键盘过滤驱动学习
***
[寒江独钓] IRP HOOK 键盘过滤之替换原键盘分发函数
MajorFunction.h
// MajorFunction.h - shared declarations for the dispatch-table hook listing:
// an include guard, a delay constant, two hand-written kernel declarations and
// the table that keeps the keyboard driver's original dispatch pointers.
#ifndef _MAJORFUNCTION_HEADERS_
#define _MAJORFUNCTION_HEADERS_
// NOTE(review): the header name after #include is missing on the page; text in
// angle brackets appears to have been stripped during extraction.
#include
// NOTE(review): the macro value is shown as "***" on the page, so the real
// definition is not recoverable from this listing.
#define DELAY_ONE_MILLISECOND ***
// NOTE(review): type and variable name are fused on the page; a separator
// (and possibly a '*') was presumably lost - confirm against the original.
extern POBJECT_TYPEIoDriverObjectType;
// Hand-written prototype for ObReferenceObjectByName, which the listing uses
// to look up a driver object by name. The last parameter is fused on the page
// ("PVOIDObjectPtr"); presumably an out-pointer - TODO confirm.
extern NTSTATUS ObReferenceObjectByName( IN PUNICODE_STRING ObjectPath,IN ULONG Attributes,IN PACCESS_STATE PassedAccessState OPTIONAL,IN ACCESS_MASK DesiredAccess OPTIONAL,IN POBJECT_TYPE ObjectType,IN KPROCESSOR_MODE AccessMode,IN OUT PVOID ParseContext OPTIONAL,OUT PVOIDObjectPtr);
// One slot per IRP major function code (0..IRP_MJ_MAXIMUM_FUNCTION). The hook
// routine stores the original handlers here and the replacement dispatch
// routine calls through it.
// NOTE(review): this is a definition, not an extern declaration, so every
// translation unit that includes the header gets its own definition.
PDRIVER_DISPATCH OldMajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1];
#endif
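#include "MajorFunction.h"

/*
 * Common dispatch routine for every IRP major function.
 *
 * Forwards the IRP unchanged to the handler saved in OldMajorFunction for the
 * IRP's major function code and returns that handler's status. The routine
 * does not read or modify the request payload.
 *
 * DeviceObject: device the IRP was sent to; passed through as-is.
 * pIrp:         the request; owned by the original handler once forwarded.
 *
 * Returns the original handler's NTSTATUS, or STATUS_INVALID_DEVICE_REQUEST
 * (after completing the IRP) when no saved handler exists for the code.
 *
 * Review note: a dispatch table that points at this routine references code
 * outside the image of the driver that owns the table, which is the condition
 * driver-object integrity checks look for.
 */
NTSTATUS
OldKeyBoardDispath(PDEVICE_OBJECT DeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(pIrp);
    /* Capture the code now: the IRP may be completed and freed by the
     * original handler, so nothing below may touch pIrp or irpStack. */
    UCHAR major = irpStack->MajorFunction;
    PDRIVER_DISPATCH original = NULL;
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    /* The table has IRP_MJ_MAXIMUM_FUNCTION + 1 slots; never index past it. */
    if (major <= IRP_MJ_MAXIMUM_FUNCTION) {
        original = OldMajorFunction[major];
    }

    /* Calling a NULL slot in kernel mode is a bugcheck; fail the request
     * cleanly instead. */
    if (original == NULL) {
        pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    Status = original(DeviceObject, pIrp);

    /* Report what actually happened instead of claiming success for every
     * request regardless of the returned status. */
    DbgPrint("IRP_MJ 0x%02x forwarded, status 0x%08x\n", major, Status);
    return Status;
}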
// Hook routine: replaces the keyboard driver's original MajorFunction entries.
//
// Visible behaviour: looks up a driver object through ObReferenceObjectByName,
// walks the major-function indices, uses InterlockedExchangePointer inside the
// loop, logs, drops the reference and returns the lookup status.
//
// NOTE(review): several argument lists and the loop header are cut off on the
// page (apparently text between '&' and ';' and between '<' and '>' was
// stripped), so the driver name, the loop bound and the exact save/exchange
// statements are not recoverable from this listing. The string delimiters are
// typographic quotes from the page, not ASCII '"'.
//
// Review note: once a dispatch table has been swapped this way, its entries
// point outside the owning driver's image; driver-object audits (for example
// Volatility's driverirp plugin on a memory image) report that mismatch.
NTSTATUS MajorFunctionHook(PDRIVER_OBJECT DriverObject)
{
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT KeyBoardDriverObject = NULL;
    UNICODE_STRING KeyBoardDriverName;
    // pFileObject is not referenced in any surviving line of this function.
    PFILE_OBJECT pFileObject = NULL;
    int nIndex = 0;
    // NOTE(review): arguments lost in extraction.
    RtlInitUnicodeString(
    // NOTE(review): arguments lost in extraction; the result is checked below.
    Status = ObReferenceObjectByName(
    if (!NT_SUCCESS(Status))
    {
        DbgPrint(“in MajorFunctionHook Get ObReferenceObjectByName by KeyBoardDriverObject Error\n“);
        // No reference was taken on failure, so Exit0 skips the dereference.
        goto Exit0;
    }
    // Save the keyboard driver's MajorFunction entries and install the new ones.
    // NOTE(review): the loop condition and the left-hand side of the first
    // statement are missing; only the tail "MajorFunction[nIndex];" survived.
    for(nIndex = 0; nIndex MajorFunction[nIndex];
    // NOTE(review): arguments lost in extraction.
    InterlockedExchangePointer(
    }
    DbgPrint(“IRP_MJ_FUNCTION Hook Successful!\n“);
    // Release the reference taken by ObReferenceObjectByName.
    ObDereferenceObject(KeyBoardDriverObject);
Exit0:
    return Status;
}
// Unload routine: puts the saved dispatch pointers back, waits briefly and
// returns.
//
// NOTE(review): argument lists and the loop header are cut off on the page, so
// the driver name and the exact restore statement are not recoverable. The
// string delimiters are typographic quotes from the page, not ASCII '"'.
//
// NOTE(review): this routine is assigned to DriverObject->DriverUnload in
// DriverEntry, but it is declared as returning NTSTATUS; a DriverUnload
// callback returns VOID, so the returned status is not consumed by the caller.
NTSTATUS UnLoadDriver(PDRIVER_OBJECT DriverObject)
{
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    int nIndex = 0;
    PDRIVER_OBJECT KeyBoardDriverObject = NULL;
    UNICODE_STRING KeyBoardName;
    LARGE_INTEGER Delay;
    // NOTE(review): arguments lost in extraction.
    RtlInitUnicodeString(
    // NOTE(review): arguments lost in extraction; the result is checked below.
    Status = ObReferenceObjectByName(
    if (!NT_SUCCESS(Status))
    {
        DbgPrint(“UnloadDriver Get Keyboard Driver Object Error\n“);
        // NOTE(review): this path skips the restore loop, so the replaced
        // dispatch entries would still point into this image after it is
        // unloaded; the next request through them would fault.
        goto Exit0;
    }
    // Swap the original dispatch functions back in.
    // NOTE(review): the loop condition and the start of the call are missing;
    // only the tail of the statement survived. nIndex starts at 0 from its
    // initializer; the first for-clause is a no-op expression.
    for (nIndex; nIndex MajorFunction[nIndex],OldMajorFunction[nIndex]);
    }
    DbgPrint(“Change MajorFunction Successful!\n“);
    // Five times DELAY_ONE_MILLISECOND; the macro's value is not shown on the page.
    Delay = RtlConvertLongToLargeInteger(5* DELAY_ONE_MILLISECOND);
    // Delay so that in-flight requests can finish.
    // NOTE(review): a fixed sleep does not prove that no thread is still
    // executing inside the replaced handler when the image goes away.
    // NOTE(review): the timeout argument and closing ");" are missing, and the
    // call that follows reads ObReferenceObject as printed, which would add a
    // reference rather than release the one taken above - confirm against the
    // original whether ObDereferenceObject was intended.
    KeDelayExecutionThread(KernelMode,FALSE,ObReferenceObject(KeyBoardDriverObject);
Exit0:
    return Status;
}
// Driver entry point: points this driver's own dispatch slots at
// OldKeyBoardDispath, registers UnLoadDriver as the unload callback, then runs
// MajorFunctionHook and returns its status.
//
// DriverObject: this driver's object, supplied by the I/O manager.
// RegisterPath: not referenced in the visible lines.
//
// Returns the status of MajorFunctionHook; a failure status returned from
// DriverEntry causes the driver load to fail.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegisterPath)
{
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    int nIndex = 0;
    // Install the new dispatch function in every slot.
    // NOTE(review): the loop condition and the object being indexed are
    // missing on the page (text between '<' and '>' appears to have been
    // stripped); presumably DriverObject->MajorFunction - TODO confirm.
    // At this point OldMajorFunction has not been filled in yet, because
    // MajorFunctionHook is only called further down.
    for (nIndex; nIndex MajorFunction[nIndex] = OldKeyBoardDispath;
    }
    // Registered so the driver can be unloaded; see the signature note on
    // UnLoadDriver (declared NTSTATUS, used as a VOID callback).
    DriverObject->DriverUnload = UnLoadDriver;
    Status = MajorFunctionHook(DriverObject);
    return Status;
}