Задача следующая: нужно записывать в лог все действия пользователя с мышью (перемещения курсора и нажатия кнопок).
Наверняка кто-то уже решил данную задачу. Сам я разработкой драйверов никогда не занимался и сейчас пребываю в полной растерянности...
Вначале хотел вызвать ZwOpenFile из функции MouFilter_ServiceCallback (пример WinDDK C:\WinDDK\7600.16385.1\src\input\moufiltr\moufiltr.c).
Но это невозможно.
Решил вызвать ZwOpenFile с помощью WdfWorkItemEnqueue(hWorkItem), но не могу скомпилировать пример...
/*--
Copyright (c) 2008 Microsoft Corporation
Module Name:
moufiltr.c
Abstract:
Environment:
Kernel mode only- Framework Version
Notes:
--*/
#include "moufiltr.h"
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, DriverEntry)
#pragma alloc_text (PAGE, MouFilter_EvtDeviceAdd)
#pragma alloc_text (PAGE, MouFilter_EvtIoInternalDeviceControl)
#endif
#pragma warning(push)
#pragma warning(disable:4055) // type case from PVOID to PSERVICE_CALLBACK_ROUTINE
#pragma warning(disable:4152) // function/data pointer conversion in expression
#define NT_FILE_NAME L"\\??\\c:\\log.txt"
NTSTATUS
DriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
Installable driver initialization entry point.
This entry point is called directly by the I/O system.
--*/
{
WDF_DRIVER_CONFIG config;
NTSTATUS status;
//PWORKER_ITEM_CONTEXT context;
WDF_OBJECT_ATTRIBUTES attributes;
WDF_WORKITEM_CONFIG workitemConfig;
WDFWORKITEM hWorkItem;
DebugPrint(("Mouse Filter Driver Sample - Driver Framework Edition.\n"));
DebugPrint(("Built %s %s\n", __DATE__, __TIME__));
// Initiialize driver config to control the attributes that
// are global to the driver. Note that framework by default
// provides a driver unload routine. If you create any resources
// in the DriverEntry and want to be cleaned in driver unload,
// you can override that by manually setting the EvtDriverUnload in the
// config structure. In general xxx_CONFIG_INIT macros are provided to
// initialize most commonly used members.
WDF_DRIVER_CONFIG_INIT(
&config,
MouFilter_EvtDeviceAdd
);
//
// Create a framework driver object to represent our driver.
//
status = WdfDriverCreate(DriverObject,
RegistryPath,
WDF_NO_OBJECT_ATTRIBUTES,
&config,
WDF_NO_HANDLE); // hDriver optional
if (!NT_SUCCESS(status)) {
DebugPrint( ("WdfDriverCreate failed with status 0x%x\n", status));
}
WDF_OBJECT_ATTRIBUTES_INIT(&attributes);
WDF_OBJECT_ATTRIBUTES_SET_CONTEXT_TYPE(
&attributes,
WORKER_ITEM_CONTEXT
);
attributes.ParentObject = FdoData->WdfDevice;
WDF_WORKITEM_CONFIG_INIT(
&workitemConfig,
MouFilter_CallbackFunction
);
status = WdfWorkItemCreate(
&workitemConfig,
&attributes,
&hWorkItem
);
return status;
}
NTSTATUS
MouFilter_EvtDeviceAdd(
IN WDFDRIVER Driver,
IN PWDFDEVICE_INIT DeviceInit
)
/*++
Routine Description:
EvtDeviceAdd is called by the framework in response to AddDevice
call from the PnP manager. Here you can query the device properties
using WdfFdoInitWdmGetPhysicalDevice/IoGetDeviceProperty and based
on that, decide to create a filter device object and attach to the
function stack.
If you are not interested in filtering this particular instance of the
device, you can just return STATUS_SUCCESS without creating a framework
device.
Arguments:
Driver - Handle to a framework driver object created in DriverEntry
DeviceInit - Pointer to a framework-allocated WDFDEVICE_INIT structure.
