This is a mirror of official site: http://jasper-net.blogspot.com/

Keyboard Hooking In Kernel

Thursday, May 12, 2011
Introduction

Imagine that the keyboard produces no input at all. That can be used to secure a computer from anyone else: when you leave your computer, you lock the keyboard this way, and when you return you type specific keys to unlock it. Anyone who doesn't know your secret password can't use your computer. This can be implemented through keyboard hooking.

What is keyboard hooking?

It is also called keyboard filtering, and it can be explained simply: the user presses a key, the keyboard device driver sends the key signal up to the user's application, and we hook that stream in between.

Keyboard hooking can be done in several ways, in userland and in kernelland.
You can see a userland sample in Adam Roderick J's article.
He shows keyboard hooking in userland, and a few other articles also explain it. But with that technique you can't hook several times from several applications, and the hook can also be removed easily. So I'll introduce another way: hooking the keyboard in kernelland. I focus on driver hooking in this article. Using this technique you can not only stop key signals but also modify the signals from the user, so it can become a virus or malware. But I don't want that. Then how can it be implemented? Let's see together.
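The lock-and-unlock scenario from the introduction, as an added example that is not part of the original article or its HK_KBD.sys driver: a user-mode C simulation of the filtering decision a keyboard filter driver makes on each buffer of key events before passing it up to the class driver and the application. The key_input struct is an assumed stand-in for the kernel KEYBOARD_INPUT_DATA record (only MakeCode and Flags are modelled), the scan codes in the sample are constructed, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel KEYBOARD_INPUT_DATA record (assumption:
 * only the two fields the filter looks at are modelled). */
#define KEY_MAKE  0x0000  /* key pressed  (same meaning as the kernel flag) */
#define KEY_BREAK 0x0001  /* key released */

typedef struct {
    uint16_t MakeCode;  /* scan code of the key */
    uint16_t Flags;     /* KEY_MAKE or KEY_BREAK */
} key_input;

/* Filter state: while locked, nothing reaches the application until the
 * unlock sequence of scan codes has been pressed in order. */
typedef struct {
    bool locked;
    const uint16_t *secret;  /* scan codes that unlock the keyboard, in order */
    size_t secret_len;
    size_t matched;          /* prefix of the secret seen so far */
} key_filter;

void key_filter_init(key_filter *f, const uint16_t *secret, size_t secret_len)
{
    f->locked = true;
    f->secret = secret;
    f->secret_len = secret_len;
    f->matched = 0;
}

void key_filter_lock(key_filter *f)
{
    f->locked = true;
    f->matched = 0;
}

/* Applies the filter to one buffer of key events, the way a filter driver's
 * read-completion routine would trim the data before it continues up to the
 * class driver. Passed events are compacted to the front of buf; the return
 * value is how many remain (what the driver would report in
 * Irp->IoStatus.Information, divided by the record size). */
size_t key_filter_apply(key_filter *f, key_input *buf, size_t count)
{
    size_t kept = 0;
    for (size_t i = 0; i < count; i++) {
        if (!f->locked) {
            buf[kept++] = buf[i];   /* unlocked: pass the event through */
            continue;
        }
        /* Locked: swallow the event. Only key presses advance the matcher;
         * releases are ignored, so the secret is a sequence of presses. */
        if (buf[i].Flags != KEY_MAKE)
            continue;
        if (buf[i].MakeCode == f->secret[f->matched]) {
            if (++f->matched == f->secret_len) {
                /* Sequence complete: unlock from here on. The release of the
                 * last secret key will pass through; a release for a key the
                 * application never saw pressed is harmless. */
                f->locked = false;
                f->matched = 0;
            }
        } else {
            /* Wrong key: restart, counting this key if it begins the secret. */
            f->matched = (buf[i].MakeCode == f->secret[0]) ? 1 : 0;
        }
    }
    return kept;
}

int main(void)
{
    /* Constructed sample: the secret is the scan-code set 1 sequence A, B, C. */
    static const uint16_t secret[] = { 0x1E, 0x30, 0x2E };
    key_input events[] = {
        { 0x10, KEY_MAKE }, { 0x10, KEY_BREAK },   /* Q: blocked */
        { 0x1E, KEY_MAKE }, { 0x1E, KEY_BREAK },   /* A */
        { 0x30, KEY_MAKE }, { 0x30, KEY_BREAK },   /* B */
        { 0x2E, KEY_MAKE },                        /* C: unlocks */
        { 0x2E, KEY_BREAK }, { 0x10, KEY_MAKE },   /* passed through */
    };
    key_filter f;
    key_filter_init(&f, secret, 3);
    size_t n = key_filter_apply(&f, events, sizeof events / sizeof events[0]);
    printf("%zu of 9 events reach the application, locked=%d\n", n, (int)f.locked);
    return 0;
}
```

In a real filter driver this decision runs in the read-completion routine, where shrinking the returned byte count is what stops events reaching kbdclass and the application. The same position in the stack is exactly where a keylogger sits, so on a machine you defend it is worth checking the UpperFilters value of the keyboard class key, HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}, which normally lists only kbdclass; an unexpected entry there is a filter driver that sees every keystroke.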

How To Use

Place Application.exe and HK_KBD.sys in the same folder and run Application.exe. Then press any key: you will see that no keyboard input arrives. OK, that's it!

Using the Code

First, we need a handle to the keyboard device object. To get it, list all the device objects on your computer and find the keyboard class device among them.
You can implement that in the following way:

NTSTATUS
KeyFlt_CreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING uniOa;
    HANDLE hDir = NULL;
    PVOID pBuffer = NULL;
    ...
    switch (stack->MajorFunction)
    {
    case IRP_MJ_CREATE:
    {
        ...
        // Open the \Device object directory; its entries are enumerated
        // afterwards to find the keyboard class device object(s).
        RtlInitUnicodeString(&uniOa, L"\\Device");

        InitializeObjectAttributes(
            &oa,
            &uniOa,
            OBJ_CASE_INSENSITIVE,
            NULL,
            NULL
            );

        // DIRECTORY_QUERY is all that listing the directory needs;
        // DIRECTORY_ALL_ACCESS asks for more rights than this code uses.
        status = ZwOpenDirectoryObject(
            &hDir,
            DIRECTORY_ALL_ACCESS,
            &oa
            );
        if (!NT_SUCCESS(status))
        {
            break;
        }

        // Buffer that receives the directory listing. Check it for NULL
        // before use, and free it with ExFreePoolWithTag (and close hDir
        // with ZwClose) once the keyboard device has been found.
        pBuffer = ExAllocatePoolWithTag(PagedPool, ALLOC_SIZE, Tag);

Read more: Codeproject

Posted via email from Jasper-net
