ourvxd.rar

?A FIRST INTRODUCTION TO VxD

I will introduce you some basic aspects about
the VxD programming (don't you think I have much
more idea than you, this is my first W95 VxD :-)

First you must know that a VxD can do everything
we want, no more Ring3 restrictions, you can
stop completely the system, read or write any
memory address, hook all interrupts or exceptions,
take control of the IO ports, for that reason
I recomend you to reverse a little WinIce so you
could see how these great programmers do it, also
is a good idea study a little VxDMonitor,FileMonitor
and RegMonitor all from Bryce Cogswell and Mark
Russinovich, BTW I have been able to create my
VxD thanks to they sourcers, M$ documentation about
this makes laught.

A VxD has two parts, one is the Initialization Part
of Code that is discardable, so when the VxD has been
loaded and initializated, the memory area of this code
(and it data) is freed, and a locked (permanent) part
that is only released when the VxD is unloaded.

At the initialization you must perform the critical
actions like hooking int,s ,devices, API,s ,etc.

Well no more words and lets see it with an example,
lets try to intercept timing functions of W95 so
we will use it as a TSR for reversing purposes.
I will use Hedit 2.0 because it is a 'small'
program (although 340Kb is a little overbloated)
so everyone could download the program and follow
the example easily. Hedit get the system time and
then compares it with another stored value and
if the system_time is lower than the stored value
a good guy is asummed, so we can tell the program
we are in the year 1088 and then we will be good guys
(quite obvious).

If you read my WinIce essay, you will remember that
W95 uses the Old Int 21h service 2Ah in order to get
the system time, so we will path these service.

Our VxD will check all time requests by hooking the
Int 21h service 2Ah and then will check if the caller
is Hedit gives it a good guy date otherwise lets DOS
give the correct date. Easy is it?

BTW, I have also added a complete service list with
the codes, so you can monitor (or intercept) every
call to a service using next function:

?mov?eax,Service_ID
?mov?esi,Our_New_Procedure
?VmmCall?Hook_Device_Service
?jc?Not_Installed
?mov?[Real_Proc],esi

Our_New_Proc:
?Do ?something
?jmp?[Real_Proc]

????? THE SOURCE (vxdbody.asm)

.386p
?.xlist
?include?vmm.inc
?include vwin32.inc
.list

;===============================================================
;???????????????????????? S O M E?? E Q U =============================

VXDBODYName????????????? EQU???? <'VXDBODY VXD????? '> ;Must be 16 chars
VXDBODYRev?????????????? EQU???? 00H

VXDBODY_MAJOR_VERSION??? EQU???? 1
VXDBODY_MINOR_VERSION??? EQU???? 0

ErrorCode?????????????? EQU 0FFFFFFFFh

;===================================================
; ???? P U B L I C?? D A T A
;======================================================

VXD_LOCKED_DATA_SEG

FLAGS?? dd 0
SYS_VM? dd 0
LD????? dd 0

VXD_LOCKED_DATA_ENDS

;===================================
;D E V I C E?? D E C L A R A T I O N
;===================================

VXD_LOCKED_CODE_SEG

DECLARE_VIRTUAL_DEVICE VXDBODY,? \
??????? VXDBODY_MAJOR_VERSION,?? \
??????? VXDBODY_MINOR_VERSION,?? \
??????? VXDBODY_Control, ,?????? \
?UNDEFINED_INIT_ORDER

;=================
;M A I N?? C O D E
;=================

public VXDBODY_Control
VXDBODY_Control PROC NEAR

??????? Control_Dispatch SYS_DYNAMIC_DEVICE_INIT,?????? VXDBODY_Device_Init
??????? Control_Dispatch SYS_DYNAMIC_DEVICE_EXIT,?????? VXDBODY_Device_Exit
??????? Control_Dispatch W32_DEVICEIOCONTROL,?????????? VXDBODY_ioctl
?clc
?ret

VXDBODY_Control ENDP

Public VXDBODY_ioctl
BeginProc VXDBODY_ioctl

?mov?ecx,[esi].dwIoControlCode?; get ioctl code
??????? cmp???? ecx,1
??????? je????? Function1
??????? cmp???? ecx,2
??????? je????? Function2
??????? jmp???? RetSuccess

Function1:
??????? ;Here everything you want
??????? ;No more Ring3 limitations
??????? jmp???? RetSuccess

Function2:
??????? ;Here other function
??????? ;and so on.
??????? jmp???? RetSuccess

RetSuccess:
??????? xor???? eax, eax???? ;return zero = success
?clc
?ret
RetFail:
??????? mov???? eax,ErrorCode
??????? stc
??????? ret

