT netbt!NbtpConnectCompletionRoutine
>         Args: 00000000 86c5d168 00000000 f507bc50
>
> I have verified that when I call IoAttachDevice, the StackSize for my
> object increases to 2 (I am only attached to Device\TCP at this point
> which itself has a StackSize of 1) and I have verified that when the
> system bugchecks, this is still set to 2. In fact, if I dump the device
> stack for my device, it still appears to be correct:
>
> kd> !devstack 862baca0
>   !DevObj   !DrvObj         !DevExt   ObjectName
> > 862baca0  \Driver\tdimon  00000000
>   86d29e50  \Driver\Tcpip   00000000  Tcp
>
> And using the dt against the DEVICE_OBJECTs for these two devices
> reveals that the stack sizes are set to 2 and 1 respectively which also
> appears to be correct.
>
> From the IRP dump, it appears that one of the stack locations has been
> consumed by device 86ad8d30 but this device is not on my stack. In fact
> if I dump the device stack for this device, I see the following:
>
> kd> !devstack 86ad8d30
>   !DevObj   !DrvObj         !DevExt   ObjectName
> > 86ad8d30  \Driver\NetBT   86ad8de8  NetBT_Tcpip_{F941E083-3AC1-4540-883C-169D85D2FBD5}
>
> Curiously, when I run dt against this device, it also has a StackSize of
> 2 even though it doesn’t appear to be attached to anything.
>
> It appears to me that because this device has consumed one of the stack
> locations for my IRP, by the time it reaches my device the stack has
> been exhausted and when I call IoCallDriver, the system bugchecks. What
> I don’t see though is why this IRP would be going through the mysterious
> NetBT_Tcpip_{F941E083-3AC1-4540-883C-169D85D2FBD5} device at all because
> it doesn’t seem to be in my driver stack.
>
> Does anybody have any ideas about why device
> NetBT_Tcpip_{F941E083-3AC1-4540-883C-169D85D2FBD5}
> is on my stack ??
>
> Kind Regards
>
> Mark
>
=== message truncated ==

__________________________________
Do You Yahoo!?
Upgrade Your Life
http://bb.yahoo.co.jp/

How about letting us know where the filter is located. That is probably
your problem. It also varies as to which software is being used to do the
writing.

“ブラウン スコット” wrote in message news:xxxxx@ntdev…
> Dear Osrlist,
>
> I am trying to write a filter driver which can block
> attempts to copy data to a CD. For floppy disks and USB
> thumbdrives I can use:
>
> if(irpValue == IRP_MJ_WRITE){
> NTSTATUS status = STATUS_MEDIA_WRITE_PROTECTED;
>
> but this does not block attempts to burn data on to a CD
> or DVD. Does anybody know what the CD equivalent of the
> above code would be ?
>
> Regards,
>
> Scott

Scott, there was a discussion about this just recently – check the
archives. IIRC, it’s pretty difficult to do this. First of all you’d
have to handle SCSI pass-through IOCTLs, and even then you’re never
guaranteed that another driver won’t get in just below your filter and
send commands down directly.

Chuck

----- Original Message -----
From: “x”
To: “Windows System Software Devs Interest List”
Sent: Monday, May 23, 2005 11:46 AM
Subject: [ntdev] CD /DVD read only filter

> Dear Osrlist,
>
> I am trying to write a filter driver which can block
> attempts to copy data to a CD. For floppy disks and USB
> thumbdrives I can use:
>
> if(irpValue == IRP_MJ_WRITE){
> NTSTATUS status = STATUS_MEDIA_WRITE_PROTECTED;
>
> but this does not block attempts to burn data on to a CD
> or DVD. Does anybody know what the CD equivalent of the
> above code would be ?
>
> Regards,
>
> Scott

It would be rather difficult to do 100%. You need to define what situations are going to be blocked (i.e. which applications, etc.)

First, install a lowest-level filter driver on your test machine. Then, process both IRP_MJ_SCSI (SCSI_REQUEST_BLOCKs) and IOCTL_SCSI_PASS_THROUGH and IOCTL_SCSI_PASS_THROUGH_DIRECT. All three of these have an embedded CDB. (You will need to have special code to deal with 32-bit applications sending the ioctls on 64-bit systems.)

Look at the CDB, and set up a list of “allowed” commands (this avoids vendor-specific write commands or newly defined write commands getting through). You would also want to prevent changes to various mode pages – again, set up an “allowed” list.

In the end, since you cannot prevent filter drivers(*) from loading below you, or from overwriting the dispatch tables of the port driver(!), you may have difficulty preventing this entirely without having protection against the installation of other drivers on the system. i.e. You must have system security (known set of drivers) before you can have a driver prevent actions.

Hth,
.

(*) or bus filters, or … This is why you must define the applications you want to prevent working.

-----Original Message-----
From: ブラウン スコット [mailto:xxxxx@yahoo.co.jp]
Sent: Sunday, May 22, 2005 9:47 PM
Subject: CD /DVD read only filter

Dear Osrlist,

I am trying to write a filter driver which can block
attempts to copy data to a CD. For floppy disks and USB
thumbdrives I can use:

if(irpValue == IRP_MJ_WRITE){
NTSTATUS status = STATUS_MEDIA_WRITE_PROTECTED;

but this does not block attempts to burn data on to a CD
or DVD. Does anybody know what the CD equivalent of the
above code would be ?

Regards,

Scott
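
The allow-list approach described in the reply above, as an added example (not code from the thread or from any list member): a portable C classifier that a filter's dispatch routine could call on the CDB taken from an SRB or a pass-through request. The opcode and mode-page allow-lists, the function names and the sample bytes are assumptions made for the illustration; pulling the CDB out of the IRP and the 32-bit thunking on 64-bit systems are not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { CDB_ALLOW, CDB_DENY_OPCODE, CDB_DENY_LENGTH, CDB_DENY_MODE_PAGE } cdb_verdict;

/* Assumed allow-list of read-side SPC/MMC opcodes. Anything absent (WRITE,
 * BLANK, FORMAT UNIT, vendor-specific, not yet defined) is denied by default. */
static const uint8_t allowed_opcodes[] = {
    0x00, /* TEST UNIT READY */       0x03, /* REQUEST SENSE */
    0x12, /* INQUIRY */               0x1A, /* MODE SENSE(6) */
    0x1B, /* START STOP UNIT */       0x1E, /* PREVENT ALLOW MEDIUM REMOVAL */
    0x25, /* READ CAPACITY */         0x28, /* READ(10) */
    0x43, /* READ TOC/PMA/ATIP */     0x46, /* GET CONFIGURATION */
    0x4A, /* GET EVENT STATUS NOTIFICATION */
    0x51, /* READ DISC INFORMATION */ 0x52, /* READ TRACK INFORMATION */
    0x5A, /* MODE SENSE(10) */        0xA8, /* READ(12) */
    0xBE  /* READ CD */
};

/* Assumed allow-list of mode pages that MODE SELECT may change (CD Audio
 * Control, Power Condition). Page 0x05 (Write Parameters) is left off it. */
static const uint8_t allowed_mode_pages[] = { 0x0E, 0x1A };

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_read10[10]  = { 0x28, 0, 0, 0, 0x10, 0, 0, 0, 0x08, 0 };
static const uint8_t sample_write10[10] = { 0x2A, 0, 0, 0, 0x10, 0, 0, 0, 0x08, 0 };
static const uint8_t sample_vendor[10]  = { 0xC1 };         /* group 6 opcode */
static const uint8_t sample_modesel[10] = { 0x55, 0x10 };   /* MODE SELECT(10), PF=1 */
static const uint8_t sample_power_page[20]  = { [8] = 0x1A, [9] = 0x0A };
static const uint8_t sample_write_page[60]  = { [8] = 0x05, [9] = 0x32 };
static const uint8_t sample_mixed_pages[72] = { [8] = 0x1A, [9] = 0x0A,
                                                [20] = 0x05, [21] = 0x32 };

static int in_list(const uint8_t *list, size_t n, uint8_t v) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == v) return 1;
    return 0;
}

/* Minimum CDB length implied by the opcode's group code (top three bits). */
static size_t min_cdb_len(uint8_t opcode) {
    static const size_t by_group[8] = { 6, 10, 10, 0, 16, 12, 0, 0 };
    return by_group[opcode >> 5];   /* 0: reserved or vendor-specific group */
}

/* Walk MODE SELECT parameter data: header, block descriptors, then pages.
 * Every page present must be allow-listed; truncated data is refused. */
static int mode_pages_allowed(const uint8_t *d, size_t len, int ten_byte) {
    size_t hdr = ten_byte ? 8 : 4;
    if (d == NULL || len < hdr) return 0;
    size_t off = hdr + (ten_byte ? (((size_t)d[6] << 8) | d[7]) : d[3]);
    if (off >= len) return 0;                       /* no page to inspect */
    while (off < len) {
        size_t left = len - off, plen;
        if (left < 2) return 0;
        if (d[off] & 0x40) {                        /* SPF: sub-page format */
            if (left < 4) return 0;
            plen = 4 + (((size_t)d[off + 2] << 8) | d[off + 3]);
        } else {
            plen = 2 + (size_t)d[off + 1];
        }
        if (plen > left) return 0;
        if (!in_list(allowed_mode_pages, sizeof allowed_mode_pages, d[off] & 0x3F))
            return 0;
        off += plen;
    }
    return 1;
}

/* Verdict for one request: cdb/cdb_len is the command block, data/data_len
 * the data-out buffer (inspected only for MODE SELECT). */
cdb_verdict classify_cdb(const uint8_t *cdb, size_t cdb_len,
                         const uint8_t *data, size_t data_len) {
    if (cdb == NULL || cdb_len == 0 || cdb_len > 16) return CDB_DENY_LENGTH;
    uint8_t op = cdb[0];
    int mode_select = (op == 0x15 || op == 0x55);   /* MODE SELECT(6)/(10) */
    if (!mode_select && !in_list(allowed_opcodes, sizeof allowed_opcodes, op))
        return CDB_DENY_OPCODE;
    if (cdb_len < min_cdb_len(op)) return CDB_DENY_LENGTH;
    if (mode_select && !mode_pages_allowed(data, data_len, op == 0x55))
        return CDB_DENY_MODE_PAGE;
    return CDB_ALLOW;
}

int main(void) {
    printf("READ(10)=%d WRITE(10)=%d vendor=%d\n",
           classify_cdb(sample_read10, 10, NULL, 0),
           classify_cdb(sample_write10, 10, NULL, 0),
           classify_cdb(sample_vendor, 10, NULL, 0));
    printf("MODE SELECT: power=%d write-params=%d mixed=%d\n",
           classify_cdb(sample_modesel, 10, sample_power_page, sizeof sample_power_page),
           classify_cdb(sample_modesel, 10, sample_write_page, sizeof sample_write_page),
           classify_cdb(sample_modesel, 10, sample_mixed_pages, sizeof sample_mixed_pages));
    return 0;
}
```

As the replies in this thread point out, a check like this only sees requests that pass through the filter that hosts it.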


In addition, commercially shipping products with WHQL signatures bypass all
filters below them by using the PDO dev object for their IO target.

=====================
Mark Roddy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Henry Gabryjelski
Sent: Monday, May 23, 2005 1:16 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CD /DVD read only filter

It would be rather difficult to do 100%. You need to define what situations
are going to be blocked (i.e. which applications, etc.)

First, install a lowest-level filter driver on your test machine. Then,
process both IRP_MJ_SCSI (SCSI_REQUEST_BLOCKs) and IOCTL_SCSI_PASS_THROUGH
and IOCTL_SCSI_PASS_THROUGH_DIRECT. All three of these have an embedded
CDB. (You will need to have special code to deal with 32-bit applications
sending the ioctls on 64 bit systems.)

Look at the CDB, and setup a list of “allowed” commands (this avoids
vendor-specific write commands or newly defined write commands getting
through). You would also want to prevent changes to various mode pages –
again, setup an “allowed” list.

In the end, since you cannot prevent filter drivers(*) from loading below
you, or from overwriting the dispatch tables of the port driver(!), you may
have difficulty preventing this entirely without having protection against
the installation of other drivers on the system. i.e. You must have system
security (known set of drivers) before you can have a driver prevent
actions.

Hth,
.

(*) or bus filters, or … This is why you must define the applications
you want to prevent working.

-----Original Message-----
From: ブラウン スコット [mailto:xxxxx@yahoo.co.jp]
Sent: Sunday, May 22, 2005 9:47 PM
Subject: CD /DVD read only filter

Dear Osrlist,

I am trying to write a filter driver which can block attempts to copy data
to a CD. For floppy disks and USB thumbdrives I can use:

if(irpValue == IRP_MJ_WRITE){
NTSTATUS status = STATUS_MEDIA_WRITE_PROTECTED;

but this does not block attempts to burn data on to a CD or DVD. Does
anybody know what the CD equivalent of the above code would be ?

Regards,

Scott



Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Dear Osrlist,

thank you all for your replies.
I have added the filter to the device as an upper filter.
Apart from intercepting IRPs, I have also tried
IoCreateDevice() with FILE_DEVICE_CD_ROM as the device
type and FILE_READ_ONLY_DEVICE as the device
characteristic. However, this did not have any effect.

Are there any simple ways of making a CD or DVD player
read-only ? If not, is there any good source code
available for filtering CDs at the CDB level ?

Regards,

Scott

--- Windows System Software Devs Interest List digest wrote:
> NTDEV Digest for Monday, May 23, 2005.
>
> Subject: Re: CD /DVD read only filter
> From: “David J. Craig”
> Date: Sun, 22 May 2005 22:33:18 -0700
> X-Message-Number: 1
>
> How about letting us know where the filter is located. That is probably
> your problem. It also varies as to which software is being used to do the
> writing.

ブラウン スコット wrote:

> Are there any simple ways of making a CD or DVD player
> read-only ?

Sure: remove it from the computer and install a CD-ROM or DVD-ROM drive.
That is the only reliable way.

> If not, is there any good source code
> available for filtering CDs at the CDB level ?

As was said yesterday, no. Too many applications bypass the driver stack
and talk straight to the lowest-level driver.

This is yet another misguided attempt to limit what users can do with
their own hardware, and it is as doomed to failure as the other queries
we’ve had recently. What is your actual goal? “Making a CD read-only” is
not a goal. That’s just one step toward achieving a goal. If you are
installing computers in a secure environment, where you don’t want users
burning removable media, that is a quite reasonable goal, and my first
suggestion is exactly the right one: don’t allow CD-RW drives in your
computers.

On the other hand, if you are writing an application, and want to be
able to limit the functionality of MY computer, then forget it. I’m not
going to let you do that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The purpose of the filter is for administrators to control
read/write access to CD drives, USB drives etc. on a
company network.

Scott

--- Windows System Software Devs Interest List digest wrote:
> NTDEV Digest for Tuesday, May 24, 2005.
>
>
> Subject: Need help for Windbg
> From: Sharmila Panse
> Date: Mon, 23 May 2005 22:52:34 -0700 (PDT)
> X-Message-Number: 1
>
> Hello,
>
> I have setup graphic Windows debugger WinDbg, on
> 2000
> Professional, and is able to communicate with
> target.
> I have setup host to acess symbol server using
> SRV*\dirnamehttp://msdl.microsoft.com/download/symbols
>
> And set the srcpath to point to the path where my
> .sys
> & .pdb files are located. Now when the target
> reboots,
> the DbgPrints from my driver, loaded on traget
> appear
> on host. But after this I do not know how to do
> source
> level debugging? Also host machine is not finding
> any
> symbols for my driver. I tried to give brakpoint
> using
> bp command but host machine is not able to find
> thoes
> symbols. Any help regarding setting the source level
> debugging would be appreciated.
> .pdb file is generated using checked build
> environment
> of Windows latest DDK.
>
> Thanks
> Sharmila
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com
>
>
----------------------------------------------------------------------
>
> Subject: Re: Need help for Windbg
> From: Anees M
> Date: Tue, 24 May 2005 11:37:52 +0530
> X-Message-Number: 2
>
> ------=_Part_5143_25712456.1116914872276
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: inline
>
> Apart from setting the symbol path for OS symbols,
> you also need to set the=
> =20
> symbol path for your pdb files. And source path
> should be set to point to=
> =20
> your source file directory, and not you symbols and
> sys files.=20
> Once both the symbol path and source path for your
> executables are set, you=
> =20
> should be able to set break points in your code and
> do source level=20
> debugging
> Thanks
> Anees
>
>
> On 5/24/05, Sharmila Panse
> wrote:=20
> >=20
> > Hello,
> >=20
> > I have setup graphic Windows debugger WinDbg, on
> 2000
> > Professional, and is able to communicate with
> target.
> > I have setup host to acess symbol server using
> >
> SRV
\dirname*http://msdl.microsoft.com/download/symbols
> >=20
> > And set the srcpath to point to the path where my
> .sys
> > & .pdb files are located. Now when the target
> reboots,
> > the DbgPrints from my driver, loaded on traget
> appear
> > on host. But after this I do not know how to do
> source
> > level debugging? Also host machine is not finding
> any
> > symbols for my driver. I tried to give brakpoint
> using
> > bp command but host machine is not able to find
> thoes
> > symbols. Any help regarding setting the source
> level
> > debugging would be appreciated.
> > .pdb file is generated using checked build
> environment
> > of Windows latest DDK.
> >=20
> > Thanks
> > Sharmila
> >=20
> >__________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam
> protection around
> > http://mail.yahoo.com
> >=20
> > —
> > Questions? First check the Kernel Driver FAQ at=20
> > http://www.osronline.com/article.cfm?id=3D256
> >=20
> > You are currently subscribed to ntdev as:
> xxxxx@gmail.com
> > To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> >
>
> ------=_Part_5143_25712456.1116914872276
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: inline
>
>

Apart from setting the symbol path for OS
> symbols, you also need to se=
> t the symbol path for your pdb files. And source
> path should be set to poin=
> t to your source file directory, and not you symbols
> and
=== message truncated ==

__________________________________
Do You Yahoo!?
Upgrade Your Life
http://bb.yahoo.co.jp/

ブラウン スコット wrote:

> The purpose of the filter is for administrators to control
> read/write access to CD drives, USB drives etc. on a
> company network.

Then the company should not order read/write CD drives for the computers
it buys. Simple answer.

Remind me never to take a job at that company, however.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You would be surprised at the lengths some companies go to
protect themselves from real or perceived security threats. Data
security is a problem today, and how does a corporation protect
itself from the eventuality that any Tom, Dick or Harry can
insert a pocket USB memory and suck out sensitive data or
intellectual property ?

There are two sides to that coin, mind you.

Alberto.

----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 1:18 PM
Subject: Re: [ntdev] CD /DVD read only filter

> ブラウン スコット wrote:
>
>>The purpose of the filter is for administrators to control
>>read/write access to CD drives, USB drives etc. on a
>>company network.
>>
>>
>
> Then the company should not order read/write CD drives for the
> computers
> it buys. Simple answer.
>
> Remind me never to take a job at that company, however.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

Dear Tim,

I understand your anger, but we have to take into consideration the user
situation. Today almost any computer you buy has optical media recorder
embedded, and I can easily understand that the administrator of a company
network prefers to control recorder usage through software rather than open
each PC case to exchange the recorder by reader. I wouldn’t want to do
hardware changes in the two hundred computers of my company for instance
(although it would be fun to be a recording software company with no
recorder in-house but this is another debate).

Now the helpful restriction of the problem given by Scott is that the
software limitation is intended to be controlled by someone with
administrative privileges. So if this admin does not give its users privileges
to install drivers, we can design a driver which would prevent optical
recording. Or, much easier, the admin can disable IMAPI on the XP boxes and
don’t install 3rd party recording software or select 3rd party recording
software which permits per-user recording rights (anyone running something
not NT-based in a company windows network today?)

For instance, Nero offers for free Nero Burning Rights, a tool which allows
you to configure user group with recording privileges.

Scott, would that solve your problem?

Best regards,

David Burg


David Burg
Software Development,
InCD and Low Level Drivers Project Leader

Nero AG
Im Stoeckmaedle 18
76307 Karlsbad
Germany
phone: +49 (0)7248 928 327 (room line), Internal VoIP -363
fax: +49 (0)7248 928 299
email: xxxxx@nero.com
http://www.nero.com

Subject: Re: CD /DVD read only filter
From: Tim Roberts
Date: Wed, 25 May 2005 10:18:04 -0700
X-Message-Number: 35

ブラウン スコット wrote:

>The purpose of the filter is for administrators to control
>read/write access to CD drives, USB drives etc. on a
>company network.
>
>

Then the company should not order read/write CD drives for the computers
it buys. Simple answer.

Remind me never to take a job at that company, however.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The correct way to do this, in a company network, is to control the software being installed on the machines.

With a known set of software, you can solve this problem, but you will require the assistance of any software which enables writing to the CD/DVD drive.

As far as I can tell, only Nero currently provides a tool (Nero Burning Rights) at this time to allow choosing who can and cannot use their software to write to the CD/DVD drive (at least for mastering).

For “live” file systems, you should move up to user-mode, and modify the ACLs of the volume appropriately. There may be more needed here – you should ask this portion of the question (how to prevent live file system on CD/DVD media based on user ID) on the file system mailing list OSR provides.

Hth,
.

-----Original Message-----
From: ブラウン スコット [mailto:xxxxx@yahoo.co.jp]
Sent: Tuesday, May 24, 2005 11:08 PM
Subject: Re: CD /DVD read only filter

The purpose of the filter is for administrators to control
read/write access to CD drives, USB drives etc. on a
company network.

Scott

You can’t. I was lucky enough to recently finish a grad class focused on
computer security, and a key point to much of the theory is that you
*must* trust the user (person). If a human has access to data, then they
have access to data. There is no way to stop them from disseminating
that data if they chose to do so. Worst case, they memorize it or write
it down on a napkin and take it home. You can try to make it more
difficult to do so, but there is no way to guarantee it.

Security *is* important in regards to problems of Trojan threats, or
regarding people NOT authorized to look at data / modify data, but this
is a different problem.

Regards,
-Mike

Alberto Moreira wrote:

You would be surprised at the lengths some companies go to protect
themselves from real or perceived security threats. Data security is a
problem today, and how does a corporation protect itself from the
eventuality that any Tom, Dick or Harry can insert a pocket USB memory
and suck out sensitive data or intellectual property ?

There are two sides to that coin, mind you.

Alberto.

Exactly. Every attempt to stop people from disseminating data they have access to is doomed to failure. How to stop people, for example, from using cameras in their mobile phones? Miserable quality but probably sufficient for this purpose and much easier than memorizing and faster than writing down. Here in Europe almost everybody has such a handy so having it in work isn’t suspicious at all.

The only way is to properly use access rights and give access only to people who can be trusted. Such a “security software” OP meant doesn’t solve problem cause but the consequence.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Michael Becker[SMTP:xxxxx@hologic.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, May 26, 2005 7:40 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] CD /DVD read only filter

You can’t. I was lucky enough to recently finish a grad class focused on
computer security, and a key point to much of the theory is that you
*must* trust the user (person). If a human has access to data, then they
have access to data. There is no way to stop them from disseminating
that data if they chose to do so. Worst case, they memorize it or write
it down on a napkin and take it home. You can try to make it more
difficult to do so, but there is no way to guarantee it.

Security *is* important in regards to problems of Trojan threats, or
regarding people NOT authorized to look at data / modify data, but this
is a different problem.

Regards,
-Mike

> If a human has access to data, then they
> have access to data. There is no way to stop them from disseminating
> that data if they chose to do so. Worst case, they memorize it or write
> it down on a napkin and take it home.

The solution is you DON’T give access to the DATA, you only give access to
the effect of the data.

For example the private key in a crypto smart card is often not readable.
It’s generated on the card and stays ONLY on the card. You can give the card
the password to prepare the private key for use, and you can ask the crypto
smart card to run the signature algorithm on some data. The result is no
virus or intentional breach can steal the private key, allowing the digital
signature to happen outside the smart card.

- Jan

I’ve got the filter working now.
Thank you to everybody for your helpful advice.

Scott

I absolutely agree!  This is an excellent example of just not giving
the user access to the data.  It’s also my humble opinion that more
effort should go into setting up correct access controls than trying to
prevent a person from using a functionality of the system if they are
allowed to access it in the first place.  If a user shouldn’t be
burning CDs, then set the user’s account up without permission to the
CD-RW drive.  Let the OS do the work of preventing access to data /
devices that shouldn’t be accessed.  (I think / hope Windows allows
this level of access control).

Just my opinion, and we all know what those are like :)

Best Regards,

-Mike

Jan Bottorff wrote:

If a human has access to data, then they
have access to data. There is no way to stop them from disseminating
that data if they chose to do so. Worst case, they memorize it or write
it down on a napkin and take it home.

The solution is you DON’T give access to the DATA, you only give access to
the effect of the data.

For example the private key in a crypto smart card is often not readable.
It’s generated on the card and stays ONLY on the card. You can give the card
the password to prepare the private key for use, and you can ask the crypto
smart card to run the signature algorithm on some data. The result is no
virus or intentional breach can steal the private key, allowing the digital
signature to happen outside the smart card.

- Jan
