Wednesday, September 7, 2011

Each device object has certain properties that describe the device and how the device object interacts with the system. The device object properties include:
  • Device type. Specifies the device's type of hardware. For more information about device types, see Specifying Device Types.
  • Device characteristics. Specifies flags that provide additional information about the device. For more information, see Specifying Device Characteristics.
  • Exclusive access. Specifies whether the device object represents an exclusive device. If the device is exclusive, only one handle can be open for the device object at a time. (If the underlying device supports overlapped I/O, multiple threads of the same process can send requests through a single handle.) For more information, see Specifying Exclusive Access to Device Objects.
  • Security descriptor. Device objects have a security descriptor that controls access to the device. For more information, see Securing Device Objects.
For each of these properties, a default value can be set when the device object is created. For more information on creating device objects, see Creating a Device Object.
Values for device object properties can also be set in the registry. See Setting Device Object Properties in the Registry for more information.

Specifying Device Types

Each device object has a device type, which is stored in the DeviceType member of its DEVICE_OBJECT structure. The device type represents the type of underlying hardware for the driver.
Every kernel-mode driver that creates a device object must specify an appropriate device type value when calling IoCreateDevice. The IoCreateDevice routine uses the supplied device type to initialize the DeviceType member of the DEVICE_OBJECT structure.
The system defines the following device type values, listed in alphabetical order:
#define FILE_DEVICE_8042_PORT           0x00000027
#define FILE_DEVICE_ACPI                0x00000032
#define FILE_DEVICE_BATTERY             0x00000029
#define FILE_DEVICE_BEEP                0x00000001
#define FILE_DEVICE_BUS_EXTENDER        0x0000002a
#define FILE_DEVICE_CD_ROM              0x00000002
#define FILE_DEVICE_CD_ROM_FILE_SYSTEM  0x00000003
#define FILE_DEVICE_CHANGER             0x00000030
#define FILE_DEVICE_CONTROLLER          0x00000004
#define FILE_DEVICE_DATALINK            0x00000005
#define FILE_DEVICE_DFS                 0x00000006
#define FILE_DEVICE_DFS_FILE_SYSTEM     0x00000035
#define FILE_DEVICE_DFS_VOLUME          0x00000036
#define FILE_DEVICE_DISK                0x00000007
#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008
#define FILE_DEVICE_DVD                 0x00000033
#define FILE_DEVICE_FILE_SYSTEM         0x00000009
#define FILE_DEVICE_FIPS                0x0000003a
#define FILE_DEVICE_FULLSCREEN_VIDEO    0x00000034
#define FILE_DEVICE_INPORT_PORT         0x0000000a
#define FILE_DEVICE_KEYBOARD            0x0000000b
#define FILE_DEVICE_KS                  0x0000002f
#define FILE_DEVICE_KSEC                0x00000039
#define FILE_DEVICE_MAILSLOT            0x0000000c
#define FILE_DEVICE_MASS_STORAGE        0x0000002d
#define FILE_DEVICE_MIDI_IN             0x0000000d
#define FILE_DEVICE_MIDI_OUT            0x0000000e
#define FILE_DEVICE_MODEM               0x0000002b
#define FILE_DEVICE_MOUSE               0x0000000f
#define FILE_DEVICE_MULTI_UNC_PROVIDER  0x00000010
#define FILE_DEVICE_NAMED_PIPE          0x00000011
#define FILE_DEVICE_NETWORK             0x00000012
#define FILE_DEVICE_NETWORK_BROWSER     0x00000013
#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
#define FILE_DEVICE_NETWORK_REDIRECTOR  0x00000028
#define FILE_DEVICE_NULL                0x00000015
#define FILE_DEVICE_PARALLEL_PORT       0x00000016
#define FILE_DEVICE_PHYSICAL_NETCARD    0x00000017
#define FILE_DEVICE_PRINTER             0x00000018
#define FILE_DEVICE_SCANNER             0x00000019
#define FILE_DEVICE_SCREEN              0x0000001c
#define FILE_DEVICE_SERENUM             0x00000037
#define FILE_DEVICE_SERIAL_MOUSE_PORT   0x0000001a
#define FILE_DEVICE_SERIAL_PORT         0x0000001b
#define FILE_DEVICE_SMARTCARD           0x00000031
#define FILE_DEVICE_SMB                 0x0000002e
#define FILE_DEVICE_SOUND               0x0000001d
#define FILE_DEVICE_STREAMS             0x0000001e
#define FILE_DEVICE_TAPE                0x0000001f
#define FILE_DEVICE_TAPE_FILE_SYSTEM    0x00000020
#define FILE_DEVICE_TERMSRV             0x00000038
#define FILE_DEVICE_TRANSPORT           0x00000021
#define FILE_DEVICE_UNKNOWN             0x00000022
#define FILE_DEVICE_VDM                 0x0000002c
#define FILE_DEVICE_VIDEO               0x00000023
#define FILE_DEVICE_VIRTUAL_DISK        0x00000024
#define FILE_DEVICE_WAVE_IN             0x00000025
#define FILE_DEVICE_WAVE_OUT            0x00000026
These constants are defined in ntddk.h and wdm.h. Check these files to see if additional device types have been defined.
The FILE_DEVICE_DISK specification covers both floppy and fixed-disk devices, as well as disk partitions.
Intermediate drivers usually specify device types that represent the underlying device. For example, the system-supplied fault-tolerant disk driver, ftdisk, creates device objects of type FILE_DEVICE_DISK; it does not define new device types for the mirror sets, stripe sets, and volume sets it manages.
FILE_DEVICE_XXX values in the range of 0 through 32767 are reserved for Microsoft. All driver writers must use these system-defined constants for devices belonging to the system-defined device types.
If a type of hardware does not match any of the defined types, specify a value of either FILE_DEVICE_UNKNOWN, or a value within the range of 32768 through 65535.

Specifying Device Characteristics

Each device object can have one or more device characteristics. Device characteristics are stored as flags in the Characteristics member of the device object's DEVICE_OBJECT structure.
Most drivers specify only the FILE_DEVICE_SECURE_OPEN characteristic. This ensures that the same security settings are applied to any open request into the device's namespace. For more information, see Controlling Device Namespace Access.
The FILE_PNP_AUTOGENERATED_DEVICE_NAME characteristic is only used for PDOs. The FILE_FLOPPY_DISKETTE, FILE_REMOVABLE_MEDIA, and FILE_WRITE_ONCE_MEDIA characteristics are specific to storage devices. For a description of the possible device characteristic flags, see the Characteristics member of DEVICE_OBJECT.
Certain device characteristics, such as FILE_PNP_AUTOGENERATED_DEVICE_NAME, only apply to individual device objects. Drivers can specify a setting for the device characteristics for individual device objects when they create the device object by calling IoCreateDevice or IoCreateDeviceSecure.
The following characteristics apply to the entire device stack:
FILE_DEVICE_SECURE_OPEN
FILE_FLOPPY_DISKETTE
FILE_READ_ONLY_DEVICE
FILE_REMOVABLE_MEDIA
FILE_WRITE_ONCE_MEDIA
Drivers can set device characteristics that apply to the entire device stack by calling IoCreateDevice or IoCreateDeviceSecure. Alternatively, device characteristics that apply to the entire device stack can be set in the registry, for either the device or for the device's setup class. (For more information, see Setting Device Object Properties in the Registry.)
The PnP Manager determines the registry setting for device characteristics as follows.
  • If a value is specified for the individual device, the PnP Manager uses that value.
  • Otherwise, if a value is specified for the device setup class, the PnP Manager uses that value.
  • Otherwise, the PnP Manager uses a value of zero as the registry setting.
If a device characteristic that applies to the entire device stack is set in the registry, or if it is set for any FDO or filter DO in the stack, then the PnP Manager sets it for every device object in the stack. (If the device is raw-mode capable, and thus does not have an FDO, then the PnP Manager uses the PDO instead.)
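As an added example (not WDK code, and not from the original post), the following user-mode C models two rules stated above: the device-type ranges from Specifying Device Types, and the PnP Manager's registry precedence and stack-wide propagation of device characteristics. The flag values are the ones wdm.h defines; the assumption that the listed system types run contiguously from 0x01 to 0x3a, and the devobj/do_kind names, are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Characteristic flag values as defined in wdm.h. */
#define FILE_REMOVABLE_MEDIA    0x00000001
#define FILE_READ_ONLY_DEVICE   0x00000002
#define FILE_FLOPPY_DISKETTE    0x00000004
#define FILE_WRITE_ONCE_MEDIA   0x00000008
#define FILE_DEVICE_SECURE_OPEN 0x00000100
/* The five characteristics listed above as applying to the entire device stack. */
#define STACK_WIDE_MASK (FILE_DEVICE_SECURE_OPEN | FILE_FLOPPY_DISKETTE | \
                         FILE_READ_ONLY_DEVICE | FILE_REMOVABLE_MEDIA | FILE_WRITE_ONCE_MEDIA)
typedef enum { DEVTYPE_SYSTEM, DEVTYPE_RESERVED_UNDEFINED, DEVTYPE_CUSTOM, DEVTYPE_OUT_OF_RANGE } devtype_class;

/* Device-type rule: 0..32767 is reserved for Microsoft, so only a listed constant may be used
 * there; 32768..65535 is for vendor-defined types. Assumption: listed constants run 0x01..0x3a. */
devtype_class classify_device_type(uint32_t t) {
    if (t >= 0x01 && t <= 0x3a) return DEVTYPE_SYSTEM;
    if (t <= 0x7fff) return DEVTYPE_RESERVED_UNDEFINED;  /* reserved, not defined: do not use */
    if (t <= 0xffff) return DEVTYPE_CUSTOM;
    return DEVTYPE_OUT_OF_RANGE;  /* DeviceType is 32-bit, but nothing above 65535 is sanctioned */
}
/* PnP Manager precedence for the registry setting: device value, else setup-class value, else 0. */
uint32_t registry_characteristics(bool have_dev, uint32_t dev, bool have_cls, uint32_t cls) {
    return have_dev ? dev : (have_cls ? cls : 0);
}
typedef enum { DO_PDO, DO_FDO, DO_FILTER } do_kind;
typedef struct { do_kind kind; uint32_t characteristics; } devobj;

/* A stack-wide flag set in the registry or on any FDO/filter DO is set on every DO in the
 * stack. With no FDO (raw-mode device) the PDO's own flags are the source instead. */
uint32_t propagate_stack_characteristics(uint32_t registry, devobj *stack, size_t n) {
    bool has_fdo = false;
    for (size_t i = 0; i < n; i++) if (stack[i].kind == DO_FDO) has_fdo = true;
    uint32_t acc = registry & STACK_WIDE_MASK;
    for (size_t i = 0; i < n; i++)
        if (stack[i].kind != DO_PDO || !has_fdo) acc |= stack[i].characteristics & STACK_WIDE_MASK;
    for (size_t i = 0; i < n; i++) stack[i].characteristics |= acc;
    return acc;
}

/* Constructed sample stack: the registry gives FILE_REMOVABLE_MEDIA for the device, the FDO
 * sets FILE_DEVICE_SECURE_OPEN. Returns the characteristics the PDO ends up with. */
uint32_t demo_wdm_stack(void) {
    devobj stack[3] = { {DO_PDO, 0}, {DO_FDO, FILE_DEVICE_SECURE_OPEN}, {DO_FILTER, 0} };
    uint32_t reg = registry_characteristics(true, FILE_REMOVABLE_MEDIA, true, FILE_READ_ONLY_DEVICE);
    propagate_stack_characteristics(reg, stack, 3);
    return stack[0].characteristics;
}
```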

Specifying Exclusive Access to Device Objects

If exclusive access to a device is enabled, only one handle to the device can be open at a time. For the I/O Manager to enforce exclusive access to the device, the exclusive property must be set for the named device object in the device stack.
For a WDM device stack that has both a PDO and an FDO, this means that the exclusive property can only be set by the INF file, using an INF AddReg directive. The PDO is the named object in the stack, but it is created by the bus driver on behalf of the function driver, not by the function driver itself. The only way to direct the bus driver to set the exclusive flag for the PDO is through the class or device INF files. (The call to IoCreateDevice creates the FDO; setting the exclusive flag for the FDO has no effect.)
Drivers whose device objects are not stacked, such as non-WDM drivers and devices that operate in raw mode, can use IoCreateDeviceSecure to set the exclusive property for their named device object.
The I/O Manager enforces exclusivity on a per-name basis. If two objects in the device stack are named (which is not recommended), the I/O Manager allows a single handle to be opened for each named object. In such a case, drivers must enforce exclusivity themselves within their DispatchCreate routines.
Also note that the I/O Manager only enforces exclusivity for opens against the device object itself, not for any requests to open files within the device object's namespace. For example, suppose the device object has the name "\Device\DeviceName". The I/O Manager does not enforce exclusivity for a request to open "\Device\DeviceName\FileName". For more information about file open requests in the device's namespace, see Controlling Device Namespace Access.

Securing Device Objects

This section documents how to secure a driver's device objects from unauthorized access. It contains the following sections:
There are two aspects of a device object that must be secured:
