> How in the world do I tell that a WPD storage device is actually USB connected?
In Device Manager, display the devices based on their connection so that you can walk the device tree up from the iPhone to the USB hub.
Here is a USB stack example:
https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/device-object-example-for-a-usb-mass-storage-device
A USB device without an inbox driver is limited to interacting with the USB core stack's detection and initial configuration of the device. If the device can attack the OS at this stage, it doesn't matter whether you have a bus filter driver loaded or not, as it happens before the PDO loads.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, June 8, 2017 2:10 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB devices
Doran,
Also, it isn't driver loading I am worried about. It is USB devices and their traffic. Drivers are controlled. I skimmed your post and was thinking devices were being controlled. Drivers are not a concern. But USB devices can do incredibly dangerous things with inbox drivers.
-Fred
—
NTDEV is sponsored by OSR
Visit the list online at: https:
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:
To unsubscribe, visit the List Server section of OSR Online at https:
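The "walk the device tree up from the iPhone to the USB hub" check above can be scripted instead of clicking through Device Manager. The following is an added example, not code from the thread or from any poster; it assumes Windows 10 or later with the built-in PnpDevice cmdlets, and uses the WPD class GUID quoted later in the thread.

```powershell
# Added example (not from the thread): for every present WPD-class device,
# follow DEVPKEY_Device_Parent up to the root and report whether any node on
# the way is enumerated by the USB bus driver (instance ID beginning "USB\").
# Assumes Windows 10+ with the PnpDevice module (Get-PnpDevice, Get-PnpDeviceProperty).

$WpdClassGuid = '{EEC5AD98-8080-425F-922A-DABF3DE3F69A}'   # WPD setup class (quoted in the thread)

function Get-PnpParentChain {
    param([Parameter(Mandatory)][string]$InstanceId)
    # Returns the instance IDs from the device itself up to the root devnode,
    # one DEVPKEY_Device_Parent hop at a time.
    $chain   = @()
    $current = $InstanceId
    while ($current) {
        $chain += $current
        $parent = (Get-PnpDeviceProperty -InstanceId $current -KeyName 'DEVPKEY_Device_Parent' `
                       -ErrorAction SilentlyContinue).Data
        if ($parent -eq $current) { break }   # defensive: never loop on a self-referencing node
        $current = $parent
    }
    return $chain
}

function Test-DeviceIsUsbAttached {
    param([Parameter(Mandatory)][string]$InstanceId)
    # True when the device or any ancestor was enumerated by the USB stack
    # (hub, composite parent, or the device node itself under usbccgp).
    $chain = Get-PnpParentChain -InstanceId $InstanceId
    return [bool]($chain | Where-Object { $_ -like 'USB\*' })
}

# Report each present WPD device with its bus attachment and full parent chain.
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.ClassGuid -eq $WpdClassGuid } |
    ForEach-Object {
        $chain = Get-PnpParentChain -InstanceId $_.InstanceId
        [pscustomobject]@{
            Name        = $_.FriendlyName
            InstanceId  = $_.InstanceId
            UsbAttached = [bool]($chain | Where-Object { $_ -like 'USB\*' })
            ParentChain = ($chain -join ' <- ')
        }
    } | Format-List
```

A WPD device that does not show a `USB\` node anywhere in its chain (for example one exposed through a software-enumerated bus) is the case the thread's question is about, and the parent chain in the output tells you which bus it actually hangs off.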
Ah, I get what you are shooting at. Certainly, there is a limit to what we can protect. But my main point is that we cannot limit things like storage devices in particular. Once you let the inbox file system load, you are in a whole new world of security issues. So we have to deal from that front. The idea, obviously, is to let these devices operate, but protect as best we can. Prevent devices from doing unexpected things, and protect from people doing things they should not. We cannot depend on ACLs and restrictions for this either. This has to be a fallback, essentially. You folks have been massively successful in pushing Windows to the world. Now, unfortunately, there is no way to rein in bad setups. They are massive, critical, and they cannot be depended upon. That is why we have breaches occurring at breakneck pace. Other solutions have to be implemented, even though they aren't "correct". It just is what it is, and I know that means more people messing around in your kernel and that is not desirable, but it's reality. And so, you have to determine whether you will provide help to those of us fighting this battle, or keep us blind. I will get the job done either way. There are certain things that reversing won't tell you that might be good to know, but we have gotten by pretty well without it so far.
Not trying to rant, but there is a whole security landscape out there that I just don’t think anyone understands very well.
Anyway, interesting: I tried to send IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS to the disk device for my iPhone in my minifilter and it fails with STATUS_INVALID_DEVICE_REQUEST. WPD is kind of a strange animal, no?
xxxxx@gmail.com wrote:
> 2) WPD devices were never meant to be filtered from the kernel?
> Are you sure? I know about an antivirus that does this along with many other device classes.
Antivirus systems do many ugly, nefarious things that were not meant to
be done.
HKLM, System\CurrentControlSet\Control\Class\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}, UpperFilters, 0x00010008, %ServiceName% ; WPD
The key here is that the WPD driver is a UMDF driver. Its upper surface
lives in user-mode, but that surface doesn’t speak URBs anyway. The
lower surface speaks URBs, but you’d need to insert yourself below the
UMDF proxy.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Fred Fryser wrote:
> Not trying to rant, but there is a whole security landscape out there that I just don't think anyone understands very well.
Dear Mr. Fryser. Please believe that you are not the first person having this requirement, and not even in the first hundred. Almost every "security" company and startup feels obliged to manage USB devices. Some of them eventually came to understand this stuff pretty well because, er… they also develop clever USB-based attacks. As Mr. Roberts suggested, there's nothing better than sealant in the ports. And even this may not be good enough.
Good luck, Mr. Fryser.
– pa
Actually, there are other approaches than sealant, I know of a company that
can apply a lock with its own separately wired alarm system. Of course one
of my clients has the best approach, no cell phone or any USB device allowed
in or out of the building, with a search that puts TSA to shame in each
direction.
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@fastmail.fm
Sent: Thursday, June 08, 2017 7:23 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB devices
Fred Fryser wrote:
> Not trying to rant, but there is a whole security landscape out there that I just don't think anyone understands very well.
Dear Mr. Fryser. Please believe that you are not the first person having this requirement, and not even in the first hundred. Almost every "security" company and startup feels obliged to manage USB devices. Some of them eventually came to understand this stuff pretty well because, er… they also develop clever USB-based attacks. As Mr. Roberts suggested, there's nothing better than sealant in the ports. And even this may not be good enough.
Good luck, Mr. Fryser.
– pa
OP,
Have you ever heard of Google? If you had spent 5 seconds searching you would have immediately found not only an answer to your questions but also source code that you could use as a reference:
https://github.com/desowin/usbpcap/tree/master/USBPcapDriver
However, you chose to post your questions here and, certainly, to be told that your goal is infeasible and undoable, plus to hear all the "exciting" stuff that you normally hear from the usual suspect (OK, I'll shut up now, otherwise again I will be accused of trolling)…
Anton Bassov
C’mon… the OP’s question is entirely reasonable.
Filtering USB devices at the bus level is tricky, but it can be done. If it’s a matter of security, you certainly don’t have to understand the protocol for every USB device class.
Peter
OSR
@OSRDrivers
> Filtering USB devices at the bus level is tricky, but it can be done. If it's a matter of security, you certainly don't have to understand the protocol for every USB device class.
I think it has been done for security purposes quite a few times. The first time I heard about something like that was around 15 years ago, and the product was called "Sanctuary Device Control" (it was developed by Securewave):
https://www.lumension.com/Legacy_Landing_Pages/139652.aspx
Subsequently I came across numerous adverts describing and promoting products with comparable functionality…
Anton Bassov