ourvxd

ourvxd.rar

 A FIRST INTRODUCTION TO VxD

I will introduce you some basic aspects about
the VxD programming (don't you think I have much
more idea than you, this is my first W95 VxD :-)

First you must know that a VxD can do everything
we want, no more Ring3 restrictions, you can
stop completely the system, read or write any
memory address, hook all interrupts or exceptions,
take control of the IO ports, for that reason
I recomend you to reverse a little WinIce so you
could see how these great programmers do it, also
is a good idea study a little VxDMonitor,FileMonitor
and RegMonitor all from Bryce Cogswell and Mark
Russinovich, BTW I have been able to create my
VxD thanks to they sourcers, M$ documentation about
this makes laught.

A VxD has two parts, one is the Initialization Part
of Code that is discardable, so when the VxD has been
loaded and initializated, the memory area of this code
(and it data) is freed, and a locked (permanent) part
that is only released when the VxD is unloaded.

At the initialization you must perform the critical
actions like hooking int,s ,devices, API,s ,etc.

Well no more words and lets see it with an example,
lets try to intercept timing functions of W95 so
we will use it as a TSR for reversing purposes.
I will use Hedit 2.0 because it is a 'small'
program (although 340Kb is a little overbloated)
so everyone could download the program and follow
the example easily. Hedit get the system time and
then compares it with another stored value and
if the system_time is lower than the stored value
a good guy is asummed, so we can tell the program
we are in the year 1088 and then we will be good guys
(quite obvious).

If you read my WinIce essay, you will remember that
W95 uses the Old Int 21h service 2Ah in order to get
the system time, so we will path these service.

Our VxD will check all time requests by hooking the
Int 21h service 2Ah and then will check if the caller
is Hedit gives it a good guy date otherwise lets DOS
give the correct date. Easy is it?

BTW, I have also added a complete service list with
the codes, so you can monitor (or intercept) every
call to a service using next function:

 mov eax,Service_ID
 mov esi,Our_New_Procedure
 VmmCall Hook_Device_Service
 jc Not_Installed
 mov [Real_Proc],esi

Our_New_Proc:
 Do  something
 jmp [Real_Proc]

      THE SOURCE (vxdbody.asm)

.386p
 .xlist
 include vmm.inc
 include vwin32.inc
.list

;===============================================================
;                         S O M E   E Q U =============================

VXDBODYName              EQU     <'VXDBODY VXD      '> ;Must be 16 chars
VXDBODYRev               EQU     00H

VXDBODY_MAJOR_VERSION    EQU     1
VXDBODY_MINOR_VERSION    EQU     0

ErrorCode               EQU 0FFFFFFFFh

;===================================================
;      P U B L I C   D A T A
;======================================================

VXD_LOCKED_DATA_SEG

FLAGS   dd 0
SYS_VM  dd 0
LD      dd 0

VXD_LOCKED_DATA_ENDS

;===================================
;D E V I C E   D E C L A R A T I O N
;===================================

VXD_LOCKED_CODE_SEG

DECLARE_VIRTUAL_DEVICE VXDBODY,  \
        VXDBODY_MAJOR_VERSION,   \
        VXDBODY_MINOR_VERSION,   \
        VXDBODY_Control, ,       \
 UNDEFINED_INIT_ORDER

;=================
;M A I N   C O D E
;=================

public VXDBODY_Control
VXDBODY_Control PROC NEAR

        Control_Dispatch SYS_DYNAMIC_DEVICE_INIT,       VXDBODY_Device_Init
        Control_Dispatch SYS_DYNAMIC_DEVICE_EXIT,       VXDBODY_Device_Exit
        Control_Dispatch W32_DEVICEIOCONTROL,           VXDBODY_ioctl
 clc
 ret

VXDBODY_Control ENDP

Public VXDBODY_ioctl
BeginProc VXDBODY_ioctl

 mov ecx,[esi].dwIoControlCode ; get ioctl code
        cmp     ecx,1
        je      Function1
        cmp     ecx,2
        je      Function2
        jmp     RetSuccess

Function1:
        ;Here everything you want
        ;No more Ring3 limitations
        jmp     RetSuccess

