[求助]键盘过滤驱动一挂接就蓝屏。。。-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]键盘过滤驱动一挂接就蓝屏。。。

发表于: 2010-2-18 17:55 7848

[求助]键盘过滤驱动一挂接就蓝屏。。。

pcie

2010-2-18 17:55

7848

谁能帮助一下我写了个挂接键盘的驱动但是只要一运行到IoAttachDevice 函数就蓝屏了
没想通是怎么回事都折磨一个多星期了望高人指点.... 我把代码贴出来

key.cpp
==================================================
#include "key.h"
#include "HookKbd.h"

NTSTATUS DispatchPassDown(PDEVICE_OBJECT pDeviceObject,PIRP pIrp);
VOID keyunload(IN PDRIVER_OBJECT pDriverObject);
NTSTATUS HookKeyboard(IN PDRIVER_OBJECT pDriverObject);

//驱动入口点
#pragma INITCODE
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath)
{
KdPrint(("进入驱动入口点\n"));
NTSTATUS status;
for (int i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
pDriverObject->MajorFunction[i]=DispatchPassDown;
}
status=HookKeyboard(pDriverObject);
if (!NT_SUCCESS(status))
{
KdPrint(("创建和附加设备失败\n"));
}

pDriverObject->DriverUnload=keyunload;

KdPrint(("退出驱动入口点\n"));
return STATUS_SUCCESS;
}

//卸载例程
#pragma PAGEDCODE
VOID keyunload(IN PDRIVER_OBJECT pDriverObject)
{
KdPrint(("进入驱动卸载keyunload函数\n"));

PDEVICE_OBJECT pNextObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING pLinkName;

pNextObj = pDriverObject->DeviceObject;
while (pNextObj != NULL)
{
pDevExt = (PDEVICE_EXTENSION)pNextObj->DeviceExtension;
      if (pDevExt->pkeyboardDevice!=NULL)
      {
//脱离键盘挂接
         IoDetachDevice(pDevExt->pkeyboardDevice);
      }
//删除符号链接
//pLinkName = pDevExt->ustrSymLinkName;
//IoDeleteSymbolicLink(&pLinkName);
pNextObj = pNextObj->NextDevice;
//删除设备
IoDeleteDevice( pDevExt->pDevice );
}

KdPrint(("退出驱动卸载keyunload函数\n"));
return;
}

//派遣函数向下一层设备转发
#pragma LOCKEDCODE
NTSTATUS DispatchPassDown(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
PDEVICE_EXTENSION pDevExt;

pDevExt=(PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;
IoSkipCurrentIrpStackLocation(pIrp);
return IoCallDriver(pDevExt->pDevice,pIrp);
}

=====================================================

hookkdb.h
====================================================

#pragma once

#include "key.h"

//创建设备并附加到键盘上
#pragma LOCKEDCODE
NTSTATUS HookKeyboard(IN PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status={0};
UNICODE_STRING devName,symLinkName,keyName;//设备名符号名键盘名
PDEVICE_OBJECT pkeyDevice=NULL,pAttachedDevice=NULL;
PDEVICE_EXTENSION pDevExt=NULL;
//创建设备
//RtlInitUnicodeString(&devName,L"\\Device\\keyDevice");
status=IoCreateDevice(pDriverObject,
sizeof(DEVICE_EXTENSION),
NULL,          //&devName,
FILE_DEVICE_KEYBOARD,
0,
TRUE,
&pkeyDevice
);

if (!NT_SUCCESS(status))
{return status;}
KdPrint(("创建设备成功pkeyDevice\n"));

//创建符号连接
//RtlInitUnicodeString(&symLinkName,L"\\??\\keyddxx");
//status = IoCreateSymbolicLink(&symLinkName,&devName);
//if (!NT_SUCCESS(status))
//{
//IoDeleteDevice(pkeyDevice);
//return status;
//}

pkeyDevice->Flags=pkeyDevice->Flags | (DO_BUFFERED_IO | DO_POWER_PAGABLE);
pkeyDevice->Flags=pkeyDevice->Flags & ~DO_DEVICE_INITIALIZING;

RtlZeroMemory(pkeyDevice->DeviceExtension,sizeof(DEVICE_EXTENSION));
pDevExt=(PDEVICE_EXTENSION)pkeyDevice->DeviceExtension;

