Re: [RE][RE]SCSI filter driver..

Hi Mark,

This is *exactly* the problem I’m dealing with on a current project: I’m
trying to monitor reads to CD drives, and while a CD class upper
filter catches most normal traffic, the direct-to-PDO and ASPI-style
traffic escapes the monitor. Is there a way to capture this traffic by
filtering, or is some sort of system hooking the only resort?

Much thanks for any advice/info,

David

Mark Roddy wrote:

Currently there are products out there that install filters in the storage stack that do not BOTHER to send requests to the next lower filter, as they just know better, and send them directly to the PDO. This defeats all legitimate filter drivers and unfortunately passes DV.

=====================
Mark Roddy
Windows .NET/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com] On Behalf Of Henry
>Gabryjelski
>Sent: Friday, January 14, 2005 1:21 PM
>To: Windows System Software Devs Interest List
>Subject: RE:[ntdev] [RE][RE]SCSI filter driver…
>
>
>Son Won-Jang,
>
>Please keep the reply on the NTDEV list, as otherwise I will
>likely be unable to respond.
>Nero happens to use IOCTL_SCSI_PASS_THROUGH_DIRECT, while I
>believe Alcohol software installs their own filter so they
>can use a private “ASPI-like” functionality by default.
>Unfortunately, there are probably other software vendors who
>have done the same thing, and you will not catch them all.
>Technically speaking, it’s not possible to 100% prevent a
>driver from writing to CD, regardless of what you do;
>anything you can do, they can work around (as well as the
>other way). So, you need to develop a 100% correct
>solution to prevent other software from wanting to work
>around your driver.
>
>As for how to do this, I have no sample source to provide.
>
>If you just want this for your own purposes, failing all
>WRITE10 and MODE_SELECT commands should be “good enough”.
>For a shipping product (even inside an org), you’d need to be
>much more invasive than just failing a few commands. For
>example, you’d have to modify the GET_CONFIGURATION command
>response to remove the features that indicate the drive can
>write; You’d have to modify MODE_SENSE command response to
>modify the same data; You’d have to find out about (and fail)
>any vendor-unique commands for drives used in your
>organization; And probably more… Failure to do all these
>steps will likely result in writing software failing in new
>and unexpected ways.
>
>If this is going to be a product you hope to ship outside
>your organization, I would suggest not trying as the problem
>set (and problematic interactions) are too large to
>effectively test in one month’s timeframe. Of course, if you
>are only to use this inside an organization, it begs the
>question of why you are installing writing software on these
>machines in the first place…
>
>.
>
>-----Original Message-----
>From: Son Won-jang [mailto:xxxxx@hotmail.com]
>Sent: Thursday, January 13, 2005 10:03 PM
>To: Henry Gabryjelski
>Subject: [RE][RE]SCSI filter driver…
>
>Hi Henry… thank you very much for the reply…
>
>What I really want to do is write-protect the CD.
>I am trying to do it by filtering the CDROM class (registered at
>{4D36E965-E325-11CE-BFC1-08002BE10318}).
>With that method, some programs’ SRBs can be detected, like
>NeroExpress, but some kinds of programs’ SRBs cannot be detected,
>like Alcohol 120%.
>So I am thinking about a SCSI or IDE filter…
>I saw some replies about SCSI filters…
>They mentioned Bus Filter, BusRelations, Enumerate FDO …
>I don’t know how I can implement it…
>I have been trying to solve this problem for about a month…
>If possible, please give me some piece of source.
>
>Thanks for reading… Be always happy~
>
>
>
>
>>From: “Henry Gabryjelski”
>>>Reply-To: “Windows System Software Devs Interest List”
>>>To: “Windows System Software Devs Interest List”
>>>Subject: RE:[ntdev] SCSI filter driver
>>>Date: Thu, 13 Jan 2005 09:27:28 -0800
>>>
>>>Hello, Joneyson,
>>>
>>>I do not have the book you mention, so I cannot see the source. I will
>>>try to offer what help I can.
>>>
>>>The class GUID you mention below is for “SCSI and RAID controllers”.
>>>Many consumer machines do not have SCSI controllers at all,
>>>and most that do have only one instance. If your machine has
>>>exactly one SCSI card, then this would explain why your
>>>driver has only one instance. Can you explain why you are
>>>expecting to have many instances of your filter driver?
>>>
>>>If you want to monitor on a per-device basis, you would need to have
>>>more complex filtering (either handle more class GUIDs or be
>>>a bus filter or …). If you are looking to do software bus
>>>tracing, there are already a couple of products that have
>>>been in the marketplace for some time, and are significantly
>>>less expensive than hardware analyzers. A quick search on
>>>google for “software bus analyzer” can find these.
>>>
>>>Hth,
>>>.
>>>
>>>-----Original Message-----
>>>From: Son won-jang [mailto:xxxxx@hotmail.com]
>>>Sent: Wednesday, January 12, 2005 3:40 AM
>>>Subject: SCSI filter driver
>>>
>>>Sorry… I don’t know English well and I’m a beginner driver author.
>>>
>>>I want to monitor all SCSI devices’ SRBs. I registered a simple WDM
>>>filter driver as UpperFilters at
>>>HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}.
>>>
>>>But it does not work the way I thought.
>>>I compared it with another SCSI filter driver using the DeviceTree utility
>>>written by OSR.
>>>
>>>My driver has just one node, but the other filter has many sub nodes.
>>>
>>>My driver is very simple.
>>>It is the WDM filter sample in the book “Programming the MICROSOFT WINDOWS
>>>DRIVER MODEL 2nd”
>>>
>>>Please let me know…
>>>
>>>thanks for reading…
>>>
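
Added example, not part of the thread and not code from any poster: Henry Gabryjelski's reply above lists failing WRITE10 and MODE_SELECT and editing the GET_CONFIGURATION response to remove the features that indicate the drive can write. The sketch below shows that logic as plain user-mode C over raw buffers; the function names and the short list of MMC feature codes are assumptions chosen for illustration, and the sample response is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Opcodes for the commands named in the thread: WRITE10 and MODE_SELECT. */
enum { OP_MODE_SELECT6 = 0x15, OP_WRITE10 = 0x2A, OP_MODE_SELECT10 = 0x55 };

/* 1 if a filter following that advice would fail this CDB, else 0. */
int cdb_should_fail(const uint8_t *cdb, size_t len)
{
    if (cdb == NULL || len == 0) return 0;
    return cdb[0] == OP_WRITE10 || cdb[0] == OP_MODE_SELECT6 ||
           cdb[0] == OP_MODE_SELECT10;
}

/* Assumed, non-exhaustive subset of MMC write-related feature codes. */
static int is_write_feature(unsigned code)
{
    return code == 0x0020 || code == 0x0021 ||  /* random, incremental writable */
           (code >= 0x002D && code <= 0x002F);  /* CD TAO, CD mastering, DVD-R/-RW write */
}

/* Strip write features from a GET CONFIGURATION response in place. Layout:
 * 8-byte header (bytes 0-3: big-endian count of bytes after that field), then
 * descriptors, each 4 bytes plus its additional-length byte (offset 3).
 * Returns the new total length, or 0 if the data is malformed (the buffer
 * contents are then undefined and the caller should fail the request). */
size_t strip_write_features(uint8_t *buf, size_t len)
{
    size_t in = 8, out = 8;
    if (buf == NULL || len < 8) return 0;
    while (in < len) {
        if (len - in < 4) return 0;             /* truncated descriptor header */
        size_t dlen = 4 + (size_t)buf[in + 3];
        if (dlen > len - in) return 0;          /* descriptor overruns buffer */
        unsigned code = ((unsigned)buf[in] << 8) | buf[in + 1];
        if (!is_write_feature(code)) { memmove(buf + out, buf + in, dlen); out += dlen; }
        in += dlen;
    }
    buf[0] = (uint8_t)((out - 4) >> 24); buf[1] = (uint8_t)((out - 4) >> 16);
    buf[2] = (uint8_t)((out - 4) >> 8);  buf[3] = (uint8_t)(out - 4);
    return out;
}

int main(void)
{   /* Constructed response: Core, CD Track-at-Once, CD Read features. */
    uint8_t r[32] = {0,0,0,28, 0,0,0,8, 0,0x01,3,4, 0,0,0,0,
                     0,0x2D,1,4, 0,0,0,0, 0,0x1E,1,4, 0,0,0,0};
    return strip_write_features(r, sizeof r) == 24 ? 0 : 1;
}
```

As the thread notes, this covers only part of the list: the MODE_SENSE data and any vendor-unique commands would need the same treatment, and traffic sent directly to the PDO never reaches an upper filter at all.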