Question about Retrieve String Info from Mirror Driver?

  • Question

  • I have read the article about Mirror Drivers on MSDN, and successfully built the mirror driver sample in WinDDK 7600.16385.1.

    My goal is to retrieve all text output, process IDs and on-screen coordinates on XP and WIN7 systems.

    Now I have hooked INDEX_DrvTextOut (as follows) in DrvEnableSurface:

    BOOL DrvTextOut(
        IN SURFOBJ  *psoDst,
        IN STROBJ   *pstro,
        IN FONTOBJ  *pfo,
        IN CLIPOBJ  *pco,
        IN RECTL    *prclExtra,
        IN RECTL    *prclOpaque,
        IN BRUSHOBJ *pboFore,
        IN BRUSHOBJ *pboOpaque,
        IN POINTL   *pptlOrg,
        IN MIX       mix)
    {
        /* Only pstro is inspected here; the remaining parameters are unused. */
        UNREFERENCED_PARAMETER(psoDst);
        UNREFERENCED_PARAMETER(pfo);
        UNREFERENCED_PARAMETER(pco);
        UNREFERENCED_PARAMETER(prclExtra);
        UNREFERENCED_PARAMETER(prclOpaque);
        UNREFERENCED_PARAMETER(pboFore);
        UNREFERENCED_PARAMETER(pboOpaque);
        UNREFERENCED_PARAMETER(pptlOrg);
        UNREFERENCED_PARAMETER(mix);

        DISPDBG((1, "Mirror Driver DrvTextOut: pid=0x%x pwstr=%08x\n",
                 EngGetCurrentProcessId(),
                 pstro ? pstro->pwszOrg : (WCHAR*)-1));

        /* pstro can be NULL (the DISPDBG line above already guards for that),
           and pwszOrg can be NULL when GDI does not supply the original string,
           so neither may be dereferenced unconditionally. */
        if (pstro != NULL && pstro->pwszOrg != NULL)
        {
            LOGWSTR(pstro->cGlyphs, pstro->pwszOrg);
        }

        return TRUE;
    }


    Then I enable the mirror driver with

    ddmlapp.exe -e

    For some applications the text can be logged, but for other applications it seems DrvTextOut is not called at all!

    BTW, I hooked the GDI function ExtTextOut in the application which does not call DrvTextOut and got all text output successfully.


    What happens after ExtTextOut and before DrvTextOut?

    Maybe I missed some knowledge???

    Could anybody help to explain this? Thanks!





    • Edited by Andyzn Tuesday, August 26, 2014 9:16 AM style
    Tuesday, August 26, 2014 9:12 AM

Answers

  • In some cases, GDI will render text to a bitmap and then copy the bitmap to the screen

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, August 26, 2014 11:37 PM
    Moderator

All replies

  • some update:

    I have tried to disable DirectDraw, Direct3D and WPF hardware acceleration using the following script, but it seems it still does not work.

    @Echo Off
    ::Set Mode=1 to Disable, Mode=0 to Enable as the default if nothing specified on the command line.
    Set _Mode=0
    If /I "%~1"=="Disable" Set _Mode=1
    If /I "%~1"=="Enable" Set _Mode=0
    Reg Add HKLM\SOFTWARE\Microsoft\DirectDraw /V EmulationOnly /T REG_DWORD /D %_Mode% /F
    Reg Add HKLM\SOFTWARE\Microsoft\Direct3D\Drivers /V SoftwareOnly /T REG_DWORD /D %_Mode% /F
    Reg Add HKCU\SOFTWARE\Microsoft\Avalon.Graphics /V DisableHWAcceleration /T REG_DWORD /D %_Mode% /F
    
    Reg Add HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw /V EmulationOnly /T REG_DWORD /D %_Mode% /F
    Reg Add HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers /V SoftwareOnly /T REG_DWORD /D %_Mode% /F


    Tuesday, August 26, 2014 5:47 PM
  • Thanks!

    So, what is the case? And does it mean the text can not be restored?

    Thursday, August 28, 2014 7:49 AM
  • There are many cases where GDI will choose to render off-screen and BitBlt the bitmap to the screen, typically when the driver doesn't accelerate some feature or doesn't support some pixel format. To force it to always call the driver, you have to lie to it and tell it you accelerate everything and that you support all pixel formats.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, August 28, 2014 7:39 PM
    Moderator