键盘类驱动分发函数HOOK蓝屏
代码如下:
#include <wdm.h>
#define KBD_DRIVER_NAME L"\\Driver\\Kbdclass"
extern POBJECT_TYPE IoDriverObjectType;
typedef struct _C2P_DEV_EXT
{
PDEVICE_OBJECT TargetDeviceObject;
} C2P_DEV_EXT, *PC2P_DEV_EXT;
NTSTATUS
ObReferenceObjectByName(
PUNICODE_STRING ObjectName,
ULONG Attributes,
PACCESS_STATE AccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID ParseContext,
PVOID *Object
);
NTSTATUS MyFilterDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)
{
KdPrint(("分发函数已经被我替换\n"));
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(((PC2P_DEV_EXT)
pDeviceObject->DeviceExtension)->TargetDeviceObject, Irp);
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
ULONG i;
NTSTATUS status;
PDRIVER_OBJECT KbdDriverObject = NULL;
PDEVICE_OBJECT pTargetDeviceObject=NULL;
UNICODE_STRING uniNtNameString;
KIRQL oldirql;
PC2P_DEV_EXT devExt;
PDRIVER_DISPATCH OldDispatchFunctions[IRP_MJ_MAXIMUM_FUNCTION+1];
RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);
status = ObReferenceObjectByName (
&uniNtNameString,
OBJ_CASE_INSENSITIVE,
NULL,
0,
IoDriverObjectType,
KernelMode,
NULL,
&KbdDriverObject
);
// 如果失败了就直接返回
if(!NT_SUCCESS(status))
{
KdPrint(("MyAttach: Couldn't get the MyTest Device Object\n"));
return( status );
}
else
{
ObDereferenceObject(DriverObject);
}
//得到第一个设备
pTargetDeviceObject=KbdDriverObject->DeviceObject;
while(pTargetDeviceObject)
{
devExt=(PC2P_DEV_EXT)(pTargetDeviceObject->DeviceExtension);
devExt->TargetDeviceObject=pTargetDeviceObject;
pTargetDeviceObject=pTargetDeviceObject->NextDevice;
}
KeRaiseIrql(DISPATCH_LEVEL, &oldirql);
for(i=0; i<=IRP_MJ_MAXIMUM_FUNCTION; i++)
{
//存储原驱动分发函数指针
OldDispatchFunctions=KbdDriverObject->MajorFunction;
//进行原子交易操作
InterlockedExchangePointer(&KbdDriverObject->MajorFunction, MyFilterDispatch);
}
KeLowerIrql(oldirql);
return status;
}
为什么安装服务后 一启动服务就蓝屏呢
[解决办法]
去掉KeRaiseIrql()与KeLowerIrql()的调用,你的DriverEntry()运行在PASSIVE_LEVEL