OSR Online Lists > ntdev
  Message 1 of 15  
01 Jan 18 01:06
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

In WDM I can attach to any device by first getting the object with IoGetDeviceObjectPointer and later using IoAttachDevice, and then it will pass all the IRPs through my driver and I can do whatever I want with it. Is this also possible in WDF? (taking into consideration I can call WDM functions inside a KMDF driver)

I was looking at other questions, especially this one: https://social.msdn.microsoft.com/Forums/en-US/65101f09-0785-4e27-97bb-8d4552e1f344/devicedriver-stack-in-wdf?forum=wdk

But I'm really confused. It says WDF drivers can only use .inf files to make them act like filters. But what if I want to modify the behaviour of a third party driver (not related to hardware) and not listed in official documentation talking about filters? Can I use WDF for that too?

All I want is this:
1. Get device object by its name
2. Attach to the stack / Replace function in dispatch table of the driver
3. Preprocess, postprocess IRPs (io completion routine)
  Message 2 of 15  
01 Jan 18 11:20
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10218
WDF attaching to device stack

Wdf only enables attaching to devices through pnp (AddDevice), not by name after the fact. What you describe doesn't require attaching to the stack. If you are replacing a dispatch table, being a part of the stack afterwards is optional. I am not endorsing hooking in this manner.

d

Bent from my phone
  Message 3 of 15  
01 Jan 18 19:56
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

So if I want to attach dynamically by name I can only use WDM?
  Message 4 of 15  
01 Jan 18 20:07
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

I'm currently using a legacy WDM driver to accomplish this and it seems easier after all. Also, a question: can I attach a single device to multiple devices with IoAttachDevice? If so, how can I later pass the IRP down the stack with IoCallDriver (if I have it attached to multiple different devices)?
  Message 5 of 15  
01 Jan 18 20:20
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10218
WDF attaching to device stack

You can only attach once. You need a device object per attached stack. IoCallDriver has no idea about stacks, it just accepts a target device object.

Bent from my phone
  Message 6 of 15  
01 Jan 18 20:52
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

Thank you Doron! One more question: If I replace a pointer in the dispatch table (IRP hook), then in theory I can hook many devices in one driver without using IoAttachDevice? And why aren't you endorsing hooking in this manner?
  Message 7 of 15  
01 Jan 18 21:06
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10218
WDF attaching to device stack

> One more question: If I replace a pointer in dispatch table(IRP hook), then in theory I can hook many devices in one driver without using IoAttachDevice ?

This is exactly what I said two replies ago. You don't need to attach at all to hook in this fashion. You don't get your own stack location though, so no completion routine on the way back up the stack. If you have to ask why it isn't supported, you need to read up more on driver architecture and rules.

Bent from my phone
  Message 8 of 15  
01 Jan 18 21:29
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

What do you mean by no completion routine on the way back up the stack? I can insert my completion routine into the existing IRP like:

    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation (Irp);
    irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE) IoCompletionRoutine;
  Message 9 of 15  
01 Jan 18 21:49
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10218
WDF attaching to device stack

1. You should be using IoSetCompletionRoutine.
2. If you are not attaching to the stack and just hooking the dispatch table you don't have an io stack location so when you call into the original dispatch routine that you hooked it can set a new routine.

Bent from my phone
  Message 10 of 15  
02 Jan 18 02:32
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 12006
WDF attaching to device stack

On Jan 1, 2018, at 6:28 PM, xxxxx@gmx.com <xxxxx@lists.osr.com> wrote:
>
> What do you mean by no completion routine on the way back up the stack? I can insert my completion routine into the existing IRP like:
>
> PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation (Irp);
> irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE) IoCompletionRoutine;

Yes, but in doing so, you just erased the completion routine set up by the driver above you. Each driver in a correctly-formatted stack gets its own stack location, so you can advance to the next one before setting the completion routine. If you did not attach to the driver stack, then the IRP will not have enough stack locations for you to "borrow" one.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
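
Added example (not part of the thread, and not code from any poster): a user-mode C model of the stack-location bookkeeping described in messages 9 and 10, comparing an attached filter with a dispatch-table hook that overwrites the current location's completion routine. The types and function names are hypothetical simplifications, not the real ntddk.h definitions.

```c
/* User-mode model of IRP stack locations. Constructed for illustration:
 * these are NOT the real ntddk.h types, and all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_LOC 4
enum { FILTER_DONE = 1, UPPER_DONE = 2 };    /* ids recorded when a routine runs */

typedef struct { int routine_id; } StackLoc; /* 0 = no completion routine set */

typedef struct {
    int stack_count;        /* fixed at IRP allocation: one per attached device */
    int current;            /* location owned by the driver now handling the IRP */
    StackLoc loc[MAX_LOC];  /* loc[0] belongs to the lowest device */
    int ran[MAX_LOC], nran; /* completion routines that ran, in order */
} Irp;

static void irp_init(Irp *irp, int devices_in_stack) {
    memset(irp, 0, sizeof *irp);
    irp->stack_count = devices_in_stack;
    irp->current = devices_in_stack - 1;     /* top driver sees the IRP first */
}

/* Models IoSetCompletionRoutine + IoCallDriver: the routine is stored in the
 * NEXT (lower) location, then the lower driver becomes current.
 * Returns 0 when there is no lower location left to use. */
static int set_routine_and_call_down(Irp *irp, int routine_id) {
    if (irp->current == 0) return 0;
    irp->loc[irp->current - 1].routine_id = routine_id;
    irp->current--;
    return 1;
}

/* Models completion: walk back up, running whatever each location holds. */
static void complete(Irp *irp) {
    for (int i = irp->current; i < irp->stack_count; i++)
        if (irp->loc[i].routine_id)
            irp->ran[irp->nran++] = irp->loc[i].routine_id;
}

/* Case 1: filter attached, so the IRP was allocated with a location for it. */
Irp attached_filter(void) {
    Irp irp; irp_init(&irp, 3);                   /* target, filter, upper */
    set_routine_and_call_down(&irp, UPPER_DONE);  /* upper -> filter */
    set_routine_and_call_down(&irp, FILTER_DONE); /* filter -> target */
    complete(&irp);                               /* target completes the IRP */
    return irp;
}

/* Case 2: dispatch hook, not attached. The hook runs in the target's own
 * location, which already holds the upper driver's routine. */
Irp dispatch_hook(int *had_own_location) {
    Irp irp; irp_init(&irp, 2);                   /* target and upper only */
    set_routine_and_call_down(&irp, UPPER_DONE);  /* upper -> target (hooked) */
    *had_own_location = set_routine_and_call_down(&irp, FILTER_DONE); /* fails */
    irp.loc[irp.current].routine_id = FILTER_DONE; /* overwrite, as in message 8 */
    complete(&irp);
    return irp;
}

int main(void) {
    int own; Irp a = attached_filter(), b = dispatch_hook(&own);
    printf("attached: %d routines ran; hook: %d ran, own location=%d\n",
           a.nran, b.nran, own);
    return 0;
}
```

In the hook case only one routine runs: the upper driver's completion routine was overwritten and is never called.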
  Message 11 of 15  
02 Jan 18 02:38
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 12006
WDF attaching to device stack

On Jan 1, 2018, at 5:51 PM, xxxxx@gmx.com <xxxxx@lists.osr.com> wrote:
>
> One more question: If I replace a pointer in dispatch table(IRP hook), then in theory I can hook many devices in one driver without using IoAttachDevice ?

Yes, but then what? Each IRP has enough stack locations for the drivers that have attached to the stack. By hooking a dispatch pointer, you can poke around in the IRP and inspect the parameters, but you can't do anything to the IRP except pass it down unchanged, and you can't get a callback later.

> And why aren't you endorsing hooking in this manner?

Because it violates the rules, rules which are there to ensure the reliable execution of the operating system. That kind of hooking is delicate, unsupported, and not terribly useful.

Plus, it's trivially easy to install a filter driver in the supported manner, which makes you a full participant in the IRP stack and lets you do everything KMDF can do. A device filter doesn't need an INF. Just copy the file into place, create the service, and tweak the registry.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 12 of 15  
02 Jan 18 03:11
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

> Yes, but in doing so, you just erased the completion routine set up by the driver above you.

But I can always call the old(erased) completion routine in my own to preserve functionality. Won't it be enough?

> Plus, it's trivially easy to install a filter driver in the supported manner, which makes you a full participant in the IRP stack and lets you do everything KMDF can do.

What if the device I want to hook is not PnP and it's created by a third party and it's not one of the common devices that is "FILE_DEVICE_UNKNOWN". I can't use KMDF and I'm forced to use WDM so I just get the name of the device and do what I want with it next.

Or maybe I get it wrong? Can't I just mix KMDF with WDM and do the runtime attaching there? From what I understood KMDF (WDF) is just a wrapper over WDM. Callbacks have different parameters and there is no IRP in the arguments can I do the same in KMDF and set my io completion routines there?
  Message 13 of 15  
02 Jan 18 13:23
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 12006
WDF attaching to device stack

xxxxx@gmx.com wrote:
>> Yes, but in doing so, you just erased the completion routine set up by the driver above you.
> But I can always call the old(erased) completion routine in my own to preserve functionality. Won't it be enough?

Where are you going to put it? There's no place in the IRP or IO stack location that belongs to you. If you're not in the stack, then your device object is not going to get involved, so you won't have an extension structure. Put it in a driver global, indexed by the IRP address? Yecch.

> What if the device I want to hook is not PnP and it's created by a third party and it's not one of the common devices that is "FILE_DEVICE_UNKNOWN". I can't use KMDF and I'm forced to use WDM so I just get the name of the device and do what I want with it next.

Well, if it's not PnP, then the UpperFilters/LowerFilters thing doesn't work. You don't even know that it receives IRPs.

> Or maybe I get it wrong? Can't I just mix KMDF with WDM and do the runtime attaching there? From what I understood KMDF (WDF) is just a wrapper over WDM. Callbacks have different parameters and there is no IRP in the arguments can I do the same in KMDF and set my io completion routines there?

In many cases, you can do this. The KMDF dispatching relies on an extension to the device object, which you wouldn't have in a "hook" situation, so you'd have to disable that by using "miniport mode". In that situation, it's not entirely clear what KMDF would buy you.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 14 of 15  
02 Jan 18 22:53
James Danks
xxxxxx@gmx.com
Join Date: 26 Dec 2017
Posts To This List: 12
WDF attaching to device stack

> Put it in a driver global, indexed by the IRP address?

That's how it's done in the book "Rootkits - Subverting the Windows Kernel" and it seems to work. What wrong could happen?

> Well, if it's not PnP, then the UpperFilters/LowerFilters thing doesn't work. You don't even know that it receives IRPs.

Don't all drivers receive IRPs or at least are supposed to do so? If I didn't know I wouldn't attach to it/hook it.

I didn't know about miniport mode and I will surely study it more. Thank you!
  Message 15 of 15  
03 Jan 18 02:06
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 12006
WDF attaching to device stack

On Jan 2, 2018, at 7:53 PM, xxxxx@gmx.com <xxxxx@lists.osr.com> wrote:
>
>> Put it in a driver global, indexed by the IRP address?
>
> That's how it's done in the book "Rootkits - Subverting the Windows Kernel" and it seems to work. What wrong could happen?

Globals are evil. If you are filtering multiple devices, you have a lot of bookkeeping to do in order to keep it all straight. It's just a lot more error-prone than using normal filtering.

>> Well, if it's not PnP, then the UpperFilters/LowerFilters thing doesn't
>> work. You don't even know that it receives IRPs.
>
> Don't all drivers receive IRPs or at least are supposed to do so? If I didn't know I wouldn't attach to it/hook it.

No. Many drivers handle hardware without communication from above. Some drivers use direct calls. GDI drivers (like display drivers and printer drivers) do not use IRPs.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

All times are GMT -5. The time now is 00:44.

