技術原理

何為符號鏈接?符號鏈接是一個別名,可以指向任意一個有名字的對象.

ZwCreateFile 不但可以打開文件,也可以打開設備對象(返回類似文件句柄的句柄)

何為PDO?字面意思是物理設備,PDO是設備棧最下面的那個設備對象

windows從擊鍵到內核

csrss.exe進程,他有一個線程是 win32!RawInputThread ,線程通過 GUID 來獲得鍵盤設備棧的 PDO 符號鏈接名

應用程序一般不能直接根據設備名打開設備,一般都通過符號鏈接名來打開.

win32!RawInputThread -> win32!OpenDevice -> ZwCreateFile 完成打開設備,并得到句柄

ZwCreateFile -> NtCreateFile -> nt!IopParseDevice -> nt!IoGetAttachedDevice 通過 PDO 獲得鍵盤設備棧最頂端的設備對象

用得到的這個設備對象 偏移 30 的棧大小作為參數 -> IoAllocateTrp 創建 IRP -> nt!ObCreateObject 創建文件對象,初始化這個文件對象

偏移 4 將 設備對象指針 賦值為 鍵盤設備棧的 PDO -> nt!IopfCallDriver 將 IRP 發往驅動,讓驅動進行相應的處理 --> 一系列返回

nt!ObOpenObjectByName -> nt!ObpCreateHandle 在進程 csrss.exe 的句柄表創建一個新的句柄,這個句柄對應的對象就是剛才創建并初始化的文件對象

文件對象中的DeviceObject 指向鍵盤設備棧的PDO

win32!RawInputThread 獲得句柄后 -> nt!ZwReadFile 向鍵盤驅動要求讀入數據 ,會創建一個 IRP_MJ_READ 的請求發給鍵盤驅動告訴鍵盤驅動要求讀入數據

鍵盤驅動通常會使這個IRP未決,等待. 即請求不會給滿足,等待來自鍵盤的數據. 發出這個請求的線程也會等待.等待讀操作完成.

當鍵盤被按下時,將觸發鍵盤中斷,引起中斷服務例程執行.鍵盤中斷服務例程由鍵盤驅動提供.

鍵盤驅動從端口讀取掃描碼,結果處理后把從鍵盤得到的數據交給 IRP ,最后結束這個請求.IRP結束將使 win32!RawInputThread 等待線程等待結束

win32!RawInputThread 對得到的數據做出處理并分發給合適的進程.

一旦數據處理完后,會立刻再調用 nt!ZwReadFile 要求讀入數據,等待鍵盤上的鍵被按下,如此循環.

一般的PS/2鍵盤的設備棧,如果沒有另外安裝其他鍵盤過濾程序,那么設備棧的情況是:

最頂層的設備對象是驅動 KbdClass 生成的<--我們綁定的是這個

中間層的設備對象是驅動 i8042prt 生成的

最底層的設備對象是驅動 ACPI 生成的

鍵盤硬件原理

鍵盤和CPU的交互方式是中斷和讀取端口,這個操作是串行的.發生一次中斷,等于鍵盤給CPU一個通知,這個通知只能通知一個事件,某個鍵被按下,或者彈起來.

CPU只接收通知并讀取端口的掃描碼,從不主動去"查看"任何鍵.為此,一個鍵實際需要兩個掃描碼,一個表示按下,一個表示彈起.

CPU一次只能讀取到端口中的一個字節,如果掃描碼是兩個字節的,則會發生兩次中斷,CPU會先后讀取掃描碼的兩個字節.

注意,在這種機制下同時按下兩個鍵之類的事情是不可能發生的.無論如何按鍵,信息傳遞都是一次一個字節串行進行的.

鍵盤的過濾

要過濾一種設備,首先要綁定它,徐亞哦找到所有代表鍵盤的設備.從之前的原理來看,可以認定的是,如果綁定了驅動 KbdClass的所有設備對象.那么代表鍵盤的設備一定在其中.可以從驅動對象設備鏈字節讀取驅動對象下面的 DeviceObject域(第二章).

