VxD Programming Tutorial

VxD Programming Tutorial
Author: tbsoft

--------------------------------------------------------------------------------

I. Windows 95 DDK Installation

To install Windows 95 DDK, you generally need to install the Win32 SDK first, Because Windows 95 DDK requires the Win32 SDK's 16-bit resource compiler, but the Win32 SDK is very large (the capacity of the entire disc ), in addition, it is hard to purchase in China, and FTP sites are also rare. Even if there is, download is also very difficult. After a period of exploration, I found several simple ways to install Windows 95 DDK. The method is described as follows:
Method 1: Use a third-party resource compiler
1. Modify the Registry to simulate the situation where the Win32 SDK has been installed.
Create a registry file named win32sdk. Reg with the following content:

Regedit4

[HKEY_USERS/. Default/software/Microsoft/win32sdk]

[HKEY_USERS/. Default/software/Microsoft/win32sdk/directories]
"Install dir" = "C: // mstools"

Double-click the file in resource manager to add the content in the file to the Registry. You can install Windows 95 DDK.
2. Run the setup. EXE file in Windows 95 DDK and install Windows 95 DDK to C:/DDK.
3. Install MASM 6.11 to C:/masm611. After installation, overwrite the files in the masm611c directory of the uninstalled Windows 95 DDK to C:/masm611/bin.
4. Install visual c ++ 5.0 (4.0 is acceptable, but not 6.0) to C:/program files/devstudio/VC.
5. Create the C:/mstools/binw16 directory and copy the resource compiler. Windows 95 DDK requires a resource compiler that can compile Win32 resource source files into 16-bit resources. If Win32 SDK is available, you can directly copy the files in the binw16 directory to C:/mstools/binw16. If Win32 SDK is not available, you can use third-party resources to compile
Here, the Borland resource compiler is used as an example:
Prepare a set of Turbo MASM 5.0, decompress the unzip line. Pak file with the unpak tool, and find the following three files:

BRC. exe
Brcc32.exe
Rw32core. dll

Copy the three files to C:/mstools/binw16 and rename BRC. EXE to RC. EXE.
6. Modify config. sys to increase the environment variable space.
Add a line at the end of the config. SYS file:

Shell = C:/Windows/command. com/E: 8192/P

7, enter the Windows 95 MS-DOS mode, initialize the compiling environment (it is best to create a batch file ):

C:/masm611/binr/NEW-VARS.BAT
C:/DDK/ddkinit. Bat 32 Base
(The driver and parameters of the compiled device are different)
C:/program files/devstudio/VC/bin/vcvars32.bat

You can use Windows 95 DDK. You can ignore the warning during connection. Method 2: Use Windows 98 DDK full version Windows 98 DDK (about 30 m) including Windows 95 DDK, full SDK compiler and MASM 6.11c assembler, the installation method is very simple: install Windows 98 DDK and Visual C ++ 5.0, and then run "Check Build Environment" (compile the device driver with debugging information) or "Free Build Environment" (compile the device driver of the officially released version.

2. A VxD that intercepts Windows 95/98 File Operations

VxD -- virtual device driver, as its name implies, VxD is used to control hardware devices. Why is it a VxD that intercepts Windows 95/98 file operations? In fact, VxD can be used not only to control hardware devices, because VxD works on the Ring 0 privileged level (highest privileged level) in 80386 protection mode, generally, applications work on the Ring 3 privilege level (the lowest privilege level). Therefore, VxD can complete many functions that cannot be completed by APIs, for example, port read/write, physical memory read/write, interrupt call, and API Interception. Because of this, VxD is widely used in Windows programming. In fact, we generally consider writing Vxd to solve problems when Windows APIs cannot be solved or are difficult to solve. The VxD that intercepts Windows 95/98 file operations can be used to intercept all file operations in Windows 95/98 (Windows NT does not support VxD). What is the purpose of this VxD? The biggest possible use is virus firewall, which is used to filter file operations, and can perform dynamic virus detection and dynamic antivirus. The VxD principle is basically the same as that of the popular CIH virus. (In fact, if you want to ask why I want to write such a VxD, it is because I am the moderator of the virus version)
The name of the VxD is filehook. VxD. The source code (filehook. ASM) is as follows:

