I have developed an advanced audio filter designed to effectively “mute” the microphone by replacing its system buffer with zeros. The primary objective of this kernel filter is to safeguard users’ privacy. In cases where users wish to prevent any applications from accessing their microphone, the kernel driver steps in to substitute recorded data with zeros. Consequently, applications like Zoom, Teams, and others will receive no audio input from the microphone.
`Irp = WdfRequestWdmGetIrp(Request);
pStreamHdr = (PKSSTREAM_HEADER)Irp->AssociatedIrp.SystemBuffer;
if (pStreamHdr ) {
//assign a new buf and mdl
if (Irp->MdlAddress) {
pMdlBufferOut = (PUCHAR)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
LOG_INFO("Data Used %u", pStreamHdr->DataUsed);
if (pMdlBufferOut != NULL)
{
RtlFillBytes(pMdlBufferOut, pStreamHdr->DataUsed, 95);
}
}
}`
I employed the WDF framework to develop this kernel driver, and within this driver, I intercepted the **IOCTL_KS_READ_STREAM **control code. By utilizing the MmGetSystemAddressForMdlSafe function, I obtained access to the system buffer. Subsequently, I employed the **RtlFillBytes **function to populate this buffer with data 95. This approach works perfectly when dealing with external USB microphones. However, it does not work for the built-in microphones on laptops.
In my efforts to troubleshoot this issue, I use DbgView to monitor the log. Interestingly, I observed a continuous stream of **IOCTL_KS_READ_STREAM **events originating from USB-connected microphones. However, I detected no such events for the built-in laptop microphones. Despite extensive contemplation, I remain baffled by the underlying cause of this disparity. Could anyone offer some guidance or insights on this matter? Your assistance would be greatly appreciated. Thank you.