USBHound development and debugging notes: filtering and printing the data
2022-07-28
Last week I said I would build USBHOUND, a USB capture tool like BUSHOUND, dedicated to capturing USB data.
So I got to it and started writing code. A minimal project looks like this:
The driver is installed into the system through the registry.
At first, like BUSHOUND, I made it an upper filter driver:
HKLM, System\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}, UpperFilters, 0x00010008, USBHound ; usb
But for some reason it never entered IRP_MJ_INTERNAL_DEVICE_CONTROL. So I decided to make it a lower filter driver for now and debug from there:
HKLM, System\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}, LowerFilters, 0x00010008, USBHound ; usb
Then in the corresponding dispatch routine I wrote the following:
if (commonData->Type == DEVICE_TYPE_FIDO)
{
    /* Only URB submissions are of interest; everything else is passed down untouched. */
    if (irpStack->MajorFunction == IRP_MJ_INTERNAL_DEVICE_CONTROL
        && irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_INTERNAL_USB_SUBMIT_URB)
    {
        /* For IOCTL_INTERNAL_USB_SUBMIT_URB the URB pointer travels in Argument1. */
        PURB urb = (PURB)irpStack->Parameters.Others.Argument1;
        if (urb != NULL)
        {
            return UsbUrbFilter(DeviceObject, Irp);
        }
    }
    return FilterPassNextDevice(DeviceObject, Irp);
}
In UsbUrbFilter a completion routine is set on the IRP, and in that completion routine the different USB requests are parsed according to the URB's Urb->UrbHeader.Function.
Since I only wanted to look at some data, I hastily wrote a bit of code to debug with:
/* Body of the completion routine in UsbUrbFilter: the lower driver has finished
   the URB, so for IN transfers the transfer buffers now hold the device's data. */
switch (Urb->UrbHeader.Function)
{
    case URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE:
    case URB_FUNCTION_GET_DESCRIPTOR_FROM_INTERFACE:
    {
        UrbFunctionGetDescriptor(DeviceObject, Urb);
        break;
    }
    case URB_FUNCTION_CLASS_INTERFACE:
    {
        UrbFunctionClassInterface(DeviceObject, Urb);
        break;
    }
    case URB_FUNCTION_SELECT_INTERFACE:
    {
        UrbFunctionSelectInterface(DeviceObject, Urb);
        break;
    }
    case URB_FUNCTION_CONTROL_TRANSFER:
    {
        UrbFunctionControlTransfer(DeviceObject, Urb);
        break;
    }
    case URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
    {
        UrbFunctionBulkOrInterruptTransfer(DeviceObject, Urb);
        break;
    }
    case URB_FUNCTION_ISOCH_TRANSFER:
    {
        UrbFunctionISOTransfer(DeviceObject, Urb);
        break;
    }
    default:
    {
        /* Everything else is passed through without being logged for now. */
        break;
    }
}
What I had not expected was that URB_FUNCTION_GET_DESCRIPTOR_FROM_INTERFACE and URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE were never called at all, which is different from the USB virtual devices I usually work on: all of these requests ended up in URB_FUNCTION_CONTROL_TRANSFER instead.
Dumping the data of the URB_FUNCTION_CONTROL_TRANSFER requests confirmed that the descriptor requests are indeed there.
NTSTATUS UrbFunctionControlTransfer(PDEVICE_OBJECT DeviceObject, PURB Urb)
{
    PFILTER_DEVICE_EXTENSION DeviceExtension = (PFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    /* GetTransferBuffer/GetTransferLength are the driver's own helper macros (not WDK)
       over Urb->UrbControlTransfer.TransferBuffer and TransferBufferLength. */
    PUCHAR buffer = GetTransferBuffer(Urb->UrbControlTransfer);
    ULONG nLength = GetTransferLength(Urb->UrbControlTransfer);
    /* KdPrint compiles to nothing in a free build; these keep the compiler
       from flagging the locals as unused there. */
    UNREFERENCED_PARAMETER(DeviceExtension);
    UNREFERENCED_PARAMETER(buffer);
    UNREFERENCED_PARAMETER(nLength);
    KdPrint(("DeviceObject:%p\n", DeviceObject));
    KdPrint(("DeviceExtension:%p\n", DeviceExtension));
    KdPrint(("UrbFunctionControlTransfer:\n"));
    /* TransferBuffer can be NULL when the request was built with TransferBufferMDL only,
       so guard before dumping it. */
    if (buffer != NULL && nLength != 0)
    {
        DumpHex(buffer, nLength);
    }
    return STATUS_SUCCESS;
}
The windbg output is as follows:
Urb=FFFFC30B384132E0,urb2=FFFFC30B384132E0
Urb->UrbHeader.Function=8
DeviceObject:FFFFC30B335D8BA0
DeviceExtension:FFFFC30B335D8CF0
UrbFunctionControlTransfer:
12 01 00 02 00 00 00 08 EF 17 8D 60 00 01 01 02
00 01
Breakpoint 0 hit
USBHound!UrbFunctionControlTransfer+0xc3:
fffff800`913b16a3 33c0 xor eax,eax
0: kd> g
Urb=FFFFC30B384132E0,urb2=FFFFC30B384132E0
Urb->UrbHeader.Function=8
DeviceObject:FFFFC30B335D8BA0
DeviceExtension:FFFFC30B335D8CF0
UrbFunctionControlTransfer:
09 02 22 00 01 01 00 A0 32
Urb=FFFFC30B384132E0,urb2=FFFFC30B384132E0
Urb->UrbHeader.Function=8
DeviceObject:FFFFC30B335D8BA0
DeviceExtension:FFFFC30B335D8CF0
UrbFunctionControlTransfer:
09 02 22 00 01 01 00 A0 32 09 04 00 00 01 03 01
02 00 09 21 11 01 00 01 22 2E 00 07 05 81 03 04
00 0A
Urb=FFFFC30B352621D0,urb2=FFFFC30B352621D0
Urb->UrbHeader.Function=32
Urb=FFFFC30B384132E0,urb2=FFFFC30B384132E0
Urb->UrbHeader.Function=8
DeviceObject:FFFFC30B335D8BA0
DeviceExtension:FFFFC30B335D8CF0
UrbFunctionControlTransfer:
Urb=FFFFC30B384132E0,urb2=FFFFC30B384132E0
Urb->UrbHeader.Function=8
DeviceObject:FFFFC30B335D8BA0
DeviceExtension:FFFFC30B335D8CF0
UrbFunctionControlTransfer:
05 01 09 02 A1 01 09 01 A1 00 05 09 19 01 29 03
15 00 25 01 95 08 75 01 81 02 05 01 09 30 09 31
09 38 15 81 25 7F 75 08 95 03 81 06 C0 C0
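To check what those Function=8 (URB_FUNCTION_CONTROL_TRANSFER) dumps actually carry, here is an added example that is not part of the USBHound code: a user-mode C program that copies the bytes from the windbg output above into two arrays and walks them as standard USB descriptors. The descriptor layouts and type codes come from the USB 2.0 specification (chapter 9) and the HID class descriptor from HID 1.11; the struct and function names are my own. It treats the 9-byte configuration dump the way enumeration does, as a header-only fetch whose wTotalLength announces how many bytes the following full request will return, and it rejects a bLength that runs past the buffer, since every byte here was supplied by the device.

```c
/* Added example (not from the USBHound source): decode the bytes returned by
 * the captured control transfers as standard USB descriptors. Plain C, no WDK. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes copied from the windbg dumps above: the 18-byte device descriptor and
 * the full 34-byte configuration descriptor set. */
static const uint8_t kDeviceDesc[18] = {
    0x12,0x01,0x00,0x02,0x00,0x00,0x00,0x08,0xEF,0x17,0x8D,0x60,0x00,0x01,0x01,0x02,0x00,0x01 };
static const uint8_t kConfigSet[34] = {
    0x09,0x02,0x22,0x00,0x01,0x01,0x00,0xA0,0x32,   /* CONFIGURATION */
    0x09,0x04,0x00,0x00,0x01,0x03,0x01,0x02,0x00,   /* INTERFACE     */
    0x09,0x21,0x11,0x01,0x00,0x01,0x22,0x2E,0x00,   /* HID           */
    0x07,0x05,0x81,0x03,0x04,0x00,0x0A };           /* ENDPOINT      */

/* bDescriptorType values (USB 2.0 table 9-5, HID 1.11 section 7.1) */
enum { DT_DEVICE = 1, DT_CONFIGURATION = 2, DT_INTERFACE = 4, DT_ENDPOINT = 5, DT_HID = 0x21 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

typedef struct {
    uint16_t bcdUSB, idVendor, idProduct, bcdDevice;
    uint8_t  bDeviceClass, bMaxPacketSize0, bNumConfigurations;
} DeviceInfo;

typedef struct {
    uint16_t wTotalLength;
    int      truncated;            /* buffer shorter than wTotalLength (header-only fetch) */
    int      nDescriptors;         /* descriptors actually walked */
    uint8_t  bNumInterfaces, bmAttributes, bMaxPower;   /* bMaxPower is in 2 mA units */
    uint8_t  bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol;
    uint16_t wHidReportDescLength; /* from the HID class descriptor */
    uint8_t  bEndpointAddress, bmEpAttributes, bInterval;
    uint16_t wMaxPacketSize;
} ConfigInfo;

/* Returns 0 on success, -1 if the buffer is not a complete device descriptor. */
int parse_device_descriptor(const uint8_t *buf, size_t len, DeviceInfo *out)
{
    if (len < 18 || buf[0] < 18 || buf[1] != DT_DEVICE) return -1;
    out->bcdUSB = le16(buf + 2);     out->bDeviceClass = buf[4];
    out->bMaxPacketSize0 = buf[7];   out->idVendor = le16(buf + 8);
    out->idProduct = le16(buf + 10); out->bcdDevice = le16(buf + 12);
    out->bNumConfigurations = buf[17];
    return 0;
}

/* Walks a configuration descriptor set. Every descriptor begins with bLength,
 * bDescriptorType, so the walker hops by bLength. A bLength that runs past the
 * available bytes is malformed (-1) rather than trusted: this is device data.
 * Returns the number of descriptors walked. */
int parse_configuration_set(const uint8_t *buf, size_t len, ConfigInfo *out)
{
    size_t off = 0, avail;
    memset(out, 0, sizeof *out);
    if (len < 9 || buf[0] < 9 || buf[1] != DT_CONFIGURATION) return -1;
    out->wTotalLength = le16(buf + 2);
    out->truncated = out->wTotalLength > len;
    avail = out->truncated ? len : out->wTotalLength;
    while (off + 2 <= avail) {
        const uint8_t *d = buf + off;
        uint8_t bLength = d[0], bType = d[1];
        if (bLength < 2 || off + bLength > avail) return -1;
        switch (bType) {
        case DT_CONFIGURATION:
            out->bNumInterfaces = d[4]; out->bmAttributes = d[7]; out->bMaxPower = d[8]; break;
        case DT_INTERFACE:
            out->bInterfaceClass = d[5]; out->bInterfaceSubClass = d[6]; out->bInterfaceProtocol = d[7]; break;
        case DT_HID:   /* wDescriptorLength of the first class descriptor (the report descriptor) */
            if (bLength >= 9) out->wHidReportDescLength = le16(d + 7);
            break;
        case DT_ENDPOINT:
            out->bEndpointAddress = d[2]; out->bmEpAttributes = d[3];
            out->wMaxPacketSize = le16(d + 4); out->bInterval = d[6]; break;
        default: break;   /* unknown or class-specific descriptors are skipped by length */
        }
        out->nDescriptors++;
        off += bLength;
    }
    return out->nDescriptors;
}

int main(void)
{
    DeviceInfo dev; ConfigInfo cfg;
    if (parse_device_descriptor(kDeviceDesc, sizeof kDeviceDesc, &dev) == 0)
        printf("device: USB %04x VID %04x PID %04x ep0 max %d\n",
               dev.bcdUSB, dev.idVendor, dev.idProduct, dev.bMaxPacketSize0);
    if (parse_configuration_set(kConfigSet, sizeof kConfigSet, &cfg) > 0)
        printf("config: %d descriptors, interface class %d/%d/%d, report desc %d bytes, EP 0x%02x type %d max %d\n",
               cfg.nDescriptors, cfg.bInterfaceClass, cfg.bInterfaceSubClass, cfg.bInterfaceProtocol,
               cfg.wHidReportDescLength, cfg.bEndpointAddress, cfg.bmEpAttributes & 3, cfg.wMaxPacketSize);
    return 0;
}
```

Run it and the first dump decodes as a USB 2.00 device descriptor with idVendor 0x17EF and idProduct 0x608D, and the 34-byte dump as configuration, interface (class 3/1/2: HID, boot, mouse), HID class descriptor announcing a 46-byte report descriptor, and interrupt IN endpoint 0x81 with a 4-byte max packet. That is the same information a GET_DESCRIPTOR handler would have seen; it simply arrived wrapped in a control transfer, which is why only the CONTROL_TRANSFER case fired.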
Of course, the mouse and keyboard messages on the PC can also be printed through UrbFunctionBulkOrInterruptTransfer. It seems, though, that the devices currently seen are all hubs.
The device stack is as follows:
2: kd> !devstack DeviceObject:FFFFC30B335D8BA0
!DevObj !DrvObj !DevExt ObjectName
ffffc30b323f3290 \Driver\USBHUB3 ffffc30b322e9310
> ffffc30b335d8ba0 \Driver\USBHound ffffc30b335d8cf0
ffffc30b322e6040 \Driver\ACPI ffffc30ae4296bd0
ffffc30b316f0650 \Driver\USBXHCI ffffc30b31739a90 USBPDO-0
!DevNode ffffc30b335cb920 :
DeviceInst is "USB\ROOT_HUB30\4&31789dfb&0&0"
ServiceName is "USBHUB3"
Mouse input reports:
Urb=FFFFC30B34D4A8D0,urb2=FFFFC30B34D4A8D0
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 FD 00
Urb=FFFFC30B34D3F8D0,urb2=FFFFC30B34D3F8D0
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 F2 00
Urb=FFFFC30B34D4A8D0,urb2=FFFFC30B34D4A8D0
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 FD EF 00
Urb=FFFFC30B34D3F8D0,urb2=FFFFC30B34D3F8D0
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 FE F8 00
Keyboard input data:
Urb=FFFFC30B35247690,urb2=FFFFC30B35247690
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 04 00 00 00 00 00
Urb=FFFFC30B35247690,urb2=FFFFC30B35247690
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 04 00 00 00 00 00
Urb=FFFFC30B35744780,urb2=FFFFC30B35744780
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 00 00 00 00 00 00
Urb=FFFFC30B35744780,urb2=FFFFC30B35744780
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 00 00 00 00 00 00
Urb=FFFFC30B34DAA0E0,urb2=FFFFC30B34DAA0E0
Urb->UrbHeader.Function=9
UrbFunctionBulkOrInterruptTransfer:
00 00 05 00 00 00 00 00
As you can see, these are all the standard HID input report formats for a mouse and a keyboard. As for why the captured information differs from my understanding, I am not yet sure and will have to study it further.
Finally, a screenshot of our driver:
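As an added example, not from the USBHound source, here is a user-mode C program that parses the 46-byte report descriptor captured above (the last Function=8 dump) and uses the resulting field layout to decode the mouse reports from the Function=9 dumps; the keyboard report is decoded with the boot-protocol keyboard format from HID 1.11 appendix B, since the page does not show that device's report descriptor. The item encoding follows HID 1.11 section 6.2.2; the data structures, function names and the long-item and bounds checks are my own, and the captured bytes are copied verbatim from the dumps.

```c
/* Added example (not from the USBHound source): parse the captured HID report
 * descriptor and use the resulting layout to decode the captured input reports. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* 46-byte report descriptor copied from the last Function=8 dump above. */
static const uint8_t kMouseReportDesc[46] = {
    0x05,0x01,0x09,0x02,0xA1,0x01,0x09,0x01,0xA1,0x00,0x05,0x09,0x19,0x01,0x29,0x03,
    0x15,0x00,0x25,0x01,0x95,0x08,0x75,0x01,0x81,0x02,0x05,0x01,0x09,0x30,0x09,0x31,
    0x09,0x38,0x15,0x81,0x25,0x7F,0x75,0x08,0x95,0x03,0x81,0x06,0xC0,0xC0 };
/* Input reports copied from the Function=9 dumps above (mouse, mouse, keyboard). */
static const uint8_t kMouseRep1[4] = { 0x00,0x00,0xFD,0x00 };
static const uint8_t kMouseRep2[4] = { 0x00,0xFD,0xEF,0x00 };
static const uint8_t kKbdRep1[8]   = { 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00 };
#define MAX_FIELDS 8
#define MAX_USAGES 8
/* One Input main item; relative = bit 2 of the Input item flags. */
typedef struct { uint16_t usagePage, usages[MAX_USAGES]; int nUsages, reportSize, reportCount, relative;
                 int32_t logicalMin, logicalMax; } HidField;
typedef struct { HidField fields[MAX_FIELDS]; int nFields, reportBits; } HidLayout;

/* Decodes short items (HID 1.11 section 6.2.2; prefix byte = bTag:4 bType:2 bSize:2). Only
 * Input main items create fields; every main item clears the local items.
 * Returns the number of Input fields, or -1 on a malformed descriptor. */
int hid_parse_report_descriptor(const uint8_t *desc, size_t len, HidLayout *out)
{
    uint16_t usagePage = 0, usages[MAX_USAGES], usageMin = 0, usageMax = 0;
    int32_t logMin = 0, logMax = 0;
    int rsize = 0, rcount = 0, nUsages = 0, haveRange = 0;
    size_t i = 0;
    memset(out, 0, sizeof *out);
    while (i < len) {
        uint8_t prefix = desc[i++];
        int size = (prefix & 3) == 3 ? 4 : (prefix & 3), type = (prefix >> 2) & 3, tag = prefix >> 4, k;
        uint32_t data = 0; int32_t sdata;
        if (prefix == 0xFE) return -1;                       /* long item: not handled */
        if (i + size > len) return -1;                       /* item data runs past the buffer */
        for (k = 0; k < size; k++) data |= (uint32_t)desc[i + k] << (8 * k);
        i += size;
        sdata = size == 1 ? (int8_t)data : size == 2 ? (int16_t)data : (int32_t)data;
        if (type == 1) {                                     /* global items */
            if (tag == 0) usagePage = (uint16_t)data; else if (tag == 1) logMin = sdata;
            else if (tag == 2) logMax = sdata; else if (tag == 7) rsize = (int)data;
            else if (tag == 9) rcount = (int)data;
        } else if (type == 2) {                              /* local items */
            if (tag == 0 && nUsages < MAX_USAGES) usages[nUsages++] = (uint16_t)data;
            else if (tag == 1) { usageMin = (uint16_t)data; haveRange = 1; }
            else if (tag == 2) usageMax = (uint16_t)data;
        } else if (type == 0) {                              /* main items */
            if (tag == 8) {                                  /* Input */
                HidField *f;
                if (out->nFields >= MAX_FIELDS || rsize <= 0 || rsize > 32) return -1;
                f = &out->fields[out->nFields++];
                f->usagePage = usagePage; f->reportSize = rsize; f->reportCount = rcount;
                f->logicalMin = logMin; f->logicalMax = logMax; f->relative = (data >> 2) & 1;
                if (haveRange) { uint16_t u; for (u = usageMin; u <= usageMax && f->nUsages < MAX_USAGES; u++) f->usages[f->nUsages++] = u; }
                else { memcpy(f->usages, usages, nUsages * sizeof usages[0]); f->nUsages = nUsages; }
                out->reportBits += rsize * rcount;
            }
            nUsages = 0; haveRange = 0;
        }
    }
    return out->nFields;
}
/* Reads nbits at bit offset off, LSB first as HID packs fields; sign-extends on request. */
static int32_t get_bits(const uint8_t *rep, int off, int nbits, int sign)
{
    uint32_t v = 0; int b;
    for (b = 0; b < nbits; b++) v |= (uint32_t)((rep[(off + b) >> 3] >> ((off + b) & 7)) & 1) << b;
    if (sign && nbits < 32 && ((v >> (nbits - 1)) & 1)) v |= ~0u << nbits;
    return (int32_t)v;
}
typedef struct { uint8_t buttons; int32_t x, y, wheel; } MouseState;
/* Applies the layout to one report. Returns -1 if the report is too short for the layout. */
int hid_decode_mouse(const HidLayout *lay, const uint8_t *rep, size_t repLen, MouseState *out)
{
    int off = 0, fi, k;
    if ((int)repLen * 8 < lay->reportBits) return -1;
    memset(out, 0, sizeof *out);
    for (fi = 0; fi < lay->nFields; fi++) {
        const HidField *f = &lay->fields[fi];
        for (k = 0; k < f->reportCount; k++, off += f->reportSize) {
            int32_t v = get_bits(rep, off, f->reportSize, f->logicalMin < 0);
            if (f->usagePage == 0x09 && k < 8) out->buttons |= (uint8_t)(v << k);   /* Button page */
            else if (f->usagePage == 0x01 && k < f->nUsages) {                       /* Generic Desktop */
                if (f->usages[k] == 0x30) out->x = v; else if (f->usages[k] == 0x31) out->y = v;
                else if (f->usages[k] == 0x38) out->wheel = v;
            }
        }
    }
    return 0;
}
/* Boot-protocol keyboard report (HID 1.11 appendix B.1): modifiers, reserved, six key codes.
 * Returns the first pressed letter key ('a'..'z' = usages 0x04..0x1D), or 0 if none. */
char boot_keyboard_first_letter(const uint8_t *rep, size_t repLen, uint8_t *modifiers)
{
    int k; if (repLen < 8) return 0;
    *modifiers = rep[0];
    for (k = 2; k < 8; k++) if (rep[k] >= 0x04 && rep[k] <= 0x1D) return (char)('a' + rep[k] - 0x04);
    return 0;
}
```

Calling hid_parse_report_descriptor on kMouseReportDesc yields two Input fields, a byte of button bits on the Button page and three signed 8-bit relative values for X, Y and Wheel, so one report is 32 bits, matching the 4-byte Function=9 dumps; hid_decode_mouse on `00 FD EF 00` then gives X = -3 and Y = -17, and boot_keyboard_first_letter on `00 00 04 00 00 00 00 00` returns 'a' (key code 0x04). The checks for a truncated item and for a report shorter than the layout are there because both the descriptor and the reports are untrusted device input; a capture tool that parses them must not trust the lengths it reads.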