Storage filter driver to intercept SRBs

Hello all,

I am relatively new to Windows driver development and have been studying the
“diskperf” filter driver sample provided by Microsoft.

I am doing an internship where I have been tasked with creating a lower filter
driver that sits underneath the storage class driver and above the storage port
driver. The objective of the filter driver is to intercept SRBs being sent to
the storage port driver and display some of its member values. The long term
goal of the filter driver is to modify the SRBs values and forward it down the
driver stack for driver validation.

I am looking for a sample filter driver that intercepts SRBs that I can use as a
template or any resource that explains how to capture SRBs and display some of
its members such as the LUN value. If you can point me to any resources that can
help in writing the filter driver I would greatly appreciate it!

Best Regards,

Y

Look at the src\storage\class\classpnp (especially xferpkt.c) example in WDK.

Thanks Pradeep I will have a look at the sample.

-Y

Hi all,

After spending some time going through some samples I have the following questions:

1.) In the driver entry, when setting up the dispatch points do I need to override the IRP_MJ_SCSI major function to capture SRBs?

2.) Do I need to override IRP_MJ_WRITE and IRP_MJ_READ as well? Or do I just use the IRP_MJ_SCSI function and read the CDBs in the SRBs to determine if it's a read or write request?

Thanks,

Y

You want to use the second way if you are writing lower disk class filter. That is how I am writing mine.

If you are using KMDF, then the example from http://www.osronline.com/article.cfm?article=446 is extremely helpful.
In WDF, the internal device control is defined as SCSI request. In wdm.h you can get the define as follows:
//
// Make the Scsi major code the same as internal device control.
//

#define IRP_MJ_SCSI IRP_MJ_INTERNAL_DEVICE_CONTROL

As a result, you will get SCSI requests in Internal device control callback.

Thanks,
Rajib

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, January 11, 2013 3:24 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Storage filter driver to intercept SRBs

Hi all,

After spending some time going through some samples I have the following questions:

1.) In the driver entry, when setting up the dispatch points do I need to override the IRP_MJ_SCSI major function to capture SRBs?

2.) Do I need to override IRP_MJ_WRITE and IRP_MJ_READ as well? Or do I just use the IRP_MJ_SCSI function and read the CDBs in the SRBs to determine if it's a read or write request?

Thanks,

Y


NTDEV is sponsored by OSR

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

After some thought, I remember that I have written a WDM lower disk class driver in which I used the filter read and write callbacks.
From the IRP you can get the data buffer and from there you can get SRB headers.

For KMDF, you need to use the internal device IO control.

Thanks,
Rajib


Could you provide me with some examples of disk filter drivers, especially
an upper filter driver? I just have the diskperf WDK example.


@Dongyang:
Unfortunately, I have not found a sample that pertains to intercepting SRBs. I am using the diskperf as a template for building a filter driver and I am using LSI_U3 StorPort Miniport Driver and ClassPnP Storage Class Driver Library samples and other bits and pieces from the internet to get started. If you find anything else that is useful please share it on this thread. Thanks!

@Rajib:
What is the difference between IRP_MJ_SCSI and IRP_MJ_INTERNAL_DEVICE_CONTROL for capturing SRBs? From the #define it seems they are equivalent. Also, I wanted to make sure that so far I am structuring the filter driver correctly. In my driver entry routine I have set up the dispatch routine:


DriverObject0->MajorFunction[IRP_MJ_SCSI] = fltrSCSI;

I have overridden IRP_MJ_SCSI with my fltrSCSI function which has the following structure to start things out:

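NTSTATUS fltrSCSI(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    PIO_STACK_LOCATION stackLoc;
    PCDB cdb;

    /* For IRP_MJ_SCSI the current stack location carries the SRB pointer. */
    stackLoc = IoGetCurrentIrpStackLocation(pIrp);
    cdb = (PCDB) stackLoc->Parameters.Scsi.Srb->Cdb;

    /* The first CDB byte is the SCSI operation code. */
    switch (cdb->CDB10.OperationCode)
    {
    case SCSIOP_READ:
        DbgPrint("\n***SCSI READ***\n");
        break;
    }

    /* ... remainder of the routine not shown in the post ... */
}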

Is my logic correct so far in capturing an srb and reading its cdb operation code to determine the SCSI operation to be performed on the device?

Thanks for all the help!

xxxxx@gmail.com wrote:

@Rajib:
What is the difference between IRP_MJ_SCSI and IRP_MJ_INTERNAL_DEVICE_CONTROL for capturing SRBs? From the #define it seems they are equivalent.

And that should answer your question. The processor has no idea what
the original symbol name was. All it knows is that the IRP has a major
code of 15.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Try filtering below DiskClass. Above that, you receive IRP_MJ_READ and IRP_MJ_WRITE, below that you receive IRP_MJ_SCSI (INTERNAL_DEVICE_CONTROL).


Here are Rajib's answers:

> @Rajib:
> What is the difference between IRP_MJ_SCSI and IRP_MJ_INTERNAL_DEVICE_CONTROL for capturing SRBs? From the #define it seems they are equivalent. Also, I wanted to make sure that so far I am structuring the filter
> driver correctly. In my driver entry routine I have set up the dispatch routine:

They are the same. If you happen to write the driver using WDF (a KMDF driver), then you need to filter in the Internal Device IO function. Also, in the upper disk filter, you cannot get the SRB. The disk class filter converts the IO to an SRB or SCSI command. As a result, if you need to format SCSI, you need to write a filter below the disk class.

Thanks,
Rajib


> What is the difference between IRP_MJ_SCSI and IRP_MJ_INTERNAL_DEVICE_CONTROL for
> capturing SRBs? From the #define it seems they are equivalent.

Yes.

> Is my logic correct so far in capturing an srb and reading its cdb operation code to determine the
> SCSI operation to be performed on the device?

Correct.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
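
The check discussed above (reading the CDB of each SRB that arrives on IRP_MJ_SCSI to tell reads from writes), as an added user-mode C example; it is not code from any poster in this thread or from the WDK. MOCK_SRB, XFER_INFO and classify_srb are hypothetical names, the struct mirrors only the Function, Lun, CdbLength and Cdb fields of SCSI_REQUEST_BLOCK, and the example goes beyond the posted switch by also checking the SRB function and CDB length and extracting the LBA and block count for the 10- and 16-byte read/write commands:

```c
#include <stdint.h>
#include <stdio.h>
/* Values as defined in the WDK headers srb.h and scsi.h. */
#define SRB_FUNCTION_EXECUTE_SCSI 0x00
#define SCSIOP_READ    0x28  /* READ(10)  */
#define SCSIOP_WRITE   0x2A  /* WRITE(10) */
#define SCSIOP_READ16  0x88
#define SCSIOP_WRITE16 0x8A

/* Hypothetical stand-in: only the SCSI_REQUEST_BLOCK fields used here. */
typedef struct { uint8_t Function, Lun, CdbLength, Cdb[16]; } MOCK_SRB;
typedef enum { XFER_NONE, XFER_READ, XFER_WRITE } XFER_DIR;
typedef struct { XFER_DIR dir; uint64_t lba; uint32_t blocks; } XFER_INFO;

static uint64_t be(const uint8_t *p, size_t n) {  /* CDB fields are big-endian */
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Returns 1 and fills *out for a read/write CDB, 0 for anything else. */
int classify_srb(const MOCK_SRB *srb, XFER_INFO *out) {
    const uint8_t *c = srb->Cdb;
    out->dir = XFER_NONE; out->lba = 0; out->blocks = 0;
    if (srb->Function != SRB_FUNCTION_EXECUTE_SCSI) return 0; /* Cdb not meaningful */
    if (srb->CdbLength == 0 || srb->CdbLength > sizeof srb->Cdb) return 0;
    switch (c[0]) {
    case SCSIOP_READ: case SCSIOP_WRITE:
        if (srb->CdbLength < 10) return 0;        /* truncated CDB */
        out->lba = be(c + 2, 4);                  /* bytes 2..5 */
        out->blocks = (uint32_t)be(c + 7, 2);     /* bytes 7..8 */
        break;
    case SCSIOP_READ16: case SCSIOP_WRITE16:
        if (srb->CdbLength < 16) return 0;
        out->lba = be(c + 2, 8);                  /* bytes 2..9 */
        out->blocks = (uint32_t)be(c + 10, 4);    /* bytes 10..13 */
        break;
    default: return 0;                            /* not a read or write */
    }
    out->dir = (c[0] == SCSIOP_READ || c[0] == SCSIOP_READ16) ? XFER_READ : XFER_WRITE;
    return 1;
}

int main(void) {  /* constructed sample: READ(10), LBA 0x10203, 8 blocks */
    MOCK_SRB s = { SRB_FUNCTION_EXECUTE_SCSI, 0, 10, { 0x28, 0, 0, 1, 2, 3, 0, 0, 8, 0 } };
    XFER_INFO x;
    int ok = classify_srb(&s, &x);
    printf("ok=%d LUN=%u dir=%d lba=%llu blocks=%u\n", ok, (unsigned)s.Lun,
           (int)x.dir, (unsigned long long)x.lba, (unsigned)x.blocks);
    return 0;
}
```
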

Thanks everyone for the help so far,

I am currently trying to experiment on how to attach the filter driver and I could use some help here. The diskperf sample attaches the filter to the highest device object. For my purpose I want to insert the filter in this location in the device stack:

(Storage class driver)
|
|
(Lower filter driver) <— this is where the filter driver needs to be placed
|
|
(Storage port driver).

Again, any advice or resources that can help me attach the filter driver between the class and storage port driver is greatly appreciated!

Best Regards,

Y.M.

Hello all,

I have finally got the storage filter driver to load without any BSODs or hanging issues. I am able to see the SCSI requests in my dispatch routine.

However, in WinDbg I am getting an endless spam of DbgPrintEx statements from my SCSI dispatch routine. I believe this is because I am getting SCSI requests from the disk class driver for multiple SCSI devices. The device that I need to be filtering is UFS (universal flash storage).

Currently in my INF file I have specified the device class as DiskDrive. However, I am not sure if I should be using the SCSIAdapter class instead. Here is what !devstack shows for my filter driver:
kd> !devstack 83f15020
!DevObj !DrvObj !DevExt ObjectName
83f15658 \Driver\partmgr 83f15710
83f159d8 \Driver\disk 83f15a90 DR2
> 83f15020 \Driver\FilterDrv 83f150d8
83eaf578 \Driver\sdstor 83eaf630 0000003d

My question is what is the difference between specifying a lower filter storage driver as a DiskDrive or SCSIAdapter class? For filtering a UFS device what is the correct class to use?

My next question: I have set most of my dispatch routines (e.g. IRP_MJ_PNP) to pass through, except for the DriverEntry, AddDevice and IRP_MJ_INTERNAL_DEVICE_CONTROL routines. My thinking is that since I am attaching between Microsoft's inbox drivers and I am only interested in changing some values in the SRBs, I can just forward and forget about the different IRPs such as PnP. Is the assumption in the previous sentence correct? Or are there IRPs that, as a filter driver, I must handle rather than just forwarding them down the stack and forgetting about them?

Thanks everyone for taking the time to help!

Forgive me for the MS Word formatting; here is the !devstack output:

kd> !devstack 83f15020
!DevObj !DrvObj !DevExt ObjectName
83f15658 \Driver\partmgr 83f15710
83f159d8 \Driver\disk 83f15a90 DR2
> 83f15020 \Driver\FilterDrv 83f150d8
83eaf578 \Driver\sdstor 83eaf630 0000003d

Thanks again!

Y.M.