键盘过滤驱动

  1 #include <ntddk.h>
  2 #include <ntddkbd.h>
  3 #include <Ntstrsafe.h>
  4 
  5 DRIVER_INITIALIZE       DriverEntry;
  6 DRIVER_UNLOAD           UnloadDevice;
  7 IO_COMPLETION_ROUTINE   ReadCompleteCallBack;
  8 DRIVER_DISPATCH         DispatchGen;
  9 __drv_dispatchType(IRP_MJ_POWER)    DRIVER_DISPATCH    DispatchPower;
 10 __drv_dispatchType(IRP_MJ_PNP)      DRIVER_DISPATCH    DispatchPnP;
 11 __drv_dispatchType(IRP_MJ_READ)     DRIVER_DISPATCH    DispatchRead;
 12 
 13 #define KBD_DEVICE_NAME (L"\Device\KeyboardClass")
 14 #define DEVICE_NUM      (16)
 15 
 16 typedef struct _KEY_LOG_DEV_EXT
 17 {
 18     PDEVICE_OBJECT  pLowerDevObj;
 19 } KEY_LOG_DEV_EXT, *P_KEY_LOG_DEV_EXT;
 20 
 21 extern  POBJECT_TYPE    IoDriverObjectType;
 22 ULONG   g_ulKeyCount    = 0;
 23 
 24 int AttachDevice(PDRIVER_OBJECT In_pDriObj)
 25 {
 26     ULONG   uli     = 0;
 27 
 28     for (uli = 0; uli < DEVICE_NUM; uli ++)
 29     {
 30         PFILE_OBJECT    pFileObj        = NULL;
 31         PDEVICE_OBJECT  pTargetDevObj   = NULL;
 32         PDEVICE_OBJECT  pFilterDevObj   = NULL;
 33         PDEVICE_OBJECT  pLowerDevObj    = NULL;
 34         WCHAR           aWCDevName[32]  = {0};
 35         UNICODE_STRING  unstrDevName    = {0};
 36 
 37         if (!NT_SUCCESS(RtlStringCchPrintfW(aWCDevName, 32, L"%s%u", KBD_DEVICE_NAME, uli)))
 38         {
 39             goto tab_continue;
 40         }
 41         RtlInitUnicodeString(&unstrDevName, aWCDevName);
 42 
 43         if (!NT_SUCCESS(IoGetDeviceObjectPointer(&unstrDevName, FILE_ALL_ACCESS, &pFileObj, &pTargetDevObj)))
 44         {
 45             goto tab_continue;
 46         }
 47 
 48         if (!NT_SUCCESS(IoCreateDevice(In_pDriObj, sizeof(KEY_LOG_DEV_EXT), NULL, pTargetDevObj->DeviceType, pTargetDevObj->Characteristics, FALSE, &pFilterDevObj)))
 49         {
 50             goto tab_continue;
 51         }
 52 
 53         pLowerDevObj = IoAttachDeviceToDeviceStack(pFilterDevObj, pTargetDevObj);
 54         if (pLowerDevObj == NULL)
 55         {
 56             IoDeleteDevice(pFilterDevObj);
 57             pFilterDevObj = NULL;
 58             goto tab_continue;
 59         }
 60 
 61         RtlZeroMemory(pFilterDevObj->DeviceExtension, sizeof(KEY_LOG_DEV_EXT));
 62         ((P_KEY_LOG_DEV_EXT)(pFilterDevObj->DeviceExtension))->pLowerDevObj = pLowerDevObj;
 63 
 64         pFilterDevObj->DeviceType       =   pLowerDevObj->DeviceType;
 65         pFilterDevObj->Characteristics  =   pLowerDevObj->Characteristics;
 66         pFilterDevObj->StackSize        =   pLowerDevObj->StackSize + 1;
 67         pFilterDevObj->Flags            |=  pLowerDevObj->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);
 68 
 69 tab_continue:
 70         if (pTargetDevObj != NULL)
 71         {
 72             ObDereferenceObject(pTargetDevObj);
 73         }
 74         if (pFileObj != NULL)
 75         {
 76             ObDereferenceObject(pFileObj);
 77         }
 78     }
 79 
 80     return 0;
 81 }
 82 
 83 VOID UnloadDevice(PDRIVER_OBJECT In_pDriObj)
 84 {
 85     LARGE_INTEGER   liSleepTime = {0};
 86     PDEVICE_OBJECT  pDevObj     = NULL;
 87     PRKTHREAD       CurrentThread;
 88 
 89     if (In_pDriObj == NULL)
 90     {
 91         return;
 92     }
 93 
 94     liSleepTime     = RtlConvertLongToLargeInteger(1000 * 1000 * 1000);
 95     CurrentThread   = KeGetCurrentThread();
 96     KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);
 97 
 98     pDevObj = In_pDriObj->DeviceObject;
 99     while (pDevObj != NULL)
100     {
101         IoDetachDevice(((P_KEY_LOG_DEV_EXT)(pDevObj->DeviceExtension))->pLowerDevObj);
102         IoDeleteDevice(pDevObj);
103         pDevObj = pDevObj->NextDevice;
104     }
105 
106     while (g_ulKeyCount != 0)
107     {
108         KeDelayExecutionThread(KernelMode, FALSE, &liSleepTime);
109     }
110 }
111 
112 NTSTATUS DispatchGen(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
113 {
114     if (In_pDevObj == NULL || In_pIRP == NULL)
115     {
116         return STATUS_SEVERITY_ERROR;
117     }
118 
119     IoSkipCurrentIrpStackLocation(In_pIRP);
120     return IoCallDriver(((P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension))->pLowerDevObj, In_pIRP);
121 }
122 
123 NTSTATUS DispatchPower(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
124 {
