AntiJiggler

The "Mouse Jiggler" and similar products seem like a great tool for a prank or some mischief at first sight - but they can be pretty dangerous if used for evil purposes.

This will give you an idea:



Whether you're thinking about forensics experts or data thieves, one thing is certain: you should be able to counter something like the Mouse Jiggler pretty easily.

Its stated purpose is to prevent the computer password prompt from being displayed: so why don't we simply lock the desktop immediately when a new input device (mouse or keyboard) is attached to the machine? If the new hardware was attached for a legitimate reason, the user can enter his password and continue working - if he does not have a password he will have a hard time getting back to the desktop.


AntiJiggler's only GUI feature: a message presented on the Logon screen.


The program below is extremely simple. It's only ~200 lines (including whitespace, debug output and comments), and about half of that is there to wrangle the display name of the new device from Windows' depths and display it on the screen.

AntiJiggler does not require administrative privileges to do its job - or even to install.

Here's how you receive and dispatch device notifications:

// requires <windows.h>, <dbt.h> and <hidsdi.h>; link with hid.lib

// get HID interface class GUID
GUID hidGuid;
HidD_GetHidGuid(&hidGuid);

// init notification filter
DEV_BROADCAST_DEVICEINTERFACE NotificationFilter = {0};
NotificationFilter.dbcc_size = sizeof(DEV_BROADCAST_DEVICEINTERFACE);
NotificationFilter.dbcc_devicetype = DBT_DEVTYP_DEVICEINTERFACE;
NotificationFilter.dbcc_classguid = hidGuid;

// register notifications for HID devices
// (hWnd is the window whose WndProc handles WM_DEVICECHANGE)
HDEVNOTIFY hdn = RegisterDeviceNotification(hWnd, &NotificationFilter, 
	DEVICE_NOTIFY_WINDOW_HANDLE);
if (hdn == NULL)
	return 1;	// no registration means no protection; assumes this runs in WinMain

// start processing messages
// GetMessage returns -1 on error, so test for > 0 rather than non-zero
MSG msg;
while (GetMessage(&msg, NULL, 0, 0) > 0) {
	TranslateMessage(&msg);
	DispatchMessage(&msg);
}

// clean up
UnregisterDeviceNotification(hdn);


And here's how you handle them in your WndProc:

// the only message we care about
case WM_DEVICECHANGE:
	// is a device being attached?
	if (wParam == DBT_DEVICEARRIVAL) {
		DEV_BROADCAST_HDR* pHdr = (DEV_BROADCAST_HDR*)lParam;
		// correct type of device?
		if (pHdr->dbch_devicetype == DBT_DEVTYP_DEVICEINTERFACE) {
			// get struct pointer and display message
			DEV_BROADCAST_DEVICEINTERFACE* pIface = 
				(DEV_BROADCAST_DEVICEINTERFACE*)lParam;
			// lock the workstation
			LockWorkStation();
			// display a message to the user
			DisplayLockedMsg(pIface);
		}
	}
	break;

The app is tiny: in its current state, less than 60 kilobytes. There's no setup program and no user interface - just put it somewhere and make sure it starts every time you log on. You can drop it straight into your Startup folder if you like. You might want to consider renaming the executable before putting it to use so a simple look at the process list won't reveal its existence.

To get rid of AntiJiggler after it's been "installed", simply kill the process if it's running and delete the executable.

Fairly obvious improvement ideas:

  • Detect and handle products from different vendors differently. (I don't know the USB VID or PID for the Mouse Jiggler.)
  • Perform tasks other than locking the workstation (maybe run an external program to dismount TrueCrypt volumes?)
  • Allow for a customizable hotkey sequence to bypass locking the workstation (e.g. hold down left shift + left alt while plugging the mouse into your laptop to prevent the screen from locking)
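
A sketch of the first idea, as an added example that is not part of AntiJiggler's source: pull the USB vendor and product ID out of the device interface path (the dbcc_name field of DEV_BROADCAST_DEVICEINTERFACE) and skip the lock only for devices on an allowlist. It assumes a narrow-character path containing VID_xxxx and PID_xxxx tokens, as USB HID paths do; read_id, should_lock, SAMPLE_ALLOW and the sample paths are hypothetical, constructed names and values.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct usb_id { unsigned vid, pid; };

/* Constructed allowlist entry; not the ID of any real product. */
static const struct usb_id SAMPLE_ALLOW[] = { { 0x1234, 0xABCD } };

/* Find key ("VID_" or "PID_") case-insensitively; read exactly 4 hex digits. */
static int read_id(const char *path, const char *key, unsigned *out)
{
    size_t klen = strlen(key), i;
    char hex[5] = { 0 };
    for (const char *p = path; *p; p++) {
        for (i = 0; i < klen && toupper((unsigned char)p[i]) == key[i]; i++) {}
        if (i < klen) continue;               /* key does not start here */
        for (i = 0; i < 4; i++)
            if (!isxdigit((unsigned char)p[klen + i])) return 0;
        if (isxdigit((unsigned char)p[klen + 4])) return 0;
        memcpy(hex, p + klen, 4);
        *out = (unsigned)strtoul(hex, NULL, 16);
        return 1;
    }
    return 0;
}

/* 1 = lock the workstation, 0 = allowlisted device, skip the lock. */
int should_lock(const char *iface_path, const struct usb_id *allow, size_t n)
{
    unsigned vid = 0, pid = 0;
    if (!read_id(iface_path, "VID_", &vid) || !read_id(iface_path, "PID_", &pid))
        return 1;                             /* no usable ID: fail closed */
    for (size_t i = 0; i < n; i++)
        if (allow[i].vid == vid && allow[i].pid == pid) return 0;
    return 1;
}

int main(void)
{
    /* Constructed interface paths in the shape Windows reports for USB HID. */
    const char *known = "\\\\?\\HID#VID_1234&PID_ABCD#7&1a2b3c4d&0&0000#"
                        "{4d1e55b2-f16f-11cf-88cb-001111000030}";
    const char *other = "\\\\?\\hid#vid_1234&pid_0001&mi_00#8&2b3c4d5e&0&0000#"
                        "{4d1e55b2-f16f-11cf-88cb-001111000030}";
    printf("known: lock=%d\n", should_lock(known, SAMPLE_ALLOW, 1));
    printf("other: lock=%d\n", should_lock(other, SAMPLE_ALLOW, 1));
    return 0;
}
```

VID and PID are reported by the device itself and can be copied by other hardware, so an allowlist like this is a convenience for your own peripherals and not a way to authenticate them; anything that does not parse is locked.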

    AntiJiggler is distributed under the MIT license. As usual, no warranties are implied or expressly granted.


    Copyright (c) 2007, Marton Anka

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.



    You can download the source code from here: antijiggler-1.0.src.zip (10 kB)
    Win32 binary (runs on x86/x64 XP & Vista): antijiggler-1.0.bin.zip (31 kB)