hkx3upper edited this page Sep 18, 2022 · 12 revisions

KARLANN

A kernel-mode keylogger for Windows x86/x64.

Foreword:

Karlann is a Windows kernel keylogger. The PoC driver obtains keyboard scancodes by intercepting the IRPs that WIN32K sends to KBDClass, converts each scancode to a character, and sends that character to the server over UDP.

Description:

Demo:

Get the keyboard input of notepad.exe

Theory:

[Diagram: Karlann]

1.hKeyboard->FileObject->DeviceObject in Win32k.sys is replaced with the DeviceObject of Poc.sys, 
so the Poc driver can intercept every IRP that WIN32K sends to KBDClass to read keyboard input.  
2.The key problem is how to obtain the FileObject, which ZwReadFile stores in Irp->IrpSp->FileObject. 
Kbdclass queues the IRP into its linked list when there is no pending keyboard input. 
That linked list lives in the DeviceExtension of Kbdclass.sys and is reached at a fixed offset. 
Once we have the list head, KeyboardClassDequeueRead yields the IRP and therefore the FileObject.  
3.FileObject->DeviceObject is restored in the IoCancelIrp routine PocCancelOperation when the keyboard is removed.  
4.The libwsk library, ported from C++ to C, is used to send the characters over UDP.  
5.Function-key mapping is added in Kbd.c->PocConfigureKeyMapping.
6.Supports Windows 7 x86 - Windows 10 x86.

Undocumented structures and functions (kbdclass.sys):

DeviceExtension->RemoveLock(DeviceExtension + REMOVE_LOCK_OFFET_DE)
DeviceExtension->SpinLock(DeviceExtension + SPIN_LOCK_OFFSET_DE)  
DeviceExtension->ReadQueue(DeviceExtension + READ_QUEUE_OFFSET_DE)  
kbdclass!KeyboardClassDequeueRead (reimplemented in the Poc driver)  

Build & Installation:

1.It is recommended to run on Windows 7 x86/x64 6.1 (7601) SP1 through Windows 10 x86/x64 21H1 (19043.1889).

System version                   0903        0905        0906
Windows 7   x64 6.1(7601) SP1                            PASS
Windows 8   x64 6.2(9200)        NOTESTED    PASS        PASS
Windows 8.1 x64 6.3(9600)        PASS        NOTESTED    NT
Windows 10  x64 1511(10586.164)  PASS        PASS        PASS
Windows 10  x64 1607(14393.447)  PASS        PASS        PASS
Windows 10  x64 1703(15063.0)    PASS        PASS        NT
Windows 10  x64 1709(16299.15)   PASS        PASS        PASS
Windows 10  x64 1809(17763.2928) PASS        PASS        PASS
Windows 10  x64 21H1(19043.1889) PASS        PASS        PASS

Windows 7   x86 6.1(7601) SP1                            PASS
Windows 10  x86 1909(18363.592)                          PASS

2.Set POC_IP_ADDRESS and POC_UDP_PORT in global.h, set Project->Properties->Driver Settings->Target OS Version to the corresponding version, and use Visual Studio 2019 to compile the Release x86/x64 Poc driver.

The driver cannot be built in the Debug configuration, 
because the IO_REMOVE_LOCK struct has different definitions under Debug and Release.

3.Enable test-signing mode on the system: run cmd as an administrator, enter bcdedit /set testsigning on, and restart the computer.
4.Driver log output (optional)

Find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\.
Create a new key named Debug Print Filter under it, create a new DWORD value "default" under that key with the hexadecimal value 0xF, and then restart the computer.
Run DebugView as administrator and enable `Capture->Capture Kernel` to display the driver log.

5.Use OSRLoader to load the driver.
6.Use SocketTest to listen on the port set in global.h.
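Steps 3 to 5 above describe the host state this PoC needs: test-signing mode, an optional Debug Print Filter key, and a test-signed driver loaded with OSRLoader. The script below is an added defender-side audit, not part of the Karlann project, that checks a Windows host for exactly those preconditions. It assumes an elevated PowerShell 5.1 prompt; the function names are my own. Catalog-signed third-party drivers can also appear in the driver listing, so treat that list as a review queue rather than a verdict.

```powershell
# Added example (not part of Karlann): audit a host for the preconditions the
# PoC installation steps require. Run from an elevated PowerShell prompt.

function Test-TestSigningEnabled {
    # bcdedit only prints a "testsigning Yes" line for the boot entry when the
    # option is on; its absence means test-signing is off.
    $out = & bcdedit /enum '{current}' 2>$null
    return [bool]($out | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

function Get-DebugPrintFilter {
    # Returns the DEFAULT DWORD of the Debug Print Filter key (step 4), or $null
    # when the key does not exist. 0xF is the value the steps above set.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DEFAULT
}

function Resolve-DriverImagePath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a file path.
    $p = $PathName
    if ($p -match '^\\\?\?\\(.*)$')        { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^System32\\')           { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-NonMicrosoftRunningDrivers {
    # Running kernel drivers whose image is not validly signed by Microsoft.
    # A test-signed PoC driver loaded via OSRLoader shows a non-Valid status here.
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = Resolve-DriverImagePath $_.PathName
            if (-not $path -or -not (Test-Path $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $signer
            }
        } |
        Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
}

function Invoke-KernelPreconditionAudit {
    # One object summarising the three checks; anything non-default is worth a look.
    [pscustomobject]@{
        TestSigningEnabled = Test-TestSigningEnabled
        DebugPrintFilter   = Get-DebugPrintFilter
        SuspectDrivers     = @(Get-NonMicrosoftRunningDrivers)
    }
}

$audit = Invoke-KernelPreconditionAudit
$audit | Format-List
$audit.SuspectDrivers | Format-Table -AutoSize
```

On a clean workstation the expected result is TestSigningEnabled False, DebugPrintFilter empty, and no rows in SuspectDrivers; a host prepared per steps 3 to 5 flips the first two and lists the loaded PoC driver with a non-Valid signature status.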

License:

Karlann, and all its submodules and repos, unless a license is otherwise specified, are licensed under the GPLv3 LICENSE.
Dependencies are licensed under their own terms.

Warning:

For educational purposes only; use at your own risk.
Running this program may leave your computer in an unstable state.

References:

https://github.com/Aekras1a/Labs/tree/master/Labs/WinDDK/7600.16385.1/src/input/kbdclass
https://github.com/ZoloZiak/WinNT4/tree/master/private/ntos/dd/kbdclass
https://github.com/ZoloZiak/WinNT4/tree/master/private/ntos/dd/i8042prt
https://github.com/reactos/reactos/tree/master/drivers/hid/kbdhid
https://github.com/ZoloZiak/WinNT4/tree/master/private/ntos/w32/ntuser/kernel
https://github.com/HighSchoolSoftwareClub/Windows-Research-Kernel-WRK-
https://download.microsoft.com/download/1/6/1/161ba512-40e2-4cc9-843a-923143f3456c/translate.pdf
https://github.com/ParkHanbum/HypervisorKeylogger
https://github.com/minglinchen/WinKernelDev/tree/master/Kb_sniff_Mp
https://github.com/MiroKaku/libwsk
https://github.com/akshath/SocketTest