首页
社区
课程
招聘
未解决 [求助] 鼠标过滤驱动是不是不能用 attach 的方法?
发表于: 2024-1-14 17:10 1995

未解决 [求助] 鼠标过滤驱动是不是不能用 attach 的方法?

2024-1-14 17:10
1995

环境: VMWare -> Windows 10 x64
代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#pragma once
 
#include <ntifs.h>
#include <ntstrsafe.h>
#include <ntddkbd.h>
#include <ntddmou.h>
 
#define KILLRULE_NTDEVICE_NAME L"\\Device\\KillRuleDrv"
PDEVICE_OBJECT deviceObject = NULL;
 
typedef struct _MY_EXTENSION {
    PDEVICE_OBJECT lowerDeviceObject;
}MY_EXTENSION;
 
 
ULONG PendingCount = 0;
 
VOID DriverUnload(
    _In_ struct _DRIVER_OBJECT* DriverObject
) {
    IoDetachDevice(((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject);
    IoDeleteDevice(deviceObject);
    LARGE_INTEGER lDelay = { 0 };
    lDelay.QuadPart = -10 * 1000 * 1000;
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DriverUnload PendingCount is %d\n", PendingCount));
    while (PendingCount) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KeDelayExecutionThread PendingCount is %d\n", PendingCount));
        KeDelayExecutionThread(KernelMode, FALSE, &lDelay);
    }
 
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DriverUnload.\n"));
}
 
NTSTATUS IrpPass(
    _In_ struct _DEVICE_OBJECT* DeviceObject,
    _Inout_ struct _IRP* Irp
) {
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "IrpPass.\n"));
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoCallDriver(((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject, Irp);
    return STATUS_SUCCESS;
 
}
 
NTSTATUS MyCompletionRoutine(
    _In_ PDEVICE_OBJECT DeviceObject,
    _In_ PIRP Irp,
    _In_reads_opt_(_Inexpressible_("varies")) PVOID Context
) {
    IoGetCurrentIrpStackLocation(Irp);
    // https://learn.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
    MOUSE_INPUT_DATA* data = (MOUSE_INPUT_DATA*)Irp->AssociatedIrp.SystemBuffer;
    int structNum = Irp->IoStatus.Information / sizeof(MOUSE_INPUT_DATA);
 
    if (Irp->IoStatus.Status == STATUS_SUCCESS) {
        for (int i = 0; i < structNum; i++) {
            KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Preesed key is %d\n", data[i].ButtonFlags));
        }
    }
 
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }
    PendingCount--;
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PendingCount is %d\n", PendingCount));
    return Irp->IoStatus.Status;
}
 
NTSTATUS ReadFileDevice(
    _In_ struct _DEVICE_OBJECT* DeviceObject,
    _Inout_ struct _IRP* Irp
) {
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ReadFileDevice\n"));
    IoCopyCurrentIrpStackLocationToNext(Irp);
 
    IoSetCompletionRoutine(Irp, MyCompletionRoutine, NULL, TRUE, TRUE, TRUE);
    PendingCount++;
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PendingCount is %d\n", PendingCount));
 
    NTSTATUS status = IoCallDriver(((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject, Irp);
    return status;
}
 
NTSTATUS AttachToDevice(PDEVICE_OBJECT SourceDevice)
{
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "AttachToDevice is start\n"));
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING KbdDeviceName = RTL_CONSTANT_STRING(L"\\Device\\PointerClass0");
    status = IoAttachDevice(deviceObject, &KbdDeviceName, &((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject);
    if (NT_SUCCESS(status)) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "AttachToDevice is success\n"));
    }
    else {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "AttachToDevice is failed\n"));
    }
    return status;
}
 
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
)
{
    //MiProcessLoaderEntry = (pMiProcessLoaderEntry)0xfffff80534b88ee4; // 这是用 dp 来定位的
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DriverEntry\n"));
    //KdBreakPoint();
 
    UNREFERENCED_PARAMETER(RegistryPath);
 
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicLinkName;
 
    RtlInitUnicodeString(&deviceName, KILLRULE_NTDEVICE_NAME);
 
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = IrpPass; // 其他的照常
    }
 
    DriverObject->DriverUnload = DriverUnload;
    DriverObject->MajorFunction[IRP_MJ_READ] = ReadFileDevice; // 要读键盘[设备] 端口的值
 
    NTSTATUS status = IoCreateDevice(
        DriverObject,
        sizeof(MY_EXTENSION), // 因为要用到,所以要给
        &deviceName,
        FILE_DEVICE_MOUSE,
        0,
        TRUE,
        &deviceObject);
    if (!NT_SUCCESS(status)) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to create device (0x%X)\n", status));
        return status;
    }
    deviceObject->Flags |= DO_BUFFERED_IO;
    deviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
 
    RtlZeroMemory(deviceObject->DeviceExtension, sizeof(MY_EXTENSION));
 
    status = AttachToDevice(deviceObject);
    if (NT_SUCCESS(status)) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Success to attach device (0x%X)\n", status));
    }
    else {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to attach device (0x%X)\n", status));
        IoDeleteDevice(deviceObject);
        return status;
    }
 
 
 
    status = STATUS_SUCCESS;
 
    return status;
}

这样之后没法像视频中那样出现log,就是压根不进 ReadFileDevice 这个函数中,不知道是为什么。


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 119
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
大概确实不行,但是可以用 IoAttachDeviceToDeviceStack
2024-1-17 22:06
0
游客
登录 | 注册 方可回帖
返回
//