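/*
 * Keyboard class filter: attaches one filter device object on top of every
 * device object owned by the Kbdclass driver, forwards all IRPs, and traces
 * the scan codes of completed read requests to the kernel debugger.
 */
#include <ntddk.h>
#include <ntddkbd.h>

/* Exported by the kernel but not declared in the public headers. */
extern POBJECT_TYPE IoDriverObjectType;

/*
 * Look up an object by its object-manager path (undocumented kernel export).
 * On success *Object holds one reference that the caller must release with
 * ObDereferenceObject.
 */
NTSTATUS ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE AccessState,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN PVOID ParseContext,
    OUT PVOID *Object
    );

/* Device extension of each filter device object. */
typedef struct _FILTER_EXT {
    PDEVICE_OBJECT LowerDeviceObject;   /* device we sit on; target of IoCallDriver */
} FILTER_EXT, *PFILTER_EXT;

/*
 * Number of read IRPs forwarded below us whose completion routine has not run
 * yet. Dispatch and completion can run concurrently on different processors,
 * so it is only ever changed through Interlocked*. DriverUnload waits for it
 * to drop to zero so ReadCompletionRoutine cannot execute in an unloaded image.
 */
ULONG gKeyCount;

/* Driver entry point. */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    );

/* Driver unload routine. */
VOID DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    );

/* Dispatch routine for every major function. */
NTSTATUS Dispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

/* Attaches filter devices to the Kbdclass device stacks. */
VOID Attach(
    IN PDRIVER_OBJECT DriverObject
    );

/* Completion routine for forwarded read IRPs. */
NTSTATUS ReadCompletionRoutine(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    );

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, DriverUnload)
#pragma alloc_text(INIT, Attach)
/*
 * Dispatch and ReadCompletionRoutine are intentionally not in a PAGE section:
 * power IRPs and I/O completion may arrive at DISPATCH_LEVEL, where executing
 * pageable code bugchecks.
 */
#endif

/*
 * Driver entry point: routes every major function to Dispatch, registers the
 * unload routine and attaches to the keyboard class device stacks.
 *
 * Returns STATUS_SUCCESS; a failure inside Attach leaves the driver loaded
 * with no filter devices (Attach reports the failure to the debugger).
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    USHORT idx;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdPrint(("DriverEntry invoke\n"));

    /* One dispatch routine for all major functions; it forwards what it does not handle. */
    for (idx = 0; idx <= IRP_MJ_MAXIMUM_FUNCTION; ++idx) {
        DriverObject->MajorFunction[idx] = Dispatch;
    }
    DriverObject->DriverUnload = DriverUnload;

    gKeyCount = 0;
    Attach(DriverObject);

    return STATUS_SUCCESS;
}

/*
 * Driver unload: detaches and deletes every filter device we created, then
 * waits until no forwarded read IRP is still outstanding.
 */
VOID DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    LARGE_INTEGER interval;
    PDEVICE_OBJECT curDeviceObject;
    PDEVICE_OBJECT nextDeviceObject;

    PAGED_CODE();

    KdPrint(("DriverUnload invoke\n"));

    /* Lower our priority so the polling delay below does not hurt the rest of the system. */
    KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

    /*
     * NextDevice must be read before IoDeleteDevice: once the device object is
     * deleted, touching it again is a use-after-free.
     */
    curDeviceObject = DriverObject->DeviceObject;
    while (curDeviceObject != NULL) {
        nextDeviceObject = curDeviceObject->NextDevice;
        IoDetachDevice(((PFILTER_EXT)curDeviceObject->DeviceExtension)->LowerDeviceObject);
        IoDeleteDevice(curDeviceObject);
        curDeviceObject = nextDeviceObject;
    }

    /*
     * 100 ns units, negative = relative: 10 ms per poll. Keyboard reads stay
     * pending until a key is pressed, so this loop can block unload until the
     * next keystroke; returning earlier would leave a completion routine
     * pointing into a freed image.
     */
    interval.QuadPart = (-1) * 100 * 1000;
    while (gKeyCount > 0) {
        KeDelayExecutionThread(KernelMode, FALSE, &interval);
    }

    KdPrint(("DriverUnload ok\n"));
}

/*
 * Dispatch routine for every major function.
 *
 * Power IRPs are forwarded with PoCallDriver, PnP remove tears the filter
 * device down, reads get a completion routine that traces the returned scan
 * codes, and everything else is passed straight down the stack.
 *
 * Returns the status of the lower driver's dispatch routine.
 */
NTSTATUS Dispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PDEVICE_OBJECT lowerDeviceObject = ((PFILTER_EXT)DeviceObject->DeviceExtension)->LowerDeviceObject;
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status;

    switch (irpsp->MajorFunction) {
    case IRP_MJ_POWER:
        KdPrint(("IRP_MJ_POWER\n"));
        PoStartNextPowerIrp(Irp);
        IoSkipCurrentIrpStackLocation(Irp);
        return PoCallDriver(lowerDeviceObject, Irp);

    case IRP_MJ_PNP:
        KdPrint(("IRP_MJ_PNP\n"));
        if (irpsp->MinorFunction == IRP_MN_REMOVE_DEVICE) {
            KdPrint(("IRP_MN_REMOVE_DEVICE\n"));
            /*
             * Forward first, then detach and delete: our device object has to
             * stay valid while the IRP is still travelling down the stack.
             */
            IoSkipCurrentIrpStackLocation(Irp);
            status = IoCallDriver(lowerDeviceObject, Irp);
            IoDetachDevice(lowerDeviceObject);
            IoDeleteDevice(DeviceObject);
            return status;
        }
        KdPrint(("IRP_MJ_PNP -> Unknown MinorFunction : %x\n", irpsp->MinorFunction));
        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(lowerDeviceObject, Irp);

    case IRP_MJ_READ:
        KdPrint(("IRP_MJ_READ\n"));
        /* Counted before the IRP leaves us; ReadCompletionRoutine undoes it. */
        InterlockedIncrement((volatile LONG *)&gKeyCount);
        IoCopyCurrentIrpStackLocationToNext(Irp);
        IoSetCompletionRoutine(Irp, ReadCompletionRoutine, DeviceObject, TRUE, TRUE, TRUE);
        return IoCallDriver(lowerDeviceObject, Irp);

    default:
        KdPrint(("Unknown IRP : %x\n", irpsp->MajorFunction));
        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(lowerDeviceObject, Irp);
    }
}

/*
 * Creates a filter device for every device object of \Driver\Kbdclass and
 * attaches it to the top of that device stack. Failures for an individual
 * device are reported to the debugger and skipped.
 */
VOID Attach(
    IN PDRIVER_OBJECT DriverObject
    )
{
    NTSTATUS status;
    PDRIVER_OBJECT targetDriverObject = NULL;
    PDEVICE_OBJECT curDeviceObject;
    PDEVICE_OBJECT lowerDeviceObject;
    PDEVICE_OBJECT filterDeviceObject;
    UNICODE_STRING kbdClassName;

    KdPrint(("Attach invoke\n"));

    /* Object-manager path of the keyboard class driver object. */
    RtlInitUnicodeString(&kbdClassName, L"\\Driver\\Kbdclass");
    status = ObReferenceObjectByName(&kbdClassName,
                                     OBJ_CASE_INSENSITIVE,
                                     NULL,
                                     0,
                                     IoDriverObjectType,
                                     KernelMode,
                                     NULL,
                                     (PVOID *)&targetDriverObject);
    if (!NT_SUCCESS(status)) {
        KdPrint(("ObReferenceObjectByName failed\n"));
        return;
    }

    /* Hold the driver reference for the whole walk of its device list. */
    curDeviceObject = targetDriverObject->DeviceObject;
    while (curDeviceObject != NULL) {
        status = IoCreateDevice(DriverObject,
                                sizeof(FILTER_EXT),
                                NULL,
                                curDeviceObject->DeviceType,
                                curDeviceObject->Characteristics,
                                FALSE,
                                &filterDeviceObject);
        if (!NT_SUCCESS(status)) {
            KdPrint(("IoCreateDevice failed\n"));
        } else {
            lowerDeviceObject = IoAttachDeviceToDeviceStack(filterDeviceObject, curDeviceObject);
            if (lowerDeviceObject == NULL) {
                KdPrint(("IoAttachDeviceToDeviceStack failed\n"));
                IoDeleteDevice(filterDeviceObject);
            } else {
                ((PFILTER_EXT)filterDeviceObject->DeviceExtension)->LowerDeviceObject = lowerDeviceObject;
                /* Mirror the I/O method and power flags of the device below us. */
                filterDeviceObject->Flags |=
                    lowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);
                filterDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
            }
        }
        curDeviceObject = curDeviceObject->NextDevice;
    }

    ObDereferenceObject(targetDriverObject);
}

/*
 * Completion routine for forwarded read IRPs: traces each complete
 * KEYBOARD_INPUT_DATA record of a successful read to the kernel debugger,
 * propagates the pending state and releases the outstanding-read count.
 *
 * Returns STATUS_SUCCESS so the I/O manager continues completing the IRP.
 */
NTSTATUS ReadCompletionRoutine(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    KdPrint(("ReadCompletionRoutine invoke\n"));

    if (NT_SUCCESS(Irp->IoStatus.Status) && Irp->AssociatedIrp.SystemBuffer != NULL) {
        /*
         * SystemBuffer holds Information bytes of KEYBOARD_INPUT_DATA records.
         * Index the record array rather than advancing a byte pointer by a
         * growing offset, and ignore a trailing partial record.
         */
        PKEYBOARD_INPUT_DATA inputData = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
        ULONG_PTR count = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
        ULONG_PTR idx;

        for (idx = 0; idx < count; ++idx) {
            /* Flags also carries KEY_E0/KEY_E1; only KEY_BREAK means key-up. */
            KdPrint(("ScanCode : %x %s\n",
                     inputData[idx].MakeCode,
                     (inputData[idx].Flags & KEY_BREAK) ? "Up" : "Down"));
        }
    }

    /* Every completion routine must propagate a pending return. */
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }

    /*
     * Unload gate: decrement last, after every other access to this image.
     * DriverUnload spins until this reaches zero.
     */
    InterlockedDecrement((volatile LONG *)&gKeyCount);

    /* Anything other than STATUS_MORE_PROCESSING_REQUIRED lets completion continue. */
    return STATUS_SUCCESS;
}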