键鼠栈回溯过检测
正常HID键鼠调用堆栈
0: kd> k
# Child-SP RetAddr Call Site
00 fffff805`434a2f98 fffff805`486e113a mouclass!MouseClassServiceCallback
01 fffff805`434a2fa0 fffff805`486c3aa8 vmusbmouse+0x113a //忽略这个虚拟机鼠标过滤驱动
02 fffff805`434a2fe0 fffff805`40824e6e mouhid!MouHid_ReadComplete+0x758
03 fffff805`434a3080 fffff805`40824d37 nt!IopfCompleteRequest+0x11e
04 fffff805`434a3170 fffff805`4868aef5 nt!IofCompleteRequest+0x17
05 fffff805`434a31a0 fffff805`4868a7ed HIDCLASS!HidpDistributeInterruptReport+0x3f5
06 fffff805`434a32a0 fffff805`40824e6e HIDCLASS!HidpInterruptReadComplete+0x37d
07 fffff805`434a3340 fffff805`40824d37 nt!IopfCompleteRequest+0x11e
08 fffff805`434a3430 fffff805`41cc811a nt!IofCompleteRequest+0x17
09 (Inline Function) --------`-------- Wdf01000!FxIrp::CompleteRequest+0x13 [minkernel\wdf\framework\shared\inc\private\km\FxIrpKm.hpp @ 75]
0a fffff805`434a3460 fffff805`41cc5bbf Wdf01000!FxRequest::CompleteInternal+0x23a [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 869]
0b (Inline Function) --------`-------- Wdf01000!FxRequest::Complete+0x31 [minkernel\wdf\framework\shared\inc\private\common\FxRequest.hpp @ 805]
0c fffff805`434a34f0 fffff805`4476cb4d Wdf01000!imp_WdfRequestComplete+0x8f [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436]
0d fffff805`434a3550 fffff805`4476ca11 USBXHCI!Bulk_Transfer_CompleteCancelable+0xc9
0e fffff805`434a35b0 fffff805`4476c800 USBXHCI!Bulk_ProcessTransferEventWithED1+0x1fd
0f fffff805`434a3660 fffff805`44767101 USBXHCI!Bulk_EP_TransferEventHandler+0x10
10 fffff805`434a3690 fffff805`44766c35 USBXHCI!Endpoint_TransferEventHandler+0xb1
11 fffff805`434a36f0 fffff805`4476690c USBXHCI!Interrupter_DeferredWorkProcessor+0x315
12 fffff805`434a37f0 fffff805`41cc38f6 USBXHCI!Interrupter_WdfEvtInterruptDpc+0xc
13 (Inline Function) --------`-------- Wdf01000!FxInterrupt::DpcHandler+0x6e [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 75]
14 fffff805`434a3820 fffff805`4083989e Wdf01000!FxInterrupt::_InterruptDpcThunk+0xa6 [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 410]
15 fffff805`434a3860 fffff805`40838b84 nt!KiExecuteAllDpcs+0x30e
16 fffff805`434a39d0 fffff805`40a01b3e nt!KiRetireDpcList+0x1f4
17 fffff805`434a3c60 00000000`00000000 nt!KiIdleLoop+0x9e
0: kd> k
# Child-SP RetAddr Call Site
00 fffffa8f`09075e68 fffff805`486c3aa8 mouclass!MouseClassServiceCallback
01 fffffa8f`09075e70 fffff805`40824e6e mouhid!MouHid_ReadComplete+0x758
02 fffffa8f`09075f10 fffff805`409fe97f nt!IopfCompleteRequest+0x11e
03 fffffa8f`09076000 00000000`00000000 nt!NtContinueEx+0x29f
1: kd> k
# Child-SP RetAddr Call Site
00 fffffa8f`08a4be68 fffff805`486c3aa8 mouclass!MouseClassServiceCallback
01 fffffa8f`08a4be70 fffff805`40824e6e mouhid!MouHid_ReadComplete+0x758
