[寒江独钓] IRP HOOK 键盘过滤之替换原键盘分发函数
标 题: [IRP HOOK] 键盘过滤驱动学习
作 者: 0xFFFFCCCC
时 间: 2012-05-20
链 接: http://hi.baidu.com/pushad/item/0a78c3ba0812e6afeaba9399
MajorFunction.h #ifndef _MAJORFUNCTION_HEADERS_ #define _MAJORFUNCTION_HEADERS_ #include <ntddk.h> #define DELAY_ONE_MILLISECOND 1000000 extern POBJECT_TYPE *IoDriverObjectType; extern NTSTATUS ObReferenceObjectByName( IN PUNICODE_STRING ObjectPath, IN ULONG Attributes, IN PACCESS_STATE PassedAccessState OPTIONAL, IN ACCESS_MASK DesiredAccess OPTIONAL, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext OPTIONAL, OUT PVOID *ObjectPtr); PDRIVER_DISPATCH OldMajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1]; #endif
#include "MajorFunction.h" // 原键盘驱动分发统一处理 NTSTATUS OldKeyBoardDispath(PDEVICE_OBJECT DeviceObject, PIRP pIrp) { NTSTATUS Status = STATUS_UNSUCCESSFUL; PIO_STACK_LOCATION irpStack = NULL; irpStack = IoGetCurrentIrpStackLocation(pIrp); Status = OldMajorFunction[irpStack->MajorFunction](DeviceObject, pIrp); DbgPrint("IRP_MJ_FUNCTIOIN complete successful!\n"); return Status; } // HOOK 函数, 替换键盘原来的MajorFunction NTSTATUS MajorFunctionHook(PDRIVER_OBJECT DriverObject) { NTSTATUS Status = STATUS_UNSUCCESSFUL; PDRIVER_OBJECT KeyBoardDriverObject = NULL; UNICODE_STRING KeyBoardDriverName; PFILE_OBJECT pFileObject = NULL; int nIndex = 0; RtlInitUnicodeString(&KeyBoardDriverName, L"\\Driver\\Kbdclass"); Status = ObReferenceObjectByName(&KeyBoardDriverName, OBJ_CASE_INSENSITIVE,\ NULL, 0, IoDriverObjectType, KernelMode, NULL, &KeyBoardDriverObject); if (!NT_SUCCESS(Status)) { DbgPrint("in MajorFunctionHook Get ObReferenceObjectByName by KeyBoardDriverObject Error\n"); goto Exit0; } //保存及设置新键盘的MajorFunction for(nIndex = 0; nIndex < IRP_MJ_MAXIMUM_FUNCTION; nIndex++) { OldMajorFunction[nIndex] = KeyBoardDriverObject->MajorFunction[nIndex]; InterlockedExchangePointer(&KeyBoardDriverObject->MajorFunction[nIndex], DriverObject->MajorFunction[nIndex]); } DbgPrint("IRP_MJ_FUNCTION Hook Successful!\n"); // 解除引用 ObDereferenceObject(KeyBoardDriverObject); Exit0: return Status; } // 卸载函数 NTSTATUS UnLoadDriver(PDRIVER_OBJECT DriverObject) { NTSTATUS Status = STATUS_UNSUCCESSFUL; int nIndex = 0; PDRIVER_OBJECT KeyBoardDriverObject = NULL; UNICODE_STRING KeyBoardName; LARGE_INTEGER Delay; RtlInitUnicodeString(&KeyBoardName, L"\\Driver\\Kbdclass"); Status = ObReferenceObjectByName(&KeyBoardName, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType,\ KernelMode, NULL, &KeyBoardDriverObject); if (!NT_SUCCESS(Status)) { DbgPrint("UnloadDriver Get Keyboard Driver Object Error\n"); goto Exit0; } // 交换原来的分发函数 for (nIndex; nIndex < IRP_MJ_MAXIMUM_FUNCTION; nIndex++) { InterlockedExchangePointer(&KeyBoardDriverObject->MajorFunction[nIndex], OldMajorFunction[nIndex]); } DbgPrint("Change MajorFunction Successful!\n"); Delay = RtlConvertLongToLargeInteger(5* DELAY_ONE_MILLISECOND); // 延时等待完成 KeDelayExecutionThread(KernelMode, FALSE, &Delay); ObReferenceObject(KeyBoardDriverObject); Exit0: return Status; } NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath) { NTSTATUS Status = STATUS_UNSUCCESSFUL; int nIndex = 0; // 设置新的键盘分发函数 for (nIndex; nIndex < IRP_MJ_MAXIMUM_FUNCTION; nIndex++) { DriverObject->MajorFunction[nIndex] = OldKeyBoardDispath; } DriverObject->DriverUnload = UnLoadDriver; Status = MajorFunctionHook(DriverObject); return Status; }