Do you know why this USB sniffer cannot detect HID packet with the RID at zero?

  • Question

  • It's a Microsoft USB sniffer:

    https://github.com/microsoft/Windows-driver-samples/tree/master/hid/hclient


    • Edited by Dilly0 Friday, September 27, 2019 11:31 AM
    Friday, September 27, 2019 11:24 AM

Answers

  • A Report ID of 0 is not valid.  Zero is used to signal that "report IDs are not being used."

    And that's not really a "USB sniffer".  It's a sample HID client.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Friday, September 27, 2019 4:58 PM

All replies

  • So, it's a bug inside UMDF.

    FeelsSad

    At least, I have this software that can read HID packets with RID at zero, but need to install a driver, better than nothing.

    https://github.com/djpnewton/busdog

    Else the funny thing is I can send HID packets with RID at zero with my USB sniffer, but not read :D








    • Edited by Dilly0 Friday, September 27, 2019 6:30 PM
    Friday, September 27, 2019 6:24 PM
  • Else the funny thing is I can send HID packets with RID at zero with my USB sniffer, but not read

    You can do anything, break the rules. Then deal with results.

    -- pa

    Friday, September 27, 2019 6:51 PM
  • > So, it's a bug inside of UMDF.

    No, it absolutely is not.  It's a bug in your design.  The USB HID Specification requires Report IDs to be non-zero.  You are attempting something that is not allowed.

    > Else the funny thing is I can send HID packets with RID at zero

    There are many things you CAN do that are invalid.  Here's the summary: don't do that.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Saturday, September 28, 2019 7:08 AM
  • Finally, yes, you're right: _hidReportDescriptor has no Report ID at 0 in my mouse, it begins at 1.

    If it starts at 1, why can't I read mouse coordinates with my USB sniffer, but only the mouse button state?






    • Edited by Dilly0 Saturday, September 28, 2019 8:14 AM
    Saturday, September 28, 2019 8:12 AM
  • Beats me.  The typical mouse report has one byte for button state, one byte for delta X, one byte for delta Y.  You'll have to decode your report descriptor to figure out what you're getting.

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Sunday, September 29, 2019 2:30 AM
  • USB sniffer doesn't detect anything if I move the mouse:


    It does detect if I press the 4th button (not with a coordinate packet, but with the packet sent to my Logitech Gaming Software).

    Same for my keyboard: it doesn't detect keystrokes, but it does for media keys (Mute, for example).

    And that's for both USB sniffers, the one from hclient and mine (I based mine on hclient, though).





    • Edited by Dilly0 Sunday, September 29, 2019 7:56 AM
    Sunday, September 29, 2019 7:49 AM
  • Same for my keyboard, it doesn't detect keystrokes, but it does for Media keys (Mute for the example)

    Aha. Then you're looking at the wrong device. The USB HID driver creates a separate device for every "top level collection". Usually the media keys and normal keys are in different collections.

    Maybe your mouse has several collections as well.

    Parse the report descriptor.

    -- pa

    Sunday, September 29, 2019 9:01 PM
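The "parse the report descriptor" step suggested above, as an added example that is not part of the original thread or of hclient: it walks a HID report descriptor and lists each top-level collection with its usage page, usage and first Report ID, rejecting a Report ID of zero. The descriptor bytes are constructed for illustration, and `parse_tlcs` and `struct tlc` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
/* One top-level collection (TLC). report_id: first Report ID declared in it, 0 = none. */
struct tlc { uint16_t usage_page, usage; uint8_t report_id; };

/* Constructed sample (not from a real device): mouse TLC, then consumer-control TLC. */
static const uint8_t sample_desc[] = {
    0x05,0x01, 0x09,0x02, 0xA1,0x01, 0x85,0x01, 0x09,0x01, 0xA1,0x00, 0x05,0x09,
    0x19,0x01, 0x29,0x03, 0x15,0x00, 0x25,0x01, 0x95,0x03, 0x75,0x01, 0x81,0x02,
    0x95,0x01, 0x75,0x05, 0x81,0x01, 0x05,0x01, 0x09,0x30, 0x09,0x31, 0x15,0x81,
    0x25,0x7F, 0x75,0x08, 0x95,0x02, 0x81,0x06, 0xC0, 0xC0,
    0x05,0x0C, 0x09,0x01, 0xA1,0x01, 0x85,0x02, 0x09,0xE2, 0x15,0x00, 0x25,0x01,
    0x75,0x01, 0x95,0x01, 0x81,0x06, 0x75,0x07, 0x81,0x01, 0xC0
};

/* Record each top-level collection; returns the count, or -1 if malformed. */
int parse_tlcs(const uint8_t *d, size_t len, struct tlc *out, int max)
{
    static const uint8_t size_of[4] = { 0, 1, 2, 4 };
    uint32_t usage_page = 0, usage = 0;
    int depth = 0, n = 0;
    for (size_t i = 0; i < len; ) {
        uint8_t prefix = d[i++];
        if (prefix == 0xFE) {                      /* long item: size, tag, data */
            if (i + 2 > len || i + 2 + d[i] > len) return -1;
            i += 2 + d[i]; continue;
        }
        size_t sz = size_of[prefix & 3];
        if (i + sz > len) return -1;               /* truncated item */
        uint32_t val = 0;
        for (size_t k = 0; k < sz; k++) val |= (uint32_t)d[i++] << (8 * k);
        switch (prefix & 0xFC) {
        case 0x04: usage_page = val; break;        /* Global: Usage Page */
        case 0x08: usage = val; break;             /* Local: Usage */
        case 0x84:                                 /* Global: Report ID */
            if (val == 0 || val > 255) return -1;  /* zero is reserved */
            if (depth > 0 && !out[n - 1].report_id) out[n - 1].report_id = (uint8_t)val;
            break;
        case 0xA0:                                 /* Main: Collection */
            if (depth++ > 0) break;                /* nested, not top-level */
            if (n == max) return -1;
            out[n++] = (struct tlc){ (uint16_t)usage_page, (uint16_t)usage, 0 };
            break;
        case 0xC0: if (--depth < 0) return -1; break;  /* Main: End Collection */
        }
        if ((prefix & 0x0C) == 0) usage = 0;       /* local items reset after a Main item */
    }
    return depth == 0 ? n : -1;
}
```

In the result, usage page 0x01 with usage 0x02 or 0x06 marks a mouse or keyboard collection, and a `report_id` of 0 means the collection declares no Report ID.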
  • It seems, yes.

    So I've browsed all the available devices with different collections and I got

    ERROR_ACCESS_DENIED
    5 (0x5)
    Access is denied.

    from CreateFile() for some of them, I suspect that it's the mouse coordinates I wanted to read.

    Is it to prevent keyloggers this protection feature that we need to install a kernel driver to be able to read keystrokes and mouse coordinates ?








    • Edited by Dilly0 Monday, September 30, 2019 5:04 AM
    Monday, September 30, 2019 5:00 AM
  • ... protection feature that we need to install a kernel driver to be able to read keystrokes and mouse coordinates ?

    Would think so
    Looks like in mouclass driver (mouclass.c MouseClassCreate):
    there is a check for Irp->RequestorMode:
     // We do not allow user mode opens for read.  This includes services (who
        // have the TCB privilege).
        //


    Additionally, examining mouse-pdo, there is in HIDCLASS!_PDO_EXTENSION a 'read-restriction':
    lkd> dt HIDCLASS!_PDO_EXTENSION 0xffff8d8c0924a1d0
       +0x000 prevState        : 0 (No matching name)
       +0x004 state            : 3 ( COLLECTION_STATE_RUNNING )
       +0x008 collectionNum    : 1
       +0x00c collectionIndex  : 0
       +0x010 removeLock       : _IO_REMOVE_LOCK
       +0x030 pdo              : 0xffff8d8c`0924a060 _DEVICE_OBJECT
       +0x038 name             : 0xffff8d8c`08e8bb40 _UNICODE_STRING "\Device\_HID00000001#COLLECTION00000001"
       +0x040 deviceFdoExt     : 0xffff8d8c`092051b0 _HIDCLASS_DEVICE_EXTENSION
       ...
       +0x094 restrictionsForRead : 0n1  <----------------------------------
       +0x098 restrictionsForWrite : 0n0
       +0x09c restrictionsForAnyOpen : 0n0
        ...
       +0x100 MouseOrKeyboard  : 0x1 ''
       +0x101 SessionSecurityEnabled : 0 ''
       +0x102 WakeOnSxEnabled  : 0 ''
       +0x104 IdleTimeout      : 0
       +0x108 S0IdleStopCount  : 0n0
       +0x110 WmiLibInfo       : _WMILIB_CONTEXT
       +0x150 LastStopIdleForIoTime : _LARGE_INTEGER 0x01d3b5a4`4d45bbf6


    No warranty
    With kind regards

    • Marked as answer by Dilly0 Tuesday, October 1, 2019 7:56 AM
    • Unmarked as answer by Dilly0 Tuesday, October 1, 2019 7:56 AM
    Monday, September 30, 2019 9:59 AM
  • Yes, the operating system claims all standard keyboard and mouse devices and opens them in exclusive mode.  You can't get at them.  To use a custom device, you have to make it another type of collection.

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Tuesday, October 1, 2019 4:04 AM
  • Understood.
    Tuesday, October 1, 2019 7:57 AM