├── README.md
├── MouseClassServiceCallbackMeme.vcxproj.user
├── MouseClassServiceCallbackMeme.vcxproj.filters
├── MouseClassServiceCallbackMeme.sln
├── MouseClassServiceCallbackMeme.vcxproj
├── main.c
└── mouse.asm


/README.md:
--------------------------------------------------------------------------------
1 | # MouseClassServiceCallbackMeme
2 | Calling "own" MouseClassServiceCallback
3 | 


--------------------------------------------------------------------------------
/MouseClassServiceCallbackMeme.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup>
4 |     <ShowAllFiles>true</ShowAllFiles>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/MouseClassServiceCallbackMeme.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClCompile Include="main.c">
23 |       <Filter>Source Files</Filter>
24 |     </ClCompile>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <MASM Include="mouse.asm">
28 |       <Filter>Source Files</Filter>
29 |     </MASM>
30 |   </ItemGroup>
31 | </Project>


--------------------------------------------------------------------------------
/MouseClassServiceCallbackMeme.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.2.32630.192
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MouseClassServiceCallbackMeme", "MouseClassServiceCallbackMeme.vcxproj", "{D2002713-76DD-4F66-921E-42F9405372B1}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM64 = Debug|ARM64
11 | 		Debug|x64 = Debug|x64
12 | 		Release|ARM64 = Release|ARM64
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Debug|ARM64.ActiveCfg = Debug|ARM64
17 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Debug|ARM64.Build.0 = Debug|ARM64
18 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Debug|ARM64.Deploy.0 = Debug|ARM64
19 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Debug|x64.ActiveCfg = Debug|x64
20 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Debug|x64.Build.0 = Debug|x64
21 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Debug|x64.Deploy.0 = Debug|x64
22 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Release|ARM64.ActiveCfg = Release|ARM64
23 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Release|ARM64.Build.0 = Release|ARM64
24 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Release|ARM64.Deploy.0 = Release|ARM64
25 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Release|x64.ActiveCfg = Release|x64
26 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Release|x64.Build.0 = Release|x64
27 | 		{D2002713-76DD-4F66-921E-42F9405372B1}.Release|x64.Deploy.0 = Release|x64
28 | 	EndGlobalSection
29 | 	GlobalSection(SolutionProperties) = preSolution
30 | 		HideSolutionNode = FALSE
31 | 	EndGlobalSection
32 | 	GlobalSection(ExtensibilityGlobals) = postSolution
33 | 		SolutionGuid = {AB3EBD45-1882-414A-A597-95D80D86AD83}
34 | 	EndGlobalSection
35 | EndGlobal
36 | 


--------------------------------------------------------------------------------
/MouseClassServiceCallbackMeme.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|x64">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>x64</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|x64">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|ARM64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>ARM64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|ARM64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>ARM64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{D2002713-76DD-4F66-921E-42F9405372B1}</ProjectGuid>