CCHAR namebuffer[64]="\\Device\\KeyboardClass0";
STRING namestring;
RtlInitAnsiString(&namestring,namebuffer);
RtlAnsiStringToUnicodeString(&keyName,&namestring,TRUE);
status=IoAttachDevice(pkeyDevice,&keyName,&pAttachedDevice);
if (!NT_SUCCESS(status))
{
KdPrint(("附加到键盘失败\n"));
pDevExt->pDevice=pkeyDevice;
//pDevExt->ustrDeviceName=devName;
//pDevExt->ustrSymLinkName=symLinkName;
pDevExt->pkeyboardDevice=NULL;
}
RtlFreeUnicodeString(&keyName);

//填充设备扩展
pDevExt->pDevice=pkeyDevice;
//pDevExt->ustrDeviceName=devName;
//pDevExt->ustrSymLinkName=symLinkName;
pDevExt->pkeyboardDevice=pAttachedDevice;

return status;
}

======================================================

key.h
=======================================================

#pragma once

#ifdef __cplusplus
extern "C"
{
#endif
#include <NTDDK.h>
#ifdef __cplusplus
}
#endif

#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")

#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")

#define arraysize(p) (sizeof(p)/sizeof((p)[0]))

typedef struct _DEVICE_EXTENSION
{
PDEVICE_OBJECT pDevice;       //自己的设备
UNICODE_STRING ustrDeviceName; //设备名称
UNICODE_STRING ustrSymLinkName; //符号链接名
PDEVICE_OBJECT pkeyboardDevice; //键盘
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#系统底层

