
通用鍵盤滑鼠模拟(包括USB和PS2)

通過直接調用Kbdclass的回調函數KeyboardClassServiceCallback,直接給上層發送鍵盤輸入資料。這個方法網上已經公開,可參考《Hook KeyboardClassServiceCallback實作鍵盤 Logger》,其他的還有很多,可以到網上去查。

簡單說一下沒有公開的部分,就是按下和松開的模拟,以及擴充鍵的模拟。

模拟主要是構造KEYBOARD_INPUT_DATA結構,按下和松開的Flags分别對應KEY_MAKE、KEY_BREAK,然後調用KeyboardClassServiceCallback。這裡直接用的sudami的代碼,在此謝過,懶得改了。代碼如下:

case IOCTL_KEY_DOWN :
{
    /* Inject a key press: build one KEYBOARD_INPUT_DATA with Flags = KEY_MAKE
     * and hand it to kbdclass's service callback. The low 16 bits of the ULONG
     * read from ioBuf become MakeCode (the scan code). */
    /* NOTE(review): only ioBuf != NULL is checked here; the 4-byte read below
     * assumes the IOCTL's input buffer length was validated earlier (not visible
     * in this excerpt) -- confirm, because an undersized buffer supplied from
     * user mode would otherwise be over-read in kernel mode. */
    if (ioBuf)
    {
        lKeyCode = *(ULONG*)ioBuf;
        /* NOTE(review): the trailing "/n" is probably a mangled "\n" (this page
         * also renders "\Device" as "//Device"); verify against the original. */
        dprintf("[KeyMouse] KeymouseDispatchDeviceControl IOCTL_KEY_DOWN = 0x%x/n", lKeyCode);
        dwSize = sizeof(KEYBOARD_INPUT_DATA);
        /* Arguments are pushed right-to-left: InputDataConsumed, InputDataEnd,
         * InputDataStart, DeviceObject. No caller-side stack cleanup follows the
         * call, which is consistent with a stdcall callee -- confirm the callback's
         * declared calling convention. */
        __asm {
            push eax
            mov kid.UnitId,0 ; build KEYBOARD_INPUT_DATA
            mov eax,lKeyCode
            mov kid.MakeCode,ax ; MakeCode = low 16 bits of lKeyCode
            mov kid.Flags,KEY_MAKE ; simulate key press
            mov kid.Reserved,0
            mov kid.ExtraInformation,0
            lea eax,dwRet
            push eax ; &dwRet -> InputDataConsumed
            lea eax,kid
            add eax,dwSize
            push eax ; &kid + sizeof(KEYBOARD_INPUT_DATA) -> InputDataEnd (one past the single packet)
            lea eax,kid
            push eax ; &kid -> InputDataStart
            push g_kbDeviceObject ; DeviceObject
            call orig_KeyboardClassServiceCallback ; use KeyboardClassServiceCallback to deliver the simulated keystroke
            pop eax
        }
        status = STATUS_SUCCESS;
    }
    break;
}

case IOCTL_KEY_UP:
{
    /* Inject a key release: identical to IOCTL_KEY_DOWN except that Flags is
     * KEY_BREAK. The low 16 bits of the ULONG read from ioBuf become MakeCode. */
    /* NOTE(review): only ioBuf != NULL is checked here; the 4-byte read below
     * assumes the IOCTL's input buffer length was validated earlier (not visible
     * in this excerpt) -- confirm, because an undersized buffer supplied from
     * user mode would otherwise be over-read in kernel mode. */
    if (ioBuf)
    {
        lKeyCode = *(ULONG*)ioBuf;
        /* NOTE(review): the trailing "/n" is probably a mangled "\n" (this page
         * also renders "\Device" as "//Device"); verify against the original. */
        dprintf("[KeyMouse] KeymouseDispatchDeviceControl IOCTL_KEY_UP = 0x%x/n", lKeyCode);
        dwSize = sizeof(KEYBOARD_INPUT_DATA);
        /* Arguments are pushed right-to-left: InputDataConsumed, InputDataEnd,
         * InputDataStart, DeviceObject. No caller-side stack cleanup follows the
         * call, which is consistent with a stdcall callee -- confirm the callback's
         * declared calling convention. */
        __asm {
            push eax
            mov kid.UnitId,0 ; build KEYBOARD_INPUT_DATA
            mov eax,lKeyCode
            mov kid.MakeCode,ax ; MakeCode = low 16 bits of lKeyCode
            mov kid.Flags,KEY_BREAK ; simulate key release
            mov kid.Reserved,0
            mov kid.ExtraInformation,0
            lea eax,dwRet
            push eax ; &dwRet -> InputDataConsumed
            lea eax,kid
            add eax,dwSize
            push eax ; &kid + sizeof(KEYBOARD_INPUT_DATA) -> InputDataEnd (one past the single packet)
            lea eax,kid
            push eax ; &kid -> InputDataStart
            push g_kbDeviceObject ; DeviceObject
            call orig_KeyboardClassServiceCallback ; use KeyboardClassServiceCallback to deliver the simulated keystroke
            pop eax
        }
        status = STATUS_SUCCESS;
    }
    break;
}

擴充鍵的差別是按下和松開的Flags分别對應KEY_E0、KEY_E1。其他和上面的一樣,這裡就不貼代碼出來了。主要說一下擴充鍵有哪幾個:(前面是MakeCode,後面代表按鈕)

0x1D-RIGHT CONTROL 0x38-RIGHT ALT 0x48-↑ 鍵 0x50-↓ 鍵 0x4b-← 鍵 0x4d-→ 鍵 0x5B-LEFT WIN 0x5C-RIGHT WIN

重點說一下滑鼠的模拟,原理和鍵盤的一樣。查找驅動mouclass.sys中的MouseClassServiceCallback函數,然後擷取\Device\PointerClass0裝置對象指針,構造MOUSE_INPUT_DATA結構,然後調用MouseClassServiceCallback。難點就在於構造MOUSE_INPUT_DATA結構上面。

/* One mouse input packet as consumed by MouseClassServiceCallback.
 * The injection code below fills only UnitId, Flags, ButtonFlags, LastX and
 * LastY; every other field is written as 0. */
typedef struct _MOUSE_INPUT_DATA {
    USHORT UnitId;            /* device unit; 0 is used for button packets, 1 for move packets below */
    USHORT Flags;             /* coordinate mode: MOUSE_MOVE_RELATIVE, MOUSE_MOVE_ABSOLUTE or MOUSE_VIRTUAL_DESKTOP */
    union {
        ULONG Buttons;        /* overlays ButtonFlags/ButtonData; zeroed before ButtonFlags is set */
        struct {
            USHORT ButtonFlags;   /* button press/release: MOUSE_{LEFT,RIGHT,MIDDLE}_BUTTON_{DOWN,UP} */
            USHORT ButtonData;    /* not used by the injection code */
        };
    };
    ULONG RawButtons;         /* always 0 in the injection code */
    LONG LastX;               /* X coordinate; how it is interpreted depends on Flags */
    LONG LastY;               /* Y coordinate; how it is interpreted depends on Flags */
    ULONG ExtraInformation;   /* always 0 in the injection code */
} MOUSE_INPUT_DATA, *PMOUSE_INPUT_DATA;

通過調試作業系統調用MouseClassServiceCallback時的參數,主要的標誌有3個。

Flags標誌表示滑鼠的座標屬性(即相對座標、絕對座標等)

ButtonFlags標誌是左右中鍵按下和松開的標誌

LastX是滑鼠X座標,與Flags標誌有關

LastY是滑鼠Y座標,與Flags標誌有關

其他幾項可以填0。

具體模拟代碼如下:

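/* Button IOCTLs: each arm records the button event in MouseFlags and jumps to
 * the shared tail, which builds a single MOUSE_INPUT_DATA (relative move of
 * LastX/LastY plus the button flag) and delivers it through
 * MouseClassServiceCallback. Input: two ULONGs (X, Y) in ioBuf. */
case IOCTL_MOUSE_LEFT_BUTTON_DOWN:
{
    MouseFlags = MOUSE_LEFT_BUTTON_DOWN;
    goto __MouseCallBack;
}
case IOCTL_MOUSE_LEFT_BUTTON_UP:
{
    MouseFlags = MOUSE_LEFT_BUTTON_UP;
    goto __MouseCallBack;
}
case IOCTL_MOUSE_RIGHT_BUTTON_DOWN:
{
    MouseFlags = MOUSE_RIGHT_BUTTON_DOWN;
    goto __MouseCallBack;
}
case IOCTL_MOUSE_RIGHT_BUTTON_UP:
{
    MouseFlags = MOUSE_RIGHT_BUTTON_UP;
    goto __MouseCallBack;
}
case IOCTL_MOUSE_MIDDLE_BUTTON_DOWN:
{
    MouseFlags = MOUSE_MIDDLE_BUTTON_DOWN;
    goto __MouseCallBack;
}
case IOCTL_MOUSE_MIDDLE_BUTTON_UP:
{
    MouseFlags = MOUSE_MIDDLE_BUTTON_UP;
__MouseCallBack:
    /* Guard the buffer pointer the same way the keyboard IOCTLs do; the
     * original dereferenced ioBuf unconditionally. */
    /* NOTE(review): this reads 2 * sizeof(ULONG) bytes from ioBuf. A NULL check is
     * not a length check: confirm the dispatcher validates the IRP's
     * Parameters.DeviceIoControl.InputBufferLength against 8 bytes before
     * reaching here, otherwise a short buffer from user mode is over-read. */
    if (ioBuf)
    {
        mid.UnitId = 0;
        mid.Flags = MOUSE_MOVE_RELATIVE;
        mid.Buttons = 0;                 /* clear the union before setting ButtonFlags */
        mid.ButtonFlags = MouseFlags;
        mid.RawButtons = 0;
        mid.LastX = *((ULONG*)ioBuf);
        mid.LastY = *((ULONG*)ioBuf+1);
        mid.ExtraInformation = 0;
        /* One packet: [&mid, &mid + 1). The page rendered "&mid;" as the
         * character "∣" (an HTML-entity artefact); restored here. */
        InputDataStart = &mid;
        InputDataEnd = InputDataStart+1;
        orig_MouseClassServiceCallback(
            g_mouDeviceObject,
            InputDataStart,
            InputDataEnd,
            &InputDataConsumed
        );
        status = STATUS_SUCCESS;
    }
    break;
}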

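/* Move IOCTLs: each arm sets the coordinate mode in mid.Flags and jumps to the
 * shared tail, which fills the rest of the packet from the two ULONGs (X, Y)
 * in ioBuf and delivers it through MouseClassServiceCallback. */
case IOCTL_MOUSE_MOVE_RELATIVE:
{
    mid.Flags = MOUSE_MOVE_RELATIVE; /* relative coordinates */
    goto __MouseMoveCallBack;
}
case IOCTL_MOUSE_MOVE_ABSOLUTE:
{
    mid.Flags = MOUSE_MOVE_ABSOLUTE; /* absolute coordinates */
    goto __MouseMoveCallBack;
}
case IOCTL_MOUSE_VIRTUAL_DESKTOP:
{
    mid.Flags = MOUSE_VIRTUAL_DESKTOP; /* virtual desktop coordinates */
__MouseMoveCallBack:
    /* Guard the buffer pointer the same way the keyboard IOCTLs do; the
     * original dereferenced ioBuf unconditionally. */
    /* NOTE(review): this reads 2 * sizeof(ULONG) bytes from ioBuf. A NULL check is
     * not a length check: confirm the dispatcher validates the IRP's
     * Parameters.DeviceIoControl.InputBufferLength against 8 bytes before
     * reaching here, otherwise a short buffer from user mode is over-read. */
    if (ioBuf)
    {
        mid.UnitId = 1;
        mid.Buttons = 0;
        mid.RawButtons = 0;
        mid.LastX = *((ULONG*)ioBuf);
        mid.LastY = *((ULONG*)ioBuf+1);
        mid.ExtraInformation = 0;
        /* One packet: [&mid, &mid + 1). The page rendered "&mid;" as the
         * character "∣" (an HTML-entity artefact); restored here. */
        InputDataStart = &mid;
        InputDataEnd = InputDataStart+1;
        orig_MouseClassServiceCallback(
            g_mouDeviceObject,
            InputDataStart,
            InputDataEnd,
            &InputDataConsumed
        );
        status = STATUS_SUCCESS;
    }
    break;
}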

驅動在windows XP SP2上測試通過。

版權聲明:本文為CSDN部落客「weixin_34249678」的原創文章,遵循CC 4.0 BY-SA版權協定,轉載請附上原文出處連結及本聲明。

原文連結:https://blog.csdn.net/weixin_34249678/article/details/91961891