📄 driverentry.cpp
"IRP_MJ_SET_QUOTA",
"IRP_MJ_PNP",
};
UCHAR type = stack->MajorFunction;
if (type >= arraysize(irpname))
sprintf(TempBuff,
"UsbSnoop - DispatchAny : Unknown IRP, MajorFunction=0x%x\n",
type);
else
sprintf(TempBuff,"UsbSnoop - DispatchAny : %s\n",
irpname[type]);
FillRollingBuffer(TempBuff);
// Pass request down without additional processing
NTSTATUS status;
status = IoAcquireRemoveLock(&pdx->RemoveLock, Irp);
if (!NT_SUCCESS(status))
return CompleteRequest(Irp, status, 0);
IoSkipCurrentIrpStackLocation(Irp);
status = IoCallDriver(pdx->LowerDeviceObject, Irp);
IoReleaseRemoveLock(&pdx->RemoveLock, Irp);
return status;
}
/*
 * DumpBuffer - hex-dump `len` bytes starting at `buf` into the rolling log.
 *
 * Emits one log line per NB_BYTE (16) input bytes. Each line is
 * "\t\t<offset as 4+ hex digits>:" followed by " xx" for every byte,
 * in lowercase hex. Nothing is emitted when len <= 0.
 *
 * buf is dereferenced without a NULL check; the callers visible in this
 * file (DumpTransferBuffer) test the pointer before calling.
 *
 * NOTE(review): TempBuff and FillRollingBuffer are declared outside this
 * listing, so the scratch buffer's size and whether concurrent callers are
 * serialized cannot be confirmed from here. The longest line built below is
 * the prefix plus 48 characters of hex.
 * NOTE(review): the dump contains raw transfer payload; treat the resulting
 * log as sensitive data.
 */
void DumpBuffer(unsigned char * buf, int len)
{
#define NB_BYTE 16 /* number of bytes displayed per line */
    static const char hexDigits[] = "0123456789abcdef";
    char line[NB_BYTE*3 + 1];   /* " xx" per byte plus the terminator */

    for (int offset = 0; offset < len; offset += NB_BYTE)
    {
        /* last row may be shorter than NB_BYTE */
        int rowEnd = offset + NB_BYTE;
        if (rowEnd > len)
            rowEnd = len;

        int pos = 0;
        for (int k = offset; k < rowEnd; k++)
        {
            line[pos++] = ' ';
            line[pos++] = hexDigits[(buf[k] >> 4) & 0xf];   /* high nibble */
            line[pos++] = hexDigits[buf[k] & 0xf];          /* low nibble  */
        }
        line[pos] = 0;

        sprintf(TempBuff,"\t\t%04x:%s\n",offset,line);
        FillRollingBuffer(TempBuff);
    }
}
/*
 * DumpTransferBuffer - log either the description or the contents of a
 * URB transfer buffer.
 *
 *   pBuffer      flat buffer pointer taken from the URB (may be NULL)
 *   pMdl         MDL taken from the URB (may be NULL)
 *   uBufferSize  transfer length taken from the URB
 *   bPrintHeader TRUE  -> log only the three fields (length, pointer, MDL)
 *                FALSE -> hex-dump the data via DumpBuffer
 *
 * In data mode the flat buffer wins when both a flat buffer and an MDL are
 * supplied; the MDL is mapped only when there is no flat buffer.
 *
 * NOTE(review): the header lines pass pointers to "%08x"; DumpPipeHandle in
 * this file uses "%p" for a handle. The format is left as-is here so the
 * log text stays identical, but on a build where pointers are wider than
 * unsigned int the printed value would presumably be incomplete.
 * NOTE(review): the logged pointer values and the dumped payload end up in
 * the rolling buffer; if that buffer is readable from user mode (not
 * visible in this listing), treat it as sensitive.
 * NOTE(review): uBufferSize is taken as-is from the URB and converted to
 * DumpBuffer's int length; it is not cross-checked against the MDL's size.
 */
void DumpTransferBuffer(PUCHAR pBuffer, PMDL pMdl, ULONG uBufferSize, BOOLEAN bPrintHeader)
{
    if(bPrintHeader)
    {
        sprintf(TempBuff,"\tTransferBufferLength\t= %08x\n", uBufferSize);
        FillRollingBuffer(TempBuff);
        sprintf(TempBuff,"\tTransferBuffer\t= %08x\n", pBuffer);
        FillRollingBuffer(TempBuff);
        sprintf(TempBuff,"\tTransferBufferMDL\t= %08x\n", pMdl);
        FillRollingBuffer(TempBuff);
        return;
    }