 23 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 24 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 25 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 26 |     <Configuration>Debug</Configuration>
 27 |     <Platform Condition="'$(Platform)' == ''">x64</Platform>
 28 |     <RootNamespace>MouseClassServiceCallbackMeme</RootNamespace>
 29 |   </PropertyGroup>
 30 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 31 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 32 |     <TargetVersion>Windows10</TargetVersion>
 33 |     <UseDebugLibraries>true</UseDebugLibraries>
 34 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 35 |     <ConfigurationType>Driver</ConfigurationType>
 36 |     <DriverType>KMDF</DriverType>
 37 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 40 |     <TargetVersion>Windows10</TargetVersion>
 41 |     <UseDebugLibraries>false</UseDebugLibraries>
 42 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 43 |     <ConfigurationType>Driver</ConfigurationType>
 44 |     <DriverType>KMDF</DriverType>
 45 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 46 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 49 |     <TargetVersion>Windows10</TargetVersion>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 52 |     <ConfigurationType>Driver</ConfigurationType>
 53 |     <DriverType>KMDF</DriverType>
 54 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
 57 |     <TargetVersion>Windows10</TargetVersion>
 58 |     <UseDebugLibraries>false</UseDebugLibraries>
 59 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 60 |     <ConfigurationType>Driver</ConfigurationType>
 61 |     <DriverType>KMDF</DriverType>
 62 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 63 |   </PropertyGroup>
 64 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 65 |   <ImportGroup Label="ExtensionSettings" />
 66 |   <ImportGroup Label="PropertySheets">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <PropertyGroup Label="UserMacros" />
 70 |   <PropertyGroup />
 71 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 72 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 73 |   </PropertyGroup>
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 75 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
 78 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
 81 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
 82 |   </PropertyGroup>
 83 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 84 |     <DriverSign>
 85 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 86 |     </DriverSign>
 87 |   </ItemDefinitionGroup>
 88 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 89 |     <DriverSign>
 90 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 91 |     </DriverSign>
 92 |     <Link>
 93 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
 94 |     </Link>
 95 |   </ItemDefinitionGroup>
 96 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
 97 |     <DriverSign>
 98 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
 99 |     </DriverSign>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
102 |     <DriverSign>
103 |       <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
104 |     </DriverSign>
105 |   </ItemDefinitionGroup>
106 |   <ItemGroup>
107 |     <FilesToPackage Include="$(TargetPath)" />
108 |   </ItemGroup>
109 |   <ItemGroup>
110 |     <ClCompile Include="main.c" />
111 |   </ItemGroup>
112 |   <ItemGroup>
113 |     <MASM Include="mouse.asm">
114 |       <FileType>Document</FileType>
115 |     </MASM>
116 |   </ItemGroup>
117 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