Return Value:
NTSTATUS
--*/
{
WDF_OBJECT_ATTRIBUTES deviceAttributes;
NTSTATUS status;
WDFDEVICE hDevice;
WDF_IO_QUEUE_CONFIG ioQueueConfig;
UNREFERENCED_PARAMETER(Driver);
PAGED_CODE();
DebugPrint(("Enter FilterEvtDeviceAdd \n"));
//
// Tell the framework that you are filter driver. Framework
// takes care of inherting all the device flags & characterstics
// from the lower device you are attaching to.
//
WdfFdoInitSetFilter(DeviceInit);
WdfDeviceInitSetDeviceType(DeviceInit, FILE_DEVICE_MOUSE);
WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes,
DEVICE_EXTENSION);
//
// Create a framework device object. This call will in turn create
// a WDM deviceobject, attach to the lower stack and set the
// appropriate flags and attributes.
//
status = WdfDeviceCreate(&DeviceInit, &deviceAttributes, &hDevice);
if (!NT_SUCCESS(status)) {
DebugPrint(("WdfDeviceCreate failed with status code 0x%x\n", status));
return status;
}
//
// Configure the default queue to be Parallel. Do not use sequential queue
// if this driver is going to be filtering PS2 ports because it can lead to
// deadlock. The PS2 port driver sends a request to the top of the stack when it
// receives an ioctl request and waits for it to be completed. If you use a
// a sequential queue, this request will be stuck in the queue because of the
// outstanding ioctl request sent earlier to the port driver.
//
WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE(&ioQueueConfig,
WdfIoQueueDispatchParallel);
//
// Framework by default creates non-power managed queues for
// filter drivers.
//
ioQueueConfig.EvtIoInternalDeviceControl = MouFilter_EvtIoInternalDeviceControl;
status = WdfIoQueueCreate(hDevice,
&ioQueueConfig,
WDF_NO_OBJECT_ATTRIBUTES,
WDF_NO_HANDLE // pointer to default queue
);
if (!NT_SUCCESS(status)) {
DebugPrint( ("WdfIoQueueCreate failed 0x%x\n", status));
return status;
}
return status;
}
VOID
MouFilter_DispatchPassThrough(
__in WDFREQUEST Request,
__in WDFIOTARGET Target
)
/*++
Routine Description:
Passes a request on to the lower driver.
--*/
{
//
// Pass the IRP to the target
//
WDF_REQUEST_SEND_OPTIONS options;
BOOLEAN ret;
NTSTATUS status = STATUS_SUCCESS;
//
// We are not interested in post processing the IRP so
// fire and forget.
//
WDF_REQUEST_SEND_OPTIONS_INIT(&options,
WDF_REQUEST_SEND_OPTION_SEND_AND_FORGET);
ret = WdfRequestSend(Request, Target, &options);
if (ret == FALSE) {
status = WdfRequestGetStatus (Request);
DebugPrint( ("WdfRequestSend failed: 0x%x\n", status));
WdfRequestComplete(Request, status);
}
return;
}
VOID
MouFilter_EvtIoInternalDeviceControl(
IN WDFQUEUE Queue,
IN WDFREQUEST Request,
IN size_t OutputBufferLength,
IN size_t InputBufferLength,
IN ULONG IoControlCode
)
/*++
Routine Description:
This routine is the dispatch routine for internal device control requests.
There are two specific control codes that are of interest:
IOCTL_INTERNAL_MOUSE_CONNECT:
Store the old context and function pointer and replace it with our own.
This makes life much simpler than intercepting IRPs sent by the RIT and
modifying them on the way back up.
IOCTL_INTERNAL_I8042_HOOK_MOUSE:
Add in the necessary function pointers and context values so that we can
alter how the ps/2 mouse is initialized.
NOTE: Handling IOCTL_INTERNAL_I8042_HOOK_MOUSE is *NOT* necessary if
all you want to do is filter MOUSE_INPUT_DATAs. You can remove
the handling code and all related device extension fields and
functions to conserve space.
