Hello all, I'm not much of a reverse engineer, but I'm trying to figure out how my mouse software communicates with the HID drivers. I need the control codes to pass onto DeviceIOControl() particularly.
Thing is, I have a rather nice 9 button mouse but the software sucks, everytime I want to play a game with the extra buttons, I have to launch the software and edit them one-by-one. Then switch them back when I go back to windows cause the buttons are really useful for browsers

The logitech and microsoft intellipoint software both work with my mouse, so it can't be a trade secret?

Like I said, I probably wont be able to reverse engineer it, so I was wondering if anyone has come across the control codes I need to change the button bindings?

Hi

I don't have any suitable setup to study, but I might guess your mouse software installs its own filter driver attached to the lower level port driver i8042prt.sys, or the upper level class driver mouclass.sys. The fact that Logitech or Intellimouse both recognize and can remap your mouse buttons may only mean that they are intercepting the mouse button clicks (via their own filter drivers) and remapping them using their own internal IO Control codes.

If you want to find the IOCTL codes your mouse uses, your choices may be:

1. Disassemble the main exe file your mouse uses, which may be a control panel extension file (.cpl), and get the codes directly from any DeviceIOControl calls. The second parameter pushed to the API DeviceIOControl is the dwIoControlCode. You won't necessarily recognize what they do offhand, but you should be able to get their values.

2. Disassemble the filter driver (assuming a secondary driver isn't used to handle IOCTL) and find the dispatch routine for the device control requests. If you were able to recognize what you were disassembling, the IOCTL codes are accessible through a structure Irp-> Parameters.DeviceIoControl.IoControlCode.

3. Try DriverSpyNt by Jeremy Collake, with this software you should be able to hook your installed mouse device and record any IRP_MJ_DEVICE_CONTROL requests and the IOCTL codes used as you play with your mouse software.


How you might use these IOCTL codes afterwards I'm not sure. The button mapping info should be stored in the registry or an .ini file, you may be able to do a quick reg or script hack or small program, to change the current mapping that way. However this may not work if there still needs to be communication with the filter driver to in some way "update" the current mapping. What ideas did you have in mind?

Regards,
Kayaker

Thanks so much for replying.

I took a look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, and one of the keys has a reference to mouclass.sys I believe, so it probably uses that upper level driver.

1. I tried debugging (even if I'm not very good at it) the mouse properties program (which btw, is this -> c:\WINDOWS\system32\control.exe Mouse). The second parameter is a pointer to the data sent to the mouse right? but in my newby-ness, I could see the address that it points to, but I didn't know how to actually view the data.

2. I have no idea how to accomplish this.

3. Will try this right after I finish this post thanks for the info.

Well, I already attempted to change the registry setting where the button bindings are kept, and it doesn't work. The mouse properties screen reflects that change, but the mouse will still be bound to the old settings, so I assumed there should be some kind of communication through DeviceIOControl to the mouse drivers (and there is, as I stated afterwards).

So what I'm gonna do is use the CreateFile() function to open the mouse device, DeviceIOControl to change whatever button bindings the user has configured, and update the registry accordingly. Only thing missing is the control codes

Well, off to try that DriverSpyNT!

Uranus, just have a look at:

IFSKIT\src\input\pnpi8042
IFSKIT\src\input\mouclass
IFSKIT\src\input\moufiltr

You will find there FULL source code of these drivers. Probably common DDK also has it. Also read in DDK docs the following sections:

I8042prt Driver Reference
Mouclass Driver Reference
Moufiltr Driver Reference

thanks for the IFSKIT tip, but I can't seem to find it anywhere!

Anyway, I tried DriverSpyNT, and got about 80 calls to DeviceIOControl whenever I change a mouse button. Most of them are identical, but the weird thing is that I tried to bind several buttons and I can't find a difference anywhere! Those 80 calls seem to be the same regardless of what binding you choose. Perhaps it just changes the registry and tells the mouse driver to update its bindings from the registry?