鼠标过滤驱动

mi-key2025-01-12 13:11

文章目录

概述

其编写过程大体与键盘过滤驱动相似,只需要切换一下附加的目标设备以及创建的设备类型等。但在该操作后依然无法捕获到Vmware创建的win7操作系统的鼠标irp信息,于是通过在获取鼠标驱动,遍历其所有的设备进而附加,这样便可以获取到鼠标的irp信息。

代码

c 复制代码 
#include<ntifs.h>

typedef struct
{
	PDEVICE_OBJECT LowerKbdDevice;
}DEVICE_EXTENTION,*PDEVICE_EXTENTION;

extern POBJECT_TYPE* IoDriverObjectType;

typedef struct _MOUSE_INPUT_DATA {
	USHORT UnitId;
	USHORT Flags;
	union {
		ULONG Buttons;
		struct {
			USHORT ButtonFlags;
			USHORT ButtonData;
		};
	};
	ULONG  RawButtons;
	LONG   LastX;
	LONG   LastY;
	ULONG  ExtraInformation;
} MOUSE_INPUT_DATA, * PMOUSE_INPUT_DATA;

ULONG pendingkey = 0;

NTSTATUS NTAPI ObReferenceObjectByName(PUNICODE_STRING ObjectName,
	ULONG Attributes,
	PACCESS_STATE AccessState,
	ACCESS_MASK DesiredAccess,
	POBJECT_TYPE ObjectType,
	KPROCESSOR_MODE AccessMode,
	PVOID ParseContext OPTIONAL,
	PVOID* Object);

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
	LARGE_INTEGER interval = { 0 };
	PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
	
	interval.QuadPart = -10 * 1000 * 1000;

	while (DeviceObject)
	{
		IoDetachDevice(((PDEVICE_EXTENTION)DeviceObject->DeviceExtension)->LowerKbdDevice);
		DeviceObject = DeviceObject->NextDevice;
	}
	
	//判断是否还有未处理的IRP
	while (pendingkey)
	{
		KeDelayExecutionThread(KernelMode, FALSE, &interval);
	}
	DeviceObject = DriverObject->DeviceObject;
	while (DeviceObject)
	{
		IoDeleteDevice(DeviceObject);
		DeviceObject = DeviceObject->NextDevice;
	}
	
	KdPrint(("驱动卸载结束!\n"));
}

NTSTATUS ReadComplete(PDEVICE_OBJECT DeviceObject, PIRP irp, PVOID Context)
{
	PMOUSE_INPUT_DATA KeyBuffer = (PMOUSE_INPUT_DATA)irp->AssociatedIrp.SystemBuffer;
	
	int structnum = irp->IoStatus.Information / sizeof(MOUSE_INPUT_DATA);
	if (irp->IoStatus.Status == STATUS_SUCCESS)
	{
		for (int i = 0; i < structnum; i++)
		{
			KdPrint(("ButtonFlags = %x\n", KeyBuffer->ButtonFlags));
		}
	}
	//处理完成需要将标志位设置,以声明以完成此irp的返回处理
	if (irp->PendingReturned)
	{
		IoMarkIrpPending(irp);
	}

	pendingkey--;
	return irp->IoStatus.Status;
}

NTSTATUS DispatchPass(PDEVICE_OBJECT pDeviceObject,PIRP irp)
{
	IoCopyCurrentIrpStackLocationToNext(irp);
	return IoCallDriver(((PDEVICE_EXTENTION)pDeviceObject->DeviceExtension)->LowerKbdDevice, irp);
}

NTSTATUS DispatchRead(PDEVICE_OBJECT pDeviceObject, PIRP irp)
{
	IoCopyCurrentIrpStackLocationToNext(irp);

	IoSetCompletionRoutine(irp,ReadComplete,NULL,TRUE,TRUE,TRUE,TRUE);

	pendingkey++;
	return IoCallDriver(((PDEVICE_EXTENTION)pDeviceObject->DeviceExtension)->LowerKbdDevice, irp);
}

NTSTATUS MyAttachDevice(PDRIVER_OBJECT pDriverObject)
{
	UNICODE_STRING kbdName = RTL_CONSTANT_STRING(L"\\Driver\\MouClass");
	PDRIVER_OBJECT TargetDriverObject = NULL;
	PDEVICE_OBJECT CurrentDeviceObject = NULL;
	PDEVICE_OBJECT myKbdDevice = NULL;
	PDEVICE_OBJECT lowDevice = NULL;
	NTSTATUS status = ObReferenceObjectByName(&kbdName,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,&TargetDriverObject);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("Open Mouse Driver Failed\n");
		return status;
	}
	else
	{
		// 解引用
		ObDereferenceObject(TargetDriverObject);
	}
	