--*/
{
PDEVICE_EXTENSION devExt;
PCONNECT_DATA connectData;
PINTERNAL_I8042_HOOK_MOUSE hookMouse;
NTSTATUS status = STATUS_SUCCESS;
WDFDEVICE hDevice;
size_t length;
UNREFERENCED_PARAMETER(OutputBufferLength);
UNREFERENCED_PARAMETER(InputBufferLength);
PAGED_CODE();
hDevice = WdfIoQueueGetDevice(Queue);
devExt = FilterGetData(hDevice);
switch (IoControlCode) {
//
// Connect a mouse class device driver to the port driver.
//
case IOCTL_INTERNAL_MOUSE_CONNECT:
//
// Only allow one connection.
//
if (devExt->UpperConnectData.ClassService != NULL) {
status = STATUS_SHARING_VIOLATION;
break;
}
//
// Copy the connection parameters to the device extension.
//
status = WdfRequestRetrieveInputBuffer(Request,
sizeof(CONNECT_DATA),
&connectData,
&length);
if(!NT_SUCCESS(status)){
DebugPrint(("WdfRequestRetrieveInputBuffer failed %x\n", status));
break;
}
devExt->UpperConnectData = *connectData;
//
// Hook into the report chain. Everytime a mouse packet is reported to
// the system, MouFilter_ServiceCallback will be called
//
connectData->ClassDeviceObject = WdfDeviceWdmGetDeviceObject(hDevice);
connectData->ClassService = MouFilter_ServiceCallback;
break;
//
// Disconnect a mouse class device driver from the port driver.
//
case IOCTL_INTERNAL_MOUSE_DISCONNECT:
//
// Clear the connection parameters in the device extension.
//
// devExt->UpperConnectData.ClassDeviceObject = NULL;
// devExt->UpperConnectData.ClassService = NULL;
status = STATUS_NOT_IMPLEMENTED;
break;
//
// Attach this driver to the initialization and byte processing of the
// i8042 (ie PS/2) mouse. This is only necessary if you want to do PS/2
// specific functions, otherwise hooking the CONNECT_DATA is sufficient
//
case IOCTL_INTERNAL_I8042_HOOK_MOUSE:
DebugPrint(("hook mouse received!\n"));
// Get the input buffer from the request
// (Parameters.DeviceIoControl.Type3InputBuffer)
//
status = WdfRequestRetrieveInputBuffer(Request,
sizeof(INTERNAL_I8042_HOOK_MOUSE),
&hookMouse,
&length);
if(!NT_SUCCESS(status)){
DebugPrint(("WdfRequestRetrieveInputBuffer failed %x\n", status));
break;
}
//
// Set isr routine and context and record any values from above this driver
//
devExt->UpperContext = hookMouse->Context;
hookMouse->Context = (PVOID) devExt;
if (hookMouse->IsrRoutine) {
devExt->UpperIsrHook = hookMouse->IsrRoutine;
}
hookMouse->IsrRoutine = (PI8042_MOUSE_ISR) MouFilter_IsrHook;
//
// Store all of the other functions we might need in the future
//
devExt->IsrWritePort = hookMouse->IsrWritePort;
devExt->CallContext = hookMouse->CallContext;
devExt->QueueMousePacket = hookMouse->QueueMousePacket;
status = STATUS_SUCCESS;
break;
//
// Might want to capture this in the future. For now, then pass it down
// the stack. These queries must be successful for the RIT to communicate
// with the mouse.
//
case IOCTL_MOUSE_QUERY_ATTRIBUTES:
default:
break;
}
if (!NT_SUCCESS(status)) {
WdfRequestComplete(Request, status);
return ;
}
MouFilter_DispatchPassThrough(Request,WdfDeviceGetIoTarget(hDevice));
}
BOOLEAN
MouFilter_IsrHook (
PVOID DeviceExtension,
PMOUSE_INPUT_DATA CurrentInput,
POUTPUT_PACKET CurrentOutput,
UCHAR StatusByte,
PUCHAR DataByte,
PBOOLEAN ContinueProcessing,
PMOUSE_STATE MouseState,
PMOUSE_RESET_SUBSTATE ResetSubState
)
/*++
Remarks:
i8042prt specific code, if you are writing a packet only filter driver, you
can remove this function
Arguments:
DeviceExtension - Our context passed during IOCTL_INTERNAL_I8042_HOOK_MOUSE
CurrentInput - Current input packet being formulated by processing all the
interrupts
CurrentOutput - Current list of bytes being written to the mouse or the
i8042 port.