02 fffffa8f`08a4bf10 fffff805`409fe97f nt!IopfCompleteRequest+0x11e
03 fffffa8f`08a4c000 fffff805`40fb7094 nt!NtContinueEx+0x29f
04 fffffa8f`08a4c140 fffff805`409916db nt!ExAllocatePoolWithTag+0x64
05 fffffa8f`08a4c190 fffff805`4088a265 nt!HalpHvCounterQueryCounter+0x1b
06 fffffa8f`08a4c1c0 ffffe7e9`24639329 nt!KeQueryPerformanceCounter+0xd5
07 fffffa8f`08a4c1f0 ffffe7e9`24639008 win32kbase!EtwTraceAcquiredExclusiveUserCrit+0x299
08 fffffa8f`08a4c3f0 ffffe7e9`246374ee win32kbase!EnterCrit+0x1f8
09 fffffa8f`08a4c510 ffffe7e9`249dba1d win32kbase!ThreadUnlock1+0x6e
0a fffffa8f`08a4c540 ffffe7e9`249354b4 win32kfull!SfnINOUTLPPOINT5+0x31d
0b fffffa8f`08a4c690 ffffe7e9`249350a2 win32kfull!xxxSendMessageToClient+0x114
0c fffffa8f`08a4c750 fffff805`40c09b41 win32kfull!xxxSendTransformableMessageTimeout+0x282
0d fffffa8f`08a4c8a0 fffff805`4081aa60 nt!IopFreeMiniCompletionPacket+0x21
0e fffffa8f`08a4c8d0 fffff805`40c09d1f nt!IoRemoveIoCompletion+0x1b0
0f fffffa8f`08a4ca00 fffff805`40a0f9b5 nt!NtRemoveIoCompletionEx+0x13f
10 fffffa8f`08a4cb40 80000000`00000000 nt!KiSystemServiceCopyEnd+0x25
11 d8000000`00000000 00000000`00000000 0x80000000`00000000
ObjSurface : FFFF928D54037B70
gMouseObject.mouse_device=FFFFA606D8D92C00
gMouseObject.service_callback=FFFFF805444D4BE0
[+] MouHid_ReadComplete:fffff805486c3350
[+] returnAddr:FFFFF805409FE97F
[+] MouCallBackAddr:FFFFF805486C3A72
[+] g_target_routine:FFFFF80540824E5B
0: kd> k
# Child-SP RetAddr Call Site
00 fffffa8f`08ad0e68 fffff805`486c3aa8 mouclass!MouseClassServiceCallback
01 fffffa8f`08ad0e70 fffff805`40824e6e mouhid!MouHid_ReadComplete+0x758
02 fffffa8f`08ad0f10 fffff805`409fe97f nt!IopfCompleteRequest+0x11e
03 fffffa8f`08ad1000 270a0bd3`69052a0b nt!NtContinueEx+0x29f
04 fffffa8f`08ad1140 00f00e05`8c40051b 0x270a0bd3`69052a0b
05 fffffa8f`08ad1148 0706695c`13112443 0x00f00e05`8c40051b
06 fffffa8f`08ad1150 12502e24`052d0528 0x0706695c`13112443
07 fffffa8f`08ad1158 5953352b`aa1efb4e 0x12502e24`052d0528
08 fffffa8f`08ad1160 4d3bee59`4c6e3bee 0x5953352b`aa1efb4e
09 fffffa8f`08ad1168 46634768`2d573a3d 0x4d3bee59`4c6e3bee
0a fffffa8f`08ad1170 655e063f`7e0a2490 0x46634768`2d573a3d
0b fffffa8f`08ad1178 19065706`7d063a06 0x655e063f`7e0a2490
0c fffffa8f`08ad1180 0000f048`1f202478 0x19065706`7d063a06
0d fffffa8f`08ad1188 13097d46`1a19290d 0x0000f048`1f202478
0e fffffa8f`08ad1190 0577304b`3f6ea007 0x13097d46`1a19290d
0f fffffa8f`08ad1198 dd4c090e`40050674 0x0577304b`3f6ea007
10 fffffa8f`08ad11a0 1f052c06`687a6f05 0xdd4c090e`40050674
11 fffffa8f`08ad11a8 19834305`85051a05 0x1f052c06`687a6f05
12 fffffa8f`08ad11b0 39062770`4c053e05 0x19834305`85051a05
13 fffffa8f`08ad11b8 2814394e`88783f7f 0x39062770`4c053e05
14 fffffa8f`08ad11c0 7c1e5258`15061853 0x2814394e`88783f7f
15 fffffa8f`08ad11c8 4a1f00f0`30586946 0x7c1e5258`15061853