118 |   <ImportGroup Label="ExtensionTargets" />
119 | </Project>


--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
  1 | #include <ntifs.h>
  2 | 
  3 | /*
  4 |  * Old project, what can be used for mouse input manipulation
  5 | */
  6 | 
  7 | typedef int BOOL;
  8 | typedef unsigned int DWORD;
  9 | typedef ULONG_PTR QWORD;
 10 | 
 11 | #pragma warning(disable : 4201)
 12 | typedef struct _MOUSE_INPUT_DATA {
 13 | 	USHORT UnitId;
 14 | 	USHORT Flags;
 15 | 	union {
 16 | 	ULONG Buttons;
 17 | 	struct {
 18 | 	USHORT ButtonFlags;
 19 | 	USHORT ButtonData;
 20 | 	};
 21 | 	};
 22 | 	ULONG  RawButtons;
 23 | 	LONG   LastX;
 24 | 	LONG   LastY;
 25 | 	ULONG  ExtraInformation;
 26 | } MOUSE_INPUT_DATA, *PMOUSE_INPUT_DATA;
 27 | 
 28 | typedef VOID
 29 | (*MouseClassServiceCallbackFn)(
 30 | 	PDEVICE_OBJECT DeviceObject,
 31 | 	PMOUSE_INPUT_DATA InputDataStart,
 32 | 	PMOUSE_INPUT_DATA InputDataEnd,
 33 | 	PULONG InputDataConsumed
 34 | );
 35 | 
 36 | typedef struct _MOUSE_OBJECT
 37 | {
 38 | 	PDEVICE_OBJECT              mouse_device;
 39 | 	MouseClassServiceCallbackFn service_callback;
 40 | 	BOOL                        use_mouse;
 41 | } MOUSE_OBJECT, * PMOUSE_OBJECT;
 42 | 
 43 | 
 44 | 
 45 | MOUSE_OBJECT gMouseObject;
 46 | QWORD _KeAcquireSpinLockAtDpcLevel;
 47 | QWORD _KeReleaseSpinLockFromDpcLevel;
 48 | QWORD _IofCompleteRequest;
 49 | QWORD _IoReleaseRemoveLockEx;
 50 | 
 51 | 
 52 | 
 53 | 
 54 | NTSYSCALLAPI
 55 | POBJECT_TYPE* IoDriverObjectType;
 56 | 
 57 | VOID MouseClassServiceCallback(
 58 | 	PDEVICE_OBJECT DeviceObject,
 59 | 	PMOUSE_INPUT_DATA InputDataStart,
 60 | 	PMOUSE_INPUT_DATA InputDataEnd,
 61 | 	PULONG InputDataConsumed
 62 | );
 63 | 
 64 | NTSYSCALLAPI
 65 | NTSTATUS
 66 | ObReferenceObjectByName(
 67 |       __in PUNICODE_STRING ObjectName,
 68 |       __in ULONG Attributes,
 69 |       __in_opt PACCESS_STATE AccessState,
 70 |       __in_opt ACCESS_MASK DesiredAccess,
 71 |       __in POBJECT_TYPE ObjectType,
 72 |       __in KPROCESSOR_MODE AccessMode,
 73 |       __inout_opt PVOID ParseContext,
 74 |       __out PVOID *Object
 75 |   );
 76 | 
 77 | 
 78 | void NtSleep(DWORD milliseconds)
 79 | {
 80 | 	QWORD ms = milliseconds;
 81 | 	ms = (ms * 1000) * 10;
 82 | 	ms = ms * -1;
 83 | #ifdef _KERNEL_MODE
 84 | 	KeDelayExecutionThread(KernelMode, 0, (PLARGE_INTEGER)&ms);
 85 | #else
 86 | 	NtDelayExecution(0, (PLARGE_INTEGER)&ms);
 87 | #endif
 88 | }
 89 | 
 90 | void mouse_move(long x, long y, unsigned short button_flags);
 91 | 
 92 | VOID
 93 | DriverUnload(
 94 | 	_In_ struct _DRIVER_OBJECT* DriverObject
 95 | )
 96 | {
 97 | 	UNREFERENCED_PARAMETER(DriverObject);
 98 | 	DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] MouseClassServiceCallbackMeme.sys is closed\n");
 99 | }
100 | 
101 | QWORD _KeAcquireSpinLockAtDpcLevel;
102 | QWORD _KeReleaseSpinLockFromDpcLevel;
103 | QWORD _IofCompleteRequest;
104 | QWORD _IoReleaseRemoveLockEx;
105 | 
106 | NTSTATUS DriverEntry(
107 | 	_In_ PDRIVER_OBJECT  DriverObject,
108 | 	_In_ PUNICODE_STRING RegistryPath
109 | )
110 | {
111 | 	UNREFERENCED_PARAMETER(DriverObject);
112 | 	UNREFERENCED_PARAMETER(RegistryPath);
113 | 
114 | 	/* Microsoft compiler is sometimes retarded, thats why we have to do this non sense */
115 | 	/* It would otherwise generate wrapper functions around, and it would cause system BSOD */
116 | 	_KeAcquireSpinLockAtDpcLevel = (QWORD)KeAcquireSpinLockAtDpcLevel;
117 | 	_KeReleaseSpinLockFromDpcLevel = (QWORD)KeReleaseSpinLockFromDpcLevel;