    if(pBuffer)
    {
        // Both a flat buffer and an MDL may be specified; the MDL is
        // silently ignored in that case.
        KdPrint(("BufferSize : %d\n", uBufferSize));
        DumpBuffer(pBuffer,uBufferSize);
        return;
    }

    if(!pMdl)
    {
        sprintf(TempBuff,"\n\t\tno data supplied\n");
        FillRollingBuffer(TempBuff);
        return;
    }

    // NOTE(review): MmGetSystemAddressForMdl is documented as obsolete in
    // favour of MmGetSystemAddressForMdlSafe; with the older routine a
    // mapping failure may not be reported as NULL, so confirm that the
    // error branch below is reachable on the targeted OS versions.
    PUCHAR pMapped = (PUCHAR)MmGetSystemAddressForMdl(pMdl);
    if(!pMapped)
    {
        sprintf(TempBuff,"*** error: can't map MDL!\n");
        FillRollingBuffer(TempBuff);
        return;
    }

    DumpBuffer(pMapped,uBufferSize);
}
/*
 * DumpGetStatusRequest - log a control GET_STATUS URB.
 *
 * Always logs the transfer-buffer header fields and the Index field, and
 * flags a TransferBufferLength other than 1. The buffer contents are
 * dumped only when bReturnedFromHCD is set, i.e. once the request has
 * come back and the buffer holds the answer. A linked URB, if present,
 * is dumped recursively through DumpURB.
 *
 * NOTE(review): the USB GET_STATUS standard request returns two bytes of
 * status; confirm against the DDK documentation for
 * _URB_CONTROL_GET_STATUS_REQUEST that 1 is the intended expected length.
 * NOTE(review): UrbLink is followed without a depth limit; the recursion
 * ends only when a NULL link is reached.
 */
void DumpGetStatusRequest(struct _URB_CONTROL_GET_STATUS_REQUEST *pGetStatusRequest, BOOLEAN bReturnedFromHCD)
{
    // header: length / pointer / MDL
    DumpTransferBuffer((PUCHAR)pGetStatusRequest->TransferBuffer, pGetStatusRequest->TransferBufferMDL, pGetStatusRequest->TransferBufferLength, TRUE);

    if(pGetStatusRequest->TransferBufferLength != 1)
    {
        sprintf(TempBuff,
            "*** error - TransferBufferLength should be 1!\n");
        FillRollingBuffer(TempBuff);
    }

    // payload is only meaningful after the lower driver has filled it in
    if(bReturnedFromHCD)
    {
        DumpTransferBuffer((PUCHAR)pGetStatusRequest->TransferBuffer, pGetStatusRequest->TransferBufferMDL, pGetStatusRequest->TransferBufferLength, FALSE);
    }

    sprintf(TempBuff,"\tIndex\t\t= %02x\n",
        pGetStatusRequest->Index);
    FillRollingBuffer(TempBuff);

    if(!pGetStatusRequest->UrbLink)
        return;

