First the summary.
I’ve configured a very basic filter driver using KMDF that is filtering on both:
EvtIoInternalDeviceControl //for IRP_MJ_SCSI
EvtIoDeviceControl // for SCSI_PASS_THROUGH
Now during the initial load and configuration I see all the standard SCSI commands I would expect to see:
READ_CAPACITY
READ_10
I see these as IRP_MJ_SCSI IOCTLs and I’ve set up the following simple mechanism to report this to WinDbg.
WdfRequestGetParameters(Request, &RParms);
if (RParms.Type == WdfRequestTypeDeviceControlInternal) {
    pSRB = (PSCSI_REQUEST_BLOCK) RParms.Parameters.Others.Arg1;
    WdfFltrTrace(("FltrRead SCSI IOCTL 0x%x, CDB 0x%x\n", RParms.Parameters.Others.IoControlCode, pSRB->Cdb[0]));
}
The end result is simple and effective; I see the IOCTL and CDB descriptor.
The problem is, I don’t seem to be seeing any SCSI_INQUIRY (CDB 0x12) values; however, I can see there are SCSI Inquiry operations being sent to the disk.
Therefore I tried setting up the same mechanism in my SCSI_PASS_THROUGH tracing function. Still nothing; however, I did see something interesting:
IOCTL_STORAGE_QUERY_PROPERTY
I see this query once with a value of 1 for the STORAGE_PROPERTY_QUERY->PropertyId and again with a value of 0 for the STORAGE_PROPERTY_QUERY->PropertyId.
After reviewing the information here: http://msdn.microsoft.com/en-us/library/ff800840(v=vs.85).aspx
it appears the system is asking for the device descriptor. In looking at the data behind that request, it sounds like INQUIRY information would be in there.
I set a completion routine on the request and send it.
When my completion routine fires I take a look at the output buffer for the request:
status = WdfRequestRetrieveOutputBuffer(Request,
                                        sizeof(STORAGE_DESCRIPTOR_HEADER), // minimum acceptable size (the header), not the size of a pointer
                                        &Buffer,
                                        &outLen);
The status is STATUS_SUCCESS; however, the outLen is 8 bytes. Now this is consistent with the results of that query: it’s going to return the STORAGE_DESCRIPTOR_HEADER, which is 8 bytes in length (http://msdn.microsoft.com/en-us/library/ff800834(v=vs.85).aspx). However, I’m supposed to use the Size member of the header to obtain the accurate size of the resultant data in “Buffer”.
The real question is, how do I do that? Since WdfRequestRetrieveOutputBuffer has “returned” the buffer as 8 bytes, i.e. the header, how do I get it to allow me to access the rest of the buffer to hopefully locate the VendorIdOffset and get additional vendor information?
Perhaps I’m completely headed in the wrong direction here; any suggestions or recommendations would be helpful.
Thanks!
-M
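
Added example, not part of the original post: a bounds-checked reader for the descriptor buffer discussed above. It reports a header-only (8-byte) reply together with the Size the header carries, and copies the vendor string only when VendorIdOffset falls inside the bytes actually returned. The names desc_vendor_id and dev_desc_t are hypothetical, and the struct is a local mirror of the fixed STORAGE_DEVICE_DESCRIPTOR fields so that it compiles without the WDK.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of STORAGE_DEVICE_DESCRIPTOR's fixed fields so this builds
   without the WDK (assumption: in a driver, use the ntddstor.h type). */
typedef struct {
    uint32_t Version, Size;        /* Size = bytes the full descriptor needs */
    uint8_t  DeviceType, DeviceTypeModifier, RemovableMedia, CommandQueueing;
    uint32_t VendorIdOffset, ProductIdOffset, ProductRevisionOffset;
    uint32_t SerialNumberOffset, BusType, RawPropertiesLength;
} dev_desc_t;

enum { DESC_OK, DESC_HEADER_ONLY, DESC_NO_VENDOR, DESC_INVALID };

/* Hypothetical helper: buf/len are the completed request's output buffer and
   the length returned with it. *needed receives the header's Size field. */
int desc_vendor_id(const uint8_t *buf, size_t len, char *out, size_t out_len,
                   uint32_t *needed)
{
    dev_desc_t d;
    size_t avail, i;
    if (!buf || !out || !needed || out_len == 0 || len < 8)
        return DESC_INVALID;
    out[0] = '\0';
    memcpy(needed, buf + 4, sizeof *needed);  /* header is Version, Size */
    if (len < sizeof d)
        return DESC_HEADER_ONLY;   /* sizing call: only Size is meaningful */
    memcpy(&d, buf, sizeof d);
    avail = d.Size < len ? d.Size : len;      /* never trust Size past len */
    if (d.VendorIdOffset == 0)
        return DESC_NO_VENDOR;
    if (d.VendorIdOffset < sizeof d || d.VendorIdOffset >= avail)
        return DESC_INVALID;       /* offset points outside the valid data */
    /* Stop at the NUL, the end of valid data, or the end of out. */
    for (i = 0; i + 1 < out_len && d.VendorIdOffset + i < avail; i++) {
        if (buf[d.VendorIdOffset + i] == '\0') break;
        out[i] = (char)buf[d.VendorIdOffset + i];
    }
    out[i] = '\0';
    return DESC_OK;
}

int main(void)
{   /* constructed sample: header-only reply whose Size field is 48 */
    uint8_t hdr[8] = {0}; uint32_t sz = 48, need = 0; char v[16];
    memcpy(hdr + 4, &sz, sizeof sz);
    printf("%d need=%u\n", desc_vendor_id(hdr, 8, v, sizeof v, &need), (unsigned)need);
    return 0;
}
```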