; Filehook. VxD -- intercepts VxD for Windows 95/98 File Operations

. 386 P

. Xlist

Include vmm. inc
Include vwin32.inc
Include shell. inc

MASM = 1

Include ifs. inc
Include ifsmgr. inc

. List

; VxD Declaration

Declare_virtual_device
Filehook, 1, 0, vxd_control, undefined_device_id ,,,

; Protection mode data segment

Vxd_data_seg
Prev_file_system_api_hook dd 0
In_file_system_api_hook db 0
Message1 dB 'open file! ', 0
Caption1 dB 'filehook', 0
Vxd_data_ends

; Protection mode code segment

Vxd_code_seg

; System Control Process

Beginproc vxd_control
Control_dispatch sys_dynamic_device_init, vxd_device_init
Control_dispatch sys_dynamic_device_exit, vxd_device_exit
Control_dispatch w32_deviceiocontrol, vxd_ioctl
CLC
RET
Endproc vxd_control

IOCTL control (device I/O Control) Process

Beginproc vxd_ioctl
; Get the deviceiocontrol code
MoV ECx, [ESI. dwiocontrolcode]
CMP ECx, 1
JZ install_file_system_api_hook
CMP ECx, 2
JZ uninstall_file_system_api_hook
JMP vxd_ioctl_exit

Install the file system API hook

Install_file_system_api_hook:
MoV eax, offset32 file_system_api_hook
Vxdcall ifsmgr_installfilesystemapihook
Or eax, eax
JZ error_handler
; Save the API hook address of the previous File System
MoV prev_file_system_api_hook, eax
JMP vxd_ioctl_exit

; Remove the file system API hook

Uninstall_file_system_api_hook:
MoV eax, offset32 file_system_api_hook
Vxdcall ifsmgr_removefilesystemapihook
CMP eax, 0 ffffffffh
JZ error_handler
JMP vxd_ioctl_exit

IOCTL control process ends

Vxd_ioctl_exit:
XOR eax, eax
CLC
RET

; Error handling

Error_handler:
MoV eax, 0 ffffffffh
STC
RET
Endproc vxd_ioctl

; Vxd_device_exit Process

Beginproc vxd_device_exit
CLC
RET
Endproc vxd_device_exit

; File system API hook process (C language call method)

Beginproc file_system_api_hook, cCall
Argvar fsdfnaddr, DWORD
Argvar functionnum, DWORD
Argvar drive, DWORD
Argvar resourceflags, DWORD
Argvar codePage, DWORD
Argvar Pir, DWORD
Enterproc
Pushad
; Prevent re-entry
CMP byte PTR in_file_system_api_hook, 00 h
Jnz prev_hook
; Is it true to open a file?
Cmp dword ptr functionnum, ifsfn_open
Jnz prev_hook
; Set the reimport flag
INC byte PTR in_file_system_api_hook
; Get the current VM handle
Vmmcall get_cur_vm_handle
; Display message box
MoV eax, mb_iconasterisk + mb_ OK
MoV ECx, offset32 message1
MoV EDI, offset32 caption1
MoV ESI, 0
MoV edX, 0
Vxdcall shell_message
; Cancel re-entry mark
Dec byte PTR in_file_system_api_hook

; Go to the API hook address of the previous File System

Prev_hook:
Popad
Leaveproc
MoV eax, prev_file_system_api_hook
JMP [eax]
Return
Endproc file_system_api_hook

Vxd_code_ends

; Protection Mode Initialization code segment

Vxd_icode_seg

; Vxd_device_init Process

Beginproc vxd_device_init
CLC
RET
Endproc vxd_device_init

Vxd_icode_ends

End

The VxD processes three system control messages in the device control process (vxd_control process), namely sys_dynamic_device_init (Dynamic VxD initialization) and sys_dynamic_device_exit (Dynamic VxD exit) and w32_deviceiocontrol (device I/O Control). The corresponding message processing processes are vxd_device_init, vxd_device_exit, and vxd_ioctl. In the vxd_device_init process and vxd_device_exit process, only the carry mark is cleared and returned (indicating success). The vxd_ioctl process is an interface for communications between Windows 95/98 applications and VxD, which completes the installation and removal of file system API hooks, [ESI. dwiocontrolcode] indicates the device I/O control code. When the control code is 1, the file system API hook is installed, and when the control code is 2, the file system API hook is removed. File_system_api_hook is the file system API hook process. As a simple instance, the hook process determines whether a file is opened. If yes, a simple message box is displayed, then jump to the previous file hook (equivalent to the old file system API portal ). If you need to expand the function, you can add code in this process. To assemble and connect VxD, a module definition file and an nmake file are required (you can also manually assemble and connect to VxD ). Both files can be directly modified using the module definition file and the nmake file in the generic instance in DDK. The module definition file (filehook. Def) is as follows:

