Windows 7 - Keyboard Filter Driver

Asked By no_name on 30-Nov-08 11:50 AM
I'm trying to write a keyboard filter driver for XP (32 bit). As you can see
from this code, I'm trying to filter Ctrl-Alt-Del calls. I have a capturing
application based on DirectShow, and when GINA pops up, I'm losing timestamps
and video preview. So, while the capturing application is active, I'm trying to
filter Ctrl-Alt-Del. It works in most cases, but sometimes GINA pops
up. If anybody has an idea why that is so... What am I missing?
What can happen in some cases that Ctrl-Alt-Del is not filtered? Can I
return some other value than STATUS_SUCCESS in order to fix that?

#include <ntddk.h>
#include <ntddkbd.h>    // KEYBOARD_INPUT_DATA

// Completion routine for the keyboard read IRP passed down by the filter.
// g_bMonitor, g_bFirstKey, g_bLeftCtrl, g_bLeftAlt, g_bDelete and
// DEVICE_EXTENSION are defined elsewhere in the driver.
NTSTATUS VPReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    PIO_STACK_LOCATION IrpSp;
    PKEYBOARD_INPUT_DATA KeyData;
    KIRQL IrqLevel;
    PDEVICE_EXTENSION KeyExtension;

    KeyExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;

    // Request completed
    DbgPrint("VideoPhillKbd ReadComplete\n");
    IrpSp = IoGetCurrentIrpStackLocation(Irp);

    if (g_bMonitor && NT_SUCCESS(Irp->IoStatus.Status)) {
        // Only the first KEYBOARD_INPUT_DATA record in the buffer is examined.
        KeyData = Irp->AssociatedIrp.SystemBuffer;
        if (g_bFirstKey) {
            g_bFirstKey = FALSE;
            KeyData->MakeCode = 0;
        }
        else {
            // int numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
            // DbgPrint("%d keys pressed\n", numKeys);

            DbgPrint("ScanCode: %x Flags %x Reserved %x Extra info %x\n",
                     KeyData->MakeCode, KeyData->Flags, KeyData->Reserved,
                     KeyData->ExtraInformation);

            // Flags 0 (make) or 2 (make with E0 prefix) is treated as key down.
            switch (KeyData->MakeCode) {
            case 0x1d: // left Ctrl
                g_bLeftCtrl = (KeyData->Flags == 2 || KeyData->Flags == 0);
                DbgPrint("Ctrl %s\n", g_bLeftCtrl ? "Down" : "Up");
                break;
            case 0x38: // left alt
                g_bLeftAlt = (KeyData->Flags == 2 || KeyData->Flags == 0);
                DbgPrint("Alt %s\n", g_bLeftAlt ? "Down" : "Up");
                break;
            case 0x2a:
            case 0x53: // delete
                g_bDelete = (KeyData->Flags == 2 || KeyData->Flags == 0);
                DbgPrint("Del %s\n", g_bDelete ? "Down" : "Up");
                break;
            default:
                break;
            }

            if (g_bLeftCtrl && g_bLeftAlt && g_bDelete) {
                KeyData->MakeCode = 0; // turn it off
                DbgPrint("Ctrl-Alt-Del detected\n");
            }
        }
    }

    // Propagate the pending status up the device stack.
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }

    // One fewer read IRP outstanding for this device.
    KeAcquireSpinLock(&KeyExtension->SpinLock, &IrqLevel);
    InterlockedDecrement(&KeyExtension->IrpsInProgress);
    KeReleaseSpinLock(&KeyExtension->SpinLock, IrqLevel);

    // DbgPrint("key activity\n");
    return Irp->IoStatus.Status;
}




Don Burn replied on 30-Nov-08 12:07 PM
Please let us know what the application is so we can avoid it and tell our
customers to not use it.  Sorry, but stopping Ctrl-Alt-Del means that you
have taken the last line of control away from the user; I would view this
product as MALWARE.


--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

no_name replied on 30-Nov-08 12:40 PM
The computer that runs video capture is a dedicated computer. It runs 24/7. It
is important that the user can check the status sometimes. If somebody presses
Ctrl-Alt-Del, DirectShow will reset timestamps arriving with each video
frame and audio sample. It is also important to handle A/V sync properly. In
case of resetting timestamps, if there is an A/V sync issue, it is hard to
recover. Also, DirectX will lose some surfaces and there will be no video
preview any more. Since restarting the application is not an option, we have
keyboard filtering. Filtering is active only while capturing.
Customers know that and they like the idea, so your accusations of malware
are really nothing more than ridiculous.

If you regard that kind of software as malware, that is your right. You judged
that based only on the technique used, but that doesn't make the software
malware. If you own a car, does that make you a killer automatically because
you can kill someone with it? Not really, until you deliberately run over
somebody.

no_name replied on 30-Nov-08 01:56 PM
I found the bug. A for-loop should be used when comparing scan codes, because
more than one key could be pressed.
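
The point of the last post, as an added example that is not code from the thread: a completed keyboard read can carry several KEYBOARD_INPUT_DATA records, so tracking key state from the first record alone misses keys that arrive later in the same buffer. This is a user-mode simulation; the kbd_packet struct, the function names and the sample buffer are constructed for illustration, and key-down is tested with the KEY_BREAK bit rather than the Flags == 0 || Flags == 2 comparison in the posted code.

```c
#include <stdio.h>
/* Constructed user-mode mirror of KEYBOARD_INPUT_DATA (ntddkbd.h). */
typedef struct {
    unsigned short UnitId, MakeCode, Flags, Reserved;
    unsigned long  ExtraInformation;
} kbd_packet;
#define KEY_BREAK 0x01 /* release; make (press) is the absence of this bit */
#define KEY_E0    0x02 /* extended scan code */
typedef struct { int ctrl, alt, del; } chord_state;

/* Fold one packet into the state; returns 1 while all three keys are down. */
static int track(chord_state *s, const kbd_packet *p)
{
    int down = !(p->Flags & KEY_BREAK);
    if (p->MakeCode == 0x1d) s->ctrl = down;      /* left Ctrl */
    else if (p->MakeCode == 0x38) s->alt = down;  /* left Alt */
    else if (p->MakeCode == 0x53) s->del = down;  /* Delete */
    return s->ctrl && s->alt && s->del;
}

/* What the posted routine does: look at the first record only. */
int chord_seen_first_only(const kbd_packet *buf, size_t bytes, chord_state *s)
{
    return bytes >= sizeof *buf ? track(s, &buf[0]) : 0;
}

/* Walk every record: count = bytes / sizeof(record). */
int chord_seen_all(const kbd_packet *buf, size_t bytes, chord_state *s)
{
    size_t i;
    int seen = 0;
    for (i = 0; i < bytes / sizeof *buf; i++)
        seen |= track(s, &buf[i]);
    return seen;
}

/* Constructed sample: one completed read carrying three make packets. */
static const kbd_packet sample_read[] = {
    {0, 0x1d, 0, 0, 0}, {0, 0x38, 0, 0, 0}, {0, 0x53, KEY_E0, 0, 0},
};

int main(void)
{
    chord_state a = {0, 0, 0}, b = {0, 0, 0};
    printf("first-only: %d, all records: %d\n",
           chord_seen_first_only(sample_read, sizeof sample_read, &a),
           chord_seen_all(sample_read, sizeof sample_read, &b));
    return 0;
}
```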