|
阅读:1467回复:0
键盘类驱动分发函数HOOK蓝屏
代码如下:
#include <wdm.h> #define KBD_DRIVER_NAME L"\\Driver\\Kbdclass" extern POBJECT_TYPE IoDriverObjectType; typedef struct _C2P_DEV_EXT { PDEVICE_OBJECT TargetDeviceObject; } C2P_DEV_EXT, *PC2P_DEV_EXT; NTSTATUS ObReferenceObjectByName( PUNICODE_STRING ObjectName, ULONG Attributes, PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID *Object ); NTSTATUS MyFilterDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp) { KdPrint(("分发函数已经被我替换\n")); IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(((PC2P_DEV_EXT) pDeviceObject->DeviceExtension)->TargetDeviceObject, Irp); } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { ULONG i; NTSTATUS status; PDRIVER_OBJECT KbdDriverObject = NULL; PDEVICE_OBJECT pTargetDeviceObject=NULL; UNICODE_STRING uniNtNameString; KIRQL oldirql; PC2P_DEV_EXT devExt; PDRIVER_DISPATCH OldDispatchFunctions[IRP_MJ_MAXIMUM_FUNCTION+1]; RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME); status = ObReferenceObjectByName ( &uniNtNameString, OBJ_CASE_INSENSITIVE, NULL, 0, IoDriverObjectType, KernelMode, NULL, &KbdDriverObject ); // 如果失败了就直接返回 if(!NT_SUCCESS(status)) { KdPrint(("MyAttach: Couldn't get the MyTest Device Object\n")); return( status ); } else { ObDereferenceObject(DriverObject); } //得到第一个设备 pTargetDeviceObject=KbdDriverObject->DeviceObject; while(pTargetDeviceObject) { devExt=(PC2P_DEV_EXT)(pTargetDeviceObject->DeviceExtension); devExt->TargetDeviceObject=pTargetDeviceObject; pTargetDeviceObject=pTargetDeviceObject->NextDevice; } KeRaiseIrql(DISPATCH_LEVEL, &oldirql); for(i=0; i<=IRP_MJ_MAXIMUM_FUNCTION; i++) { //存储原驱动分发函数指针 OldDispatchFunctions=KbdDriverObject->MajorFunction; //进行原子交易操作 InterlockedExchangePointer(&KbdDriverObject->MajorFunction, MyFilterDispatch); } KeLowerIrql(oldirql); return status; } 为什么安装服务后 一启动服务就蓝屏呢 |
|
