How to attach prevent USB PNP Devices(WDM)?

Hi Guys,

I have several questions about how to prevent USB PNP devices from attaching (WDM).
I have to write a WDM driver that handles PNP events to prevent USB mass storage devices from attaching (no need for a read or write protection filter driver; before this I wrote that minifilter driver).
In my driver's DriverEntry I used the IoRegisterPlugPlayNotification routine with GUID_CLASS_USB_DEVICE, and my callback function is PnpNotifyInterfaceChange(PVOID pNotifyContext, PVOID pContext),
and I receive attach and detach events in my callback.

Now my questions are:

1. How to remove a device (detach the device) for security reasons in PnpNotifyInterfaceChange?

2. How to get USB_INTERFACE_DESCRIPTOR? (I think I must use the UsbBuildGetDescriptorRequest routine; if this is correct, how do I use this routine?)

3. How to get the particular USB device type (USB DVD writer, USB thumb drive)? (I know PDEVICE_INTERFACE_CHANGE_NOTIFICATION has more information about the device (VID, PID, serial, etc.), but that is absolutely not enough because it does not determine the USB device type. Also, USB_INTERFACE_DESCRIPTOR->bInterfaceClass gives the interface class, e.g. 0x3 equals “HID Interface Class” and 0x08 equals “Mass Storage USB Device Interface Class”, but this is the same for three devices: “USB DVD WRITER”, “USB thumb drive” and “Ramreader device”. I tried to filter on DEVICE_OBJECT->Characteristics, and this is the same for these devices.)

class Ref:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff538820(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx

Thank you all.

There is a built-in Windows policy that prevents these devices from starting without a driver blocking them. For the callback you are using, you can’t get the USB descriptor AND it is called after the device has been started, which is probably not what you want.


From: xxxxx@yahoo.com
Sent: Wednesday, August 17, 2016 3:27 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to attach prevent USB PNP Devices(WDM)?

NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

xxxxx@yahoo.com wrote:

> I have several questions about how to prevent USB PNP devices from attaching (WDM).

The only reliable way to do that is to fill the USB plugs with silicone
sealant.

Please read Doron’s response three times. He has the right answer, as
usual.

> I have to write a WDM driver that handles PNP events to prevent USB mass storage devices from attaching (no need for a read or write protection filter driver; before this I wrote that minifilter driver).
> In my driver's DriverEntry I used the IoRegisterPlugPlayNotification routine with GUID_CLASS_USB_DEVICE, and my callback function is PnpNotifyInterfaceChange(PVOID pNotifyContext, PVOID pContext),
> and I receive attach and detach events in my callback.
>
> Now my questions are:
> 1. How to remove a device (detach the device) for security reasons in PnpNotifyInterfaceChange?

You can’t. That’s way too late. The notification is telling you what
already happened. It’s not giving you a chance to interfere.

> 2. How to get USB_INTERFACE_DESCRIPTOR? (I think I must use the UsbBuildGetDescriptorRequest routine; if this is correct, how do I use this routine?)

To do this, you have to be in the device stack for the device you are
filtering. IoRegisterPlugPlayNotification just makes you an observer,
not a participant. Put another way, to do what you are asking, you
would have to install your driver as a filter for every USB device in
the system. That’s the only way you can interfere with the coming-up
process.

> 3. How to get the particular USB device type (USB DVD writer, USB thumb drive)? (I know PDEVICE_INTERFACE_CHANGE_NOTIFICATION has more information about the device (VID, PID, serial, etc.), but that is absolutely not enough because it does not determine the USB device type. Also, USB_INTERFACE_DESCRIPTOR->bInterfaceClass gives the interface class, e.g. 0x3 equals “HID Interface Class” and 0x08 equals “Mass Storage USB Device Interface Class”, but this is the same for three devices: “USB DVD WRITER”, “USB thumb drive” and “Ramreader device”. I tried to filter on DEVICE_OBJECT->Characteristics, and this is the same for these devices.)

Right. There is no 100% reliable way to look at a USB device’s
descriptors and determine what physical type of device it is. All you
can determine is how the device behaves. If a DVD Writer behaves like a
mass storage device, then the system sees it as a mass storage device.

However, if your target is to block the ability to copy data from a
computer in digital form, why would you want to allow DVD Writers? And
what about USB floppy drives? And what about Firewire disks, or ESATA
disks? Really, your task is utterly hopeless.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> The only reliable way to do that is to fill the USB plugs with silicone sealant.

Actually, it is enough to remove PDOs from the array returned by IRP_MN_QUERY_DEVICE_RELATIONS for BusRelations at the USBHUB or USBCCGP level.

But you don’t know which PDOs to remove because you can’t send USB IOCTLs to query their descriptors to know what they are. And removing is not enough, you need to Ob dereference them, otherwise they will leak. And you need to keep track of what you have removed in the past as the host will continue to report them on the next QDR. Not a simple solution in any imaginable way.

Set the group policy and you are done

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, August 17, 2016 10:51 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to attach prevent USB PNP Devices(WDM)?


> But you don’t know which PDOs to remove because you can’t send USB IOCTLs to query their descriptors to know what they are.

There is always some workaround, at least basic device information used by PnP Manager to locate FDO driver can be queried by issuing the same requests. The idea is to emulate PnP Manager by taking control over PDOs and making device invisible for PnP Manager and applications. In the extreme case the PnP Manager and USB stack can be emulated so all functionality will be available.

> Not a simple solution in any imaginable way.

It is not simple but not prohibitively hard.

But you can’t emulate everything. If anything requires the reported DO is a real PDO (with a backing devnode and registry), you can’t emulate that. Yes, you can query hw and compat IDs and elide some identity from the strings, but that is a boatload of complicated software

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, August 17, 2016 12:00 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to attach prevent USB PNP Devices(WDM)?


I am personally not afraid of complicated software. Yes, a custom USB stack implementation might require an order of magnitude more man hours to implement on Windows than in some open source kernel. I just outlined the architecture.

BTW the registry entries might also be created, though this is not required for this solution. As far as I know, Parallels implemented this back in 2005.

> The only reliable way to do that is to fill the USB plugs with silicone sealant.

> Please read Doron’s response three times. He has the right answer, as usual.

In order to realize that you are wrong all you have to do is to recall any DLP software title that disallows any USB device that is not explicitly authorized by the company. I think the OP wants to develop yet another title with this functionality. This had been done quite a few times - (probably) the first time it was done was almost 20 years ago, back on NT4, by Securewave’s “Sanctuary” product.

Concerning the OP’s actual question, contrary to what you may see on this thread, the whole thing is pretty straightforward and can be done in an upper filter for USBSTOR. The idea here could be presenting a device as an unusable one to the upper layers (i.e. to DISK.SYS), for example, by failing the IOCTL_STORAGE_QUERY_PROPERTY request…

Anton Bassov

That only works for BOT devices. UASP compliant devices require filtering a different driver.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, August 17, 2016 3:06 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to attach prevent USB PNP Devices(WDM)?


> I just outlined the architecture.

Actually, the whole thing reminds me of one of our “Professor Flounder’s” stories about some university professor who was suggesting really ridiculous solutions all the time. Every time the stupidity of his proposed “solutions” was pointed out to him he was saying “I just gave you the idea, and the rest is the question of an implementation”.

One day he had complained to his students about having missed a flight to some conference. One of his students asked him why he had not tried turning into a bird so that he could fly to this conference anyway. The professor was shocked by this suggestion, and said - “This is one of the most stupid things that I have ever heard in my entire life”, to which his student replied “Well, I just gave you the idea, and the rest is the question of an implementation”…

Anton Bassov

> UASP compliant devices require filtering a different driver.

But the main idea is, apparently, the same - by blocking the appropriate requests from the storage subsystem you can ensure that the attached device’s practical usefulness is zero…

Anton Bassov

@ Anton

Actually, the idea with PDOs removal has at least one open source implementation. OSR needs to add image support so we have more Dilbert-like stories from you.

> Actually, the idea with PDOs removal has at least one open source implementation.

Well, ReactOS provides a custom open source re-implementation of the entire Windows OS, so this “argument” is not as strong as you may think…

> OSR needs to add image support so we have more Dilbert-like stories from you.

Actually, this story was presented on NTDEV by our “Professor Flounder”, a.k.a. “Dr.Joe” - I don’t want to be accused of plagiarism, do I (this was one of very few things from him that I actually liked - he was an incredibly boring “preacher” most of the time, but this time he was, indeed, funny and witty). I just could not be bothered to search the archives for the particular thread where he told us this story, so I simply repeated it. You can try to search the archives…

When I saw the suggestion to provide a custom implementation of the entire Windows USB stack that was followed by “I just gave you the idea”…well, this story came to my mind straight away…

Anton Bassov

Anton, you are missing the point. PDOs removal doesn’t require USB stack implementation. This is 500 LOC and one day work for an average developer.

USB stack implementation is required if control over device is required.

> Anton, you are missing the point.

Am I?

> PDOs removal doesn’t require USB stack implementation. This is 500 LOC and one day work for an average developer.

Actually, the only thing that I am speaking about is your statement below

Anton Bassov

@ Anton

> Am I?

Yes, you are.
Better luck next time.

> Yes, you are. Better luck next time.

Never mind. BTW, concerning Dr.Joe’s story, here is the thread (post 15)

http://www.osronline.com/showThread.cfm?link=222063

The rest of the thread is a classical example of Dr.Joe’s typical “preaching”, so it can be fun to read as well.

Enjoy!

Anton Bassov

Hi Guys,

A special thanks goes to Doron Holan, Slava Imameev and Anton Bassov for your advice.
I wrote an upper USB filter driver, but a BSOD occurred after deleting the device.

    NTSTATUS
    FilterPnp(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        .

        switch (IrpStack->MinorFunction)
        {
        case IRP_MN_QUERY_DEVICE_RELATIONS:
        //case IOCTL_STORAGE_QUERY_PROPERTY:
        {
            switch (IrpStack->Parameters.QueryDeviceRelations.Type)
            {
            case BusRelations:
            {
                DbgPrint(CURINFO " USBFilterPnp IRP_MN_QUERY_DEVICE_RELATIONS …\n");
                IoReleaseRemoveLockAndWait(&USBDeviceExe->RemoveLock, Irp);
                // Pass the request down the stack
                IoSkipCurrentIrpStackLocation(Irp);
                ntStatus = IoCallDriver(USBDeviceExe->NextLowerDriver, Irp);
                // Detach from the stack and delete the filter device object
                SET_NEW_PNP_STATE(USBDeviceExe, Deleted);
                IoDetachDevice(USBDeviceExe->NextLowerDriver);
                IoDeleteDevice(DeviceObject);
                DbgBreakPoint();
                return ntStatus;
            }
            }
        }
        }

        // All other PnP requests: pass down unchanged
        Irp->IoStatus.Status = ntStatus;
        IoSkipCurrentIrpStackLocation(Irp);
        ntStatus = IoCallDriver(USBDeviceExe->NextLowerDriver, Irp);
        IoReleaseRemoveLock(&USBDeviceExe->RemoveLock, Irp);

        return ntStatus; // BSOD occurred on this line after returning from the IRP_MN_QUERY_DEVICE_RELATIONS body
    }

How to fix this problem?

Thanks again.

I didn’t get what you want to achieve by this code.

IoDetachDevice can be called only in response to IRP_MN_REMOVE_DEVICE.
IoDeleteDevice(DeviceObject), I presume, removes a filter device object and definitely crashes the system, as there might be a device object attached to it and the system still uses it. A device should be removed in IRP_MN_REMOVE_DEVICE.

If you want to remove a PDO from the list of related “child” devices reported by the USBHUB FDO, then you need to set a completion routine with IoSetCompletionRoutine and process the returned array. Do not forget to dereference removed PDOs (ObDereferenceObject).

To help you, I will provide you with a link to Dmitry Fleytman’s KMDF driver that does this: it filters IRP_MN_QUERY_DEVICE_RELATIONS and removes PDOs. The code heavily uses C++11 features like lambdas, so it is not easy to read for those who are used to C, but the functionality you are looking for is in CUsbDkHubFilterStrategy::PNPPreProcess, which calls PostProcessOnSuccess and sets a filter by defining it via a lambda (when you see XXXX-> this is a lambda for a function in C++11).
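
The bookkeeping described in the reply above and in Doron's earlier objection (drop the PDO from the BusRelations array, dereference it, and remember it because the hub reports it again on the next query), as an added example that is not part of the thread or of any driver it mentions. It is a user-mode C model: `PDO`, `RELATIONS`, `hub_report`, `is_blocked` and the sample ID strings are stand-ins assumed here, not WDK types or calls.

```c
/* Added example: user-mode model, stand-in types only (no WDK headers). */
#include <stddef.h>
#include <string.h>

#define MAX_PDOS 8

typedef struct {
    const char *compat_id; /* constructed sample of a compatible ID string */
    int refs;              /* models the object manager reference count */
} PDO;

typedef struct {           /* models DEVICE_RELATIONS: Count + Objects[] */
    size_t count;
    PDO *objects[MAX_PDOS];
} RELATIONS;

static PDO *hidden[MAX_PDOS]; /* PDOs withheld on earlier queries */
static size_t hidden_count;
static int classify_calls;    /* how often the expensive ID query ran */

static int is_hidden(const PDO *p) {
    for (size_t i = 0; i < hidden_count; i++)
        if (hidden[i] == p) return 1;
    return 0;
}

/* Hypothetical policy: withhold anything reporting USB class 08. */
static int is_blocked(const PDO *p) {
    static const char prefix[] = "USB\\Class_08";
    classify_calls++;
    return strncmp(p->compat_id, prefix, sizeof prefix - 1) == 0;
}

/* Hub side: every reply takes one reference per reported PDO. */
void hub_report(RELATIONS *r, PDO **children, size_t n) {
    r->count = n > MAX_PDOS ? MAX_PDOS : n;
    for (size_t i = 0; i < r->count; i++)
        (r->objects[i] = children[i])->refs++;
}

/* Filter side, as run from the completion routine; returns PDOs removed. */
size_t filter_bus_relations(RELATIONS *r) {
    size_t kept = 0, removed = 0;
    for (size_t i = 0; i < r->count; i++) {
        PDO *p = r->objects[i];
        int known = is_hidden(p);
        if (!known && !is_blocked(p)) { r->objects[kept++] = p; continue; }
        if (!known && hidden_count < MAX_PDOS) hidden[hidden_count++] = p;
        p->refs--; /* stands in for ObDereferenceObject; omit it and the PDO leaks */
        removed++;
    }
    r->count = kept;
    return removed;
}
```

In a real filter this logic would run on the array returned by the lower driver after the request completes successfully, and the `hidden` table would need locking and cleanup when a withheld device is unplugged.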