
📄 driverentry.cpp

📁 USB sniffer for windows
// Main program for UsbSnoop driver
// Generated by Walt Oney's driver wizard

#include "stddcls.h"
#include "driver.h"
#include "usbioctl.h"

// Forward declarations. None of these routines is defined in the part of the
// file shown here.
// NOTE(review): "fido" presumably names the filter device object this driver
// attaches to the USB stack - confirm against AddDevice.
NTSTATUS AddDevice(IN PDRIVER_OBJECT DriverObject, IN PDEVICE_OBJECT pdo);
VOID DriverUnload(IN PDRIVER_OBJECT fido);
NTSTATUS DispatchAny(IN PDEVICE_OBJECT fido, IN PIRP Irp);
NTSTATUS DispatchPower(IN PDEVICE_OBJECT fido, IN PIRP Irp);
NTSTATUS DispatchPnp(IN PDEVICE_OBJECT fido, IN PIRP Irp);
NTSTATUS DispatchWmi(IN PDEVICE_OBJECT fido, IN PIRP Irp);
NTSTATUS DispatchInternalIOCTL(IN PDEVICE_OBJECT fido, IN PIRP Irp);
NTSTATUS MyDispatchInternalIOCTL(IN PDEVICE_OBJECT fido, IN PIRP Irp);
void DumpURB(PURB pUrb, BOOLEAN bReturnedFromHCD);

// Driver-wide state. Everything below is a plain file-scope global; no lock
// protecting any of it is visible in this listing.

// Not read or written in this listing.
// NOTE(review): presumably set when the driver runs on Windows 98 - confirm.
BOOLEAN win98 = FALSE;
// Not used in this listing.
// NOTE(review): presumably the driver's registry service key - confirm.
UNICODE_STRING servkey;
// Handle of the log file; opened, written and closed by LogToFile.
HANDLE fileHandle = (HANDLE)NULL;
// LogToFile waits on this semaphore before draining LogBuffer. The code that
// releases it is not in this listing.
KSEMAPHORE DataToBeRead;
//PWORK_QUEUE_ITEM BottomHalf;
// Not used in this listing.
// NOTE(review): presumably the handle of the LogToFile thread - confirm.
HANDLE ThreadHandle;
// Run flag of the LogToFile loop: set TRUE by LogToFile itself, and the loop
// ends once it reads FALSE. The code that clears it is not in this listing.
BOOLEAN Loging;

// Ring buffer that carries formatted log text from the dump routines to the
// LogToFile thread.
struct RollingBuffer
{
	// Read index: LogToFile writes Buffer[StartPos..] to the file and then
	// moves StartPos up to the EndPos value it sampled.
	int StartPos;
	// Write index: FillRollingBuffer copies new text here and advances it.
	// StartPos == EndPos is treated as "nothing to write" by LogToFile.
	int EndPos;
	// BUFFER_SIZE is not defined in this listing.
	char Buffer[BUFFER_SIZE];
};


// The single ring instance, shared by every caller of FillRollingBuffer and
// by LogToFile.
struct RollingBuffer LogBuffer;

// Scratch buffer that every dump routine in this file formats into with
// sprintf before handing the text to FillRollingBuffer.
// sprintf does not bound its output, so each format used with TempBuff has to
// expand to fewer than 256 bytes including the terminator.
// NOTE(review): the buffer is shared and unlocked; if two callers can run
// concurrently their messages can be interleaved - confirm how callers are
// serialised.
char TempBuff[256];

// functions to handle conversion from PipeHandle to endpoint number

// One PipeHandle -> endpoint-number association.
struct ENDPOINT_INFO 
{
    // Pipe handle used as the lookup key; NULL marks an unused slot.
    USBD_PIPE_HANDLE PipeHandle;
	// Endpoint number stored for that handle by AddEndpointInfo.
	unsigned char    Endpoint;
};

// Fixed table of 10 associations. Only the first element is spelled out; the
// remaining elements are zero-initialised, so every slot starts out unused.
// AddEndpointInfo reports a failure once all 10 slots are taken; no code that
// frees a slot is visible in this listing.
struct ENDPOINT_INFO TabEndpointInfo[10] =
{
	{ NULL, 0 },
};

// Look up the endpoint number recorded for a pipe handle.
//
// inPipeHandle : handle to search for in TabEndpointInfo
// outEndpoint  : receives the stored endpoint number when a match is found;
//                left untouched otherwise
//
// Returns true on a match, false when the handle is not in the table.
bool GetEndpointInfo(USBD_PIPE_HANDLE inPipeHandle, unsigned char * outEndpoint)
{
	for (int slot = 0; slot < arraysize(TabEndpointInfo); slot++)
	{
		struct ENDPOINT_INFO *entry = &TabEndpointInfo[slot];

		// Unused slots hold NULL and never match, even for a NULL query.
		if (entry->PipeHandle == NULL)
			continue;
		if (entry->PipeHandle != inPipeHandle)
			continue;

		*outEndpoint = entry->Endpoint;
		return true;
	}

	return false;
}

//		Jean-Sébastien Valette
//
//		FillRollingBuffer
//
//		13 09 2001
//
//		Copy a string to the rolling Buffer

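// Append the NUL-terminated string s (terminator excluded) to LogBuffer.
//
// LogBuffer is a ring: StartPos is the read index advanced by LogToFile,
// EndPos is the write index advanced here, and StartPos == EndPos means
// "empty". One byte is therefore always kept free so that a completely full
// ring cannot be mistaken for an empty one.
//
// A message that does not fit into the free space is dropped as a whole and
// reported with KdPrint. It is never copied over text that has not been
// written to the file yet, and it can never run past the end of Buffer,
// whatever the length of s.
//
// EndPos is stored exactly once, already wrapped, so a reader never sees the
// intermediate value BUFFER_SIZE.
// NOTE(review): no lock or memory barrier around LogBuffer is visible in this
// listing; confirm how concurrent callers and the LogToFile thread are
// serialised.
void inline FillRollingBuffer(char *s)
{
	if (s == NULL)
		return;

	size_t bufflen = strlen(s);
	if (bufflen == 0)
		return;

	// Work on a snapshot so every bound below is checked against the same
	// pair of indices.
	int start = LogBuffer.StartPos;
	int end = LogBuffer.EndPos;

	// Refuse to index Buffer with a position that lies outside it.
	if (end < 0 || end >= BUFFER_SIZE || start < 0 || start > BUFFER_SIZE)
	{
		KdPrint(("usbsnoop : Buffer Overrun \n"));
		return;
	}

	int used = (end >= start) ? (end - start) : (BUFFER_SIZE - start + end);
	int freeBytes = BUFFER_SIZE - 1 - used;

	if (freeBytes < 0 || bufflen > (size_t)freeBytes)
	{
		KdPrint(("usbsnoop : Buffer Overrun \n"));
		return;
	}

	// Copy in at most two pieces: up to the end of Buffer, then from its
	// beginning.
	size_t tail = (size_t)(BUFFER_SIZE - end);
	size_t first = (bufflen < tail) ? bufflen : tail;

	memcpy(LogBuffer.Buffer + end, s, first);
	if (bufflen > first)
		memcpy(LogBuffer.Buffer, s + first, bufflen - first);

	int newEnd = end + (int)bufflen;
	if (newEnd >= BUFFER_SIZE)
		newEnd -= BUFFER_SIZE;
	LogBuffer.EndPos = newEnd;
}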

//		Jean-Sébastien Valette
//
//		Write To LogFile
//
//		26 08 2001
//
//		09 09 2001 change to be a thread
//

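// Write len bytes starting at data to the log file at *offset.
// On success *offset is advanced by len; on failure it is left alone and the
// status is reported with KdPrint. A non-positive len is a no-op.
static NTSTATUS WriteLogChunk(HANDLE file, char *data, int len,
	PLARGE_INTEGER offset)
{
	IO_STATUS_BLOCK ioStatusBlock;
	NTSTATUS status;

	if (len <= 0)
		return STATUS_SUCCESS;

	status = ZwWriteFile(file,NULL,NULL,NULL,&ioStatusBlock,
		data,(ULONG)len,offset,NULL);
	if (status != STATUS_SUCCESS)
		KdPrint(("UsbSnoop : Can't WriteTofFile\nStatus %x",status));
	else
		offset->QuadPart += len;

	return status;
}

// Logger thread: opens \SystemRoot\snoopy.log, writes a version banner, then
// drains LogBuffer into the file each time DataToBeRead is signalled, until
// Loging becomes FALSE. Ends by terminating the calling system thread.
//
// Parameter is not used.
//
// Every ZwWriteFile result is checked, so the file offset only advances for
// data that was written. If the file cannot be opened, or the banner cannot
// be written, the thread keeps running and discards buffered text instead of
// using an invalid or already closed handle; the handle is closed at most
// once.
//
// NOTE(review): the file is created with a NULL security descriptor, so its
// access control is whatever it inherits under \SystemRoot. The log receives
// kernel pointers and whatever the dump routines format from intercepted
// requests - confirm who may read it.
// NOTE(review): FILE_OPEN_IF opens an existing log without truncating it and
// writing starts at offset 0, so bytes of a longer previous log can remain
// after the new data.
// NOTE(review): text still in LogBuffer when Loging turns FALSE is not
// written.
VOID LogToFile(PVOID Parameter)
{
	NTSTATUS status;
	IO_STATUS_BLOCK ioStatusBlock;
	OBJECT_ATTRIBUTES objectAttributes;
	UNICODE_STRING unicodeObjectName;
	ANSI_STRING ansiObjectName;
	LARGE_INTEGER Timeout;
	LARGE_INTEGER offset;
	BOOLEAN fileOpen = FALSE;
	int startpos;
	int endpos;

	char *version="UsbSnoop compiled on " __DATE__ " " __TIME__ "\n";

	//	Jean-Sébastien Valette 08 09 2001
	//
	//	try to open a log File

	RtlInitAnsiString(&ansiObjectName,"\\SystemRoot\\snoopy.log");
	status = RtlAnsiStringToUnicodeString(&unicodeObjectName,
		&ansiObjectName,TRUE);
	if (status != STATUS_SUCCESS)
	{
		// unicodeObjectName is not valid here, so the open is skipped
		sprintf(TempBuff,
			"RtlAnsiStringToUnicodeString failed, status = 0x%x\n",
			status);
		FillRollingBuffer(TempBuff);
	}
	else
	{
		InitializeObjectAttributes(&objectAttributes,&unicodeObjectName,
			0,NULL,NULL);

		status = ZwCreateFile(&fileHandle,GENERIC_WRITE,
			&objectAttributes,&ioStatusBlock,NULL,FILE_ATTRIBUTE_NORMAL,
			FILE_SHARE_READ,FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,
			NULL,0);

		// the name was allocated by the conversion above (TRUE) and is only
		// needed for the open
		RtlFreeUnicodeString(&unicodeObjectName);

		if (status != STATUS_SUCCESS)
		{
			KdPrint(("ZwCreateFile failed, status = 0x%x\n",status));
		}
		else
		{
			KdPrint(("\n\nusbsnoop: File Opened\nusbsnoop: fileHandle = %p\n",
				fileHandle));
			fileOpen = TRUE;
		}
	}

	if (!fileOpen)
		fileHandle = NULL;

	offset.QuadPart = 0;
	if (fileOpen)
	{
		status = ZwWriteFile(fileHandle,NULL,NULL,NULL,&ioStatusBlock,version,
					(unsigned long)strlen(version),NULL,NULL);
		if (status != STATUS_SUCCESS)
		{
			KdPrint(("Can't write into Logfile, status = %x\n",status));
			ZwClose(fileHandle);
			fileHandle = NULL;
			fileOpen = FALSE;
		}
		else
		{
			offset.QuadPart = strlen(version);
		}
	}

	// negative value = relative timeout in 100 ns units, i.e. 100 ms
	Timeout.QuadPart = -1000000;
	Loging = TRUE;
	while(Loging != FALSE)
	{
		status = KeWaitForSingleObject(&DataToBeRead,Executive, KernelMode,
			FALSE,&Timeout);
		if (status != STATUS_SUCCESS)
			continue;	// timed out: just re-check Loging

		KdPrint(("usbsnoop: LogToFile AWAKE !\n"));

		// sample both indices once and use the samples throughout
		startpos = LogBuffer.StartPos;
		endpos = LogBuffer.EndPos;
		if (startpos == endpos)
			continue;

		if (fileOpen)
		{
			if (endpos > startpos)
			{
				// pending text is contiguous
				WriteLogChunk(fileHandle,&(LogBuffer.Buffer[startpos]),
					endpos - startpos,&offset);
			}
			else
			{
				// pending text wraps: tail of the buffer first, then its head
				if (startpos != BUFFER_SIZE)
					WriteLogChunk(fileHandle,&(LogBuffer.Buffer[startpos]),
						BUFFER_SIZE - startpos,&offset);
				WriteLogChunk(fileHandle,&(LogBuffer.Buffer[0]),
					endpos,&offset);
			}
		}

		// consume the text even when a write failed or no file is open, so
		// the producers are not blocked by a full ring
		LogBuffer.StartPos = endpos;
	}

	if (fileOpen)
	{
		ZwClose(fileHandle);
		fileHandle = NULL;
	}

	PsTerminateSystemThread(STATUS_SUCCESS);
	return;
}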




// Record the endpoint number that belongs to a pipe handle.
//
// A handle that is already present in TabEndpointInfo is left untouched.
// Otherwise the pair is stored in the first slot whose PipeHandle is NULL.
// When no slot is free, a failure line is queued for the log.
void AddEndpointInfo(USBD_PIPE_HANDLE inPipeHandle, unsigned char inEndpoint)
{
	int freeSlot = -1;

	// one pass: stop on a known handle, remember the first unused slot
	for (int slot = 0; slot < arraysize(TabEndpointInfo); slot++)
	{
		USBD_PIPE_HANDLE current = TabEndpointInfo[slot].PipeHandle;

		if (current == NULL)
		{
			if (freeSlot < 0)
				freeSlot = slot;
		}
		else if (current == inPipeHandle)
		{
			return ;
		}
	}

	if (freeSlot >= 0)
	{
		TabEndpointInfo[freeSlot].PipeHandle = inPipeHandle;
		TabEndpointInfo[freeSlot].Endpoint = inEndpoint;
		return ;
	}

	sprintf(TempBuff,"AddEndpointInfo failed!\n");
	FillRollingBuffer(TempBuff);
}



///////////////////////////////////////////////////////////////////////////////

// Queue a three-line description of one I/O stack location for the log:
// major/minor function, device object, completion routine and context.
// A NULL pointer is ignored.
void DumpStackLocation(PIO_STACK_LOCATION stack)
{
	if (stack != NULL)
	{
		// function codes
		sprintf(TempBuff,"\tMajorFunction=%d, MinorFunction=%d\n",
			stack->MajorFunction,stack->MinorFunction);
		FillRollingBuffer(TempBuff);

		// target device
		sprintf(TempBuff,"\tDeviceObject=%p\n",stack->DeviceObject);
		FillRollingBuffer(TempBuff);

		// completion callback and its argument
		sprintf(TempBuff,"\tCompletionRoutine=%p Context=%p\n",
			stack->CompletionRoutine,stack->Context);
		FillRollingBuffer(TempBuff);
	}
}

// Queue a description of an IRP for the log: its address, its header fields
// and then every one of its StackCount stack locations.
// For a NULL IRP only the address line is produced.
void DumpIrp(PIRP Irp)
{
	sprintf(TempBuff,"Dumping IRP %p\n",Irp);
	FillRollingBuffer(TempBuff);

	if (Irp != NULL)
	{
		sprintf(TempBuff,"\tType=%d, Size=%d\n",Irp->Type,Irp->Size);
		FillRollingBuffer(TempBuff);
		sprintf(TempBuff,"\tStackCount=%d, CurrentLocation=%d\n",
			Irp->StackCount,Irp->CurrentLocation);
		FillRollingBuffer(TempBuff);

		// the memory right after the IRP structure is read as the array of
		// stack locations
		PIO_STACK_LOCATION firstLocation = (PIO_STACK_LOCATION) (Irp+1);
		CHAR index = 0;

		while (index < Irp->StackCount)
		{
			PIO_STACK_LOCATION location = firstLocation + index;

			sprintf(TempBuff,"\t[%d] MajorFunction=%d, MinorFunction=%d, DeviceObject=%p\n",
				index,location->MajorFunction, location->MinorFunction,
				location->DeviceObject);
			FillRollingBuffer(TempBuff);

			sprintf(TempBuff,"\tArg1=%p, Arg2=%p, Arg3=%p, Arg4=%p\n",
				location->Parameters.Others.Argument1,
				location->Parameters.Others.Argument2,
				location->Parameters.Others.Argument3,
				location->Parameters.Others.Argument4);
			FillRollingBuffer(TempBuff);

			sprintf(TempBuff,"\tCompletionRoutine=%p Context=%p\n",
				location->CompletionRoutine,location->Context);
			FillRollingBuffer(TempBuff);

			index++;
		}
	}
}

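// Queue a field-by-field description of a driver object for the log,
// followed by its whole MajorFunction dispatch table.
//
// The address line is always produced. A NULL p then ends the dump, as
// DumpIrp does for a NULL IRP, and the AddDevice line is skipped when
// p->DriverExtension is NULL, so neither pointer is dereferenced unchecked.
//
// NOTE(review): every %p below puts a kernel address into the text that
// LogToFile writes to snoopy.log - treat that file as sensitive.
void DumpDriverObject(PDRIVER_OBJECT p)
{
	sprintf(TempBuff,"UsbSnoop - DumpDriverObject : p = %p\n",p);
	FillRollingBuffer(TempBuff);
	if (p == NULL)
		return ;

	sprintf(TempBuff,"\tType = %d\n",p->Type);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tSize = %d\n",p->Size);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDeviceObject = %p\n",p->DeviceObject);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tFlags = 0x%x\n",p->Flags);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverStart = %p\n",p->DriverStart);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverSize = %d\n",p->DriverSize);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverSection = %p\n",p->DriverSection);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverExtension = %p\n",p->DriverExtension);
	FillRollingBuffer(TempBuff);
	if (p->DriverExtension != NULL)
	{
		sprintf(TempBuff,"\tDriverExtension->AddDevice = %p\n",
			p->DriverExtension->AddDevice);
		FillRollingBuffer(TempBuff);
	}
	sprintf(TempBuff,"\tFastIoDispatch = %p\n",p->FastIoDispatch);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"  DriverInit = %p\n",p->DriverInit);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverStartIo = %p\n",p->DriverStartIo);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverUnload = %p\n",p->DriverUnload);
	FillRollingBuffer(TempBuff);

	// one line per dispatch-table entry, IRP_MJ_MAXIMUM_FUNCTION included
	for (int i=0;i<IRP_MJ_MAXIMUM_FUNCTION + 1;i++)
	{
		sprintf(TempBuff,"\tMajorFunction[%d] = %p\n",i,
			p->MajorFunction[i]);
		FillRollingBuffer(TempBuff);
	}
}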

void DumpDeviceObject(PDEVICE_OBJECT p)
{
	sprintf(TempBuff,"UsbSnoop - DumpDeviceObject : p = %p\n",p);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDriverObject = %p\n",p->DriverObject);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tNextDevice = %p\n",p->NextDevice);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tAttachedDevice = %p\n",p->AttachedDevice);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tStackSize=%d\n",p->StackSize);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tCurrentIrp = %p\n",p->CurrentIrp);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tDeviceObjectExtension = %p\n",
		p->DeviceObjectExtension);
	FillRollingBuffer(TempBuff);

	PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION)p->DeviceObjectExtension;
