Analysis of the win32k!StartDeviceRead function: how mouse data is read from the Driver-mouhid device
1: kd> g
Breakpoint 4 hit
eax=00000000 ebx=bfa02600 ecx=00000000 edx=00000000 esi=e162bd40 edi=bfa01624
eip=bf8fc06b esp=bab9a8dc ebp=bab9a8f0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!StartDeviceRead:
bf8fc06b 55 push ebp
1: kd> dv
pDeviceInfo = 0xe162bd40
ulLengthToRead = 0xe162bd40
pBuffer = 0x00000008
fAlreadyHadDeviceInfoCrit = 0n-513622720
1: kd> dx -r1 ((win32k!tagDEVICEINFO *)0xe162bd40)
((win32k!tagDEVICEINFO *)0xe162bd40) : 0xe162bd40 [Type: tagDEVICEINFO *]
[+0x000] head [Type: _HEAD]
[+0x008] pNext : 0xe1414eb8 [Type: tagDEVICEINFO *]
[+0x00c] type : 0x0 [Type: unsigned char]
[+0x00d] bFlags : 0x2 [Type: unsigned char]
[+0x00e] usActions : 0x0 [Type: unsigned short]
[+0x010] nRetryRead : 0x0 [Type: unsigned char]
[+0x014] ustrName : "\??\HID#Vid_0e0f&Pid_0003&MI_00#8&28f6544d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}" [Type: _UNICODE_STRING]
[+0x01c] handle : 0x21c [Type: void *]
[+0x020] NotificationEntry : 0xe13e70c0 [Type: void *]
[+0x024] pkeHidChangeCompleted : 0x897fb9c0 [Type: _KEVENT *]
[+0x028] iosb [Type: _IO_STATUS_BLOCK]
[+0x030] ReadStatus : 259 [Type: long]
[+0x034] OpenerProcess : 0x1b0 [Type: void *]
[+0x038] OpenStatus : 0 [Type: long]
[+0x03c] AttrStatus : 0 [Type: long]
[+0x040] timeStartRead : 0xffcae901 [Type: unsigned long]
[+0x044] timeEndRead : 0xffcae91f [Type: unsigned long]
[+0x048] nReadsOutstanding : 0 [Type: int]
[+0x04c] mouse [Type: tagMOUSE_DEVICE_INFO]
[+0x04c] keyboard [Type: tagKEYBOARD_DEVICE_INFO]
[+0x04c] hid [Type: tagHID_DEVICE_INFO]
1: kd> !handle 0x21c
PROCESS 898a7258 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7c21b000 ObjectTable: e142d3c8 HandleCount: 304.
Image: csrss.exe
Handle table at e142d3c8 with 304 entries in use
021c: Object: 8983d458 GrantedAccess: 00100001 Entry: e15ca438
Object: 8983d458 Type: (89987710) File
ObjectHeader: 8983d440 (old version)
HandleCount: 1 PointerCount: 1
1: kd> dt file_object 8983d458
winsrv!FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x89536cc0 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0x895aad18 Void
+0x010 FsContext2 : 0xf750180e Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40000
+0x030 FileName : _UNICODE_STRING ""
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
1: kd> dx -id 0,0,898a7258 -r1 ((winsrv!_DEVICE_OBJECT *)0x89536cc0)
((winsrv!_DEVICE_OBJECT *)0x89536cc0) : 0x89536cc0 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
Flags : 0x3040
UpperDevices : Immediately above is Device for "\Driver\mouhid" [at 0x898db158]
LowerDevices
Driver : 0x895c35f0 : Driver "\Driver\hidusb" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,898a7258 -r1 -nv (*((winsrv!_DEVICE_OBJECT *)0x89536cc0))
(*((winsrv!_DEVICE_OBJECT *)0x89536cc0)) : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x30c [Type: unsigned short]
[+0x004] ReferenceCount : 1 [Type: long]
[+0x008] DriverObject : 0x895c35f0 : Driver "\Driver\hidusb" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x89626cc0 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x898db158 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x3040 [Type: unsigned long]
[+0x020] Characteristics : 0x80 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x89536d78 [Type: void *]
[+0x02c] DeviceType : 0x22 [Type: unsigned long]
[+0x030] StackSize : 8 [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe12977c0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x1 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x89536fd0 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,898a7258 -r1 ((winsrv!_DEVICE_OBJECT *)0x898db158)
((winsrv!_DEVICE_OBJECT *)0x898db158) : 0x898db158 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
Flags : 0x2000
UpperDevices : Immediately above is Device for "\Driver\Mouclass" [at 0x89406038]
LowerDevices
Driver : 0x8958d898 : Driver "\Driver\mouhid" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,898a7258 -r1 -nv (*((winsrv!_DEVICE_OBJECT *)0x898db158))
(*((winsrv!_DEVICE_OBJECT *)0x898db158)) : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x1f0 [Type: unsigned short]
[+0x004] ReferenceCount : 0 [Type: long]
[+0x008] DriverObject : 0x8958d898 : Driver "\Driver\mouhid" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x89406038 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x2000 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x898db210 [Type: void *]
[+0x02c] DeviceType : 0xf [Type: unsigned long]
[+0x030] StackSize : 9 '\t' [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0x0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x1 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x898db348 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,898a7258 -r1 ((winsrv!_DEVICE_OBJECT *)0x89406038)
((winsrv!_DEVICE_OBJECT *)0x89406038) : 0x89406038 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
Flags : 0x2044
UpperDevices : None
LowerDevices
Driver : 0x89589a68 : Driver "\Driver\Mouclass" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,898a7258 -r1 -nv (*((winsrv!_DEVICE_OBJECT *)0x89406038))
(*((winsrv!_DEVICE_OBJECT *)0x89406038)) : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x1c8 [Type: unsigned short]
[+0x004] ReferenceCount : 0 [Type: long]
[+0x008] DriverObject : 0x89589a68 : Driver "\Driver\Mouclass" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x89808a40 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x2044 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x894060f0 [Type: void *]
[+0x02c] DeviceType : 0xf [Type: unsigned long]
[+0x030] StackSize : 10 '\n' [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe12977c0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x0 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x89406200 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> g
MOUCLASS-MouseClassRead: enter
MOUCLASS-MouseClassServiceCallback: enter
MOUCLASS-MouseClassServiceCallback: port queue length 0x18, read length 0xf0
MOUCLASS-MouseClassServiceCallback: number of bytes to move from port to SystemBuffer 0x18
MOUCLASS-MouseClassServiceCallback: move bytes from 0x898db2f8 to 0x894dee70
MOUCLASS-MouseClassServiceCallback: bytes remaining after move to SystemBuffer 0x0
MOUCLASS-MouseClassServiceCallback: exit
Breakpoint 1 hit
eax=00000000 ebx=bfa02600 ecx=00000000 edx=80bf6160 esi=e162bd40 edi=bfa01624
eip=bf8e9149 esp=bab9a8dc ebp=bab9a8f0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!ProcessMouseInput:
bf8e9149 55 push ebp
1: kd> dv
pMouseInfo = 0xe162bd40
ptLastMove = {x=-1081175735 y=8}
1: kd> dx -r1 ((win32k!tagDEVICEINFO *)0xe162bd40)
((win32k!tagDEVICEINFO *)0xe162bd40) : 0xe162bd40 [Type: tagDEVICEINFO *]
[+0x000] head [Type: _HEAD]
[+0x008] pNext : 0xe1414eb8 [Type: tagDEVICEINFO *]
[+0x00c] type : 0x0 [Type: unsigned char]
[+0x00d] bFlags : 0x2 [Type: unsigned char]
[+0x00e] usActions : 0x0 [Type: unsigned short]
[+0x010] nRetryRead : 0x0 [Type: unsigned char]
[+0x014] ustrName : "\??\HID#Vid_0e0f&Pid_0003&MI_00#8&28f6544d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}" [Type: _UNICODE_STRING]
[+0x01c] handle : 0x21c [Type: void *]
[+0x020] NotificationEntry : 0xe13e70c0 [Type: void *]
[+0x024] pkeHidChangeCompleted : 0x897fb9c0 [Type: _KEVENT *]
[+0x028] iosb [Type: _IO_STATUS_BLOCK]
[+0x030] ReadStatus : 259 [Type: long]
[+0x034] OpenerProcess : 0x1b0 [Type: void *]
[+0x038] OpenStatus : 0 [Type: long]
[+0x03c] AttrStatus : 0 [Type: long]
[+0x040] timeStartRead : 0xffcae94e [Type: unsigned long]
[+0x044] timeEndRead : 0xffcae95d [Type: unsigned long]
[+0x048] nReadsOutstanding : 0 [Type: int]
[+0x04c] mouse [Type: tagMOUSE_DEVICE_INFO]
[+0x04c] keyboard [Type: tagKEYBOARD_DEVICE_INFO]
[+0x04c] hid [Type: tagHID_DEVICE_INFO]
1: kd> dx -r1 (*((win32k!_IO_STATUS_BLOCK *)0xe162bd68))
(*((win32k!_IO_STATUS_BLOCK *)0xe162bd68)) [Type: _IO_STATUS_BLOCK]
[+0x000] Status : 0 [Type: long]
[+0x000] Pointer : 0x0 [Type: void *]
[+0x004] Information : 0x18 [Type: unsigned long]
1: kd> dx -r1 (*((win32k!tagMOUSE_DEVICE_INFO *)0xe162bd8c))
(*((win32k!tagMOUSE_DEVICE_INFO *)0xe162bd8c)) [Type: tagMOUSE_DEVICE_INFO]
[+0x000] Attr [Type: _MOUSE_ATTRIBUTES]
[+0x00c] Data [Type: _MOUSE_INPUT_DATA [10]]
1: kd> dx -r1 (*((win32k!_MOUSE_INPUT_DATA (*)[10])0xe162bd98))
(*((win32k!_MOUSE_INPUT_DATA (*)[10])0xe162bd98)) [Type: _MOUSE_INPUT_DATA [10]]
[0] [Type: _MOUSE_INPUT_DATA]
[1] [Type: _MOUSE_INPUT_DATA]
[2] [Type: _MOUSE_INPUT_DATA]
[3] [Type: _MOUSE_INPUT_DATA]
[4] [Type: _MOUSE_INPUT_DATA]
[5] [Type: _MOUSE_INPUT_DATA]
[6] [Type: _MOUSE_INPUT_DATA]
[7] [Type: _MOUSE_INPUT_DATA]
[8] [Type: _MOUSE_INPUT_DATA]
[9] [Type: _MOUSE_INPUT_DATA]
1: kd> dx -r1 (*((win32k!_MOUSE_INPUT_DATA *)0xe162bd98))
(*((win32k!_MOUSE_INPUT_DATA *)0xe162bd98)) [Type: _MOUSE_INPUT_DATA]
[+0x000] UnitId : 0x1 [Type: unsigned short]
[+0x002] Flags : 0x1 [Type: unsigned short]
[+0x004] Buttons : 0x0 [Type: unsigned long]
[+0x004] ButtonFlags : 0x0 [Type: unsigned short]
[+0x006] ButtonData : 0x0 [Type: unsigned short]
[+0x008] RawButtons : 0x0 [Type: unsigned long]
[+0x00c] LastX : 36764 [Type: long]
[+0x010] LastY : 38610 [Type: long]
[+0x014] ExtraInformation : 0x0 [Type: unsigned long]
1: kd> g
Breakpoint 2 hit
eax=00000000 ebx=ffcae97d ecx=bc510013 edx=00000100 esi=e162bd98 edi=00000000
eip=bf8e7542 esp=bab9a898 ebp=bab9a8d8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!QueueMouseEvent:
bf8e7542 55 push ebp
1: kd> dv
ButtonFlags = 0
ButtonData = 0
ExtraInfo = 0
ptMouse = {x=574 y=452}
time = 0n-3479171
hDevice = 0x00010049
pmei = 0xe162bd98
bInjected = 0n0
bWakeRIT = 0n1
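The session above shows the whole path of one read: mouclass moves 0x18 bytes into the SystemBuffer, iosb.Information comes back as 0x18, ProcessMouseInput sees one _MOUSE_INPUT_DATA with Flags 0x1 (MOUSE_MOVE_ABSOLUTE) and LastX/LastY 36764/38610, and QueueMouseEvent receives ptMouse {574, 452}. The C below is an added example, not code from the debugging session or from win32k: it rebuilds that record from a constructed copy of the 0x18-byte buffer and scales the absolute coordinates onto a desktop; the 1024x768 desktop size and the `(v * extent) >> 16` scaling are assumptions that happen to reproduce the {574, 452} seen at QueueMouseEvent.

```c
#include <stdint.h>
#include <string.h>

/* MOUSE_INPUT_DATA with the x86 layout dx showed above: 0x18 bytes, no padding. */
typedef struct {
    uint16_t UnitId;
    uint16_t Flags;                 /* bit 0 (0x1) is MOUSE_MOVE_ABSOLUTE */
    union { uint32_t Buttons; struct { uint16_t ButtonFlags, ButtonData; }; };
    uint32_t RawButtons;
    int32_t  LastX, LastY;          /* absolute move: 0..65535 across the desktop */
    uint32_t ExtraInformation;
} MOUSE_INPUT_DATA;
_Static_assert(sizeof(MOUSE_INPUT_DATA) == 0x18, "one record is 0x18 bytes");
#define MOUSE_MOVE_ABSOLUTE 0x1

/* Constructed copy of the one record mouclass moved into the SystemBuffer
 * (iosb.Information == 0x18): UnitId 1, Flags 1, LastX 36764, LastY 38610. */
static const uint8_t kSystemBuffer[0x18] = {
    0x01, 0x00, 0x01, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x9C, 0x8F, 0x00, 0x00,  0xD2, 0x96, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

/* Split Information bytes of SystemBuffer into whole records; a trailing partial
 * record is dropped instead of being read past the end of the buffer. */
size_t parse_mouse_records(const uint8_t *buf, size_t information,
                           MOUSE_INPUT_DATA *out, size_t max_records) {
    size_t n = information / sizeof(MOUSE_INPUT_DATA);
    if (n > max_records) n = max_records;
    for (size_t i = 0; i < n; i++)
        memcpy(&out[i], buf + i * sizeof(MOUSE_INPUT_DATA), sizeof(MOUSE_INPUT_DATA));
    return n;
}

/* Map a 16-bit absolute coordinate onto one desktop axis (desktop size is assumed). */
int32_t abs_to_screen(int32_t v, int32_t extent) {
    return (int32_t)(((int64_t)v * extent) >> 16);
}

/* Decode the constructed buffer; for an absolute move, also compute the screen point
 * on an assumed 1024x768 desktop. Returns the number of records decoded. */
size_t decode_sample(MOUSE_INPUT_DATA *rec, int32_t *sx, int32_t *sy) {
    size_t n = parse_mouse_records(kSystemBuffer, sizeof kSystemBuffer, rec, 1);
    if (n == 1 && (rec->Flags & MOUSE_MOVE_ABSOLUTE)) {
        *sx = abs_to_screen(rec->LastX, 1024);   /* 36764 -> 574 */
        *sy = abs_to_screen(rec->LastY, 768);    /* 38610 -> 452 */
    }
    return n;
}
```

The `Data` array in tagMOUSE_DEVICE_INFO holds ten records, so a single completion can carry up to 10 * 0x18 bytes; dividing Information by the record size, as parse_mouse_records does, is what keeps a short or odd-sized completion from being read as a full record.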