技术原理

何为符号链接?符号链接是一个别名,可以指向任意一个有名字的对象.

ZwCreateFile 不但可以打开文件,也可以打开设备对象(返回类似文件句柄的句柄)

何为PDO?字面意思是物理设备,PDO是设备栈最下面的那个设备对象

windows从击键到内核

csrss.exe进程,他有一个线程是 win32!RawInputThread ,线程通过 GUID 来获得键盘设备栈的 PDO 符号链接名

应用程序一般不能直接根据设备名打开设备,一般都通过符号链接名来打开.

win32!RawInputThread -> win32!OpenDevice -> ZwCreateFile 完成打开设备,并得到句柄

ZwCreateFile -> NtCreateFile -> nt!IopParseDevice -> nt!IoGetAttachedDevice 通过 PDO 获得键盘设备栈最顶端的设备对象

用得到的这个设备对象 偏移 30 的栈大小作为参数 -> IoAllocateTrp 创建 IRP -> nt!ObCreateObject 创建文件对象,初始化这个文件对象

偏移 4 将 设备对象指针 赋值为 键盘设备栈的 PDO -> nt!IopfCallDriver 将 IRP 发往驱动,让驱动进行相应的处理 --> 一系列返回

nt!ObOpenObjectByName -> nt!ObpCreateHandle 在进程 csrss.exe 的句柄表创建一个新的句柄,这个句柄对应的对象就是刚才创建并初始化的文件对象

文件对象中的DeviceObject 指向键盘设备栈的PDO

win32!RawInputThread 获得句柄后 -> nt!ZwReadFile 向键盘驱动要求读入数据 ,会创建一个 IRP_MJ_READ 的请求发给键盘驱动告诉键盘驱动要求读入数据

键盘驱动通常会使这个IRP未决,等待. 即请求不会给满足,等待来自键盘的数据. 发出这个请求的线程也会等待.等待读操作完成.

当键盘被按下时,将触发键盘中断,引起中断服务例程执行.键盘中断服务例程由键盘驱动提供.

键盘驱动从端口读取扫描码,结果处理后把从键盘得到的数据交给 IRP ,最后结束这个请求.IRP结束将使 win32!RawInputThread 等待线程等待结束

win32!RawInputThread 对得到的数据做出处理并分发给合适的进程.

一旦数据处理完后,会立刻再调用 nt!ZwReadFile 要求读入数据,等待键盘上的键被按下,如此循环.

一般的PS/2键盘的设备栈,如果没有另外安装其他键盘过滤程序,那么设备栈的情况是:

最顶层的设备对象是驱动 KbdClass 生成的<--我们绑定的是这个

中间层的设备对象是驱动 i8042prt 生成的

最底层的设备对象是驱动 ACPI 生成的

键盘硬件原理

键盘和CPU的交互方式是中断和读取端口,这个操作是串行的.发生一次中断,等于键盘给CPU一个通知,这个通知只能通知一个事件,某个键被按下,或者弹起来.

CPU只接收通知并读取端口的扫描码,从不主动去"查看"任何键.为此,一个键实际需要两个扫描码,一个表示按下,一个表示弹起.

CPU一次只能读取到端口中的一个字节,如果扫描码是两个字节的,则会发生两次中断,CPU会先后读取扫描码的两个字节.

注意,在这种机制下同时按下两个键之类的事情是不可能发生的.无论如何按键,信息传递都是一次一个字节串行进行的.

键盘的过滤

要过滤一种设备,首先要绑定它,徐亚哦找到所有代表键盘的设备.从之前的原理来看,可以认定的是,如果绑定了驱动 KbdClass的所有设备对象.那么代表键盘的设备一定在其中.可以从驱动对象设备链字节读取驱动对象下面的 DeviceObject域(第二章).

另一种获取驱动下的所有设备对象的分发是调用函数 IoEnumerateDeviceObjectList ,这个函数可以枚举出一个驱动下的所有设备.

设备扩展,专门定义的一个结构

typedef struct _C2P_DEV_EXT{

//这个结构的大小

ULONG NodeSize;

//过滤设备对象

PDEVICE_OBJECT pFilterDeviceObject;

//同时调用时的保护锁

KSPIN_LOCK IoRequestsSpinLock;

//进程间同步处理

KEVENT IoInProgressEvent;

//绑定时的设备对象

PDEVICE_OBJECT TargetDeviceObject;

//绑定前底层设备对象

PDEVICE_OBJECT LowerDeviceObject;

}C2P_DEV_EXT, *PC2P_DEV_EXT;

键盘过滤模块的动态卸载

和串口过滤模块稍有不同,这是因为键盘总是处在"有一个读请求没有完成"的状态,计算等待5秒这个请求也未必会完成(如果没有按键盘的话),这样如果卸载了过滤驱动,那么下一次按键,这个请求就被处理,很可能马上蓝屏崩溃.