    sprintf(TempBuff,"---> Linked URB:\n");
    FillRollingBuffer(TempBuff);
    DumpURB(pGetStatusRequest->UrbLink, bReturnedFromHCD);
    sprintf(TempBuff,"---< Linked URB\n");
    FillRollingBuffer(TempBuff);
}
/*
 * DumpFeatureRequest - log a control SET/CLEAR_FEATURE URB.
 *
 * Logs FeatureSelector and Index, then dumps a linked URB (if any)
 * recursively through DumpURB. bReadFromDevice is accepted but not used
 * by this function.
 *
 * NOTE(review): UrbLink is followed without a depth limit; the recursion
 * ends only when a NULL link is reached.
 */
void DumpFeatureRequest(struct _URB_CONTROL_FEATURE_REQUEST *pFeatureRequest, BOOLEAN bReadFromDevice, BOOLEAN bReturnedFromHCD)
{
    sprintf(TempBuff,"\tFeatureSelector = %04x\n",
        pFeatureRequest->FeatureSelector);
    FillRollingBuffer(TempBuff);

    sprintf(TempBuff,"\tIndex\t\t= %04x\n",
        pFeatureRequest->Index);
    FillRollingBuffer(TempBuff);

    if(!pFeatureRequest->UrbLink)
        return;

    sprintf(TempBuff,"---> Linked URB:\n");
    FillRollingBuffer(TempBuff);
    DumpURB(pFeatureRequest->UrbLink, bReturnedFromHCD);
    sprintf(TempBuff,"---< Linked URB\n");
    FillRollingBuffer(TempBuff);
}
/*
 * DumpDescriptorRequest - log a control GET/SET_DESCRIPTOR URB.
 *
 * Logs the transfer-buffer header, then the buffer contents when they are
 * meaningful: before the request goes down for a write
 * (!bReadFromDevice && !bReturnedFromHCD) or after it has come back for a
 * read (bReadFromDevice && bReturnedFromHCD). Index, DescriptorType (with
 * its symbolic name) and LanguageId follow, then any linked URB is dumped
 * recursively through DumpURB.
 *
 * NOTE(review): UrbLink is followed without a depth limit; the recursion
 * ends only when a NULL link is reached.
 */
void DumpDescriptorRequest(struct _URB_CONTROL_DESCRIPTOR_REQUEST *pDescriptorRequest, BOOLEAN bReadFromDevice, BOOLEAN bReturnedFromHCD)
{
    DumpTransferBuffer((PUCHAR)pDescriptorRequest->TransferBuffer, pDescriptorRequest->TransferBufferMDL, pDescriptorRequest->TransferBufferLength, TRUE);

    // Both flags clear or both flags set: the buffer holds valid data now.
    if((!bReadFromDevice) == (!bReturnedFromHCD))
    {
        DumpTransferBuffer((PUCHAR)pDescriptorRequest->TransferBuffer, pDescriptorRequest->TransferBufferMDL, pDescriptorRequest->TransferBufferLength, FALSE);
    }

    sprintf(TempBuff,"\tIndex\t\t= %02x\n",
        pDescriptorRequest->Index);
    FillRollingBuffer(TempBuff);

    // Map the descriptor type to its symbolic name for the log.
    const char *typeName;
    if(pDescriptorRequest->DescriptorType == USB_DEVICE_DESCRIPTOR_TYPE)
        typeName = "USB_DEVICE_DESCRIPTOR_TYPE";
    else if(pDescriptorRequest->DescriptorType == USB_CONFIGURATION_DESCRIPTOR_TYPE)
        typeName = "USB_CONFIGURATION_DESCRIPTOR_TYPE";
    else if(pDescriptorRequest->DescriptorType == USB_STRING_DESCRIPTOR_TYPE)
        typeName = "USB_STRING_DESCRIPTOR_TYPE";
    else
        typeName = "<illegal descriptor type!>";

    sprintf(TempBuff,"\tDescriptorType\t= %02x (%s)\n",
        pDescriptorRequest->DescriptorType,
        typeName);
    FillRollingBuffer(TempBuff);

    sprintf(TempBuff,"\tLanguageId\t= %04x\n",
        pDescriptorRequest->LanguageId);
    FillRollingBuffer(TempBuff);

    if(!pDescriptorRequest->UrbLink)
        return;

