使用Ubuntu下usb抓包工具(usbmon)进行数据抓取的一次记录

前言

使用反汇编还原的库调试打印机网络作业设置,打印出来的日志与原库有出入,在usb传输处始终有偏差。

调用反汇编还原的库:

DEBUG: Net_OnlyGetDataSizeFromReplyHdr:: In 
DEBUG: getNetDataByPrinterPipe:: No data need to readback 
DEBUG: getNetDataByPrinterPipe:: Out. rc = 1 

调用原库:

DEBUG: Net_OnlyGetDataSizeFromReplyHdr:: In 
DEBUG: getNetDataByPrinterPipe:: readByte = 344 
DEBUG: getNetDataByPrinterPipe:: malloc revBuf 344 bytes success. 
DEBUG: getNetDataByPrinterPipe:: Read Data Success 
DEBUG: getNetDataByPrinterPipe:: Receive Data, transferred = 344 
DEBUG: getNetDataByPrinterPipe:: Out. rc = 1 

usb传输 原库汇编片段:

.text:0000000000046C4E                 mov     esi, [lpPrinter+220h]
.text:0000000000046C54                 lea     rdi, aGetnetdatabypr_12
.text:0000000000046C5B                 xor     eax, eax
.text:0000000000046C5D                 call    _DbgMsg
.text:0000000000046C62                 movzx   esi, byte ptr [lpPrinter+220h]
.text:0000000000046C69                 mov     rdi, [rsp+0B8h+handle]
.text:0000000000046C6E                 mov     r9d, 1388h
.text:0000000000046C74                 mov     ecx, [rsp+0B8h+bufSize]
.text:0000000000046C78                 mov     r8, r12
.text:0000000000046C7B                 mov     rdx, r13
.text:0000000000046C7E                 call    _libusb_bulk_transfer
.text:0000000000046C83 errcode = rax                           ; int
.text:0000000000046C83                 test    eax, eax
.text:0000000000046C85                 mov     esi, eax
.text:0000000000046C87                 lea     rdi, aGetnetdatabypr_13
.text:0000000000046C8E                 js      short loc_46CCF
.text:0000000000046C90                 lea     rdi, aGetnetdatabypr_14
.text:0000000000046C97                 xor     eax, eax
.text:0000000000046C99 errcode = rsi                           ; int
.text:0000000000046C99                 call    _DbgMsg
.text:0000000000046C9E                 movzx   esi, byte ptr [lpPrinter+21Ch]
.text:0000000000046CA5                 mov     rdx, [rsp+0B8h+readBack]
.text:0000000000046CAA                 mov     r9d, 1388h
.text:0000000000046CB0                 mov     rdi, [rsp+0B8h+handle]
.text:0000000000046CB5                 mov     r8, r12
.text:0000000000046CB8                 mov     ecx, 20h
.text:0000000000046CBD                 call    _libusb_bulk_transfer
.text:0000000000046CC2 errcode = rax                           ; int
.text:0000000000046CC2                 test    eax, eax
.text:0000000000046CC4                 jns     short loc_46CDE
.text:0000000000046CC6                 lea     rdi, aGetnetdatabypr_15
.text:0000000000046CCD                 mov     esi, eax
.text:0000000000046CCF
.text:0000000000046CCF loc_46CCF:                              ; CODE XREF: getNetDataByPrinterPipe+2D0↑j
.text:0000000000046CCF                 xor     eax, eax
.text:0000000000046CD1 errcode = rsi                           ; int
.text:0000000000046CD1                 call    _DbgMsg
.text:0000000000046CD6
.text:0000000000046CD6 loc_46CD6:                              ; CODE XREF: getNetDataByPrinterPipe+343↓j
.text:0000000000046CD6                 xor     r14d, r14d
.text:0000000000046CD9                 jmp     loc_46D92
.text:0000000000046CDE ; ---------------------------------------------------------------------------
.text:0000000000046CDE
.text:0000000000046CDE loc_46CDE:                              ; CODE XREF: getNetDataByPrinterPipe+306↑j
.text:0000000000046CDE inBuf = r14                             ; BYTE *
.text:0000000000046CDE errcode = rax                           ; int
.text:0000000000046CDE                 lea     rdi, aGetnetdatabypr_16
.text:0000000000046CE5                 xor     eax, eax
.text:0000000000046CE7                 call    _DbgMsg
.text:0000000000046CEC                 cmp     [rsp+0B8h+transferred], 20h
.text:0000000000046CF1                 jz      short loc_46D03
.text:0000000000046CF3                 lea     rdi, aGetnetdatabypr_17
.text:0000000000046CFA                 xor     eax, eax
.text:0000000000046CFC                 call    _DbgMsg
.text:0000000000046D01                 jmp     short loc_46CD6
.text:0000000000046D03 ; ---------------------------------------------------------------------------
.text:0000000000046D03
.text:0000000000046D03 loc_46D03:                              ; CODE XREF: getNetDataByPrinterPipe+333↑j
.text:0000000000046D03                 mov     rdi, [rsp+0B8h+readBack] ; readBack
.text:0000000000046D08                 call    _Net_OnlyGetDataSizeFromReplyHdr
.text:0000000000046D0D readByte = rax                          ; int
.text:0000000000046D0D                 test    eax, eax
.text:0000000000046D0F                 jnz     short loc_46D25
.text:0000000000046D11                 lea     rdi, aGetnetdatabypr_18
.text:0000000000046D18                 xor     r14d, r14d
.text:0000000000046D1B                 call    _DbgMsg
.text:0000000000046D20                 jmp     loc_46DC3
.text:0000000000046D25 ; ---------------------------------------------------------------------------
.text:0000000000046D25
.text:0000000000046D25 loc_46D25:                              ; CODE XREF: getNetDataByPrinterPipe+351↑j
.text:0000000000046D25 inBuf = r14                             ; BYTE *
.text:0000000000046D25 readByte = rax                          ; int
.text:0000000000046D25                 lea     rdi, aGetnetdatabypr_19
.text:0000000000046D2C                 mov     esi, eax
.text:0000000000046D2E                 movsxd  r15, ebx
.text:0000000000046D31                 xor     eax, eax
.text:0000000000046D33 readByte = rsi                          ; int
.text:0000000000046D33                 call    _DbgMsg

