I have an application that communicates with a device driver. I have placed an upper filter driver on to the device driver to monitor the traffic between the application and the device driver. My filter driver is able to see the Create, Close, Cleanup, PNP, and Device Control functions; but it doesn’t see the read and write functions. My filter driver has a dispatch routine for IRP_MJ_READ and IRP_MJ_WRITE. What do I need to do so that my filter driver’s read and write dispatch routines are called?
Are you sure the app uses read and write file to communicate with the device? Outside of file systems, read and write file are much less likely to be used b/c IOCTLs can cover read and write semantics in a richer fashion
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@stonestreetone.com
Sent: Tuesday, February 17, 2009 9:56 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to capture the ReadFile() data in a filter driver?
I have an application that communicates with a device driver. I have placed an upper filter driver on to the device driver to monitor the traffic between the application and the device driver. My filter driver is able to see the Create, Close, Cleanup, PNP, and Device Control functions; but it doesn’t see the read and write functions. My filter driver has a dispatch routine for IRP_MJ_READ and IRP_MJ_WRITE. What do I need to do so that my filter driver’s read and write dispatch routines are called?
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
I’m assuming that the application is using read and write file to
communicate because when I use IrpTracker in the Major Function column
it says READ or WRITE.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Tuesday, February 17, 2009 12:59 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
Are you sure the app uses read and write file to communicate with the
device? Outside of file systems, read and write file are much less
likely to be used b/c IOCTLs can cover read and write semantics in a
richer fashion
d
It should work given what you describe. Does !devstack show that your device is attached to the driver in question? One thing you can do is run
!drvobj \Driver\DriverNameYouAreFiltering 3
And then put a bp on IRP_MJ_READ and IRP_MJ_WRITE and then run the app. When either bp hits, dump the callstack and see if something funky is going on
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Nathan Burns
Sent: Tuesday, February 17, 2009 10:15 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter driver?
I’m assuming that the application is using read and write file to
communicate because when I use IrpTracker in the Major Function column
it says READ or WRITE.
!devstack does show that my device is attached to the driver in
question. I put a bp on IRP_MJ_READ and the callstack looks fine.
CALLSTACK:
WARNING: Stack unwind information not available. Following frames may be
wrong.
qcusbser+0x26480
nt!IofCallDriver+0x63
nt!IopSynchronousServiceTail+0x1d9
nt!NtReadFile+0x646
nt!KiFastCallEntry+0x12a
ntdll!KiFastSystemCallRet
ntdll!ZwReadFile+0xc
kernel32!ReadFileEx+0x72
0x4147e4
So by the looks of things the service application is sending ReadFile
directly to the device driver and not going through the filter. Is there
a way to cause the ReadFile() to go through the filter?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Tuesday, February 17, 2009 1:21 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
It should work given what you describe. Does !devstack
show that your device is attached to the driver in question? One thing
you can do is run
!drvobj \Driver\DriverNameYouAreFiltering 3
And then put a bp on IRP_MJ_READ and IRP_MJ_WRITE and then run the app.
When either bp hits, dump the callstack and see if something funky is
going on
d
Are you attaching your filter dynamically after the device has started? Or are you a full fledged pnp filter and specified as a device or class upper filter?
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: Nathan Burns
Sent: Wednesday, February 18, 2009 4:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter driver?
!devstack does show that my device is attached to the driver in
question. I put a bp on IRP_MJ_READ and the callstack looks fine.
CALLSTACK:
WARNING: Stack unwind information not available. Following frames may be
wrong.
qcusbser+0x26480
nt!IofCallDriver+0x63
nt!IopSynchronousServiceTail+0x1d9
nt!NtReadFile+0x646
nt!KiFastCallEntry+0x12a
ntdll!KiFastSystemCallRet
ntdll!ZwReadFile+0xc
kernel32!ReadFileEx+0x72
0x4147e4
So by the looks of things the service application is sending ReadFile
directly to the device driver and not going through the filter. Is there
a way to cause the ReadFile() to go through the filter?
It’s a full fledged pnp filter and specified as an upper filter.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Wednesday, February 18, 2009 7:49 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
Are you attaching your filter dynamically after the device has started?
Or are you a full fledged pnp filter and specified as a device or class
upper filter?
d
Sent from my phone with no t9, all spilling mistakes are not
intentional.
Is qcusbser a bus driver? Perhaps you are filtering the fdo and the io flows to the PDOs?
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: Nathan Burns
Sent: Wednesday, February 18, 2009 5:05 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter driver?
It’s a full fledged pnp filter and specified as an upper filter.
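The possibility raised in the reply above, that the filter sits above the bus driver's FDO while the application's I/O goes to a child PDO, shown as an added example that is not part of the original thread. It is a user-mode C model of device stacks, not driver code; the struct and function names are hypothetical, and it models only the rule that a request enters at the top of the stack containing the opened device and travels down that stack.

```c
/* Added illustration: a user-mode model of WDM device stacks.
 * All names here are hypothetical; this is not kernel code. */
#include <stdio.h>
#include <stddef.h>

enum major { MJ_CREATE, MJ_READ, MJ_WRITE, MJ_DEVICE_CONTROL, MJ_COUNT };

struct device {
    struct device *upper;           /* device attached directly above   */
    struct device *lower;           /* device directly below, same stack */
    unsigned       seen[MJ_COUNT];  /* requests that passed through      */
};

/* Attach 'dev' on top of whatever stack currently contains 'target'. */
static void attach_to_stack(struct device *dev, struct device *target)
{
    while (target->upper != NULL)
        target = target->upper;
    target->upper = dev;
    dev->lower = target;
}

/* A request on a handle is delivered to the top of the stack that
 * contains the opened device, then passed down that stack only.
 * It never crosses into a different stack on its own. */
static void send_request(struct device *opened, enum major mj)
{
    struct device *d = opened;
    while (d->upper != NULL)
        d = d->upper;
    for (; d != NULL; d = d->lower)
        d->seen[mj]++;
}

/* Build a parent stack (parent PDO + bus FDO) and a separate child
 * stack (child PDO enumerated by the bus driver). Place the filter
 * on one of them, open the child, issue 'reads' read requests, and
 * report how many of them the filter observed. */
unsigned filter_reads_seen(int filter_on_child_stack, unsigned reads)
{
    struct device parent_pdo = {0};
    struct device bus_fdo    = {0};
    struct device child_pdo  = {0};
    struct device filter     = {0};
    unsigned i;

    attach_to_stack(&bus_fdo, &parent_pdo);
    attach_to_stack(&filter,
                    filter_on_child_stack ? &child_pdo : &bus_fdo);

    /* The application's handle is on the child device. */
    send_request(&child_pdo, MJ_CREATE);
    for (i = 0; i < reads; i++)
        send_request(&child_pdo, MJ_READ);

    return filter.seen[MJ_READ];
}

int main(void)
{
    printf("filter above bus FDO:   %u reads seen\n",
           filter_reads_seen(0, 3));
    printf("filter in child stack:  %u reads seen\n",
           filter_reads_seen(1, 3));
    return 0;
}
```
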
To my understanding qcusbser is a bus driver? Is there a way to filter
the PDOs?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Wednesday, February 18, 2009 10:57 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
Is qcusbser a bus driver? Perhaps you are filtering the fdo and the io
flows to the PDOs?
d
Sent from my phone with no t9, all spilling mistakes are not
intentional.
You answered my question with another question and I don’t know how to respond to that. If you are asking how to confirm it is a bus driver, there are 2 ways really
- view in device manager by connection (and show hidden devices), find your device and see if it has children
- in the debugger, you can run !devstack on your devobj, then run !devnode 1 and it will dump the subtree of enumerated children (if present)
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Nathan Burns
Sent: Wednesday, February 18, 2009 8:48 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter driver?
To my understanding qcusbser is a bus driver? Is there a way to filter
the PDOs?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Wednesday, February 18, 2009 10:57 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
Is qcusbser a bus driver? Perhaps you are filtering the fdo and the io
flows to the PDOs?
d
Sent from my phone with no t9, all spilling mistakes are not
intentional.
-----Original Message-----
From: Nathan Burns
Sent: Wednesday, February 18, 2009 5:05 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
It’s a full fledged pnp filter and specified as an upper filter.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Wednesday, February 18, 2009 7:49 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
Are you attaching your filter dynamically after the device has started?
Or are you a full fledged pnp filter and specified as a device or class
upper filter?
d
Sent from my phone with no t9, all spilling mistakes are not
intentional.
-----Original Message-----
From: Nathan Burns
Sent: Wednesday, February 18, 2009 4:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
!devstack does show that my device is attached to the driver in
question. I put a bp on IRP_MJ_READ and the callstack looks fine.
CALLSTACK:
WARNING: Stack unwind information not available. Following frames may be
wrong.
qcusbser+0x26480
nt!IofCallDriver+0x63
nt!IopSynchronousServiceTail+0x1d9
nt!NtReadFile+0x646
nt!KiFastCallEntry+0x12a
ntdll!KiFastSystemCallRet
ntdll!ZwReadFile+0xc
kernel32!ReadFileEx+0x72
0x4147e4
So by the looks of things the service application is sending ReadFile
directly to the device driver and not going through the filter. Is there
a way to cause the ReadFile() to go through the filter?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Tuesday, February 17, 2009 1:21 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
It should work given what you describe. Does !devstack
show that your device is attached to the driver in question? One thing
you can do is run
!drvobj \Driver\DriverNameYouAreFiltering 3
And then put a bp on IRP_MJ_READ and IRP_MJ_WRITE and then run the app.
When either bp hits, dump the callstack and see if something funky is
going on
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Nathan Burns
Sent: Tuesday, February 17, 2009 10:15 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
I’m assuming that the application is using read and write file to
communicate because when I use IrpTracker in the Major Function column
it says READ or WRITE.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Tuesday, February 17, 2009 12:59 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
Are you sure the app uses read and write file to communicate with the
device? Outside of file systems, read and write file are much less
likely to be used b/c IOCTLs can cover read and write semantics in a
richer fashion
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@stonestreetone.com
Sent: Tuesday, February 17, 2009 9:56 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to capture the ReadFile() data in a filter driver?
I have an application that communicates with a device driver. I
have placed an upper filter driver on to the device driver to monitor the
traffic between the application and the device driver. My filter driver
is able to see the Create,Close,Cleanup,PNP, and Device Control
functions; but it doesn’t see the read and write functions. My filter
driver has a dispatch routine for IRP_MJ_READ and IRP_MJ_WRITE. What do
I need to do so that my filter driver’s read and write dispatch routines
are called?
No, qcusbser is not a bus driver.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Wednesday, February 18, 2009 1:22 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter
driver?
You answered my question with another question and I don’t know how to
respond to that. If you are asking how to confirm it is a bus driver,
there are 2 ways really
- view in device manager by connection (and show hidden devices), find
your device and see if it has children
- in the debugger, you can run !devstack on your devobj, then run
!devnode 1 and it will dump the subtree
of enumerated children (if present)
d
A couple of things to check/try:
- Ensure your filter is attached where you think it is and that the DEVNODE looks like you think it does. I would personally use DeviceTree to determine this.
- Determine the flow of reads and writes from the application through the device objects of interest. You’ve already used IRPTracker… and this is precisely what it’s for. IRPTracker will show you the flow of reads/writes, with respect to device objects. What’s the flow that you’re seeing?
If you have a properly formed devnode comprising a Filter over an FDO over a PDO, and an application that opens the FDO or PDO, subsequent writes on that opened handle from the application WILL enter the DEVNODE to the top of the DEVNODE. I mean… it HAS to work that way.
I guess another thing you might check is to ensure that the FILE_OBJECT that’s created by the application actually points to the Device Object that you think it points to… in other words, the app actually IS opening the device you expect.
Grasping at straws here,
Peter
OSR
After looking more into the driver I stand corrected: the device driver
is a bus driver, it has children. And looking closely at the IrpTracker
output the read and writes are flowing from the application to a child
device of the bus driver. So I guess the question is how do I place the
filter driver around that child device?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Wednesday, February 18, 2009 1:58 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to capture the ReadFile() data in a filter
driver?
A couple of things to check/try:
- Ensure your filter is attached where you think it is and that the
DEVNODE looks like you think it does. I would personally use DeviceTree
to determine this.
- Determine the flow of reads and writes from the application through
the device objects of interest. You’ve already used IRPTracker… and
this is precisely what it’s for. IRPTracker will show you the flow of
reads/writes, with respect to device objects. What’s the flow that
you’re seeing?
If you have a properly formed devnode comprising a Filter over an FDO
over a PDO, and an application that opens the FDO or PDO, subsequent
writes on that opened handle from the application WILL enter the
DEVNODE to the top of the DEVNODE. I mean… it HAS to work that way.
I guess another thing you might check is to ensure that the FILE_OBJECT
that’s created by the application actually points to the Device Object
that you think it points to… in other words, the app actually IS
opening the device you expect.
Grasping at straws here,
Peter
OSR
Open up each child’s properties in device manager, go to the details tab and look at hw and compat ID properties and update your inf accordingly with a new match(es)
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: Nathan Burns
Sent: Thursday, February 19, 2009 4:43 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to capture the ReadFile() data in a filter driver?
After looking more into the driver I stand corrected: the device driver
is a bus driver, it has children. And looking closely at the IrpTracker
output the read and writes are flowing from the application to a child
device of the bus driver. So I guess the question is how do I place the
filter driver around that child device?
You know… you’re making it hard for us to help you by giving us information one little bit at a time.
There are FDO(s) created by function driver(s) over the PDOs that your bus driver creates and to which the I/O requests are flowing?? In other words, the application isn’t sending I/O to “naked” PDOs?
Peter
OSR
Nathan Burns wrote:
> After looking more into the driver I stand corrected the device
> driver is a bus driver, it has children.
Unless you have some totally different driver with the same name, I tend to doubt “qcusbser.sys” is a bus driver and is spawning children. qcusbser.sys is typically the name of Qualcomm’s USB serial driver for use with CDMA handsets. Are you sure?
Nathan Burns wrote:
> My filter driver is able to see the Create,Close,Cleanup,PNP,
> and Device Control functions;
Plus, it’s unlikely (though not out of the question) that someone is going to be opening the bus driver FDO and talking to it in this fashion. And you posted a backtrace showing the read request also. So I think something’s just wrong with your filter.
P.S. I have the source for qcusbser so if you have questions about how it works just let me know.
Even if the app opens the fdo by name, all io flows through the top of the stack downward. Something is amiss in the config or filter here…
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
-----Original Message-----
From: xxxxx@gmail.com
Sent: Thursday, February 19, 2009 7:06 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to capture the ReadFile() data in a filter driver?
Nathan Burns wrote:
> My filter driver is able to see the Create,Close,Cleanup,PNP,
> and Device Control functions;
Plus, it’s unlikely (though not out of the question) that someone is going to be opening the bus driver FDO and talking to it in this fashion. And you posted a backtrace showing the read request also. So I think something’s just wrong with your filter.
P.S. I have the source for qcusbser so if you have questions about how it works just let me know.
Ok … if that’s the case what could be wrong with my filter driver?
It’s very simple and similar to one that I have used in the past. I
thought that all I really needed to do was to install my filter
driver as an upper filter to the Qualcomm device (Qualcomm HS-USB
Diagnostics 9001 (COM5)) and I would be able to monitor the traffic. But
this hasn’t been the case. By looking at the source is there some other
device that I need to install my filter above?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Thursday, February 19, 2009 10:03 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to capture the ReadFile() data in a filter
driver?
Nathan Burns wrote:
> My filter driver is able to see the Create,Close,Cleanup,PNP,
> and Device Control functions;
Plus, it’s unlikely (though not out of the question) that someone is
going to be opening the bus driver FDO and talking to it in this
fashion. And you posted a backtrace showing the read request also. So
I think something’s just wrong with your filter.
P.S. I have the source for qcusbser so if you have questions about how
it works just let me know.
OP: I know it’s stumping you, but at its root this can’t be that hard of a problem. Please… spend some time doing the diagnosis:
Using DeviceTree (or WinDbg) figure out the relationship of the PDOs and FDOs in the stack. Draw a diagram of all the FDOs and PDOs, including their names and IDs. This should take you, oh, less than 30 minutes.
Using IRPTracker, draw on that diagram that you just created the flow of I/O requests. Here’s a link (to an old article) of one way to draw the diagram:
http://www.osronline.com/article.cfm?id=40 – Make the PDOs squares and the FDOs circles.
Determine where your filter is loading now.
As Doron said, change your filter to be the UpperFilter or LowerFilter of an FDO that’s in the flow of the I/O you want to intercept.
If there’s something about this process that isn’t clear, or that you don’t understand how to do, we CAN help you with each of these steps. But, seriously, you can’t guess what’s going wrong (and neither can we) without knowing the relevant PDO/FDO relationships and flow of I/O. And once you know that, your problem will be solved.
Peter
OSR
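The static half of the diagnosis described above (which devnodes exist, which have children, and which service and filters each stack is configured to load) can be dumped with the PnpDevice cmdlets. This is an added example, not code from the thread; the friendly-name pattern is an assumption based on the device name quoted earlier, and the output shows configured filters only, not the live I/O flow that IRPTracker shows.

```powershell
# Added example (not from the thread): dump a devnode subtree with the
# properties needed to decide where an upper filter must be registered.
param(
    # Assumption: friendly-name pattern for the device under test.
    [string]$RootMatch = '*Qualcomm HS-USB*'
)

function Get-DevProp {
    param([string]$InstanceId, [string]$KeyName)
    # Data is $null when the property is not set on this devnode.
    $p = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName `
            -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.Data }
}

function Get-ClassUpperFilters {
    param($ClassGuid)
    # Class-wide upper filters live under the setup class key, not the devnode.
    if (-not $ClassGuid) { return $null }
    $braced = ([guid]$ClassGuid).ToString('B')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$braced"
    (Get-ItemProperty -Path $key -Name UpperFilters `
        -ErrorAction SilentlyContinue).UpperFilters
}

function Show-DevNode {
    param([string]$InstanceId, [int]$Depth = 0)

    # A non-empty child list means this stack belongs to a bus driver.
    $children = @(Get-DevProp $InstanceId 'DEVPKEY_Device_Children' |
                  Where-Object { $_ })
    $classGuid = Get-DevProp $InstanceId 'DEVPKEY_Device_ClassGuid'

    [pscustomobject]@{
        Depth         = $Depth
        InstanceId    = $InstanceId
        Parent        = Get-DevProp $InstanceId 'DEVPKEY_Device_Parent'
        Service       = Get-DevProp $InstanceId 'DEVPKEY_Device_Service'
        HardwareIds   = (Get-DevProp $InstanceId 'DEVPKEY_Device_HardwareIds') -join ', '
        CompatibleIds = (Get-DevProp $InstanceId 'DEVPKEY_Device_CompatibleIds') -join ', '
        DeviceUpper   = (Get-DevProp $InstanceId 'DEVPKEY_Device_UpperFilters') -join ', '
        DeviceLower   = (Get-DevProp $InstanceId 'DEVPKEY_Device_LowerFilters') -join ', '
        ClassUpper    = (Get-ClassUpperFilters $classGuid) -join ', '
        ChildCount    = $children.Count
    }

    # Recurse so every enumerated child stack is listed under its parent.
    foreach ($child in $children) {
        Show-DevNode -InstanceId $child -Depth ($Depth + 1)
    }
}

Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -like $RootMatch } |
    ForEach-Object { Show-DevNode -InstanceId $_.InstanceId } |
    Format-List
```

If the filter's service name appears under DeviceUpper only on a devnode with ChildCount greater than zero, it is registered on the parent stack; the HardwareIds and CompatibleIds of the child that IRPTracker shows receiving the reads are the values the filter INF would need to match.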