    sprintf(TempBuff,"---> Linked URB:\n");
    FillRollingBuffer(TempBuff);
    DumpURB(pDescriptorRequest->UrbLink, bReturnedFromHCD);
    sprintf(TempBuff,"---< Linked URB\n");
    FillRollingBuffer(TempBuff);
}
/*
 * DumpVendorOrClassRequest - log a vendor- or class-specific control URB.
 *
 * The transfer direction is derived from TransferFlags
 * (USBD_TRANSFER_DIRECTION_IN). Logs the flags, the transfer-buffer
 * header, and the buffer contents when they are meaningful: before the
 * request goes down for an OUT transfer, or after it has come back for an
 * IN transfer. UrbLink, RequestTypeReservedBits, Request, Value and Index
 * follow, then any linked URB is dumped recursively through DumpURB.
 *
 * NOTE(review): UrbLink is a pointer printed with "%08x"; DumpPipeHandle
 * in this file uses "%p" for a handle. Left unchanged to keep the log text
 * identical.
 * NOTE(review): UrbLink is followed without a depth limit; the recursion
 * ends only when a NULL link is reached.
 */
void DumpVendorOrClassRequest(struct _URB_CONTROL_VENDOR_OR_CLASS_REQUEST *pFunctionClassInterface, BOOLEAN bReturnedFromHCD)
{
    BOOLEAN bReadFromDevice = (BOOLEAN)(pFunctionClassInterface->TransferFlags & USBD_TRANSFER_DIRECTION_IN);

    const char *directionName;
    if(bReadFromDevice)
        directionName = "USBD_TRANSFER_DIRECTION_IN";
    else
        directionName = "USBD_TRANSFER_DIRECTION_OUT";

    // "~" marks the short-transfer flag as not set
    const char *shortOkPrefix;
    if(pFunctionClassInterface->TransferFlags & USBD_SHORT_TRANSFER_OK)
        shortOkPrefix = "";
    else
        shortOkPrefix = "~";

    sprintf(TempBuff,"\tTransferFlags\t\t\t= %08x (%s, %sUSBD_SHORT_TRANSFER_OK)\n",
        pFunctionClassInterface->TransferFlags,
        directionName,
        shortOkPrefix);
    FillRollingBuffer(TempBuff);

    DumpTransferBuffer((PUCHAR)pFunctionClassInterface->TransferBuffer, pFunctionClassInterface->TransferBufferMDL, pFunctionClassInterface->TransferBufferLength, TRUE);

    // Both flags clear or both flags set: the buffer holds valid data now.
    if((!bReadFromDevice) == (!bReturnedFromHCD))
    {
        DumpTransferBuffer((PUCHAR)pFunctionClassInterface->TransferBuffer, pFunctionClassInterface->TransferBufferMDL, pFunctionClassInterface->TransferBufferLength, FALSE);
    }

    sprintf(TempBuff,"\tUrbLink\t\t\t\t= %08x\n",
        pFunctionClassInterface->UrbLink);
    FillRollingBuffer(TempBuff);

    sprintf(TempBuff,"\tRequestTypeReservedBits = %02x\n",
        pFunctionClassInterface->RequestTypeReservedBits);
    FillRollingBuffer(TempBuff);

    sprintf(TempBuff,"\tRequest\t\t\t\t= %02x\n",
        pFunctionClassInterface->Request);
    FillRollingBuffer(TempBuff);

    sprintf(TempBuff,"\tValue\t\t\t\t= %04x\n",
        pFunctionClassInterface->Value);
    FillRollingBuffer(TempBuff);

    sprintf(TempBuff,"\tIndex\t\t\t\t= %04x\n",
        pFunctionClassInterface->Index);
    FillRollingBuffer(TempBuff);

    if(!pFunctionClassInterface->UrbLink)
        return;

    sprintf(TempBuff,"---> Linked URB:\n");
    FillRollingBuffer(TempBuff);
    DumpURB(pFunctionClassInterface->UrbLink, bReturnedFromHCD);
    sprintf(TempBuff,"---< Linked URB\n");
    FillRollingBuffer(TempBuff);
}
/*
 * DumpPipeHandle - log a pipe handle under the label `s`.
 *
 * When GetEndpointInfo finds a matching endpoint for the handle, the
 * endpoint value is appended to the line; otherwise only the handle is
 * logged.
 *
 * NOTE(review): `s` is copied into TempBuff through an unbounded "%s";
 * TempBuff's size is not visible in this listing, so callers are assumed
 * to pass short, fixed labels - confirm.
 */
void DumpPipeHandle(const char *s,USBD_PIPE_HANDLE inPipeHandle)
{
    unsigned char endpoint;