逆向还原出来的代码片段:

	// 发送writeBuf中指令到打印机
	rsl = libusb_bulk_transfer(handle, lpPrinter->usb.printer_EP_OUT, writeBuf, bufSize, &transferred, 5000);
	if( rsl != 0 )
	{
		DbgMsg("getNetDataByPrinterPipe:: (1)Error during control transfer: errorcode = %d", rsl);
		revBuf = NULL;
		rc = 0;
		free(writeBuf);
		goto func_end;
	}
	DbgMsg("getNetDataByPrinterPipe:: Write command success");

	// 接收打印机返回指令保存到replyHeader
	rsl = libusb_bulk_transfer(handle, lpPrinter->usb.printer_EP_IN, replyHeader, sizeof(replyHeader), &transferred, 5000);
	if( rsl != 0 )
	{
		DbgMsg("getNetDataByPrinterPipe:: (2)Error libusb_bulk_transfer transfer: errorcode = %d", rsl);
		revBuf = NULL;
		rc = 0;
		free(writeBuf);
		goto func_end;
	}
	DbgMsg("getNetDataByPrinterPipe:: Read ReplyHeader Success");

	// 接收的字节数是否与replyHeader数组长度相等,相等则接收成功
	if( transferred != sizeof(replyHeader) )
	{
		DbgMsg("getNetDataByPrinterPipe:: transferred != %d", sizeof(replyHeader));
		revBuf = NULL;
		rc = 0;
		free(writeBuf);
		goto func_end;
	}

