driverentry.cpp

USB sniffer for windows

	sprintf(TempBuff,"\t->DeviceObject=%p\n",pdx->DeviceObject);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\t->LowerDeviceObject=%p\n",
		pdx->LowerDeviceObject);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\t->Pdo=%p\n",pdx->Pdo);
	FillRollingBuffer(TempBuff);
}

void DumpContext(PCONTEXT Context)
{
	sprintf(TempBuff,"DumpContext : Context=%p\n",Context);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tCompletionRoutine=%p, Context=%p, Control=%x\n",
		Context->CompletionRoutine,Context->Context,Context->Control);
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"\tpUrb=%p, uSequenceNumber=%d, Stack=%p\n",
		Context->pUrb,Context->uSequenceNumber,Context->Stack);
	FillRollingBuffer(TempBuff);
}

#pragma INITCODE

/*
	DriverEntry : this function is called whenever this driver is loaded in memory,
		this is the only entry point this is accessible for the OS. Other entry
		points will be set up inside DriverEntry().
*/

extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	UCHAR MajorVersion, MinorVersion;

	//	Jean-Sebastien Vallette 25 08 2001
	//	Decaration for log file
	NTSTATUS status;
	LARGE_INTEGER ByteOffset;
	


	KdPrint(("UsbSnoop compiled on " __DATE__ " " __TIME__ "\n"));
	// Valette Jean-S閎astien
	//
	//	LogThread initialisation
	//
	//	Added 09 09 2001
	//	04 10 2001 : Move Global Buffer variable initialisation here 
	//				 Because of late Thread Init ! (loggin begins before
	//				 end of thread initialisation)
	LogBuffer.EndPos = LogBuffer.EndPos = 0;
	status = PsCreateSystemThread( &ThreadHandle,THREAD_ALL_ACCESS ,0,
					0,0, LogToFile,0);

	//	Valette Jean-S閎astien 
	//
	//	Initialize Semaphore
	//
	//	Added 09 09 2001
	KeInitializeSemaphore(&DataToBeRead,0,1000);



	ByteOffset.QuadPart = FILE_USE_FILE_POINTER_POSITION;
	
	// Insist that OS support at least the WDM 1.0 (Win98 DDK)
	
	if (!IoIsWdmVersionAvailable(1, 0))
	{
		sprintf(TempBuff,
			"UsbSnoop - Expected version of WDM (%d.%2.2d) not available\n",
			1, 0);
		FillRollingBuffer(TempBuff);
		return STATUS_UNSUCCESSFUL;
	}
	
	// See if we're running under Win98 or NT:
	
	win98 = !IoIsWdmVersionAvailable(1, 10); //DriverObject->DriverExtension->ServiceKeyName.Length == 0;
	
	MajorVersion = 0;
	MinorVersion = 0;

	while (IoIsWdmVersionAvailable(MajorVersion,MinorVersion))
		MajorVersion ++;

	MajorVersion --;

	while (IoIsWdmVersionAvailable(MajorVersion,MinorVersion))
		MinorVersion ++;
	MinorVersion --;

	if (win98)
		sprintf(TempBuff,
			"UsbSnoop - DriverEntry(%p) : Windows 98 WDM version %d.%d\n",
			DriverEntry,MajorVersion,MinorVersion);
	else
		sprintf(TempBuff,
		"UsbSnoop - DriverEntry(%p) : Windows NT WDM version %d.%d\n",
			DriverEntry,MajorVersion,MinorVersion);
	FillRollingBuffer(TempBuff);
//	DumpDriverObject(DriverObject);

	// Save the name of the service key

	servkey.Buffer = (PWSTR) ExAllocatePool(PagedPool, RegistryPath->MaximumLength);
	if (!servkey.Buffer)
	{
		sprintf(TempBuff,
			"UsbSnoop - Unable to allocate %d bytes for copy of service key name\n", 
			RegistryPath->MaximumLength);
		FillRollingBuffer(TempBuff);
		return STATUS_INSUFFICIENT_RESOURCES;
	}
	servkey.MaximumLength = RegistryPath->MaximumLength;
	RtlCopyUnicodeString(&servkey, RegistryPath);

	// Initialize function pointers

	DriverObject->DriverUnload = DriverUnload;
	DriverObject->DriverExtension->AddDevice = AddDevice;
	
	for (int i = 0; i < arraysize(DriverObject->MajorFunction); ++i)
		DriverObject->MajorFunction[i] = DispatchAny;

	// POWER IRP needs a special treatment
	DriverObject->MajorFunction[IRP_MJ_POWER] = DispatchPower;

	// we need a special callback to call RemoveDevice().
	// this is now done in MyDispatchPnp
//	DriverObject->MajorFunction[IRP_MJ_PNP] = DispatchPnp;

	// not needed
//	DriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL] = DispatchWmi;