    // no matching endpoint known: log the bare handle
    if (!GetEndpointInfo(inPipeHandle,&endpoint))
    {
        sprintf(TempBuff,"%s = %p\n",s,inPipeHandle);
        FillRollingBuffer(TempBuff);
        return;
    }

    sprintf(TempBuff,"%s = %p [endpoint 0x%x]\n",s,inPipeHandle,endpoint);
    FillRollingBuffer(TempBuff);
}
void DumpURB(PURB pUrb, BOOLEAN bReturnedFromHCD)
{
if(NULL == pUrb)
{
sprintf(TempBuff,"UsbSnoop - URB == NULL ???\n");
FillRollingBuffer(TempBuff);
return;
}
USHORT wFunction = pUrb->UrbHeader.Function;
USHORT wLength = pUrb->UrbHeader.Length;
USBD_STATUS lUsbdStatus = pUrb->UrbHeader.Status;
/* Status values are defined in <usbdi.h> as USBD_STATUS_XXX */
// KdPrint((" Header.Length = %d\n", pUrb->UrbHeader.Length));
// KdPrint((" Header.Function = 0x%x\n", pUrb->UrbHeader.Function));
// KdPrint((" Header.Status = 0x%x\n", pUrb->UrbHeader.Status));
// KdPrint((" Header.UsbdDeviceHandle = %p\n",pUrb->UrbHeader.UsbdDeviceHandle));
// KdPrint((" Header.UsbdFlags = 0x%x\n", pUrb->UrbHeader.UsbdFlags));
switch(wFunction)
{
case URB_FUNCTION_SELECT_CONFIGURATION:
{
/* _URB_SELECT_CONFIGURATION is as follows :
- a first block of 16 bytes : struct _URB_HEADER Hdr
- a pointer (4 byes) : PUSB_CONFIGURATION_DESCRIPTOR ConfigurationDescriptor
this can be a NULL pointer, in which case the array of USBD_INTERFACE_INFORMATION
is empty.
- a handle (4 bytes) : USBD_CONFIGURATION_HANDLE ConfigurationHandle
- an array of USBD_INTERFACE_INFORMATION, whose number are
ConfigurationDescriptor.bNumInterfaces
each USBD_INTERFACE_INFORMATION contains fixed information (16 bytes), followed
by an array of USB_PIPE_INFORMATION (20 bytes) whose number is NumberOfPipes.
*/
#define URB_SELECT_CONFIGURATION_SIZE 24
struct _URB_SELECT_CONFIGURATION *pSelectConfiguration = (struct _URB_SELECT_CONFIGURATION*) pUrb;
sprintf(TempBuff,"-- URB_FUNCTION_SELECT_CONFIGURATION:\n");
FillRollingBuffer(TempBuff);
if(pSelectConfiguration->Hdr.Length < URB_SELECT_CONFIGURATION_SIZE)
{
sprintf(TempBuff,"!!! Hdr.Length is wrong! (is: %d, should be at least: %d)\n",
pSelectConfiguration->Hdr.Length,URB_SELECT_CONFIGURATION_SIZE);
FillRollingBuffer(TempBuff);
}
PUSB_CONFIGURATION_DESCRIPTOR pCD = pSelectConfiguration->ConfigurationDescriptor;
sprintf(TempBuff,"\tConfigurationDescriptor\t= 0x%x %s\n",
pCD,pCD ? "(configure)":"(unconfigure)");
FillRollingBuffer(TempBuff);
if (pCD == NULL)
break;
sprintf(TempBuff,"\tConfigurationDescriptor : bLength\t\t\t\t= %d\n",
pCD->bLength);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : bDescriptorType\t\t= 0x%02x\n",
pCD->bDescriptorType);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : wTotalLength\t\t\t= 0x%04x\n",
pCD->wTotalLength);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : bNumInterfaces\t\t= 0x%02x\n",
pCD->bNumInterfaces);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : bConfigurationValue = 0x%02x\n",
