Monitor disk reads and writes as low in the stack as possible

Hello,

I’m trying to experiment with monitoring disk reads and writes for a project of mine. My goal is to be as low as possible when I do this. My question is how low can I be?

When you read a file it usually goes like this (I skipped a few steps):

Application
|
ReadFile (Win32 API)
|
ReadFile (Kernel32.dll)
|
File System Driver
|
Volume Manager Disk Driver
|
Disk Driver (disk.sys)
|
Disk Port Driver
|
Disk Miniport Driver
|
HDD

My question is if there is a mechanism to install myself below Disk.sys in order to monitor and modify disk reads and writes.

This is a beginner’s question, but I’ve developed only file system filters and minifilters so far, and I wanted to get someone’s opinion on whether this can be done or not.
I know rootkits do it by hooking the port driver, but I was wondering if there is a more “elegant” way to do this.

There are two ways to do it:

  1. Write a filter driver.
  2. Ask for all disk interfaces using IoGetDeviceInterfaces(GUID_DEVINTERFACE_DISK, …), then call IoGetDeviceObjectPointer for each interface and get the lowest object using IoGetDeviceAttachmentBaseRef. Then hook the IRP_MJ_SCSI routine.

The latter method returns all storage devices, so you will probably need to do some filtering. Also, it is not a “production” method, but it is suitable for home experiments.

Thanks for the quick response.
The method with the filter driver … do you mean a disk filter driver, or can I install a filter lower than that?
Also, will any of these methods be able to “filter” raw disk writes, for example ones issued using IoBuildSynchronousFsdRequest?

> My question is if there is a mechanism to install myself below Disk.sys in order to monitor and modify disk reads and writes.
For educational purposes, designing a lower disk class filter would be fine. For production you need to consider the fact that some storage products could have and use their own disk class driver, not disk.sys.

Igor Sharovar

> The method with the filter driver … do you mean a disk filter driver, or can I install a filter lower than that?
I would design a lower disk class filter, but not a StorPort/SCSI port filter.
There are still storage devices which use the legacy storage port model. It means they are connected, in your picture, directly to disk.sys.

Igor Sharovar

Can I figure out what model a particular storage device uses, and use a separate filter for the legacy storage port model?

The architected solution for what you want is a lower disk filter.
Specifically, what you probably want is a lower disk class filter. This will
instantiate your filter below the disk FDO and above the disk PDO. This will
result in your filter being instantiated for any PnP enumerated disk in the
system, regardless of the underlying bus driver.

Because you are a lower disk filter, your filter will process IRP_MJ_SCSI
requests created by the disk class driver (source code for which is provided
in the WDK).

You can find an example of a WDM *upper* disk class filter in the WDK under
\src\storage\filters\diskperf. Note that because this is an upper filter it
is instantiated *above* the disk FDO and processes IRP_MJ_READ/IRP_MJ_WRITE
requests. In order to change this to a lower disk filter, you would need to
modify the supplied INF and fill in the IRP_MJ_SCSI entry point.

Good luck!

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

wrote in message news:xxxxx@ntdev…

Can I figure out what model a particular storage device use, and use a
separate filter for legacy storage port model?
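Added example (mine, not from any poster on this thread, and plain user-mode C rather than a driver so it compiles and runs anywhere): the CDB decoding a lower disk class filter has to do on every IRP_MJ_SCSI it sees before it can tell a read from a write or know which blocks are being touched. In a WDM lower filter the CDB comes from the SRB the class driver built, `IoGetCurrentIrpStackLocation(Irp)->Parameters.Scsi.Srb`, via its `Cdb` and `CdbLength` fields; on Windows 8 and later the class driver may instead send an extended STORAGE_REQUEST_BLOCK, so check `Srb->Function` for SRB_FUNCTION_STORAGE_REQUEST_BLOCK and use the SrbGetCdb()/SrbGetCdbLength() helpers from srbhelper.h rather than reading the legacy fields directly. Because the filter sits below the class driver, it sees the SRBs built from every IRP_MJ_READ/IRP_MJ_WRITE that reached disk.sys, however that IRP was constructed. The opcode values below are the standard SBC ones (the same values as the WDK's SCSIOP_* macros); the "fail writes to the first 2048 blocks" policy, the function names and the sample CDBs are constructed for illustration and are not from the thread or the WDK.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SBC data-transfer opcodes; same values as the WDK's SCSIOP_* macros. Anything else is passed down undecoded. */
enum {
    SCSIOP_READ6  = 0x08, SCSIOP_WRITE6  = 0x0A,
    SCSIOP_READ10 = 0x28, SCSIOP_WRITE10 = 0x2A,
    SCSIOP_READ16 = 0x88, SCSIOP_WRITE16 = 0x8A,
    SCSIOP_READ12 = 0xA8, SCSIOP_WRITE12 = 0xAA
};

typedef enum { IO_NONE = 0, IO_READ, IO_WRITE } io_kind;
typedef enum { ACTION_PASS_DOWN = 0, ACTION_BLOCK } filter_action;
typedef struct { io_kind kind; uint64_t lba; uint32_t blocks; } disk_io;  /* lba = first block, blocks = length */

static uint64_t be_load(const uint8_t *p, size_t n)  /* big-endian field, n <= 8 */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Decode LBA/length from a READ/WRITE CDB. cdb_len is Srb->CdbLength in a real filter;
 * a CDB shorter than its opcode requires is rejected rather than over-read. */
bool decode_cdb(const uint8_t *cdb, size_t cdb_len, disk_io *out)
{
    if (cdb == NULL || cdb_len == 0) return false;
    disk_io io;
    io.kind = (cdb[0] & 0x02) ? IO_WRITE : IO_READ;  /* bit 1 is set in WRITE(n), clear in READ(n) */
    switch (cdb[0]) {
    case SCSIOP_READ6: case SCSIOP_WRITE6:
        if (cdb_len < 6) return false;
        io.lba = ((uint64_t)(cdb[1] & 0x1F) << 16) | be_load(cdb + 2, 2);  /* 21-bit LBA */
        io.blocks = cdb[4] ? cdb[4] : 256;  /* SBC: a transfer length of 0 means 256 blocks */
        break;
    case SCSIOP_READ10: case SCSIOP_WRITE10:
        if (cdb_len < 10) return false;
        io.lba = be_load(cdb + 2, 4);
        io.blocks = (uint32_t)be_load(cdb + 7, 2);
        break;
    case SCSIOP_READ12: case SCSIOP_WRITE12:
        if (cdb_len < 12) return false;
        io.lba = be_load(cdb + 2, 4);
        io.blocks = (uint32_t)be_load(cdb + 6, 4);
        break;
    case SCSIOP_READ16: case SCSIOP_WRITE16:
        if (cdb_len < 16) return false;
        io.lba = be_load(cdb + 2, 8);
        io.blocks = (uint32_t)be_load(cdb + 10, 4);
        break;
    default:
        return false;  /* not a data-transfer command (INQUIRY, TEST UNIT READY, ...) */
    }
    *out = io;
    return true;
}

/* True if [io->lba, io->lba + io->blocks) intersects [start, start + len). */
bool overlaps_range(const disk_io *io, uint64_t start, uint64_t len)
{
    if (io->blocks == 0 || len == 0) return false;  /* zero-length transfer touches nothing */
    uint64_t io_end = io->lba + io->blocks, end = start + len;
    if (io_end < io->lba) io_end = UINT64_MAX;      /* clamp instead of wrapping around */
    if (end < start) end = UINT64_MAX;
    return io->lba < end && start < io_end;
}

/* Hypothetical policy for the filter's IRP_MJ_SCSI dispatch: fail writes that touch a protected
 * LBA range, pass everything else (reads and non-data commands) to the next lower device. */
filter_action filter_cdb(const uint8_t *cdb, size_t cdb_len,
                         uint64_t prot_start, uint64_t prot_len, disk_io *io)
{
    if (!decode_cdb(cdb, cdb_len, io)) return ACTION_PASS_DOWN;
    return (io->kind == IO_WRITE && overlaps_range(io, prot_start, prot_len))
           ? ACTION_BLOCK : ACTION_PASS_DOWN;
}

/* Constructed sample CDBs (not captured traffic); protected range = first 2048 blocks. */
static const uint8_t CDB_WRITE16_LBA0[16] = { 0x8A, 0, 0,0,0,0,0,0,0,0, 0,0,0,1, 0,0 };
static const uint8_t CDB_WRITE10_2040[10] = { 0x2A, 0, 0x00,0x00,0x07,0xF8, 0, 0x00,0x10, 0 };
static const uint8_t CDB_READ10_LBA0[10]  = { 0x28, 0, 0,0,0,0, 0, 0x00,0x08, 0 };
static const uint8_t CDB_READ6_HIGH[6]    = { 0x08, 0x01, 0x00, 0x10, 0x00, 0x00 };
static const uint8_t CDB_INQUIRY[6]       = { 0x12, 0, 0, 0, 36, 0 };

int main(void)
{
    const uint8_t *cdbs[] = { CDB_WRITE16_LBA0, CDB_WRITE10_2040, CDB_READ10_LBA0, CDB_READ6_HIGH, CDB_INQUIRY };
    const size_t lens[] = { 16, 10, 10, 6, 6 };
    for (size_t i = 0; i < 5; i++) {
        disk_io io = { IO_NONE, 0, 0 };
        filter_action a = filter_cdb(cdbs[i], lens[i], 0, 2048, &io);
        printf("opcode 0x%02X -> %s (lba=%llu blocks=%u)\n", cdbs[i][0],
               a == ACTION_BLOCK ? "BLOCK" : "pass down", (unsigned long long)io.lba, (unsigned)io.blocks);
    }
    return 0;
}
```

In the real dispatch routine, ACTION_PASS_DOWN maps to IoSkipCurrentIrpStackLocation plus IoCallDriver to the device object your AddDevice attached to, and ACTION_BLOCK to setting Srb->SrbStatus to an error status (SRB_STATUS_ERROR), Irp->IoStatus.Status to STATUS_ACCESS_DENIED and completing the IRP yourself. Never fail the commands the decoder does not recognise: INQUIRY, READ CAPACITY and friends are what the class driver uses to bring the disk up, and failing them leaves you with no disk to filter.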

Thank you. I now have a starting point.