概述

其編寫過程大體與鍵盤過濾驅動相似，只需要切換一下附加的目標設備以及創建的設備類型等。但在該操作后依然無法捕獲到Vmware創建的win7操作系統的鼠標irp信息，于是通過在獲取鼠標驅動，遍歷其所有的設備進而附加，這樣便可以獲取到鼠標的irp信息。

代碼

#include<ntifs.h>typedef struct
{PDEVICE_OBJECT LowerKbdDevice;
}DEVICE_EXTENTION,*PDEVICE_EXTENTION;extern POBJECT_TYPE* IoDriverObjectType;typedef struct _MOUSE_INPUT_DATA {USHORT UnitId;USHORT Flags;union {ULONG Buttons;struct {USHORT ButtonFlags;USHORT ButtonData;};};ULONG  RawButtons;LONG   LastX;LONG   LastY;ULONG  ExtraInformation;
} MOUSE_INPUT_DATA, * PMOUSE_INPUT_DATA;ULONG pendingkey = 0;NTSTATUS NTAPI ObReferenceObjectByName(PUNICODE_STRING ObjectName,ULONG Attributes,PACCESS_STATE AccessState,ACCESS_MASK DesiredAccess,POBJECT_TYPE ObjectType,KPROCESSOR_MODE AccessMode,PVOID ParseContext OPTIONAL,PVOID* Object);VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{LARGE_INTEGER interval = { 0 };PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;interval.QuadPart = -10 * 1000 * 1000;while (DeviceObject){IoDetachDevice(((PDEVICE_EXTENTION)DeviceObject->DeviceExtension)->LowerKbdDevice);DeviceObject = DeviceObject->NextDevice;}//判斷是否還有未處理的IRPwhile (pendingkey){KeDelayExecutionThread(KernelMode, FALSE, &interval);}DeviceObject = DriverObject->DeviceObject;while (DeviceObject){IoDeleteDevice(DeviceObject);DeviceObject = DeviceObject->NextDevice;}KdPrint(("驅動卸載結束！\n"));
}NTSTATUS ReadComplete(PDEVICE_OBJECT DeviceObject, PIRP irp, PVOID Context)
{PMOUSE_INPUT_DATA KeyBuffer = (PMOUSE_INPUT_DATA)irp->AssociatedIrp.SystemBuffer;int structnum = irp->IoStatus.Information / sizeof(MOUSE_INPUT_DATA);if (irp->IoStatus.Status == STATUS_SUCCESS){for (int i = 0; i < structnum; i++){KdPrint(("ButtonFlags = %x\n", KeyBuffer->ButtonFlags));}}//處理完成需要將標志位設置，以聲明以完成此irp的返回處理if (irp->PendingReturned){IoMarkIrpPending(irp);}pendingkey--;return irp->IoStatus.Status;
}NTSTATUS DispatchPass(PDEVICE_OBJECT pDeviceObject,PIRP irp)
{IoCopyCurrentIrpStackLocationToNext(irp);return IoCallDriver(((PDEVICE_EXTENTION)pDeviceObject->DeviceExtension)->LowerKbdDevice, irp);
}NTSTATUS DispatchRead(PDEVICE_OBJECT pDeviceObject, PIRP irp)
{IoCopyCurrentIrpStackLocationToNext(irp);IoSetCompletionRoutine(irp,ReadComplete,NULL,TRUE,TRUE,TRUE,TRUE);pendingkey++;return IoCallDriver(((PDEVICE_EXTENTION)pDeviceObject->DeviceExtension)->LowerKbdDevice, irp);
}NTSTATUS MyAttachDevice(PDRIVER_OBJECT pDriverObject)
{UNICODE_STRING kbdName = RTL_CONSTANT_STRING(L"\\Driver\\MouClass");PDRIVER_OBJECT TargetDriverObject = NULL;PDEVICE_OBJECT CurrentDeviceObject = NULL;PDEVICE_OBJECT myKbdDevice = NULL;PDEVICE_OBJECT lowDevice = NULL;NTSTATUS status = ObReferenceObjectByName(&kbdName,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,&TargetDriverObject);if (!NT_SUCCESS(status)){DbgPrint("Open Mouse Driver Failed\n");return status;}else{// 解引用ObDereferenceObject(TargetDriverObject);}CurrentDeviceObject = TargetDriverObject->DeviceObject;//循環附加到目標驅動上的所有設備棧上while (CurrentDeviceObject){NTSTATUS status = IoCreateDevice(pDriverObject, sizeof(DEVICE_EXTENTION), NULL, 0, FILE_DEVICE_MOUSE, FALSE, &myKbdDevice);if (!NT_SUCCESS(status)){myKbdDevice = CurrentDeviceObject = NULL;return status;}RtlZeroMemory(myKbdDevice->DeviceExtension, sizeof(DEVICE_EXTENTION));lowDevice = IoAttachDeviceToDeviceStack(myKbdDevice, CurrentDeviceObject);if (!lowDevice){IoDeleteDevice(myKbdDevice);myKbdDevice = NULL;return status;}((PDEVICE_EXTENTION)myKbdDevice->DeviceExtension)->LowerKbdDevice = lowDevice;myKbdDevice->Flags |= DO_BUFFERED_IO;myKbdDevice->Flags &= ~DO_DEVICE_INITIALIZING;CurrentDeviceObject = CurrentDeviceObject->NextDevice;}return STATUS_SUCCESS;
}NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{int i = 0;NTSTATUS Status = STATUS_SUCCESS;for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++){pDriverObject->MajorFunction[i] = DispatchPass;}pDriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;Status = MyAttachDevice(pDriverObject);if (!NT_SUCCESS(Status)){KdPrint(("AttachDevice ERROR!\n"));}else{KdPrint(("AttachDevice SUCCESS!\n"));}pDriverObject->DriverUnload = DriverUnload;return Status;
}

參考資料

Revised Mouse and Keyboard Filter Driver