Filtering USB

Hi guys,

I posted a little while back about a filter driver that I’m writing that looks at SCSI passthrough commands sent to a SCSI device, and then handles some of the data being returned from the device, i.e. looking at the data returned from certain inquiry commands. I got that working fine, but now I’m trying to run the same thing on a USB device, but I’m only seeing certain IRP’s sent to the drive.

I’ve got the driver sitting as a lower filter on the USB controllers stack. What I want to do initially is see the Test Unit Ready commands being sent by Windows RSM service (and ultimately all the traffic sent to the device). Because I can see all the traffic sent to my SCSI device properly, I’m assuming that this doesn’t quite work for the USB device because of where I’ve sat the filter driver. If anyone could advise on whether I need to put the driver elsewhere that would be great. I’m able to see a few IRP_MJ_PNP’s and the occasional IRP_MJ_SCSI but I’m not able to see the TUR commands from Windows which is odd…

Many thanks,

Al.

You do not want to be a lower filter below the USB host controller. I am surprised you saw any IRP_MJ_SCSI IRPs at all; I am guessing you actually saw IRP_MJ_INTERNAL_DEVICE_CONTROLs, which are the same value, but not SCSI SRB requests. You want to be a device lower filter below usbstor.sys. You will see all I/O to the device in the form of URBs.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.co.uk
Sent: Wednesday, September 24, 2008 9:16 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Filtering USB

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Yes I think you’re right that I’m seeing MJ_INTERNAL_DEVICE_CONTROLs, not MJ_SCSI’s. When you say “You want to be a device lower filter below usbstor.sys”, can you explain how I go about sitting my driver in that exact position? At the moment I’m manually editing the registry to sit the driver as either an UpperFilter or LowerFilter on the different classes, I’m not sure how to go about putting the driver below usbstor.sys.

Thanks,

Al

Ugh. Typically you do this with an INF install, not by hacking the registry. To manually add it by hand, open the enum key. Look under usb and find the device instance path for your mass storage device (you can get the path by opening up device manager, opening the properties for the device, Details tab, select Device Instance Path). Open that path and then manually add a “LowerFilters” reg multi sz value and your driver as its contents.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.co.uk
Sent: Wednesday, September 24, 2008 10:33 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB


Ok thanks for that. I see that doing it the registry way is not the easiest! I can’t actually do that as you said in fact, regedit tells me that it can’t write new values to that key. I’ve been using an INF for the SCSI device filter, which adds the filter driver into the SCSI class, and I can change the stuff in that INF to put the driver in the USB class, but I’m not sure how to add values to the enum key (if that method still applies when doing it with the INF file?). Could you tell me what I need to put in the INF file to do this?

Thanks,

Al

Look at the AddReg section in the INF docs about how to add a device lower filter.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.co.uk
Sent: Wednesday, September 24, 2008 11:56 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB


Ok, I can probably get that working for the device, thanks for the tip. Would it be possible to add my filter below the usbstor.sys driver as you mentioned for all USB devices? So that I could selectively capture from any device below it? Obviously I can use this method for adding the driver to a single device, it would be great if I could capture any device though.

Al

No, there is no documented way to add yourself as a filter for all USB devices in the tree. There is a way to do this by becoming a bus filter driver, but that is not msft supported and is very difficult to get right and test properly.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.co.uk
Sent: Wednesday, September 24, 2008 12:14 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB


xxxxx@live.co.uk wrote:

Ok, I can probably get that working for the device, thanks for the tip. Would it be possible to add my filter below the usbstor.sys driver as you mentioned for all USB devices? So that I could selectively capture from any device below it? Obviously I can use this method for adding the driver to a single device, it would be great if I could capture any device though.

You need to stand back and think about what “above” and “below” mean here.

Usbstor.sys is a mass storage driver from above. That means you get
mass storage type requests. An upper filter will see IRP_MJ_SCSI.

But from below, usbstor.sys is talking to the USB hub/controller stack.
At the lower end, it’s just a generic USB device. It’s not a storage
device any more. That means a lower filter is going to see URBs via
IRP_MJ_INTERNAL_DEVICE_CONTROL.

So, the answer to your question depends on what it is you expect to filter.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Well, the only reason I ask if this can be done for all USB devices is because what I am trying to achieve from the filter driver is changing some of the inquiry data sent back to the OS from the device. I need to change the name of the device that it reports, so it might be tricky to hook the driver on to a particular device name in the registry, if that name is going to be changed by the filter driver… I’ll have a play and see if it works though!

Al

Also… I’ve tried the following AddReg line in my INF, but it doesn’t actually add the data to my registry for some reason.

[rdxsim.AddReg]
HKLM, System\CurrentControlSet\Enum\USB\Vid_058f&Pid_6387\0F28788D, LowerFilters, 0x00010008, rdxsim

Could somebody help me with why this is not working?

Thanks

Al

xxxxx@live.co.uk wrote:

Well, the only reason I ask if this can be done for all USB devices is because what I am trying to achieve from the filter driver is changing some of the inquiry data sent back to the OS from the device. I need to change the name of the device that it reports, so it might be tricky to hook the driver on to a particular device name in the registry, if that name is going to be changed by the filter driver… I’ll have a play and see if it works though!

If you need to change the name in the string descriptors, that’s a
low-level USB operation. You’d need to be fairly low in the device stack.

If you need to change the SCSI-type disk device name, that’s a
mass-storage operation. You’d need to be fairly high in the device stack.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Exactly what I was going to say ;)… Furthermore, why do you want to change the name? For UI purposes? You can do that with an INF and no driver whatsoever in that case.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Thursday, September 25, 2008 9:55 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Filtering USB


That is not how you do it. Look in %windir%\inf\msports.inf for how serenum is added as an upper filter. You use HKR and you do not specify the full path (imagine how that would work generically…it could not)

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.co.uk
Sent: Thursday, September 25, 2008 7:29 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB


Hi again,

Sorry for leaving this topic for a while, I’ve spent ages trying to get this to work, but I’m still not getting anywhere. I’ve tried using the method you suggested Doron, following the msports.inf example, but I’m clearly doing something wrong still!

I’ve pasted the INF that I’m using below, if you could tell me what I’m missing that’d be great.

Many thanks,

Al.

; RDXSIM inf file
[Version]
Signature = "$Windows NT$"
Class = USB
ClassGUID = {36FC9E60-C465-11CF-8056-444553540000}
Provider = %msft%
DriverVer = 08/06/2008,5.1.2600.0

;
; General installation section
;

[DefaultInstall.NT]
CopyFiles = @rdxsim.sys
Addreg = rdxsim.AddReg

[DestinationDirs]
DefaultDestDir = 12

[rdxsim.NT.HW]
AddReg=rdxsim.NT.HW.AddReg

[rdxsim.NT.HW.AddReg]
HKR,"UpperFilters",0x00010008,"rdxsim"

[rdxsim.Service.Install]
DisplayName = %service_desc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\rdxsim.sys
LoadOrderGroup = PNP Filter

; Service installation section

[DefaultInstall.NT.Services]
AddService = rdxsim, , rdxsim.Service.Install

[rdxsim.Service.Install]
DisplayName = %service_desc%
ServiceType = 1
StartType = 0
ErrorControl = 0
ServiceBinary = %12%\rdxsim.sys
LoadOrderGroup = "PnP Filter"

[SourceDisksFiles]
rdxsim.sys=1

; Win2000

[SourceDisksNames]
1 = %diskid1%,\i386

; WinXP and later

[SourceDisksNames.x86]
1 = %diskid1%,\i386

[SourceDisksNames.ia64]
1 = %diskid1%,\ia64

[SourceDisksNames.amd64]
1 = %diskid1%,\amd64

;
; Localizable Strings
;

[Strings]

msft = "Microsoft Corporation"
service_desc = "RDXSIM Filter Driver"
diskid1 = "Microsoft Corp. Installation Disk #1 (rdxsim)"

I am pretty sure you need a mfg section and you need to match against a hardware ID like any other pnp device stack.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.co.uk
Sent: Thursday, October 16, 2008 5:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Filtering USB


xxxxx@live.co.uk wrote:

Sorry for leaving this topic for a while, I’ve spent ages trying to get this to work, but I’m still not getting anywhere. I’ve tried using the method you suggested Doron, following the msports.inf example, but I’m clearly doing something wrong still!

Your INF doesn’t look anything like msports.inf.

[DefaultInstall.NT]
CopyFiles = @rdxsim.sys
Addreg = rdxsim.AddReg

We’ve seen quite a rash recently of people who think drivers can be
installed using the [DefaultInstall] section. It ain’t so. If you’re
installing this on a piece of hardware, then you need to have a PnP ID.
[DefaultInstall] is for installing software.

[rdxsim.NT.HW]
AddReg=rdxsim.NT.HW.AddReg

[rdxsim.NT.HW.AddReg]
HKR,"UpperFilters",0x00010008,"rdxsim"

For example, where do you think this registry entry is going to be
written? The .HW key is used to add registry keys to the hardware
registry key for a device, but nothing in here has told the system what
device you will be handling. And, in fact, you CANNOT do so using
[DefaultInstall].


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Ok, thanks Tim. I’m clearly way off from what I’m trying to achieve here then. Am I right in saying then that “USB\Vid_058f&Pid_6387\0F28788D” is the hardware registry key I should be using, as you mentioned? And if [DefaultInstall] is not the correct method for installing this filter driver, what is the correct method? Do you have any examples of something similar?

Al

xxxxx@live.co.uk wrote:

Ok, thanks Tim. I’m clearly way off from what I’m trying to achieve here then. Am I right in saying then that “USB\Vid_058f&Pid_6387\0F28788D” is the hardware registry key I should be using, as you mentioned? And if [DefaultInstall] is not the correct method for installing this filter driver, what is the correct method? Do you have any examples of something similar?

The “toaster” sample in the WDK shows this.
src\general\toaster\inf\i386\filter.inf, for example. You use
Include/Needs to pull in parts of the original INF file.

Alternatively, you can write a simple user-mode application to install
this without an INF, using the SetupDi APIs to write the UpperFilters
key. Our friends at Microsoft don’t like that solution, because among
other things it means you can’t play with the “Rollback” option, but it
is simple.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
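
An INF laid out the way the replies above describe, as an added example that is not part of the original thread or any poster's code: a [Manufacturer] and models section matching the hardware ID from Al's post, Include/Needs to reuse the stock usbstor.inf install, and an HKR entry (subkey field left empty) in the .HW section. The rdxsim_* section names, the strings, and the usbstor.inf section names USBSTOR_BULK.NT and USBSTOR_BULK.NT.Services are assumptions; check the latter against the usbstor.inf on the target system.

```inf
; Added example, not from the thread. rdxsim_* names and all strings are
; placeholders; USBSTOR_BULK.NT* are assumed names, check your usbstor.inf.
[Version]
Signature = "$Windows NT$"
Class     = USB
ClassGUID = {36FC9E60-C465-11CF-8056-444553540000}
Provider  = %provider%
DriverVer = 08/06/2008,5.1.2600.0

; Undecorated models section; 64-bit targets need a decorated one (NTamd64).
[Manufacturer]
%provider% = rdxsim_Models

; PnP matches on the hardware ID, not the instance path with its serial number.
[rdxsim_Models]
%device_desc% = rdxsim_Install, USB\VID_058F&PID_6387

[DestinationDirs]
DefaultDestDir = 12
[SourceDisksNames]
1 = %diskid1%
[SourceDisksFiles]
rdxsim.sys = 1

; Reuse the stock mass-storage install, then copy the filter binary.
[rdxsim_Install.NT]
Include   = usbstor.inf
Needs     = USBSTOR_BULK.NT
CopyFiles = rdxsim_CopyFiles

[rdxsim_CopyFiles]
rdxsim.sys

; HKR is the hardware key of whichever device instance matched above. Fields:
; root, subkey (empty), value name, flags (0x00010008 = REG_MULTI_SZ, append),
; value. Use "UpperFilters" instead to sit above usbstor.sys.
[rdxsim_Install.NT.HW]
AddReg = rdxsim_HW_AddReg

[rdxsim_HW_AddReg]
HKR,,"LowerFilters",0x00010008,"rdxsim"

[rdxsim_Install.NT.Services]
Include    = usbstor.inf
Needs      = USBSTOR_BULK.NT.Services
AddService = rdxsim,,rdxsim_Service

[rdxsim_Service]
DisplayName   = %service_desc%
ServiceType   = 1 ; SERVICE_KERNEL_DRIVER
StartType     = 3 ; SERVICE_DEMAND_START
ErrorControl  = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\rdxsim.sys

[Strings]
provider     = "Example Provider"
device_desc  = "USB Mass Storage Device (rdxsim filter)"
service_desc = "RDXSIM Filter Driver"
diskid1      = "rdxsim Installation Disk"
```

Because the models section names the device, this INF is installed through the device (Update Driver or a SetupDi-based installer), not through the right-click Install path that runs [DefaultInstall].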

Also, there is a utility supplied with Oney’s WDM book that does exactly
what Tim suggests.
The utility is called “filtject”, chapter 16 in the 2nd edition of the
book.

Alexey
