Hello guys.
I am coding a new tricky tool using a kernel driver and I want to make my program pop-up when I press a key, just like SoftIce for example.
There are in the windows 2000 DDK an example of a keyboard input filter in ring0, based on a hook, but I wanted to make it different :
I want to know if there are QUICK methods to do it, using ints or direct port access.
If someone could tell me how we can read keyboard input using IN/OUT instructions with 60h and 64h ports, or which interrupt has to be hooked, how do they function ( I think under NT systems it is interrupt 31h )
it would b veeeeeery nice !
Thanks, syn

Hiya,

If you opt to write a keyboard filter, I can give you a few pointers as I've just recently written one.

It is, however, possible to hook the keyboard directly. For details on the keyboard see:

h**p://cs.smith.edu/~thiebaut/ArtOfAssembly/CH20/CH20-2.html

Cheers,
Clandestiny

Hmmm.... I said I wanted to do that under windows 2000. I think the ArtOfAsm link only works under win9x...
I tested it and even when I try different keystrokes, the in al, 60h always return me the same byte. And if it works, it doesn't help me on how to rightly code this...

look at http://www.sysinternals.com/ntw2k/source/ctrl2cap.shtml
also look at http://www.anticracking.sk/EliCZ/import/Build3.rar source code
KeyboardDriver_rpuc and KeyboardDriver_filter directories.

Thanks, I'll see that and check if it is a right solution !
( I think ctrl2cap uses API way to hook, as far as I remember, and that's not my aim )
Thanks anyway !

No, Ctrl2Cap creates a filter driver to intercept the keyboard read IRPs.

-Clandestiny

Clandestiny, you're right, but me too... it wanted to say it uses 'internal' or 'native' api in the filter driver ...
I don't want to use any windows api, even native ones ! I want to directly read my scancodes with the port or by hooking an interrupt, and intercept the key being sure my program is the first to read it, before windows.