125     if (In_pDevObj == NULL || In_pIRP == NULL)
126     {
127         return STATUS_SEVERITY_ERROR;
128     }
129 
130     PoStartNextPowerIrp(In_pIRP);
131     IoSkipCurrentIrpStackLocation(In_pIRP);
132     return PoCallDriver(((P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension))->pLowerDevObj, In_pIRP);
133 }
134 
135 NTSTATUS DispatchPnP(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
136 {
137     NTSTATUS            ntsRetVal   = STATUS_SUCCESS;
138     P_KEY_LOG_DEV_EXT   pDevExt     = NULL; 
139     PIO_STACK_LOCATION  pIRPStack   = NULL;
140 
141     if (In_pDevObj == NULL || In_pIRP == NULL)
142     {
143         ntsRetVal = STATUS_SEVERITY_ERROR;
144         goto fun_ret;
145     }
146 
147     pDevExt     = (P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension);
148     pIRPStack   = IoGetCurrentIrpStackLocation(In_pIRP);
149     if (pDevExt == NULL || pIRPStack == NULL)
150     {
151         ntsRetVal = STATUS_SEVERITY_ERROR;
152         goto fun_ret;
153     }
154 
155     IoSkipCurrentIrpStackLocation(In_pIRP);
156     ntsRetVal = IoCallDriver(pDevExt->pLowerDevObj, In_pIRP);
157     if (pIRPStack->MinorFunction == IRP_MN_REMOVE_DEVICE)
158     {
159         IoDetachDevice(pDevExt->pLowerDevObj);
160         IoDeleteDevice(In_pDevObj);
161     }
162 
163 fun_ret:
164     return ntsRetVal;
165 }
166 
167 NTSTATUS ReadCompleteCallBack(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP, PVOID In_pvContext)
168 {
169     static unsigned char s_ucFirstFlag = 1;
170 
171     if (In_pDevObj == NULL || In_pIRP == NULL || In_pvContext == NULL)
172     {
173         return STATUS_SEVERITY_ERROR;
174     }
175 
176     if (NT_SUCCESS(In_pIRP->IoStatus.Status))
177     {
178         size_t  i       = 0;
179         size_t  szSize  = In_pIRP->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
180         PKEYBOARD_INPUT_DATA    pKeyData    = (PKEYBOARD_INPUT_DATA)(In_pIRP->AssociatedIrp.SystemBuffer);
181         if (s_ucFirstFlag == 1 && szSize >= 1)
182         {
183             s_ucFirstFlag = 0;
184             if (pKeyData[0].Flags % 2 == 1)
185             {
186                 DbgPrint("%u	%u
", pKeyData[0].MakeCode, pKeyData[0].Flags - 1);
187                 DbgPrint("==================================
");
188             }
189         }
190         for (i = 0; i < szSize; i ++)
191         {
192             DbgPrint("%u	%u
", pKeyData[i].MakeCode, pKeyData[i].Flags);
193         }
194         DbgPrint("==================================
");
195     }
196 
197     InterlockedDecrement(&g_ulKeyCount);
198 
199     if(In_pIRP->PendingReturned)
200     {
201         IoMarkIrpPending(In_pIRP); 
202     }
203     return In_pIRP->IoStatus.Status;
204 }
205 
206 NTSTATUS DispatchRead(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
207 {
208     if (In_pDevObj == NULL || In_pIRP == NULL)
209     {
210         return STATUS_SEVERITY_ERROR;
211     }
212 
213     if (In_pIRP->CurrentLocation == 1)
214     {
215         In_pIRP->IoStatus.Status        = STATUS_INVALID_DEVICE_REQUEST; 
216         In_pIRP->IoStatus.Information   = 0;
217         IoCompleteRequest(In_pIRP, IO_NO_INCREMENT);
218         return STATUS_INVALID_DEVICE_REQUEST;
219     }
220 
221     InterlockedIncrement(&g_ulKeyCount);
222 
223     IoCopyCurrentIrpStackLocationToNext(In_pIRP);
224     IoSetCompletionRoutine(In_pIRP, ReadCompleteCallBack, In_pDevObj, TRUE, TRUE, TRUE);
225     return IoCallDriver(((P_KEY_LOG_DEV_EXT)(In_pDevObj->DeviceExtension))->pLowerDevObj, In_pIRP);
226 }
227 
228 NTSTATUS DriverEntry(PDRIVER_OBJECT In_pDriObj, PUNICODE_STRING In_punstrRegPath)
229 {
230     ULONG   uli = 0;
231 
232     if (In_pDriObj == NULL || In_punstrRegPath == NULL)
233     {
234         return STATUS_SEVERITY_ERROR;
235     }
236 
237     for (uli = 0; uli <= IRP_MJ_MAXIMUM_FUNCTION; uli ++)
238     {
239         In_pDriObj->MajorFunction[uli] = DispatchGen;
240     }
241     In_pDriObj->MajorFunction[IRP_MJ_READ]  = DispatchRead;
242     In_pDriObj->MajorFunction[IRP_MJ_POWER] = DispatchPower;
243     In_pDriObj->MajorFunction[IRP_MJ_PNP]   = DispatchPnP;
244     In_pDriObj->DriverUnload = UnloadDevice;
245 
246     if (AttachDevice(In_pDriObj) != 0)
247     {
248         return STATUS_SEVERITY_ERROR;
249     }
250     return STATUS_SUCCESS;
251 }