16 fffffa8f`08ad11d0 272c177e`10063706 0x4a1f00f0`30586946
17 fffffa8f`08ad11d8 3978362a`1b40162c 0x272c177e`10063706
18 fffffa8f`08ad11e0 053e05e2`7809390f 0x3978362a`1b40162c
19 fffffa8f`08ad11e8 30053e21`5a7b683c 0x053e05e2`7809390f
1a fffffa8f`08ad11f0 05198140`05702f05 0x30053e21`5a7b683c
1b fffffa8f`08ad11f8 51052527`483c053e 0x05198140`05702f05
1c fffffa8f`08ad1200 9419fa19`3c253c2c 0x51052527`483c053e
1d fffffa8f`08ad1208 ee22821a`10fd4f4e 0x9419fa19`3c253c2c
1e fffffa8f`08ad1210 33221c1f`0000f01c 0xee22821a`10fd4f4e
1f fffffa8f`08ad1218 6f374a5b`2d051b09 0x33221c1f`0000f01c
20 fffffa8f`08ad1220 2f062006`6f7c2a06 0x6f374a5b`2d051b09
21 fffffa8f`08ad1228 24051021`bb4c05ca 0x2f062006`6f7c2a06
22 fffffa8f`08ad1230 176318ab`29442f3a 0x24051021`bb4c05ca
23 fffffa8f`08ad1238 051ef706`340587b5 0x176318ab`29442f3a
24 fffffa8f`08ad1240 43062eb1`a2063823 0x051ef706`340587b5
25 fffffa8f`08ad1248 4b360e38`e0195e16 0x43062eb1`a2063823
26 fffffa8f`08ad1250 6d4a0681`00f03f06 0x4b360e38`e0195e16
27 fffffa8f`08ad1258 14820518`401413f8 0x6d4a0681`00f03f06
28 fffffa8f`08ad1260 ad067d05`13051428 0x14820518`401413f8
29 fffffa8f`08ad1268 a75c7e19`f3310f07 0xad067d05`13051428
2a fffffa8f`08ad1270 13181364`4e056e06 0xa75c7e19`f3310f07
2b fffffa8f`08ad1278 48151905`10290a76 0x13181364`4e056e06
2c fffffa8f`08ad1280 812c1a18`a8730a15 0x48151905`10290a76
2d fffffa8f`08ad1288 6419508f`6e494b27 0x812c1a18`a8730a15
2e fffffa8f`08ad1290 06ee0a2d`176400f0 0x6419508f`6e494b27
2f fffffa8f`08ad1298 19fe12f1`58a3101d 0x06ee0a2d`176400f0
30 fffffa8f`08ad12a0 534fa452`dd744e6a 0x19fe12f1`58a3101d
31 fffffa8f`08ad12a8 2a055005`754a0564 0x534fa452`dd744e6a
32 fffffa8f`08ad12b0 241413f6`3615f04e 0x2a055005`754a0564
33 fffffa8f`08ad12b8 f01a183f`1f091e56 0x241413f6`3615f04e
34 fffffa8f`08ad12c0 069bc806`50050000 0xf01a183f`1f091e56
35 fffffa8f`08ad12c8 052a365a`066506d1 0x069bc806`50050000
36 fffffa8f`08ad12d0 ff13fdbc`4818062e 0x052a365a`066506d1
37 fffffa8f`08ad12d8 1af85a1a`1e0e0629 0xff13fdbc`4818062e
38 fffffa8f`08ad12e0 1810f497`433f573e 0x1af85a1a`1e0e0629
39 fffffa8f`08ad12e8 1c0d00f0`060ff795 0x1810f497`433f573e
3a fffffa8f`08ad12f0 1f300590`8836066f 0x1c0d00f0`060ff795
3b fffffa8f`08ad12f8 211b192d`1c051271 0x1f300590`8836066f
3c fffffa8f`08ad1300 131c2005`121a25ee 0x211b192d`1c051271
3d fffffa8f`08ad1308 11742229`1b25ee21 0x131c2005`121a25ee
3e fffffa8f`08ad1310 fffff7d3`c0016b70 0x11742229`1b25ee21
3f fffffa8f`08ad1318 fffff805`409916db 0xfffff7d3`c0016b70
40 fffffa8f`08ad1320 fffff805`4088a265 nt!HalpHvCounterQueryCounter+0x1b
41 fffffa8f`08ad1350 ffffe7e9`24639329 nt!KeQueryPerformanceCounter+0xd5
42 fffffa8f`08ad1380 ffffe7e9`24639008 win32kbase!EtwTraceAcquiredExclusiveUserCrit+0x299
43 fffffa8f`08ad1580 ffffe7e9`24940544 win32kbase!EnterCrit+0x1f8
