RE: [RE][RE]SCSI filter driver..

Like I said originally, if the filter above breaks the rules and directs
IRPs to the PDO, you will not see them in your (well behaved) filter. Irp
tracker, I presume, does hooking of either dispatch routines or of
IofCallDriver. You can hook dispatch routines, it is just bad behavior, but
it is at least safer and less invasive than hooking the OS irp dispatching
routine itself. It would be better if, at least moving forward, the
offending filter drivers flunked WHQL.

=====================
Mark Roddy
Windows .NET/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Lavo
Sent: Thursday, February 03, 2005 8:27 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] [RE][RE]SCSI filter driver…

Hi Maxim,

Thanks for this idea - I tried it out, but I still have an
escape. One of the apps I’m trying to monitor installs a
lower class filter on CDROM, and even though my filter (as
per your instructions) sits below it (and IMAPI) and right
above the PDO I still don’t see the traffic.

But I can watch the IRPs with IrpTracker - one IRP from
user-mode to the lower-class filter, one IRP to the PDO
(ATAPI), and then back to the completion routine in the lower
filter. A very “private” stack. But this brings up the
question: how does IrpTracker see all this traffic?
Can I (safely) replicate the method? (I know you’re not
w/OSR, but opinions are welcome …)

– David

Maxim S. Shatskih wrote:
> Insert a device (not class) LowerFilter below IMAPI, as a last
> in chain to PDO. I think it catches most of the burning apps.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “David Lavo”
> > Newsgroups: ntdev
> > To: “Windows System Software Devs Interest List”
>
> > Sent: Thursday, February 03, 2005 4:32 PM
> > Subject: Re:[ntdev] [RE][RE]SCSI filter driver…
> >
> >
> >
> >>Hi Mark,
> >>
> >>This is exactly the problem I’m dealing with on a current project: I’m
> >>trying to monitor reads to CD drives, and while a CD class upper
> >>filter catches most normal traffic, the direct-to-PDO and ASPI-style
> >>traffic escapes the monitor. Is there a way to capture this traffic
> >>by filtering, or is some sort of system hooking the only resort?
> >>
> >>Much thanks for any advice/info,
> >>
> >>David
> >>
> >>
> >>Mark Roddy wrote:
> >>
> >>>Currently there are products out there that install filters in the
> >>>storage stack that do not BOTHER to send requests to the next lower
> >>>filter, as they just know better, and send them directly to the PDO.
> >>>This defeats all legitimate filter drivers and unfortunately passes DV.
> >
> >>>=====================
> >>>Mark Roddy
> >>>Windows .NET/XP/2000 Consulting
> >>>Hollis Technology Solutions 603-321-1032 www.hollistech.com
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: xxxxx@lists.osr.com
> >>>>[mailto:xxxxx@lists.osr.com] On Behalf Of Henry
> >>>>Gabryjelski
> >>>>Sent: Friday, January 14, 2005 1:21 PM
> >>>>To: Windows System Software Devs Interest List
> >>>>Subject: RE:[ntdev] [RE][RE]SCSI filter driver…
> >>>>
> >>>>
> >>>>Son Won-Jang,
> >>>>
> >>>>Please keep the reply on the NTDEV list, as otherwise I will likely
> >>>>be unable to respond.
> >>>>Nero happens to use IOCTL_SCSI_PASS_THROUGH_DIRECT, while I believe
> >>>>Alcohol software installs their own filter so they can use a private
> >>>>“ASPI-like” functionality by default.
> >>>>Unfortunately, there are probably other software vendors who have
> >>>>done the same thing, and you will not catch them all.
> >>>>Technically speaking, it’s not possible to 100% prevent a driver
> >>>>from writing to CD, regardless of what you do; anything you can do,
> >>>>they can work around (as well as the other way). So, you need to
> >>>>develop a 100% correct solution to prevent other software from
> >>>>wanting to work around your driver.
> >>>>
> >>>>As for how to do this, I have no sample source to provide.
> >>>>
> >>>>If you just want this for your own purposes, failing all WRITE10 and
> >>>>MODE_SELECT commands should be “good enough”.
> >>>>For a shipping product (even inside an org), you’d need to be much
> >>>>more invasive than just failing a few commands. For example, you’d
> >>>>have to modify the GET_CONFIGURATION command response to remove the
> >>>>features that indicate the drive can write; you’d have to modify
> >>>>MODE_SENSE command response to modify the same data; you’d have to
> >>>>find out about (and fail) any vendor-unique commands for drives used
> >>>>in your organization; and probably more… Failure to do all these
> >>>>steps will likely result in writing software failing in new and
> >>>>unexpected ways.
> >>>>
> >>>>If this is going to be a product you hope to ship outside your
> >>>>organization, I would suggest not trying as the problem set (and
> >>>>problematic interactions) are too large to effectively test in one
> >>>>month’s timeframe. Of course, if you are only to use this inside an
> >>>>organization, it begs the question of why you are installing writing
> >>>>software on these machines in the first place…
> >>>>
> >>>>.
> >>>>
> >>>>-----Original Message-----
> >>>>From: Son Won-jang [mailto:xxxxx@hotmail.com]
> >>>>Sent: Thursday, January 13, 2005 10:03 PM
> >>>>To: Henry Gabryjelski
> >>>>Subject: [RE][RE]SCSI filter driver…
> >>>>
> >>>>Hi Henry… thank you very much for reply…
> >>>>
> >>>>What I really want to do is write-protect the CD.
> >>>>I am trying to do it by filtering the CDROM class (registered at
> >>>>{4D36E965-E325-11CE-BFC1-08002BE10318}).
> >>>>By that method, some programs’ SRBs can be detected, like NeroExpress, but
> >>>>some kinds of programs’ SRBs cannot be detected, like Alcohol 120%.
> >>>>So I am thinking about a SCSI or IDE filter…
> >>>>I saw some replies about SCSI filters…
> >>>>They mentioned Bus Filter, BusRelations, Enumerate FDO …
> >>>>I don’t know how I can implement it…
> >>>>I have been trying to solve this problem for about a month…
> >>>>If possible, please give me some piece of source.
> >>>>
> >>>>Thanks for reading… Be always happy~
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>From: “Henry Gabryjelski”
> >>>>>Reply-To: “Windows System Software Devs Interest List”
> >>>>>To: “Windows System Software Devs Interest List”
> >>>>>Subject: RE:[ntdev] SCSI filter driver
> >>>>>Date: Thu, 13 Jan 2005 09:27:28 -0800
> >>>>>
> >>>>>Hello, Joneyson,
> >>>>>
> >>>>>I do not have the book you mention, so I cannot see the source. I will
> >>>>>try to offer what help I can.
> >>>>>
> >>>>>The class GUID you mention below is for “SCSI and RAID controllers”.
> >>>>>Many consumer machines do not have SCSI controllers at all, and most
> >>>>>that do have only one instance. If your machine has exactly one
> >>>>>SCSI card, then this would explain why your driver has only one
> >>>>>instance. Can you explain why you are expecting to have many
> >>>>>instances of your filter driver?
> >>>>>
> >>>>>If you want to monitor on a per-device basis, you would need to have
> >>>>>more complex filtering (either handle more class GUIDs or be a bus
> >>>>>filter or …). If you are looking to do software bus tracing,
> >>>>>there are already a couple of products that have been in the
> >>>>>marketplace for some time, and are significantly less expensive than
> >>>>>hardware analyzers. A quick search on google for “software bus
> >>>>>analyzer” can find these.
> >>>>>
> >>>>>Hth,
> >>>>>.
> >>>>>
> >>>>>-----Original Message-----
> >>>>>From: Son won-jang [mailto:xxxxx@hotmail.com]
> >>>>>Sent: Wednesday, January 12, 2005 3:40 AM
> >>>>>Subject: SCSI filter driver
> >>>>>
> >>>>>Sorry… I don’t know English well and I’m a beginner driver author.
> >>>>>
> >>>>>I want to monitor all SCSI devices’ SRBs. I registered a simple WDM
> >>>>>filter driver as UpperFilters at
> >>>>>HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}.
> >>>>>
> >>>>>But it does not work the way I thought.
> >>>>>I compared it with another SCSI filter driver using the DeviceTree utility
> >>>>>written by OSR.
> >>>>>
> >>>>>My driver has just one node, but the other filter has many sub nodes.
> >>>>>
> >>>>>My driver is very simple.
> >>>>>It is the WDM filter sample in the book “Programming the MICROSOFT WINDOWS
> >>>>>DRIVER MODEL 2nd”
> >>>>>
> >>>>>Please let me know…
> >>>>>
> >>>>>thanks for reading…
> >>>>>
> >>>>>Questions? First check the Kernel Driver FAQ at
> >>>>>http://www.osronline.com/article.cfm?id=256
> >>>>>
> >>>>>You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
> >>>>>To unsubscribe send a blank email to
> >>>>>xxxxx@lists.osr.com
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >
> >
> >
>
>
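
The "fail all WRITE10 and MODE_SELECT commands" policy mentioned in the thread, as an added example that is not code from any of the posters: a portable C decision function a filter could call on each CDB it sees. The function and enum names are hypothetical, the sample CDBs are constructed, both the 6-byte and 10-byte MODE SELECT forms are assumed to be in scope, and the policy only applies to requests that actually pass through the filter.

```c
#include <stddef.h>
#include <stdint.h>

/* SCSI operation codes, as defined by the SCSI command sets. */
#define OP_MODE_SELECT6  0x15
#define OP_WRITE10       0x2A
#define OP_MODE_SELECT10 0x55

/* Hypothetical verdicts for this example. */
typedef enum { CDB_PASS = 0, CDB_FAIL = 1, CDB_MALFORMED = 2 } cdb_verdict;

/* Fixed CDB length implied by the group code (top three bits of the opcode).
 * Returns 0 for groups whose length is not fixed (3, 6 and 7). */
static size_t cdb_group_length(uint8_t opcode)
{
    switch (opcode >> 5) {
    case 0:  return 6;
    case 1:
    case 2:  return 10;
    case 4:  return 16;
    case 5:  return 12;
    default: return 0;
    }
}

/* Decide what to do with one CDB: reject truncated buffers first, then fail
 * the opcodes named in the thread and pass everything else through. */
cdb_verdict classify_cdb(const uint8_t *cdb, size_t len)
{
    size_t need;

    if (cdb == NULL || len == 0)
        return CDB_MALFORMED;
    need = cdb_group_length(cdb[0]);
    if (need != 0 && len < need)
        return CDB_MALFORMED;      /* shorter than its group requires */

    switch (cdb[0]) {
    case OP_WRITE10:
    case OP_MODE_SELECT6:
    case OP_MODE_SELECT10:
        return CDB_FAIL;
    default:
        return CDB_PASS;
    }
}

/* Constructed sample CDBs (not captured traffic). */
const uint8_t SAMPLE_WRITE10[10]     = {0x2A, 0, 0, 0, 0, 0x10, 0, 0, 0x01, 0};
const uint8_t SAMPLE_READ10[10]      = {0x28, 0, 0, 0, 0, 0x10, 0, 0, 0x01, 0};
const uint8_t SAMPLE_MODE_SELECT6[6] = {0x15, 0x10, 0, 0, 0x0C, 0};
```

In a real filter the CDB and its length would come from the SRB carried by the request, and a CDB_FAIL verdict would complete the request with an error instead of forwarding it.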