	//replyHeader中是否有回读指令
	readByte = Net_OnlyGetDataSizeFromReplyHdr(replyHeader);
	if( !readByte )
	{
		DbgMsg("getNetDataByPrinterPipe:: No data need to readback");
		revBuf = NULL;
		rc = 1;
		free(writeBuf);
		goto func_end;
	}
	DbgMsg("getNetDataByPrinterPipe:: readByte = %d", readByte);

终究还是我才疏学浅,对半天汇编找不到哪里错了。于是抓取原库usb传输数据与还原库的数据对比查看。

正文

usbmon是ubuntu下内置的usb抓包工具。

neko@neko:~$ ls /lib/modules/4.15.0-20-generic/kernel/drivers/usb/mon/
usbmon.ko

使用方法
1)运行 sudo mount -t debugfs none /sys/kernel/debug (一般已经默认挂载)
2)运行 sudo modprobe usbmon
3)查看能够识别到的设备号:sudo ls /sys/kernel/debug/usb/usbmon

neko@neko:~$ sudo ls /sys/kernel/debug/usb/usbmon
0s  0u	1s  1t	1u  2s	2t  2u

4)查看需要监控的总线编号(Bus):sudo cat /sys/kernel/debug/usb/devices

neko@neko:~$ sudo cat /sys/kernel/debug/usb/devices

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 12 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0638 ProdID=2e0f Rev= 0.01
S:  Manufacturer=ZHONGCHU 
S:  Product=ZHONGCHU ZC-P6900DN
S:  SerialNumber=AAAAAAA
C:* #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr=  2mA
I:* If#= 0 Alt= 0 #EPs= 5 Cls=06(still) Sub=ff Prot=ff Driver=(none)
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  32 Ivl=64ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=07(print) Sub=01 Prot=02 Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12   MxCh= 2
B:  Alloc= 17/900 us ( 2%), #Int=  1, #Iso=  0
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev= 4.15
S:  Manufacturer=Linux 4.15.0-20-generic uhci_hcd
S:  Product=UHCI Host Controller
S:  SerialNumber=0000:02:00.0
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   2 Ivl=255ms

根据设备的信息,如PID、VID、设备描述等,找到对应设备,则可知总线编号。
如我要找的设备信息如下,则对应的总线编号应为Bus=01,即我要监控的usb总线号为01

P:  Vendor=0638 ProdID=2e0f Rev= 0.01
S:  Manufacturer=ZHONGCHU 
S:  Product=ZHONGCHU ZC-P6900DN

5)监听总线号所对应的usb数据包:cat /sys/kernel/debug/usb/usbmon/xu
这里x是总线号,我要监控的是Bus=01,故x对应1。若是想监听全部的数据包,x应为0

调用原库抓取的数据包:

neko@neko:~$ sudo cat /sys/kernel/debug/usb/usbmon/1u
ffff952ac43140c0 3004133315 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43140c0 3004133626 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac43140c0 3004133753 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952ac43140c0 3004134909 C Ci:1:012:0 0 4 = 04030904
ffff952ac43140c0 3004134983 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43140c0 3004137237 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952ac6b58d80 3004427176 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004427585 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004427627 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004441157 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00000000 58010000 f7280000 00000000 00000000
ffff952ac6b58d80 3004441297 S Bi:1:012:1 -115 344 <
ffff952ac6b58d80 3004442327 C Bi:1:012:1 0 344 = 9033c3ec 88550000 00000000 65000000 01000000 1b000000 2f6f7267 2f667265
ffff952ac6b58d80 3004442827 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004444242 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004444319 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004451656 C Bi:1:012:1 0 32 = 23524553 4f504552 07018134 00000000 06000000 c4010000 00000000 00000000
ffff952ac6b58d80 3004451827 S Bi:1:012:1 -115 6 <
ffff952ac6b58d80 3004453138 C Bi:1:012:1 0 6 = 00023251 59e6
ffff952ac6b58d80 3004453593 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004454791 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004454851 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004459528 C Bi:1:012:1 0 32 = 23524553 4f504552 07018135 00000000 06000000 00000000 00000000 00000000
ffff952ac6b58d80 3004459665 S Bi:1:012:1 -115 6 <
ffff952ac6b58d80 3004460768 C Bi:1:012:1 0 6 = 00000000 0000
ffff952ac43e5bc0 3019919468 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43e5bc0 3019919821 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac43e5bc0 3019920003 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952ac43e5bc0 3019921667 C Ci:1:012:0 0 4 = 04030904
ffff952ac43e5bc0 3019921765 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43e5bc0 3019923118 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952ac6b58cc0 3020193373 S Bo:1:012:1 -115 458 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58cc0 3020193645 C Bo:1:012:1 0 458 >
ffff952ac6b58cc0 3020193688 S Bi:1:012:1 -115 32 <
ffff952ac6b58cc0 3020200401 C Bi:1:012:1 0 32 = 23524553 4f504552 07018236 00000000 00000000 00000000 00000000 00000000

