news 2026/3/7 23:15:04

Analysis of the win32k!StartDeviceRead function: the process of reading mouse data from the Driver-mouhid device


张小明

Front-end development engineer

1: kd> g
Breakpoint 4 hit
eax=00000000 ebx=bfa02600 ecx=00000000 edx=00000000 esi=e162bd40 edi=bfa01624
eip=bf8fc06b esp=bab9a8dc ebp=bab9a8f0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!StartDeviceRead:
bf8fc06b 55 push ebp
1: kd> dv
pDeviceInfo = 0xe162bd40
ulLengthToRead = 0xe162bd40
pBuffer = 0x00000008
fAlreadyHadDeviceInfoCrit = 0n-513622720
1: kd> dx -r1 ((win32k!tagDEVICEINFO *)0xe162bd40)
((win32k!tagDEVICEINFO *)0xe162bd40) : 0xe162bd40 [Type: tagDEVICEINFO *]
[+0x000] head [Type: _HEAD]
[+0x008] pNext : 0xe1414eb8 [Type: tagDEVICEINFO *]
[+0x00c] type : 0x0 [Type: unsigned char]
[+0x00d] bFlags : 0x2 [Type: unsigned char]
[+0x00e] usActions : 0x0 [Type: unsigned short]
[+0x010] nRetryRead : 0x0 [Type: unsigned char]
[+0x014] ustrName : "\??\HID#Vid_0e0f&Pid_0003&MI_00#8&28f6544d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}" [Type: _UNICODE_STRING]
[+0x01c] handle : 0x21c [Type: void *]
[+0x020] NotificationEntry : 0xe13e70c0 [Type: void *]
[+0x024] pkeHidChangeCompleted : 0x897fb9c0 [Type: _KEVENT *]
[+0x028] iosb [Type: _IO_STATUS_BLOCK]
[+0x030] ReadStatus : 259 [Type: long]
[+0x034] OpenerProcess : 0x1b0 [Type: void *]
[+0x038] OpenStatus : 0 [Type: long]
[+0x03c] AttrStatus : 0 [Type: long]
[+0x040] timeStartRead : 0xffcae901 [Type: unsigned long]
[+0x044] timeEndRead : 0xffcae91f [Type: unsigned long]
[+0x048] nReadsOutstanding : 0 [Type: int]
[+0x04c] mouse [Type: tagMOUSE_DEVICE_INFO]
[+0x04c] keyboard [Type: tagKEYBOARD_DEVICE_INFO]
[+0x04c] hid [Type: tagHID_DEVICE_INFO]


1: kd> !handle 0x21c

PROCESS 898a7258 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7c21b000 ObjectTable: e142d3c8 HandleCount: 304.
Image: csrss.exe

Handle table at e142d3c8 with 304 entries in use

021c: Object: 8983d458 GrantedAccess: 00100001 Entry: e15ca438
Object: 8983d458 Type: (89987710) File
ObjectHeader: 8983d440 (old version)
HandleCount: 1 PointerCount: 1


1: kd> dt file_object 8983d458
winsrv!FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x89536cc0 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0x895aad18 Void
+0x010 FsContext2 : 0xf750180e Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40000
+0x030 FileName : _UNICODE_STRING ""
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
1: kd> dx -id 0,0,898a7258 -r1 ((winsrv!_DEVICE_OBJECT *)0x89536cc0)
((winsrv!_DEVICE_OBJECT *)0x89536cc0) : 0x89536cc0 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
[<Raw View>] [Type: _DEVICE_OBJECT]
Flags : 0x3040
UpperDevices : Immediately above is Device for "\Driver\mouhid" [at 0x898db158]
LowerDevices
Driver : 0x895c35f0 : Driver "\Driver\hidusb" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,898a7258 -r1 -nv (*((winsrv!_DEVICE_OBJECT *)0x89536cc0))
(*((winsrv!_DEVICE_OBJECT *)0x89536cc0)) : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x30c [Type: unsigned short]
[+0x004] ReferenceCount : 1 [Type: long]
[+0x008] DriverObject : 0x895c35f0 : Driver "\Driver\hidusb" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x89626cc0 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x898db158 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x3040 [Type: unsigned long]
[+0x020] Characteristics : 0x80 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x89536d78 [Type: void *]
[+0x02c] DeviceType : 0x22 [Type: unsigned long]
[+0x030] StackSize : 8 [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe12977c0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x1 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x89536fd0 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,898a7258 -r1 ((winsrv!_DEVICE_OBJECT *)0x898db158)
((winsrv!_DEVICE_OBJECT *)0x898db158) : 0x898db158 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
[<Raw View>] [Type: _DEVICE_OBJECT]
Flags : 0x2000
UpperDevices : Immediately above is Device for "\Driver\Mouclass" [at 0x89406038]
LowerDevices
Driver : 0x8958d898 : Driver "\Driver\mouhid" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,898a7258 -r1 -nv (*((winsrv!_DEVICE_OBJECT *)0x898db158))
(*((winsrv!_DEVICE_OBJECT *)0x898db158)) : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x1f0 [Type: unsigned short]
[+0x004] ReferenceCount : 0 [Type: long]
[+0x008] DriverObject : 0x8958d898 : Driver "\Driver\mouhid" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x89406038 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x2000 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x898db210 [Type: void *]
[+0x02c] DeviceType : 0xf [Type: unsigned long]
[+0x030] StackSize : 9 '\t' [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0x0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x1 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x898db348 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,898a7258 -r1 ((winsrv!_DEVICE_OBJECT *)0x89406038)
((winsrv!_DEVICE_OBJECT *)0x89406038) : 0x89406038 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[<Raw View>] [Type: _DEVICE_OBJECT]
Flags : 0x2044
UpperDevices : None
LowerDevices
Driver : 0x89589a68 : Driver "\Driver\Mouclass" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,898a7258 -r1 -nv (*((winsrv!_DEVICE_OBJECT *)0x89406038))
(*((winsrv!_DEVICE_OBJECT *)0x89406038)) : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x1c8 [Type: unsigned short]
[+0x004] ReferenceCount : 0 [Type: long]
[+0x008] DriverObject : 0x89589a68 : Driver "\Driver\Mouclass" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x89808a40 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x2044 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x894060f0 [Type: void *]
[+0x02c] DeviceType : 0xf [Type: unsigned long]
[+0x030] StackSize : 10 '\n' [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe12977c0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x0 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x89406200 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]

1: kd> g
MOUCLASS-MouseClassRead: enter
MOUCLASS-MouseClassServiceCallback: enter
MOUCLASS-MouseClassServiceCallback: port queue length 0x18, read length 0xf0
MOUCLASS-MouseClassServiceCallback: number of bytes to move from port to SystemBuffer 0x18
MOUCLASS-MouseClassServiceCallback: move bytes from 0x898db2f8 to 0x894dee70
MOUCLASS-MouseClassServiceCallback: bytes remaining after move to SystemBuffer 0x0
MOUCLASS-MouseClassServiceCallback: exit
Breakpoint 1 hit
eax=00000000 ebx=bfa02600 ecx=00000000 edx=80bf6160 esi=e162bd40 edi=bfa01624
eip=bf8e9149 esp=bab9a8dc ebp=bab9a8f0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!ProcessMouseInput:
bf8e9149 55 push ebp
1: kd> dv
pMouseInfo = 0xe162bd40
ptLastMove = {x=-1081175735 y=8}
1: kd> dx -r1 ((win32k!tagDEVICEINFO *)0xe162bd40)
((win32k!tagDEVICEINFO *)0xe162bd40) : 0xe162bd40 [Type: tagDEVICEINFO *]
[+0x000] head [Type: _HEAD]
[+0x008] pNext : 0xe1414eb8 [Type: tagDEVICEINFO *]
[+0x00c] type : 0x0 [Type: unsigned char]
[+0x00d] bFlags : 0x2 [Type: unsigned char]
[+0x00e] usActions : 0x0 [Type: unsigned short]
[+0x010] nRetryRead : 0x0 [Type: unsigned char]
[+0x014] ustrName : "\??\HID#Vid_0e0f&Pid_0003&MI_00#8&28f6544d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}" [Type: _UNICODE_STRING]
[+0x01c] handle : 0x21c [Type: void *]
[+0x020] NotificationEntry : 0xe13e70c0 [Type: void *]
[+0x024] pkeHidChangeCompleted : 0x897fb9c0 [Type: _KEVENT *]
[+0x028] iosb [Type: _IO_STATUS_BLOCK]
[+0x030] ReadStatus : 259 [Type: long]
[+0x034] OpenerProcess : 0x1b0 [Type: void *]
[+0x038] OpenStatus : 0 [Type: long]
[+0x03c] AttrStatus : 0 [Type: long]
[+0x040] timeStartRead : 0xffcae94e [Type: unsigned long]
[+0x044] timeEndRead : 0xffcae95d [Type: unsigned long]
[+0x048] nReadsOutstanding : 0 [Type: int]
[+0x04c] mouse [Type: tagMOUSE_DEVICE_INFO]
[+0x04c] keyboard [Type: tagKEYBOARD_DEVICE_INFO]
[+0x04c] hid [Type: tagHID_DEVICE_INFO]
1: kd> dx -r1 (*((win32k!_IO_STATUS_BLOCK *)0xe162bd68))
(*((win32k!_IO_STATUS_BLOCK *)0xe162bd68)) [Type: _IO_STATUS_BLOCK]
[+0x000] Status : 0 [Type: long]
[+0x000] Pointer : 0x0 [Type: void *]
[+0x004] Information : 0x18 [Type: unsigned long]
1: kd> dx -r1 (*((win32k!tagMOUSE_DEVICE_INFO *)0xe162bd8c))
(*((win32k!tagMOUSE_DEVICE_INFO *)0xe162bd8c)) [Type: tagMOUSE_DEVICE_INFO]
[+0x000] Attr [Type: _MOUSE_ATTRIBUTES]
[+0x00c] Data [Type: _MOUSE_INPUT_DATA [10]]
1: kd> dx -r1 (*((win32k!_MOUSE_INPUT_DATA (*)[10])0xe162bd98))
(*((win32k!_MOUSE_INPUT_DATA (*)[10])0xe162bd98)) [Type: _MOUSE_INPUT_DATA [10]]
[0] [Type: _MOUSE_INPUT_DATA]
[1] [Type: _MOUSE_INPUT_DATA]
[2] [Type: _MOUSE_INPUT_DATA]
[3] [Type: _MOUSE_INPUT_DATA]
[4] [Type: _MOUSE_INPUT_DATA]
[5] [Type: _MOUSE_INPUT_DATA]
[6] [Type: _MOUSE_INPUT_DATA]
[7] [Type: _MOUSE_INPUT_DATA]
[8] [Type: _MOUSE_INPUT_DATA]
[9] [Type: _MOUSE_INPUT_DATA]
1: kd> dx -r1 (*((win32k!_MOUSE_INPUT_DATA *)0xe162bd98))
(*((win32k!_MOUSE_INPUT_DATA *)0xe162bd98)) [Type: _MOUSE_INPUT_DATA]
[+0x000] UnitId : 0x1 [Type: unsigned short]
[+0x002] Flags : 0x1 [Type: unsigned short]
[+0x004] Buttons : 0x0 [Type: unsigned long]
[+0x004] ButtonFlags : 0x0 [Type: unsigned short]
[+0x006] ButtonData : 0x0 [Type: unsigned short]
[+0x008] RawButtons : 0x0 [Type: unsigned long]
[+0x00c] LastX : 36764 [Type: long]
[+0x010] LastY : 38610 [Type: long]
[+0x014] ExtraInformation : 0x0 [Type: unsigned long]
1: kd> g
Breakpoint 2 hit
eax=00000000 ebx=ffcae97d ecx=bc510013 edx=00000100 esi=e162bd98 edi=00000000
eip=bf8e7542 esp=bab9a898 ebp=bab9a8d8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!QueueMouseEvent:
bf8e7542 55 push ebp
1: kd> dv
ButtonFlags = 0
ButtonData = 0
ExtraInfo = 0
ptMouse = {x=574 y=452}
time = 0n-3479171
hDevice = 0x00010049
pmei = 0xe162bd98
bInjected = 0n0
bWakeRIT = 0n1
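
Added example (not part of the original post, and not win32k or mouclass code): the session shows a read of length 0xf0 (ten 0x18-byte `_MOUSE_INPUT_DATA` slots) completing with `iosb.Information = 0x18`, and record [0] with `Flags = 0x1` (MOUSE_MOVE_ABSOLUTE) arriving at `QueueMouseEvent` as `ptMouse = {x=574 y=452}`. The C below validates the completed byte count, decodes a record at the offsets from the `dx` output, and scales the absolute coordinates. The names `MouseRecord`, `records_in_read`, `decode_record`, `abs_to_pixel` and `SAMPLE` are hypothetical, and the scaling formula and the 1024x768 desktop size are assumptions chosen because they reproduce the `ptMouse` values in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RECORD_SIZE 0x18u  /* one _MOUSE_INPUT_DATA, "port queue length 0x18" */
#define READ_LENGTH 0xf0u  /* Data[10] in tagMOUSE_DEVICE_INFO, "read length 0xf0" */

typedef struct {           /* subset of fields, offsets taken from the dx output */
    uint16_t UnitId, Flags, ButtonFlags, ButtonData;
    int32_t  LastX, LastY;
} MouseRecord;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Whole records in a completed read, or -1 when the byte count is zero,
   larger than the buffer, or not a multiple of the record size. */
int records_in_read(uint32_t information) {
    if (information == 0 || information > READ_LENGTH) return -1;
    if (information % RECORD_SIZE != 0) return -1;
    return (int)(information / RECORD_SIZE);
}

/* Decode record idx from buf; 0 on success, -1 on a bad count or index. */
int decode_record(const uint8_t *buf, uint32_t information, int idx, MouseRecord *out) {
    int n = records_in_read(information);
    if (n < 0 || idx < 0 || idx >= n) return -1;
    const uint8_t *p = buf + (size_t)idx * RECORD_SIZE;
    out->UnitId      = rd16(p + 0x00); out->Flags      = rd16(p + 0x02);
    out->ButtonFlags = rd16(p + 0x04); out->ButtonData = rd16(p + 0x06);
    out->LastX = (int32_t)rd32(p + 0x0c);
    out->LastY = (int32_t)rd32(p + 0x10);
    return 0;
}

/* Assumed scaling (not win32k's code): absolute 0..65535 value to a pixel. */
int32_t abs_to_pixel(int32_t value, int32_t extent) {
    return (int32_t)(((int64_t)value * extent) / 65536);
}

/* Constructed sample: record [0] from the dump, re-encoded little-endian. */
const uint8_t SAMPLE[RECORD_SIZE] = {
    0x01,0x00, 0x01,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,
    0x9c,0x8f,0x00,0x00, 0xd2,0x96,0x00,0x00, 0x00,0x00,0x00,0x00 };

int main(void) {
    MouseRecord r;
    if (decode_record(SAMPLE, 0x18, 0, &r) != 0) return 1;
    printf("%d,%d\n", (int)abs_to_pixel(r.LastX, 1024), (int)abs_to_pixel(r.LastY, 768));
    return 0;
}
```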
