Hooking a Dispatch Function to Intercept Keyboard Input

Source: Internet
Author: User

The friends who care about me may say it again: haha, this newbie is about to ramble again. Well, I am a newbie.

Recently, programming has become increasingly popular. School has just started, so there is a lot of time, and the library gets used often. We are determined that kernel-level programming will be completed this semester, and we have to figure it out whether it works out or not.

I have just stepped over the high threshold of driver design and found out how hard it really is. Kernel program design is different from ordinary user-mode program design, where there is a lot of help information: online, on MSDN, and in all kinds of forum topics. In kernel mode there is less help material, there are fewer forum replies, and the errors are harder to debug than before, so I suddenly did not know what to do and was at a loss for a week. Except for the "Hello World" statement printed in kernel mode, all my other programs ended in a blue screen. A driver design error is different from one in user-mode programming. It is closer to the underlying system, so once there is a logical, non-syntactic error that the compiler cannot catch, it causes a serious system error, all the way to a blue screen. For a while I did not know what to do. However, based on my years of experience, the most important thing in learning a programming language is not to give up but to keep making mistakes; with continuous training you gain a commanding view, so that you can write programs, not programs.

At last, Heaven rewarded the effort. My second program, which is not too dumb, was successfully debugged. It is an example that hooks the keyboard driver's dispatch function to intercept keyboard input. Although there are many ready-made versions on the Internet, a beginner like me cares about doing it hands-on. The process was painful. I wrote for a long time, read a lot of material, debugged countless times, and after countless blue screens I finally saw my keyboard input in DbgView. At that moment I was very happy.

The following is my hook code. It does not deal with the stability problem, that is, an IRP being sent while the dispatch function pointer is being replaced, but I have tested that it runs. In addition, I did not write the driver unload part. That is to say, once the hook starts, it cannot be stopped unless the computer is shut down. After all, I am a newbie. I just use some simple functions to comfort myself.

The code is as follows:

#include <ntddk.h>   // ntddk.h already pulls in wdm.h

#define KBD_DRIVER_NAME L"\\Driver\\Kbdclass"

ULONG gC2pKeyCount = 0;                    // global count of read IRPs still in flight
extern POBJECT_TYPE IoDriverObjectType;    // kernel export, declared here by hand
PDRIVER_DISPATCH OldDispatchRead;          // address of the original IRP_MJ_READ dispatch function

 

NTSTATUS OnReadCompletion(IN PDEVICE_OBJECT DeviceObject,
                          IN PIRP Irp,
                          IN PVOID Context
                          )   // completion routine
{
    PIO_STACK_LOCATION IrpSp;
    ULONG buf_len = 0;
    PUCHAR buf = NULL;
    size_t i;

    IrpSp = IoGetCurrentIrpStackLocation(Irp);
    if (NT_SUCCESS(Irp->IoStatus.Status))
    {
        buf = Irp->AssociatedIrp.SystemBuffer;
        buf_len = (ULONG)Irp->IoStatus.Information;
        for (i = 0; i < buf_len; ++i)   // stay within the bytes actually returned
        {
            DbgPrint("%2x\r\n", buf[i]);
        }
    }
    gC2pKeyCount--;
    if (Irp->PendingReturned)
    {
        IoMarkIrpPending(Irp);
    }
    return Irp->IoStatus.Status;
}

NTSTATUS NewDispatchRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)   // new dispatch function
{
    PIO_STACK_LOCATION IrpSp;   // everything below is what the new dispatch function adds
    IrpSp = IoGetCurrentIrpStackLocation(Irp);

    IrpSp->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL;

    // Retain the original completion routine, if any
    IrpSp->Context = IrpSp->CompletionRoutine;
    IrpSp->CompletionRoutine = (PIO_COMPLETION_ROUTINE)OnReadCompletion;
    DbgPrint("callback function set...\n");
    gC2pKeyCount++;
    return OldDispatchRead(pDeviceObject, Irp);   // call the original dispatch function to do the real work
}

 

VOID DriverUnload(PDRIVER_OBJECT DriverObject)   // unload routine, which should be improved
{
    DbgPrint("successful!");
}

// Not declared in the headers, so declare it first
NTSTATUS ObReferenceObjectByName(PUNICODE_STRING ObjectName,
                                 ULONG Attributes,
                                 PACCESS_STATE AccessState,
                                 ACCESS_MASK DesiredAccess,
                                 POBJECT_TYPE ObjectType,
                                 KPROCESSOR_MODE AccessMode,
                                 PVOID ParseContext,
                                 PVOID *Object);

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)   // entry function
{
    PDRIVER_OBJECT KbdDriverObject;
    UNICODE_STRING uniNtNameString;
    NTSTATUS status = STATUS_SUCCESS;

    RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);   // build the driver object name
    status = ObReferenceObjectByName(   // look up and reference the keyboard class driver object
        &uniNtNameString,
        OBJ_CASE_INSENSITIVE,
        NULL,
        0,
        IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID *)&KbdDriverObject);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("cannot get the KBD object\n");
        return STATUS_UNSUCCESSFUL;
    }
    else
    {
        // Save the address of the original IRP_MJ_READ dispatch function
        OldDispatchRead = KbdDriverObject->MajorFunction[IRP_MJ_READ];
        // Replace it with the address of the custom new dispatch function
        InterlockedExchangePointer((PVOID *)&KbdDriverObject->MajorFunction[IRP_MJ_READ],
                                   (PVOID)NewDispatchRead);
        ObDereferenceObject(KbdDriverObject);   // do not forget to drop the reference
    }

    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
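
How a defender spots the pointer swap described above, as an added example that is not part of the original post: each MajorFunction entry of a driver should resolve either into that driver's own image or into the kernel's default handler, so an IRP_MJ_READ entry that lands in a third module stands out. The type names, module names and addresses are constructed for illustration, and the code runs in user mode over a snapshot rather than reading live kernel memory.

```c
#include <stdint.h>
#include <stddef.h>

#define IRP_MJ_READ             0x03   /* WDK value */
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b   /* WDK value */

/* Hypothetical snapshot types, filled here from constructed data. */
typedef struct { const char *name; uint64_t base, size; } module_t;
typedef struct {
    const module_t *image;                        /* image the driver was loaded from */
    uint64_t major[IRP_MJ_MAXIMUM_FUNCTION + 1];  /* copy of MajorFunction[] */
} driver_snapshot_t;
typedef enum { OWN_IMAGE, KERNEL_DEFAULT, FOREIGN_MODULE, UNMAPPED } verdict_t;

/* Constructed loaded-module list; MODS[0] is the kernel image. */
static const module_t MODS[] = {
    { "ntoskrnl.exe", 0xfffff80000000000ULL, 0x800000 },
    { "kbdclass.sys", 0xfffff88001000000ULL, 0x10000  },
    { "hook.sys",     0xfffff88002000000ULL, 0x8000   },
};
#define NMODS (sizeof MODS / sizeof MODS[0])

verdict_t classify_dispatch(const driver_snapshot_t *drv, unsigned mj) {
    for (size_t i = 0; i < NMODS; i++) {
        if (drv->major[mj] < MODS[i].base ||
            drv->major[mj] - MODS[i].base >= MODS[i].size) continue;
        if (&MODS[i] == drv->image) return OWN_IMAGE;
        /* Unhandled majors point at the I/O manager's default stub in the kernel. */
        return i == 0 ? KERNEL_DEFAULT : FOREIGN_MODULE;
    }
    return UNMAPPED;   /* address that no loaded image accounts for */
}

/* Number of dispatch entries that need an analyst's attention. */
size_t count_flagged(const driver_snapshot_t *drv) {
    size_t hits = 0;
    for (unsigned mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++) {
        verdict_t v = classify_dispatch(drv, mj);
        hits += (v == FOREIGN_MODULE || v == UNMAPPED);
    }
    return hits;
}

/* Constructed kbdclass snapshot: clean, or with IRP_MJ_READ redirected. */
driver_snapshot_t sample_kbdclass(int hooked) {
    driver_snapshot_t d = { &MODS[1], {0} };
    for (unsigned mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)
        d.major[mj] = MODS[0].base + 0x1234;
    d.major[IRP_MJ_READ] = hooked ? MODS[2].base + 0x500 : MODS[1].base + 0x2000;
    return d;
}
```

A FOREIGN_MODULE verdict is a lead rather than proof, since the owning module still has to be identified and judged.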

 

 