另一種獲取驅動下的所有設備對象的分發是調用函數 IoEnumerateDeviceObjectList ,這個函數可以枚舉出一個驅動下的所有設備.

設備擴展,專門定義的一個結構

typedef struct _C2P_DEV_EXT{

//這個結構的大小

ULONG NodeSize;

//過濾設備對象

PDEVICE_OBJECT pFilterDeviceObject;

//同時調用時的保護鎖

KSPIN_LOCK IoRequestsSpinLock;

//進程間同步處理

KEVENT IoInProgressEvent;

//綁定時的設備對象

PDEVICE_OBJECT TargetDeviceObject;

//綁定前底層設備對象

PDEVICE_OBJECT LowerDeviceObject;

}C2P_DEV_EXT, *PC2P_DEV_EXT;

鍵盤過濾模塊的動態卸載

和串口過濾模塊稍有不同,這是因為鍵盤總是處在"有一個讀請求沒有完成"的狀態,計算等待5秒這個請求也未必會完成(如果沒有按鍵盤的話),這樣如果卸載了過濾驅動,那么下一次按鍵,這個請求就被處理,很可能馬上藍屏崩潰.

不完全的代碼:

#include

//鍵盤過濾驅動

//IoDriverObjectType 是全局變量,但是頭文件中沒有,所以在這里聲明

extern POBJECT_TYPE *IoDriverObjectType;

//KbdClass 驅動的名字

#define KBD_DRIVER_NAME L"\\Driver\\Kbdclass"

//ObReferenceObjectByName 未導出文檔,先聲明

NTSTATUS ObReferenceObjectByName(

PUNICODE_STRING ObjectName,

ULONG Attributes,

PACCESS_STATE AccessState,

ACCESS_MASK DesiredAccess,

POBJECT_TYPE ObjectType,

KPROCESSOR_MODE AccessMode,

PVOID ParseContext,

PVOID *Object

);

//全局變量

ULONG gC2pKeyCount = 0;

PDRIVER_OBJECT gDriverObject = NULL;

//設備擴展, 專門定義的一個結構

typedef struct _C2P_DEV_EXT{

//這個結構的大小

ULONG NodeSize;

//過濾設備對象

PDEVICE_OBJECT pFilterDeviceObject;

//同時調用時的保護鎖

KSPIN_LOCK IoRequestsSpinLock;

//進程間同步處理

KEVENT IoInProgressEvent;

//綁定時的設備對象

PDEVICE_OBJECT TargetDeviceObject;

//綁定前底層設備對象

PDEVICE_OBJECT LowerDeviceObject;

}C2P_DEV_EXT, *PC2P_DEV_EXT;

void c2pUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS c2pDispatchGeneral(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pDispatchRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pPower(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pPnP(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context);

NTSTATUS c2pAttachDevices(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

NTSTATUS c2pDevExtInit(IN PC2P_DEV_EXT devExt, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PDEVICE_OBJECT pLowerDeviceObject);

//驅動入口

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){

ULONG i;

NTSTATUS status;

KdPrint(("misaka: entering driverentry\n"));

//填寫所有的分發函數指針

for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++){

DriverObject->MajorFunction[i] = c2pDispatchGeneral;

DbgPrint("misaka: test %d..\r\n",i);

}

//單獨填寫一個讀分發函數,因為重要的是讀取按鍵的信息,其他都不重要

DriverObject->MajorFunction[IRP_MJ_READ] = c2pDispatchRead;

//單獨填寫一個 IRP_MJ_POWER 函數,這是因為這類請求中間要調用一個 PoCallDriver 和 PoStartNextPowerIrp 比較特殊

DriverObject->MajorFunction[IRP_MJ_POWER] = c2pPower;