VxD filehook dynamic

Description 'file system API hook program'

Segments
_ Lptext class 'lcode' preload nondiscardable
_ Ltext class 'lcode' preload nondiscardable
_ Ldata class 'lcode' preload nondiscardable
_ Text class 'lcode' preload nondiscardable
_ DATA class 'lcode' preload nondiscardable
Const class 'lcode' preload nondiscardable
_ TLS class 'lcode' preload nondiscardable
_ BSS class 'lcode' preload nondiscardable
_ Lmsgtable class 'mcode' preload nondiscardable iopl
_ Lmsgdata class 'mcode' preload nondiscardable iopl
_ Imsgtable class 'mcode' preload discardable iopl
_ Imsgdata class 'mcode' preload discardable iopl
_ Itext class 'decode' discardable
_ Idata class 'decode' discardable
_ Ptext class 'pcode' nondiscardable
_ Pmsgtable class 'mcode' nondiscardable iopl
_ Pmsgdata class 'mcode' nondiscardable iopl
_ Pdata class 'pdata' nondiscardable shared
_ Stext class 'scode' resident
_ Sdata class 'scode' resident
_ Dbostart class 'dbocode' preload nondiscardable conforming
_ Dbocode class 'dbocode' preload nondiscardable conforming
_ Dbodata class 'dbocode' preload nondiscardable conforming
_ 16 icode class '16code' preload discardable
_ RCODE class 'rcode'

Exports
Filehook_ddb @ 1

The nmake file is as follows:

! Ifdef master_make
Build_bits = 32
Build_type = base
! Include $ (ddkroot)/master. mk
! Endif

Name = filehook

# Supply the location of a 16-bit linker

Link =

# Definitions for the debug level

! Ifdef debug
Ddebug =-ddeblevel = 1-ddebug
! Else
Ddebug =-ddeblevel = 0
! Endif

# Definitions for MASM 6 extends er

ASM = ML
Aflags =-coff-dbld_coff-dis_32-W2-C-cx-ZM-dmasm6 $ (ddebug)
Asmenv = ML
Lflags =/VxD/nod

# MASM 6 only inference rules

. ASM. OBJ:
Set $ (asmenv) = $ (aflags)
$ (ASM)-fo $ *. OBJ $ <

ALL: $ (name). VxD

Objs = filehook. OBJ

Filehook. OBJ: filehook. ASM

$ (Name). VxD: $ (name). Def $ (objs)
Link @ <$ (name). lnk
$ (Lflags)
/Out: $ (name). VxD
/Map: $ (name). Map
/DEF: $ (name). Def
$ (Objs)
<
Mapsym-s-o $ (name). sym $ (name). Map

Clean:
-@ Del *. OBJ
-@ Del *. VxD
-@ Del *. Exp
-@ Del *. Lib
-@ Del *. Map
-@ Del *. sym

With these two files, run nmake to assemble and connect VxD.

3. Communication between Windows 95/98 applications and VxD

For communications between Windows 95/98 applications and VxD, The deviceiocontrol function is generally used,
Here is an example source code (fhtest. c) as follows:

// Intercept the Windows 95/98 File Operation Test Program

# Include
# Include "tchar. H"

# Define install_file_system_api_hook 1
# Define uninstall_file_system_api_hook 2

Static tchar szappname [] = _ T ("fhtest ");
Static tchar szapptitle [] = _ T ("intercept Windows 95/98 file operation test program ");
Static handle hdevice;

Lresult callback wndproc (hwnd, uint message, wparam
Wparam, lparam );

