📄 ctrl2cap.c
字号:
//======================================================================
//
// Ctrl2cap
//
// Copyright (C) 1996-1999 Mark Russinovich
//
// Hook onto the keyboard I/O path and massage the input stream
// converting caps-locks into controls. This example works on
// NT 4 and Win2K and the Win2K version is very losely based on the
// i8042 port filter driver sample, kbfiltr, from the Win2K DDK.
//
// For every function I list whether the function gets called
// under NT 4, WIN2K, or both.
//
// File: ctrl2cap.c
//
//======================================================================
#include "ntddk.h"
#include <ntddkbd.h>
#include "stdarg.h"
#include "stdio.h"
#include "ctrl2cap.h"
#include "ntddkbd.h"
#include "Process.h"
#define WIN2K 1
int MouseRight=0;
int MouseLeft=0;
HANDLE hVirtual_Mouse;
HANDLE hKey;
UNICODE_STRING pathname = RTL_CONSTANT_STRING(L"C:\\Windows\\test.txt");
UNICODE_STRING name_right = RTL_CONSTANT_STRING(L"Mouse_Right");
PWCHAR value = { L"1"};
NTSTATUS status;
OBJECT_ATTRIBUTES oa={0};
IO_STATUS_BLOCK ioStatus;
UNICODE_STRING us;
typedef struct
{
int Count;
struct
{
int Press;
int Code;
}Keys[6];
}VK_SENDKEY,*PVK_SENDKEY;
#define IOCTL_VHIDMOU_MOVE \
CTL_CODE(FILE_DEVICE_MOUSE, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_VHIDMOU_CLICK \
CTL_CODE(FILE_DEVICE_MOUSE, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_VHIDMOU_RIGHT_DOWN \
CTL_CODE(FILE_DEVICE_MOUSE, 0x803, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_VHIDMOU_LEFT_DOWN \
CTL_CODE(FILE_DEVICE_MOUSE, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_VHIDMOU_RIGHT_UP \
CTL_CODE(FILE_DEVICE_MOUSE, 0x805, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_VHIDMOU_LEFT_UP \
CTL_CODE(FILE_DEVICE_MOUSE, 0x806, METHOD_NEITHER, FILE_ANY_ACCESS)
VK_SENDKEY KeyboardData;
PDEVICE_OBJECT pKbdDeviceObject = NULL;
PFILE_OBJECT fileObject = NULL;
UNICODE_STRING uszDeviceName;
NTSTATUS nStatus;
KEVENT event;
IO_STATUS_BLOCK iostatus;
PIRP pirp;
/*
KeInitializeEvent(&event, NotificationEvent, FALSE);
RtlInitUnicodeString(&uszDeviceName, L"\\Device\\KeyboardClass0");
nStatus = IoGetDeviceObjectPointer(
&uszDeviceName,
FILE_ALL_ACCESS,
&fileObject,
&pKbdDeviceObject);
PIRP pirp;
RtlZeroMemory(KeyboardData, 2*sizeof(KEYBOARD_INPUT_DATA));
KeyboardData[0].Flags = 0; //down
KeyboardData[1].Flags = 1; //up
KeyboardData[0].MakeCode = 0x45; //Num Lock
KeyboardData[1].MakeCode = 0x45; //Num Lock
pirp = IoBuildDeviceIoControlRequest(
IOCTL_INTERNAL_I8042_KEYBOARD_WRITE_BUFFER,
pKbdDeviceObject,
&KeyboardData[0],
sizeof(KEYBOARD_INPUT_DATA)*2,
&KeyboardData[0],
sizeof (KEYBOARD_INPUT_DATA)*2,
FALSE,
&event,
&iostatus);
*/
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, DriverEntry)
#pragma alloc_text (PAGE, Ctrl2capDispatchGeneral)
#if WIN2K
#pragma alloc_text (PAGE, Ctrl2capAddDevice)
#pragma alloc_text (PAGE, Ctrl2capUnload)
#pragma alloc_text (PAGE, Ctrl2capPnP)
#pragma alloc_text (PAGE, Ctrl2capPower)
#endif // WIN2K
#endif // ALLOC_PRAGMA
LARGE_INTEGER liTime;
HANDLE hThread;
ULONG ZwSTAddr=0x805ca69e;
ULONG IsOk;
void MyWorkThread(IN PVOID pContext)
{
liTime =RtlConvertLongToLargeInteger(-(LONG)100* 10000); // 100ms
//Callers of KeDelayExecutionThread must be running at IRQL <= APC_LEVEL.
