Current Situation:
My INF installs the driver as an UpperFilter for the Keyboard class ({4D36E96B-E325-11CE-BFC1-08002BE10318}).
When I install it with devcon install, the system shows the device being affected.
However, the keyboard stops working, and Device Manager shows the device gone or malfunctioning.
In Windbg, I see "Keyboard attach failed", printed from my driver code.
``
#include "ntddk.h"
#include "ntddmou.h"
#include <stdlib.h>
#define _CRT_SECURE_NO_WARNINGS
#define KEY_DOWN 0
#define KEY_UP 1
#define KEY_SPECIAL_DOWN 2
#define KEY_SPECIAL_UP 3
int x, y;
typedef struct {
PDEVICE_OBJECT LowerDevice;
} DEVICE_EXTENSION, * PDEVICE_EXTENSION;
PDEVICE_OBJECT myKbdDevice = NULL;
BOOLEAN send = FALSE;
BOOLEAN end = FALSE;
BOOLEAN eDown = FALSE;
BOOLEAN eUp = TRUE;
int speed = 5;
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, * PKEYBOARD_INPUT_DATA;
ULONG pendingKey = 0;
VOID Unload(
IN PDRIVER_OBJECT DriverObject
)
{
UNREFERENCED_PARAMETER(DriverObject);
end = TRUE;
LARGE_INTEGER interval = { 0 };
interval.QuadPart = -10 * 1000 * 1000;
IoDetachDevice(((PDEVICE_EXTENSION)myKbdDevice->DeviceExtension)->LowerDevice);
while (pendingKey) {
KeDelayExecutionThread(KernelMode,FALSE,&interval);
}
IoDeleteDevice(myKbdDevice);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "driver unload\r\n");
}
NTSTATUS DispatchPass(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{
IoCopyCurrentIrpStackLocationToNext(Irp);
return IoCallDriver(((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerDevice,Irp);
}
NTSTATUS ReadComplete(
PDEVICE_OBJECT DeviceObject,
PIRP Irp,
PVOID Context
)
{
UNREFERENCED_PARAMETER(DeviceObject);
UNREFERENCED_PARAMETER(Context);
PKEYBOARD_INPUT_DATA Keys = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
size_t structnum = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
if (Irp->IoStatus.Status == STATUS_SUCCESS)
{
x = 0;
y = 0;
BOOLEAN flag = FALSE;
//TODO
for (int i = 0; i < structnum; i++) {
if (Keys[i].Flags == KEY_SPECIAL_DOWN && Keys[i].MakeCode == 0x48) {
flag = TRUE;
y = -speed;
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "up arrow was pressed\r\n");
}
else if (Keys[i].Flags == KEY_SPECIAL_DOWN && Keys[i].MakeCode == 0x4B) {
flag = TRUE;
x = -speed;
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "left arrow was pressed\r\n");
}
else if (Keys[i].Flags == KEY_SPECIAL_DOWN && Keys[i].MakeCode == 0x4D) {
flag = TRUE;
x = speed;
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "right arrow was pressed\r\n");
}
else if (Keys[i].Flags == KEY_SPECIAL_DOWN && Keys[i].MakeCode == 0x50) {
flag = TRUE;
y = speed;
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "down arrow was pressed\r\n");
}
else if (Keys[i].Flags == KEY_DOWN && Keys[i].MakeCode == 0x12) {
flag = TRUE;
eDown = TRUE;
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "e is down\r\n");
}
else if (Keys[i].Flags == KEY_UP && Keys[i].MakeCode == 0x12) {
flag = TRUE;
eUp = TRUE;
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "e is up\r\n");
}
}
if (flag)
send = TRUE;
}
if (Irp->PendingReturned)
{
IoMarkIrpPending(Irp);
}
pendingKey--;
return Irp->IoStatus.Status;
}
NTSTATUS DispatchRead(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{
if (DeviceObject == myKbdDevice) {
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp, ReadComplete, NULL, TRUE, TRUE, TRUE);
pendingKey++;
return IoCallDriver(((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerDevice, Irp);
}
else
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = sizeof(MOUSE_INPUT_DATA);
LARGE_INTEGER interval = { 0 };
interval.QuadPart = -10+100;
while (send == FALSE) {
KeDelayExecutionThread(KernelMode, FALSE, &interval);
if (end)
return STATUS_SUCCESS;
}
send = FALSE;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
}
NTSTATUS AttachKeyboardDevice(
PDRIVER_OBJECT DriverObject,PDEVICE_OBJECT PDO
)
{
// UNREFERENCED_PARAMETER(PDO);
PDEVICE_EXTENSION DevExt;
NTSTATUS status;
