技術(shù)原理

何為符號鏈接?符號鏈接是一個別名,可以指向任意一個有名字的對象.

ZwCreateFile 不但可以打開文件,也可以打開設(shè)備對象(返回類似文件句柄的句柄)

何為PDO?字面意思是物理設(shè)備,PDO是設(shè)備棧最下面的那個設(shè)備對象

windows從擊鍵到內(nèi)核

csrss.exe進(jìn)程,他有一個線程是 win32!RawInputThread ,線程通過 GUID 來獲得鍵盤設(shè)備棧的 PDO 符號鏈接名

應(yīng)用程序一般不能直接根據(jù)設(shè)備名打開設(shè)備,一般都通過符號鏈接名來打開.

win32!RawInputThread -> win32!OpenDevice -> ZwCreateFile 完成打開設(shè)備,并得到句柄

ZwCreateFile -> NtCreateFile -> nt!IopParseDevice -> nt!IoGetAttachedDevice 通過 PDO 獲得鍵盤設(shè)備棧最頂端的設(shè)備對象

用得到的這個設(shè)備對象 偏移 30 的棧大小作為參數(shù) -> IoAllocateTrp 創(chuàng)建 IRP -> nt!ObCreateObject 創(chuàng)建文件對象,初始化這個文件對象

偏移 4 將 設(shè)備對象指針 賦值為 鍵盤設(shè)備棧的 PDO -> nt!IopfCallDriver 將 IRP 發(fā)往驅(qū)動,讓驅(qū)動進(jìn)行相應(yīng)的處理 --> 一系列返回

nt!ObOpenObjectByName -> nt!ObpCreateHandle 在進(jìn)程 csrss.exe 的句柄表創(chuàng)建一個新的句柄,這個句柄對應(yīng)的對象就是剛才創(chuàng)建并初始化的文件對象

文件對象中的DeviceObject 指向鍵盤設(shè)備棧的PDO

win32!RawInputThread 獲得句柄后 -> nt!ZwReadFile 向鍵盤驅(qū)動要求讀入數(shù)據(jù) ,會創(chuàng)建一個 IRP_MJ_READ 的請求發(fā)給鍵盤驅(qū)動告訴鍵盤驅(qū)動要求讀入數(shù)據(jù)

鍵盤驅(qū)動通常會使這個IRP未決,等待. 即請求不會給滿足,等待來自鍵盤的數(shù)據(jù). 發(fā)出這個請求的線程也會等待.等待讀操作完成.

當(dāng)鍵盤被按下時,將觸發(fā)鍵盤中斷,引起中斷服務(wù)例程執(zhí)行.鍵盤中斷服務(wù)例程由鍵盤驅(qū)動提供.

鍵盤驅(qū)動從端口讀取掃描碼,結(jié)果處理后把從鍵盤得到的數(shù)據(jù)交給 IRP ,最后結(jié)束這個請求.IRP結(jié)束將使 win32!RawInputThread 等待線程等待結(jié)束

win32!RawInputThread 對得到的數(shù)據(jù)做出處理并分發(fā)給合適的進(jìn)程.

一旦數(shù)據(jù)處理完后,會立刻再調(diào)用 nt!ZwReadFile 要求讀入數(shù)據(jù),等待鍵盤上的鍵被按下,如此循環(huán).

一般的PS/2鍵盤的設(shè)備棧,如果沒有另外安裝其他鍵盤過濾程序,那么設(shè)備棧的情況是:

最頂層的設(shè)備對象是驅(qū)動 KbdClass 生成的<--我們綁定的是這個

中間層的設(shè)備對象是驅(qū)動 i8042prt 生成的

最底層的設(shè)備對象是驅(qū)動 ACPI 生成的

鍵盤硬件原理

鍵盤和CPU的交互方式是中斷和讀取端口,這個操作是串行的.發(fā)生一次中斷,等于鍵盤給CPU一個通知,這個通知只能通知一個事件,某個鍵被按下,或者彈起來.

CPU只接收通知并讀取端口的掃描碼,從不主動去"查看"任何鍵.為此,一個鍵實(shí)際需要兩個掃描碼,一個表示按下,一個表示彈起.

CPU一次只能讀取到端口中的一個字節(jié),如果掃描碼是兩個字節(jié)的,則會發(fā)生兩次中斷,CPU會先后讀取掃描碼的兩個字節(jié).