pCD->bConfigurationValue);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : iConfiguration\t\t\t= 0x%02x\n",
pCD->iConfiguration);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : bmAttributes\t\t\t\t= 0x%02x\n",
pCD->bmAttributes);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationDescriptor : MaxPower\t\t\t\t\t= 0x%02x\n",
pCD->MaxPower);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,"\tConfigurationHandle\t\t= 0x%08x\n",
pSelectConfiguration->ConfigurationHandle);
FillRollingBuffer(TempBuff);
ULONG uNumInterfaces = pCD->bNumInterfaces;
if(uNumInterfaces > 0xff)
{
sprintf(TempBuff,"*** error: uNumInterfaces is too large (%d), resetting to 1\n",
uNumInterfaces);
FillRollingBuffer(TempBuff);
uNumInterfaces = 1;
}
PUSBD_INTERFACE_INFORMATION pInterface = &pSelectConfiguration->Interface;
for(ULONG i = 0; i < uNumInterfaces; i++)
{
sprintf(TempBuff,
"\tInterface[%d]: Length\t\t\t\t= %d\n", i,
pInterface->Length);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: InterfaceNumber\t\t= %d\n", i,
pInterface->InterfaceNumber);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: AlternateSetting\t= %d\n", i,
pInterface->AlternateSetting);
FillRollingBuffer(TempBuff);
if(bReturnedFromHCD)
{
ULONG uNumPipes;
sprintf(TempBuff,
"\tInterface[%d]: Class\t\t\t\t\t= 0x%02x\n",
i, pInterface->Class);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: SubClass\t\t\t\t= 0x%02x\n",
i, pInterface->SubClass);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: Protocol\t\t\t\t= 0x%02x\n",
i, pInterface->Protocol);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: InterfaceHandle\t= 0x%08x\n",
i, pInterface->InterfaceHandle);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: NumberOfPipes\t\t= %d\n",
i, pInterface->NumberOfPipes);
FillRollingBuffer(TempBuff);
uNumPipes = pInterface->NumberOfPipes;
if(uNumPipes > 0x1f)
{
sprintf(TempBuff,
"*** error: uNumPipes is too large (%d), resetting to 1\n",
uNumPipes);
FillRollingBuffer(TempBuff);
uNumPipes = 1;
}
for(ULONG p = 0; p< uNumPipes; p++)
{
sprintf(TempBuff,
"\tInterface[%d]: Pipes[%lu] : MaximumPacketSize\t= 0x%04x\n",
i, p, pInterface->Pipes[p].MaximumPacketSize);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: Pipes[%lu] : EndpointAddress\t= 0x%02x\n",
i, p, pInterface->Pipes[p].EndpointAddress);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: Pipes[%lu] : Interval\t\t\t\t= 0x%02x\n",
i, p, pInterface->Pipes[p].Interval);
FillRollingBuffer(TempBuff);
sprintf(TempBuff,
"\tInterface[%d]: Pipes[%lu] : PipeType\t\t\t\t= 0x%02x (%s)\n",
i, p, pInterface->Pipes[p].PipeType,
pInterface->Pipes[p].PipeType == UsbdPipeTypeControl ? "UsbdPipeTypeControl" :
pInterface->Pipes[p].PipeType == UsbdPipeTypeIsochronous ? "UsbdPipeTypeIsochronous" :
pInterface->Pipes[p].PipeType == UsbdPipeTypeBulk ? "UsbdPipeTypeBulk" :
pInterface->Pipes[p].PipeType == UsbdPipeTypeInterrupt ? "UsbdPipeTypeInterrupt" : "!!! INVALID !!!");
FillRollingBuffer(TempBuff);