请教:关于键盘过滤驱动中获取进程名的问题
我想在ctrl2cap的基础上加上判断是哪个程序接受按键的功能,修改Ctrl2capReadComplete如下
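/*
 * 但是获得的进程名称始终不对 IRP里面获取的始终是csrss.exe PsGetCurrentProcess获取到的有几种可能 Idle explorer.exe monitor.exe csrss.exe 请有经验的人帮帮忙,谢谢! (虚拟机 WinXP系统SP2,DriverMonitor调试)
 */

/*
 * Exported by ntoskrnl since Windows XP but not declared in the XP-era
 * ntddk.h. Returns a pointer to the kernel's own EPROCESS.ImageFileName
 * field, which is exactly what the hard-coded offset 0x174 in the original
 * code was reaching for. Using the export instead of the raw offset keeps the
 * driver working when the EPROCESS layout changes between OS versions and
 * service packs (0x174 is only valid for the XP build the poster tested on).
 */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(IN PEPROCESS Process);

/* Size of EPROCESS.ImageFileName (UCHAR[16]): at most 15 characters plus NUL. */
#define CTRL2CAP_IMAGE_NAME_LEN 16

/*
 * Copies the short image name of Process into Name (CTRL2CAP_IMAGE_NAME_LEN
 * bytes) and always NUL-terminates it. A NULL Process yields "<none>".
 *
 * The field is copied one byte short and terminated by us rather than printed
 * directly: whether the kernel guarantees a NUL when a name fills the whole
 * field is not something this code should depend on.
 * Only non-paged EPROCESS memory is touched, so this is usable from the
 * completion routine even if it runs at DISPATCH_LEVEL.
 */
static VOID
Ctrl2capCopyImageName(IN PEPROCESS Process, OUT PCHAR Name)
{
    if (Process == NULL) {
        RtlCopyMemory(Name, "<none>", sizeof("<none>"));
        return;
    }
    RtlCopyMemory(Name, PsGetProcessImageFileName(Process), CTRL2CAP_IMAGE_NAME_LEN - 1);
    Name[CTRL2CAP_IMAGE_NAME_LEN - 1] = '\0';
}

/*
 * Read-completion routine of the keyboard filter.
 *
 * Runs when the lower keyboard class driver completes a read IRP that this
 * filter passed down. For every KEYBOARD_INPUT_DATA entry in the completed
 * buffer it logs the scan code, the key direction, and the image names of
 * (1) the process owning the thread that issued the IRP and (2) the process
 * that happens to be current while the completion routine executes.
 *
 * Why the names looked "wrong" in the original: a completion routine runs in
 * an arbitrary thread context (the class driver completes the read from its
 * interrupt/DPC path, on whatever thread the CPU was executing at the time),
 * so PsGetCurrentProcess() is simply the interrupted process -- Idle,
 * explorer.exe, csrss.exe, ... -- and has no relation to the key. The IRP's
 * own thread (Irp->Tail.Overlay.Thread) is the thread that issued the read;
 * on Windows XP that is the window manager's raw-input thread, which lives in
 * csrss.exe and is the only consumer of the keyboard device. Which application
 * eventually receives the key is decided later, when win32k routes the input
 * to the foreground window, and is not visible at this layer at all. Method 1
 * is therefore correct as far as it goes (csrss.exe really is the originator
 * of every keyboard read), and method 2 is meaningless here.
 *
 * Changes from the original:
 *  - the "_asm int 3" is gone: a hard-coded breakpoint in a completion routine
 *    bug-checks any system without a kernel debugger attached (DriverMonitor
 *    only collects DbgPrint output; it is not a debugger);
 *  - the image name is read through PsGetProcessImageFileName() instead of
 *    the hard-coded XP offset 0x174, and always copied into a NUL-terminated
 *    local buffer before printing;
 *  - a NULL IRP thread (possible for IRPs not issued on behalf of a thread)
 *    no longer dereferences NULL;
 *  - "KeyData.MakeCode" on the page is read as "KeyData[i].MakeCode": KeyData
 *    is a pointer, and the "[i]" was most likely eaten by the forum's
 *    formatting; the original ctrl2cap loop indexes the array the same way.
 *
 * The double-parenthesised DbgPrint((...)) form is kept: presumably the
 * project's ctrl2cap.h wraps DbgPrint in a macro that expands these calls in
 * checked builds and drops them in free builds -- confirm against the header.
 * That also means the scan-code log, which is effectively a keystroke trace,
 * only exists in debug builds; do not replace the macro with a direct call.
 *
 * Returns the lower driver's completion status; the IRP is marked pending
 * when the lower driver returned it pending, as every completion routine
 * must.
 */
NTSTATUS
Ctrl2capReadComplete(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PKEYBOARD_INPUT_DATA KeyData;
    int numKeys, i;
    PETHREAD pthread;
    PEPROCESS pProcess;
    PEPROCESS pProcess1;
    CHAR irpProcName[CTRL2CAP_IMAGE_NAME_LEN];
    CHAR curProcName[CTRL2CAP_IMAGE_NAME_LEN];

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    // Method 1: process from the IRP (the thread that issued the read).
    pthread = Irp->Tail.Overlay.Thread;
    pProcess = (pthread != NULL) ? PsGetThreadProcess(pthread) : NULL;

    // Method 2: process from PsGetCurrentProcess (arbitrary context here).
    pProcess1 = PsGetCurrentProcess();

    if( NT_SUCCESS( Irp->IoStatus.Status ) ) {

        // Resolve both names once per IRP, not once per key.
        Ctrl2capCopyImageName(pProcess, irpProcName);
        Ctrl2capCopyImageName(pProcess1, curProcName);

        KeyData = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
        // Information is the number of bytes the class driver filled in.
        numKeys = (int)(Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA));

        for( i = 0; i < numKeys; i++ ) {
            DbgPrint(("ScanCode: %x ", KeyData[i].MakeCode ));
            // A non-zero Flags value marks a key release (KEY_BREAK).
            DbgPrint(("%s :", KeyData[i].Flags ? "Up" : "Down" ));
            DbgPrint(("IRP进程名:%s /", irpProcName));
            DbgPrint(("PsGetCurrentProcess进程名:%s \n", curProcName));
        }
    }

    // Mark the Irp pending if required
    if( Irp->PendingReturned ) {
        IoMarkIrpPending( Irp );
    }

    return Irp->IoStatus.Status;
}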