注意,在這種機(jī)制下同時按下兩個鍵之類的事情是不可能發(fā)生的.無論如何按鍵,信息傳遞都是一次一個字節(jié)串行進(jìn)行的.

鍵盤的過濾

要過濾一種設(shè)備,首先要綁定它,徐亞哦找到所有代表鍵盤的設(shè)備.從之前的原理來看,可以認(rèn)定的是,如果綁定了驅(qū)動 KbdClass的所有設(shè)備對象.那么代表鍵盤的設(shè)備一定在其中.可以從驅(qū)動對象設(shè)備鏈字節(jié)讀取驅(qū)動對象下面的 DeviceObject域(第二章).

另一種獲取驅(qū)動下的所有設(shè)備對象的分發(fā)是調(diào)用函數(shù) IoEnumerateDeviceObjectList ,這個函數(shù)可以枚舉出一個驅(qū)動下的所有設(shè)備.

設(shè)備擴(kuò)展,專門定義的一個結(jié)構(gòu)

typedef struct _C2P_DEV_EXT{

//這個結(jié)構(gòu)的大小

ULONG NodeSize;

//過濾設(shè)備對象

PDEVICE_OBJECT pFilterDeviceObject;

//同時調(diào)用時的保護(hù)鎖

KSPIN_LOCK IoRequestsSpinLock;

//進(jìn)程間同步處理

KEVENT IoInProgressEvent;

//綁定時的設(shè)備對象

PDEVICE_OBJECT TargetDeviceObject;

//綁定前底層設(shè)備對象

PDEVICE_OBJECT LowerDeviceObject;

}C2P_DEV_EXT, *PC2P_DEV_EXT;

鍵盤過濾模塊的動態(tài)卸載

和串口過濾模塊稍有不同,這是因?yàn)殒I盤總是處在"有一個讀請求沒有完成"的狀態(tài),計算等待5秒這個請求也未必會完成(如果沒有按鍵盤的話),這樣如果卸載了過濾驅(qū)動,那么下一次按鍵,這個請求就被處理,很可能馬上藍(lán)屏崩潰.

不完全的代碼:

#include

//鍵盤過濾驅(qū)動

//IoDriverObjectType 是全局變量,但是頭文件中沒有,所以在這里聲明

extern POBJECT_TYPE *IoDriverObjectType;

//KbdClass 驅(qū)動的名字

#define KBD_DRIVER_NAME L"\\Driver\\Kbdclass"

//ObReferenceObjectByName 未導(dǎo)出文檔,先聲明

NTSTATUS ObReferenceObjectByName(

PUNICODE_STRING ObjectName,

ULONG Attributes,

PACCESS_STATE AccessState,

ACCESS_MASK DesiredAccess,

POBJECT_TYPE ObjectType,

KPROCESSOR_MODE AccessMode,

PVOID ParseContext,

PVOID *Object

);

//全局變量

ULONG gC2pKeyCount = 0;

PDRIVER_OBJECT gDriverObject = NULL;

//設(shè)備擴(kuò)展, 專門定義的一個結(jié)構(gòu)

typedef struct _C2P_DEV_EXT{

//這個結(jié)構(gòu)的大小

ULONG NodeSize;

//過濾設(shè)備對象

PDEVICE_OBJECT pFilterDeviceObject;

//同時調(diào)用時的保護(hù)鎖

KSPIN_LOCK IoRequestsSpinLock;

//進(jìn)程間同步處理

KEVENT IoInProgressEvent;

//綁定時的設(shè)備對象

PDEVICE_OBJECT TargetDeviceObject;

//綁定前底層設(shè)備對象

PDEVICE_OBJECT LowerDeviceObject;

}C2P_DEV_EXT, *PC2P_DEV_EXT;

void c2pUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS c2pDispatchGeneral(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pDispatchRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pPower(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pPnP(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS c2pReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context);

NTSTATUS c2pAttachDevices(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

NTSTATUS c2pDevExtInit(IN PC2P_DEV_EXT devExt, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PDEVICE_OBJECT pLowerDeviceObject);

//驅(qū)動入口

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){

ULONG i;

NTSTATUS status;

KdPrint(("misaka: entering driverentry\n"));

//填寫所有的分發(fā)函數(shù)指針

for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++){

DriverObject->MajorFunction[i] = c2pDispatchGeneral;

DbgPrint("misaka: test %d..\r\n",i);