收藏・0

免费・0

支持

最新回复 (6)
pcie 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 12 粉丝 0 关注私信	pcie 2 楼我只是想看看挂接能不能成功然后再往下写结果测试连挂接都失败就没写了。。。请各位朋友帮助一下。。。。我用windbg调试了源码只要一运行IoAttachDevice函数就蓝屏了 2010-2-18 17:56 0
贾宝玉雪币： 11 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 55 回帖 298 粉丝 1 关注私信	贾宝玉 3 楼好长的代码啊，也不写简单的思路 2010-2-18 20:21 0
pcie 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 12 粉丝 0 关注私信	pcie 4 楼不长啊。。。就是附加键盘驱动但是一附加就蓝屏 2010-2-19 16:48 0
OildFish 雪币： 48 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 22 粉丝 0 关注私信	OildFish 5 楼蓝屏的 Code 呢？在 WinDbg 里面 !analyze -v 输出一下分析信息，看看 Call Stack。 2010-2-19 16:56 0
skypismire 雪币： 75 活跃值： (883) 能力值： ( LV6，RANK：90 ) 在线值：发帖 95 回帖 706 粉丝 3 关注私信	skypismire 1 6 楼拿来跟踪了一下,也弄不明白,就那么几个参数,参数也看不出哪里有问题,只是有一处" Warning: AttachedDevice must point to a global memory location, such as the driver's device extension. "我改了,改用设备扩展的内存,问题依旧. 不过不一定非得用它IoAttachDevice,实在是弄不明白,绕过去先,等后面驱动玩多了,说不定会恍然大悟,我把bugcheck信息帖出来,望高手指点一二 ******************************************************************* SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 804ef120, The address that the exception occurred at Arg3: f8979a44, Exception Record Address Arg4: f8979740, Context Record Address Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx" FAULTING_IP: nt!IopfCallDriver+28 804ef120 8b7108 mov esi,dword ptr [ecx+8] EXCEPTION_RECORD: f8979a44 -- (.exr 0xfffffffff8979a44) ExceptionAddress: 804ef120 (nt!IopfCallDriver+0x00000028) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000008 Attempt to read from address 00000008 CONTEXT: f8979740 -- (.cxr 0xfffffffff8979740) eax=00000002 ebx=82862b70 ecx=00000000 edx=8260c968 esi=82974b58 edi=8260c978 eip=804ef120 esp=f8979b0c ebp=f8979b18 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 nt!IopfCallDriver+0x28: 804ef120 8b7108 mov esi,dword ptr [ecx+8] ds:0023:00000008=???????? Resetting default scope PROCESS_NAME: System ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx" EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000008 READ_ADDRESS: 00000008 FOLLOWUP_IP: test!DispatchPassDown+26 [g:\wdk32\test\test.c @ 72] f8c314b6 8be5 mov esp,ebp BUGCHECK_STR: 0x7E DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE LAST_CONTROL_TRANSFER: from f8c314b6 to 804ef120 STACK_TEXT: f8979b0c f8c314b6 82826708 f8979b60 804ef129 nt!IopfCallDriver+0x28 f8979b18 804ef129 82826650 8260c968 8260c968 test!DispatchPassDown+0x26 [g:\wdk32\test\test.c @ 72] f8979b28 80579f6a 82862b58 00000000 00000000 nt!IopfCallDriver+0x31 f8979b60 805b1b16 00862b70 82862b58 00000000 nt!IopDeleteFile+0x132 f8979b7c 80523bd1 82862b70 00000000 82862b70 nt!ObpRemoveObjectRoutine+0xe0 f8979ba0 8056cd24 f8979c27 f8c31867 00000018 nt!ObfDereferenceObject+0x5f f8979bd4 f8c3163e 82826650 800004a8 f8979c64 nt!IoAttachDevice+0x8a f8979c68 f8c316e7 82974b58 80577780 0000001b test!HookKeyboard+0xfe [g:\wdk32\test\test.c @ 117] f8979c7c 805777ff 82974b58 825f6000 00000000 test!DriverEntry+0x47 [g:\wdk32\test\test.c @ 150] f8979d4c 8057790f 80000444 00000001 00000000 nt!IopLoadDriver+0x66d f8979d74 80535c12 80000444 00000000 82bb73c8 nt!IopLoadUnloadDriver+0x45 f8979dac 805c71ec f6e41cf4 00000000 00000000 nt!ExpWorkerThread+0x100 f8979ddc 80542de2 80535b12 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 FAULTING_SOURCE_CODE: 68: 69: pDevExt=(PDEVICE_EXTENSION)pDeviceObject->DeviceExtension; 70: IoSkipCurrentIrpStackLocation(pIrp); 71: return IoCallDriver(pDevExt->pDevice,pIrp); > 72: } 73: 74: 75: NTSTATUS HookKeyboard(IN PDRIVER_OBJECT pDriverObject) 76: { 77: NTSTATUS status={0}; SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: test!DispatchPassDown+26 FOLLOWUP_NAME: MachineOwner MODULE_NAME: test IMAGE_NAME: test.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4b7e60ee STACK_COMMAND: .cxr 0xfffffffff8979740 ; kb FAILURE_BUCKET_ID: 0x7E_test!DispatchPassDown+26 BUCKET_ID: 0x7E_test!DispatchPassDown+26 Followup: MachineOwner --------- 2010-2-19 18:42 0
fcrong 雪币： 238 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 7 粉丝 0 关注私信	fcrong 7 楼试下把#pragma INITCODE 去掉 2010-5-17 19:52 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