EndProc VXDBODY_ioctl

BeginProc Our_Int_Handler

??????? pushad
??????? mov???? eax,[ebp.Client_EAX]
??????? cmp???? ax,2A00h??????????????? ;Get_System_Time DOS function?
??????? jne???? Let_DOS_Work
???????
??????? xor???? eax,eax
??????? mov???? FLAGS,eax??;Must be zero

??????? VxDCall VWIN32_GetCurrentProcessHandle
??????? mov???? eax,[eax+38h]
??????? or????? al,7
??????? mov???? LD,eax??? ??;Store the Local Descriptor

??????? VmmCall Get_Sys_VM_Handle
??????? mov???? SYS_VM,ebx

??????? VmmCall _SelectorMapFlat

??????? add???? eax,0F2h??????? ;Now eax points to the caller name
??????? mov???? ebx,[eax]
??????? cmp???? ebx,'ideH'????? ;Hedit inverted
??????? jne???? Let_DOS_Work
??????? mov???? bl,[eax+4]
??????? cmp???? bl,'t'
??????? jne???? Let_DOS_Work

??????? mov???? [ebp.Client_AX],1????? ;Day of week
??????? mov???? [ebp.Client_CX],1088?? ;Year
??????? mov???? [ebp.Client_DX],0101h? ;Day and Month

Is_Hedit:
??????? popad
??????? clc???? ;consume the interrupt
??????? ret

Let_DOS_Work:
??????? popad
?? ?stc?? ; don't consume the interrupt
?? ?ret

EndProc Our_Int_Handler

Public VXDBODY_Device_Exit
BeginProc VXDBODY_Device_Exit

??????? mov???? eax, 21h
??????? mov???? esi, OFFSET32 Our_Int_Handler
??????? VMMCall UnHook_V86_Int_Chain
?clc
?ret

EndProc VXDBODY_Device_Exit

VXD_LOCKED_CODE_ENDS

VXD_ICODE_SEG

BeginProc VXDBODY_Device_Init

??????? mov???? eax, 21h
??????? mov???? esi, OFFSET32 Our_Int_Handler
?? ?VMMCall Hook_V86_Int_Chain
?clc
?ret

EndProc VXDBODY_Device_Init

VXD_ICODE_ENDS

end

??THE DEFINITIONS (vxdbody.def)

VXD VXDBODY DYNAMIC
SEGMENTS
?_LPTEXT??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?_LTEXT??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?_LDATA??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?_TEXT??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?_DATA??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?CONST??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?_TLS??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
?_BSS??CLASS 'LCODE'?? PRELOAD NONDISCARDABLE
??????? _MSGTABLE?CLASS 'MCODE'?PRELOAD NONDISCARDABLE IOPL
??????? _MSGDATA?CLASS 'MCODE'?PRELOAD NONDISCARDABLE IOPL
??????? _IMSGTABLE?CLASS 'MCODE'?PRELOAD DISCARDABLE IOPL
??????? _IMSGDATA?CLASS 'MCODE'?PRELOAD DISCARDABLE IOPL
??????? _ITEXT??CLASS 'ICODE'?? DISCARDABLE
?_IDATA??CLASS 'ICODE'?? DISCARDABLE
?_PTEXT??CLASS 'PCODE'?? NONDISCARDABLE
?_PDATA??CLASS 'PDATA'?? NONDISCARDABLE SHARED
?_STEXT??CLASS 'SCODE'?? RESIDENT
?_SDATA??CLASS 'SCODE'?? RESIDENT
?_DBOSTART?CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
?_DBOCODE?CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
?_DBODATA?CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
?_16ICODE?CLASS '16ICODE' PRELOAD DISCARDABLE
?_RCODE??CLASS 'RCODE'
EXPORTS
??????? VXDBODY_DDB

??THE MAKEFILE (makefile.?? )

OBJECTS = vxdbody.obj

vxdbody.vxd:???? $(OBJECTS) vxdbody.def
??????? LINK.EXE @<<
-VXD -OUT:vxdbody.VXD
-DEF:vxdbody.def
-MERGE:.data=_LDATA -MERGE:.bss=_LDATA -MERGE:_PDATA=_PTEXT
-COMMENT:"vxdbody VXD"
$(OBJECTS)
<<
???????
.asm.obj:
??????? set ML=-coff -DBLD_COFF -DIS_32 -nologo -W3 -Zd -c -Cx -DMASM6 -DINITLOG -DDEBLEVEL=1 -DDEBUG -Fl
?ml -Fo$*.obj $<

vxdbody.obj:???? vxdbody.asm

Also I attach a simple programm that opens our vxd and closes it,
and (not implemented yet) sends orders to our vxd.

Soon more (but you must work at your own)

+rcg 1998