Hook mouse based on WDK moufiltr.

I have a requirement for hook mouse driver, to hide mouse position for windows except mine.

I started from the WDK example: moufiltr.

The comments said I should do something in MouFilter_ServiceCallback, but I also noticed that there is a function called MouFilter_IsrHook. I start from here.
I get each MOUSE_INPUT_DATA in MouFilter_IsrHook, and add 4 to LastX. It works. My mouse will always move to right quickly even if you move it to left.

Since the lastX/lastY are set relative to the previous location, so what I do is:
First, set current cursor position to control device, saved in a global value (x, y).
Second, in MouFilter_IsrHook, all LastX/LastY is added to (x, y).
Last, return (x, y) to user mode app through IOCTL.

All these changes do work, but the location from my driver is different with system (get by GetCursorPos). Looks like it moves faster than system.
I think maybe caused the system setting of mouse speed, so I change the motion setting to fast. It’s same.

My question:

  1. What’s wrong with my implement? Should I do it in MouFilter_ServiceCallback? (At first I do some DbgPrint in MouFilter_ServiceCallback and MouFilter_IsrHook, looks like after invoke 4 MouFilter_IsrHook, 1 MouFilter_ServiceCallback is invoked.)

  2. If driver motion only faster, then when I move back to the original point (where I set it to kernel), the value should be same, but in my test, it isn’t. How can I correct it?

  1. MouFilter_IsrHook is only for PS/2 mice; it does not work for HID mice. Use the ServiceCallback to manipulate any data you want to change.
  2. The system has its own ballistics for mouse movement on top of the raw X / Y movements the driver reports. Don’t mess with this setting, it is the user’s setting.

I don’t understand what you are trying to do. If you want just your mouse to be active, just disable the other mice in device manager/devcon.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, November 18, 2010 11:09 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Hook mouse based on WDK moufiltr.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
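
Added example (not part of the original thread and not WDK code): a portable C simulation of point 2 in the reply above, showing why a running sum of relative LastX deltas drifts away from the on-screen cursor and does not match it even after the hand returns to its starting point. The gain curve, the screen width and all function names are constructed for illustration; the real Windows ballistics curve is different, but any speed-dependent gain or edge clamping produces the same divergence.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for pointer ballistics: gain depends on packet speed.
 * NOT the real Windows curve; any speed-dependent gain shows the same effect. */
static int ballistic(int d) {
    return abs(d) > 6 ? d * 2 : d;   /* fast packets amplified, slow ones not */
}

static int clamp(int v, int lo, int hi) {
    return v < lo ? lo : (v > hi ? hi : v);
}

typedef struct { int raw_x; int cursor_x; } Track;

/* Replay relative deltas (the LastX values a filter sees) through two models:
 *   raw_x    - plain running sum, like the global (x, y) in the original post
 *   cursor_x - gain applied per packet, then clamped to the screen width    */
Track replay(const int *dx, int n, int start_x, int screen_w) {
    Track t = { start_x, start_x };
    for (int i = 0; i < n; i++) {
        t.raw_x += dx[i];
        t.cursor_x = clamp(t.cursor_x + ballistic(dx[i]), 0, screen_w - 1);
    }
    return t;
}

/* Constructed input: one fast flick right, then eight slow counts back left.
 * The raw deltas sum to zero, i.e. the hand is back where it started. */
Track flick_and_return(void) {
    static const int dx[] = { 8, -1, -1, -1, -1, -1, -1, -1, -1 };
    return replay(dx, 9, 500, 1000);
}

/* Constructed input: 20 slow packets into the right screen edge, 20 back.
 * No gain is applied here; the divergence comes from edge clamping alone. */
Track into_edge_and_back(void) {
    int dx[40];
    for (int i = 0; i < 40; i++) dx[i] = (i < 20) ? 5 : -5;
    return replay(dx, 40, 950, 1000);
}

int main(void) {
    Track a = flick_and_return(), b = into_edge_and_back();
    printf("flick: raw=%d cursor=%d\n", a.raw_x, a.cursor_x);
    printf("edge:  raw=%d cursor=%d\n", b.raw_x, b.cursor_x);
    return 0;
}
```

In both runs the raw sum returns to its starting value while the simulated cursor does not, which is the mismatch with GetCursorPos described in the original question.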

Thanks Doron.

Thinking about screen keyboard for some online bank login or etc, spy software can get the mouse location and guess the characters. That’s what I want to avoid.

xxxxx@gmail.com wrote:

> Thanks Doron.
>
> Thinking about screen keyboard for some online bank login or etc, spy software can get the mouse location and guess the characters. That’s what I want to avoid.

That’s hopeless. If the spy software can guess the code from the mouse
position, then they already know the layout of your onscreen keyboard,
and they can easily have hooked your window procedure.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You can’t avoid that with a driver. The spyware could hook your app or your driver itself to the information. You are not making the system more secure by doing this.

d

I know there is no totally security solution, just like no anti-virus software can clean all virus.
But at least, I think it’s more secure than doing nothing.
Maybe you can give me some valuable advice? I will really appreciate your help.

My advice is that you don’t do this at all. There is no security at all in what you are doing. Mouse position is not considered secure information, as such, there are tens of ways to acquire it. You cannot block them all.

d

Perhaps it might be due to it being far lower profile than the system
defaults, but that doesn’t take into account any errors that you might make
- anyone can make errors of course, but that device stack has been tested a
whole lot more than anything you or I might implement - and also whatever
instability you might introduce into the system and/or other products on the
system. The cost of the latter can be very large and it occurs frequently,
so, in my opinion, minimally, it’s a question of cost of whatever it is that
you’re trying to secure, weighted for the likelihood of attack/compromise v.
cost of implementing and maintaining your system, including any problems it
might cause, and what you think that you can make selling it.

It also assumes that there’s no other cost effective way for your attacker
to gain the information he/she seeks. I have no real experience with either
of these (PS/2, HID) device stacks, but that would seem like a monster ‘if,’
to put it mildly. There have to be lots of ways to get mouse position.

This is what makes security hard.

Good luck,

mm

xxxxx@gmail.com wrote:

> I know there is no totally security solution, just like no anti-virus software can clean all virus.
> But at least, I think it’s more secure than doing nothing.

Not necessarily. The danger in what you’re doing is that you give
people a false sense of security, leading them to do things which are
inherently unsafe, under the false impression that they are protected.
If you’re accepting secure information in a potentially unsecure
computer, the best you can do is warn people that they shouldn’t use the
software unless they’re sure their computer is protected and free from
malware. That won’t stop the problems, but maybe it will raise awareness.

> Maybe you can give me some valuable advice?

That’s what we are doing. Really.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

More interesting here.

Doron said:
“2) the system has its own ballistics for mouse movement on top of the raw X / Y
movements the driver reports. Don’t mess with this setting, it is the user’s
setting.”

If the system not strictly follow the driver reports, I can do also.
Then, even if spyware get the exactly reports from driver, how he can know the location “I think”. (Just like what I have done: I get driver reports exactly, but it’s different to system report).

Sorry, but I couldn’t parse what you just said

d

Sorry for my poor English, that’s not my native language.

My point is, even if I and spyware get same data from driver, I can ignore some of them, but spyware never know which packet I ignored, so he can’t catch “my mouse location”.

Spyware can use the built in windows accessibility APIs to get the cursor pos.

d

Windows accessibility APIs? Like GetCursorPos()?
When my mouse filter works, it will drop all packet to system.
(Actually I don’t know how to drop it, I just set the LastX/LastY to zero and pass through to upper.) So from GetCursorPos(), the cursor location never changed.

On Thu, Nov 18, 2010 at 5:42 PM, Doron Holan wrote:
> Spyware can use the built in windows accessibility APIs to get the cursor pos
>
> d

This is the problem with starting with a “requirement” and inferring a
precise implementation. You are heading down the wrong path here. You have
the wrong “requirement”, that is, a requirement that says “hide the mouse
position for windows except mine”, when the correct requirement would have
been written “prevent other applications from seeing the mouse position
within my application”. The first requirement contains an implementation
specification, and therefore is not actually a “requirement” in the formal
sense. It specifies *how* to achieve a goal, instead of specifying the
goal.

In general, if you need to prevent classic malware from intercepting mouse
positions, the trick is to do it in a separate “desktop” at the application
level. Go read about desktops.

The issue here is that you can’t hook across desktops, so if your login
screen is on its own desktop, classic malware, which is running in the
user’s default login session, can’t see this other desktop and can’t hook
it. If someone has figured out how to install a rootkit or other kernel
malware, it is unlikely you will be able to lock them out, desktop or not.
So the usual limited assumption is classic malware, some application-level
program that does a mouse hook (SetWindowsHookEx) call.

But you have taken a poorly-written security “requirement” (if it is
possible to dignify such a sloppily-written specification as a
“requirement”) and inferred the implementation it suggests, which is
probably the wrong solution because it doesn’t really solve the problem you
are trying to solve. The problems you are seeing are the consequence of
trying to solve the problem using the wrong technique. You have gotten
caught up in the idea that filter drivers are somehow going to magically
solve this problem, and I’m reasonably certain this is not going to work.
The reason is that you have tried to couple kernel behavior to incidental
application level state (a particular window). It is not clear why you have
chosen this complex solution without investigating the use of desktops, but
strongly suggest you look at desktops first. There is an entire subculture
of desktop programming that exists at user level, and while I am not an
expert, I have seen lengthy discussions of these techniques, and code
samples. I suggest a google search for the topic, plus reading about
desktop and window station APIs.
joe

> In general, if you need to prevent classic malware from intercepting mouse positions, the trick is to do it in a separate “desktop” at the application level. Go read about desktops.

Actually, I don’t know what you mean by “classic malware”, but your idea about desktops is good only for someone who wants to block the most primitive spyware that relies upon SetWindowsHookEx(). It is of no use if there is a kernel-level keylogger around (which, btw, may be a perfectly “proper” filter for kbdclass or mouseclass)…

Anton Bassov