44 fffffa8f`08ad16a0 ffffe7e9`249354b4 win32kfull!SfnDWORD+0x304
45 fffffa8f`08ad17b0 ffffe7e9`249350a2 win32kfull!xxxSendMessageToClient+0x114
46 fffffa8f`08ad1870 ffffe7e9`24938af0 win32kfull!xxxSendTransformableMessageTimeout+0x282
47 fffffa8f`08ad19c0 ffffe7e9`24943ca8 win32kfull!xxxSendMessage+0x2c
48 fffffa8f`08ad1a20 ffffe7e9`24943c59 win32kfull!SmartObjStackRefBase<tagMENU>::~SmartObjStackRefBase<tagMENU>+0x40
49 fffffa8f`08ad1a50 ffffe7e9`24949774 win32kfull!SmartObjStackRef<tagMENU>::~SmartObjStackRef<tagMENU>+0x9
4a fffffa8f`08ad1a80 00000000`00000000 win32kfull!xxxRealDefWindowProc+0xfc
0: kd> u HalpHvCounterQueryCounter
nt!HalpHvCounterQueryCounter:
fffff805`409916c0 4883ec28 sub rsp,28h
fffff805`409916c4 488b05f57a9600 mov rax,qword ptr [nt!HalpHvTimerApi (fffff805`412f91c0)]
fffff805`409916cb 4885c0 test rax,rax
fffff805`409916ce 0f84e8aa1000 je nt!HalpHvCounterQueryCounter+0x10aafc (fffff805`40a9c1bc)
fffff805`409916d4 33c9 xor ecx,ecx
fffff805`409916d6 e895540700 call nt!guard_dispatch_icall (fffff805`40a06b70)
fffff805`409916db 4883c428 add rsp,28h
fffff805`409916df c3 ret
1: kd> r
rax=fffffa8f066d6820 rbx=ffffa606dd09e000 rcx=ffffa606d8d92c00
rdx=fffffa8f066d6808 rsi=fffffa8f066d6890 rdi=fffffa8f066d6820
rip=fffff8055f162628 rsp=fffffa8f066d67e0 rbp=fffffa8f066d6a60
r8=fffffa8f066d6820 r9=fffffa8f066d6800 r10=20756f4d64624b65
r11=ffffa606d772a2a0 r12=ffff928d5175e820 r13=ffffffff800029bc
r14=0000000000000000 r15=ffffa606df438a10
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286
SimpleDriver!KbdMou::SafeSendMouseInput+0x48:
fffff805`5f162628 e8eee9ffff call SimpleDriver!AsmCopMouseCall (fffff805`5f16101b)
1: kd> r
rax=fffffa8f066d6820 rbx=ffffa606dd09e000 rcx=ffffa606d8d92c00
rdx=fffffa8f066d6808 rsi=fffffa8f066d6890 rdi=fffffa8f066d6820
rip=fffff8055f16101b rsp=fffffa8f066d67d8 rbp=fffffa8f066d6a60
r8=fffffa8f066d6820 r9=fffffa8f066d6800 r10=20756f4d64624b65
r11=ffffa606d772a2a0 r12=ffff928d5175e820 r13=ffffffff800029bc
r14=0000000000000000 r15=ffffa606df438a10
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286
SimpleDriver!AsmCopMouseCall:
fffff805`5f16101b 55 push rbp
;-----------------------------------------------------------------------
; AsmCopMouseCall
;
; Builds a hand-made frame on a fresh 0x1000-byte stack region and then
; tail-jumps into mouhid at MouHid_CopAddress, so that the
; MouseClassServiceCallback invocation reached from there appears to a
; stack walker to originate in mouhid!MouHid_ReadComplete rather than in
; SimpleDriver (this is what the page title refers to).
;
; Syntax/target: MASM, x64. Reached by a plain `call` from
;   SimpleDriver!KbdMou::SafeSendMouseInput (see the `r` dumps above), so
;   the caller assumes the Microsoft x64 convention.
