Help to start a Device Driver

I am trying to write a USB lower-level filter driver using the MDF with the KMDF to control OS access to a USB device.
The driver would load during the boot loader phase and be called during all USB device initializations.
- If the device id matches allow.txt file in the system32 folder, pass off the handle to the proper device driver.
- If the device id matches deny.txt, flush request data and do nothing.

Target OS is WinXPSP3 with the overall focus being a proof of concept
demonstrating a means to protect the OS from non-user interaction
exploitation. This driver is meant to complement the current Window’s
rules which provide user roles for access.

I have looked at the DDK examples and I do not understand. Please let me know if there is a good template or a good place to start for a beginner. Thank you.

You should be more specific about what you need.
WDK contains a good sample of filter driver:
\WinDDK\XXX\src\general\toaster\kmdf\filter\generic
There are some comments on your design.

> The driver would load during the boot loader phase and be called during all usb device initializations. -If the device id matches allow.txt file in the system32 folder, pass off the handle to the proper device driver. -If the device id matches deny.txt, flush request data and do nothing.

You had better keep this information in the Windows Registry because file system operations would not be available during the initial boot phase.

Igor Sharovar
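
The allow/deny decision described in the original post, as an added example that is not code from this thread or from the WDK: plain user-mode C rather than driver code, assuming hardware IDs of the form `USB\VID_xxxx&PID_xxxx` and a policy the thread does not state, in which deny takes precedence and unlisted or malformed IDs are denied. The names `usb_id`, `parse_hwid` and `decide` and the sample lists are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>

typedef struct { unsigned vid, pid; } usb_id;        /* hypothetical policy entry */
typedef enum { POLICY_DENY, POLICY_ALLOW } policy_t;
/* Constructed sample lists; one ID sits on both lists to show precedence. */
static const usb_id ALLOW[] = { {0x1234, 0x0001}, {0x1234, 0x0002} };
static const usb_id DENY[]  = { {0x1234, 0x0002} };

/* Match an upper-case literal case-insensitively; return the position after it. */
static const char *eat(const char *s, const char *lit) {
    for (; *lit; s++, lit++)
        if (toupper((unsigned char)*s) != *lit) return NULL;
    return s;
}

/* Read exactly four hex digits into *out. */
static const char *hex4(const char *s, unsigned *out) {
    unsigned v = 0;
    for (int i = 0; i < 4; i++, s++) {
        int c = toupper((unsigned char)*s);
        if (!isxdigit(c)) return NULL;
        v = v * 16 + (unsigned)(c <= '9' ? c - '0' : c - 'A' + 10);
    }
    *out = v;
    return s;
}

/* Parse "USB\VID_xxxx&PID_xxxx[&...]"; 0 on success, -1 on malformed input. */
int parse_hwid(const char *id, usb_id *out) {
    const char *p = id ? eat(id, "USB\\VID_") : NULL;
    if (!p || !(p = hex4(p, &out->vid))) return -1;
    if (!(p = eat(p, "&PID_")) || !(p = hex4(p, &out->pid))) return -1;
    return (*p == '\0' || *p == '&') ? 0 : -1;       /* &REV_/&MI_ suffix allowed */
}

static int listed(const usb_id *l, size_t n, usb_id d) {
    for (size_t i = 0; i < n; i++)
        if (l[i].vid == d.vid && l[i].pid == d.pid) return 1;
    return 0;
}

/* Assumed policy: malformed or unlisted IDs are denied, and deny beats allow. */
policy_t decide(const char *hwid) {
    usb_id d;
    if (parse_hwid(hwid, &d) != 0) return POLICY_DENY;
    if (listed(DENY, sizeof DENY / sizeof DENY[0], d)) return POLICY_DENY;
    return listed(ALLOW, sizeof ALLOW / sizeof ALLOW[0], d) ? POLICY_ALLOW : POLICY_DENY;
}
int main(void) { return decide("USB\\VID_1234&PID_0001&REV_0100") == POLICY_ALLOW ? 0 : 1; }
```

In a driver the two lists would be read from the registry, as the reply above suggests, rather than compiled in. The decision is made on the ID the device reports about itself.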

wrote in message news:xxxxx@ntdev…
> I am trying to a USB lower-level filter driver using the MDF with the kmdf
> to control OS access to a usb device.
> The driver would load during the boot loader phase and be called during
> all usb device initializations.
> -If the device id matches allow.txt file in the system32 folder, pass off
> the handle to the proper device driver.
> -If the device id matches deny.txt, flush request data and do nothing.
>
> Target OS is WinXPSP3 with the overall focus being a proof of concept
> demonstrating a means to protect the OS from non-user interaction
> exploitation. This driver is meant to complement the current Window’s
> rules which provide user roles for access.
>
> I have looked at the DDK examples and I do not understand. Please let me
> know if there is a good template or a good place to start for a beginner.
> Thank you.
>

IMHO you’re very confused or disoriented - what you describe cannot
do anything valuable to “protect the OS from non-user interaction
exploitation”.
(hint: hackers who can forge custom malicious hardware can forge any USB
device ID as well).

Also, before “complementing Window’s rules” it won’t hurt to get to know these
rules.

With sympathies,
–pa

Thanks for the responses. This is a proof of concept based on the following paper “Research and Applications of USB Filter Driver Based on Windows Kernel”

Two questions about the generic toaster filter example.

  1. How do I tell if this is a lower-level or upper-level filter?
  2. How do I apply this to USB?
  3. How would I query the attributes to retrieve the device ID?

Please let me know where to go from here to at least get a start. Thanks.

–Mark

You may study the WDK's example.

Apparently you have to pay to actually be able to read this paper.
Anyway as Pavel already pointed out it’s possible to fake the hardware
to actually mimic the device your system has on its “trusted list” (hw
id, serial, you name it).

So apart from questionable robustness of such product you have quite a
lot of stuff to learn first. For the lower/upper filter you need to look
at the INF file from filter toaster sample. For the rest of your
questions you need to really understand the basics, so OS
fundamentals/internals, generic device stack concepts (including
filters), USB protocol/stack (standard requests, descriptors, etc.) and
kernel debugging techniques. Without it you won’t be able to make any
reasonable progress.

Kris

-----Original Message-----
From: xxxxx@yahoo.com [mailto:xxxxx@yahoo.com]
Posted At: Tuesday, August 17, 2010 1:12 AM
Posted To: ntdev
Conversation: Help to start a Device Driver
Subject: RE: Help to start a Device Driver

Thanks for the responses. This is a proof of concept based on the
following paper “Research and Applications of USB Filter Driver Based on
Windows Kernel”

Two questions about the generic toaster filter example.

  1. How do I tell if this is a lower-level or upper-level filter?
  2. How do I apply this to USB?
  3. How would I query the attributes to retrieve the device ID?

Please let me know where to go from here to at least get a start.
Thanks.

–Mark

Generic filters, rather than device or class specific filters, for example a
filter for all devices enumerated by the usbport driver, require a PDO
filter driver, also known as a bus filter driver, and are not documented or
supported by the WDK, although Microsoft provides at least two of them that I
know of and there are other non-Microsoft implementations of bus filter
driver based products that work just fine. Search this list for “bus filter
drivers”, we have discussed most of the implementation details.

Outside of ‘proof of concept’ this seems a rather dubious project.

Mark Roddy

On Mon, Aug 16, 2010 at 8:11 PM, wrote:

> Thanks for the responses. This is a proof of concept based on the
> following paper “Research and Applications of USB Filter Driver Based on
> Windows Kernel”
>
> Two questions about the generic toaster filter example.
> 1. How do I tell if this is a lower-level or upper-level filter?
> 2. How do I apply this to USB?
> 3. How would I query the attributes to retrieve the device ID?
>
> Please let me know where to go from here to at least get a start. Thanks.
>
> --Mark

> documented or supported by the WDK, although Microsoft provides at least two of them that I know of

Pre-Vista MPIO? And what is the second?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com