//我們想知道什么時候綁定過的設備被卸載了(比如從機器上拔掉),專門寫一個 PNP(即插即用)分發函數

DriverObject->MajorFunction[IRP_MJ_PNP] = c2pPnP;

//卸載函數

DriverObject->DriverUnload = c2pUnload;

//綁定所有的鍵盤設備

status = c2pAttachDevices(DriverObject, RegistryPath);

return status;

}

//卸載函數

#define ?DELAY_ONE_MICROSECOND ?(-10)

#define ?DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)

#define ?DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)

void c2pUnload(IN PDRIVER_OBJECT DriverObject){

PDEVICE_OBJECT DeviceObject;

PDEVICE_OBJECT OldDeviceObject;

PC2P_DEV_EXT devExt;

LARGE_INTEGER lDelay;

PRKTHREAD CurrentThread;

lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND);

CurrentThread = KeGetCurrentThread();

//把當前線程設置為低實時模式,以便盡可能少的影響其他程序

KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);

UNREFERENCED_PARAMETER(DriverObject);

KdPrint(("misaka: driverentry unloading...\n"));

//遍歷所有設備并一律解除綁定,刪除所有的設備

DeviceObject = DriverObject->DeviceObject;

while (DeviceObject){

PC2P_DEV_EXT devExt;

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

//只解除綁定

IoDetachDevice(devExt->TargetDeviceObject);

devExt->TargetDeviceObject = NULL;

DbgPrint("misaka: detach finished\r\n");

DeviceObject = DeviceObject->NextDevice;

}

DbgPrint("misaka: ------------------------------------ %d.\r\n", gC2pKeyCount);

//gC2pKeyCount全局變量,等待請求完成才卸載

while (gC2pKeyCount){

KeDelayExecutionThread(KernelMode, FALSE, &lDelay);

}

//這個是產出驅動對象的,但是好像沒有效果,只要停止驅動之后就不能再次啟動了.可能是驅動沒有卸載干凈

//但是如果照著教程寫的話,如果停止直接藍屏...

//目前的情況是在win7 64位系統中啟動驅動后可以獲取按鍵消息...

//IoDeleteDevice(pDeviceObject);

//devExt->pFilterDeviceObject = NULL;

//DbgPrint("misaka: detach finished\r\n");

DbgPrint("misaka: bye ,driver unload successfully.\r\n");

return;

}

//鍵盤請求的處理 - 通常處理 - 直接跳過,發送到真實設備對象上

NTSTATUS c2pDispatchGeneral(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

KdPrint(("misaka: other diapatch!\n"));

IoSkipCurrentIrpStackLocation(Irp);

return IoCallDriver(((PC2P_DEV_EXT)DeviceObject->DeviceExtension)->LowerDeviceObject, Irp);

}

//鍵盤請求的處理 - 讀請求

NTSTATUS c2pDispatchRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

NTSTATUS status = STATUS_SUCCESS;

PC2P_DEV_EXT devExt;

PIO_STACK_LOCATION currentIrpStack;

KEVENT waitEvent;

KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);

if (Irp->CurrentLocation == 1){

ULONG ReturnedInformation = 0;

KdPrint(("misaka: dispatch encountered bogus current location\n"));

status = STATUS_INVALID_DEVICE_REQUEST;

Irp->IoStatus.Status = status;

Irp->IoStatus.Information = ReturnedInformation;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return (status);

}

//全局變量計數器+1

gC2pKeyCount++;

//得到設備擴展,獲得下一個設備的指針

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

//設置回掉函數并把IRP傳遞下去,讀處理結束,等待讀請求完成

currentIrpStack = IoGetCurrentIrpStackLocation(Irp);

IoCopyCurrentIrpStackLocationToNext(Irp);

IoSetCompletionRoutine(Irp, c2pReadComplete, DeviceObject, TRUE, TRUE, TRUE);

DbgPrint("read : number = %d\r\n", gC2pKeyCount);

return IoCallDriver(devExt->LowerDeviceObject, Irp);