	// not needed
//	DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = DispatchInternalIOCTL;

//	DumpDriverObject(DriverObject);

	return STATUS_SUCCESS;
}

///////////////////////////////////////////////////////////////////////////////

#pragma PAGEDCODE

/*
	DriverUnload() is called whenever our driver is unloaded from memory.
*/

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	NTSTATUS status;
	PAGED_CODE();
	sprintf(TempBuff,"UsbSnoop - DriverUnload(%p) : DriverObject %p\n",
		DriverUnload,DriverObject);
	FillRollingBuffer(TempBuff);
//	DumpDriverObject(DriverObject);
	RtlFreeUnicodeString(&servkey);
	Loging = FALSE;
	
	sprintf(TempBuff,"usbsnoop : Closed File \n");
	FillRollingBuffer(TempBuff);
	sprintf(TempBuff,"usbsnoop: status %x\n",status);
	FillRollingBuffer(TempBuff);


}

const char * GetIrpPnpMinorFunctionName(ULONG fcn)
{
	static const char* fcnname[] =
	{
		"IRP_MN_START_DEVICE",
		"IRP_MN_QUERY_REMOVE_DEVICE",
		"IRP_MN_REMOVE_DEVICE",
		"IRP_MN_CANCEL_REMOVE_DEVICE",
		"IRP_MN_STOP_DEVICE",
		"IRP_MN_QUERY_STOP_DEVICE",
		"IRP_MN_CANCEL_STOP_DEVICE",
		"IRP_MN_QUERY_DEVICE_RELATIONS",
		"IRP_MN_QUERY_INTERFACE",
		"IRP_MN_QUERY_CAPABILITIES",
		"IRP_MN_QUERY_RESOURCES",
		"IRP_MN_QUERY_RESOURCE_REQUIREMENTS",
		"IRP_MN_QUERY_DEVICE_TEXT",
		"IRP_MN_FILTER_RESOURCE_REQUIREMENTS",
		"",
		"IRP_MN_READ_CONFIG",
		"IRP_MN_WRITE_CONFIG",
		"IRP_MN_EJECT",
		"IRP_MN_SET_LOCK",
		"IRP_MN_QUERY_ID",
		"IRP_MN_QUERY_PNP_DEVICE_STATE",
		"IRP_MN_QUERY_BUS_INFORMATION",
		"IRP_MN_DEVICE_USAGE_NOTIFICATION",
		"IRP_MN_SURPRISE_REMOVAL",
	};

	if (0<=fcn && fcn<arraysize(fcnname))
		return fcnname[fcn];

	return NULL;
}

NTSTATUS MyDispatchPnp(IN PDEVICE_OBJECT fdo, IN PIRP Irp)
{
	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
	ULONG fcn = stack->MinorFunction;
	
	const char * MinorFunctionName = GetIrpPnpMinorFunctionName(fcn);
	if (MinorFunctionName != NULL)
		sprintf(TempBuff,
			"UsbSnoop - MyDispatchPNP(%p) : IRP_MJ_PNP (%s)\n",
			MyDispatchPnp,MinorFunctionName);
	else
		sprintf(TempBuff,
			"UsbSnoop - MyDispatchPNP(%p) : IRP_MJ_PNP (0x%x)\n",
			MyDispatchPnp,fcn);
	FillRollingBuffer(TempBuff);
	
	PDEVICE_OBJECT fido = fdo->AttachedDevice;
	NTSTATUS status;
	PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION) fido->DeviceExtension;

	status = pdx->OriginalDriverObject->MajorFunction[IRP_MJ_PNP](fdo,Irp);	

	// the following lines should be executed ONLY if DispatchPNP() callback
	// is not used, since it duplicates its work.

	if (fcn == IRP_MN_REMOVE_DEVICE)
		RemoveDevice(fido);
	
	return status;
}

/*
	AddDevice is called for each device we have to managed. This is where we
	get the oportunity to be added in the device object stack.
*/

NTSTATUS AddDevice(IN PDRIVER_OBJECT DriverObject, IN PDEVICE_OBJECT pdo)
{
	PAGED_CODE();
	sprintf(TempBuff,
		"UsbSnoop - AddDevice(%p) : DriverObject %p, pdo %p\n",
		AddDevice,DriverObject, pdo);
	FillRollingBuffer(TempBuff);
//	DumpDriverObject(DriverObject);
//	DumpDeviceObject(pdo);


	NTSTATUS status;
	
	// Create a UsbSnoop device object to represent the hardware we're managing.
	
	PDEVICE_OBJECT fido;

	status = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION),NULL,
		FILE_DEVICE_UNKNOWN, 0, FALSE, &fido);
	if (!NT_SUCCESS(status))
	{						// can't create device object
		sprintf(TempBuff,
			"UsbSnoop - IoCreateDevice failed - %X\n", status);
		FillRollingBuffer(TempBuff);
		return status;
	}						// can't create device object

	// Benoit PAPILLAULT 13/07/2001
	// fido->DeviceExtension is a user define structure whose size is passed
	// to IoCreateDevice(). We can store whatever we want inside.

	PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION) fido->DeviceExtension;
	
	// From this point forward, any error will have side effects that need to
	// be cleaned up. Using a try-finally block allows us to modify the program
	// easily without losing track of the side effects.
	
	__try
	{						// finish initialization
		IoInitializeRemoveLock(&pdx->RemoveLock, 0, 0, 255);
		pdx->DeviceObject = fido;
		pdx->Pdo = pdo;
		
		// Add our device object to the stack and propagate critical settings
		// from the immediately lower device object
		
		PDEVICE_OBJECT fdo = IoAttachDeviceToDeviceStack(fido, pdo);

		pdx->LowerDeviceObject = fdo;
		fido->Flags |= fdo->Flags & (DO_DIRECT_IO | DO_BUFFERED_IO | DO_POWER_PAGABLE | DO_POWER_INRUSH);
		fido->DeviceType = fdo->DeviceType;
		fido->Characteristics = fdo->Characteristics;
		fido->AlignmentRequirement = fdo->AlignmentRequirement;
		
		// Clear the "initializing" flag so that we can get IRPs
		
		fido->Flags &= ~DO_DEVICE_INITIALIZING;

//		DumpDriverObject(DriverObject);
//		DumpDeviceObject(fdo);
//		DumpDeviceObject(fido);
//		DumpDeviceObject(pdo);

		// we make a copy of fdo->DriverObject
		PDRIVER_OBJECT d = (PDRIVER_OBJECT)ExAllocatePool(PagedPool,sizeof(DRIVER_OBJECT));
		if (d != NULL)
		{
			*d = *fdo->DriverObject;

			// we make some changes to this copy
			d->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = MyDispatchInternalIOCTL;
			d->MajorFunction[IRP_MJ_PNP]                     = MyDispatchPnp;

			// here is the trick : we save the original DriverObject
			// and next, it points to our modified copy
			pdx->OriginalDriverObject = fdo->DriverObject;
			fdo->DriverObject = d;

			sprintf(TempBuff,
				"  OriginalDriverObject = %p\n",
				pdx->OriginalDriverObject);
			FillRollingBuffer(TempBuff);
		}
		else
		{
			sprintf(TempBuff,
				"ExAllocatePool failed : not redirecting PDO->DriverObject\n");
			FillRollingBuffer(TempBuff);
		}
	}						// finish initialization
	__finally
	{						// cleanup side effects
		if (!NT_SUCCESS(status))
		{					// need to cleanup
			IoDeleteDevice(fido);
		}					// need to cleanup
	}						// cleanup side effects
	
	return status;
}

///////////////////////////////////////////////////////////////////////////////

#pragma LOCKEDCODE

NTSTATUS CompleteRequest(IN PIRP Irp, IN NTSTATUS status, IN ULONG info)
{
	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = info;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);
	return status;
}

///////////////////////////////////////////////////////////////////////////////

#pragma LOCKEDCODE				// make no assumptions about pageability of dispatch fcns

NTSTATUS DispatchAny(IN PDEVICE_OBJECT fido, IN PIRP Irp)
{
	PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION) fido->DeviceExtension;
	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
	
	const char* irpname[] =
	{
		"IRP_MJ_CREATE",
		"IRP_MJ_CREATE_NAMED_PIPE",
		"IRP_MJ_CLOSE",
		"IRP_MJ_READ",
		"IRP_MJ_WRITE",
		"IRP_MJ_QUERY_INFORMATION",
		"IRP_MJ_SET_INFORMATION",
		"IRP_MJ_QUERY_EA",
		"IRP_MJ_SET_EA",
		"IRP_MJ_FLUSH_BUFFERS",
		"IRP_MJ_QUERY_VOLUME_INFORMATION",
		"IRP_MJ_SET_VOLUME_INFORMATION",
		"IRP_MJ_DIRECTORY_CONTROL",
		"IRP_MJ_FILE_SYSTEM_CONTROL",
		"IRP_MJ_DEVICE_CONTROL",
		"IRP_MJ_INTERNAL_DEVICE_CONTROL",
		"IRP_MJ_SHUTDOWN",
		"IRP_MJ_LOCK_CONTROL",
		"IRP_MJ_CLEANUP",
		"IRP_MJ_CREATE_MAILSLOT",
		"IRP_MJ_QUERY_SECURITY",
		"IRP_MJ_SET_SECURITY",
		"IRP_MJ_POWER",
		"IRP_MJ_SYSTEM_CONTROL",
		"IRP_MJ_DEVICE_CHANGE",
		"IRP_MJ_QUERY_QUOTA",