118 | 	_IofCompleteRequest = (QWORD)IofCompleteRequest;
119 | 	_IoReleaseRemoveLockEx = (QWORD)IoReleaseRemoveLockEx;
120 | 	
121 | 
122 | 	DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] MouseClassServiceCallbackMeme.sys is launched\n");
123 | 	DriverObject->DriverUnload = DriverUnload;
124 | 
125 | 
126 | 	for (int i = 0; i < 32; i++) {
127 | 		NtSleep(100);
128 | 		DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] Moving mouse\n");
129 | 
130 | 		mouse_move(0, -10, 0);
131 | 	}
132 | 
133 | 
134 | 	return STATUS_SUCCESS;
135 | }
136 | 
137 | BOOL mouse_open(void)
138 | {
139 | 	// https://github.com/nbqofficial/norsefire
140 | 
141 | 	if (gMouseObject.use_mouse == 0) {
142 | 
143 | 		UNICODE_STRING class_string;
144 | 		RtlInitUnicodeString(&class_string, L"\\Driver\\MouClass");
145 | 	
146 | 
147 | 		PDRIVER_OBJECT class_driver_object = NULL;
148 | 		NTSTATUS status = ObReferenceObjectByName(&class_string, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&class_driver_object);
149 | 		if (!NT_SUCCESS(status)) {
150 | 			gMouseObject.use_mouse = 0;
151 | 			return 0;
152 | 		}
153 | 
154 | 		UNICODE_STRING hid_string;
155 | 		RtlInitUnicodeString(&hid_string, L"\\Driver\\MouHID");
156 | 	
157 | 
158 | 		PDRIVER_OBJECT hid_driver_object = NULL;
159 | 	
160 | 		status = ObReferenceObjectByName(&hid_string, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&hid_driver_object);
161 | 		if (!NT_SUCCESS(status))
162 | 		{
163 | 			if (class_driver_object) {
164 | 				ObfDereferenceObject(class_driver_object);
165 | 			}
166 | 			gMouseObject.use_mouse = 0;
167 | 			return 0;
168 | 		}
169 | 
170 | 		PVOID class_driver_base = NULL;
171 | 
172 | 
173 | 		PDEVICE_OBJECT hid_device_object = hid_driver_object->DeviceObject;
174 | 		while (hid_device_object && !gMouseObject.service_callback)
175 | 		{
176 | 			PDEVICE_OBJECT class_device_object = class_driver_object->DeviceObject;
177 | 			while (class_device_object && !gMouseObject.service_callback)
178 | 			{
179 | 				if (!class_device_object->NextDevice && !gMouseObject.mouse_device)
180 | 				{
181 | 					gMouseObject.mouse_device = class_device_object;
182 | 				}
183 | 
184 | 				PULONG_PTR device_extension = (PULONG_PTR)hid_device_object->DeviceExtension;
185 | 				ULONG_PTR device_ext_size = ((ULONG_PTR)hid_device_object->DeviceObjectExtension - (ULONG_PTR)hid_device_object->DeviceExtension) / 4;
186 | 				class_driver_base = class_driver_object->DriverStart;
187 | 				for (ULONG_PTR i = 0; i < device_ext_size; i++)
188 | 				{
189 | 					if (device_extension[i] == (ULONG_PTR)class_device_object && device_extension[i + 1] > (ULONG_PTR)class_driver_object)
190 | 					{
191 | 						gMouseObject.service_callback = (MouseClassServiceCallbackFn)(device_extension[i + 1]);
192 | 					
193 | 						break;
194 | 					}
195 | 				}
196 | 				class_device_object = class_device_object->NextDevice;
197 | 			}
198 | 			hid_device_object = hid_device_object->AttachedDevice;
199 | 		}
200 | 	
201 | 		if (!gMouseObject.mouse_device)
202 | 		{
203 | 			PDEVICE_OBJECT target_device_object = class_driver_object->DeviceObject;
204 | 			while (target_device_object)
205 | 			{
206 | 				if (!target_device_object->NextDevice)
207 | 				{
208 | 					gMouseObject.mouse_device = target_device_object;
209 | 					break;
210 | 				}
211 | 				target_device_object = target_device_object->NextDevice;
212 | 			}
213 | 		}
214 | 
215 | 		ObfDereferenceObject(class_driver_object);
216 | 		ObfDereferenceObject(hid_driver_object);
217 | 
218 | 		if (gMouseObject.mouse_device && gMouseObject.service_callback) {
