漳州建设网站,云南专业网站建设,cms开源系统php,金坛做网站的通过直接调用Kbdclass的回调函数KeyboardClassServiceCallback直接给上层发送键盘驱动。这个方法网上已经公开#xff0c;参考Hook KeyboardClassServiceCallback实现键盘 Logger#xff0c;其他的还有很多#xff0c;可以到网上去查。简单说一下没有公开的部分#xff0c;…通过直接调用Kbdclass的回调函数KeyboardClassServiceCallback直接给上层发送键盘驱动。这个方法网上已经公开参考Hook KeyboardClassServiceCallback实现键盘 Logger其他的还有很多可以到网上去查。简单说一下没有公开的部分就是按下和松开的模拟已经扩展键的模拟。模拟主要是构造KEYBOARD_INPUT_DATA结构按下和松开的Flags分别对应KEY_MAKE、KEY_BREAK然后调用KeyboardClassServiceCallback。这里直接用的sudami的代码在此谢过懒得改了。代码如下case IOCTL_KEY_DOWN :{if (ioBuf){lKeyCode *(ULONG*)ioBuf;dprintf([KeyMouse] KeymouseDispatchDeviceControl IOCTL_KEY_DOWN 0x%x/n, lKeyCode);dwSize sizeof(KEYBOARD_INPUT_DATA);__asm {push eaxmov kid.UnitId,0 ; 构造 KEYBOARD_INPUT_DATAmov eax,lKeyCodemov kid.MakeCode,axmov kid.Flags,KEY_MAKE ;模拟按下mov kid.Reserved,0mov kid.ExtraInformation,0lea eax,dwRetpush eaxlea eax,kidadd eax,dwSizepush eaxlea eax,kidpush eaxpush g_kbDeviceObjectcall orig_KeyboardClassServiceCallback ;利用 KeyboardClassServiceCallback 模拟按键pop eax}status STATUS_SUCCESS;}break;}case IOCTL_KEY_UP:{if (ioBuf){lKeyCode *(ULONG*)ioBuf;dprintf([KeyMouse] KeymouseDispatchDeviceControl IOCTL_KEY_UP 0x%x/n, lKeyCode);dwSize sizeof(KEYBOARD_INPUT_DATA);__asm {push eaxmov kid.UnitId,0 ; 构造 KEYBOARD_INPUT_DATAmov eax,lKeyCodemov kid.MakeCode,axmov kid.Flags,KEY_BREAK ;模拟松开mov kid.Reserved,0mov kid.ExtraInformation,0lea eax,dwRetpush eaxlea eax,kidadd eax,dwSizepush eaxlea eax,kidpush eaxpush g_kbDeviceObjectcall orig_KeyboardClassServiceCallback ;利用 KeyboardClassServiceCallback 模拟按键pop eax}status STATUS_SUCCESS;}break;}扩展键的区别是按下和松开的Flags分别对应KEY_E0、KEY_E1。其他和上面的一样这里就不贴代码出来了。主要说一下扩展键有哪几个(前面是MakeCode后面代表按钮)0x1D-RIGHT CONTROL 0x38-RIGHT ALT 0x48-↑ 键 0x50-↓ 键 0x4b-← 键 0x4d-→ 键 0x5B-LEFT WIN 0x5C-RIGHT WIN重点说一下鼠标的模拟原理和键盘的一样。查找驱动mouclass.sys中的MouseClassServiceCallback函数然后获取//Device//PointerClass0设备对象指针构造MOUSE_INPUT_DATA结构然后调用MouseClassServiceCallback。难点就在与构造MOUSE_INPUT_DATA结构上面。typedef struct _MOUSE_INPUT_DATA {USHORT UnitId;USHORT Flags;union {ULONG Buttons;struct {USHORT ButtonFlags;USHORT ButtonData;};};ULONG RawButtons;LONG LastX;LONG LastY;ULONG ExtraInformation;} MOUSE_INPUT_DATA, *PMOUSE_INPUT_DATA;通过调试操作系统调用MouseClassServiceCallback的参数主要的标示有3个。Flags标志是标示鼠标的坐标属性(即相对坐标、绝对坐标等)ButtonFlags标志是左右中键按下和松开的标志LastX是鼠标X坐标与Flags标志有关LastY是鼠标Y坐标与Flags标志有关其他几项可以填0。具体模拟代码如下case IOCTL_MOUSE_LEFT_BUTTON_DOWN:{MouseFlags MOUSE_LEFT_BUTTON_DOWN;goto __MouseCallBack;}case IOCTL_MOUSE_LEFT_BUTTON_UP:{MouseFlags MOUSE_LEFT_BUTTON_UP;goto __MouseCallBack;}case IOCTL_MOUSE_RIGHT_BUTTON_DOWN:{MouseFlags MOUSE_RIGHT_BUTTON_DOWN;goto __MouseCallBack;}case IOCTL_MOUSE_RIGHT_BUTTON_UP:{MouseFlags MOUSE_RIGHT_BUTTON_UP;goto __MouseCallBack;}case IOCTL_MOUSE_MIDDLE_BUTTON_DOWN:{MouseFlags MOUSE_MIDDLE_BUTTON_DOWN;goto __MouseCallBack;}case IOCTL_MOUSE_MIDDLE_BUTTON_UP:{MouseFlags MOUSE_MIDDLE_BUTTON_UP;__MouseCallBack:mid.UnitId 0;mid.Flags MOUSE_MOVE_RELATIVE;mid.Buttons 0;mid.ButtonFlags MouseFlags;mid.RawButtons 0;mid.LastX *((ULONG*)ioBuf);mid.LastY *((ULONG*)ioBuf1);mid.ExtraInformation 0;InputDataStart mid;InputDataEnd InputDataStart1;orig_MouseClassServiceCallback(g_mouDeviceObject,InputDataStart,InputDataEnd,InputDataConsumed);status STATUS_SUCCESS;break;}case IOCTL_MOUSE_MOVE_RELATIVE:{mid.Flags MOUSE_MOVE_RELATIVE; //相对坐标goto __MouseMoveCallBack;}case IOCTL_MOUSE_MOVE_ABSOLUTE:{mid.Flags MOUSE_MOVE_ABSOLUTE; //绝对坐标goto __MouseMoveCallBack;}case IOCTL_MOUSE_VIRTUAL_DESKTOP:{mid.Flags MOUSE_VIRTUAL_DESKTOP; //虚拟桌面__MouseMoveCallBack:mid.UnitId 1;mid.Buttons 0;mid.RawButtons 0;mid.LastX *((ULONG*)ioBuf);mid.LastY *((ULONG*)ioBuf1);mid.ExtraInformation 0;InputDataStart mid;InputDataEnd InputDataStart1;orig_MouseClassServiceCallback(g_mouDeviceObject,InputDataStart,InputDataEnd,InputDataConsumed);status STATUS_SUCCESS;break;}驱动在windows XP SP2上测试通过。
