
Cracking the USB HID device Interface Protocol

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Analysis of USB HID device interface protocol

Tools: OllyDbg, Bus Hound

How the program identifies USB HID peripherals. The first step is to enumerate the devices: call HidD_GetHidGuid to obtain the class identity (GUID) of HID devices; call SetupDiGetClassDevs to query all installed HID devices and get a handle to the HID device set; call SetupDiEnumDeviceInterfaces to query the interface information of each device in the set; and, for each interface, call SetupDiGetDeviceInterfaceDetail to get its detailed information, including the device name (the first four bytes). CreateFile uses this device name to open the device. Call SetupDiDestroyDeviceInfoList to release the device information set.

The second step is to open the device and get its attribute values and capability description: call CreateFile to open the device, then call HidD_GetAttributes to get the relevant properties of the USB device, including the manufacturer ID, product ID and product version number.

Start OllyDbg and load the simulator software, then set breakpoints on HidD_GetAttributes and CreateFile; these functions yield the key information about the HID device.

004417B2 .  8B0D D8CD9500    MOV ECX,DWORD PTR DS:[95CDD8]
004417B8 .  A3 00CE9500      MOV DWORD PTR DS:[95CE00],EAX
004417BD .  33D2             XOR EDX,EDX
004417BF .  8BC1             MOV EAX,ECX
004417C1 .  8A15 D7CD9500    MOV DL,BYTE PTR DS:[95CDD7]
004417C7 .  25 FF000000      AND EAX,0FF
004417CC .  8BF2             MOV ESI,EDX
004417CE .  8BD0             MOV EDX,EAX
004417D0 .  83E2 03          AND EDX,3
004417D3 .  33DB             XOR EBX,EBX
004417D5 .  C1E2 08          SHL EDX,8
004417D8 .  8A1D D6CD9500    MOV BL,BYTE PTR DS:[95CDD6]
004417DE .  8D9432 DC03000>  LEA EDX,DWORD PTR DS:[EDX+ESI+3DC]
004417E5 .  8915 E0CD9500    MOV DWORD PTR DS:[95CDE0],EDX
004417EB .  8BD0             MOV EDX,EAX
004417ED .  83E2 0C          AND EDX,0C
004417F0 .  C1E2 06          SHL EDX,6
004417F3 .  8D941A DC03000>  LEA EDX,DWORD PTR DS:[EDX+EBX+3DC]
004417FA .  33DB             XOR EBX,EBX
004417FC .  8915 E4CD9500    MOV DWORD PTR DS:[95CDE4],EDX
00441802 .  8BD0             MOV EDX,EAX
00441804 .  83E2 30          AND EDX,30
00441807 .  8ADD             MOV BL,CH
00441809 .  C1E2 04          SHL EDX,4
0044180C .  25 C0000000      AND EAX,0C0
00441811 .  8D8C1A DC03000>  LEA ECX,DWORD PTR DS:[EDX+EBX+3DC]
00441818 .  33D2             XOR EDX,EDX
0044181A .  8A15 D5CD9500    MOV DL,BYTE PTR DS:[95CDD5]
00441820 .  890D E8CD9500    MOV DWORD PTR DS:[95CDE8],ECX
00441826 .  8D8482 DC03000>  LEA EAX,DWORD PTR DS:[EDX+EAX*4+3DC]
0044182D .  A3 ECCD9500      MOV DWORD PTR DS:[95CDEC],EAX
00441832 .  A1 DCCD9500      MOV EAX,DWORD PTR DS:[95CDDC]
00441837 .  A8 40            TEST AL,40
00441839 .  74 41            JE SHORT REFLEX.0044187C
0044183B .  25 FF000000      AND EAX,0FF
00441840 .  33D2             XOR EDX,EDX
00441842 .  8A15 DBCD9500    MOV DL,BYTE PTR DS:[95CDDB]          // take the lower 8 bits of CH5
00441848 .  8BC8             MOV ECX,EAX
0044184A .  83E1 0C          AND ECX,0C
0044184D .  C1E1 06          SHL ECX,6
00441850 .  8D8C11 DC03000>  LEA ECX,DWORD PTR DS:[ECX+EDX+3DC]
00441857 .  8BD0             MOV EDX,EAX
00441859 .  83E2 03          AND EDX,3                            // take the high 2 bits of CH6
0044185C .  890D F8CD9500    MOV DWORD PTR DS:[95CDF8],ECX        // save CH5
00441862 .  C1E2 08          SHL EDX,8
00441865 .  33C9             XOR ECX,ECX
00441867 .  8A0D DACD9500    MOV CL,BYTE PTR DS:[95CDDA]          // take the lower 8 bits of CH6
0044186D .  8D940A DC03000>  LEA EDX,DWORD PTR DS:[EDX+ECX+3DC]   // calculate the CH6 data
00441874 .  8915 FCCD9500    MOV DWORD PTR DS:[95CDFC],EDX        // save CH6 data
0044187A .  EB 4A            JMP SHORT REFLEX.004418C6
0044187C >  25 FF000000      AND EAX,0FF
00441881 .  33D2             XOR EDX,EDX
00441883 .  8A15 DBCD9500    MOV DL,BYTE PTR DS:[95CDDB]
00441889 .  8BC8             MOV ECX,EAX
0044188B .  83E1 0C          AND ECX,0C
0044188E .  C1E1 06          SHL ECX,6
00441891 .  8D8C11 DC03000>  LEA ECX,DWORD PTR DS:[ECX+EDX+3DC]
00441898 .  8BD0             MOV EDX,EAX
0044189A .  890D F0CD9500    MOV DWORD PTR DS:[95CDF0],ECX
004418A0 .  83E2 03          AND EDX,3
004418A3 .  33C9             XOR ECX,ECX
004418A5 .  8A0D DACD9500    MOV CL,BYTE PTR DS:[95CDDA]
004418AB .  C1E2 08          SHL EDX,8
004418AE .  8D940A DC03000>  LEA EDX,DWORD PTR DS:[EDX+ECX+3DC]
004418B5 .  8BC8             MOV ECX,EAX
004418B7 .  C1E9 07          SHR ECX,7
004418BA .  8915 F4CD9500    MOV DWORD PTR DS:[95CDF4],EDX
004418C0 .  890D 04CE9500    MOV DWORD PTR DS:[95CE04],ECX
004418C6 >  8BD0             MOV EDX,EAX
004418C8 .  83F6 07          XOR ESI,7
004418CB .  83E2 0F          AND EDX,0F
004418CE .  03D6             ADD EDX,ESI
004418D0 .  D1E2             SHL EDX,1
004418D2 .  33D0             XOR EDX,EAX
004418D4 .  F6C2 30          TEST DL,30
004418D7 .  74 3A            JE SHORT REFLEX.00441913
004418D9 .  A1 C4CD9500      MOV EAX,DWORD PTR DS:[95CDC4]
004418DE .  85C0             TEST EAX,EAX
004418E0 .  75 40            JNZ SHORT REFLEX.00441922
004418E2 .  A1 08CE9500      MOV EAX,DWORD PTR DS:[95CE08]
004418E7 .  C705 C4CD9500>   MOV DWORD PTR DS:[95CDC4],1
004418F1 .  50               PUSH EAX
004418F2 .  EB 1D            JMP SHORT REFLEX.00441911
004418F4 >  8B0D 08CE9500    MOV ECX,DWORD PTR DS:[95CE08]
004418FA .  C705 C4CD9500>   MOV DWORD PTR DS:[95CDC4],1
00441904 .  8935 B8CD9500    MOV DWORD PTR DS:[95CDB8],ESI
0044190A .  8935 BCCD9500    MOV DWORD PTR DS:[95CDBC],ESI
00441910 .  51               PUSH ECX
00441911 >  FFD5             CALL EBP
00441913 >  A1 C4CD9500      MOV EAX,DWORD PTR DS:[95CDC4]
00441918 .  33F6             XOR ESI,ESI
0044191A .  3BC6             CMP EAX,ESI
0044191C .^ 0F84 61FEFFFF    JE REFLEX.00441783
00441922 >  5F               POP EDI
00441923 .  5E               POP ESI
00441924 .  5D               POP EBP
00441925 .  33C0             XOR EAX,EAX
00441927 .  5B               POP EBX
00441928 .  59               POP ECX
00441929 .  C2 0400          RETN 4
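The field unpacking performed by the listing above, rewritten as a C function so the bit layout can be checked against a Bus Hound capture. This is an added example, not code from the original article: the struct and function names are hypothetical, treating the bytes at 95CDD5..95CDDC as one eight-byte buffer is an assumption, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BIAS 0x3DC /* constant that every LEA in the listing adds (+3DC) */

/* Outputs are named after the globals the listing stores to. */
struct hid_fields {
    uint32_t g_cde0, g_cde4, g_cde8, g_cdec; /* [95CDE0]..[95CDEC]         */
    uint32_t g_cdf8, g_cdfc;                 /* CH5, CH6 (bit 0x40 set)    */
    uint32_t g_cdf0, g_cdf4, g_ce04;         /* stores when bit 0x40 clear */
    int bit40;                               /* result of TEST AL,40       */
};

/* Move a 2-bit field of `packed` up to bits 8-9, then add low byte and bias. */
static uint32_t join10(uint8_t packed, uint8_t mask, int shift, uint8_t low)
{
    return ((uint32_t)(packed & mask) << shift) + low + BIAS;
}

/* r[0..7] models the bytes at 95CDD5..95CDDC (assumed to be one buffer). */
struct hid_fields decode_report(const uint8_t r[8])
{
    struct hid_fields f = {0};
    uint8_t hi_a = r[3]; /* byte at 95CDD8: high bits of the first four fields */
    uint8_t hi_b = r[7]; /* byte at 95CDDC: high bits of CH5/CH6 plus flags    */

    f.g_cde0 = join10(hi_a, 0x03, 8, r[2]); /* stored at 004417E5 */
    f.g_cde4 = join10(hi_a, 0x0C, 6, r[1]); /* stored at 004417FC */
    f.g_cde8 = join10(hi_a, 0x30, 4, r[4]); /* stored at 00441820 */
    f.g_cdec = join10(hi_a, 0xC0, 2, r[0]); /* stored at 0044182D */

    f.bit40 = (hi_b & 0x40) != 0;           /* TEST AL,40 at 00441837 */
    if (f.bit40) {
        f.g_cdf8 = join10(hi_b, 0x0C, 6, r[6]); /* CH5 */
        f.g_cdfc = join10(hi_b, 0x03, 8, r[5]); /* CH6 */
    } else {
        f.g_cdf0 = join10(hi_b, 0x0C, 6, r[6]);
        f.g_cdf4 = join10(hi_b, 0x03, 8, r[5]);
        f.g_ce04 = hi_b >> 7;               /* SHR ECX,7 at 004418B7 */
    }
    return f;
}

int main(void)
{
    /* Constructed sample bytes, not captured from a real device. */
    const uint8_t sample[8] = {0x10, 0x20, 0x30, 0x1B, 0x40, 0x50, 0x60, 0x46};
    struct hid_fields f = decode_report(sample);
    printf("CH5=%u CH6=%u\n", (unsigned)f.g_cdf8, (unsigned)f.g_cdfc);
    return 0;
}
```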