219 | 			gMouseObject.use_mouse = 1;
220 | 		}
221 | 
222 | 	}
223 | 
224 | 	return gMouseObject.mouse_device && gMouseObject.service_callback;
225 | }
226 | 
227 | #define KeMRaiseIrql(a,b) *(b) = KfRaiseIrql(a)
228 | void mouse_move(long x, long y, unsigned short button_flags)
229 | {
230 | 	KIRQL irql;
231 | 	ULONG input_data;
232 | 	MOUSE_INPUT_DATA mid = { 0 };
233 | 	mid.LastX = x;
234 | 	mid.LastY = y;
235 | 	mid.ButtonFlags = button_flags;
236 | 	if (!mouse_open()) {
237 | 		return;
238 | 	}
239 | 	mid.UnitId = 1;
240 | 	KeMRaiseIrql(DISPATCH_LEVEL, &irql);	
241 | 	MouseClassServiceCallback(gMouseObject.mouse_device, &mid, (PMOUSE_INPUT_DATA)&mid + 1, &input_data);
242 | 	KeLowerIrql(irql);
243 | }
244 | 


--------------------------------------------------------------------------------
/mouse.asm:
--------------------------------------------------------------------------------
  1 | EXTERNDEF _KeAcquireSpinLockAtDpcLevel:PROC
  2 | EXTERNDEF _KeReleaseSpinLockFromDpcLevel:PROC
  3 | EXTERNDEF _IofCompleteRequest:PROC
  4 | EXTERNDEF _IoReleaseRemoveLockEx:PROC
  5 | EXTERNDEF memmove:PROC
  6 | 
  7 | .data
  8 | WPP_RECORDER_INITIALIZED dq 0;
  9 | WPP_GLOBAL_Control dq 0;
 10 | .code
 11 | 
 12 | WPP_RECORDER_SF proc
 13 | 	ret
 14 | WPP_RECORDER_SF endp
 15 | 
 16 | MouseClassReadCopyData proc
 17 | 	mov    r11,rsp
 18 | 	mov    QWORD PTR [r11+8h],rbx
 19 | 	mov    QWORD PTR [r11+10h],rbp
 20 | 	mov    QWORD PTR [r11+18h],rsi
 21 | 	push   rdi
 22 | 	push   r12
 23 | 	push   r13
 24 | 	push   r14
 25 | 	push   r15
 26 | 	sub    rsp,50h
 27 | 	inc    DWORD PTR [rcx+0a8h]
 28 | 	mov    rsi,rdx
 29 | 	mov    eax,DWORD PTR [rcx+54h]
 30 | 	mov    rdi,rcx
 31 | 	mov    r13,QWORD PTR [rdx+0b8h]
 32 | 	lea    ebp,[rax+rax*2]
 33 | 	mov    ebx,DWORD PTR [r13+8h]
 34 | 	shl    ebp,3h
 35 | 	mov    edx,DWORD PTR [rdi+88h]
 36 | 	cmp    ebp,ebx
 37 | 	cmovae ebp,ebx
 38 | 	sub    edx,DWORD PTR [rdi+78h]
 39 | 	add    edx,DWORD PTR [rdi+68h]
 40 | 	mov    r12d,ebp
 41 | 	cmp    ebp,edx
 42 | 	cmovae r12d,edx
 43 | 	mov    r14,QWORD PTR [rsi+18h]
 44 | 	mov    rdx,QWORD PTR [rdi+78h]
 45 | 	mov    rcx,r14
 46 | 	mov    r8d,r12d
 47 | 	mov    r15d,r12d
 48 | 	call   memmove
 49 | 	add    r14,r15
 50 | 	mov    ebx,ebp
 51 | 	sub    ebx,r12d
 52 | 	je     J1A5
 53 | 	mov    rdx,QWORD PTR [rdi+68h]
 54 | 	mov    r8,rbx
 55 | 	mov    rcx,r14
 56 | 	call   memmove
 57 | 	mov    rcx,QWORD PTR [rdi+68h]
 58 | 	add    rcx,rbx
 59 | 	mov    QWORD PTR [rdi+78h],rcx
 60 | 	jmp    J1B0
 61 | J1A5:
 62 | 	add    QWORD PTR [rdi+78h],r15
 63 | J1B0:
 64 | 	mov    ebx,ebp
 65 | 	mov    rax,0aaaaaaaaaaaaaaabh
 66 | 	mul    rbx
 67 | 	shr    rdx,4h
 68 | 	sub    DWORD PTR [rdi+54h],edx
 69 | 	jne    J1FF
 70 | 	mov    BYTE PTR [rdi+42h],1h
 71 | J1FF:
 72 | 	mov    QWORD PTR [rsi+38h],rbx
 73 | 	lea    r11,[rsp+50h]
 74 | 	mov    rbx,QWORD PTR [r11+30h]
 75 | 	xor    eax,eax
 76 | 	mov    rsi,QWORD PTR [r11+40h]
 77 | 	mov    DWORD PTR [r13+8h],ebp
 78 | 	mov    rbp,QWORD PTR [r11+38h]
 79 | 	mov    rsp,r11
 80 | 	pop    r15
 81 | 	pop    r14
 82 | 	pop    r13
 83 | 	pop    r12
 84 | 	pop    rdi
 85 | 	ret
 86 | MouseClassReadCopyData endp
 87 | 
 88 | 
 89 | 
 90 | 
 91 | MouseClassDequeueRead proc
 92 | 	xor    edx,edx
 93 | 	lea    r8,[rcx+98h]
 94 | J9:
 95 | 	mov    rcx,QWORD PTR [r8]
 96 | 	cmp    rcx,r8
 97 | 	je     J47
 98 | 	cmp    QWORD PTR [rcx+8h],r8
 99 | 	jne    J4C
100 | 	mov    rax,QWORD PTR [rcx]
101 | 	cmp    QWORD PTR [rax+8h],rcx
102 | 	jne    J4C
