Assembly Tutorial: Client Register Structure

Source: Internet
Author: User
Tags: execution

In this tutorial we will learn about another important structure, the client register structure. Throughout this article, V86 refers to virtual 8086 mode. Download the example program here.


VxDs are very different from normal win32/win16/DOS applications. Most of the time, while the other applications are running normally, a VxD is dormant. It works like a supervisor: its role is to monitor ring-3 applications and correct them when they do something wrong. A typical sequence of events looks like this:

1. An interrupt occurs.

2. The VMM gets control.

3. The VMM saves the register set of the interrupted program.

4. The VMM services the interrupt, or invokes other VxDs to do the work.

5. The VMM returns control to the interrupted program.

The interesting point in the sequence above is that the VMM has only one way to affect the interrupted application: modifying the stored register image. For example, if the VMM decides that the interrupted program should resume at a different address, it modifies the CS:IP value in the stored register image; when the program is rescheduled, it begins executing at the new CS:IP.

The VMM saves the register values at the point of interruption in the client register structure:

Client_reg_struc STRUC
    Client_edi        DD ?
    Client_esi        DD ?
    Client_ebp        DD ?
    Client_res0       DD ?
    Client_ebx        DD ?
    Client_edx        DD ?
    Client_ecx        DD ?
    Client_eax        DD ?
    Client_error      DD ?
    Client_eip        DD ?
    Client_cs         DW ?
    Client_res1       DW ?
    Client_eflags     DD ?
    Client_esp        DD ?
    Client_ss         DW ?
    Client_res2       DW ?
    Client_es         DW ?
    Client_res3       DW ?
    Client_ds         DW ?
    Client_res4       DW ?
    Client_fs         DW ?
    Client_res5       DW ?
    Client_gs         DW ?
    Client_res6       DW ?
    Client_alt_eip    DD ?
    Client_alt_cs     DW ?
    Client_res7       DW ?
    Client_alt_eflags DD ?
    Client_alt_esp    DD ?
    Client_alt_ss     DW ?
    Client_res8       DW ?
    Client_alt_es     DW ?
    Client_res9       DW ?
    Client_alt_ds     DW ?
    Client_res10      DW ?
    Client_alt_fs     DW ?
    Client_res11      DW ?
    Client_alt_gs     DW ?
    Client_res12      DW ?
Client_reg_struc ENDS

You can see that this structure is divided into two parts: Client_xxx and Client_alt_xxx. Note that a given VM may have two execution threads: a V86-mode thread and a protected-mode thread. When the V86 program is running and an interrupt occurs, Client_xxx contains the register image of the V86 program and Client_alt_xxx contains the register image of the protected-mode program. Conversely, when the protected-mode program is running and an interrupt occurs, Client_xxx contains the register image of the protected-mode program and Client_alt_xxx contains the register image of the V86 program. The Client_resx fields are reserved padding and are not used.

After looking at this structure, you may have a question: how do you change a byte-sized register, such as AL? The structure above only describes the word- and doubleword-sized registers. Don't worry, there are two additional structures for exactly this purpose: Client_word_reg_struc and Client_byte_reg_struc. If you want to access a register in word or byte size, cast the Client_reg_struc pointer to Client_word_reg_struc or Client_byte_reg_struc as needed; all three structures describe the same block of memory.

Next question: How do we get a pointer to the client register structure?

This is quite simple: in general, when the VMM calls our VxD, the address of the client register structure of the current VM is already in EBP. Alternatively, you can obtain this pointer from the handle of the VM. Remember that a VM handle is the linear address of the VM control block:

cb_s STRUC
    CB_VM_Status      DD ?
    CB_High_Linear    DD ?
    CB_Client_Pointer DD ?
    CB_VMID           DD ?
    CB_Signature      DD ?
cb_s ENDS

CB_Client_Pointer contains the pointer to the client register structure of that VM. For example, you can use the code below to get the pointer to the client register structure of the current VM:

VMMcall Get_Cur_VM_Handle          ; returns the current VM handle in EBX
assume ebx:ptr cb_s
mov ebp, [ebx+CB_Client_Pointer]   ; EBP = pointer to the client register structure

Now that we know the client register structure, we can start working with it. We will use the client register structure to pass a register set to a DOS interrupt, namely int 21h, function 02h (display character). This DOS service expects the character to display in DL. If we send the bell character (07h) to this service, a beep is produced through the PC speaker.

Remember that int 21h is a DOS service, so it is available in V86 mode. How do we call a V86 interrupt from a VxD? One approach is the Exec_Int service. This VMM service takes the number of the interrupt to invoke in EAX, simulates that interrupt in the VM, and then returns to the caller. However, it must be invoked inside a nested execution block, which is bracketed by Begin_Nest_V86_Exec (or Begin_Nest_Exec) and End_Nest_Exec. So, to call int 21h function 02h, we set Client_ah and Client_dl of the Client_byte_reg_struc structure inside the nested execution block, put the value 21h in EAX, and, when everything is ready, call Exec_Int.
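Putting the pieces together, the following is an added example (not the tutorial's downloadable program) of a dynamically loadable VxD whose SYS_DYNAMIC_DEVICE_INIT handler performs the int 21h/02h beep described above. It assumes the standard vmm.inc macros (DECLARE_VIRTUAL_DEVICE, Begin_control_dispatch, BeginProc, Push_Client_State/Pop_Client_State); BEEPVXD is a constructed device name.

```asm
.386p
include vmm.inc

; Dynamically loadable VxD; BEEPVXD is a constructed device name.
DECLARE_VIRTUAL_DEVICE BEEPVXD, 1, 0, BEEPVXD_Control, UNDEFINED_DEVICE_ID, UNDEFINED_INIT_ORDER

Begin_control_dispatch BEEPVXD
    Control_Dispatch SYS_DYNAMIC_DEVICE_INIT, OnSysDynamicDeviceInit
    Control_Dispatch SYS_DYNAMIC_DEVICE_EXIT, OnSysDynamicDeviceExit
End_control_dispatch BEEPVXD

VxD_PAGEABLE_CODE_SEG

BeginProc OnSysDynamicDeviceInit
    ; 1. Locate the client register structure of the current VM.
    VMMcall Get_Cur_VM_Handle            ; EBX = VM handle (linear address of the control block)
    assume ebx:ptr cb_s
    mov ebp, [ebx].CB_Client_Pointer     ; EBP -> Client_Reg_Struc of the current VM
    assume ebp:ptr Client_Byte_Reg_Struc ; view the same memory as byte-sized registers

    ; 2. Save the interrupted program's register image, so the values written
    ;    below are not left behind in the program that was running when the VMM took over.
    Push_Client_State

    ; 3. Open a nested execution block; Exec_Int may only be called inside one.
    VMMcall Begin_Nest_V86_Exec

    ; 4. Fill in the register image that the V86-mode int 21h handler will see.
    mov [ebp].Client_ah, 02h             ; DOS function 02h: display character
    mov [ebp].Client_dl, 07h             ; BEL (07h) sounds the PC speaker

    ; 5. Simulate int 21h in the VM; EAX carries the interrupt number.
    mov eax, 21h
    VMMcall Exec_Int

    ; 6. Close the nested block and restore the original register image.
    VMMcall End_Nest_Exec
    Pop_Client_State

    clc                                  ; carry clear = initialization succeeded
    ret
EndProc OnSysDynamicDeviceInit

BeginProc OnSysDynamicDeviceExit
    clc                                  ; nothing to release; allow the unload
    ret
EndProc OnSysDynamicDeviceExit

VxD_PAGEABLE_CODE_ENDS

end
```

Because a VxD runs at ring 0, the Push_Client_State/Pop_Client_State pair is what keeps the modified register image from being observed by the client program; every write to the image outside such a pair directly alters the state the interrupted program resumes with.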