StatusByte - Byte read from I/O port 60 when the interrupt occurred
DataByte - Byte read from I/O port 64 when the interrupt occurred.
This value can be modified and i8042prt will use this value
if ContinueProcessing is TRUE
ContinueProcessing - If TRUE, i8042prt will proceed with normal processing of
the interrupt. If FALSE, i8042prt will return from the
interrupt after this function returns. Also, if FALSE,
it is this functions responsibilityt to report the input
packet via the function provided in the hook IOCTL or via
queueing a DPC within this driver and calling the
service callback function acquired from the connect IOCTL
Return Value:
Status is returned.
--+*/
{
PDEVICE_EXTENSION devExt;
BOOLEAN retVal = TRUE;
devExt = DeviceExtension;
if (devExt->UpperIsrHook) {
retVal = (*devExt->UpperIsrHook) (devExt->UpperContext,
CurrentInput,
CurrentOutput,
StatusByte,
DataByte,
ContinueProcessing,
MouseState,
ResetSubState
);
if (!retVal || !(*ContinueProcessing)) {
return retVal;
}
}
*ContinueProcessing = TRUE;
return retVal;
}
VOID
MouFilter_ServiceCallback(
IN PDEVICE_OBJECT DeviceObject,
IN PMOUSE_INPUT_DATA Start,
IN PMOUSE_INPUT_DATA End,
IN OUT PULONG Consumed
)
/*++
Routine Description:
Called when there are mouse packets to report to the RIT. You can do
anything you like to the packets. For instance:
o Drop a packet altogether
o Mutate the contents of a packet
o Insert packets into the stream
Arguments:
DeviceObject - Context passed during the connect IOCTL
InputDataStart - First packet to be reported
InputDataEnd - One past the last packet to be reported. Total number of
packets is equal to InputDataEnd - InputDataStart
InputDataConsumed - Set to the total number of packets consumed by the RIT
(via the function pointer we replaced in the connect
IOCTL)
Return Value:
Status is returned.
--*/
{
PDEVICE_EXTENSION devExt;
WDFDEVICE hDevice;
PMOUSE_INPUT_DATA pCur;
PMY_CONTEXT_TYPE context;
/*char *buffer; //указатель на записываемые данные.
int size; //размер элемента в байтах.
int count; //максимальное число записываемых элементов.
FILE *stream; //указатель на структуру типа FILE.
long list[100];
int numwritten;
count=100;
size=sizeof(long);
buffer=(char *)list;
stream=fopen("\\\\.\\pipe\\moufiltr", "r+b");
numwritten = fwrite((char *)list, sizeof(long), count,
stream);
fclose(stream);*/
context = GetWorkItemContext(hWorkItem);
//context->FdoData = FdoData;
//context->Argument1 = Context1;
//context->Argument2 = Context2;
WdfWorkItemEnqueue(hWorkItem);
hDevice = WdfWdmDeviceGetWdfDeviceHandle(DeviceObject);
devExt = FilterGetData(hDevice);
for (pCur = Start; pCur < End; pCur++)
{
DebugPrint("pCur");
//if (pCur->ButtonFlags & MOUSE_RIGHT_BUTTON_DOWN) { devExt->RightButtonDown = TRUE ; }
//else if (pCur->ButtonFlags & MOUSE_RIGHT_BUTTON_UP { devExt->RightButtonDown = FALSE; }
//if (devExt->RightButtonDown) { pCur->LastY = -pCur->LastY; } // invert Y
}
//
// UpperConnectData must be called at DISPATCH
//
(*(PSERVICE_CALLBACK_ROUTINE) devExt->UpperConnectData.ClassService)(
devExt->UpperConnectData.ClassDeviceObject,
Start,
End,
Consumed
);
}
VOID
MouFilter_CallbackFunction(
IN WDFWORKITEM hWorkItem
)
{
/*PMY_CONTEXT_TYPE context;
LONG result;
OBJECT_ATTRIBUTES oa;
IO_STATUS_BLOCK iosb;
HANDLE hFile;
UNICODE_STRING g_usFileName;
context = GetWorkItemContext(hWorkItem);
//
// Do work here.