103 | 	mov    QWORD PTR [r8],rax
104 | 	lea    rdx,[rcx-0a8h]
105 | 	mov    QWORD PTR [rax+8h],r8
106 | 	xor    eax,eax
107 | 	xchg   QWORD PTR [rdx+68h],rax
108 | 	test   rax,rax
109 | 	jne    J42
110 | 	mov    QWORD PTR [rcx+8h],rcx
111 | 	xor    edx,edx
112 | 	mov    QWORD PTR [rcx],rcx
113 | J42:
114 | 	test   rdx,rdx
115 | 	je     J9
116 | J47:
117 | 	mov    rax,rdx
118 | 	ret
119 | 	int    3
120 | J4C:
121 | 	mov    ecx,3h
122 | 	int    29h
123 | MouseClassDequeueRead endp
124 | 
125 | 
126 | MouseClassServiceCallback proc
127 | 	mov    rax,rsp
128 | 	mov    QWORD PTR [rax+8h],rbx
129 | 	mov    QWORD PTR [rax+10h],rsi
130 | 	mov    QWORD PTR [rax+18h],rdi
131 | 	mov    QWORD PTR [rax+20h],r9
132 | 	push   rbp
133 | 	push   r12
134 | 	push   r13
135 | 	push   r14
136 | 	push   r15
137 | 	mov    rbp,rsp
138 | 	sub    rsp,70h
139 | 	mov    r13,r9
140 | 	mov    rbx,r8
141 | 	mov    r14,rdx
142 | 	mov    r15,rcx
143 | 
144 | 
145 | 
146 | 	
147 | 	lea    rax, WPP_RECORDER_INITIALIZED
148 | 	xor    esi,esi
149 | 	cmp    WPP_RECORDER_INITIALIZED, rax
150 | 	jne    J61
151 | 	mov    rcx,QWORD PTR WPP_GLOBAL_Control
152 | 	cmp    WORD PTR [rcx+48h],si
153 | 	je     J61
154 | 	mov    rcx,QWORD PTR [rcx+40h]
155 | 	lea    r9d,[rsi+32h]
156 | 	lea    r8d,[rsi+3h]
157 | 	mov    dl,5h
158 | 	call   WPP_RECORDER_SF
159 | 
160 | J61:
161 | 
162 | 
163 | 	mov    rdi,QWORD PTR [r15+40h]
164 | 	sub    ebx,r14d
165 | 	mov    r12d,esi
166 | 	mov    DWORD PTR [r13+0h],esi
167 | 	lea    rcx,[rdi+90h]
168 | 	call   QWORD PTR _KeAcquireSpinLockAtDpcLevel
169 | 	nop    DWORD PTR [rax+rax*1+0h]
170 | 	lea    rax,[rbp-10h]
171 | 	mov    rcx,rdi
172 | 	mov    QWORD PTR [rbp-8h],rax
173 | 	lea    rax,[rbp-10h]
174 | 	mov    QWORD PTR [rbp-10h],rax
175 | 	call   MouseClassDequeueRead
176 | 	mov    rsi,rax
177 | 	xor    r9d,r9d
178 | 	mov    rax,0aaaaaaaaaaaaaaabh
179 | 	test   rsi,rsi
180 | 	je     J1aa
181 | 	mov    r13,QWORD PTR [rsi+0b8h]
182 | 	mov    r12d,ebx
183 | 	mov    r8d,DWORD PTR [r13+8h]
184 | 	cmp    ebx,r8d
185 | 	cmovae r12d,r8d
186 | 	mul    r12
187 | 	mov    rax,QWORD PTR [rbp+48h]
188 | 	shr    rdx,4h
189 | 	add    DWORD PTR [rax],edx
190 | 	lea    rax, WPP_RECORDER_INITIALIZED
191 | 	cmp    WPP_RECORDER_INITIALIZED,rax
192 | 	jne    J11d
193 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
194 | 	cmp    WORD PTR [rcx+48h],r9w
195 | 	je     J11d
196 | 	mov    rax,QWORD PTR [rsi+18h]
197 | 	mov    rcx,QWORD PTR [rcx+40h]
198 | 	mov    QWORD PTR [rsp+50h],rax
199 | 	mov    QWORD PTR [rsp+48h],r14
200 | 	mov    DWORD PTR [rsp+40h],r8d
201 | 	mov    DWORD PTR [rsp+38h],ebx
202 | 	mov    QWORD PTR [rsp+30h],rsi
203 | 	mov    QWORD PTR [rsp+28h],r15
204 | 	call   WPP_RECORDER_SF
205 | 
206 | J11d:
207 | 
208 | 	mov    rax,0fffff78000000014h
209 | 	mov    rax,QWORD PTR [rax]
210 | 	lea    rdx,WPP_RECORDER_INITIALIZED
211 | 	cmp    WPP_RECORDER_INITIALIZED,rdx
212 | 	jne    J15e
213 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
214 | 	mov    DWORD PTR [rsp+40h],r12d
215 | 	mov    QWORD PTR [rsp+38h],rax
216 | 	mov    QWORD PTR [rsp+30h],rsi
217 | 	mov    rcx,QWORD PTR [rcx+40h]
218 | 	mov    QWORD PTR [rsp+28h],r15
219 | 	call   WPP_RECORDER_SF
220 | 
221 | J15e:
222 | 
223 | 	mov    rcx,QWORD PTR [rsi+18h]
224 | 	mov    r8,r12
225 | 	mov    rdx,r14
226 | 	call   memmove
227 | 	mov    QWORD PTR [rsi+38h],r12
228 | 	lea    rcx,[rbp-10h]
229 | 	xor    r8d,r8d
230 | 	mov    DWORD PTR [rsi+30h],r8d
231 | 	add    rsi,0a8h
232 | 	mov    DWORD PTR [r13+8h],r12d
233 | 	mov    rax,QWORD PTR [rbp-8h]
234 | 	cmp    QWORD PTR [rax],rcx