while(1)
{
if ( MouseRight )
{
MouseRight=0;
//This the "RtlInitUnicodeString".
us.Buffer =L"\\??\\C:\\Windows\\test.txt";
us.Length = wcslen(us.Buffer) * sizeof(WCHAR);
us.MaximumLength = us.Length + sizeof(WCHAR);
//This the "InitializeObjectAttributes".
oa.Length = sizeof(oa);
oa.RootDirectory = NULL;
oa.ObjectName = &us;
oa.Attributes = OBJ_KERNEL_HANDLE;
oa.SecurityDescriptor = NULL;
oa.SecurityQualityOfService = NULL;
status = ZwCreateFile(&hKey,
//FILE_WRITE_ACCESS|SYNCHRONIZE,
GENERIC_WRITE | SYNCHRONIZE,
&oa,
&ioStatus,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_SUPERSEDE,
FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if (NT_SUCCESS(status)) {
ZwClose(hKey);
}
} // end if
///////////////////////////////////////////
KeDelayExecutionThread(KernelMode,TRUE,&liTime);
DbgPrint("Thread Is Still Alive");
}
}
HANDLE OpenKeyByName(PCWSTR pwcsKeyName)
{
NTSTATUS status;
UNICODE_STRING uKeyName= RTL_CONSTANT_STRING(L"\\Registry\\Machine\\SoftWare\\IMOBILE\\Hotkey");
OBJECT_ATTRIBUTES oa={0};
HANDLE hKey2;
// long dwDisposition;
// RtlInitUnicodeString(&uKeyName, pwcsKeyName);
InitializeObjectAttributes(&oa, &uKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = ZwOpenKey(&hKey2, KEY_ALL_ACCESS, &oa);
if (!NT_SUCCESS(status))
{
// DbgPrint("ZwOpenKey Failed: %lx\n", status);
// status= ZwCreateKey(&hKey, KEY_WRITE, &oa, 0, NULL,REG_OPTION_VOLATILE, dwDisposition);
// return hKey;
return 0;
}
return hKey2;
}
//----------------------------------------------------------------------
//
// DriverEntry
//
// Installable driver initialization. Here we just set ourselves up.
//
// Called: NT4, WIN2K
//
//----------------------------------------------------------------------
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
ULONG i;
DbgPrint (("Ctrl2cap.SYS: entering DriverEntry\n"));
//
// Fill in all the dispatch entry points with the pass through function
// and the explicitly fill in the functions we are going to intercept
//
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction[i] = Ctrl2capDispatchGeneral;
}
//
// Our read function is where we do our real work.
//
DriverObject->MajorFunction[IRP_MJ_READ] = Ctrl2capDispatchRead;
#if WIN2K
//
// Power IRPs are the only ones we have to handle specially under
// Win2k since they require the special PoCallDriver and
// PoStartNextPowerIrp function calls.
//
DriverObject->MajorFunction [IRP_MJ_POWER] = Ctrl2capPower;
//
// The only reason we need to handle PnP IRPs is to know when
// a device we've attached to disappears (is removed).
//
DriverObject->MajorFunction [IRP_MJ_PNP] = Ctrl2capPnP;
//
// Under Win2K we get told about the presence of keyboard
// devices through our AddDevice entry point.
//
DriverObject->DriverUnload = Ctrl2capUnload;
DriverObject->DriverExtension->AddDevice = Ctrl2capAddDevice;
// hKey= OpenKeyByName(L"\\Registry\\Machine\\SoftWare\\IMOBILE\\Hotkey");
// if (hKey)
// ZwSetValueKey(hKey,&name_right,0,REG_SZ,value,(wcslen(value)+1)*sizeof(WCHAR));
// InitializeObjectAttributes(&oa,&pathname, OBJ_CASE_INSENSITIVE, NULL, NULL);
// status = ZwCreateFile(&hKey, GENERIC_WRITE,&oa, &iostatus,NULL,0, FILE_SHARE_READ, FILE_OVERWRITE_IF
// ,FILE_SYNCHRONOUS_IO_NONALERT, NULL,0);
// if (hKey)
// if(NT_SUCCESS(status))
// {
// ZwClose(hKey);
// hKey=0;
// }
// RunProcess("c:\\notepad.exe");
return STATUS_SUCCESS;
#else // WIN2K
//
// Under NT 4 we go out and hook the keyboard class device for
// keyboard 0.
