none
Windows virtual mouse driver

    Question

  • I am developing a KMDF virtual mouse driver.
    The general idea is a KMDF root enumerated non-filter driver which will be able to send output reports to the mouse and keyboard driver stacks.
    My driver is already working and sending requests to other driver stacks, but with no result.
    Report types and packet formats are pretty undocumented on Microsoft resources. There are no information about which data and to which device I need to send in order to move the mouse pointer, simulate clicks (with either mouse or keyboard).
    There is only general information about HID clients, drivers etc. Their documentation often refers to the Windows Driver Samples git repository, but the repository does not contain any sources close to my task. Few people are in driver development, so there are no tutorials either.
    I would appreciate giving me a hint where can I find more about my task.
    Friday, December 22, 2017 1:47 PM

Answers

  • I wrote one of these, and yes, they are indeed complicated, principally because HID I/O requests don't use standard buffer passing mechanisms. To make it easier, try using the Virtual HID Framework. There is an IoT sample (HID Injector) on the MS GitHub that uses VHF and only requires simple modification of the .INF file to run on "big Windows"

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, December 22, 2017 7:59 PM
    Moderator

All replies

  • I wrote one of these, and yes, they are indeed complicated, principally because HID I/O requests don't use standard buffer passing mechanisms. To make it easier, try using the Virtual HID Framework. There is an IoT sample (HID Injector) on the MS GitHub that uses VHF and only requires simple modification of the .INF file to run on "big Windows"

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, December 22, 2017 7:59 PM
    Moderator
  • Thank you for your answer.

    I have read about VHID before and I think it is pretty straightforward, but unfortunately I need it for Windows 7 and 8.1 as well. I went for KMDF 1.9 in order to run the same code on all versions from Win7 and above.

    I am going to abandon KMDF for a while and to try UMDF. It is far more clear though as I see there is no UMDF version able to cover all the Windows versions.

    There is also one available proprietary solution. BEMacro uses virtual mouse and keyboard drivers as its input emulation method. Unfortunately, its sources are not available and it works only on Windows 7, but I gonna give a try to reverse engineer it.

    Were there any resources you used during development of your driver?


    • Edited by Hedgar2018 Friday, December 22, 2017 9:12 PM Added my further plans
    Friday, December 22, 2017 9:00 PM
  • I studied the Windows sources (and even then, it took awhile; the HID stuff is poorly architected and doesn't interface with KMDF well), but that isn't available to you. I wrote my driver for a client that wanted to support Win7-8.1, so it was a few years ago (good news, I recently tried the driver on Win10, and it worked). The docs have improved since then. There are bits and pieces scattered all over the place (look at HID client and transport drivers). Pay particular attention to how buffers are passed to and from HID drivers, especially regarding the HID_XFER_PACKET. Also, learn to use the Microsoft Message Analyzer, which can capture USB traffic. I also found TDD to be helpful. Learn to use WPP Tracing, and output each packet and descriptor in the driver until you're comfortable with the protocol. Of course, you'll also need to spend some quality time with the KMDF, USB, HID, and HUT (HID Usage Table) docs.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, December 22, 2017 9:18 PM
    Moderator
  • Thanks for the tools.

    I'll go for them after trying UMDF stuff. I've just found a UMDF solution vmulti. I'll be lucky if I manage to adapt it.


    • Edited by Hedgar2018 Friday, December 22, 2017 9:36 PM
    Friday, December 22, 2017 9:35 PM
  • I finished the driver and now it works perfectly, but only on Win8.1 and Win10. On Win7 it starts, but when it comes to recognize HID devices specified in HID report descriptor, Win7 puts them into the 'Other devices category'.

    The two yellowed devices are mouse and keyboard, and the third is a fake HID device I use to send output reports (because mouse and keyboard are opened by HID services exclusively).

    Win8.1 and Win10 do everything right and put each HID device in its category (Mouse, Keyboard, and HID for the 3rd fake HID device).

    What does the Win7 lack? Please, help me for the last time :) It seems it needs some generic drivers, but docs don't tell anything Win7-specific.

    Wednesday, January 3, 2018 11:12 PM
  • For keyboard and mouse devices, you also have to set the subclass and protocol fields in the Interface Descriptor. Did you do that?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, January 3, 2018 11:16 PM
    Moderator
  • My driver is a lower filter driver for mshidkmdf.sys, so it handles only IOCTL_HID_GET_DEVICE_DESCRIPTOR and IOCTL_HID_GET_REPORT_DESCRIPTOR, so I provide only report and HID descriptors.

    Modern docs say I should develop that kind of driver, and there is a similar project vhidmini in driver samples. It seems that Win7's mshidkmdf can't do the rest of the work by itself. I suppose you are talking about developing a replacement for mshidkmdf if it comes to interface descriptor.

    I also see IOCTL_GET_PHYSICAL_DESCRIPTOR, IOCTL_HID_GET_COLLECTION_INFORMATION and IOCTL_HID_GET_COLLECTION_INFORMATION control codes in docs, which also specify some data for the HID stack. Is it the right way?
    • Edited by Hedgar2018 Wednesday, January 3, 2018 11:46 PM
    Wednesday, January 3, 2018 11:29 PM
  • I remember having issues getting my driver to work on Win7, but I don't remember off the top of my head how I solved it; I'd have to dig through the driver to figure it out. My solution is a complete HID minidriver, so what you are trying to do is possible, but it is a lot of work. I do know that I implemented a lot more IOCTLs than what you've listed

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, January 3, 2018 11:57 PM
    Moderator
  • Thank you. I hope I will not end up with making complete HID minidriver, as long as my solution works perfectly on 8.1 and 10.

    Firstly, I'll examine how other drivers from samples handle other IOCTLs and try to make my implementation. Maybe Win7 lacks just a few bits for getting work.

    Thursday, January 4, 2018 12:26 AM