}

//鍵盤請求的處理 - 電源相關請求

NTSTATUS c2pPower(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

KdPrint(("misaka: Power\n"));

PC2P_DEV_EXT devExt;

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

PoStartNextPowerIrp(Irp);

IoSkipCurrentIrpStackLocation(Irp);

return PoCallDriver(devExt->LowerDeviceObject, Irp);

}

//鍵盤請求的處理 - 檔設備被拔出時,解除綁定,并刪除過濾設備

NTSTATUS c2pPnP(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

PC2P_DEV_EXT devExt;

PIO_STACK_LOCATION irpStack;

NTSTATUS status = STATUS_SUCCESS;

KIRQL oldIrql;

KEVENT event;

//獲得真實設備

devExt = (PC2P_DEV_EXT)(DeviceObject->DeviceExtension);

irpStack = IoGetCurrentIrpStackLocation(Irp);

switch (irpStack->MinorFunction){

case IRP_MN_REMOVE_DEVICE:

KdPrint(("misaka: IRP_MN_REMOVE_DEVICE\n"));

//先把請求下發

IoSkipCurrentIrpStackLocation(Irp);

IoCallDriver(devExt->LowerDeviceObject, Irp);

//然后解除綁定

IoDetachDevice(devExt->LowerDeviceObject);

//刪除生成的虛擬設備

IoDeleteDevice(DeviceObject);

status = STATUS_SUCCESS;

break;

default:

//其他類型的IRP,全部直接下發

IoSkipCurrentIrpStackLocation(Irp);

status = IoCallDriver(devExt->LowerDeviceObject, Irp);

}

return status;

}

//讀請求完成后的回掉函數

NTSTATUS c2pReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context){

PIO_STACK_LOCATION IrpSp;

ULONG buf_len = 0;

PUCHAR buf = NULL;

size_t i;

IrpSp = IoGetCurrentIrpStackLocation(Irp);

//如果請求成功執行(如果失敗則沒有獲取的意義了)

if (NT_SUCCESS(Irp->IoStatus.Status)){

//獲得讀請求完成后的輸出緩沖區

buf = Irp->AssociatedIrp.SystemBuffer;

//獲得這個緩沖區的長度,一般來說,不管返回值有多長都保存在 Information 中

buf_len = (ULONG)Irp->IoStatus.Information;

//這里可以進一步處理,這里只是簡單的打印出所有的掃描碼

for (i = 0; i < buf_len; ++i){

DbgPrint("misaka: read %2x\r\n", buf[i]);

}

}

gC2pKeyCount--;

if (Irp->PendingReturned){

IoMarkIrpPending(Irp);

}

DbgPrint("call : number = %d\r\n", gC2pKeyCount);

return Irp->IoStatus.Status;

}

//打開驅動對象 KbdClass,綁定其下的所有設備

NTSTATUS c2pAttachDevices(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){

NTSTATUS status = 0;

UNICODE_STRING uniNtNameString;

PC2P_DEV_EXT devExt;

PDEVICE_OBJECT pFilterDeviceObject = NULL;

PDEVICE_OBJECT pTargetDeviceObject = NULL;

PDEVICE_OBJECT pLowerDeviceObject = NULL;

PDRIVER_OBJECT KbdDriverObject = NULL;

KdPrint(("misaka:my attach\n"));

//初始化字符串,就是KbdClass驅動的名字

RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);

//打開驅動對象

status = ObReferenceObjectByName(

&uniNtNameString,

OBJ_CASE_INSENSITIVE,

NULL,

0,

*IoDriverObjectType,

KernelMode,

NULL,

(PVOID*)&KbdDriverObject

);

//如果打開失敗直接返回

if (!NT_SUCCESS(status)){

KdPrint(("misaka:couldn't get the device object\n"));

return (status);

} else{

//調用 ObReferenceObjectByName 對導致對驅動對象的引用計數增加,這里進行解引用

//改: 應該是打開設備對象的指針,而不是驅動對象

ObDereferenceObject(KbdDriverObject);

