  • Stars: 286
  • Rank: 144,690 (Top 3 %)
  • Language: C++
  • License: MIT License
  • Created over 5 years ago
  • Updated over 4 years ago

Repository Details

MouClassInputInjection implements a kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices.

MouClassInputInjection

The MouClass Input Injection module injects input by invoking a mouse class service callback to copy synthesized packets to the mouse class data queue in the target HID USB mouse device stack. This module uses the MouHid Hook Manager from the MouHidInputHook project to dynamically resolve packet data rules for the mouse device stacks on the host machine. The following is a list of enforced rules for injected packets:

  1. Button and movement data packets are transferred to the correct data queues.

  2. The UnitId field matches the device id of the device object which contains the correct data queue.

  3. Movement data packets must contain the same type of movement data, relative or absolute, as packets generated by the physical mouse device.

  4. Movement data packets must specify the MOUSE_VIRTUAL_DESKTOP indicator flag if packets generated by the physical mouse device specify this flag.
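
The four rules above can also be read as consistency checks that a monitor applies to recorded packets. The following is an added example, not code from the MouClassInputInjection project: `packet_t` is a constructed mirror of the relevant MOUSE_INPUT_DATA fields, and `stack_profile_t`, `check_packet` and the violation names are hypothetical.

```c
#include <stdint.h>

/* Flag values as defined in ntddmou.h. */
#define MOUSE_MOVE_ABSOLUTE   0x01
#define MOUSE_VIRTUAL_DESKTOP 0x02

/* Constructed mirror of the MOUSE_INPUT_DATA fields the rules refer to. */
typedef struct {
    uint16_t UnitId;
    uint16_t Flags;
    uint16_t ButtonFlags;
    int32_t  LastX;
    int32_t  LastY;
} packet_t;

/* Hypothetical profile learned by observing the physical mouse. */
typedef struct {
    uint16_t movement_unit_id; /* device id of the movement data queue */
    uint16_t button_unit_id;   /* device id of the button data queue */
    int      absolute;         /* device reports absolute movement */
    int      virtual_desktop;  /* device sets MOUSE_VIRTUAL_DESKTOP */
} stack_profile_t;

/* One bit per violated rule; 0 means the packet is consistent. */
enum {
    BAD_BUTTON_UNIT   = 1 << 0, /* rules 1 and 2, button packets */
    BAD_MOVEMENT_UNIT = 1 << 1, /* rules 1 and 2, movement packets */
    BAD_MOVEMENT_TYPE = 1 << 2, /* rule 3 */
    MISSING_VDESKTOP  = 1 << 3  /* rule 4 */
};

unsigned check_packet(const stack_profile_t *p, const packet_t *pkt)
{
    unsigned bad = 0;
    int is_button = pkt->ButtonFlags != 0;
    /* An absolute packet at (0, 0) is still a movement packet. */
    int is_move = pkt->LastX != 0 || pkt->LastY != 0 ||
                  (pkt->Flags & MOUSE_MOVE_ABSOLUTE) != 0;

    if (is_button && pkt->UnitId != p->button_unit_id)
        bad |= BAD_BUTTON_UNIT;
    if (is_move) {
        if (pkt->UnitId != p->movement_unit_id)
            bad |= BAD_MOVEMENT_UNIT;
        if (!!(pkt->Flags & MOUSE_MOVE_ABSOLUTE) != !!p->absolute)
            bad |= BAD_MOVEMENT_TYPE;
        if (p->virtual_desktop && !(pkt->Flags & MOUSE_VIRTUAL_DESKTOP))
            bad |= MISSING_VDESKTOP;
    }
    return bad;
}
```

A result of 0 only means the packet is well-formed for that device; because the driver validates its synthesized packets against these same rules, a clean result does not establish that a packet came from the physical mouse.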

MouHidInputHook

The MouHid Monitor feature of the MouHidInputHook project can be used to learn the packet data rules for mouse devices and environments. Users can utilize this feature to debug how mouse actions, e.g., moving the mouse or clicking a mouse button, are represented as a sequence of one or more data packets.

The project README contains an analysis of the input processing system in the Windows kernel. The MouClassInputInjection injection technique is based on this analysis.

Motivation

This project is designed to be a stealthy, PatchGuard safe means of input injection for video game hack developers. Specifically, this technique enables hack developers to write triggerbots and aimbots which cannot be detected by user mode anti-cheat software. The technique has the following stealth features:

  1. The driver does not open process handles for the target process. Anti-cheat software generally audits handle access to the protected video game process.

  2. Mouse events for injected packets are not marked with the LLMHF_INJECTED or LLMHF_LOWER_IL_INJECTED flags.

  3. Synthesized packets are validated against the packet data rules for the HID USB mouse device stacks on the host machine. Anti-cheat software can utilize input hooks, e.g., SetWindowsHookExA and WM_INPUT, to monitor mouse input data. Malformed data may indicate that a process is injecting input.

Note: This technique has not been tested against kernel mode anti-cheat software.

Projects

MouClassInputInjection

The core driver project which implements the injection interface.

MouiiCL

A command line MouClassInputInjection client which allows users to inject mouse button data and mouse movement data via text commands.

Mouse Device Stacks

A HID USB mouse device has one or more HID USB mouse device stacks in the device tree. These device stacks implement the device interface for reading button data and movement data from the physical mouse device. The number of device stacks required for a mouse device depends on the presence of third party mouse filter drivers. The following image depicts the mouse device stacks for Windows 7 SP1 x64 when no third party filter drivers are active:

There is one HID USB mouse device stack for button data and movement data. All data packets from the physical mouse device are transferred to the data queue contained in the \Device\PointerClass0 device object.

In contrast, the following image depicts the mouse device stacks for Windows 7 SP1 x64 when the VMware vmusbmouse filter driver is active:

There are two HID USB mouse device stacks. The \Device\PointerClass2 device stack receives movement data packets, and the \Device\PointerClass3 device stack receives button data packets. The VMware Tools package installs the vmusbmouse filter driver to smooth mouse movement. This filter driver hooks into the input data stream by modifying the CONNECT_DATA object sent down the mouse movement device stack during device initialization.

Limitations

  • The mouse cursor does not visually update to reflect injected packets for absolute movement when the vmusbmouse filter driver is active.
  • The MouClassInputInjection driver will fail to initialize if the MouHid Monitor feature of the MouHidInputHook driver is active.

Notes

  • The MouClassInputInjection project was developed for Windows 7 SP1 x64. Support for other platforms is unknown.
  • The MouClassInputInjection injection technique is PatchGuard safe.
