Hello,

I'm writing filter driver for usb joystick in Window XP. I want to add the upper filter driver to attach the to the HID game controller from Microsoft.
For the filter driver, I reference to the source code from ctrl2cap (I will modify it to joystick filter driver later). It works for PS/2 keyboard.

But if I have problem to install ctrl2cap driver to USB HID Keyboard (I don't know which registry key should modify by using .inf file).

Also for my own usb joystick, it also faces the same problem while install the filter driver.

Another question is that , for HID USB joystick , there is two components shown in Device Manager ("HID-compliant game controller" , USB Human Interface Device").
I just want to swap the joystick bottons function. Which component of driver should i filter ??

Can you give me example about .inf for HID USB device ?

Thank you very much !! And Looking forward for reply !

Regards,

Yu Chi Wai

======================================
Yu Chi Wai (Programmer)
Mobile(HK): 9493 2167
Email: xxxxx@sengital.com

Sengital Ltd.
Unit 207, 2/F, Innovation Centre, Science Park,
Shatin, N.T. , Hong Kong SAR.
Tel(HK): +852-21442628
Fax(HK): +852-21442623
Email: xxxxx@sengital.com
Homepage: www.sengital.com

< Sengital : Sensing Your Motion >

Open up device manager and find your HID joystick device. There will be
a parent and child device, you can see the relationship there.

USB Human Interface Device is the parent (it has a USB\Xxx hardware ID)
HID-compliant game controller is the child (it has a HID\Xxx hardware
ID)

You want to filter the HID-compliant game controller. Note that you
cannot send your own IO without opening up the device. If you are just
filtering the get report IRPs, you can just set a completion routine and
swap the data. You will have some work todo modifying the normalized
HID report.

As for the keyboard, I am not sure what you are asking.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]
Sent: Thursday, October 07, 2004 7:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem writing .inf file for usb joystick

Hello,

I'm writing filter driver for usb joystick in Window XP. I want to add
the upper filter driver to attach the to the HID game controller from
Microsoft.
For the filter driver, I reference to the source code from ctrl2cap (I
will modify it to joystick filter driver later). It works for PS/2
keyboard.

But if I have problem to install ctrl2cap driver to USB HID Keyboard
(I don't know which registry key should modify by using .inf file).

Also for my own usb joystick, it also faces the same problem while
install the filter driver.

Another question is that , for HID USB joystick , there is two
components shown in Device Manager ("HID-compliant game controller" ,
USB Human Interface Device").
I just want to swap the joystick bottons function. Which component of
driver should i filter ??

Can you give me example about .inf for HID USB device ?

Thank you very much !! And Looking forward for reply !

Regards,

Yu Chi Wai

======================================
Yu Chi Wai (Programmer)
Mobile(HK): 9493 2167
Email: xxxxx@sengital.com

Sengital Ltd.
Unit 207, 2/F, Innovation Centre, Science Park,
Shatin, N.T. , Hong Kong SAR.
Tel(HK): +852-21442628
Fax(HK): +852-21442623
Email: xxxxx@sengital.com
Homepage: www.sengital.com

< Sengital : Sensing Your Motion >

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hello , Thank Your for the reply !

Yes, I found the relation between USB Human Interface Device and
HID-compliant game controller.
However , when I add the upper filter to Human Interface Device by adding
registry key "UpperFilters" at HID\Xxxhardware ID", it failed to do so :

My Thought :
Actually case:

game controller game
controller | my upper filter

my upper filter
Human Interface

Human Interface

The upper filter and the game controller became the same level in the device
stack and can't trap the data between game controller and interface .

How can i trap the data between game controller and Human Interface ??

Thank you very much !

Regards,
Yu Chi Wa

"Doron Holan" ??? news:xxxxx@ntdev ???...
Open up device manager and find your HID joystick device. There will be
a parent and child device, you can see the relationship there.

USB Human Interface Device is the parent (it has a USB\Xxx hardware ID)
HID-compliant game controller is the child (it has a HID\Xxx hardware
ID)

You want to filter the HID-compliant game controller. Note that you
cannot send your own IO without opening up the device. If you are just
filtering the get report IRPs, you can just set a completion routine and
swap the data. You will have some work todo modifying the normalized
HID report.

As for the keyboard, I am not sure what you are asking.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]
Sent: Thursday, October 07, 2004 7:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem writing .inf file for usb joystick

Hello,

I'm writing filter driver for usb joystick in Window XP. I want to add
the upper filter driver to attach the to the HID game controller from
Microsoft.
For the filter driver, I reference to the source code from ctrl2cap (I
will modify it to joystick filter driver later). It works for PS/2
keyboard.

But if I have problem to install ctrl2cap driver to USB HID Keyboard
(I don't know which registry key should modify by using .inf file).

