Proper installation of x64 minispy minifilter driver

1

I'm trying to get the minispy minifilter from Microsoft to install and function properly. I started a new empty kernel driver project in VS2013, compiled the driver and test-signed it.

I can use the wdreg.exe utility to successfully install the driver, and I put a DbgPrint test at the beginning of the DriverEntry() function and I can read it using DbgView, so the driver appears to install OK. Also, using wdreg.exe to install the driver creates a service named Wdf01000, and using sc query Wdf01000 I can view it running. Using fltmc.exe to load or view the instances gives odd results.

Microsoft says that to install it I should right click the .inf file and click install, and when I do this Windows tells me "The .inf file you have selected does not support this method of installation". Pasted is a copy of my .inf file generated by VS2013.

Can someone tell me the correct way to install the minispy driver, start the minispy driver and attach it to a filesystem on x64 Win7/Win8? Thanks

[Version]
Signature="$WINDOWS NT$"
Class=Sample ; TODO: edit Class
ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
Provider=%ManufacturerName%
CatalogFile=MiniSpyDev.cat  
DriverVer= ; TODO: set DriverVer in stampinf property pages

[DestinationDirs]
DefaultDestDir = 12

; ================= Class section =====================

[ClassInstall32]
Addreg=SampleClassReg

[SampleClassReg]
HKR,,,0,%ClassName%
HKR,,Icon,,-5

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]
MiniSpyDev.sys  = 1,,

;*****************************************
; Install Section
;*****************************************

[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$

[Standard.NT$ARCH$]
%MiniSpyDev.DeviceDesc%=MiniSpyDev_Device, Root\MiniSpyDev ; TODO: edit hw-id

[MiniSpyDev_Device.NT]
CopyFiles=Drivers_Dir

[Drivers_Dir]
MiniSpyDev.sys

;-------------- Service installation
[MiniSpyDev_Device.NT.Services]
AddService = MiniSpyDev,%SPSVCINST_ASSOCSERVICE%, MiniSpyDev_Service_Inst

; -------------- MiniSpyDev driver install sections
[MiniSpyDev_Service_Inst]
DisplayName    = %MiniSpyDev.SVCDESC%
ServiceType    = 2               ; SERVICE_KERNEL_DRIVER
StartType      = 0               ; 
ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
ServiceBinary  = %12%\MiniSpyDev.sys
LoadOrderGroup = Extended Base

;
;--- MiniSpyDev_Device Coinstaller installation ------
;

[DestinationDirs]
MiniSpyDev_Device_CoInstaller_CopyFiles = 11

[MiniSpyDev_Device.NT.CoInstallers]
AddReg=MiniSpyDev_Device_CoInstaller_AddReg 
CopyFiles=MiniSpyDev_Device_CoInstaller_CopyFiles

[MiniSpyDev_Device_CoInstaller_AddReg]
HKR,,CoInstallers32,0x00010000,     "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"

[MiniSpyDev_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll

[SourceDisksFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames

[MiniSpyDev_Device.NT.Wdf]
KmdfService =  MiniSpyDev, MiniSpyDev_wdfsect
[MiniSpyDev_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$

[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName="" ; TODO: add ManufacturerName
ClassName="Samples" ; TODO: edit ClassName
DiskName = "MiniSpyDev Installation Disk"
MiniSpyDev.DeviceDesc = "MiniSpyDev Device"
MiniSpyDev.SVCDESC = "MiniSpyDev Service"
drivers
asked on Super User Mar 3, 2014 by (unknown user)

2 Answers

0

You need to create a .cat file based on the inf and then sign the .cat. There is a tool called inf2cat that creates the .cat; then just use signtool to sign it. Once done, it should install no problem.

answered on Super User Apr 22, 2014 by ddd
0

So you have your driver running, great. The Minispy FSFD sample is comprised of two parts, though.

But let's backtrack a little. That INF does not contain a DefaultInstall or DefaultInstall.Services section - a prerequisite to using the method you attempted (Right-click + "Install").

You can see what command gets executed by looking at HKCR\inffile\shell\Install\command (%SystemRoot%\System32\InfDefaultInstall.exe "%1" in my case). This effectively uses setupapi.dll (InstallHinfSection) to attempt the installation. The same can be achieved using rundll32.exe according to this article.

Guessing by where the sample comes from (the WDK), I'd probably attempt installing via dpinst.exe which comes inside the redist\DIFx\dpinst folder of the Windows 7 SP1 WDK, for example. But since you already managed to install the driver, this doesn't seem to be the issue. The driver is evidently running.

Anyway, you need to understand that just because you see debug output from DriverEntry() doesn't mean that the filter driver is attached to any volumes. In fact the documentation for Minispy explicitly states that you need a user mode utility (doesn't state anything about a Windows service, though). And when I look at the sample code I would expect to get the mini-FSFD named minispy.sys and a console application named minispy.exe from a build. The latter is supposed to control the former, including control of attaching to volumes (consult InterpretCommand() inside mspyUser.c for details). For example, there are the commands a for attach, d for detach and l for listing devices (volumes).


I don't know why you used wdreg.exe, but the result looks as if it installed some user-mode driver (WDF/WUDF)?! This is a kernel mode driver, though, so it's natural for this not to work.

answered on Super User May 31, 2017 by 0xC0000022L
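
The check described in the answer above (no DefaultInstall or DefaultInstall.Services section), as an added example that is not part of the original posts or of the WDK sample. It goes beyond the answer by also flagging the PnP/KMDF template sections and the missing Instances/Altitude registry values that Filter Manager reads for a minifilter; the function names and the trimmed QUESTION_INF sample are assumptions made for illustration.

```python
import re

# Constructed sample: install-relevant sections of the INF pasted in the question.
QUESTION_INF = r"""
[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$
[Standard.NT$ARCH$]
%MiniSpyDev.DeviceDesc%=MiniSpyDev_Device, Root\MiniSpyDev ; TODO: edit hw-id
[MiniSpyDev_Device.NT.Services]
AddService = MiniSpyDev,%SPSVCINST_ASSOCSERVICE%, MiniSpyDev_Service_Inst
[MiniSpyDev_Service_Inst]
ServiceType    = 2
ServiceBinary  = %12%\MiniSpyDev.sys
[MiniSpyDev_Device.NT.Wdf]
KmdfService =  MiniSpyDev, MiniSpyDev_wdfsect
"""

def parse_inf(text):
    """Map lowercased section name -> list of entries (comments stripped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        # Simplification: treats every ';' as a comment start, even inside quotes.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def check_minifilter_inf(text):
    """Return findings that explain why right-click Install / attach will not work."""
    secs = parse_inf(text)
    entries = " ".join(e.lower() for body in secs.values() for e in body)
    deco = r"(\.nt[\w$]*)?"  # optional platform decoration such as .NTamd64
    findings = []
    if not any(re.fullmatch("defaultinstall" + deco, n) for n in secs):
        findings.append("missing [DefaultInstall]")
    if not any(re.fullmatch("defaultinstall" + deco + r"\.services", n) for n in secs):
        findings.append("missing [DefaultInstall.Services]")
    if "manufacturer" in secs:
        findings.append("[Manufacturer] present: PnP device-style INF")
    if any(n.endswith(".wdf") for n in secs):
        findings.append("KMDF .Wdf section present: KMDF device template")
    if "altitude" not in entries:
        findings.append("no Instances/Altitude values for Filter Manager")
    return findings

if __name__ == "__main__":
    for finding in check_minifilter_inf(QUESTION_INF):
        print("-", finding)
```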

User contributions licensed under CC BY-SA 3.0