[求助] 鼠标过滤驱动是不是不能用 attach 的方法？-求助问答-看雪-安全社区|安全招聘|kanxue.com

未解决 [求助] 鼠标过滤驱动是不是不能用 attach 的方法？

发表于: 2024-1-14 17:10 1994

未解决 [求助] 鼠标过滤驱动是不是不能用 attach 的方法？

学会规则

2024-1-14 17:10

1994

环境: VMWare -> Windows 10 x64
代码如下:

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

#pragma once
 
#include <ntifs.h>
#include <ntstrsafe.h>
#include <ntddkbd.h>
#include <ntddmou.h>
 
#define KILLRULE_NTDEVICE_NAME L"\\Device\\KillRuleDrv"
PDEVICE_OBJECT deviceObject = NULL;
 
typedef struct _MY_EXTENSION {
    PDEVICE_OBJECT lowerDeviceObject;
}MY_EXTENSION;
 
 
ULONG PendingCount = 0;
 
VOID DriverUnload(
    _In_ struct _DRIVER_OBJECT* DriverObject
) {
    IoDetachDevice(((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject);
    IoDeleteDevice(deviceObject);
    LARGE_INTEGER lDelay = { 0 };
    lDelay.QuadPart = -10 * 1000 * 1000;
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DriverUnload PendingCount is %d\n", PendingCount));
    while (PendingCount) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KeDelayExecutionThread PendingCount is %d\n", PendingCount));
        KeDelayExecutionThread(KernelMode, FALSE, &lDelay);
    }
 
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DriverUnload.\n"));
}
 
NTSTATUS IrpPass(
    _In_ struct _DEVICE_OBJECT* DeviceObject,
    _Inout_ struct _IRP* Irp
) {
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "IrpPass.\n"));
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoCallDriver(((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject, Irp);
    return STATUS_SUCCESS;
 
}
 
NTSTATUS MyCompletionRoutine(
    _In_ PDEVICE_OBJECT DeviceObject,
    _In_ PIRP Irp,
    _In_reads_opt_(_Inexpressible_("varies")) PVOID Context
) {
    IoGetCurrentIrpStackLocation(Irp);
    // https://learn.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
    MOUSE_INPUT_DATA* data = (MOUSE_INPUT_DATA*)Irp->AssociatedIrp.SystemBuffer;
    int structNum = Irp->IoStatus.Information / sizeof(MOUSE_INPUT_DATA);
 
    if (Irp->IoStatus.Status == STATUS_SUCCESS) {
        for (int i = 0; i < structNum; i++) {
            KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Preesed key is %d\n", data[i].ButtonFlags));
        }
    }
 
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }
    PendingCount--;
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PendingCount is %d\n", PendingCount));
    return Irp->IoStatus.Status;
}
 
NTSTATUS ReadFileDevice(
    _In_ struct _DEVICE_OBJECT* DeviceObject,
    _Inout_ struct _IRP* Irp
) {
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ReadFileDevice\n"));
    IoCopyCurrentIrpStackLocationToNext(Irp);
 
    IoSetCompletionRoutine(Irp, MyCompletionRoutine, NULL, TRUE, TRUE, TRUE);
    PendingCount++;
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PendingCount is %d\n", PendingCount));
 
    NTSTATUS status = IoCallDriver(((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject, Irp);
    return status;
}
 
NTSTATUS AttachToDevice(PDEVICE_OBJECT SourceDevice)
{
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "AttachToDevice is start\n"));
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING KbdDeviceName = RTL_CONSTANT_STRING(L"\\Device\\PointerClass0");
    status = IoAttachDevice(deviceObject, &KbdDeviceName, &((MY_EXTENSION*)deviceObject->DeviceExtension)->lowerDeviceObject);
    if (NT_SUCCESS(status)) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "AttachToDevice is success\n"));
    }
    else {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "AttachToDevice is failed\n"));
    }
    return status;
}
 
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
)
{
    //MiProcessLoaderEntry = (pMiProcessLoaderEntry)0xfffff80534b88ee4; // 这是用 dp 来定位的
    KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "DriverEntry\n"));
    //KdBreakPoint();
 
    UNREFERENCED_PARAMETER(RegistryPath);
 
    UNICODE_STRING deviceName;
    UNICODE_STRING symbolicLinkName;
 
    RtlInitUnicodeString(&deviceName, KILLRULE_NTDEVICE_NAME);
 
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = IrpPass; // 其他的照常
    }
 
    DriverObject->DriverUnload = DriverUnload;
    DriverObject->MajorFunction[IRP_MJ_READ] = ReadFileDevice; // 要读键盘[设备] 端口的值
 
    NTSTATUS status = IoCreateDevice(
        DriverObject,
        sizeof(MY_EXTENSION), // 因为要用到，所以要给
        &deviceName,
        FILE_DEVICE_MOUSE,
        0,
        TRUE,
        &deviceObject);
    if (!NT_SUCCESS(status)) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to create device (0x%X)\n", status));
        return status;
    }
    deviceObject->Flags |= DO_BUFFERED_IO;
    deviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
 
    RtlZeroMemory(deviceObject->DeviceExtension, sizeof(MY_EXTENSION));
 
    status = AttachToDevice(deviceObject);
    if (NT_SUCCESS(status)) {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Success to attach device (0x%X)\n", status));
    }
    else {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Failed to attach device (0x%X)\n", status));
        IoDeleteDevice(deviceObject);
        return status;
    }
 
 
 
    status = STATUS_SUCCESS;
 
    return status;
}

这样之后没法像视频中那样出现log，就是压根不进 ReadFileDevice 这个函数中，不知道是为什么。

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・0

支持

最新回复 (1)
学会规则雪币： 119 能力值： ( LV1，RANK：0 ) 在线值：发帖 5 回帖 28 粉丝 1 关注私信	学会规则 2 楼大概确实不行，但是可以用 IoAttachDeviceToDeviceStack 2024-1-17 22:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

学会规则

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
学会规则雪币： 119 能力值： ( LV1，RANK：0 ) 在线值：发帖 5 回帖 28 粉丝 1 关注私信	学会规则 2 楼大概确实不行，但是可以用 IoAttachDeviceToDeviceStack 2024-1-17 22:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复