Also for my own usb joystick, it also faces the same problem while
install the filter driver.

Another question is that , for HID USB joystick , there is two
components shown in Device Manager ("HID-compliant game controller" ,
USB Human Interface Device").
I just want to swap the joystick bottons function. Which component of
driver should i filter ??

Can you give me example about .inf for HID USB device ?

Thank you very much !! And Looking forward for reply !

Regards,

Yu Chi Wai

======================================
Yu Chi Wai (Programmer)
Mobile(HK): 9493 2167
Email: xxxxx@sengital.com

Sengital Ltd.
Unit 207, 2/F, Innovation Centre, Science Park,
Shatin, N.T. , Hong Kong SAR.
Tel(HK): +852-21442628
Fax(HK): +852-21442623
Email: xxxxx@sengital.com
Homepage: www.sengital.com
======================================
< Sengital : Sensing Your Motion >
======================================

---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I also try to add upper filter to game controller
But it broke the relation between game controller and human interface :

Filter

Game controller Human Interface

I just want to write filter to change the HID joystick button signal to
keyboard signal. So I need to get the Joystick read report data .
I think the filter is ok, but I can't put it in right position to get the
buttons signal.

Can any one help me about that ?

Thank you very much !

Regards,
Yu Chi Wai

"NTDEV" ¦b¶l¥ó news:xxxxx@ntdev ¤¤¼¶¼g...
> Hello , Thank Your for the reply !
>
> Yes, I found the relation between USB Human Interface Device and
> HID-compliant game controller.
> However , when I add the upper filter to Human Interface Device by adding
> registry key "UpperFilters" at HID\Xxxhardware ID", it failed to do so :
>
> My Thought :
> Actually case:
>
> game controller
game
> controller | my upper filter
> ------------------ ----
--
> ----------------------------------
> my upper filter
> Human Interface
> ------------------
> Human Interface
>
>
> The upper filter and the game controller became the same level in the
device
> stack and can't trap the data between game controller and interface .
>
>
> How can i trap the data between game controller and Human Interface ??
>
>
> Thank you very much !
>
> Regards,
> Yu Chi Wa
>
>
> "Doron Holan" ??? news:xxxxx@ntdev ???...
> Open up device manager and find your HID joystick device. There will be
> a parent and child device, you can see the relationship there.
>
> USB Human Interface Device is the parent (it has a USB\Xxx hardware ID)
> HID-compliant game controller is the child (it has a HID\Xxx hardware
> ID)
>
> You want to filter the HID-compliant game controller. Note that you
> cannot send your own IO without opening up the device. If you are just
> filtering the get report IRPs, you can just set a completion routine and
> swap the data. You will have some work todo modifying the normalized
> HID report.
>
> As for the keyboard, I am not sure what you are asking.
>
> d
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]
> Sent: Thursday, October 07, 2004 7:40 PM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Problem writing .inf file for usb joystick
>
>
> Hello,
>
> I'm writing filter driver for usb joystick in Window XP. I want to add
> the upper filter driver to attach the to the HID game controller from
> Microsoft.
> For the filter driver, I reference to the source code from ctrl2cap (I
> will modify it to joystick filter driver later). It works for PS/2
> keyboard.
>
> But if I have problem to install ctrl2cap driver to USB HID Keyboard
> (I don't know which registry key should modify by using .inf file).
>
> Also for my own usb joystick, it also faces the same problem while
> install the filter driver.
>
> Another question is that , for HID USB joystick , there is two
> components shown in Device Manager ("HID-compliant game controller" ,
> USB Human Interface Device").
> I just want to swap the joystick bottons function. Which component of
> driver should i filter ??
>
> Can you give me example about .inf for HID USB device ?
>
> Thank you very much !! And Looking forward for reply !
>
> Regards,
>
> Yu Chi Wai
>
>
> ======================================
> Yu Chi Wai (Programmer)
> Mobile(HK): 9493 2167
> Email: xxxxx@sengital.com
>
> Sengital Ltd.
> Unit 207, 2/F, Innovation Centre, Science Park,
> Shatin, N.T. , Hong Kong SAR.
> Tel(HK): +852-21442628
> Fax(HK): +852-21442623
> Email: xxxxx@sengital.com
> Homepage: www.sengital.com
> ======================================
> < Sengital : Sensing Your Motion >
> ======================================
>
>
>
> ---
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>

You cannot trap data between the HID and its parent. The game
controller enumerated by HIDCLASS is a raw PDO with no function driver.
When the PDO talks to its parent, it does not use PIRPs, it uses an
internal calling mechanism. If you create a filter driver for the HID
part, it should work. The filter driver can actually be an FDO in this
case. You should read Walter Oney's book, 2nd edition. It should
clarify.
D

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of NTDEV
Sent: Saturday, October 09, 2004 8:44 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Problem writing .inf file for usb joystick

Hello , Thank Your for the reply !

