Background process of Windows 9x

Source: Internet
Author: User
Time added: 01-1-6 04:47:20 pm

 

Huang Fei, Software Center, Shante company, Xianxia Road, Shanghai

---- 1. Background Process

---- Windows NT has a powerful Service Manager that manages background processes implementing important functions such as FTP, HTTP, RAS and network messaging. These background processes are called services. They can be loaded at system startup and run at a higher priority; it can be said that they are device drivers very close to the core of the system. In Windows 95, Microsoft does not provide such a highly centralized manager. However, the pview tool provided with VC shows that there are also hidden background processes behind the desktop, such as javasray, power management, etc.; these are in fact background processes managed by Windows 95. Instead of a Service Manager, Windows 95 provides a simple registration interface, and a process registered through it can be called a service under Windows 95 (strictly speaking, though, there are no services in Windows 95). Through this registration interface we can make our program start running as the system starts and stop only when the system shuts down, so that it works together with the operating system to implement many special functions. In my actual work, I carefully analyzed the Windows 95 interface and found that it is equally effective in Windows 97 and the latest Windows 98. Through this mechanism, unattended monitoring under Windows 95 and 98 was successfully implemented. The following are the analysis results and some background knowledge about this interface.

---- 2. Introduction to the process database (PDB)

---- Among the core data structures of Windows there is an important process management structure called the process database (PDB), which is located in the shared memory heap of Kernel32. A pointer to this structure can be obtained with GetCurrentProcessId(...). The following is part of the PDB layout; the part that matters here is the service flag byte at PDB offset 21h. From the pseudocode analysis, we can clearly see that registering a process as a service under Windows 95 or Windows 98 does nothing more than set the flag byte in its PDB to 1.

Offset  Length  Name               Description
==============================================================
+00h    DWORD   Type               // Kernel32 object type
+04h    DWORD   cReference         // reference count
+08h    DWORD   un1                // unknown
+0Ch    DWORD   pSomeEvent         // pointer to a K32OBJ_EVENT
+10h    DWORD   TerminationStatus  // activity flag or return value
+14h    DWORD   un2                // unknown
...
+21h    BYTE    Flags1             // service flag:
                                   // "1" is a service process,
                                   // "0" is a common process
...
+24h    DWORD   pPSP               // DOS PSP pointer
...
==============================================================
---- 3. The service interface

---- (1) The simple service interface provided by Windows 95 is a 32-bit API: RegisterServiceProcess. The VC++ online help does not give a real explanation of this API. The following is the pseudocode of this API in kernel32.dll of Windows 95, obtained by reverse analysis. We can clearly see what Windows 95 does internally, and that it is in fact very simple.

BOOL RegisterServiceProcess(DWORD dwProcessId, DWORD dwType)
{
    HANDLE dwPid;
    if (dwProcessId == NULL)
        dwPid = dwCurrentProcessId;   // Get global Kernel32 variable
    else
        // Call some kernel functions
        if ((dwPid = CheckPID(dwProcessId)) == NULL)
            return FALSE;
    if (dwType == 1)
    {
        // Set the service flag bit in the PDB
        *((BYTE *)dwPid + 0x21) |= 0x01;
        return TRUE;
    }
    if (dwType == 0)
    {
        // Clear the service flag bit in the PDB
        *((BYTE *)dwPid + 0x21) &= 0xFE;
        return TRUE;
    }
    return FALSE;
}
The prototype of the function is as follows:

BOOL RegisterServiceProcess(DWORD dwPid, DWORD dwType)

Parameters:   dwPid:  process ID. NULL indicates the current process.
              dwType: RSP_SIMPLE_SERVICE registers the process
                      RSP_UNREGISTER_SERVICE cancels the registration
Return value: TRUE:  the call succeeded.
              FALSE: the call failed.

---- (2) In addition, so that the service process runs after boot, Windows 95 provides a loading method in the registry: add the command line of your application as a value under the key "My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", and it will be loaded automatically. If this key does not exist on the machine, you can create it yourself.
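
---- Since every value under this key is started at boot, it is also the place to look when reviewing what is registered to run as a service process. The following added example (not code from the original article) is a portable C parser that lists the string values under RunServices from a REGEDIT4 text export; the function names and the sample export are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Key named in the article; registry key names compare case-insensitively. */
#define RUNSERVICES "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]"
static int ieq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Copy the quoted string at p into out, undoing \\ and \" escapes. Returns a
   pointer past the closing quote, or NULL if p is not a complete quoted string. */
static const char *unquote(const char *p, char *out, size_t cap)
{
    size_t n = 0;
    if (*p++ != '"') return NULL;
    for (; *p && *p != '"'; p++) {
        if (*p == '\\' && p[1]) p++;   /* escaped character: take it literally */
        if (n + 1 < cap) out[n++] = *p;
    }
    out[n] = '\0';
    return *p == '"' ? p + 1 : NULL;
}

/* Collect "name=command" for each string value under RunServices; other keys,
   default (@) values and non-string data are skipped. Returns the count stored. */
int list_runservices(const char *text, char out[][160], int max)
{
    char line[256], name[64], data[90];
    int in_key = 0, found = 0;
    while (*text) {
        size_t len = strcspn(text, "\r\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len + strspn(text + len, "\r\n");
        if (line[0] == '[') { in_key = ieq(line, RUNSERVICES); continue; }
        const char *p = in_key ? unquote(line, name, sizeof name) : NULL;
        if (p && *p == '=' && unquote(p + 1, data, sizeof data) && found < max)
            snprintf(out[found++], 160, "%s=%s", name, data);
    }
    return found;
}

/* Constructed sample export, not taken from a real machine. */
const char SAMPLE_REG[] = "REGEDIT4\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"SystemTray\"=\"SysTray.Exe\"\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]\r\n\"service\"=\"C:\\\\SAMPLE\\\\SERVICE.EXE\"\r\n";
```

Each returned entry is a program that starts with the system, so any entry that cannot be accounted for deserves a closer look.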

---- 4. Example

---- The following is an example. All of the code has been tested on Windows 95 and Windows 98 beta 3. You can add it to your project.

---- Header file:

// File: service.h
// The header file of "service.cpp"
// Note: 1. You must use a C++ compiler
//       2. The platform is Win32 (WinNT & Win95)

#ifndef _SERVICE_H
#define _SERVICE_H

#include <windows.h>
#include <tchar.h>

/////////////////////////////////////
// Used for Win95 service
// Macros
#define RSP_SIMPLE_SERVICE     1
#define RSP_UNREGISTER_SERVICE 0

// Function type for GetProcAddress
#define REGISTERSERVICEPROCESS_PROFILE \
    (DWORD (__stdcall *)(DWORD, DWORD))

// Service functions in Win95
BOOL W95ServiceRegister(DWORD dwType);
BOOL W95StartService(DWORD dwType);

#endif

---- CPP file:

// File: service.cpp --- implements the service

#include "service.h"

/////////////////////////////////////
// Used for Win95 service

---- Service registration routine:

/////////////////////////////////////////
// Define: BOOL W95ServiceRegister(DWORD dwType)
// Parameters: dwType --- flag, register or unregister the service
//             RSP_SIMPLE_SERVICE means register
//             RSP_UNREGISTER_SERVICE means unregister
// Return: TRUE --- call succeeded; FALSE --- call failed

BOOL W95ServiceRegister(DWORD dwType)
{
    // Function address definition
    DWORD (__stdcall *hookRegisterServiceProcess)
        (DWORD dwProcessId, DWORD dwType);

    // Get the address of the function.
    // GetProcAddress takes an ANSI name, so TEXT() must not be used here.
    hookRegisterServiceProcess =
        REGISTERSERVICEPROCESS_PROFILE
        GetProcAddress(GetModuleHandle(TEXT("KERNEL32")),
                       "RegisterServiceProcess");

    // The export does not exist on Windows NT
    if (hookRegisterServiceProcess == NULL)
        return FALSE;

    // Register the Win95 service
    if (hookRegisterServiceProcess(0, dwType) == 0)
        return FALSE;
    return TRUE;
}

---- Routine that adds the program to the registry:

#define SERVICE_NAME TEXT("service")
// Define: BOOL W95StartService(DWORD dwType)
// Parameters: dwType --- flag, register or unregister the service
//             RSP_SIMPLE_SERVICE means register
//             RSP_UNREGISTER_SERVICE means unregister
// Return: TRUE --- call succeeded; FALSE --- call failed

BOOL W95StartService(DWORD dwType)
{
    // Local variables
    TCHAR  lpszBuff[256];
    LPTSTR lpszStr  = lpszBuff + 128;
    LPTSTR lpszName = lpszBuff;
    HKEY   hKey = NULL;
    DWORD  dwStrCb = 0;
    DWORD  dwValueType = 0;

    // Get the current command line and strip the surrounding quotes
    lpszName = GetCommandLine();
    for (int i = (int)_tcslen(lpszName) - 1; i >= 0; i--)
    {
        if ((lpszName[i] != '"') && (lpszName[i] != ' '))
            break;
        else if (lpszName[i] == '"')
            lpszName[i] = '\0';
    }
    if (lpszName[0] == '"')
        lpszName = lpszName + 1;

    // Register as a startup service
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
            TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"),
            0,
            KEY_QUERY_VALUE | KEY_SET_VALUE,
            &hKey) != ERROR_SUCCESS)
    {
        // The key does not exist yet: create it
        if (RegCreateKey(HKEY_LOCAL_MACHINE,
                TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"),
                &hKey) != ERROR_SUCCESS)
        {
            // DebugOut("RegCreateKey() error!");
            return FALSE;
        }
    }

    dwValueType = REG_SZ;
    dwStrCb = 128 * sizeof(TCHAR);   // size of the lpszStr area, in bytes

    // Take the value
    if (RegQueryValueEx(hKey,
            SERVICE_NAME,
            0,
            &dwValueType,
            (LPBYTE)lpszStr,
            &dwStrCb) == ERROR_SUCCESS)
    {
        // Found this key value
        if (_tcscmp(lpszStr, lpszName) == 0)
        {
            // Remove the service
            if (dwType == RSP_UNREGISTER_SERVICE)
            {
                if (RegDeleteValue(hKey, SERVICE_NAME) == ERROR_SUCCESS)
                {
                    RegCloseKey(hKey);
                    return TRUE;
                }
                RegCloseKey(hKey);
                return FALSE;
            }
            // The service already exists
            if (dwType == RSP_SIMPLE_SERVICE)
            {
                // DebugOut("already registered!");
                RegCloseKey(hKey);
                return TRUE;
            }
        }
        // Not found
    } // No such value

    // Unregister: nothing to remove, return
    if (dwType == RSP_UNREGISTER_SERVICE)
    {
        RegCloseKey(hKey);
        return TRUE;
    }

    // No such value, so create it
    if (dwType == RSP_SIMPLE_SERVICE)
    {
        // Length of the string including the terminating NUL, in bytes
        dwStrCb = (DWORD)((_tcslen(lpszName) + 1) * sizeof(TCHAR));

        // Set the value
        if (RegSetValueEx(hKey,
                SERVICE_NAME,
                0,
                REG_SZ,
                (const BYTE *)lpszName,
                dwStrCb) != ERROR_SUCCESS)
        {
            // DebugOut("RegSetValueEx() error!");
            RegCloseKey(hKey);
            return FALSE;
        }
        RegCloseKey(hKey);
        return TRUE;
    }

    // Unknown type
    RegCloseKey(hKey);
    return FALSE;
}

---- Main program:

// The WinMain function is the entry point of this program
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    // Set the service flag first, then add the program to RunServices
    if (W95ServiceRegister(RSP_SIMPLE_SERVICE))
    {
        W95StartService(RSP_SIMPLE_SERVICE);
    }

    MessageBox(NULL, TEXT("Sample Service"), TEXT("service"), MB_OK);
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    UNREFERENCED_PARAMETER(nCmdShow);
    UNREFERENCED_PARAMETER(hPrevInstance);
    return 0;
}

---- Run this program. After the MessageBox pops up, log off from Windows to the logon state. You will see that the MessageBox remains open until it is answered or the system shuts down. Therefore, to create a system-level background process in Windows 95, you do not have to write a VxD, which can easily destabilize the system. I think the method described in this article is more convenient and effective when the hardware part permits.