Int winapi winmain (hinstance, hinstance
Hprevinstance, lpstr lpcmdline, int ncmdshow)
{
Hwnd;
Wndclassex wcex;
MSG;
// This program cannot be run in Windows NT
If (getversion () <0 x80000000)
{
MessageBox (null, _ T ("this program cannot be run in Windows NT!
"), Szapptitle, mb_iconinformation | mb_ OK );
Return false;
}
If (! Hprevinstance)
{
Wcex. cbsize = sizeof (wndclassex );
Wcex. Style = cs_hredraw | cs_vredraw;
Wcex. lpfnwndproc = wndproc;
Wcex. cbclsextra = 0;
Wcex. cbwndextra = 0;
Wcex. hinstance = hinstance;
Wcex. hicon = loadicon (hinstance, idi_application );
Wcex. hcursor = loadcursor (null, idc_arrow );
Wcex. hbrbackground = (hbrush) (color_window + 1 );
Wcex. lpszmenuname = NULL;
Wcex. lpszclassname = szappname;
Wcex. hiconsm = loadicon (hinstance, idi_application );
If (! Registerclassex (& wcex) return false;
}
Hwnd = createwindow (szappname, szapptitle, ws_overlappedwindow, cw_usedefault,
0, 0, hinstance, null );
If (! Hwnd) return false;
Showwindow (hwnd, ncmdshow );
Updatewindow (hwnd );
While (getmessage (& MSG, 0, 0 ))
{
Translatemessage (& MSG );
Dispatchmessage (& MSG );
}
Return msg. wparam;
}

Lresult callback wndproc (hwnd, uint message, wparam, lparam)
{
HDC;
Paintstruct pS;
Dword cb;
Bool bresult;
Switch (Message)
{
Case wm_create:

Hdevice = createfile ("//. // filehook. VxD", 0, 0, null, 0, file_flag_delete_on_close, null );
If (hdevice! = Invalid_handle_value)
{

Bresult = deviceiocontrol (hdevice, install_file_system_api_hook, null, 0, null, 0, & CB, 0 );
If (bresult) MessageBox (hwnd, _ T ("file system API hook installed successfully! "), Szapptitle, mb_iconinformation | mb_ OK );
Else MessageBox (hwnd, _ T ("file system API hook cannot be installed! "), Szapptitle, mb_iconinformation | mb_ OK );
}
Else
{
MessageBox (hwnd, _ T ("filehook. VxD cannot be opened!
"), Szapptitle, mb_iconinformation | mb_ OK );
}
Break;
Case wm_paint:
HDC = beginpaint (hwnd, & PS );
Endpaint (hwnd, & PS );
Break;
Case wm_destroy:
If (hdevice! = Invalid_handle_value)
{

Bresult = deviceiocontrol (hdevice, uninstall_file_system_api_hook, null, 0, null, 0, & CB, 0 );
If (bresult) MessageBox (hwnd, _ T ("file system API hook Removal
Successful! "), Szapptitle, mb_iconinformation | mb_ OK );
Else MessageBox (hwnd, _ T ("the file system API hook cannot be removed!
"), Szapptitle, mb_iconinformation | mb_ OK );
Closehandle (hdevice );
}
Else
{
MessageBox (hwnd, _ T ("filehook. VxD cannot be opened! "), Szapptitle, mb_iconinformation | mb_ OK );
}
Postquitmessage (0 );
Break;
Default:
Return defwindowproc (hwnd, message, wparam, lparam );
}
Return 0;
}

This program uses the createfile function to dynamically load VxD, then uses the deviceiocontrol function to send the device I/O control code to VxD, install and remove the file system API hook, and finally uses the closehandle function to dynamically remove VxD. When running this program, if the file system API hook is successfully installed, "file system API hook is successfully installed!" is displayed !" In the message box. Then, as long as you open the file, "Open File!" is displayed !" Message box. When you exit the program, if the file API hook is successfully removed, "file API hook is successfully removed !" .

Iv. Summary

The above example demonstrates a complete method to intercept VxD of the Windows 95/98 file system API and The VxD communication between Windows 95/98 applications. The VxD can be used as a basic framework and can be used for virus, firewall, and other software with slight modifications. In fact, VxD functions are far more than that. Taking full advantage of VxD functions, You can compile many advanced applications that cannot be compiled using APIs. This tutorial is just a simple VxD programming example. Due to the limitations of the level of the author, the time is relatively small, and the writing is relatively simple. Please forgive me. You are also welcome to discuss it. For more information about the vmm, VxD, and API functions used in this tutorial, see the relevant manual or help.