Yes, I found the relation between USB Human Interface Device and
HID-compliant game controller.
However , when I add the upper filter to Human Interface Device by
adding
registry key "UpperFilters" at HID\Xxxhardware ID", it failed to do so :

My Thought :
Actually case:

game controller
game
controller | my upper filter

my upper filter
Human Interface

Human Interface

The upper filter and the game controller became the same level in the
device
stack and can't trap the data between game controller and interface .

How can i trap the data between game controller and Human Interface ??

Thank you very much !

Regards,
Yu Chi Wa

"Doron Holan" ??? news:xxxxx@ntdev ???...
Open up device manager and find your HID joystick device. There will be
a parent and child device, you can see the relationship there.

USB Human Interface Device is the parent (it has a USB\Xxx hardware ID)
HID-compliant game controller is the child (it has a HID\Xxx hardware
ID)

You want to filter the HID-compliant game controller. Note that you
cannot send your own IO without opening up the device. If you are just
filtering the get report IRPs, you can just set a completion routine and
swap the data. You will have some work todo modifying the normalized
HID report.

As for the keyboard, I am not sure what you are asking.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]
Sent: Thursday, October 07, 2004 7:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem writing .inf file for usb joystick

Hello,

I'm writing filter driver for usb joystick in Window XP. I want to add
the upper filter driver to attach the to the HID game controller from
Microsoft.
For the filter driver, I reference to the source code from ctrl2cap (I
will modify it to joystick filter driver later). It works for PS/2
keyboard.

But if I have problem to install ctrl2cap driver to USB HID Keyboard
(I don't know which registry key should modify by using .inf file).

Also for my own usb joystick, it also faces the same problem while
install the filter driver.

Another question is that , for HID USB joystick , there is two
components shown in Device Manager ("HID-compliant game controller" ,
USB Human Interface Device").
I just want to swap the joystick bottons function. Which component of
driver should i filter ??

Can you give me example about .inf for HID USB device ?

Thank you very much !! And Looking forward for reply !

Regards,

Yu Chi Wai

======================================
Yu Chi Wai (Programmer)
Mobile(HK): 9493 2167
Email: xxxxx@sengital.com

Sengital Ltd.
Unit 207, 2/F, Innovation Centre, Science Park,
Shatin, N.T. , Hong Kong SAR.
Tel(HK): +852-21442628
Fax(HK): +852-21442623
Email: xxxxx@sengital.com
Homepage: www.sengital.com
======================================
< Sengital : Sensing Your Motion >
======================================

---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Really thx fo Doron Holan !
Finally I can add the upper filter to HID game controller . In the Game
Controller Control Panel , it can find out the name of the joystick.
However, when I get in to the “Properities” page (to test the keys of the
joystick). It said cannot find the joystick.

My filter just pass all the IRP down to the device stack. And I checked the
IRP flow from NTAPI (rundll32.exe) down to the HID game controller and also
USB Human Interface.
The passing of IRP was exactly the same with or without filter. (except
passing through the filter).

Is there any special technique to handle request from NTAPI (rundll32.exe)
to make my filter work ?

Thank You very much for your help !

Regards,
Yu Chi Wai

“Doron Holan” ??? news:xxxxx@ntdev ???..
You cannot trap data between the HID and its parent. The game
controller enumerated by HIDCLASS is a raw PDO with no function driver.
When the PDO talks to its parent, it does not use PIRPs, it uses an
internal calling mechanism. If you create a filter driver for the HID
part, it should work. The filter driver can actually be an FDO in this
case. You should read Walter Oney’s book, 2nd edition. It should
clarify.
D

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of NTDEV
Sent: Saturday, October 09, 2004 8:44 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Problem writing .inf file for usb joystick

Hello , Thank Your for the reply !

Yes, I found the relation between USB Human Interface Device and
HID-compliant game controller.
However , when I add the upper filter to Human Interface Device by
adding
registry key “UpperFilters” at HID\Xxxhardware ID", it failed to do so :

My Thought :
Actually case:

game controller
game
controller | my upper filter
------------------
------
----------------------------------
my upper filter
Human Interface
------------------
Human Interface

The upper filter and the game controller became the same level in the
device
stack and can’t trap the data between game controller and interface .

How can i trap the data between game controller and Human Interface ??

Thank you very much !

Regards,
Yu Chi Wa

“Doron Holan” ??? news:xxxxx@ntdev ???..
Open up device manager and find your HID joystick device. There will be
a parent and child device, you can see the relationship there.

