Manually Analyzing the URB of a USB Control Transfer with Bus Hound
2021-10-31
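The control transfer is the most basic USB transfer type; it is used for device enumeration and for controlling device state.
Here we use Bus Hound to capture the URB of a USB control transfer. As before, the operating system is Windows 10 x64, and as with the isochronous-transfer URB capture, we first capture the data and then analyze the data structure.
The example analyzed here is the Get Device Descriptor request issued during enumeration of a USB flash drive plugged into my computer:
The captured data is as follows: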
Length Phase Data Description
------ ----- ------------------------------------------------------------------------------------------------
CTL 80 06 00 01 00 00 12 00 GET DESCRIPTOR
18 IN 12 01 00 02 00 00 00 40 51 09 65 16 00 02 01 02 03 01
URB CONTROL TRANSFER
88 00 08 00 00 00 00 00 d8 f2 75 a0 77 7f 00 00 00 00 00 07 88 80 ff ff e0 60 e2 59 88 80 ff ff
0b 00 00 00 12 00 00 00 30 cc 4b 5f 88 80 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 24 00 00 00 00 00 00 00 18 00 00 00 01 00 00 00 11 4a 00 eb 1a 9b d4 11
80 06 00 01 00 00 12 00
Likewise, by examining the URB structure, we find that the corresponding structure is:
struct _URB_CONTROL_DESCRIPTOR_REQUEST
UrbControlDescriptorRequest;
The definition of this structure is:
struct _URB_CONTROL_DESCRIPTOR_REQUEST {
    struct _URB_HEADER Hdr;
    PVOID Reserved;
    ULONG Reserved0;
    ULONG TransferBufferLength;
    PVOID TransferBuffer;
    PMDL TransferBufferMDL;
    struct _URB *UrbLink;       // Reserved
    struct _URB_HCD_AREA hca;   // Reserved
    USHORT Reserved1;
    UCHAR Index;
    UCHAR DescriptorType;
    USHORT LanguageId;
    USHORT Reserved2;
};
As with the isochronous transfer, we work out the byte offset of each member field of the structure:
struct _URB_CONTROL_DESCRIPTOR_REQUEST {
    struct _URB_HEADER Hdr;      // 0
    PVOID Reserved;              // 24
    ULONG Reserved0;             // 32
    ULONG TransferBufferLength;  // 36
    PVOID TransferBuffer;        // 40
    PMDL TransferBufferMDL;      // 48
    struct _URB *UrbLink;        // 56 (Reserved)
    struct _URB_HCD_AREA hca;    // 64 (Reserved)
    USHORT Reserved1;            // 128
    UCHAR Index;                 // 130
    UCHAR DescriptorType;        // 131
    USHORT LanguageId;           // 132
    USHORT Reserved2;            // 134
};
The result of the analysis is as follows:
Hdr 88 00 08 00 00 00 00 00 d8 f2 75 a0 77 7f 00 00 00 00 00 07 88 80 ff ff
    Length 88 00
    Function 08 00 //URB_FUNCTION_CONTROL_TRANSFER
    Status 00 00 00 00
    UsbdDeviceHandle d8 f2 75 a0 77 7f 00 00
    UsbdFlags 00 00 00 07
    Struct alignment padding 88 80 ff ff
Reserved e0 60 e2 59 88 80 ff ff
Reserved0 0b 00 00 00
TransferBufferLength 12 00 00 00
TransferBuffer 30 cc 4b 5f 88 80 ff ff
TransferBufferMDL 00 00 00 00 00 00 00 00
UrbLink 00 00 00 00 00 00 00 00
hca
03 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
24 00 00 00 00 00 00 00
18 00 00 00 01 00 00 00
11 4a 00 eb 1a 9b d4 11
Reserved1 80 06
Index 00
DescriptorType 01
LanguageId 00 00
Reserved2 12 00
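The offsets above can be checked mechanically. The C code below is an added example, not code from the original post: `urb_desc_req`, `parse_hex` and `load_urb` are hypothetical names, and the struct mirrors the x64 layout with fixed-width integers in place of the WDK types. The cross-check of TransferBufferLength against the last two bytes (which match the final two bytes of the setup packet on the CTL line) is also an addition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of the x64 layout above; pointers become uint64_t (assumes a little-endian host). */
typedef struct {
    uint16_t Length, Function; uint32_t Status;  /* _URB_HEADER: offsets 0, 2, 4 */
    uint64_t UsbdDeviceHandle;                   /* 8 */
    uint32_t UsbdFlags, Pad;                     /* 16, then 4 bytes of alignment padding */
    uint64_t Reserved;                           /* 24 */
    uint32_t Reserved0, TransferBufferLength;    /* 32, 36 */
    uint64_t TransferBuffer, TransferBufferMDL, UrbLink, hca[8]; /* 40, 48, 56, 64 */
    uint16_t Reserved1;                          /* 128 */
    uint8_t  Index, DescriptorType; uint16_t LanguageId, Reserved2; /* 130..134 */
} urb_desc_req;
_Static_assert(offsetof(urb_desc_req, DescriptorType) == 131, "DescriptorType offset");
_Static_assert(sizeof(urb_desc_req) == 0x88, "must equal Hdr.Length in the capture");

static const char URB_HEX[] =   /* URB bytes copied from the Bus Hound capture above */
    "88 00 08 00 00 00 00 00 d8 f2 75 a0 77 7f 00 00 00 00 00 07 88 80 ff ff e0 60 e2 59 88 80 ff ff "
    "0b 00 00 00 12 00 00 00 30 cc 4b 5f 88 80 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 24 00 00 00 00 00 00 00 18 00 00 00 01 00 00 00 11 4a 00 eb 1a 9b d4 11 "
    "80 06 00 01 00 00 12 00";

/* Parse space-separated hex bytes up to the first non-hex token; 0 on overflow or value > 0xff. */
static size_t parse_hex(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (char *end;; s = end) {
        unsigned long v = strtoul(s, &end, 16);
        if (end == s) return n;                  /* nothing left to convert */
        if (n == cap || v > 0xff) return 0;
        out[n++] = (uint8_t)v;
    }
}

/* Returns 0 if the dump is self-consistent, a negative code otherwise. */
int load_urb(const char *hex, urb_desc_req *u) {
    uint8_t raw[sizeof *u + 1];                  /* spare byte exposes an oversized dump */
    size_t n = parse_hex(hex, raw, sizeof raw);
    if (n != sizeof *u) return -1;               /* truncated or oversized capture */
    memcpy(u, raw, sizeof *u);
    if (u->Length != n) return -2;               /* Hdr.Length must cover the whole URB */
    if (u->TransferBufferLength != u->Reserved2) return -3; /* both are 0x12 in this capture */
    return 0;
}

int main(void) { urb_desc_req u; return load_urb(URB_HEX, &u) ? 1 : 0; }
```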