status = IoCreateDevice(DriverObject,sizeof(DEVICE_EXTENSION),NULL,FILE_DEVICE_KEYBOARD,0,FALSE,&myKbdDevice);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Device creation failed\r\n");
return status;
}
myKbdDevice->Flags |= DO_BUFFERED_IO;
myKbdDevice->Flags &= ~DO_DEVICE_INITIALIZING;
RtlZeroMemory(myKbdDevice->DeviceExtension, sizeof(DEVICE_EXTENSION));
DevExt = (PDEVICE_EXTENSION)myKbdDevice->DeviceExtension;
PDEVICE_OBJECT lowerKbd = DevExt->LowerDevice;
status = IoAttachDeviceToDeviceStackSafe(myKbdDevice, PDO,lowerKbd );
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ERROR: IoAttachDeviceToDeviceStack()\r\n");
IoDeleteDevice(myKbdDevice);
return status;
}
return STATUS_SUCCESS;
}
NTSTATUS CompletionRoutine(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context) {
UNREFERENCED_PARAMETER(DeviceObject);
UNREFERENCED_PARAMETER(Irp);
PKEVENT event = (PKEVENT)Context;
KeSetEvent(event, 0, FALSE);
return STATUS_MORE_PROCESSING_REQUIRED;
}
NTSTATUS DispatchPnp(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
UNREFERENCED_PARAMETER(DeviceObject);
PDEVICE_OBJECT lowerDevice = ((PDEVICE_EXTENSION)myKbdDevice->DeviceExtension)->LowerDevice;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(Irp);
KEVENT event;
switch (IrpStack->MinorFunction) {
case(IRP_MN_START_DEVICE):
IoCopyCurrentIrpStackLocationToNext(Irp);
KeInitializeEvent(&event, NotificationEvent, FALSE);
IoSetCompletionRoutine(Irp, (PIO_COMPLETION_ROUTINE)CompletionRoutine, &event, TRUE, TRUE, TRUE);
status = IofCallDriver(lowerDevice, Irp);
if (status == STATUS_PENDING) {
KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
break;
case(IRP_MN_SURPRISE_REMOVAL):
IoSkipCurrentIrpStackLocation(Irp);
status = IofCallDriver(lowerDevice, Irp);
break;
case(IRP_MN_REMOVE_DEVICE):
Irp->IoStatus.Status = STATUS_SUCCESS;
IoSkipCurrentIrpStackLocation(Irp);
IoCallDriver(lowerDevice, Irp);
IoDetachDevice(lowerDevice);
IoDeleteDevice(myKbdDevice);
break;
default:
IoSkipCurrentIrpStackLocation(Irp);
IoCallDriver(lowerDevice, Irp);
break;
}
return status;
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
UNREFERENCED_PARAMETER(RegistryPath);
x = 400;
y = 400;
NTSTATUS status = STATUS_UNSUCCESSFUL;
DriverObject->DriverUnload = Unload;
for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction[i] = DispatchPass;
}
DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;
DriverObject->DriverExtension->AddDevice = AttachKeyboardDevice;
DriverObject->MajorFunction[IRP_MJ_PNP] = DispatchPnp;
if (!NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "attaching keyboard device failed\r\n");
return status;
}
else
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "attaching keyboard device succeeds\r\n");
return status;
```Preformatted text
}
the INF file
; githubkbftlr.inf - Keyboard Filter Driver INF (DDK-Style)
[Version]
Signature="$WINDOWS NT$"
Class=Keyboard
ClassGuid={4D36E96B-E325-11CE-BFC1-08002BE10318}
Provider=%ManufacturerName%
DriverVer=05/11/2025,1.0.0.0
CatalogFile=githubkbftlr.cat ; Optional, only needed for signed driver
PnpLockdown=1
[DestinationDirs]
DefaultDestDir = 12
DriverCopyFiles = 12
[SourceDisksNames]
1 = %DiskName%,,,
[SourceDisksFiles]
githubkbftlr.sys = 1
[Manufacturer]
%ManufacturerName%=Standard,NTamd64
[Standard.NTamd64]
%DriverDesc%=InstallSection, *HID_DEVICE_SYSTEM_KEYBOARD
[InstallSection]
CopyFiles = DriverCopyFiles
Include = keyboard.inf
Needs = STANDARD_Inst
[InstallSection.HW]
AddReg = UpperFilterReg
Include = keyboard.inf
Needs = STANDARD_Inst.HW
[InstallSection.Services]
AddService = githubkbftlr, 0x00000002, ServiceInstallSection
Include = keyboard.inf
Needs = STANDARD_Inst.Services
[UpperFilterReg]
HKR, , UpperFilters, 0x00010008, "githubkbftlr"
[ServiceInstallSection]
DisplayName = %DriverDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\githubkbftlr.sys
[DriverCopyFiles]
githubkbftlr.sys
[Strings]
ManufacturerName = "Seraj Corporation"
DriverDesc = "GitHub Keyboard Filter Driver"
DiskName = "GitHub Keyboard Filter Driver Disk"