USB Human Interface Device is the parent (it has a USB\Xxx hardware ID)
HID-compliant game controller is the child (it has a HID\Xxx hardware
ID)

You want to filter the HID-compliant game controller. Note that you
cannot send your own IO without opening up the device. If you are just
filtering the get report IRPs, you can just set a completion routine and
swap the data. You will have some work todo modifying the normalized
HID report.

As for the keyboard, I am not sure what you are asking.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]
Sent: Thursday, October 07, 2004 7:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem writing .inf file for usb joystick

Hello,

I’m writing filter driver for usb joystick in Window XP. I want to add
the upper filter driver to attach the to the HID game controller from
Microsoft.
For the filter driver, I reference to the source code from ctrl2cap (I
will modify it to joystick filter driver later). It works for PS/2
keyboard.

But if I have problem to install ctrl2cap driver to USB HID Keyboard
(I don’t know which registry key should modify by using .inf file).

Also for my own usb joystick, it also faces the same problem while
install the filter driver.

Another question is that , for HID USB joystick , there is two
components shown in Device Manager (“HID-compliant game controller” ,
USB Human Interface Device").
I just want to swap the joystick bottons function. Which component of
driver should i filter ??

Can you give me example about .inf for HID USB device ?

Thank you very much !! And Looking forward for reply !

Regards,

Yu Chi Wai

======================================
Yu Chi Wai (Programmer)
Mobile(HK): 9493 2167
Email: xxxxx@sengital.com

Sengital Ltd.
Unit 207, 2/F, Innovation Centre, Science Park,
Shatin, N.T. , Hong Kong SAR.
Tel(HK): +852-21442628
Fax(HK): +852-21442623
Email: xxxxx@sengital.com
Homepage: www.sengital.com
======================================
< Sengital : Sensing Your Motion >
======================================

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I find that one of the problem was caused by NtReadFile call from
Rundll32.exe after adding the filter (after add the filter , the HID Game
controller will return INVALID_USER_BUFFER for READ).

I used IRP Tracker to trace the IRP flow :

Without Filter :

08:55:40.061 NTAPIRet NtDeviceIoControlFile rundll32.exe
\Device_HID00000002#COLLECTION00000001 DEVICE_CONTROL SUCCESS
Process : rundll32.exe
NTAPI Data :
IN HANDLE FileHandle = 0x218
PFILE_OBJECT FileObject = 0xff451318
PDEVICE_OBJECT DeviceObject = 0xffb66d50
(\Device_HID00000002#COLLECTION00000001)
IN HANDLE Event = 0x0
IN PIO_APC_ROUTINE ApcRoutine = 0x0
IN PVOID ApcContext = 0x0
OUT PIO_STATUS_BLOCK IoStatusBlock = 0x115ff20
NTSTATUS Status = 0x0 (SUCCESS)
PVOID Pointer = 0x0
ULONG_PTR Information = 0x0
IN ULONG IoControlCode = 0xb0197 (Unknown)
IN PVOID InputBuffer = 0x0
IN ULONG InputBufferLength = 0x0
OUT PVOID OutputBuffer = 0x0
IN ULONG OutputBufferLength = 0x0

08:55:40.061 NTAPI NtReadFile rundll32.exe
\Device_HID00000002#COLLECTION00000001 READ
Process : rundll32.exe
NTAPI Data :
IN HANDLE FileHandle = 0x218
PFILE_OBJECT FileObject = 0xff451318
PDEVICE_OBJECT DeviceObject = 0xffb66d50
(\Device_HID00000002#COLLECTION00000001)
IN HANDLE Event = 0x0
IN PIO_APC_ROUTINE ApcRoutine = 0x77e906d0
IN PVOID ApcContext = 0x955a8
OUT PIO_STATUS_BLOCK IoStatusBlock = 0xb5348
OUT PVOID Buffer = 0xb5b78
IN ULONG Length = 0x9
IN PLARGE_INTEGER ByteOffset = 0x115ff40
*ByteOffset = 0x0
IN PULONG Key = 0x0