不完全的代码:

#include

//键盘过滤驱动

//IoDriverObjectType 是全局变量,但是头文件中没有,所以在这里声明

extern POBJECT_TYPE *IoDriverObjectType;

//KbdClass 驱动的名字

#define KBD_DRIVER_NAME L"\\Driver\\Kbdclass"

//ObReferenceObjectByName 未导出文档,先声明

NTSTATUS ObReferenceObjectByName(

PUNICODE_STRING ObjectName,

ULONG Attributes,

PACCESS_STATE AccessState,

ACCESS_MASK DesiredAccess,

POBJECT_TYPE ObjectType,

KPROCESSOR_MODE AccessMode,

PVOID ParseContext,

PVOID *Object

);

//全局变量

ULONG gC2pKeyCount = 0;

PDRIVER_OBJECT gDriverObject = NULL;

//设备扩展, 专门定义的一个结构

typedef struct _C2P_DEV_EXT{

//这个结构的大小

ULONG NodeSize;

//过滤设备对象

PDEVICE_OBJECT pFilterDeviceObject;

//同时调用时的保护锁

KSPIN_LOCK IoRequestsSpinLock;

//进程间同步处理

KEVENT IoInProgressEvent;

//绑定时的设备对象

PDEVICE_OBJECT TargetDeviceObject;

//绑定前底层设备对象

PDEVICE_OBJECT LowerDeviceObject;

}C2P_DEV_EXT, *PC2P_DEV_EXT;

void c2pUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS c2pDispatchGeneral(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pDispatchRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pPower(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pPnP(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context);

NTSTATUS c2pAttachDevices(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

NTSTATUS c2pDevExtInit(IN PC2P_DEV_EXT devExt, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PDEVICE_OBJECT pLowerDeviceObject);

//驱动入口

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){

ULONG i;

NTSTATUS status;

KdPrint(("misaka: entering driverentry\n"));

//填写所有的分发函数指针

for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++){

DriverObject->MajorFunction[i] = c2pDispatchGeneral;

DbgPrint("misaka: test %d..\r\n",i);

}

//单独填写一个读分发函数,因为重要的是读取按键的信息,其他都不重要

DriverObject->MajorFunction[IRP_MJ_READ] = c2pDispatchRead;

//单独填写一个 IRP_MJ_POWER 函数,这是因为这类请求中间要调用一个 PoCallDriver 和 PoStartNextPowerIrp 比较特殊

DriverObject->MajorFunction[IRP_MJ_POWER] = c2pPower;

//我们想知道什么时候绑定过的设备被卸载了(比如从机器上拔掉),专门写一个 PNP(即插即用)分发函数

DriverObject->MajorFunction[IRP_MJ_PNP] = c2pPnP;

//卸载函数

DriverObject->DriverUnload = c2pUnload;

//绑定所有的键盘设备

status = c2pAttachDevices(DriverObject, RegistryPath);

return status;

}

//卸载函数

#define  DELAY_ONE_MICROSECOND  (-10)

#define  DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)

#define  DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)

void c2pUnload(IN PDRIVER_OBJECT DriverObject){

PDEVICE_OBJECT DeviceObject;

PDEVICE_OBJECT OldDeviceObject;

PC2P_DEV_EXT devExt;

LARGE_INTEGER lDelay;

PRKTHREAD CurrentThread;

lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND);

CurrentThread = KeGetCurrentThread();

//把当前线程设置为低实时模式,以便尽可能少的影响其他程序

KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);

UNREFERENCED_PARAMETER(DriverObject);

KdPrint(("misaka: driverentry unloading...\n"));

//遍历所有设备并一律解除绑定,删除所有的设备

DeviceObject = DriverObject->DeviceObject;

while (DeviceObject){

PC2P_DEV_EXT devExt;

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

//只解除绑定

IoDetachDevice(devExt->TargetDeviceObject);

devExt->TargetDeviceObject = NULL;

DbgPrint("misaka: detach finished\r\n");

DeviceObject = DeviceObject->NextDevice;

}

DbgPrint("misaka: ------------------------------------ %d.\r\n", gC2pKeyCount);

//gC2pKeyCount全局变量,等待请求完成才卸载

while (gC2pKeyCount){

KeDelayExecutionThread(KernelMode, FALSE, &lDelay);

}

//这个是产出驱动对象的,但是好像没有效果,只要停止驱动之后就不能再次启动了.可能是驱动没有卸载干净

//但是如果照着教程写的话,如果停止直接蓝屏...

//目前的情况是在win7 64位系统中启动驱动后可以获取按键消息...