; In:   rcx = mouse DeviceObject (in the dump above rcx equals
;             gMouseObject.mouse_device)
;       rdx = pInputData; 0x18 bytes are copied from it
;       r9  = &Consumed
;       r8 is not read by this listing.
; Out:  rax is whatever the mouhid path leaves in it; nothing is set here.
; Stack: 0x1000 scratch + 8 qword pushes + 0x58 locals. No PROC FRAME /
;   unwind data is emitted, so an exception raised while this frame is
;   live cannot be unwound.
;
; NOTE(review): the `r` dump above disassembles the first instruction of
;   AsmCopMouseCall as `push rbp`, whereas this listing starts with
;   `sub rsp, 1000h`; the debugged binary was built from a different
;   revision of this routine. With that extra push the body below runs
;   with rsp = 0 mod 16 (as mouhid's own frame would); as listed it runs
;   with rsp = 8 mod 16. Confirm which revision the offsets were taken from.
;
; NOTE(review, detection): the `k` listings above show how this frame
;   looks to a walker. The chain ends at nt!NtContinueEx+0x29f and is
;   then followed either by a zero return address or by dozens of frames
;   whose return addresses resolve to no module - the stale contents of
;   the un-zeroed scratch region. Compare the first `k` listing, where a
;   genuine report walks back through HIDCLASS, USBXHCI and the DPC
;   dispatcher. Return addresses outside any loaded image, and a HID
;   completion stack with nothing beneath mouhid, are the observable
;   artefacts of this technique.
;-----------------------------------------------------------------------
AsmCopMouseCall PROC
sub rsp, 1000h                          ; scratch region standing in for the original frame;
                                        ; it is never zeroed (see detection note above)
mov rdi, rsp ; DriverExtension          ; rdi = base of the fake extension / frame area
lea rax, LABEL_CALLRET
push rax                                ; return address the target's epilogue will `ret` to
;-----------------------------
; Replica of the prologue the target code expects to have executed:
; eight non-volatile pushes, frame pointer, 0x58 bytes of locals.
; Every slot offset used below (rbp-014h, rbp+50h, rbp+58h and the
; rdi+0E0h/0E8h/160h extension offsets) is hard-coded for the specific
; mouhid/mouclass build that was analysed; none is derived from symbols.
push rbp
push rbx
push rsi
push rdi
push r12
push r13
push r14
push r15
mov rbp, rsp                            ; rbp = frame pointer of the replica frame
sub rsp, 58h                            ; locals, same size the target's own prologue uses
;-----------------------------
mov rax, [MouseClassServiceCallback]
mov [rdi+0E8h], rax ; ServiceCallback pointer slot of the fake extension
mov [rdi+0E0h], rcx ; DeviceObject
mov rbx, rdi ; Save rdi                 ; rbx (already saved above) holds the frame base during the copy
lea rdi, [rdi+160h] ; InputDataStart
mov rsi, rdx ; pInputData
mov ecx, 18h                            ; 0x18 bytes - one MOUSE_INPUT_DATA-sized record (TODO confirm)
rep movs byte ptr [rdi], byte ptr [rsi] ; rep movsb (relies on DF clear, as the ABI guarantees)
mov rdi, rbx ; Restore rdi
mov [rbp-014h], r9 ; &Consumed
mov rax, cr8                            ; al = current IRQL
mov byte ptr [rbp+50h], al ; bypass IoAllocateErrorLogEntry
mov rax, 0                              ; (`xor eax, eax` is the usual zeroing idiom; behaviour identical)
mov [rbp+58h], rax ; bypass jump up
jmp [MouHid_CopAddress]                 ; tail-jump into mouhid; control comes back only via LABEL_CALLRET
;-----------------------------
; Epilogue this routine relies on the target path to execute on the
; replica frame (kept for reference, not assembled): it pops the eight
; registers pushed above and returns to LABEL_CALLRET.
;add rsp, 58h
;pop r15
;pop r14
;pop r13
;pop r12
;pop rdi
;pop rsi
;pop rbx
;pop rbp
;ret
LABEL_CALLRET:
add rsp, 1000h                          ; release the scratch region; rsp is back at its entry value
ret                                     ; back to SafeSendMouseInput
AsmCopMouseCall ENDP