Help needed for getting my class-filter driver working

Hi guys,

I’m trying to get a basic class-filter driver working and am in need of assistance.

I am preparing a solution that should attach to any present or added keyboard device,
for this - if I understand correctly, there should be a class-filter driver that would
operate in the keyboard class
(i.e. system defined guid {4d36e96b-e325-11ce-bfc1-08002be10318}).

I am facing the following (potential) problems -
* In DeviceTree, I see my driver attached below i8042prt (->DEV->ATT Mydriver->ATT \Device\KeyboardClass0),
but I don’t see it in the kbdclass tree at all - would this be expected ?

* I don’t get to the IRP_MJ_READ flow at all. I have initialized my driver in DriverEntry; does something between there and the PnP flows override my IRP handlers ?

* I don’t seem to load for any device other than KeyboardClass0, when I make an RDP connection for example,
I see it uses KeyboardClass1, but my AddDevice routine is not called at any point,
so I’m not part of the stack there.

The code follows:

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
) {
    unsigned i = 0;

    KdPrint(("Benzo Driver Entry\n"));
    // Set unload
    DriverObject->DriverUnload = DriverUnload;

    // Set general pass through
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = DriverPassThru;
    }

    // Set AddDevice
    DriverObject->DriverExtension->AddDevice = DriverAddDevice;
    // Set read
    DriverObject->MajorFunction[IRP_MJ_READ] = DriverRead;
    // Set PnP
    DriverObject->MajorFunction[IRP_MJ_PNP] = DriverDispatchPnP;

    return STATUS_SUCCESS;
}

NTSTATUS DriverPassThru(
    PDEVICE_OBJECT DeviceObject,
    PIRP pIrp
) {
    PDEVICE_EXTENSION pdx = DeviceObject->DeviceExtension;

    // Hand the IRP to the next lower driver unchanged and return its status
    IoSkipCurrentIrpStackLocation(pIrp);
    return IoCallDriver(pdx->LowerDeviceObject, pIrp);
} /* DriverDispatchPnp has, for now, the same implementation */

NTSTATUS DriverAddDevice(
    IN struct _DRIVER_OBJECT *DriverObject,
    IN struct _DEVICE_OBJECT *PhysicalDeviceObject
) {
    PDEVICE_OBJECT DeviceObject;
    NTSTATUS status;
    PDEVICE_EXTENSION deviceExtension;

    status = IoCreateDevice(
        DriverObject,
        sizeof(DEVICE_EXTENSION),
        NO_DEVICE_NAME,
        FILE_DEVICE_KEYBOARD,
        FILE_DEVICE_SECURE_OPEN,
        NON_EXCLUSIVE,
        &DeviceObject);

    if (!NT_SUCCESS(status)) {
        KdPrint(("Failed to create device"));
        return status;
    }

    // Initialize extension
    RtlZeroMemory(DeviceObject->DeviceExtension, sizeof(DEVICE_EXTENSION));
    deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;

    // Set buffer io flag
    DeviceObject->Flags |= DO_BUFFERED_IO;

    // Attach to keyboard driver chain
    deviceExtension->LowerDeviceObject = IoAttachDeviceToDeviceStack(
        DeviceObject,
        PhysicalDeviceObject);

    // The attach can fail and return NULL; do not leave a detached device behind
    if (deviceExtension->LowerDeviceObject == NULL) {
        IoDeleteDevice(DeviceObject);
        return STATUS_NO_SUCH_DEVICE;
    }

    // Set done flag
    DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

    KdPrint(("Successfully attached to keyboard chain"));
    return STATUS_SUCCESS;
}

Any clarifications or references would be highly appreciated !

Update

  • Seems like the read routine is reached if I put the driver after kbdclass in the UpperFilters,
    can someone elaborate on why it only works after the kbdclass ?

The driver successfully attaches to new devices now, but it still won’t attach to KeyboardClass1,
I would love any help on that issue as well.

Thanks !

xxxxx@gmail.com wrote:

> - Seems like the read routine is reached if I put the driver after kbdclass in the UpperFilters,
> can someone elaborate on why it only works after the kbdclass ?

There may be private communication going on between kbdclass and the device.

> The driver successfully attaches to new devices now, but it still won’t attach to KeyboardClass1,
> I would love any help on that issue as well.

Is KeyboardClass1 the Remote Desktop device? Remote Desktop has hooks
pretty deep in the system; it’s not clear to me that those keystrokes
pass through the kernel HID path.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

RDP input didn’t go through PnP-enumerated devices. You don’t see reads because kbdclass queued them. Below kbdclass, you hook the service callback routine and you can then inject and inspect all input.

d

Bent from my phone


From: Tim Roberts
Sent: 3/31/2015 4:58 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Help needed for getting my class-filter driver working

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

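The ordering point from the replies above (a filter listed before kbdclass in the keyboard class UpperFilters value sits below kbdclass and sees no IRP_MJ_READ, while one listed after it sits above and does), as an added example that is not part of the thread: a portable C check that classifies entries of an UpperFilters list, useful when auditing which filters sit in the keyboard stack. The filter names other than kbdclass and the narrow-character sample buffer are constructed assumptions; a real REG_MULTI_SZ value is UTF-16.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Where a filter sits relative to kbdclass in the keyboard device stack. */
enum { POS_BELOW_KBDCLASS, POS_IS_KBDCLASS, POS_ABOVE_KBDCLASS, POS_NO_KBDCLASS };

/* Constructed sample of the keyboard class UpperFilters value. Names other than
 * kbdclass are hypothetical; a real REG_MULTI_SZ is UTF-16, not narrow chars. */
static const char SAMPLE[] = "examplefilter\0kbdclass\0OtherFilter\0";

/* Service names are compared case-insensitively. */
static int name_eq(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Walk NUL-separated entries (an empty entry ends the list) without reading past
 * len. Returns a POS_* value, or -1 if target is absent or an entry is unterminated. */
int classify_filter(const char *multi, size_t len, const char *target) {
    size_t off = 0;
    int seen_kbdclass = 0, result = -1;
    while (off < len && multi[off] != '\0') {
        const char *entry = multi + off;
        const char *end = memchr(entry, '\0', len - off);
        if (end == NULL) return -1;              /* malformed: no terminator */
        if (name_eq(entry, target)) {
            if (name_eq(entry, "kbdclass")) result = POS_IS_KBDCLASS;
            else result = seen_kbdclass ? POS_ABOVE_KBDCLASS : POS_BELOW_KBDCLASS;
        }
        if (name_eq(entry, "kbdclass")) seen_kbdclass = 1;
        off += (size_t)(end - entry) + 1;
    }
    if (result == POS_BELOW_KBDCLASS && !seen_kbdclass) result = POS_NO_KBDCLASS;
    return result;
}

int main(void) {
    static const char *what[] = {
        "below kbdclass: no IRP_MJ_READ here, kbdclass queues the reads",
        "kbdclass itself",
        "above kbdclass: IRP_MJ_READ passes through this filter",
        "kbdclass not listed: position cannot be determined" };
    const char *names[] = { "examplefilter", "kbdclass", "otherfilter", "absent" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int pos = classify_filter(SAMPLE, sizeof SAMPLE, names[i]);
        printf("%-14s %s\n", names[i], pos < 0 ? "not in UpperFilters" : what[pos]);
    }
    return 0;
}
```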