//IoDeleteDevice(pDeviceObject);

//devExt->pFilterDeviceObject = NULL;

//DbgPrint("misaka: detach finished\r\n");

DbgPrint("misaka: bye ,driver unload successfully.\r\n");

return;

}

//键盘请求的处理 - 通常处理 - 直接跳过,发送到真实设备对象上

NTSTATUS c2pDispatchGeneral(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

KdPrint(("misaka: other diapatch!\n"));

IoSkipCurrentIrpStackLocation(Irp);

return IoCallDriver(((PC2P_DEV_EXT)DeviceObject->DeviceExtension)->LowerDeviceObject, Irp);

}

//键盘请求的处理 - 读请求

NTSTATUS c2pDispatchRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

NTSTATUS status = STATUS_SUCCESS;

PC2P_DEV_EXT devExt;

PIO_STACK_LOCATION currentIrpStack;

KEVENT waitEvent;

KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);

if (Irp->CurrentLocation == 1){

ULONG ReturnedInformation = 0;

KdPrint(("misaka: dispatch encountered bogus current location\n"));

status = STATUS_INVALID_DEVICE_REQUEST;

Irp->IoStatus.Status = status;

Irp->IoStatus.Information = ReturnedInformation;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return (status);

}

//全局变量计数器+1

gC2pKeyCount++;

//得到设备扩展,获得下一个设备的指针

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

//设置回掉函数并把IRP传递下去,读处理结束,等待读请求完成

currentIrpStack = IoGetCurrentIrpStackLocation(Irp);

IoCopyCurrentIrpStackLocationToNext(Irp);

IoSetCompletionRoutine(Irp, c2pReadComplete, DeviceObject, TRUE, TRUE, TRUE);

DbgPrint("read : number = %d\r\n", gC2pKeyCount);

return IoCallDriver(devExt->LowerDeviceObject, Irp);

}

//键盘请求的处理 - 电源相关请求

NTSTATUS c2pPower(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

KdPrint(("misaka: Power\n"));

PC2P_DEV_EXT devExt;

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

PoStartNextPowerIrp(Irp);

IoSkipCurrentIrpStackLocation(Irp);

return PoCallDriver(devExt->LowerDeviceObject, Irp);

}

//键盘请求的处理 - 档设备被拔出时,解除绑定,并删除过滤设备

NTSTATUS c2pPnP(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

PC2P_DEV_EXT devExt;

PIO_STACK_LOCATION irpStack;

NTSTATUS status = STATUS_SUCCESS;

KIRQL oldIrql;

KEVENT event;

//获得真实设备

devExt = (PC2P_DEV_EXT)(DeviceObject->DeviceExtension);

irpStack = IoGetCurrentIrpStackLocation(Irp);

switch (irpStack->MinorFunction){

case IRP_MN_REMOVE_DEVICE:

KdPrint(("misaka: IRP_MN_REMOVE_DEVICE\n"));

//先把请求下发

IoSkipCurrentIrpStackLocation(Irp);

IoCallDriver(devExt->LowerDeviceObject, Irp);

//然后解除绑定

IoDetachDevice(devExt->LowerDeviceObject);

//删除生成的虚拟设备

IoDeleteDevice(DeviceObject);

status = STATUS_SUCCESS;

break;

default:

//其他类型的IRP,全部直接下发

IoSkipCurrentIrpStackLocation(Irp);

status = IoCallDriver(devExt->LowerDeviceObject, Irp);

}

return status;

}

//读请求完成后的回掉函数

NTSTATUS c2pReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context){

PIO_STACK_LOCATION IrpSp;

ULONG buf_len = 0;

PUCHAR buf = NULL;

size_t i;

IrpSp = IoGetCurrentIrpStackLocation(Irp);

//如果请求成功执行(如果失败则没有获取的意义了)

if (NT_SUCCESS(Irp->IoStatus.Status)){

//获得读请求完成后的输出缓冲区

buf = Irp->AssociatedIrp.SystemBuffer;

//获得这个缓冲区的长度,一般来说,不管返回值有多长都保存在 Information 中

buf_len = (ULONG)Irp->IoStatus.Information;

//这里可以进一步处理,这里只是简单的打印出所有的扫描码

for (i = 0; i < buf_len; ++i){

DbgPrint("misaka: read %2x\r\n", buf[i]);

}

}

gC2pKeyCount--;

if (Irp->PendingReturned){

IoMarkIrpPending(Irp);

}

DbgPrint("call : number = %d\r\n", gC2pKeyCount);

return Irp->IoStatus.Status;

}

//打开驱动对象 KbdClass,绑定其下的所有设备

NTSTATUS c2pAttachDevices(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){

NTSTATUS status = 0;

UNICODE_STRING uniNtNameString;

PC2P_DEV_EXT devExt;

PDEVICE_OBJECT pFilterDeviceObject = NULL;

PDEVICE_OBJECT pTargetDeviceObject = NULL;

PDEVICE_OBJECT pLowerDeviceObject = NULL;

PDRIVER_OBJECT KbdDriverObject = NULL;

