Find device attached to keyboard device

OSR_Community_User · December 27, 2007, 10:19am

Hi,
That is the question, the DeviceTree show that is posible, i only need a hint to start working.
Best Regards
Yohamnes.

Don_Burn_1 · December 27, 2007, 10:51am

IIRC DeviceTree does some undocumented and unrecommended things in the
kernel to get the data it displays. Remember it is a test tool, not a
production tool.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntdev…
> Hi,
> That is the question, the DeviceTree show that is posible, i only need a
> hint to start working.
> Best Regards
> Yohamnes.
>

OSR_Community_User · December 27, 2007, 11:06am

Thanks Don, but i don’t want to release any product, i only want to win a personal battle with a kernel keylogger in my machine (a test machine), i am an student yet and i like to know how, that’s all. Also if i achieve to do that undocumented things, my knowledge about the OS will be increased.
Thanks in advance.

OSR_Community_User · December 27, 2007, 11:36am

Hi, this could be work???

IoGetDeviceObjectPointer() to obtain the device object pointer to \device\keyboardclass0
and then IoGetAttachedDeviceReference to see is someone is attached.

I read quickly this functions so forgive me any mistake, that would word??

Thanks,
Yohamnes

Daniel_Terhell · December 27, 2007, 12:08pm

You could probably enumerate device objects and see if they belong to the
keyboard stack. Likely need to use undocumented fields of object types to
enumerate device objects in the system. Another approach is that you
enumerate first all driver objects and from there enumerate device objects
created by those drivers. But remember there are too many ways of monitoring
keystrokes in Windows, most of them in user mode. Any program which claims
to detect key loggers in Windows is doing only a partial job.

Regards,

Daniel Terhell
Resplendence Software Projects
http://www.resplendence.com

wrote in message news:xxxxx@ntdev…
> Hi,
> That is the question, the DeviceTree show that is posible, i only need a
> hint to start working.
> Best Regards
> Yohamnes.
>

Maxim_S_Shatskih · December 30, 2007, 10:13am

> keyboard stack. Likely need to use undocumented fields of object types to

enumerate device objects in the system.

This only works if some debugging GlobalFlag bit (“maintain a list of objects
of each type”) is set.

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Daniel_Terhell · December 30, 2007, 12:08pm

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
> This only works if some debugging GlobalFlag bit (“maintain a list of
> objects
> of each type”) is set.
>

From what I remember device objects and driver objects are registered this
way by default. This global flag is only if you want to have all objects
types administered this way.

In any case it’s a research project only so he can set those flags and he
can also use ZwEnumerateDriverObjects as well as the object directory
functions to get there.

/Daniel