DbgPrint("misaka: open filter driver ok\r\n");

}

//設備鏈中的第一個設備

pTargetDeviceObject = KbdDriverObject->DeviceObject;

//遍歷設備鏈

while (pTargetDeviceObject){

//生成一個過濾設備,也就是對所有設備創建過濾設備

status = IoCreateDevice(

IN DriverObject,

IN sizeof(PC2P_DEV_EXT),

IN NULL,

IN pTargetDeviceObject->DeviceType,

IN pTargetDeviceObject->Characteristics,

IN FALSE,

OUT &pFilterDeviceObject

);

//如果創建過濾設備失敗,直接退出

if (!NT_SUCCESS(status)){

KdPrint(("misaka: couldn't create the filter device object\n"));

return (status);

}

DbgPrint("misaka: create filter driver ok\r\n");

//綁定 pLowerDeviceObject 是綁定之后得到的下一個設備(真實的設備)

pLowerDeviceObject = IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject);

//如果綁定失敗則放棄之前的操作,退出

if (!pLowerDeviceObject){

KdPrint(("misaka: couldn't attach to device object\n"));

IoDeleteDevice(pFilterDeviceObject);

pFilterDeviceObject = NULL;

return (status);

}

DbgPrint("misaka: attach filter driver ok\r\n");

//設備擴展

devExt = (PC2P_DEV_EXT)(pFilterDeviceObject->DeviceExtension);

c2pDevExtInit(

devExt,

pFilterDeviceObject,

pTargetDeviceObject,

pLowerDeviceObject

);

//

pFilterDeviceObject->DeviceType = pLowerDeviceObject->DeviceType;

pFilterDeviceObject->Characteristics = pLowerDeviceObject->Characteristics;

pFilterDeviceObject->StackSize = pLowerDeviceObject->StackSize + 1;

pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);

//移動到下一個設備,繼續遍歷

pTargetDeviceObject = pTargetDeviceObject->NextDevice;

}

return status;

}

//c2p驅動擴展設置函數

NTSTATUS c2pDevExtInit(IN PC2P_DEV_EXT devExt, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PDEVICE_OBJECT pLowerDeviceObject){

memset(devExt, 0, sizeof(C2P_DEV_EXT));

devExt->NodeSize = sizeof(C2P_DEV_EXT);

devExt->pFilterDeviceObject = pFilterDeviceObject;

KeInitializeSpinLock(&(devExt->IoRequestsSpinLock));

KeInitializeEvent(&(devExt->IoInProgressEvent), NotificationEvent, FALSE);

devExt->TargetDeviceObject = pTargetDeviceObject;

devExt->LowerDeviceObject = pLowerDeviceObject;

return (STATUS_SUCCESS);

}

misaka: entering driverentry

misaka: test 0..

misaka: test 1..

misaka: test 2..

misaka: test 3..

misaka: test 4..

misaka: test 5..

misaka: test 6..

misaka: test 7..

misaka: test 8..

misaka: test 9..

misaka: test 10..

misaka: test 11..

misaka: test 12..

misaka: test 13..

misaka: test 14..

misaka: test 15..

misaka: test 16..

misaka: test 17..

misaka: test 18..

misaka: test 19..

misaka: test 20..

misaka: test 21..

misaka: test 22..

misaka: test 23..

misaka: test 24..

misaka: test 25..

misaka: test 26..

misaka:my attach

misaka: open filter driver ok

misaka: create filter driver ok

misaka: attach filter driver ok

misaka: create filter driver ok

misaka: attach filter driver ok

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 21

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 22

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 22

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 23

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 23

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 24

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 24

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: driverentry unloading...

misaka: detach finished

misaka: detach finished

misaka: ------------------------------------ 1.

misaka: read ?0

misaka: read ?0

misaka: read 20

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

misaka: bye ,driver unload successfully.