调用逆向还原的库抓取的数据:

neko@neko:~$ sudo cat /sys/kernel/debug/usb/usbmon/1u
ffff952aefab2540 3248502374 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952aefab2540 3248502807 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952aefab2540 3248503007 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952aefab2540 3248504003 C Ci:1:012:0 0 4 = 04030904
ffff952ac43e4900 3248505240 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43e4900 3248506024 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952ac43e5380 3248788561 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248788829 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248788958 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248794049 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00010000 00000000 00000000 00000000 00000000
ffff952ac43e5380 3248795935 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248796883 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248797023 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248803548 C Bi:1:012:1 0 32 = 23524553 4f504552 07018134 00010000 00000000 00000000 00000000 00000000
ffff952ac43e5380 3248805724 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248806825 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248806963 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248813440 C Bi:1:012:1 0 32 = 23524553 4f504552 07018135 00010000 00000000 00000000 00000000 00000000
ffff952ac43152c0 3251683411 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43152c0 3251683764 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac43152c0 3251683898 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952ac43152c0 3251685598 C Ci:1:012:0 0 4 = 04030904
ffff952ac43152c0 3251685695 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43152c0 3251686886 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952aefab29c0 3601628752 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952aefab29c0 3601629096 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952aefab29c0 3601629223 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952aefab29c0 3601630282 C Ci:1:012:0 0 4 = 04030904
ffff952aefab29c0 3601630398 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952aefab29c0 3601631788 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952aefab2840 3601941687 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952aefab2840 3601941951 C Bo:1:012:1 0 114 >
ffff952aefab2840 3601942101 S Bi:1:012:1 -115 32 <
ffff952aefab2840 3601947329 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00010000 00000000 00000000 00000000 00000000
ffff952aefab2840 3601951485 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952aefab2840 3601951996 C Bo:1:012:1 0 114 >
ffff952aefab2840 3601952184 S Bi:1:012:1 -115 32 <
ffff952aefab2840 3601956917 C Bi:1:012:1 0 32 = 23524553 4f504552 07018134 00010000 00000000 00000000 00000000 00000000
ffff952ac43e4cc0 3601961587 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e4cc0 3601962277 C Bo:1:012:1 0 114 >
ffff952ac43e4cc0 3601962619 S Bi:1:012:1 -115 32 <
ffff952ac43e4cc0 3601966634 C Bi:1:012:1 0 32 = 23524553 4f504552 07018135 00010000 00000000 00000000 00000000 00000000

这里writeBuf发送的是114个字节数据,replyHeader接收32个字节数据。经对比看到抓包中显示出来的发送数据内容一致,而接收回来的数据内容不一样。需要注意的是,上面每条记录最多只显示了前32个字节的数据(114字节的发送包和344字节的接收包都只打印了8个字),所以114字节的writeBuf实际上只比对了前32字节,后面的82字节是否一致在这里还看不出来。按理来说发出去的一样,接收回来的也应该一样。目前还在找原因,解决问题了再更新。

要分析usb抓包后的数据,具体的数据格式如何解析,可以参考Linux内核源码库目录下的文档 :
kernel\doc\Documentation\usb\usbmon.txt
或内核官方网站文档

有大佬能看出来的还请留言指点迷津,感谢!