pcie

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
pcie 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 12 粉丝 0 关注私信	pcie 2 楼我只是想看看挂接能不能成功然后再往下写结果测试连挂接都失败就没写了。。。请各位朋友帮助一下。。。。我用windbg调试了源码只要一运行IoAttachDevice函数就蓝屏了 2010-2-18 17:56 0
贾宝玉雪币： 11 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 55 回帖 298 粉丝 1 关注私信	贾宝玉 3 楼好长的代码啊，也不写简单的思路 2010-2-18 20:21 0
pcie 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 12 粉丝 0 关注私信	pcie 4 楼不长啊。。。就是附加键盘驱动但是一附加就蓝屏 2010-2-19 16:48 0
OildFish 雪币： 48 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 22 粉丝 0 关注私信	OildFish 5 楼蓝屏的 Code 呢？在 WinDbg 里面 !analyze -v 输出一下分析信息，看看 Call Stack。 2010-2-19 16:56 0
skypismire 雪币： 75 活跃值： (883) 能力值： ( LV6，RANK：90 ) 在线值：发帖 95 回帖 706 粉丝 3 关注私信	skypismire 1 6 楼拿来跟踪了一下,也弄不明白,就那么几个参数,参数也看不出哪里有问题,只是有一处" Warning: AttachedDevice must point to a global memory location, such as the driver's device extension. "我改了,改用设备扩展的内存,问题依旧. 不过不一定非得用它IoAttachDevice,实在是弄不明白,绕过去先,等后面驱动玩多了,说不定会恍然大悟,我把bugcheck信息帖出来,望高手指点一二 ******************************************************************* SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 804ef120, The address that the exception occurred at Arg3: f8979a44, Exception Record Address Arg4: f8979740, Context Record Address Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx" FAULTING_IP: nt!IopfCallDriver+28 804ef120 8b7108 mov esi,dword ptr [ecx+8] EXCEPTION_RECORD: f8979a44 -- (.exr 0xfffffffff8979a44) ExceptionAddress: 804ef120 (nt!IopfCallDriver+0x00000028) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000008 Attempt to read from address 00000008 CONTEXT: f8979740 -- (.cxr 0xfffffffff8979740) eax=00000002 ebx=82862b70 ecx=00000000 edx=8260c968 esi=82974b58 edi=8260c978 eip=804ef120 esp=f8979b0c ebp=f8979b18 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 nt!IopfCallDriver+0x28: 804ef120 8b7108 mov esi,dword ptr [ecx+8] ds:0023:00000008=???????? Resetting default scope PROCESS_NAME: System ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx" EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000008 READ_ADDRESS: 00000008 FOLLOWUP_IP: test!DispatchPassDown+26 [g:\wdk32\test\test.c @ 72] f8c314b6 8be5 mov esp,ebp BUGCHECK_STR: 0x7E DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE LAST_CONTROL_TRANSFER: from f8c314b6 to 804ef120 STACK_TEXT: f8979b0c f8c314b6 82826708 f8979b60 804ef129 nt!IopfCallDriver+0x28 f8979b18 804ef129 82826650 8260c968 8260c968 test!DispatchPassDown+0x26 [g:\wdk32\test\test.c @ 72] f8979b28 80579f6a 82862b58 00000000 00000000 nt!IopfCallDriver+0x31 f8979b60 805b1b16 00862b70 82862b58 00000000 nt!IopDeleteFile+0x132 f8979b7c 80523bd1 82862b70 00000000 82862b70 nt!ObpRemoveObjectRoutine+0xe0 f8979ba0 8056cd24 f8979c27 f8c31867 00000018 nt!ObfDereferenceObject+0x5f f8979bd4 f8c3163e 82826650 800004a8 f8979c64 nt!IoAttachDevice+0x8a f8979c68 f8c316e7 82974b58 80577780 0000001b test!HookKeyboard+0xfe [g:\wdk32\test\test.c @ 117] f8979c7c 805777ff 82974b58 825f6000 00000000 test!DriverEntry+0x47 [g:\wdk32\test\test.c @ 150] f8979d4c 8057790f 80000444 00000001 00000000 nt!IopLoadDriver+0x66d f8979d74 80535c12 80000444 00000000 82bb73c8 nt!IopLoadUnloadDriver+0x45 f8979dac 805c71ec f6e41cf4 00000000 00000000 nt!ExpWorkerThread+0x100 f8979ddc 80542de2 80535b12 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 FAULTING_SOURCE_CODE: 68: 69: pDevExt=(PDEVICE_EXTENSION)pDeviceObject->DeviceExtension; 70: IoSkipCurrentIrpStackLocation(pIrp); 71: return IoCallDriver(pDevExt->pDevice,pIrp); > 72: } 73: 74: 75: NTSTATUS HookKeyboard(IN PDRIVER_OBJECT pDriverObject) 76: { 77: NTSTATUS status={0}; SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: test!DispatchPassDown+26 FOLLOWUP_NAME: MachineOwner MODULE_NAME: test IMAGE_NAME: test.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4b7e60ee STACK_COMMAND: .cxr 0xfffffffff8979740 ; kb FAILURE_BUCKET_ID: 0x7E_test!DispatchPassDown+26 BUCKET_ID: 0x7E_test!DispatchPassDown+26 Followup: MachineOwner --------- 2010-2-19 18:42 0
fcrong 雪币： 238 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 7 粉丝 0 关注私信	fcrong 7 楼试下把#pragma INITCODE 去掉 2010-5-17 19:52 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复