	CurrentDeviceObject = TargetDriverObject->DeviceObject;
	//循环附加到目标驱动上的所有设备栈上
	while (CurrentDeviceObject)
	{
		NTSTATUS status = IoCreateDevice(pDriverObject, sizeof(DEVICE_EXTENTION), NULL, 0, FILE_DEVICE_MOUSE, FALSE, &myKbdDevice);
		if (!NT_SUCCESS(status))
		{
			myKbdDevice = CurrentDeviceObject = NULL;
			return status;
		}
		RtlZeroMemory(myKbdDevice->DeviceExtension, sizeof(DEVICE_EXTENTION));

		lowDevice = IoAttachDeviceToDeviceStack(myKbdDevice, CurrentDeviceObject);
		if (!lowDevice)
		{
			IoDeleteDevice(myKbdDevice);
			myKbdDevice = NULL;
			return status;
		}
		((PDEVICE_EXTENTION)myKbdDevice->DeviceExtension)->LowerKbdDevice = lowDevice;

		myKbdDevice->Flags |= DO_BUFFERED_IO;
		myKbdDevice->Flags &= ~DO_DEVICE_INITIALIZING;
		CurrentDeviceObject = CurrentDeviceObject->NextDevice;
	}
	
	return STATUS_SUCCESS;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
	int i = 0;
	NTSTATUS Status = STATUS_SUCCESS;
	
	for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		pDriverObject->MajorFunction[i] = DispatchPass;
	}

	pDriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;

	Status = MyAttachDevice(pDriverObject);
	if (!NT_SUCCESS(Status))
	{
		KdPrint(("AttachDevice ERROR!\n"));
	}
	else
	{
		KdPrint(("AttachDevice SUCCESS!\n"));
	}

	pDriverObject->DriverUnload = DriverUnload;
	return Status;
}

参考资料

Revised Mouse and Keyboard Filter Driver

相关推荐
网络安全创新研究院1 小时前
飞网揭秘:个人网络与团队网络功能对比
安全
有梦想的攻城狮2 小时前
Java 11中的Collections类详解
java·windows·python·java11·collections
忒可君2 小时前
C# winform FTP功能
开发语言·windows·c#
十五年专注C++开发3 小时前
CMake进阶: CMake Modules---简化CMake配置的利器
linux·c++·windows·cmake·自动化构建
Warren983 小时前
软件测试-Selenium学习笔记
java·javascript·笔记·学习·selenium·测试工具·安全
degree5203 小时前
全平台轻量浏览器推荐|支持Win/macOS/Linux,极速加载+隐私保护+扩展插件,告别广告与数据追踪!
windows·macos·电脑
字节跳动安全中心3 小时前
智能体防御 | 一文了解3种系统提示词加固方法
安全·llm
Geehy极海半导体4 小时前
APM32芯得 EP.29 | 基于APM32F103的USB键盘与虚拟串口复合设备配置详解
计算机外设·usb·usb配置
黑客影儿7 小时前
黑客哲学之学习笔记系列(三)
笔记·学习·程序人生·安全·职场和发展·网络攻击模型·学习方法
XY_墨莲伊7 小时前
【网络安全实验报告】实验六: 病毒防护实验
安全·web安全
热门推荐
01UV安装并设置国内源02DeepSeek更新!速览DeepSeek V3.1新特性03Qwen3-Coder 快速上手教程 | Qwen Code + Claude Code04KGG转MP3工具|非KGM文件|解密音频05蜘蛛磁力 搜索引擎大全,如何使用蜘蛛磁力查找磁力链接06【2025.08.06最新版】Android Studio下载、安装及配置记录(自动下载sdk)072025最新国内服务器可用docker源仓库地址大全(2025年8月更新)08阿里开源首个图像生成基础模型——Qwen-Image本地部署教程,超强中文渲染能力刷新SOTA!09NVIDIA显卡驱动、CUDA、cuDNN 和 TensorRT 版本匹配指南10TRAE 规则(Rules)配置指南:个人习惯、团队规范与最佳实践