Search code examples
reverse-engineeringserial-communicationfilter-driver

Filter driver vs Direct Serial Communcation

I am reverse engineering a serial communication protocol. After i decode the bits I am supposed to write an interface for it. My choices are split between writing a filter driver to intercept the data coming in and going out or just have a basic serial direct communication. Is there any advantage over using one method as opposed to the other?

Solution

  • Well, there's a big difference:

    • Debugging your filter driver requires a kernel debugger. Options to stop a debug session in flight and edit+build your code are limited and typically requires an operating system reboot. Debugging user mode code is trivial
    • A bug in your filter driver will crash the operating system. A bug in your user mode code only crashes the program
    • Deploying your filter driver normally requires an installer. User mode code is simply linked into the program at build time.

    These are pretty grave disadvantages. About the only advantage of a filter driver that I can think of is that the code is completely invisible to the user mode programmer. This is however also a liability, there's very little this programmer can do to help you with diagnostic information when the filter driver misbehaves.