USB调试笔记
使用BUSHOUND手动分析USB批量传输的URB
2021-10-31
1250
6
使用BUSHOUND抓取U盘的批量传输的URB数据,我们对其其进行数据分析:
13 IN 55 53 42 53 40 0b ac 57 00 00 00 00 00
URB
80 00 09 00 00 00 00 00 d8 f2 75 a0 77 7f 00 00 00 00 00 00 00 00 00 00 20 a3 9c 5f 88 80 ff ff
03 00 00 00 0d 00 00 00 18 9a ef 5c 88 80 ff ff f0 f6 4e 06 88 80 ff ff 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
在Windows内核中,对批量传输和中断传输,使用的是同一个结构体。
typedef _Struct_size_bytes_(UrbHeader.Length) struct _URB {
union {
struct _URB_BULK_OR_INTERRUPT_TRANSFER
UrbBulkOrInterruptTransfer;
}
}
所以URB_BULK_OR_INTERRUPT_TRANSFER的结构体定义,并对结构体各成员的偏移地址进行分析如下:
struct _URB_BULK_OR_INTERRUPT_TRANSFER {
struct _URB_HEADER Hdr; //0
USBD_PIPE_HANDLE PipeHandle; //24
ULONG TransferFlags; //32
ULONG TransferBufferLength; //36
PVOID TransferBuffer; //40
PMDL TransferBufferMDL; //48
struct _URB *UrbLink; // Reserved //56
struct _URB_HCD_AREA hca; // Reserved //64
};
对批量的数据进分析如下:
Hdr
Length 80 00
Function 09 00 //URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER
Status 00 00 00 00
UsbdDeviceHandle d8 f2 75 a0 77 7f 00 00
UsbdFlags 00 00 00 00
结构体对齐补 00 00 00 00
PipeHandle 20 a3 9c 5f 88 80 ff ff
TransferFlags 03 00 00 00
TransferBufferLength 0d 00 00 00
TransferBuffer 18 9a ef 5c 88 80 ff ff
TransferBufferMDL f0 f6 4e 06 88 80 ff ff
UrbLink 00 00 00 00 00 00 00 00
hca
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
这里的数据结构TransferBufferLength成员为13字节,和IN的数据长度一致。
而对于中断传输,由于其结构体一致,而只是数据不一样。所以我们可以自己抓取一个鼠标或者键盘的数据对照URB_BULK_OR_INTERRUPT_TRANSFER结构体的偏移进行分析。
HID人机交互QQ群:564808376
UAC音频QQ群:218581009
UVC相机QQ群:331552032
BOT&UASP大容量存储QQ群:258159197
STC-USB单片机QQ群:315457461
USB技术交流QQ群2:580684376
USB技术交流QQ群:952873936