//
/*RtlInitUnicodeString(&g_usFileName,NT_FILE_NAME);
InitializeObjectAttributes(&oa,&g_usFileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,NULL);
if (ZwOpenFile(&hFile,FILE_APPEND_DATA|SYNCHRONIZE,&oa,&iosb,
FILE_SHARE_READ,FILE_SYNCHRONOUS_IO_NONALERT)==STATUS_SUCCESS)
{
if (ZwWriteFile(&hFile,0,NULL,NULL,&iosb,
&InputDataStart->MakeCode,4,NULL,NULL)==STATUS_SUCCESS);
ZwClose(hFile);
}*/
//
// Reset object state.
//
/*result = InterlockedExchange(
(PLONG)&context->WorkItemState,
WORKITEM_STATE_FREE
);
ASSERT(result == WORKITEM_STATE_BUSY);
return;*/
}
#pragma warning(pop)
Ошибки компиляции:
1>errors in directory c:\winddk\7600.16385.1\src\input\moufiltr
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(32) : error C2061: syntax error : identifier 'context'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(32) : error C2059: syntax error : ';'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(37) : error C2143: syntax error : missing ')' before '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(37) : error C2143: syntax error : missing '{' before '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(37) : error C2059: syntax error : '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(37) : error C2059: syntax error : ')'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(41) : error C2059: syntax error : '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(42) : error C2143: syntax error : missing '{' before '.'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(42) : error C2059: syntax error : '.'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(45) : error C2143: syntax error : missing ')' before '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(45) : error C2143: syntax error : missing '{' before '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(45) : error C2059: syntax error : '&'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(47) : error C2059: syntax error : ')'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(53) : error C2099: initializer is not a constant
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(515) : error C2065: 'PMY_CONTEXT_TYPE' : undeclared identifier
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(515) : error C2146: syntax error : missing ';' before identifier 'context'
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(515) : error C2065: 'context' : undeclared identifier
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(531) : error C2065: 'context' : undeclared identifier
1>c:\winddk\7600.16385.1\src\input\moufiltr\moufiltr.c(531) : error C4013: 'GetWorkItemContext' undefined; assuming extern returning int
1>link : error LNK1181: cannot open input file 'c:\winddk\7600.16385.1\src\input\moufiltr\objfre_win7_x86\i386\moufiltr.obj'
M>Решил вызвать ZwOpenFile с помощью WdfWorkItemEnqueue(hWorkItem)...
Мысль верная, в том смысле, что передавать накопленные данные приложению следует в workitem-функции на irql=0 или просто ставить в очередь (пока не заберут запросом на чтение или device I/O), при чём передаём туда контекст, выделенный из NonPagedPool (ибо irql=2, вызываемся из ISR, в документации это
указано), а очередь организовываем уже из PagedPool и лучше для неё
lookaside-списки использовать, ибо данных будет, скорее всего, много и просадку производительности лучше уменьшить сразу, насколько возможно.
M>...но не могу скомпилировать пример...
Ну так тебе же компилятор русским языком пишет, что с типом PMY_CONTEXT_TYPE у тебя что-то не так. Зачем комментировать всё подряд начал, не там проблему ищешь, разберись, что у тебя с объявлением этого типа, объявлен ли он вообще и, если да, то виден ли оттуда, где непосредственно используешь (файл moufiltr.c, строка 32). И это ещё что за ересь — fopen/fwrite/etc — в драйвере? Это тут тебе не приложение консольное main() сотоварищи.
Задача следующая: нужно записывать в лог все действия пользователя с мышью (перемещения курсора и нажатия кнопок).
а SetWindowsHookEx(WH_KEYBOARD_LL, ..) для этой задачи не подходит ? нужен именно фильтр-драйвер ?