235 | 	jne    J495
236 | 	mov    r13,QWORD PTR [rbp+48h]
237 | 	lea    rcx,[rbp-10h]
238 | 	mov    QWORD PTR [rsi],rcx
239 | 	mov    QWORD PTR [rsi+8h],rax
240 | 	mov    QWORD PTR [rax],rsi
241 | 	mov    QWORD PTR [rbp-8h],rsi
242 | 
243 | J1aa:
244 | 
245 | 	mov    eax,r12d
246 | 	add    r14,rax
247 | 	sub    ebx,r12d
248 | 	lea    r12,WPP_RECORDER_INITIALIZED
249 | 	xor    esi,esi
250 | 	cmp    WPP_RECORDER_INITIALIZED,r12
251 | 	jne    J1e4
252 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
253 | 	cmp    WORD PTR [rcx+48h],si
254 | 	je     J1e4
255 | 	mov    rcx,QWORD PTR [rcx+40h]
256 | 	mov    DWORD PTR [rsp+30h],ebx
257 | 	mov    QWORD PTR [rsp+28h],r15
258 | 	call   WPP_RECORDER_SF
259 | 
260 | J1e4:
261 | 
262 | 	test   ebx,ebx
263 | 	je     J41d
264 | 	cmp    WPP_RECORDER_INITIALIZED,r12
265 | 	jne    J22f
266 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
267 | 	cmp    WORD PTR [rcx+48h],si
268 | 	je     J22f
269 | 	mov    eax,DWORD PTR [rdi+54h]
270 | 	mov    r9d,36h
271 | 	mov    rcx,QWORD PTR [rcx+40h]
272 | 	mov    DWORD PTR [rsp+38h],ebx
273 | 	lea    edx,[rax+rax*2]
274 | 	mov    eax,DWORD PTR [rdi+88h]
275 | 	shl    edx,3h
276 | 	sub    eax,edx
277 | 	mov    DWORD PTR [rsp+30h],eax
278 | 	mov    QWORD PTR [rsp+28h],r15
279 | 	call   WPP_RECORDER_SF
280 | 
281 | J22f:
282 | 
283 | 	mov    ecx,DWORD PTR [rdi+88h]
284 | 	cmp    ecx,ebx
285 | 	mov    r12d,ecx
286 | 	cmovae r12d,ebx
287 | 	sub    ecx,DWORD PTR [rdi+70h]
288 | 	mov    ebx,DWORD PTR [rdi+68h]
289 | 	add    ebx,ecx
290 | 	lea    rax,WPP_RECORDER_INITIALIZED
291 | 	cmp    WPP_RECORDER_INITIALIZED,rax
292 | 	jne    J287
293 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
294 | 	cmp    WORD PTR [rcx+48h],si
295 | 	je     J287
296 | 	mov    rcx,QWORD PTR [rcx+40h]
297 | 	mov    r9d,38h
298 | 	mov    DWORD PTR [rsp+38h],ebx
299 | 	mov    DWORD PTR [rsp+30h],r12d
300 | 	mov    QWORD PTR [rsp+28h],r15
301 | 	call   WPP_RECORDER_SF
302 | 	lea    rax,WPP_RECORDER_INITIALIZED
303 | 
304 | J287:
305 | 
306 | 	cmp    r12d,ebx
307 | 	mov    esi,r12d
308 | 	cmovae esi,ebx
309 | 	cmp    WPP_RECORDER_INITIALIZED,rax
310 | 	jne    J2cc
311 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
312 | 	xor    eax,eax
313 | 	cmp    WORD PTR [rcx+48h],ax
314 | 	je     J2cc
315 | 	mov    rcx,QWORD PTR [rcx+40h]
316 | 	lea    r9d,[rax+39h]
317 | 	mov    rax,QWORD PTR [rdi+70h]
318 | 	mov    QWORD PTR [rsp+40h],rax
319 | 	mov    QWORD PTR [rsp+38h],r14
320 | 	mov    DWORD PTR [rsp+30h],esi
321 | 	mov    QWORD PTR [rsp+28h],r15
322 | 	call   WPP_RECORDER_SF
323 | 
324 | J2cc:
325 | 
326 | 	mov    rcx,QWORD PTR [rdi+70h]
327 | 	mov    rdx,r14
328 | 	mov    r8d,esi
329 | 	mov    ebx,esi
330 | 	call   memmove
331 | 	add    QWORD PTR [rdi+70h],rbx
332 | 	add    r14,rbx
333 | 	mov    rdx,QWORD PTR [rdi+68h]
334 | 	mov    eax,DWORD PTR [rdi+88h]
335 | 	mov    rcx,QWORD PTR [rdi+70h]
336 | 	add    rax,rdx
337 | 	cmp    rcx,rax
338 | 	jb     J301
339 | 	mov    QWORD PTR [rdi+70h],rdx
340 | 	mov    rcx,rdx
341 | 
342 | J301:
343 | 
344 | 	mov    ebx,r12d
345 | 	sub    ebx,esi
346 | 	je     J362
347 | 	lea    rdx,WPP_RECORDER_INITIALIZED
348 | 	mov    rax,rcx
349 | 	cmp    WPP_RECORDER_INITIALIZED,rdx
350 | 	jne    J350
351 | 	mov    rdx, QWORD PTR WPP_GLOBAL_Control
352 | 	xor    r8d,r8d
353 | 	cmp    WORD PTR [rdx+48h],r8w
354 | 	je     J350
355 | 	mov    QWORD PTR [rsp+40h],rcx
356 | 	lea    r9d,[r8+03ah]
357 | 	mov    rcx,QWORD PTR [rdx+40h]
358 | 	mov    QWORD PTR [rsp+38h],r14
359 | 	mov    DWORD PTR [rsp+30h],ebx
