Hi Maxim,
Thanks for this idea - I tried it out, but I still have an escape. One
of the apps I’m trying to monitor installs a lower class filter on
CDROM, and even though my filter (as per your instructions) sits below
it (and IMAPI) and right above the PDO I still don’t see the traffic.
But I can watch the IRPs with IrpTracker - one IRP from user-mode to the
lower-class filter, one IRP to the PDO (ATAPI), and then back to the
completion routine in the lower filter. A very “private” stack. But
this brings up the question: how does IrpTracker see all this traffic?
Can I (safely) replicate the method? (I know you’re not w/OSR, but
opinions are welcome …)
– David
Maxim S. Shatskih wrote:
Insert a device (not class) LowerFilter below IMAPI, as a last in chain
to PDO. I think it catches most of the burning apps.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “David Lavo”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Thursday, February 03, 2005 4:32 PM
> Subject: Re:[ntdev] [RE][RE]SCSI filter driver…
>
>
>
>>Hi Mark,
>>
>>This is exactly the problem I’m dealing with on a current project: I’m
>> trying to monitor reads to CD drives, and while a CD class upper
>>filter catches most normal traffic, the direct-to-PDO and ASPI-style
>>traffic escapes the monitor. Is there a way to capture this traffic by
>>filtering, or is some sort of system hooking the only resort?
>>
>>Much thanks for any advice/info,
>>
>>David
>>
>>
>>Mark Roddy wrote:
>>
>>>Currently there are products out there that install filters in the storage
>>>stack that do not BOTHER to send requests to the next lower filter, as they
>>>just know better, and send them directly to the PDO. This defeats all
>>>legitimate filter drivers and unfortunately passes DV.
>>>
>>>=====================
>>>Mark Roddy
>>>Windows .NET/XP/2000 Consulting
>>>Hollis Technology Solutions 603-321-1032
>>>www.hollistech.com
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: xxxxx@lists.osr.com
>>>>[mailto:xxxxx@lists.osr.com] On Behalf Of Henry
>>>>Gabryjelski
>>>>Sent: Friday, January 14, 2005 1:21 PM
>>>>To: Windows System Software Devs Interest List
>>>>Subject: RE:[ntdev] [RE][RE]SCSI filter driver…
>>>>
>>>>
>>>>Son Won-Jang,
>>>>
>>>>Please keep the reply on the NTDEV list, as otherwise I will
>>>>likely be unable to respond.
>>>>Nero happens to use IOCTL_SCSI_PASS_THROUGH_DIRECT, while I
>>>>believe Alcohol software installs their own filter so they
>>>>can use a private “ASPI-like” functionality by default.
>>>>Unfortunately, there are probably other software vendors who
>>>>have done the same thing, and you will not catch them all.
>>>>Technically speaking, it’s not possible to 100% prevent a
>>>>driver from writing to CD, regardless of what you do;
>>>>anything you can do, they can work around (as well as the
>>>>other way). So, you need to develop a 100% correct
>>>>solution to prevent other software from wanting to work
>>>>around your driver.
>>>>
>>>>As for how to do this, I have no sample source to provide.
>>>>
>>>>If you just want this for your own purposes, failing all
>>>>WRITE10 and MODE_SELECT commands should be “good enough”.
>>>>For a shipping product (even inside an org), you’d need to be
>>>>much more invasive than just failing a few commands. For
>>>>example, you’d have to modify the GET_CONFIGURATION command
>>>>response to remove the features that indicate the drive can
>>>>write; You’d have to modify MODE_SENSE command response to
>>>>modify the same data; You’d have to find out about (and fail)
>>>>any vendor-unique commands for drives used in your
>>>>organization; And probably more… Failure to do all these
>>>>steps will likely result in writing software failing in new
>>>>and unexpected ways.
>>>>
>>>>If this is going to be a product you hope to ship outside
>>>>your organization, I would suggest not trying as the problem
>>>>set (and problematic interactions) are too large to
>>>>effectively test in one month’s timeframe. Of course, if you
>>>>are only to use this inside an organization, it begs the
>>>>question of why you are installing writing software on these
>>>>machines in the first place…
>>>>
>>>>.
>>>>
>>>>-----Original Message-----
>>>>From: Son Won-jang [mailto:xxxxx@hotmail.com]
>>>>Sent: Thursday, January 13, 2005 10:03 PM
>>>>To: Henry Gabryjelski
>>>>Subject: [RE][RE]SCSI filter driver…
>>>>
>>>>Hi Henry… thank you very much for the reply…
>>>>
>>>>What I really want to do is write-protect the CD.
>>>>I am trying to do it by filtering the CDROM class (registered at
>>>>{4D36E965-E325-11CE-BFC1-08002BE10318}).
>>>>By that method, some programs’ SRBs can be detected, like
>>>>NeroExpress, but some kinds of programs’ SRBs cannot be detected,
>>>>like Alcohol 120%.
>>>>So I am thinking about a SCSI or IDE filter…
>>>>I saw some replies about SCSI filters…
>>>>They mentioned Bus Filter, BusRelations, Enumerate FDO …
>>>>I don’t know how I can implement it…
>>>>I have been trying to solve this problem for about a month…
>>>>If possible, please give me some piece of source.
>>>>
>>>>Thanks for reading… Be always happy~
>>>>
>>>>
>>>>>From: “Henry Gabryjelski”
>>>>>Reply-To: “Windows System Software Devs Interest List”
>>>>>To: “Windows System Software Devs Interest List”
>>>>>Subject: RE:[ntdev] SCSI filter driver
>>>>>Date: Thu, 13 Jan 2005 09:27:28 -0800
>>>>>
>>>>>Hello, Joneyson,
>>>>>
>>>>>I do not have the book you mention, so I cannot see the source. I will
>>>>>try to offer what help I can.
>>>>>
>>>>>The class GUID you mention below is for “SCSI and RAID controllers”.
>>>>>Many consumer machines do not have SCSI controllers at all,
>>>>>and most that do have only one instance. If your machine has
>>>>>exactly one SCSI card, then this would explain why your
>>>>>driver has only one instance. Can you explain why you are
>>>>>expecting to have many instances of your filter driver?
>>>>>
>>>>>If you want to monitor on a per-device basis, you would need to have
>>>>>more complex filtering (either handle more class GUIDs or be
>>>>>a bus filter or …). If you are looking to do software bus
>>>>>tracing, there are already a couple of products that have
>>>>>been in the marketplace for some time, and are significantly
>>>>>less expensive than hardware analyzers. A quick search on
>>>>>google for “software bus analyzer” can find these.
>>>>>
>>>>>Hth,
>>>>>.
>>>>>
>>>>>-----Original Message-----
>>>>>From: Son won-jang [mailto:xxxxx@hotmail.com]
>>>>>Sent: Wednesday, January 12, 2005 3:40 AM
>>>>>Subject: SCSI filter driver
>>>>>
>>>>>Sorry… I don’t know English well and I’m a beginner driver author.
>>>>>
>>>>>I want to monitor all SCSI devices’ SRBs. I registered a simple WDM
>>>>>filter driver as UpperFilters at
>>>>>HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}.
>>>>>
>>>>>But it does not work as I thought.
>>>>>I compared it with another SCSI filter driver using the DeviceTree utility
>>>>>written by OSR.
>>>>>
>>>>>My driver has just one node, but the other filter has many sub nodes.
>>>>>
>>>>>My driver is very simple.
>>>>>It is the WDM filter sample in the book “Programming the MICROSOFT WINDOWS
>>>>>DRIVER MODEL 2nd”
>>>>>
>>>>>Please let me know…
>>>>>
>>>>>thanks for reading…
>>>>>
>>>>>Questions? First check the Kernel Driver FAQ at
>>>>>http://www.osronline.com/article.cfm?id=256
>>>>>
>>>>>You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
>>>>>To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>
>>>>
>
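
Added example, not code from any poster in this thread: a user-mode C rendering of the packet logic Henry Gabryjelski describes, failing WRITE10 and MODE_SELECT and removing write-capability feature descriptors from a GET_CONFIGURATION response. The names `classify_cdb` and `strip_write_features` are hypothetical, and the feature-code list is an illustrative subset taken from the MMC specification, not a complete one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Standard SCSI/MMC opcodes for the commands named in the thread. */
enum { OP_MODE_SELECT6 = 0x15, OP_MODE_SENSE6 = 0x1A, OP_WRITE10 = 0x2A,
       OP_GET_CONFIGURATION = 0x46, OP_MODE_SELECT10 = 0x55, OP_MODE_SENSE10 = 0x5A };

typedef enum { CDB_PASS, CDB_FAIL, CDB_EDIT_RESPONSE } cdb_action;

/* Hypothetical policy hook: what a write-blocking filter does with one CDB. */
cdb_action classify_cdb(const uint8_t *cdb, size_t len)
{
    if (cdb == NULL || len == 0) return CDB_FAIL;          /* malformed: fail closed */
    switch (cdb[0]) {
    case OP_WRITE10: case OP_MODE_SELECT6: case OP_MODE_SELECT10:
        return CDB_FAIL;                                   /* the "good enough" set */
    case OP_GET_CONFIGURATION: case OP_MODE_SENSE6: case OP_MODE_SENSE10:
        return CDB_EDIT_RESPONSE;                          /* hide write capability */
    default:
        return CDB_PASS;
    }
}

/* Illustrative subset of MMC write features; a real filter needs the full list. */
static int is_write_feature(uint16_t code)
{
    return code == 0x0020 || code == 0x0021 ||   /* random / incremental writable */
           code == 0x002D || code == 0x002E || code == 0x002F; /* CD TAO, CD mastering, DVD-R/-RW */
}

/* Drop write-feature descriptors from a GET CONFIGURATION response in place.
 * len = bytes actually returned. Returns new length, or 0 if malformed. */
size_t strip_write_features(uint8_t *buf, size_t len)
{
    size_t rd = 8, wr = 8;                                 /* skip 8-byte feature header */
    if (buf == NULL || len < 8) return 0;
    while (rd < len) {
        if (len - rd < 4) return 0;                        /* truncated descriptor */
        size_t dlen = 4u + buf[rd + 3];                    /* header + additional length */
        if (dlen > len - rd) return 0;                     /* descriptor overruns buffer */
        uint16_t code = (uint16_t)(buf[rd] << 8 | buf[rd + 1]);
        if (!is_write_feature(code)) { memmove(buf + wr, buf + rd, dlen); wr += dlen; }
        rd += dlen;
    }
    uint32_t data_len = (uint32_t)(wr - 4);                /* bytes after the length field */
    buf[0] = (uint8_t)(data_len >> 24); buf[1] = (uint8_t)(data_len >> 16);
    buf[2] = (uint8_t)(data_len >> 8);  buf[3] = (uint8_t)data_len;
    return wr;
}
```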