}

//單獨(dú)填寫一個讀分發(fā)函數(shù),因?yàn)橹匾氖亲x取按鍵的信息,其他都不重要

DriverObject->MajorFunction[IRP_MJ_READ] = c2pDispatchRead;

//單獨(dú)填寫一個 IRP_MJ_POWER 函數(shù),這是因?yàn)檫@類請求中間要調(diào)用一個 PoCallDriver 和 PoStartNextPowerIrp 比較特殊

DriverObject->MajorFunction[IRP_MJ_POWER] = c2pPower;

//我們想知道什么時候綁定過的設(shè)備被卸載了(比如從機(jī)器上拔掉),專門寫一個 PNP(即插即用)分發(fā)函數(shù)

DriverObject->MajorFunction[IRP_MJ_PNP] = c2pPnP;

//卸載函數(shù)

DriverObject->DriverUnload = c2pUnload;

//綁定所有的鍵盤設(shè)備

status = c2pAttachDevices(DriverObject, RegistryPath);

return status;

}

//卸載函數(shù)

#define ?DELAY_ONE_MICROSECOND ?(-10)

#define ?DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)

#define ?DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)

void c2pUnload(IN PDRIVER_OBJECT DriverObject){

PDEVICE_OBJECT DeviceObject;

PDEVICE_OBJECT OldDeviceObject;

PC2P_DEV_EXT devExt;

LARGE_INTEGER lDelay;

PRKTHREAD CurrentThread;

lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND);

CurrentThread = KeGetCurrentThread();

//把當(dāng)前線程設(shè)置為低實(shí)時模式,以便盡可能少的影響其他程序

KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);

UNREFERENCED_PARAMETER(DriverObject);

KdPrint(("misaka: driverentry unloading...\n"));

//遍歷所有設(shè)備并一律解除綁定,刪除所有的設(shè)備

DeviceObject = DriverObject->DeviceObject;

while (DeviceObject){

PC2P_DEV_EXT devExt;

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

//只解除綁定

IoDetachDevice(devExt->TargetDeviceObject);

devExt->TargetDeviceObject = NULL;

DbgPrint("misaka: detach finished\r\n");

DeviceObject = DeviceObject->NextDevice;

}

DbgPrint("misaka: ------------------------------------ %d.\r\n", gC2pKeyCount);

//gC2pKeyCount全局變量,等待請求完成才卸載

while (gC2pKeyCount){

KeDelayExecutionThread(KernelMode, FALSE, &lDelay);

}

//這個是產(chǎn)出驅(qū)動對象的,但是好像沒有效果,只要停止驅(qū)動之后就不能再次啟動了.可能是驅(qū)動沒有卸載干凈

//但是如果照著教程寫的話,如果停止直接藍(lán)屏...

//目前的情況是在win7 64位系統(tǒng)中啟動驅(qū)動后可以獲取按鍵消息...

//IoDeleteDevice(pDeviceObject);

//devExt->pFilterDeviceObject = NULL;

//DbgPrint("misaka: detach finished\r\n");

DbgPrint("misaka: bye ,driver unload successfully.\r\n");

return;

}

//鍵盤請求的處理 - 通常處理 - 直接跳過,發(fā)送到真實(shí)設(shè)備對象上

NTSTATUS c2pDispatchGeneral(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

KdPrint(("misaka: other diapatch!\n"));

IoSkipCurrentIrpStackLocation(Irp);

return IoCallDriver(((PC2P_DEV_EXT)DeviceObject->DeviceExtension)->LowerDeviceObject, Irp);

}

//鍵盤請求的處理 - 讀請求

NTSTATUS c2pDispatchRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

NTSTATUS status = STATUS_SUCCESS;

PC2P_DEV_EXT devExt;

PIO_STACK_LOCATION currentIrpStack;

KEVENT waitEvent;

KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);

if (Irp->CurrentLocation == 1){

ULONG ReturnedInformation = 0;

KdPrint(("misaka: dispatch encountered bogus current location\n"));

status = STATUS_INVALID_DEVICE_REQUEST;

Irp->IoStatus.Status = status;

Irp->IoStatus.Information = ReturnedInformation;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return (status);

}

//全局變量計數(shù)器+1

gC2pKeyCount++;

//得到設(shè)備擴(kuò)展,獲得下一個設(shè)備的指針

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

//設(shè)置回掉函數(shù)并把IRP傳遞下去,讀處理結(jié)束,等待讀請求完成

currentIrpStack = IoGetCurrentIrpStackLocation(Irp);

