filter driver installations

> 2. I was also wondering if PsSetLoadImageNotifyRoutine could be a good choice - but probably it won’t, since this API is called BEFORE the driver will be loaded - right?

Yes, it is a good choice; at least some old open-source disk encryptor (TrueCrypt? DCrypt?) uses this to filter the crash dump/hiberfile paths.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Tim, thank you again,

Well, these are undocumented structures; I’ve also found these two: IoDeviceObjectType and IoDriverObjectType… so I’m gonna check them.

IoFileObjectType is working properly - I mean it is working as a handle-creation notifier (I’ve already checked it). So my first idea was to check if a handle was opened for the driver I would like to track (the sys file) and then try to attach - I haven’t checked it yet - but I think it won’t work because it seems to be too early (handle creation is not the same time as service creation, right?), so I thought you could help me here and give me some advice :slight_smile:

Today I’m going to check if my assumption on IoFileObjectType is correct and check IoDeviceObjectType and IoDriverObjectType also.

Maxim,
Thank you for your input.
Are you sure it is a good choice? I think that this is too early - since the image of the sys file is already loaded into memory, but it doesn’t mean that the driver entry point is called and the device object is created - right? Please correct me if I’m wrong.

Thank you so much!
joe joe

> IoFileObjectType is working properly - I mean it is working as a handle-creation notifier (I’ve already checked it).

Using Ob callbacks to implement the filter driver is like using an oscilloscope to watch movies.

> Are you sure it is a good choice? I think that this is too early - since the image of the sys file is already loaded into memory,
> but it doesn’t mean that the driver entry point is called and the device object is created - right?

Yes. A good place to hook DriverEntry, which was the only way of filtering hiber/crash writes on pre-Vista.

Now about filter drivers. If you’re filtering the PnP devnode - register as a PnP filter.

If not so - then the classic NT4 way is to know the name of the device you’re filtering (anyway the non-PnP devices have some naming contract) and use IoAttachDevice.

No hooks, no Ob callbacks.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
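As an added example (not code from the thread or from any of its posters), here is the classic legacy filter Maxim describes: attach by device name with IoAttachDevice in DriverEntry and pass every IRP down the stack. The target name \Device\ExampleTarget is an assumption standing in for whatever naming contract the real non-PnP driver follows; the code builds against the WDK headers and only logs IOCTL codes, it does not alter requests.

```c
/* Added example: a minimal legacy (non-PnP) filter attached by device name.
 * \Device\ExampleTarget is a placeholder; the real target name comes from
 * the driver being filtered. Build with the WDK (ntddk.h). */
#include <ntddk.h>

typedef struct _FILTER_EXTENSION {
    PDEVICE_OBJECT LowerDeviceObject;   /* the device we sit on top of */
} FILTER_EXTENSION, *PFILTER_EXTENSION;

static PDEVICE_OBJECT g_FilterDevice = NULL;

/* Pass the IRP down unchanged; a real filter would inspect selected IOCTLs. */
static NTSTATUS FilterPassThrough(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PFILTER_EXTENSION ext = (PFILTER_EXTENSION)DeviceObject->DeviceExtension;
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(ext->LowerDeviceObject, Irp);
}

/* Log the control code for visibility, then forward the request as-is. */
static NTSTATUS FilterDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    DbgPrint("filter: IOCTL 0x%08X\n",
             stack->Parameters.DeviceIoControl.IoControlCode);
    return FilterPassThrough(DeviceObject, Irp);
}

static VOID FilterUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    if (g_FilterDevice != NULL) {
        PFILTER_EXTENSION ext = (PFILTER_EXTENSION)g_FilterDevice->DeviceExtension;
        IoDetachDevice(ext->LowerDeviceObject);
        IoDeleteDevice(g_FilterDevice);
        g_FilterDevice = NULL;
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    /* Placeholder target name (assumption, see lead-in). */
    UNICODE_STRING targetName = RTL_CONSTANT_STRING(L"\\Device\\ExampleTarget");
    PFILTER_EXTENSION ext;
    NTSTATUS status;
    ULONG i;

    UNREFERENCED_PARAMETER(RegistryPath);

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = FilterPassThrough;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FilterDeviceControl;
    DriverObject->DriverUnload = FilterUnload;

    status = IoCreateDevice(DriverObject, sizeof(FILTER_EXTENSION), NULL,
                            FILE_DEVICE_UNKNOWN, 0, FALSE, &g_FilterDevice);
    if (!NT_SUCCESS(status))
        return status;
    ext = (PFILTER_EXTENSION)g_FilterDevice->DeviceExtension;

    /* IoAttachDevice opens the named device and places our device above it
     * (StackSize is adjusted for us). It fails if the target driver has not
     * created the device yet, which is the timing problem this thread is
     * about: the filter has to be loaded after the target, not before. */
    status = IoAttachDevice(g_FilterDevice, &targetName, &ext->LowerDeviceObject);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(g_FilterDevice);
        g_FilterDevice = NULL;
        return status;
    }

    /* Mirror the lower device's buffering method so the I/O manager
     * prepares buffers the way the target expects. */
    g_FilterDevice->Flags |= ext->LowerDeviceObject->Flags
                             & (DO_BUFFERED_IO | DO_DIRECT_IO);
    g_FilterDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}
```

Because the attach happens in DriverEntry, this only works when the filter's service is started after the target's device already exists; for a device that appears in Device Manager the supported route is a PnP filter (upper/lower filter registration and IoAttachDeviceToDeviceStack from AddDevice), as the thread says.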

OK. I think it can work; however, it is still not a legal solution, since we have to use a hijack.

  1. starting from how OBJECT_TYPE structure looks like:
    typedef struct _OBJECT_TYPE
    {
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
    ULONG Key;
    EX_PUSH_LOCK ObjectLocks[32];
    } OBJECT_TYPE, *POBJECT_TYPE;

  2. Now take a look on TypeInfo (I have taken it from http://www.nirsoft.net/kernel_struct/vista/OBJECT_TYPE_INITIALIZER.html) structure
    typedef struct _OBJECT_TYPE_INITIALIZER
    {
    WORD Length;
    UCHAR ObjectTypeFlags;
    ULONG CaseInsensitive: 1;
    ULONG UnnamedObjectsOnly: 1;
    ULONG UseDefaultObject: 1;
    ULONG SecurityRequired: 1;
    ULONG MaintainHandleCount: 1;
    ULONG MaintainTypeList: 1;
    ULONG ObjectTypeCode;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    LONG * OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    LONG * ParseProcedure;
    LONG * SecurityProcedure;
    LONG * QueryNameProcedure;
    UCHAR * OkayToCloseProcedure;
    } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

but in this structure there is one hidden bit:
ULONG SupportCallbacks: 1;

  3. Now in the driver, if we take IoDeviceObjectType (probably we have to declare it as extern), cast it to OBJECT_TYPE with the fixed OBJECT_TYPE_INITIALIZER and set the SupportCallbacks bit, we should be able to use it in ObRegisterCallbacks.

  4. Now just use it :slight_smile: I’ve checked it on IoDeviceObjectType and it seems to work - I mean I see the callback invoked when the driver is loaded (I hadn’t time to check everything).

What do you think?

joe joe

Maxim, thank you for your response.

Can you please give me additional links or tips on how to ‘hook’ DriverEntry in the PsSetLoadImageNotifyRoutine callback? Sorry, I’m new to driver development, so if you’re saying something like ‘hook DriverEntry’ I’m not really sure what your point of view is.

Thank you!
joe joe

> Can you please give me additional links or tips on how to ‘hook’ DriverEntry in the PsSetLoadImageNotifyRoutine callback?

TrueCrypt source.

NOTE: this is a very special way, only used for hiberfil, since there was no pre-Vista supported means of hiber file write filtering, and, with Vista+, they do exist (fvevol.sys uses them), but undocumented.

If you need to filter a WDM driver whose device is in the Device Manager - then just use a plain PnP filter and do not bother about Ob callbacks.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

This is way off into undocumented, unsupported, likely to break without any warning land. Do not do this.

  • S (Msft)

-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, August 31, 2011 0:38
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] filter driver installations


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Maxim S. Shatskih wrote:

> Now about filter drivers. If you’re filtering the PnP devnode - register as a PnP filter.
>
> If not so - then the classic NT4 way is to know the name of the device you’re filtering (anyway the non-PnP devices have some naming contract) and use IoAttachDevice.
>
> No hooks, no Ob callbacks.

The key problem – and it’s one that has been presented here before –
is that he needs to know when it is safe to do that. The application
does this:
  OpenServiceManager
  CreateService
  StartService
  CreateFile
  DeviceIoControl

So, he needs to do the attach between the StartService call and the
DeviceIoControl, and that might be a very short interval. I’m not
convinced that can be done without hooking or callbacks.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You have to admit that it sounds like a lot of fun though (as long as
you are not worried about product liability). :slight_smile:

On 8/31/2011 10:52 AM, Skywing wrote:

> This is way off into undocumented, unsupported, likely to break without any warning land. Do not do this.
>
>   • S (Msft)

Well, right up to the point where it causes a compatibility headache for customers, sure :slight_smile:

  • S

-----Original Message-----
From: George M. Garner Jr.
Sent: Wednesday, August 31, 2011 15:46
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] filter driver installations
