Computer Hope

Hardware => Drivers => Topic started by: pranav on January 15, 2009, 02:20:08 AM

Title: Your will have to load a filter driver
Post by: pranav on January 15, 2009, 02:20:08 AM

Tricky, you could try this:

Your will have to load a filter driver on your device and at one of the start IRPs such as IRP_MJ_STARTDEVICE block the IRP and wait for the app to supply the uname pwd. The app would do this via a dedicated device object created by the filter driver.

On a sucessfull entry the filter completes the IPR as success. On fail it completes it as failure and the system will unload the device stack.

It is possible that the OS wil timeout the IRP though, inwhich case you could try another, or wait for the device to start and then block all read/write/URB/IOCTL IRPs untill you get a valid uname-pwd. If you dont you could call an invalidate bus relations and fail the start device thereafter

Title: Re: Your will have to load a filter driver
Post by: BC_Programmer on January 15, 2009, 02:54:58 AM

odd how not only does this have absolutely no context, but it appears three times on codeproject and once on javaproject. a Quick google on the make-believe IRP_MJ_STARTDEVICE (strangely absent from any MS documentation) reveals this.

Quote

and wait for the app to supply the uname pwd

and this "app" where does it get the username/password to supply? If the app already has the username/password, why the gymnastics to create a FILTER DRIVER for the specific purpose of causing a BSOD at system boot because you decided to cause a "THREAD_STUCK_IN_DEVICE_DRIVER" Blue screen?
The "solution" given for what appears to be a keylogger wouldn't work. you cannot block in a driver because- get this: other stuff needs to execute! the driver executes in Ring 0 and no user threads (ring 2( or was it 3?)) execute while the current context is ring 0 without a explicit return from the driver function. blocking purposely in any driver function will just give you the aforementioned BSOD.

Quote

On a sucessfull entry the filter completes the IPR as success. On fail it completes it as failure and the system will unload the device stack.

No. you get a BSOD everytime you boot the PC. I have a feeling the user would feel something is amiss.

Quote

invalidate bus relations

I don't recommend trying to have relations on a bus, invalid or otherwise.