IoCopyCurrentIrpStackLocationToNext(Irp);

IoSetCompletionRoutine(Irp, c2pReadComplete, DeviceObject, TRUE, TRUE, TRUE);

DbgPrint("read : number = %d\r\n", gC2pKeyCount);

return IoCallDriver(devExt->LowerDeviceObject, Irp);

}

//鍵盤請求的處理 - 電源相關(guān)請求

NTSTATUS c2pPower(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

KdPrint(("misaka: Power\n"));

PC2P_DEV_EXT devExt;

devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

PoStartNextPowerIrp(Irp);

IoSkipCurrentIrpStackLocation(Irp);

return PoCallDriver(devExt->LowerDeviceObject, Irp);

}

//鍵盤請求的處理 - 檔設(shè)備被拔出時,解除綁定,并刪除過濾設(shè)備

NTSTATUS c2pPnP(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){

PC2P_DEV_EXT devExt;

PIO_STACK_LOCATION irpStack;

NTSTATUS status = STATUS_SUCCESS;

KIRQL oldIrql;

KEVENT event;

//獲得真實(shí)設(shè)備

devExt = (PC2P_DEV_EXT)(DeviceObject->DeviceExtension);

irpStack = IoGetCurrentIrpStackLocation(Irp);

switch (irpStack->MinorFunction){

case IRP_MN_REMOVE_DEVICE:

KdPrint(("misaka: IRP_MN_REMOVE_DEVICE\n"));

//先把請求下發(fā)

IoSkipCurrentIrpStackLocation(Irp);

IoCallDriver(devExt->LowerDeviceObject, Irp);

//然后解除綁定

IoDetachDevice(devExt->LowerDeviceObject);

//刪除生成的虛擬設(shè)備

IoDeleteDevice(DeviceObject);

status = STATUS_SUCCESS;

break;

default:

//其他類型的IRP,全部直接下發(fā)

IoSkipCurrentIrpStackLocation(Irp);

status = IoCallDriver(devExt->LowerDeviceObject, Irp);

}

return status;

}

//讀請求完成后的回掉函數(shù)

NTSTATUS c2pReadComplete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context){

PIO_STACK_LOCATION IrpSp;

ULONG buf_len = 0;

PUCHAR buf = NULL;

size_t i;

IrpSp = IoGetCurrentIrpStackLocation(Irp);

//如果請求成功執(zhí)行(如果失敗則沒有獲取的意義了)

if (NT_SUCCESS(Irp->IoStatus.Status)){

//獲得讀請求完成后的輸出緩沖區(qū)

buf = Irp->AssociatedIrp.SystemBuffer;

//獲得這個緩沖區(qū)的長度,一般來說,不管返回值有多長都保存在 Information 中

buf_len = (ULONG)Irp->IoStatus.Information;

//這里可以進(jìn)一步處理,這里只是簡單的打印出所有的掃描碼

for (i = 0; i < buf_len; ++i){

DbgPrint("misaka: read %2x\r\n", buf[i]);

}

}

gC2pKeyCount--;

if (Irp->PendingReturned){

IoMarkIrpPending(Irp);

}

DbgPrint("call : number = %d\r\n", gC2pKeyCount);

return Irp->IoStatus.Status;

}

//打開驅(qū)動對象 KbdClass,綁定其下的所有設(shè)備

NTSTATUS c2pAttachDevices(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){

NTSTATUS status = 0;

UNICODE_STRING uniNtNameString;

PC2P_DEV_EXT devExt;

PDEVICE_OBJECT pFilterDeviceObject = NULL;

PDEVICE_OBJECT pTargetDeviceObject = NULL;

PDEVICE_OBJECT pLowerDeviceObject = NULL;

PDRIVER_OBJECT KbdDriverObject = NULL;

KdPrint(("misaka:my attach\n"));

//初始化字符串,就是KbdClass驅(qū)動的名字

RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);

//打開驅(qū)動對象

status = ObReferenceObjectByName(

&uniNtNameString,

OBJ_CASE_INSENSITIVE,

NULL,

0,

*IoDriverObjectType,

KernelMode,

NULL,

(PVOID*)&KbdDriverObject

);

//如果打開失敗直接返回

if (!NT_SUCCESS(status)){

KdPrint(("misaka:couldn't get the device object\n"));

return (status);

