A record of capturing USB traffic on Ubuntu with usbmon, the kernel's USB packet capture tool

tech  2023-02-17  88

Preface

While debugging printer network job settings with a library reconstructed from disassembly, the logs it printed differed from those of the original library, and the divergence was always at the USB transfer.

Log from the reconstructed library:

DEBUG: Net_OnlyGetDataSizeFromReplyHdr:: In
DEBUG: getNetDataByPrinterPipe:: No data need to readback
DEBUG: getNetDataByPrinterPipe:: Out. rc = 1

Log from the original library:

DEBUG: Net_OnlyGetDataSizeFromReplyHdr:: In
DEBUG: getNetDataByPrinterPipe:: readByte = 344
DEBUG: getNetDataByPrinterPipe:: malloc revBuf 344 bytes success.
DEBUG: getNetDataByPrinterPipe:: Read Data Success
DEBUG: getNetDataByPrinterPipe:: Receive Data, transferred = 344
DEBUG: getNetDataByPrinterPipe:: Out. rc = 1

Disassembly of the USB transfer in the original library (IDA listing):

.text:0000000000046C4E                 mov     esi, [lpPrinter+220h]
.text:0000000000046C54                 lea     rdi, aGetnetdatabypr_12
.text:0000000000046C5B                 xor     eax, eax
.text:0000000000046C5D                 call    _DbgMsg
.text:0000000000046C62                 movzx   esi, byte ptr [lpPrinter+220h]
.text:0000000000046C69                 mov     rdi, [rsp+0B8h+handle]
.text:0000000000046C6E                 mov     r9d, 1388h
.text:0000000000046C74                 mov     ecx, [rsp+0B8h+bufSize]
.text:0000000000046C78                 mov     r8, r12
.text:0000000000046C7B                 mov     rdx, r13
.text:0000000000046C7E                 call    _libusb_bulk_transfer
.text:0000000000046C83 errcode = rax                           ; int
.text:0000000000046C83                 test    eax, eax
.text:0000000000046C85                 mov     esi, eax
.text:0000000000046C87                 lea     rdi, aGetnetdatabypr_13
.text:0000000000046C8E                 js      short loc_46CCF
.text:0000000000046C90                 lea     rdi, aGetnetdatabypr_14
.text:0000000000046C97                 xor     eax, eax
.text:0000000000046C99 errcode = rsi                           ; int
.text:0000000000046C99                 call    _DbgMsg
.text:0000000000046C9E                 movzx   esi, byte ptr [lpPrinter+21Ch]
.text:0000000000046CA5                 mov     rdx, [rsp+0B8h+readBack]
.text:0000000000046CAA                 mov     r9d, 1388h
.text:0000000000046CB0                 mov     rdi, [rsp+0B8h+handle]
.text:0000000000046CB5                 mov     r8, r12
.text:0000000000046CB8                 mov     ecx, 20h
.text:0000000000046CBD                 call    _libusb_bulk_transfer
.text:0000000000046CC2 errcode = rax                           ; int
.text:0000000000046CC2                 test    eax, eax
.text:0000000000046CC4                 jns     short loc_46CDE
.text:0000000000046CC6                 lea     rdi, aGetnetdatabypr_15
.text:0000000000046CCD                 mov     esi, eax
.text:0000000000046CCF
.text:0000000000046CCF loc_46CCF:                              ; CODE XREF: getNetDataByPrinterPipe+2D0↑j
.text:0000000000046CCF                 xor     eax, eax
.text:0000000000046CD1 errcode = rsi                           ; int
.text:0000000000046CD1                 call    _DbgMsg
.text:0000000000046CD6
.text:0000000000046CD6 loc_46CD6:                              ; CODE XREF: getNetDataByPrinterPipe+343↓j
.text:0000000000046CD6                 xor     r14d, r14d
.text:0000000000046CD9                 jmp     loc_46D92
.text:0000000000046CDE ; ---------------------------------------------------------------------------
.text:0000000000046CDE
.text:0000000000046CDE loc_46CDE:                              ; CODE XREF: getNetDataByPrinterPipe+306↑j
.text:0000000000046CDE inBuf = r14                             ; BYTE *
.text:0000000000046CDE errcode = rax                           ; int
.text:0000000000046CDE                 lea     rdi, aGetnetdatabypr_16
.text:0000000000046CE5                 xor     eax, eax
.text:0000000000046CE7                 call    _DbgMsg
.text:0000000000046CEC                 cmp     [rsp+0B8h+transferred], 20h
.text:0000000000046CF1                 jz      short loc_46D03
.text:0000000000046CF3                 lea     rdi, aGetnetdatabypr_17
.text:0000000000046CFA                 xor     eax, eax
.text:0000000000046CFC                 call    _DbgMsg
.text:0000000000046D01                 jmp     short loc_46CD6
.text:0000000000046D03 ; ---------------------------------------------------------------------------
.text:0000000000046D03
.text:0000000000046D03 loc_46D03:                              ; CODE XREF: getNetDataByPrinterPipe+333↑j
.text:0000000000046D03                 mov     rdi, [rsp+0B8h+readBack] ; readBack
.text:0000000000046D08                 call    _Net_OnlyGetDataSizeFromReplyHdr
.text:0000000000046D0D readByte = rax                          ; int
.text:0000000000046D0D                 test    eax, eax
.text:0000000000046D0F                 jnz     short loc_46D25
.text:0000000000046D11                 lea     rdi, aGetnetdatabypr_18
.text:0000000000046D18                 xor     r14d, r14d
.text:0000000000046D1B                 call    _DbgMsg
.text:0000000000046D20                 jmp     loc_46DC3
.text:0000000000046D25 ; ---------------------------------------------------------------------------
.text:0000000000046D25
.text:0000000000046D25 loc_46D25:                              ; CODE XREF: getNetDataByPrinterPipe+351↑j
.text:0000000000046D25 inBuf = r14                             ; BYTE *
.text:0000000000046D25 readByte = rax                          ; int
.text:0000000000046D25                 lea     rdi, aGetnetdatabypr_19
.text:0000000000046D2C                 mov     esi, eax
.text:0000000000046D2E                 movsxd  r15, ebx
.text:0000000000046D31                 xor     eax, eax
.text:0000000000046D33 readByte = rsi                          ; int
.text:0000000000046D33                 call    _DbgMsg

The corresponding code recovered from the disassembly:

// Send the command held in writeBuf to the printer (bulk OUT endpoint, 5000 ms timeout)
rsl = libusb_bulk_transfer(handle, lpPrinter->usb.printer_EP_OUT, writeBuf, bufSize, &transferred, 5000);
if( rsl != 0 )   // the listing tests the sign (js), i.e. rsl < 0; libusb_bulk_transfer returns 0 or a negative LIBUSB_ERROR code, so the two are equivalent
{
    DbgMsg("getNetDataByPrinterPipe:: (1)Error during control transfer: errorcode = %d", rsl);
    revBuf = NULL;
    rc = 0;
    free(writeBuf);
    goto func_end;
}
DbgMsg("getNetDataByPrinterPipe:: Write command success");

// Read the printer's reply into replyHeader (bulk IN endpoint, 32 bytes)
rsl = libusb_bulk_transfer(handle, lpPrinter->usb.printer_EP_IN, replyHeader, sizeof(replyHeader), &transferred, 5000);
if( rsl != 0 )
{
    DbgMsg("getNetDataByPrinterPipe:: (2)Error libusb_bulk_transfer transfer: errorcode = %d", rsl);
    revBuf = NULL;
    rc = 0;
    free(writeBuf);
    goto func_end;
}
DbgMsg("getNetDataByPrinterPipe:: Read ReplyHeader Success");

// The reply counts as received only if exactly sizeof(replyHeader) bytes arrived (cmp transferred, 20h)
if( transferred != sizeof(replyHeader) )
{
    DbgMsg("getNetDataByPrinterPipe:: transferred != %d", (int)sizeof(replyHeader));
    revBuf = NULL;
    rc = 0;
    free(writeBuf);
    goto func_end;
}

// Does replyHeader announce data that must be read back?
readByte = Net_OnlyGetDataSizeFromReplyHdr(replyHeader);
if( !readByte )
{
    DbgMsg("getNetDataByPrinterPipe:: No data need to readback");
    revBuf = NULL;
    rc = 1;
    free(writeBuf);
    goto func_end;
}
DbgMsg("getNetDataByPrinterPipe:: readByte = %d", readByte);

In the end my skills fell short: after staring at the assembly for half a day I could not find where the mistake was. So I captured the USB traffic of the original library and compared it with the traffic of the reconstructed one.

Main part

usbmon is the USB traffic monitor built into the Linux kernel; Ubuntu ships it as a kernel module:

neko@neko:~$ ls /lib/modules/4.15.0-20-generic/kernel/drivers/usb/mon/
usbmon.ko

Usage
1) Run sudo mount -t debugfs none /sys/kernel/debug (debugfs is normally mounted already)
2) Run sudo modprobe usbmon
3) List the monitor files that appear, one set per USB bus: sudo ls /sys/kernel/debug/usb/usbmon

neko@neko:~$ sudo ls /sys/kernel/debug/usb/usbmon
0s  0u  1s  1t  1u  2s  2t  2u

4) Find the bus number (Bus) of the device to monitor: sudo cat /sys/kernel/debug/usb/devices

neko@neko:~$ sudo cat /sys/kernel/debug/usb/devices
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 12 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P:  Vendor=0638 ProdID=2e0f Rev= 0.01
S:  Manufacturer=ZHONGCHU
S:  Product=ZHONGCHU ZC-P6900DN
S:  SerialNumber=AAAAAAA
C:* #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr= 2mA
I:* If#= 0 Alt= 0 #EPs= 5 Cls=06(still) Sub=ff Prot=ff Driver=(none)
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS= 32 Ivl=64ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=07(print) Sub=01 Prot=02 Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2
B:  Alloc= 17/900 us ( 2%), #Int= 1, #Iso= 0
D:  Ver= 1.10 Cls=09(hub ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P:  Vendor=1d6b ProdID=0001 Rev= 4.15
S:  Manufacturer=Linux 4.15.0-20-generic uhci_hcd
S:  Product=UHCI Host Controller
S:  SerialNumber=0000:02:00.0
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS= 2 Ivl=255ms

Identify the device by its VID, PID, product string and so on; the T: record it belongs to gives the bus number. The device I am looking for is described as follows, so it sits on Bus=01, i.e. the USB bus to monitor is 01. The same T: record gives Dev#= 12, the device address that tags this device's lines in the capture (as 012), and the Cls=07(print) interface with bulk endpoints 81(I) and 01(O) is the one the print commands travel over.

P:  Vendor=0638 ProdID=2e0f Rev= 0.01
S:  Manufacturer=ZHONGCHU
S:  Product=ZHONGCHU ZC-P6900DN

5) Read the packets on that bus: cat /sys/kernel/debug/usb/usbmon/xu, where x is the bus number. I want to monitor Bus=01, so x is 1; to capture every bus at once, use 0. Note that these text files print at most 32 bytes of each transfer's payload (longer transfers are cut off after eight data words); to see complete payloads, capture the binary interface /dev/usbmonX instead, which is what Wireshark and tcpdump use.
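Steps 4 and 5 can be automated. The following Python example is added here and is not part of the original post: it parses the /sys/kernel/debug/usb/devices listing, finds a device by VID:PID, and returns the usbmon file to read, the ":bus:devnum:" substring that marks that device's lines in a capture, and the bulk endpoints of its printer-class interface. SAMPLE_DEVICES is a trimmed copy of the listing above, embedded so the functions can be exercised without the hardware; the function names are my own.

```python
"""Find a USB device in /sys/kernel/debug/usb/devices by VID:PID and derive
the usbmon file, the "bus:devnum" address that tags its capture lines, and
the bulk endpoints of the interface to watch.  Added example, not from the
post; SAMPLE_DEVICES is a constructed, trimmed copy of the post's listing."""
import re

DEVICES_FILE = "/sys/kernel/debug/usb/devices"


def parse_devices(text):
    """Split the T:/P:/S:/I:/E: records into one dict per device.  Numbers
    are right-aligned in the file ("Dev#= 12"), hence the \\s* in patterns."""
    devices, dev, iface = [], None, None
    for line in text.splitlines():
        tag = line[:2]
        if tag == "T:":
            m = re.search(r"Bus=\s*(\d+).*?Dev#=\s*(\d+)", line)
            dev = {"bus": int(m.group(1)), "devnum": int(m.group(2)),
                   "vid": None, "pid": None, "product": "", "interfaces": []}
            devices.append(dev)
            iface = None
        elif dev is None:
            continue
        elif tag == "P:":
            m = re.search(r"Vendor=([0-9a-f]{4})\s+ProdID=([0-9a-f]{4})", line)
            dev["vid"], dev["pid"] = m.group(1), m.group(2)
        elif tag == "S:" and "Product=" in line:
            dev["product"] = line.split("Product=", 1)[1].strip()
        elif tag == "I:":
            m = re.search(r"If#=\s*(\d+).*?Cls=([0-9a-f]{2})\(([^)]*)\)", line)
            iface = {"ifnum": int(m.group(1)), "cls": m.group(2),
                     "clsname": m.group(3).strip(), "eps": []}
            dev["interfaces"].append(iface)
        elif tag == "E:" and iface is not None:
            m = re.search(r"Ad=([0-9a-f]{2})\(([IO])\)\s+Atr=[0-9a-f]{2}\(([^)]*)\)", line)
            iface["eps"].append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return devices


def find_device(devices, vid, pid):
    """The device with this vendor/product id, or None if it is not attached."""
    vid, pid = vid.lower(), pid.lower()
    return next((d for d in devices if d["vid"] == vid and d["pid"] == pid), None)


def usbmon_file(dev):
    """Text-interface file carrying this device's traffic: bus number + 'u'."""
    return f"/sys/kernel/debug/usb/usbmon/{dev['bus']}u"


def usbmon_address(dev):
    """Substring to grep for in usbmon lines.  The address word looks like
    "Bo:1:012:1": type/direction, bus, 3-digit device number, endpoint."""
    return f":{dev['bus']}:{dev['devnum']:03d}:"


def bulk_endpoints(dev, cls="07"):
    """(address, direction) of the bulk endpoints on the first interface with
    the given class code; 07 is the USB printer class."""
    for i in dev["interfaces"]:
        if i["cls"] == cls:
            return [(a, d) for a, d, t in i["eps"] if t.startswith("Bulk")]
    return []


# Constructed sample: the post's listing, with a few endpoint lines dropped.
SAMPLE_DEVICES = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 12 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0638 ProdID=2e0f Rev= 0.01
S:  Manufacturer=ZHONGCHU
S:  Product=ZHONGCHU ZC-P6900DN
S:  SerialNumber=AAAAAAA
C:* #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr=  2mA
I:* If#= 0 Alt= 0 #EPs= 5 Cls=06(still) Sub=ff Prot=ff Driver=(none)
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  32 Ivl=64ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=07(print) Sub=01 Prot=02 Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12   MxCh= 2
B:  Alloc= 17/900 us ( 2%), #Int=  1, #Iso=  0
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev= 4.15
S:  Product=UHCI Host Controller
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   2 Ivl=255ms
"""

if __name__ == "__main__":
    import sys
    vid, pid = sys.argv[1:3] if len(sys.argv) == 3 else ("0638", "2e0f")
    try:
        text = open(DEVICES_FILE).read()      # needs root and a mounted debugfs
    except OSError:
        text = SAMPLE_DEVICES
    dev = find_device(parse_devices(text), vid, pid)
    if dev is None:
        sys.exit(f"{vid}:{pid} is not attached")
    print(dev["product"], usbmon_file(dev), usbmon_address(dev), bulk_endpoints(dev))
```

Run as `sudo python3 find_usb.py 0638 2e0f` on the live system; without the file it falls back to the embedded sample. The address string it returns (":1:012:" here) is what to grep for in the capture when other devices share the bus.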

Packets captured while calling the original library:

neko@neko:~$ sudo cat /sys/kernel/debug/usb/usbmon/1u
ffff952ac43140c0 3004133315 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43140c0 3004133626 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac43140c0 3004133753 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952ac43140c0 3004134909 C Ci:1:012:0 0 4 = 04030904
ffff952ac43140c0 3004134983 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43140c0 3004137237 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952ac6b58d80 3004427176 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004427585 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004427627 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004441157 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00000000 58010000 f7280000 00000000 00000000
ffff952ac6b58d80 3004441297 S Bi:1:012:1 -115 344 <
ffff952ac6b58d80 3004442327 C Bi:1:012:1 0 344 = 9033c3ec 88550000 00000000 65000000 01000000 1b000000 2f6f7267 2f667265
ffff952ac6b58d80 3004442827 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004444242 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004444319 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004451656 C Bi:1:012:1 0 32 = 23524553 4f504552 07018134 00000000 06000000 c4010000 00000000 00000000
ffff952ac6b58d80 3004451827 S Bi:1:012:1 -115 6 <
ffff952ac6b58d80 3004453138 C Bi:1:012:1 0 6 = 00023251 59e6
ffff952ac6b58d80 3004453593 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004454791 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004454851 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004459528 C Bi:1:012:1 0 32 = 23524553 4f504552 07018135 00000000 06000000 00000000 00000000 00000000
ffff952ac6b58d80 3004459665 S Bi:1:012:1 -115 6 <
ffff952ac6b58d80 3004460768 C Bi:1:012:1 0 6 = 00000000 0000
ffff952ac43e5bc0 3019919468 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43e5bc0 3019919821 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac43e5bc0 3019920003 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952ac43e5bc0 3019921667 C Ci:1:012:0 0 4 = 04030904
ffff952ac43e5bc0 3019921765 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43e5bc0 3019923118 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952ac6b58cc0 3020193373 S Bo:1:012:1 -115 458 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58cc0 3020193645 C Bo:1:012:1 0 458 >
ffff952ac6b58cc0 3020193688 S Bi:1:012:1 -115 32 <
ffff952ac6b58cc0 3020200401 C Bi:1:012:1 0 32 = 23524553 4f504552 07018236 00000000 00000000 00000000 00000000 00000000

Packets captured while calling the reverse-engineered library:

neko@neko:~$ sudo cat /sys/kernel/debug/usb/usbmon/1u
ffff952aefab2540 3248502374 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952aefab2540 3248502807 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952aefab2540 3248503007 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952aefab2540 3248504003 C Ci:1:012:0 0 4 = 04030904
ffff952ac43e4900 3248505240 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43e4900 3248506024 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952ac43e5380 3248788561 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248788829 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248788958 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248794049 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00010000 00000000 00000000 00000000 00000000
ffff952ac43e5380 3248795935 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248796883 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248797023 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248803548 C Bi:1:012:1 0 32 = 23524553 4f504552 07018134 00010000 00000000 00000000 00000000 00000000
ffff952ac43e5380 3248805724 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248806825 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248806963 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248813440 C Bi:1:012:1 0 32 = 23524553 4f504552 07018135 00010000 00000000 00000000 00000000 00000000
ffff952ac43152c0 3251683411 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43152c0 3251683764 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac43152c0 3251683898 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952ac43152c0 3251685598 C Ci:1:012:0 0 4 = 04030904
ffff952ac43152c0 3251685695 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952ac43152c0 3251686886 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952aefab29c0 3601628752 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952aefab29c0 3601629096 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952aefab29c0 3601629223 S Ci:1:012:0 s 80 06 0300 0000 00ff 255 <
ffff952aefab29c0 3601630282 C Ci:1:012:0 0 4 = 04030904
ffff952aefab29c0 3601630398 S Ci:1:012:0 s 80 06 0303 0409 00ff 255 <
ffff952aefab29c0 3601631788 C Ci:1:012:0 0 16 = 10034100 41004100 41004100 41004100
ffff952aefab2840 3601941687 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952aefab2840 3601941951 C Bo:1:012:1 0 114 >
ffff952aefab2840 3601942101 S Bi:1:012:1 -115 32 <
ffff952aefab2840 3601947329 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00010000 00000000 00000000 00000000 00000000
ffff952aefab2840 3601951485 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952aefab2840 3601951996 C Bo:1:012:1 0 114 >
ffff952aefab2840 3601952184 S Bi:1:012:1 -115 32 <
ffff952aefab2840 3601956917 C Bi:1:012:1 0 32 = 23524553 4f504552 07018134 00010000 00000000 00000000 00000000 00000000
ffff952ac43e4cc0 3601961587 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e4cc0 3601962277 C Bo:1:012:1 0 114 >
ffff952ac43e4cc0 3601962619 S Bi:1:012:1 -115 32 <
ffff952ac43e4cc0 3601966634 C Bi:1:012:1 0 32 = 23524553 4f504552 07018135 00010000 00000000 00000000 00000000 00000000

Here writeBuf sends 114 bytes (the Bo lines) and replyHeader receives 32 bytes (the Bi lines that follow). Comparing the two captures, the data sent looks identical while the data received differs. Keep in mind that usbmon's text interface shows only the first 32 bytes of each transfer, so what is actually compared on the OUT side is the 32-byte prefix ESC%-12345X@PJL ENTER LANGUAGE = R; the other 82 bytes of the command are not visible in either capture. On the IN side the difference is plain: the original library's reply header carries 58010000 at offset 16, i.e. 0x158 = 344 little-endian, which is exactly the readByte = 344 it then reads back, whereas the reconstructed library's reply has 00010000 at offset 12 and nothing but zeros from offset 16 on, which matches its "No data need to readback" log. By rights, if what goes out is the same, what comes back should be the same too. I am still looking for the cause and will update once it is solved.

For the exact layout of the captured lines, see Documentation/usb/usbmon.txt in the Linux kernel source tree (usbmon.rst in newer kernels) or the same document on kernel.org.
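To turn two such captures into something comparable without reading hex by eye, here is an added Python example (mine, not part of the original post) that parses the usbmon text format described in that document, pairs each S line with its C line by URB tag, decodes the 32-byte #RESOPER reply header, and diffs the original and reconstructed captures exchange by exchange. The sample lines are the post's own captures trimmed to the first command/reply exchange. Two things are assumptions rather than documented facts: that a bulk OUT directly followed by a bulk IN is one command/reply exchange, and that the little-endian dword at offset 16 of the reply is the read-back byte count (it matches readByte = 344 above). The example also flags that only 32 of the 114 command bytes are visible, so the captures cannot prove the two commands were identical.

```python
"""Parse usbmon text output (usbmon/Xu), pair each URB submission (S) with
its completion (C) by URB tag, and compare the printer's 32-byte reply
headers between two captures.  Added example, not code from the post; the
sample lines are the post's captures trimmed to the first exchange, and the
header layout (little-endian byte count at offset 16) is inferred from them."""
import struct


def parse_event(line):
    """One usbmon text line -> dict (control and bulk only).  After the address
    word comes a status, or for control submissions 's' plus the five setup
    words bmRequestType bRequest wValue wIndex wLength, then length and data."""
    tok = line.split()
    tag, ts, etype, addr = tok[0], int(tok[1]), tok[2], tok[3]
    xfer, direction = addr[0], addr[1]          # 'B','o' from "Bo:1:012:1"
    bus, devnum, ep = (int(x) for x in addr[3:].split(":"))
    setup, status, i = None, None, 4
    if tok[i] == "s":
        setup = struct.pack("<BBHHH", *(int(x, 16) for x in tok[5:10]))
        i = 10
    else:
        status, i = int(tok[i]), 5
    length, flag = int(tok[i]), tok[i + 1]      # '=' means data words follow
    data = bytes.fromhex("".join(tok[i + 2:])) if flag == "=" else b""
    return dict(tag=tag, ts=ts, etype=etype, xfer=xfer, direction=direction,
                bus=bus, devnum=devnum, endpoint=ep, status=status,
                length=length, data=data, setup=setup)


def pair_transfers(lines):
    """Join S and C events sharing a URB tag (a kernel address that is reused,
    so each C is matched to the latest unmatched S with that tag)."""
    pending, done = {}, []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["etype"] == "S":
            pending[ev["tag"]] = ev
            continue
        sub = pending.pop(ev["tag"], None)
        if sub is None:
            continue
        # OUT payload is printed on the S line, IN payload on the C line.  The
        # text interface shows at most 32 bytes (DATA_MAX in mon_text.c), so
        # longer transfers are flagged: their bytes cannot be fully compared.
        ev["data"] = sub["data"] if ev["direction"] == "o" else ev["data"]
        ev["setup"] = sub["setup"]
        ev["truncated"] = len(ev["data"]) < ev["length"]
        done.append(ev)
    return done


def decode_reply_header(hdr):
    """32-byte '#RESOPER' reply: bytes 8-11 look like a command id; the dword
    at 16 equals the count the original library reads back next (344 in the
    post).  Bytes 12-15 are returned raw, their meaning is unknown here."""
    if len(hdr) != 32 or hdr[:8] != b"#RESOPER":
        raise ValueError("not a 32-byte #RESOPER header: %r" % hdr)
    return {"cmd": hdr[8:12].hex(), "word3": hdr[12:16].hex(),
            "readback_len": struct.unpack_from("<I", hdr, 16)[0]}


def bulk_exchanges(lines, bus, devnum, ep):
    """Command/reply pairs on one endpoint: a bulk OUT directly followed by a
    bulk IN (assumed to be how this printer's command channel works)."""
    xs = [t for t in pair_transfers(lines) if t["xfer"] == "B"
          and (t["bus"], t["devnum"], t["endpoint"]) == (bus, devnum, ep)]
    return [(a, b) for a, b in zip(xs, xs[1:])
            if a["direction"] == "o" and b["direction"] == "i"]


def compare_captures(lines_a, lines_b, bus, devnum, ep):
    """Per exchange: do the visible command bytes match, was the command longer
    than usbmon showed, and which reply-header bytes differ (offset, a, b)."""
    report = []
    for (out_a, in_a), (out_b, in_b) in zip(bulk_exchanges(lines_a, bus, devnum, ep),
                                            bulk_exchanges(lines_b, bus, devnum, ep)):
        report.append({
            "cmd_visible_equal": out_a["data"] == out_b["data"],
            "cmd_truncated": out_a["truncated"] or out_b["truncated"],
            "reply_diff": [(i, x, y) for i, (x, y) in
                           enumerate(zip(in_a["data"], in_b["data"])) if x != y],
            "readback_len": (decode_reply_header(in_a["data"])["readback_len"],
                             decode_reply_header(in_b["data"])["readback_len"])})
    return report


# Constructed from the post's captures: original library, first exchange, plus
# the printer-class GET_DEVICE_ID control request (a1 00) issued before it.
CAPTURE_ORIGINAL = """\
ffff952ac43140c0 3004133315 S Ci:1:012:0 s a1 00 0000 0000 0400 1024 <
ffff952ac43140c0 3004133626 C Ci:1:012:0 0 103 = 00674d46 473a5a48 4f4e4743 4855203b 434d443a 4d465058 444d413b 4d444c3a
ffff952ac6b58d80 3004427176 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac6b58d80 3004427585 C Bo:1:012:1 0 114 >
ffff952ac6b58d80 3004427627 S Bi:1:012:1 -115 32 <
ffff952ac6b58d80 3004441157 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00000000 58010000 f7280000 00000000 00000000
ffff952ac6b58d80 3004441297 S Bi:1:012:1 -115 344 <
ffff952ac6b58d80 3004442327 C Bi:1:012:1 0 344 = 9033c3ec 88550000 00000000 65000000 01000000 1b000000 2f6f7267 2f667265
""".splitlines()

# Reverse-engineered library, same first command.
CAPTURE_REVERSED = """\
ffff952ac43e5380 3248788561 S Bo:1:012:1 -115 114 = 1b252d31 32333435 5840504a 4c20454e 54455220 4c414e47 55414745 203d2052
ffff952ac43e5380 3248788829 C Bo:1:012:1 0 114 >
ffff952ac43e5380 3248788958 S Bi:1:012:1 -115 32 <
ffff952ac43e5380 3248794049 C Bi:1:012:1 0 32 = 23524553 4f504552 07018133 00010000 00000000 00000000 00000000 00000000
""".splitlines()
```

On a live system, save each run with `sudo cat /sys/kernel/debug/usb/usbmon/1u > orig.txt` (and likewise for the reconstructed library) and call `compare_captures(open("orig.txt").read().splitlines(), open("rev.txt").read().splitlines(), 1, 12, 1)`. For the first exchange of the post's captures the report says the visible command bytes are equal but truncated, the read-back lengths are (344, 0), and the reply headers differ at offsets 13, 16, 17, 20 and 21. Because cmd_truncated is true, the next step is a full-payload capture through /dev/usbmon1 (Wireshark or tcpdump) to compare all 114 command bytes rather than the first 32.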

If anyone can see what is going on, please leave a comment and point me in the right direction. Thanks!