KdPrint(("misaka:my attach\n"));

//初始化字符串,就是KbdClass驱动的名字

RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);

//打开驱动对象

status = ObReferenceObjectByName(

&uniNtNameString,

OBJ_CASE_INSENSITIVE,

NULL,

0,

*IoDriverObjectType,

KernelMode,

NULL,

(PVOID*)&KbdDriverObject

);

//如果打开失败直接返回

if (!NT_SUCCESS(status)){

KdPrint(("misaka:couldn't get the device object\n"));

return (status);

} else{

//调用 ObReferenceObjectByName 对导致对驱动对象的引用计数增加,这里进行解引用

//改: 应该是打开设备对象的指针,而不是驱动对象

ObDereferenceObject(KbdDriverObject);

DbgPrint("misaka: open filter driver ok\r\n");

}

//设备链中的第一个设备

pTargetDeviceObject = KbdDriverObject->DeviceObject;

//遍历设备链

while (pTargetDeviceObject){

//生成一个过滤设备,也就是对所有设备创建过滤设备

status = IoCreateDevice(

IN DriverObject,

IN sizeof(PC2P_DEV_EXT),

IN NULL,

IN pTargetDeviceObject->DeviceType,

IN pTargetDeviceObject->Characteristics,

IN FALSE,

OUT &pFilterDeviceObject

);

//如果创建过滤设备失败,直接退出

if (!NT_SUCCESS(status)){

KdPrint(("misaka: couldn't create the filter device object\n"));

return (status);

}

DbgPrint("misaka: create filter driver ok\r\n");

//绑定 pLowerDeviceObject 是绑定之后得到的下一个设备(真实的设备)

pLowerDeviceObject = IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject);

//如果绑定失败则放弃之前的操作,退出

if (!pLowerDeviceObject){

KdPrint(("misaka: couldn't attach to device object\n"));

IoDeleteDevice(pFilterDeviceObject);

pFilterDeviceObject = NULL;

return (status);

}

DbgPrint("misaka: attach filter driver ok\r\n");

//设备扩展

devExt = (PC2P_DEV_EXT)(pFilterDeviceObject->DeviceExtension);

c2pDevExtInit(

devExt,

pFilterDeviceObject,

pTargetDeviceObject,

pLowerDeviceObject

);

//

pFilterDeviceObject->DeviceType = pLowerDeviceObject->DeviceType;

pFilterDeviceObject->Characteristics = pLowerDeviceObject->Characteristics;

pFilterDeviceObject->StackSize = pLowerDeviceObject->StackSize + 1;

pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);

//移动到下一个设备,继续遍历

pTargetDeviceObject = pTargetDeviceObject->NextDevice;

}

return status;

}

//c2p驱动扩展设置函数

NTSTATUS c2pDevExtInit(IN PC2P_DEV_EXT devExt, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PDEVICE_OBJECT pLowerDeviceObject){

memset(devExt, 0, sizeof(C2P_DEV_EXT));

devExt->NodeSize = sizeof(C2P_DEV_EXT);

devExt->pFilterDeviceObject = pFilterDeviceObject;

KeInitializeSpinLock(&(devExt->IoRequestsSpinLock));

KeInitializeEvent(&(devExt->IoInProgressEvent), NotificationEvent, FALSE);

devExt->TargetDeviceObject = pTargetDeviceObject;

devExt->LowerDeviceObject = pLowerDeviceObject;

return (STATUS_SUCCESS);

}

misaka: entering driverentry

misaka: test 0..

misaka: test 1..

misaka: test 2..

misaka: test 3..

misaka: test 4..

misaka: test 5..

misaka: test 6..

misaka: test 7..

misaka: test 8..

misaka: test 9..

misaka: test 10..

misaka: test 11..

misaka: test 12..

misaka: test 13..

misaka: test 14..

misaka: test 15..

misaka: test 16..

misaka: test 17..

misaka: test 18..

misaka: test 19..

misaka: test 20..

misaka: test 21..

misaka: test 22..

misaka: test 23..

misaka: test 24..

misaka: test 25..

misaka: test 26..

misaka:my attach

misaka: open filter driver ok

misaka: create filter driver ok

misaka: attach filter driver ok

misaka: create filter driver ok

misaka: attach filter driver ok

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 21

misaka: read  0

misaka: read  1

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 22

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 22

misaka: read  0

misaka: read  1

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 23

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 23

misaka: read  0

misaka: read  1

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 24

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: read  0

misaka: read  0

misaka: read 24

misaka: read  0

misaka: read  1

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

read : number = 1

misaka: driverentry unloading...

misaka: detach finished

misaka: detach finished

misaka: ------------------------------------ 1.

misaka: read  0

misaka: read  0

misaka: read 20

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

misaka: read  0

call : number = 0

misaka: bye ,driver unload successfully.