360 | 	mov    QWORD PTR [rsp+28h],r15
361 | 	call   WPP_RECORDER_SF
362 | 	mov    rax,QWORD PTR [rdi+70h]
363 | 
364 | J350:
365 | 
366 | 	mov    r8,rbx
367 | 	mov    rdx,r14
368 | 	mov    rcx,rax
369 | 	call   memmove
370 | 	add    QWORD PTR [rdi+70h],rbx
371 | 
372 | J362:
373 | 
374 | 	mov    ecx,r12d
375 | 	mov    rax,0aaaaaaaaaaaaaaabh
376 | 	mul    rcx
377 | 	shr    rdx,4h
378 | 	add    DWORD PTR [rdi+54h],edx
379 | 	mov    ecx,DWORD PTR [r13+0h]
380 | 	add    ecx,edx
381 | 	mov    eax,ecx
382 | 	mov    DWORD PTR [r13+0h],ecx
383 | 	lea    r12,WPP_RECORDER_INITIALIZED
384 | 	xor    esi,esi
385 | 	cmp    WPP_RECORDER_INITIALIZED,r12
386 | 	jne    J41d
387 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
388 | 	cmp    WORD PTR [rcx+48h],si
389 | 	je     J41d
390 | 	mov    rcx,QWORD PTR [rcx+40h]
391 | 	mov    DWORD PTR [rsp+48h],eax
392 | 	mov    rax,QWORD PTR [rdi+78h]
393 | 	mov    QWORD PTR [rsp+40h],rax
394 | 	mov    rax,QWORD PTR [rdi+70h]
395 | 	mov    QWORD PTR [rsp+38h],rax
396 | 	mov    eax,DWORD PTR [rdi+54h]
397 | 	mov    DWORD PTR [rsp+30h],eax
398 | 	mov    QWORD PTR [rsp+28h],r15
399 | 	call   WPP_RECORDER_SF
400 | 	jmp    J41d
401 | 
402 | J3d5:
403 | 
404 | 	mov    rcx,rdi
405 | 	call   MouseClassDequeueRead
406 | 	mov    rbx,rax
407 | 	test   rax,rax
408 | 	je     J422
409 | 	mov    rdx,rax
410 | 	mov    rcx,rdi
411 | 	call   MouseClassReadCopyData
412 | 	mov    DWORD PTR [rbx+30h],eax
413 | 	lea    rcx,[rbp-10h]
414 | 	mov    rdx,QWORD PTR [rbp-8h]
415 | 	lea    rax,[rbx+0a8h]
416 | 	cmp    QWORD PTR [rdx],rcx
417 | 	jne    J495
418 | 	mov    QWORD PTR [rax+8h],rdx
419 | 	lea    rcx,[rbp-10h]
420 | 	mov    QWORD PTR [rax],rcx
421 | 	mov    QWORD PTR [rdx],rax
422 | 	mov    QWORD PTR [rbp-8h],rax
423 | 
424 | J41d:
425 | 
426 | 	cmp    DWORD PTR [rdi+54h],esi
427 | 
428 | 
429 | 	ja     J3d5
430 | 
431 | J422:
432 | 
433 | 	lea    rcx,[rdi+90h]
434 | 	call   QWORD PTR _KeReleaseSpinLockFromDpcLevel
435 | 	nop    DWORD PTR [rax+rax*1+0h]
436 | 
437 | J435:
438 | 
439 | 	mov    rbx,QWORD PTR [rbp-10h]
440 | 	lea    rax,[rbp-10h]
441 | 	cmp    rbx,rax
442 | 	je     J49c
443 | 	lea    rax,[rbp-10h]
444 | 	cmp    QWORD PTR [rbx+8h],rax
445 | 	jne    J495
446 | 	mov    rax,QWORD PTR [rbx]
447 | 	cmp    QWORD PTR [rax+8h],rbx
448 | 	jne    J495
449 | 	lea    rcx,[rbp-10h]
450 | 	mov    QWORD PTR [rbp-10h],rax
451 | 	mov    QWORD PTR [rax+8h],rcx
452 | 	mov    dl,6h
453 | 	lea    rcx,[rbx-0a8h]
454 | 	call   QWORD PTR _IofCompleteRequest
455 | 	nop    DWORD PTR [rax+rax*1+0h]
456 | 	lea    rcx,[rdi+20h]
457 | 	mov    r8d,20h
458 | 	lea    rdx,[rbx-0a8h]
459 | 	call   QWORD PTR _IoReleaseRemoveLockEx
460 | 	nop    DWORD PTR [rax+rax*1+0h]
461 | 	jmp    J435
462 | 
463 | J495:
464 | 
465 | 	mov    ecx,3h
466 | 	int    29h
467 | 
468 | J49C:
469 | 
470 | 	cmp    WPP_RECORDER_INITIALIZED,r12
471 | 	jne    J4c7
472 | 	mov    rcx, QWORD PTR WPP_GLOBAL_Control
473 | 	cmp    WORD PTR [rcx+48h],si
474 | 	je     J4c7
475 | 	mov    rcx,QWORD PTR [rcx+40h]
476 | 	mov    r9d,3ch
477 | 	mov    dl,5h
478 | 	lea    r8d,[r9-39h]
479 | 	call   WPP_RECORDER_SF
480 | 
481 | J4c7:
482 | 
483 | 	lea    r11,[rsp+70h]
484 | 	mov    rbx,QWORD PTR [r11+30h]
485 | 	mov    rsi,QWORD PTR [r11+38h]
486 | 	mov    rdi,QWORD PTR [r11+40h]
487 | 	mov    rsp,r11
488 | 	pop    r15
489 | 	pop    r14
490 | 	pop    r13
491 | 	pop    r12
492 | 	pop    rbp
493 | 	ret
494 | MouseClassServiceCallback endp
495 | 
496 | end
497 | 
498 | 


--------------------------------------------------------------------------------