Function2:
        ;Here other function
        ;and so on.
        jmp     RetSuccess

RetSuccess:
        xor     eax, eax     ;return zero = success
 clc
 ret
RetFail:
        mov     eax,ErrorCode
        stc
        ret

EndProc VXDBODY_ioctl

BeginProc Our_Int_Handler

        pushad
        mov     eax,[ebp.Client_EAX]
        cmp     ax,2A00h                ;Get_System_Time DOS function?
        jne     Let_DOS_Work
       
        xor     eax,eax
        mov     FLAGS,eax  ;Must be zero

        VxDCall VWIN32_GetCurrentProcessHandle
        mov     eax,[eax+38h]
        or      al,7
        mov     LD,eax      ;Store the Local Descriptor

        VmmCall Get_Sys_VM_Handle
        mov     SYS_VM,ebx

        VmmCall _SelectorMapFlat

        add     eax,0F2h        ;Now eax points to the caller name
        mov     ebx,[eax]
        cmp     ebx,'ideH'      ;Hedit inverted
        jne     Let_DOS_Work
        mov     bl,[eax+4]
        cmp     bl,'t'
        jne     Let_DOS_Work

        mov     [ebp.Client_AX],1      ;Day of week
        mov     [ebp.Client_CX],1088   ;Year
        mov     [ebp.Client_DX],0101h  ;Day and Month

Is_Hedit:
        popad
        clc     ;consume the interrupt
        ret

Let_DOS_Work:
        popad
    stc   ; don't consume the interrupt
    ret

EndProc Our_Int_Handler

Public VXDBODY_Device_Exit
BeginProc VXDBODY_Device_Exit

        mov     eax, 21h
        mov     esi, OFFSET32 Our_Int_Handler
        VMMCall UnHook_V86_Int_Chain
 clc
 ret

EndProc VXDBODY_Device_Exit

VXD_LOCKED_CODE_ENDS

VXD_ICODE_SEG

BeginProc VXDBODY_Device_Init

        mov     eax, 21h
        mov     esi, OFFSET32 Our_Int_Handler
    VMMCall Hook_V86_Int_Chain
 clc
 ret

EndProc VXDBODY_Device_Init

VXD_ICODE_ENDS

end

  THE DEFINITIONS (vxdbody.def)

VXD VXDBODY DYNAMIC
SEGMENTS
 _LPTEXT  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 _LTEXT  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 _LDATA  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 _TEXT  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 _DATA  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 CONST  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 _TLS  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
 _BSS  CLASS 'LCODE'   PRELOAD NONDISCARDABLE
        _MSGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
        _MSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
        _IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
        _IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
        _ITEXT  CLASS 'ICODE'   DISCARDABLE
 _IDATA  CLASS 'ICODE'   DISCARDABLE
 _PTEXT  CLASS 'PCODE'   NONDISCARDABLE
 _PDATA  CLASS 'PDATA'   NONDISCARDABLE SHARED
 _STEXT  CLASS 'SCODE'   RESIDENT
 _SDATA  CLASS 'SCODE'   RESIDENT
 _DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
 _DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
 _DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
 _16ICODE CLASS '16ICODE' PRELOAD DISCARDABLE
 _RCODE  CLASS 'RCODE'
EXPORTS
        VXDBODY_DDB

  THE MAKEFILE (makefile.   )

OBJECTS = vxdbody.obj

vxdbody.vxd:     $(OBJECTS) vxdbody.def
        LINK.EXE @<<
-VXD -OUT:vxdbody.VXD
-DEF:vxdbody.def
-MERGE:.data=_LDATA -MERGE:.bss=_LDATA -MERGE:_PDATA=_PTEXT
-COMMENT:"vxdbody VXD"
$(OBJECTS)
<<
       
.asm.obj:
        set ML=-coff -DBLD_COFF -DIS_32 -nologo -W3 -Zd -c -Cx -DMASM6 -DINITLOG -DDEBLEVEL=1 -DDEBUG -Fl
 ml -Fo$*.obj $<

vxdbody.obj:     vxdbody.asm

Also I attach a simple programm that opens our vxd and closes it,
and (not implemented yet) sends orders to our vxd.

Soon more (but you must work at your own)

+rcg 1998