08:55:40.061 Call 0x82DF4EB8-122 \Device_HID00000002#COLLECTION00000001
READ NORMAL
Process : rundll32.exe
Irp Data :
SHORT Type = 0x6
USHORT Size = 0x148
PMDL MdlAddress = 0xff61c670
ULONG Flags = 0x900
union AssociatedIrp
struct _IRP *MasterIrp = 0x0
LONG IrpCount = 0x0
PVOID SystemBuffer = 0x0
LIST_ENTRY ThreadListEntry
LIST_ENTRY Flink = 0x8199f6b8
LIST_ENTRY Blink = 0x8199f6b8
IO_STATUS_BLOCK IoStatus
NTSTATUS Status = 0x0 (SUCCESS)
PVOID Pointer = 0x0
ULONG Information = 0x0
KPROCESSOR_MODE RequestorMode = 0x1 (UserMode)
BOOLEAN PendingReturned = 0x0
CHAR StackCount = 0x6
CHAR CurrentLocation = 0x6
BOOLEAN Cancel = 0x0
ULONG CancelIrql = 0x0
CCHAR ApcEnvironment = 0x0
UCHAR AllocationFlags = 0x81
PIO_STATUS_BLOCK UserIosb = 0xb5348
PKEVENT UserEvent = 0x0
union Overlay
struct AsynchronousParameters
PIO_APC_ROUTINE UserApcRoutine = 0x77e906d0
PVOID UserApcContext = 0x955a8
LARGE_INTEGER AllocationSize
LONGLONG QuadPart = 0x77e906d0
PDRIVER_CANCEL CancelRoutine = 0x0
PVOID UserBuffer = 0x0
union Tail
struct Overlay
KDEVICE_QUEUE_ENTRY DeviceQueueEntry
LIST_ENTRY DeviceListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
ULONG SortKey = 0x0
CHAR Inserted = 0x0
PVOID DriverContext[4]
PVOID DriverContext[0] = 0x0
PVOID DriverContext[1] = 0x0
PVOID DriverContext[2] = 0x0
PVOID DriverContext[3] = 0x0
PETHREAD Thread = 0x8199f4a8
PCHAR AuxiliaryBuffer = 0x0
LIST_ENTRY ListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
PIO_STACK_LOCATION CurrentStackLocation = 0x82df4fdc
UCHAR MajorFunction = 0x3 (READ)
UCHAR MinorFunction = 0x0 (NORMAL)
UCHAR Flags = 0x0
UCHAR Control = 0x0
union Parameters
struct Read
ULONG Length = 0x9
ULONG Key = 0x0
LARGE_INTEGER ByteOffset
LONGLONG QuadPart = 0x0
PDEVICE_OBJECT DeviceObject = 0xffb66d50
(\Device_HID00000002#COLLECTION00000001)
PFILE_OBJECT FileObject = 0xff451318
PIO_COMPLETION_ROUTINE CompletionRoutine = 0x0
PVOID Context = 0x0
ULONG PacketType = 0x82df4fdc
PFILE_OBJECT OriginalFileObject = 0xff451318
KAPC Apc
USHORT Type = 0x0
USHORT Size = 0x0
ULONG Spare0 = 0x0
PETHREAD Thread = 0x0
LIST_ENTRY ApcListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x8199f4a8
PVOID KernelRoutine = 0x0
PVOID RundownRoutine = 0x0
PVOID NormalRoutine = 0x82df4fdc
PVOID NormalContext = 0x82df4fdc
PVOID SystemArgument1 = 0xff451318
PVOID SystemArgument2 = 0x0
CHAR ApcStateIndex = 0x0
CHAR ApcMode = 0x0
CHAR Inserted = 0x0
PVOID CompletionKey = 0x0

08:55:40.061 NTAPIRet NtReadFile rundll32.exe
\Device_HID00000002#COLLECTION00000001 READ PENDING
Process : rundll32.exe
NTAPI Data :
IN HANDLE FileHandle = 0x218
PFILE_OBJECT FileObject = 0xff451318
PDEVICE_OBJECT DeviceObject = 0xffb66d50
(\Device_HID00000002#COLLECTION00000001)
IN HANDLE Event = 0x0
IN PIO_APC_ROUTINE ApcRoutine = 0x77e906d0
IN PVOID ApcContext = 0x955a8
OUT PIO_STATUS_BLOCK IoStatusBlock = 0xb5348
NTSTATUS Status = 0x103 (PENDING)
PVOID Pointer = 0x103
ULONG_PTR Information = 0x0
OUT PVOID Buffer = 0xb5b78
IN ULONG Length = 0x9
IN PLARGE_INTEGER ByteOffset = 0x115ff40
*ByteOffset = 0x0
IN PULONG Key = 0x0