//
return Ctrl2capInit( DriverObject );
#endif // WIN2K
}
//----------------------------------------------------------------------
//
// Ctrl2capInit
//
// Hook onto the keyboard's path. Why does this routine return
// status success even if there's a problem? I've found that if it
// doesn't, the keyboard won't respond!
//
// Called: NT4
//
//----------------------------------------------------------------------
NTSTATUS Ctrl2capInit(
IN PDRIVER_OBJECT DriverObject
)
{
CCHAR ntNameBuffer[64];
STRING ntNameString;
UNICODE_STRING ntUnicodeString;
PDEVICE_OBJECT device;
NTSTATUS status;
PDEVICE_EXTENSION devExt;
WCHAR messageBuffer[] = L"Ctrl2cap Initialized\n";
UNICODE_STRING messageUnicodeString;
//
// Only hook onto the first keyboard's chain.
//
sprintf( ntNameBuffer, "\\Device\\KeyboardClass0" );
RtlInitAnsiString( &ntNameString, ntNameBuffer );
RtlAnsiStringToUnicodeString( &ntUnicodeString, &ntNameString, TRUE );
//
// Create device object for the keyboard.
//
status = IoCreateDevice( DriverObject,
sizeof(DEVICE_EXTENSION),
NULL,
FILE_DEVICE_KEYBOARD,
0,
FALSE,
&device );
if( !NT_SUCCESS(status) ) {
DbgPrint(("Ctrl2cap: Keyboard hook failed to create device!\n"));
RtlFreeUnicodeString( &ntUnicodeString );
return STATUS_SUCCESS;
}
RtlZeroMemory(device->DeviceExtension, sizeof(DEVICE_EXTENSION));
devExt = (PDEVICE_EXTENSION) device->DeviceExtension;
//
// Keyboard uses buffered I/O so we must as well.
//
device->Flags |= DO_BUFFERED_IO;
device->Flags &= ~DO_DEVICE_INITIALIZING;
//
// Attach to the keyboard chain.
//
status = IoAttachDevice( device, &ntUnicodeString, &devExt->TopOfStack );
if( !NT_SUCCESS(status) ) {
DbgPrint(("Ctrl2cap: Connect with keyboard failed!\n"));
IoDeleteDevice( device );
RtlFreeUnicodeString( &ntUnicodeString );
return STATUS_SUCCESS;
}
//status=IoCreateFile(&hVirtual_Mouse,DEVICE_NAME,GENERIC_WRITE|GENERIC_READ,0,0,OPEN_EXISTING,0,0);
//
// Done! Just free our string and be on our way...
//
RtlFreeUnicodeString( &ntUnicodeString );
DbgPrint(("Ctrl2cap: Successfully connected to keyboard device\n"));
//
// This line simply demonstrates how a driver can print
// stuff to the bluescreen during system initialization.
//
RtlInitUnicodeString (&messageUnicodeString,
messageBuffer );
ZwDisplayString( &messageUnicodeString );
return STATUS_SUCCESS;
}
#if WIN2K
//----------------------------------------------------------------------
//
// Ctrl2capAddDevice
//
// The PnP Manager calls us for each keyboard present on the system.
// We attach to each one so that we can flip caps lock to controls.
//
// Called: WIN2K
//
//----------------------------------------------------------------------
NTSTATUS
Ctrl2capAddDevice(
IN PDRIVER_OBJECT Driver,
IN PDEVICE_OBJECT PDO
)
{
PDEVICE_EXTENSION devExt;
// Jason Yu IO_ERROR_LOG_PACKET errorLogEntry;
PDEVICE_OBJECT device;
NTSTATUS status = STATUS_SUCCESS;
//
// Create a filter device and attach it to the device stack.
//
status = IoCreateDevice(Driver,
sizeof(DEVICE_EXTENSION),
NULL,
FILE_DEVICE_KEYBOARD,
0,
FALSE,
&device
);
if (!NT_SUCCESS(status)) {
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -