Re: Re:Debugging in the device-kernel



Hi mate

It is obvious that you have never dealt with this particular problem.
Furthermore, I am afraid you have quite
limited knowledge of the whole USB storage architecture, in the first place.


Look at the following statement:

"If you intercept the PnP sequence and modify the
information so that it does not mount with the USB disk class driver, you
can then change it so that it will mount with disk.sys"

What is "USB disk class driver"???? Do you mean USBSTOR.SYS??? You must know
that both hard drives and USB storage devices are managed by DISK.SYS - when
DISK.SYS creates DEVICE_OBJECT for USB storage device, it does so with
ClassCreateDeviceObject(), and passes a DEVICE_OBJECT that has been created
by USBSTOR.SYS as LowerDriver parameter. Concerning mounting, this is done
by MountManager, and it gets done AFTER (!!!) DISK.SYS has already created
its DEVICE_OBJECTs.

In order to solve the problem, you have to capture
IOCTL_STORAGE_QUERY_PROPERTY request to USBSTOR.SYS, which is made well
before DISK.SYS proceeds to creating its DEVICE_OBJECTs. The root of the
problem lies with the fact that USBSTOR.SYS gets loaded and unloaded
dynamically - you cannot do anything before plugging in the device (because
USBSTOR.SYS is not yet loaded),and after IOCTL_STORAGE_QUERY_PROPERTY
request has been handled,it is already too late to do anything

Therefore, in on order to be able to do anything, you have to capture the
moment when USBSTOR.SYS is about to create its DEVICE_OBJECT, so that you
have to hook IoCreateDevice(). In order to realize that it is USBSTOR.SYS
who creates its DEVICE_OBJECT, your hooking code has to call
ObOpenObjectByPointer() and ZwQueryObject() (both are undocumented). At this
point you are already able to hook
USBSTOR.SYS, so that you can capture all requests that it receives


As you can see, the solution to the problem is different from the one you
suggest

Regards

Anton Bassov
.