} else{

//調(diào)用 ObReferenceObjectByName 對導(dǎo)致對驅(qū)動對象的引用計數(shù)增加,這里進(jìn)行解引用

//改: 應(yīng)該是打開設(shè)備對象的指針,而不是驅(qū)動對象

ObDereferenceObject(KbdDriverObject);

DbgPrint("misaka: open filter driver ok\r\n");

}

//設(shè)備鏈中的第一個設(shè)備

pTargetDeviceObject = KbdDriverObject->DeviceObject;

//遍歷設(shè)備鏈

while (pTargetDeviceObject){

//生成一個過濾設(shè)備,也就是對所有設(shè)備創(chuàng)建過濾設(shè)備

status = IoCreateDevice(

IN DriverObject,

IN sizeof(PC2P_DEV_EXT),

IN NULL,

IN pTargetDeviceObject->DeviceType,

IN pTargetDeviceObject->Characteristics,

IN FALSE,

OUT &pFilterDeviceObject

);

//如果創(chuàng)建過濾設(shè)備失敗,直接退出

if (!NT_SUCCESS(status)){

KdPrint(("misaka: couldn't create the filter device object\n"));

return (status);

}

DbgPrint("misaka: create filter driver ok\r\n");

//綁定 pLowerDeviceObject 是綁定之后得到的下一個設(shè)備(真實(shí)的設(shè)備)

pLowerDeviceObject = IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject);

//如果綁定失敗則放棄之前的操作,退出

if (!pLowerDeviceObject){

KdPrint(("misaka: couldn't attach to device object\n"));

IoDeleteDevice(pFilterDeviceObject);

pFilterDeviceObject = NULL;

return (status);

}

DbgPrint("misaka: attach filter driver ok\r\n");

//設(shè)備擴(kuò)展

devExt = (PC2P_DEV_EXT)(pFilterDeviceObject->DeviceExtension);

c2pDevExtInit(

devExt,

pFilterDeviceObject,

pTargetDeviceObject,

pLowerDeviceObject

);

//

pFilterDeviceObject->DeviceType = pLowerDeviceObject->DeviceType;

pFilterDeviceObject->Characteristics = pLowerDeviceObject->Characteristics;

pFilterDeviceObject->StackSize = pLowerDeviceObject->StackSize + 1;

pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);

//移動到下一個設(shè)備,繼續(xù)遍歷

pTargetDeviceObject = pTargetDeviceObject->NextDevice;

}

return status;

}

//c2p驅(qū)動擴(kuò)展設(shè)置函數(shù)

NTSTATUS c2pDevExtInit(IN PC2P_DEV_EXT devExt, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PDEVICE_OBJECT pLowerDeviceObject){

memset(devExt, 0, sizeof(C2P_DEV_EXT));

devExt->NodeSize = sizeof(C2P_DEV_EXT);

devExt->pFilterDeviceObject = pFilterDeviceObject;

KeInitializeSpinLock(&(devExt->IoRequestsSpinLock));

KeInitializeEvent(&(devExt->IoInProgressEvent), NotificationEvent, FALSE);

devExt->TargetDeviceObject = pTargetDeviceObject;

devExt->LowerDeviceObject = pLowerDeviceObject;

return (STATUS_SUCCESS);

}

misaka: entering driverentry

misaka: test 0..

misaka: test 1..

misaka: test 2..

misaka: test 3..

misaka: test 4..

misaka: test 5..

misaka: test 6..

misaka: test 7..

misaka: test 8..

misaka: test 9..

misaka: test 10..

misaka: test 11..

misaka: test 12..

misaka: test 13..

misaka: test 14..

misaka: test 15..

misaka: test 16..

misaka: test 17..

misaka: test 18..

misaka: test 19..

misaka: test 20..

misaka: test 21..

misaka: test 22..

misaka: test 23..

misaka: test 24..

misaka: test 25..

misaka: test 26..

misaka:my attach

misaka: open filter driver ok

misaka: create filter driver ok

misaka: attach filter driver ok

misaka: create filter driver ok

misaka: attach filter driver ok

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 21

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 22

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 22

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 23

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 23

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 24

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: read ?0

misaka: read ?0

misaka: read 24

misaka: read ?0

misaka: read ?1

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

read : number = 1

misaka: driverentry unloading...

misaka: detach finished

misaka: detach finished

misaka: ------------------------------------ 1.

misaka: read ?0

misaka: read ?0

misaka: read 20

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

misaka: read ?0

call : number = 0

misaka: bye ,driver unload successfully.