Analysing the USB HID device interface protocol
Tools: OllyDbg, Bus Hound
How the program identifies a USB HID peripheral: it calls HidD_GetHidGuid to obtain the HID device class GUID; calls SetupDiGetClassDevs to query all installed HID devices and obtain a handle to that device information set; calls SetupDiEnumDeviceInterfaces to query the interface of every device in the set; for each interface, calls SetupDiGetDeviceInterfaceDetail to obtain its details, including the device name (following the four-byte header of the structure), which CreateFile then uses to open the device; and finally calls SetupDiDestroyDeviceInfoList to free the device information set. In the second step it opens the device and reads its attributes and capability description: it calls CreateFile to open the device, then calls HidD_GetAttributes to obtain the attributes of the USB device, which include the vendor ID, the product ID and the product version number.
Start OllyDbg, load the simulator software and set breakpoints on HidD_GetAttributes and CreateFile; these are the functions through which the key HID information is retrieved.
004417B2 . 8B0D D8CD9500 MOV ECX,DWORD PTR DS:[95CDD8]
004417B8 . A3 00CE9500 MOV DWORD PTR DS:[95CE00],EAX
004417BD . 33D2 XOR EDX,EDX
004417BF . 8BC1 MOV EAX,ECX
004417C1 . 8A15 D7CD9500 MOV DL,BYTE PTR DS:[95CDD7]
004417C7 . 25 FF000000 AND EAX,0FF
004417CC . 8BF2 MOV ESI,EDX
004417CE . 8BD0 MOV EDX,EAX
004417D0 . 83E2 03 AND EDX,3
004417D3 . 33DB XOR EBX,EBX
004417D5 . C1E2 08 SHL EDX,8
004417D8 . 8A1D D6CD9500 MOV BL,BYTE PTR DS:[95CDD6]
004417DE . 8D9432 DC03000>LEA EDX,DWORD PTR DS:[EDX+ESI+3DC]
004417E5 . 8915 E0CD9500 MOV DWORD PTR DS:[95CDE0],EDX
004417EB . 8BD0 MOV EDX,EAX
004417ED . 83E2 0C AND EDX,0C
004417F0 . C1E2 06 SHL EDX,6
004417F3 . 8D941A DC03000>LEA EDX,DWORD PTR DS:[EDX+EBX+3DC]
004417FA . 33DB XOR EBX,EBX
004417FC . 8915 E4CD9500 MOV DWORD PTR DS:[95CDE4],EDX
00441802 . 8BD0 MOV EDX,EAX
00441804 . 83E2 30 AND EDX,30
00441807 . 8ADD MOV BL,CH
00441809 . C1E2 04 SHL EDX,4
0044180C . 25 C0000000 AND EAX,0C0
00441811 . 8D8C1A DC03000>LEA ECX,DWORD PTR DS:[EDX+EBX+3DC]
00441818 . 33D2 XOR EDX,EDX
0044181A . 8A15 D5CD9500 MOV DL,BYTE PTR DS:[95CDD5]
00441820 . 890D E8CD9500 MOV DWORD PTR DS:[95CDE8],ECX
00441826 . 8D8482 DC03000>LEA EAX,DWORD PTR DS:[EDX+EAX*4+3DC]
0044182D . A3 ECCD9500 MOV DWORD PTR DS:[95CDEC],EAX
00441832 . A1 DCCD9500 MOV EAX,DWORD PTR DS:[95CDDC]
00441837 . A8 40 TEST AL,40
00441839 . 74 41 JE SHORT REFLEX.0044187C
0044183B . 25 FF000000 AND EAX,0FF
00441840 . 33D2 XOR EDX,EDX
00441842 . 8A15 DBCD9500 MOV DL,BYTE PTR DS:[95CDDB] //fetch the low 8 bits of CH5
00441848 . 8BC8 MOV ECX,EAX
0044184A . 83E1 0C AND ECX,0C
0044184D . C1E1 06 SHL ECX,6
00441850 . 8D8C11 DC03000>LEA ECX,DWORD PTR DS:[ECX+EDX+3DC]
00441857 . 8BD0 MOV EDX,EAX
00441859 . 83E2 03 AND EDX,3 //extract the high 2 bits of CH6
0044185C . 890D F8CD9500 MOV DWORD PTR DS:[95CDF8],ECX //store CH5
00441862 . C1E2 08 SHL EDX,8
00441865 . 33C9 XOR ECX,ECX
00441867 . 8A0D DACD9500 MOV CL,BYTE PTR DS:[95CDDA] //fetch the low 8 bits of CH6
0044186D . 8D940A DC03000>LEA EDX,DWORD PTR DS:[EDX+ECX+3DC] //compute the CH6 value
00441874 . 8915 FCCD9500 MOV DWORD PTR DS:[95CDFC],EDX // store the CH6 value
0044187A . EB 4A JMP SHORT REFLEX.004418C6
0044187C > 25 FF000000 AND EAX,0FF
00441881 . 33D2 XOR EDX,EDX
00441883 . 8A15 DBCD9500 MOV DL,BYTE PTR DS:[95CDDB]
00441889 . 8BC8 MOV ECX,EAX
0044188B . 83E1 0C AND ECX,0C
0044188E . C1E1 06 SHL ECX,6
00441891 . 8D8C11 DC03000>LEA ECX,DWORD PTR DS:[ECX+EDX+3DC]
00441898 . 8BD0 MOV EDX,EAX
0044189A . 890D F0CD9500 MOV DWORD PTR DS:[95CDF0],ECX
004418A0 . 83E2 03 AND EDX,3
004418A3 . 33C9 XOR ECX,ECX
004418A5 . 8A0D DACD9500 MOV CL,BYTE PTR DS:[95CDDA]
004418AB . C1E2 08 SHL EDX,8
004418AE . 8D940A DC03000>LEA EDX,DWORD PTR DS:[EDX+ECX+3DC]
004418B5 . 8BC8 MOV ECX,EAX
004418B7 . C1E9 07 SHR ECX,7
004418BA . 8915 F4CD9500 MOV DWORD PTR DS:[95CDF4],EDX
004418C0 . 890D 04CE9500 MOV DWORD PTR DS:[95CE04],ECX
004418C6 > 8BD0 MOV EDX,EAX
004418C8 . 83F6 07 XOR ESI,7
004418CB . 83E2 0F AND EDX,0F
004418CE . 03D6 ADD EDX,ESI
004418D0 . D1E2 SHL EDX,1
004418D2 . 33D0 XOR EDX,EAX
004418D4 . F6C2 30 TEST DL,30
004418D7 . 74 3A JE SHORT REFLEX.00441913
004418D9 . A1 C4CD9500 MOV EAX,DWORD PTR DS:[95CDC4]
004418DE . 85C0 TEST EAX,EAX
004418E0 . 75 40 JNZ SHORT REFLEX.00441922
004418E2 . A1 08CE9500 MOV EAX,DWORD PTR DS:[95CE08]
004418E7 . C705 C4CD9500 >MOV DWORD PTR DS:[95CDC4],1
004418F1 . 50 PUSH EAX
004418F2 . EB 1D JMP SHORT REFLEX.00441911
004418F4 > 8B0D 08CE9500 MOV ECX,DWORD PTR DS:[95CE08]
004418FA . C705 C4CD9500 >MOV DWORD PTR DS:[95CDC4],1
00441904 . 8935 B8CD9500 MOV DWORD PTR DS:[95CDB8],ESI
0044190A . 8935 BCCD9500 MOV DWORD PTR DS:[95CDBC],ESI
00441910 . 51 PUSH ECX
00441911 > FFD5 CALL EBP
00441913 > A1 C4CD9500 MOV EAX,DWORD PTR DS:[95CDC4]
00441918 . 33F6 XOR ESI,ESI
0044191A . 3BC6 CMP EAX,ESI
0044191C .^0F84 61FEFFFF JE REFLEX.00441783
00441922 > 5F POP EDI
00441923 . 5E POP ESI
00441924 . 5D POP EBP
00441925 . 33C0 XOR EAX,EAX
00441927 . 5B POP EBX
00441928 . 59 POP ECX
00441929 . C2 0400 RETN 4
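The channel decoding this routine performs, written out in C as an added example (not code from the original post or from the REFLEX software), so the report layout the listing reveals can be checked against real captures: each channel is a 10-bit value whose low 8 bits sit in a byte of their own and whose high 2 bits come from a 2-bit field of a shared byte, plus the constant 3DC. It assumes buf[i] is the byte the routine reads at 0x95CDD5 + i, the names CH1 to CH4 for the values stored at 95CDE0..95CDEC are assumed (the listing names only CH5 and CH6), and the sample report is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: buf[i] is the byte the routine reads at 0x95CDD5 + i, so
 * buf[3] is the low byte of the dword at 0x95CDD8 and buf[7] the low byte
 * of the dword at 0x95CDDC. Channel names CH1..CH4 are assumed. */
#define CH_BASE 0x3DC /* the +3DC in every LEA: channels are offset by 988 */

struct channels {
    uint32_t ch[6];     /* ch[0..3] -> [95CDE0..95CDEC], ch[4] = CH5, ch[5] = CH6 */
    int      alt_slot;  /* TEST AL,40: CH5/CH6 go to 95CDF8/FC instead of F0/F4 */
    uint32_t extra_bit; /* SHR ECX,7 -> [95CE04], only on the alt_slot == 0 path */
};

/* One 10-bit channel: low 8 bits from its own byte, high 2 bits from a 2-bit
 * field of a shared byte (AND mask, then shifted to bits 8..9), plus CH_BASE.
 * Result range is 988..2011, consistent with RC servo pulse widths in us. */
static uint32_t decode_channel(uint8_t low, uint8_t packed, unsigned shift)
{
    return CH_BASE + low + (((uint32_t)(packed >> shift) & 3u) << 8);
}

void decode_report(const uint8_t buf[8], struct channels *out)
{
    uint8_t hi_a = buf[3]; /* high bits shared by the first four channels */
    uint8_t hi_b = buf[7]; /* high bits shared by CH5 and CH6 */

    out->ch[0] = decode_channel(buf[2], hi_a, 0); /* AND EDX,3   + [95CDD7] */
    out->ch[1] = decode_channel(buf[1], hi_a, 2); /* AND EDX,0C  + [95CDD6] */
    out->ch[2] = decode_channel(buf[4], hi_a, 4); /* AND EDX,30  + CH ([95CDD9]) */
    out->ch[3] = decode_channel(buf[0], hi_a, 6); /* AND EAX,0C0 + [95CDD5] */
    out->ch[4] = decode_channel(buf[6], hi_b, 2); /* CH5: AND ECX,0C + [95CDDB] */
    out->ch[5] = decode_channel(buf[5], hi_b, 0); /* CH6: AND EDX,3  + [95CDDA] */

    out->alt_slot  = (hi_b & 0x40) != 0;
    out->extra_bit = out->alt_slot ? 0u : (uint32_t)(hi_b >> 7);
}

int main(void)
{
    /* Constructed sample report, not captured from a real device. */
    const uint8_t rep[8] = { 0x00, 0xFF, 0x80, 0xD2, 0x10, 0x40, 0x20, 0x85 };
    struct channels c;
    decode_report(rep, &c);
    for (int i = 0; i < 6; i++)
        printf("CH%d = %u\n", i + 1, c.ch[i]);
    printf("alt_slot = %d, extra_bit = %u\n", c.alt_slot, c.extra_bit);
    return 0;
}
```

Feeding Bus Hound captures into decode_report and comparing against the transmitter's stick positions is the quickest way to confirm the assumed byte offsets.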