08:55:40.081 Comp 0x82DF4EB8-122 \Device_HID00000002#COLLECTION00000001
READ NORMAL SUCCESS, Info = 0x9
Process : rundll32.exe
Irp Data :
SHORT Type = 0x6
USHORT Size = 0x148
PMDL MdlAddress = 0xff61c670
ULONG Flags = 0x40000900
union AssociatedIrp
struct _IRP *MasterIrp = 0x0
LONG IrpCount = 0x0
PVOID SystemBuffer = 0x0
LIST_ENTRY ThreadListEntry
LIST_ENTRY Flink = 0x8199f6b8
LIST_ENTRY Blink = 0x8199f6b8
IO_STATUS_BLOCK IoStatus
NTSTATUS Status = 0x0 (SUCCESS)
PVOID Pointer = 0x0
ULONG Information = 0x9
KPROCESSOR_MODE RequestorMode = 0x1 (UserMode)
BOOLEAN PendingReturned = 0x0
CHAR StackCount = 0x6
CHAR CurrentLocation = 0x6
BOOLEAN Cancel = 0x0
ULONG CancelIrql = 0x0
CCHAR ApcEnvironment = 0x0
UCHAR AllocationFlags = 0x81
PIO_STATUS_BLOCK UserIosb = 0xb5348
PKEVENT UserEvent = 0x0
union Overlay
struct AsynchronousParameters
PIO_APC_ROUTINE UserApcRoutine = 0x77e906d0
PVOID UserApcContext = 0x955a8
LARGE_INTEGER AllocationSize
LONGLONG QuadPart = 0x77e906d0
PDRIVER_CANCEL CancelRoutine = 0x0
PVOID UserBuffer = 0x0
union Tail
struct Overlay
KDEVICE_QUEUE_ENTRY DeviceQueueEntry
LIST_ENTRY DeviceListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
ULONG SortKey = 0x0
CHAR Inserted = 0x0
PVOID DriverContext[4]
PVOID DriverContext[0] = 0x0
PVOID DriverContext[1] = 0x0
PVOID DriverContext[2] = 0x0
PVOID DriverContext[3] = 0x0
PETHREAD Thread = 0x8199f4a8
PCHAR AuxiliaryBuffer = 0x0
LIST_ENTRY ListEntry
LIST_ENTRY *Flink = 0x8053a2c4
LIST_ENTRY *Blink = 0x8053a2c4
PIO_STACK_LOCATION CurrentStackLocation = 0x82df4fdc
UCHAR MajorFunction = 0x3 (READ)
UCHAR MinorFunction = 0x0 (NORMAL)
UCHAR Flags = 0x0
UCHAR Control = 0x0
union Parameters
struct Read
ULONG Length = 0x9
ULONG Key = 0x0
LARGE_INTEGER ByteOffset
LONGLONG QuadPart = 0x0
PDEVICE_OBJECT DeviceObject = 0xffb66d50
(\Device_HID00000002#COLLECTION00000001)
PFILE_OBJECT FileObject = 0xff451318
PIO_COMPLETION_ROUTINE CompletionRoutine = 0x0
PVOID Context = 0x0
ULONG PacketType = 0x82df4fdc
PFILE_OBJECT OriginalFileObject = 0xff451318
KAPC Apc
USHORT Type = 0x0
USHORT Size = 0x0
ULONG Spare0 = 0x0
PETHREAD Thread = 0x0
LIST_ENTRY ApcListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x8199f4a8
PVOID KernelRoutine = 0x0
PVOID RundownRoutine = 0x8053a2c4
PVOID NormalRoutine = 0x82df4fdc
PVOID NormalContext = 0x82df4fdc
PVOID SystemArgument1 = 0xff451318
PVOID SystemArgument2 = 0x0
CHAR ApcStateIndex = 0x0
CHAR ApcMode = 0x0
CHAR Inserted = 0x0
PVOID CompletionKey = 0x0

With Filter :

09:02:51.522 NTAPIRet NtDeviceIoControlFile rundll32.exe (0xFF589F08)
\Driver\Ctrl2cap DEVICE_CONTROL SUCCESS
Process : rundll32.exe
NTAPI Data :
IN HANDLE FileHandle = 0x218
PFILE_OBJECT FileObject = 0x81a35a30
PDEVICE_OBJECT DeviceObject = 0xff589f08 ((0xFF589F08) \Driver\Ctrl2cap)
IN HANDLE Event = 0x0
IN PIO_APC_ROUTINE ApcRoutine = 0x0
IN PVOID ApcContext = 0x0
OUT PIO_STATUS_BLOCK IoStatusBlock = 0x115ff20
NTSTATUS Status = 0x0 (SUCCESS)
PVOID Pointer = 0x0
ULONG_PTR Information = 0x0
IN ULONG IoControlCode = 0xb0197 (Unknown)
IN PVOID InputBuffer = 0x0
IN ULONG InputBufferLength = 0x0
OUT PVOID OutputBuffer = 0x0
IN ULONG OutputBufferLength = 0x0

09:02:51.522 NTAPI NtReadFile rundll32.exe (0xFF589F08) \Driver\Ctrl2cap
READ
Process : rundll32.exe
NTAPI Data :
IN HANDLE FileHandle = 0x218
PFILE_OBJECT FileObject = 0x81a35a30
PDEVICE_OBJECT DeviceObject = 0xff589f08 ((0xFF589F08) \Driver\Ctrl2cap)
IN HANDLE Event = 0x0
IN PIO_APC_ROUTINE ApcRoutine = 0x77e906d0
IN PVOID ApcContext = 0xa4308
OUT PIO_STATUS_BLOCK IoStatusBlock = 0xac9e8
OUT PVOID Buffer = 0xa30f0
IN ULONG Length = 0x9
IN PLARGE_INTEGER ByteOffset = 0x115ff40
*ByteOffset = 0x0
IN PULONG Key = 0x0

