hello friends…
I have been working on various file system filter drivers using the IFS kit for 2.5 years, and I believe I am just average at this. But now I have a new project where I need to block access to certain classes of devices, e.g. disable all USB devices or allow only a few USB devices, or disable WiFi and Bluetooth devices which are not in the white list of a company security policy.
I have tried a solution which seems to work…
I created a general purpose device filter driver, and as soon as I get a new device of the target class I attach my filter driver to that device and, based on predefined rules, fail certain create requests. I use IoGetDeviceProperty() to determine the type of hardware and its details.
but
Question 1:
Looking at that particular problem, is the use of a device filter right, or should I look at a class filter…? Is a class filter driver very much distinct from a device filter driver…? There is very little on this topic in any book on drivers. Will you please suggest me some links…!
Question 2:
If a device filter is OK, then I have to detach/attach once more before my filter starts working: New device arrived -> Driver found -> Device installed -> My device filter installed (but not attached until the device is re-inserted) -> Reinsert device -> Device filter working (apply rule). Is there any way I can attach my driver to a new device which is not even installed and attached (externally) to the system yet?
thank you all

I will really appreciate any answer or suggestions.
xxxxx@gmail.com wrote:
Question 1:
Looking at that particular problem, is the use of a device filter right, or should I look at a class filter…? Is a class filter driver very much distinct from a device filter driver…? There is very little on this topic in any book on drivers. Will you please suggest me some links…!
A device filter vs. a class filter, in terms of what you are trying to do and in functionality, is different only in how you install the driver. I would think you need to look at the various classes of devices to which you are going to try and protect access. For instance, you can install your driver for the volume class, and for ANY storage device which loads a driver and registers as a volume class driver, you will be called in your add device routine.
So for any of the classes listed in the MSDN, such as at http://msdn.microsoft.com/en-us/library/ms791134.aspx, you can install your driver to filter these classes as either an upper or a lower filter.
Question 2:
If a device filter is OK, then I have to detach/attach once more before my filter starts working: New device arrived -> Driver found -> Device installed -> My device filter installed (but not attached until the device is re-inserted) -> Reinsert device -> Device filter working (apply rule). Is there any way I can attach my driver to a new device which is not even installed and attached (externally) to the system yet?
Sounds like there is a problem in your installation process.
Pete
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
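As an added example (not code from the thread, from Pete, or from any project), here is the installation step that turns a driver into a class filter rather than a device filter: the service name is appended to the class key's UpperFilters value, so PnP loads it for every device of that class when the stack is built, with no per-device INF and no re-insert. It assumes an already-installed driver service with the placeholder name MyAccessFilter, the Volume setup class GUID, an elevated session, and a Windows version that ships Get-PnpDevice.

```powershell
# Added example, not from the original thread. Registers an existing kernel
# driver service as an upper class filter for one device setup class.
# Assumptions: run elevated; the service (placeholder name "MyAccessFilter")
# was already created by an INF or sc.exe; the class GUID is the Volume class.
param(
    [string]$ServiceName = 'MyAccessFilter',
    [string]$ClassGuid   = '{71A27CDD-812A-11D0-BEC7-08002BE2092F}'   # Volume
)

$classKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $classKey)) {
    throw "Setup class $ClassGuid is not present on this machine."
}
# A filter whose service is missing makes every stack of the class fail to
# start on the next enumeration, so refuse to register it.
if (-not (Test-Path $serviceKey)) {
    throw "Driver service '$ServiceName' is not installed."
}

# UpperFilters is REG_MULTI_SZ; preserve existing filters, append ours once.
$existing = @(@((Get-ItemProperty -Path $classKey -Name UpperFilters `
                   -ErrorAction SilentlyContinue).UpperFilters) |
              Where-Object { $_ })
if ($existing -contains $ServiceName) {
    Write-Host "$ServiceName is already an upper filter for class $ClassGuid"
} else {
    Set-ItemProperty -Path $classKey -Name UpperFilters `
        -Value ([string[]]($existing + $ServiceName)) -Type MultiString
    Write-Host "Registered $ServiceName as upper filter for class $ClassGuid"
}

# Devices of this class that are already present keep their current stack
# until they are restarted (disable/enable in Device Manager or reboot);
# devices arriving later get the filter when their stack is built.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.ClassGuid -eq $ClassGuid } |
    ForEach-Object { Write-Host "Restart to apply filter: $($_.InstanceId)" }
```

The same registry value is what an INF's AddReg section writes during a class filter install; writing it by script only makes sense while developing, since removing the service without removing the value leaves the class unstartable.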
> devices like disable all USB Devices or allow few USB Devices. OR Disable WIFI and BlueTooth
> devices which are not in the white list of a company security policy.
There is no generic way of filtering all of these. Each device class will require its own filtering architecture.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Maxim S. Shatskih wrote:
> devices like disable all USB Devices or allow few USB Devices. OR Disable WIFI and BlueTooth
> devices which are not in the white list of a company security policy.
> There is no generic way of filtering all of these. Each device class will require its own filtering architecture.
Not necessarily true; it depends on what aspect you are trying to filter. If you are trying to eliminate ‘all’ access, then a simple filter driver which has a generic dispatch routine for all IRPs and fails all requests will work across all devices. Of course this is a bit of a brute force method, but it is possible to implement a single filter that can perform access control across a wide variety of classes of devices.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
> filter. If you are trying to eliminate ‘all’ access then a simple filter
> driver which has a generic dispatch routine for all irps and fails all
> requests will work across all devices.
Across NDIS?
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Brute force won’t work for Bluetooth devices, which you use a socket to talk to; you are filtering the wrong devobj. There are group policy mechanisms in place to control device access, much easier to use than a driver.
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: Peter Scott
Sent: Tuesday, April 07, 2009 7:22 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] class filter or device filter…??
Maxim S. Shatskih wrote:
>> filter. If you are trying to eliminate ‘all’ access then a simple filter
>> driver which has a generic dispatch routine for all irps and fails all
>> requests will work across all devices.
> Across NDIS?
Well, if you implement an NDIS IM filter, failing every IRP which comes in, it will prevent anything from accessing the adapter you are sitting above. But we are talking here about class filters, so if you are thinking about one of the ‘Net’ classes, then yes, the above filter would probably break enough of the functionality that it would prevent access.
I did say it is a brute force approach to fail everything and most likely not a good design in a commercial product, but with a bit of tweaking it can be done. I have implemented such a filter across several disparate classes of devices with success.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Doron Holan wrote:
> Brute force won’t work for Bluetooth devices, which you use a socket to talk to; you are filtering the wrong devobj. There are group policy mechanisms in place to control device access, much easier to use than a driver.
True, but if you fail the initialization processing for the device, such as the PnP requests going to the device, then you can control access to it, no? Like I said, brute force but doable.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
For what the OP wants (selectively allow specific bth devices through), brute force does not work because there is no 1:1 relationship between a device stack and a bth device; all communication for all devices goes through one devobj.
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: Peter Scott
Sent: Tuesday, April 07, 2009 7:35 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] class filter or device filter…??
thank you for your replies …
IRP_MJ_CREATE is a very initial requirement when any application wants to use the device, and if the filter driver intercepts this and returns STATUS_ACCESS_DENIED then I think the purpose is achieved.
I know that this will not be applicable when the device handle has already been requested and opened, because after that no IRP_MJ_CREATE request will come from the application.
I am putting so much stress on IRP_MJ_CREATE because this is the only IRP which is certainly common to acquiring any resource in the system.
The device filter driver which I am using is based on Oney’s FILTER sample; I hope all are familiar with the architecture of this. It has all the PnP routines and power handling, and an AddDevice() function with the chain of device extensions.
If I attach this filter to the MODEM class, then will that work, or what happens when there are TWO modems in the system? Will IRP requests follow the same path as in the device filter?
I mean, in the device filter, code sections of the driver get executed in the context of device objects, so we can differentiate there that this request is coming from that device.
I think brute-forcing is relevant in my scenario; alternatively I can manipulate a few IOCTLs of specific classes so that a particular device does not work.
Is there any chance that I can allow a certain user to use the device and deny another at the same time… if both are logged in from a terminal? I am not sure whether, when a certain user is accessing some device, all CREATE requests and other IOCTLs are processed in the context of the USER or the SYSTEM account…???
thank you all…

Create IRPs only come down if an app opens a handle to the device; there are many stacks which operate autonomously and never see a create IRP. If you want to control which users use a device, there is no need for a filter. There is group policy, and you can manually ACL the device class or particular device instances to limit access.
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, April 08, 2009 2:14 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] class filter or device filter…??