//支持USB键盘
#define USB_DIRVER_NAME (L"\Driver\HidUsb")
#define USBKDB_DEVICE_NAME  (L"\Driver\kbdhid")

extern "C" extern   POBJECT_TYPE    *IoDriverObjectType;
extern "C"
    NTKERNELAPI
    NTSTATUS
    ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext, 
    OUT PVOID * Object
    );

int AttachUsbDevice(PDRIVER_OBJECT In_pDriObj)
{
    int             iRetVal             = 0;
    PDRIVER_OBJECT  pUsbDriverObj       = NULL;
    UNICODE_STRING  unstrUsbDriverName  = {0};
    NTSTATUS        nsRefObjRetVal      = STATUS_SUCCESS;
    PDEVICE_OBJECT  pTargetDevObj       = NULL;

    RtlInitUnicodeString(&unstrUsbDriverName, USB_DIRVER_NAME);
　　//所有Win7下调用这个函数失败的请注意第五个参数以及上面的声明。不靠谱的XP，不靠谱的国产书，不靠谱的网上代码。
    nsRefObjRetVal = ObReferenceObjectByName(&unstrUsbDriverName, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID *)&pUsbDriverObj);
    if (!NT_SUCCESS(nsRefObjRetVal) || pUsbDriverObj == NULL)
        goto fun_ret;

    pTargetDevObj = pUsbDriverObj->DeviceObject;
    while (pTargetDevObj)
    {
        BOOLEAN         BFound      = FALSE;
        PDEVICE_OBJECT  pAttDevObj  = pTargetDevObj->AttachedDevice;
        if (pAttDevObj == NULL)
        {
            pTargetDevObj = pTargetDevObj->NextDevice;
            continue;
        }

        while (pAttDevObj)
        {
            if (MmIsAddressValid(pAttDevObj->DriverObject->DriverName.Buffer)
                && pAttDevObj->DriverObject->DriverName.Length == wcslen(USBKDB_DEVICE_NAME) * sizeof(WCHAR))
            {
                if (_wcsicmp(pAttDevObj->DriverObject->DriverName.Buffer, USBKDB_DEVICE_NAME) == 0)
                {
                    BFound = TRUE;
                    break;
                }
            }
            pAttDevObj = pAttDevObj->AttachedDevice;
        }

        if (BFound != FALSE)
        {
            PDEVICE_OBJECT  pLowerDevObj    = NULL;
            PDEVICE_OBJECT  pFilterDevObj   = NULL;
            P_KEY_LOG_DEV_EXT   pDevExt     = NULL;

            if (NT_SUCCESS(IoCreateDevice(In_pDriObj, sizeof(KEY_LOG_DEV_EXT), NULL, pTargetDevObj->DeviceType, pTargetDevObj->Characteristics, FALSE, &pFilterDevObj)))
            {
                pLowerDevObj = IoAttachDeviceToDeviceStack(pFilterDevObj, pTargetDevObj);
                if (pLowerDevObj != NULL)
                {
                    pDevExt = (P_KEY_LOG_DEV_EXT)pFilterDevObj->DeviceExtension;
                    RtlZeroMemory(pDevExt, sizeof(KEY_LOG_DEV_EXT));
                    pDevExt->pLowerDevObj   = pLowerDevObj;
                    pDevExt->ulDevType      = DEVICE_TYPE_FLT;

                    pFilterDevObj->DeviceType       =   pLowerDevObj->DeviceType;
                    pFilterDevObj->Characteristics  =   pLowerDevObj->Characteristics;
                    pFilterDevObj->StackSize        =   pLowerDevObj->StackSize + 1;
                    pFilterDevObj->Flags            |=  pLowerDevObj->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);
                }
                else
                    IoDeleteDevice(pFilterDevObj);
            }
        }

        pTargetDevObj = pTargetDevObj->NextDevice;
    }

fun_ret:
    if (NT_SUCCESS(nsRefObjRetVal) && pUsbDriverObj != NULL)
    {
        ObDereferenceObject(pUsbDriverObj);
    }
    return iRetVal;
}