09:02:51.522 Call 0x835FAE90-122 (0xFF589F08) \Driver\Ctrl2cap
\Device_HID00000003#COLLECTION00000001 READ NORMAL
Process : rundll32.exe
Irp Data :
SHORT Type = 0x6
USHORT Size = 0x16c
PMDL MdlAddress = 0x0
ULONG Flags = 0x40000900
union AssociatedIrp
struct _IRP *MasterIrp = 0x0
LONG IrpCount = 0x0
PVOID SystemBuffer = 0x0
LIST_ENTRY ThreadListEntry
LIST_ENTRY Flink = 0xffa14230
LIST_ENTRY Blink = 0xffa14230
IO_STATUS_BLOCK IoStatus
NTSTATUS Status = 0x0 (SUCCESS)
PVOID Pointer = 0x0
ULONG Information = 0x0
KPROCESSOR_MODE RequestorMode = 0x1 (UserMode)
BOOLEAN PendingReturned = 0x0
CHAR StackCount = 0x7
CHAR CurrentLocation = 0x6
BOOLEAN Cancel = 0x0
ULONG CancelIrql = 0x0
CCHAR ApcEnvironment = 0x0
UCHAR AllocationFlags = 0x81
PIO_STATUS_BLOCK UserIosb = 0xac9e8
PKEVENT UserEvent = 0x0
union Overlay
struct AsynchronousParameters
PIO_APC_ROUTINE UserApcRoutine = 0x77e906d0
PVOID UserApcContext = 0xa4308
LARGE_INTEGER AllocationSize
LONGLONG QuadPart = 0x77e906d0
PDRIVER_CANCEL CancelRoutine = 0x0
PVOID UserBuffer = 0xa30f0
union Tail
struct Overlay
KDEVICE_QUEUE_ENTRY DeviceQueueEntry
LIST_ENTRY DeviceListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
ULONG SortKey = 0x0
CHAR Inserted = 0x0
PVOID DriverContext[4]
PVOID DriverContext[0] = 0x0
PVOID DriverContext[1] = 0x0
PVOID DriverContext[2] = 0x0
PVOID DriverContext[3] = 0x0
PETHREAD Thread = 0xffa14020
PCHAR AuxiliaryBuffer = 0x0
LIST_ENTRY ListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
PIO_STACK_LOCATION CurrentStackLocation = 0x835fafb4
UCHAR MajorFunction = 0x3 (READ)
UCHAR MinorFunction = 0x0 (NORMAL)
UCHAR Flags = 0x0
UCHAR Control = 0xe0
union Parameters
struct Read
ULONG Length = 0x9
ULONG Key = 0x0
LARGE_INTEGER ByteOffset
LONGLONG QuadPart = 0x0
PDEVICE_OBJECT DeviceObject = 0xff519030
(\Device_HID00000003#COLLECTION00000001)
PFILE_OBJECT FileObject = 0x81a35a30
PIO_COMPLETION_ROUTINE CompletionRoutine = 0xf9a45af0
PVOID Context = 0xff589f08
PIO_STACK_LOCATION StackLocation 7
UCHAR MajorFunction = 0x3 (READ)
UCHAR MinorFunction = 0x0 (NORMAL)
UCHAR Flags = 0x0
UCHAR Control = 0x0
union Parameters
struct Read
ULONG Length = 0x9
ULONG Key = 0x0
LARGE_INTEGER ByteOffset
LONGLONG QuadPart = 0x0
PDEVICE_OBJECT DeviceObject = 0xff589f08 ((0xFF589F08) \Driver\Ctrl2cap)
PFILE_OBJECT FileObject = 0x81a35a30
PIO_COMPLETION_ROUTINE CompletionRoutine = 0x0
PVOID Context = 0x0
ULONG PacketType = 0x835fafb4
PFILE_OBJECT OriginalFileObject = 0x81a35a30
KAPC Apc
USHORT Type = 0x0
USHORT Size = 0x0
ULONG Spare0 = 0x0
PETHREAD Thread = 0x0
LIST_ENTRY ApcListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0xffa14020
PVOID KernelRoutine = 0x0
PVOID RundownRoutine = 0x0
PVOID NormalRoutine = 0x835fafb4
PVOID NormalContext = 0x835fafb4
PVOID SystemArgument1 = 0x81a35a30
PVOID SystemArgument2 = 0x0
CHAR ApcStateIndex = 0x0
CHAR ApcMode = 0x0
CHAR Inserted = 0x0
PVOID CompletionKey = 0x0

09:02:51.522 Comp 0x835FAE90-122 \Device_HID00000003#COLLECTION00000001
READ NORMAL INVALID_USER_BUFFER, Info = 0x0
Process : rundll32.exe
Irp Data :
SHORT Type = 0x6
USHORT Size = 0x16c
PMDL MdlAddress = 0x0
ULONG Flags = 0x40000900
union AssociatedIrp
struct _IRP *MasterIrp = 0x0
LONG IrpCount = 0x0
PVOID SystemBuffer = 0x0
LIST_ENTRY ThreadListEntry
LIST_ENTRY Flink = 0xffa14230
LIST_ENTRY Blink = 0xffa14230
IO_STATUS_BLOCK IoStatus
NTSTATUS Status = 0xc00000e8 (INVALID_USER_BUFFER)
PVOID Pointer = 0xc00000e8
ULONG Information = 0x0
KPROCESSOR_MODE RequestorMode = 0x1 (UserMode)
BOOLEAN PendingReturned = 0x0
CHAR StackCount = 0x7
CHAR CurrentLocation = 0x6
BOOLEAN Cancel = 0x0
ULONG CancelIrql = 0x0
CCHAR ApcEnvironment = 0x0
UCHAR AllocationFlags = 0x81
PIO_STATUS_BLOCK UserIosb = 0xac9e8
PKEVENT UserEvent = 0x0
union Overlay
struct AsynchronousParameters
PIO_APC_ROUTINE UserApcRoutine = 0x77e906d0
PVOID UserApcContext = 0xa4308
LARGE_INTEGER AllocationSize
LONGLONG QuadPart = 0x77e906d0
PDRIVER_CANCEL CancelRoutine = 0x0
PVOID UserBuffer = 0xa30f0
union Tail
struct Overlay
KDEVICE_QUEUE_ENTRY DeviceQueueEntry
LIST_ENTRY DeviceListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
ULONG SortKey = 0x0
CHAR Inserted = 0x0
PVOID DriverContext[4]
PVOID DriverContext[0] = 0x0
PVOID DriverContext[1] = 0x0
PVOID DriverContext[2] = 0x0
PVOID DriverContext[3] = 0x0
PETHREAD Thread = 0xffa14020
PCHAR AuxiliaryBuffer = 0x0
LIST_ENTRY ListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0x0
PIO_STACK_LOCATION CurrentStackLocation = 0x835fafb4
UCHAR MajorFunction = 0x3 (READ)
UCHAR MinorFunction = 0x0 (NORMAL)
UCHAR Flags = 0x0
UCHAR Control = 0xe0
union Parameters
struct Read
ULONG Length = 0x9
ULONG Key = 0x0
LARGE_INTEGER ByteOffset
LONGLONG QuadPart = 0x0
PDEVICE_OBJECT DeviceObject = 0xff519030
(\Device_HID00000003#COLLECTION00000001)
PFILE_OBJECT FileObject = 0x81a35a30
PIO_COMPLETION_ROUTINE CompletionRoutine = 0xf9a45af0
PVOID Context = 0xff589f08
PIO_STACK_LOCATION StackLocation 7
UCHAR MajorFunction = 0x3 (READ)
UCHAR MinorFunction = 0x0 (NORMAL)
UCHAR Flags = 0x0
UCHAR Control = 0x0
union Parameters
struct Read
ULONG Length = 0x9
ULONG Key = 0x0
LARGE_INTEGER ByteOffset
LONGLONG QuadPart = 0x0
PDEVICE_OBJECT DeviceObject = 0xff589f08 ((0xFF589F08) \Driver\Ctrl2cap)
PFILE_OBJECT FileObject = 0x81a35a30
PIO_COMPLETION_ROUTINE CompletionRoutine = 0x0
PVOID Context = 0x0
ULONG PacketType = 0x835fafb4
PFILE_OBJECT OriginalFileObject = 0x81a35a30
KAPC Apc
USHORT Type = 0x0
USHORT Size = 0x0
ULONG Spare0 = 0x0
PETHREAD Thread = 0x0
LIST_ENTRY ApcListEntry
LIST_ENTRY *Flink = 0x0
LIST_ENTRY *Blink = 0xffa14020
PVOID KernelRoutine = 0x0
PVOID RundownRoutine = 0x0
PVOID NormalRoutine = 0x835fafb4
PVOID NormalContext = 0x835fafb4
PVOID SystemArgument1 = 0x81a35a30
PVOID SystemArgument2 = 0x0
CHAR ApcStateIndex = 0x0
CHAR ApcMode = 0x0
CHAR Inserted = 0x0
PVOID CompletionKey = 0x0