Device IO Controls.

Hi All,
I have a function driver which exposes a bunch of IOCTLs. The question that I have is: can someone write a filter driver on top of my function driver and monitor/capture data that my application is sending me using the private IOCTL interfaces (assuming that they have information regarding the data structures that I use)?

My understanding is that it cannot be done but I am not sure about it.

Any pointers are appreciated.
– Ajitabh.

Yes of course it can be done.

Mark Roddy

On Fri, Feb 5, 2010 at 4:07 PM, Ajitabh Saxena wrote:
>
> Hi All,
> I have a function driver which exposes a bunch of IOCTLs. The question that I have is: can someone write a filter driver on top of my function driver and monitor/capture data that my application is sending me using the private IOCTL interfaces (assuming that they have information regarding the data structures that I use)?
>
> My understanding is that it cannot be done but I am not sure about it.
>
> Any pointers are appreciated.
> – Ajitabh.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

Yup, and there is nothing you can do about it in your driver. No matter what you try to do, a filter driver can undo it. Both drivers are running at the same level of trust in the OS and, as a result, both are on equal footing.

d


So from the IO Manager perspective, does it create as many IO stack locations as there are drivers in the driver stack and then call the top-level driver in the stack?

– Aj.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Friday, February 05, 2010 1:17 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Device IO Controls.

Yup, and there is nothing you can do about it in your driver. No matter what you try to do, a filter driver can undo it. Both drivers are running at the same level of trust in the OS and, as a result, both are on equal footing.

d


No, it is not necessarily true that the IO manager will provide sufficient
stack locations to accommodate the unplanned filter driver.

However, even if there are insufficient stack locations the filter driver
can allocate a “proxy IRP” or “relay IRP” of its own, initialize it with
the original IRP’s data (or something of its own fabrication), send it down,
intercept its completion and then complete your original IRP (which it
saved…) with whatever information it desired.

This assumes that the filter driver has enough knowledge of your IOCTLs and
data structures to spoof them.

Good luck,

Thomas F. Divine
http://www.pcausa.com



Yes, that is what the DEVICE_OBJECT::StackSize field is for.

d


If the filter attaches (by following the rules) when the stack is being built by PnP, there will always be enough stack locations in the IRPs sent by the IO manager. There will not always be enough stack locations if you are attaching after the stack has been started or there are existing handles (for a legacy device which does not have clear starting semantics).

d
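
Added example (not written by any poster in this thread): a simplified user-mode C model of the stack-location accounting discussed above, showing why an IRP sized from the current top-of-stack StackSize reaches the function driver while one sized from a value read before a filter attached runs out. The names `Device`, `attach_on_top`, `send_irp` and `demo` are hypothetical, and this is a model, not kernel code.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: one entry per device object in a stack. */
typedef struct Device {
    const char *name;
    struct Device *lower;  /* next device down, NULL at the bottom */
    int stack_size;        /* models DEVICE_OBJECT::StackSize */
} Device;

/* Models attaching a filter on top of a stack. In WDM,
   IoAttachDeviceToDeviceStack sets the new device's StackSize to the
   lower device's StackSize plus one. */
static void attach_on_top(Device *filter, Device *lower) {
    filter->lower = lower;
    filter->stack_size = lower->stack_size + 1;
}

/* Walks an IRP that was allocated with `locations` stack locations down
   from `top`; every driver on the path consumes one location.
   Returns the number of drivers reached, or -1 if the locations run out
   first (a real kernel bug-checks with NO_MORE_IRP_STACK_LOCATIONS). */
static int send_irp(const Device *top, int locations) {
    int reached = 0;
    for (const Device *d = top; d != NULL; d = d->lower) {
        if (locations == 0)
            return -1;
        locations--;
        reached++;
    }
    return reached;
}

/* A sender reads StackSize, then a filter attaches afterwards.
   use_stale_size != 0 sizes the IRP from the value read earlier. */
static int demo(int use_stale_size) {
    Device fdo = { "function driver", NULL, 1 };
    Device filter = { "late filter", NULL, 0 };
    const Device *top = &fdo;
    int cached = top->stack_size;   /* read before the filter exists */

    attach_on_top(&filter, &fdo);
    top = &filter;
    return send_irp(top, use_stale_size ? cached : top->stack_size);
}

int main(void) {
    printf("sized from current top: %d\n", demo(0));
    printf("sized from stale value: %d\n", demo(1));
    return 0;
}
```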


Got it.
Thanks for the quick refresher!!

– Ajitabh
