Deviceiocontrol interface

zhaozj2021-02-17  42

Deviceiocontrol interface

In this section we will have to learn dynamic VXD, especially how to create, load, and use.

Click here to download the example

VXD interface

VXD provides a total of four interfaces.

l Vxd Services VXD service

l v86 interface v86 interface

l Protected-Mode (PM) Interface protection mode interface

l Win32 DeviceIocontrol Interface Win32 Equipment Input Output Control Interface

We already know the VXD service, the V86 and the protection mode interface are called by the V86 and the protection mode program. Because the V86 and the protected mode program are 16-bit, we cannot use the two interfaces in the Win32 application. In Windows 95, Microsoft adds another interface to Win32 applications so Win32 application can call VXD services: DeviceIOControl interface (device input and output control interface)

Deviceiocontrol interface

Simply put, the DeviceIocontrol interface is a method for calling VXD internal functions for Win32 programs. Don't confuse the DeviceIocontrol interface call function and use the VXD service call function, both methods are different. For example, Deviceiocontrol Function1 may be different from vxd service1. You should give the DeviceIocontrol function as a separate function that only provides for Win32 applications.

In terms of Win32 program:

First use createfile to open / load an VXD. If the call is successful, VXD will create / add to the memory and create the handle of the VXD to Eax.

Then you call the DeviceIocontrolaPi function to select the function you want to run. The DeviceIocontrol function follows the following grammar:

Deviceiocontrol Proto Hdevice: DWORD, /

DWIOCONTROLCODE: DWORD, /

Lpinbuffer: DWORD, /

Ninbuffersize: DWORD, /

LPOUTBUFFER: DWORD, /

NOUTBUFFERSIZE: DWORD, /

LPBYTESRETURNED: DWORD, /

Lpoverlapped: dword

l HDevice is a VXD handle returned from CreateFile.

l DWIOControlCode is used to develop a VXD will be processed. You should get a list of possible dwiocontrolcode values ​​before you want to use it.

l LinBuffer is a buffer address that contains VXD to complete the data set by DWIOControlCode. If this operation does not require data, you can pass it to NULL.

l NINBUFFERSIZE is the size of the address of the buffer pointed to the LPinBuffer.

l LPOUTBUFFER is a buffer to output the output data after the VXD program is successful. If this operation does not have any return values, this value can be null.

l NoutBuffersize is the size of the buffer pointed to the LPOUTBuffer.

l LPBYTESRETURNED is the address of a DWORD type variable. This variable is used to receive the size of the data written in the LPOUTBuffer.

l If you want to set the operation asynchronous, lpoverlapped is a pointer to an Overlapped structure. If you want to wait until the operation is complete, this value is null.

In terms of VXD:

The VXD program must handle the W32_Deviceiocontrol message. When VXD receives the W32_Deviceiocontrol message, its register is as follows: l EBX is the handle of the VM.

l ESI is a pointer to the Diocparams structure. DiocParams contains information transmitted from Win32 program.

DiocParams is defined as follows:

Diocparams Struc

INTERNAL1 DD?

VMHANDLE DD?

INTERNAL2 DD?

DWIOCONTROLCODE DD?

LPVINBUFFER DD?

CBINBUFFER DD?

LPVOUTBUFFER DD?

CBOUTBUFFER DD?

LPCBBYTESRETURNED DD?

LPOOVERLAPPED DD?

HDEVICE DD?

TagProcess DD?

Diocparams Ends

l INTERNAL1 is a pointer to the WIN32 application application user register structure.

l vmhandle virtual machine handle

l INTERNAL2 is a handle of a device description block (DDB).

l DWIOCONTROLCODE, LPVINBUFFER, CBINBUFFER, LPVOTBUFFER, CBOUFFER, LPCBBYTESRETURNED, LPOVERLAPPED are parameters transmitted to the DeviceIocontrol API.

l HDevice is a Ring-3 device handle.

l TagProces is the label of the process.

In the DiocParams structure, there is information from the Win32 application to your VXD from the Win32 application.

Your VXD is at least to handle Dioc_Open (transfer to dwiocontrolcode), that is when the Win32 program calls CreateFile opens your VXD to you vxd. If your VXD is ready, it must return 0 in EAX and CreateFile will succeed. If your VXD is not ready, it must return a non-zero value in the EAS and CreateFile will fail. In addition to Dioc_Open, when the Win32 program turns off this device handle, your VXD will receive DIOC_CloseHandle from VWIN32.

Minimized dynamic VXD framework loaded by CreateFile:

.386p include vmm.inc include vwin32.inc

Declare_virtual_device dynavxd, 1,0, dynavxd_control, / undefined_Device_id, undefined_init_order

Begin_Control_Dispatch Dynavxd Control_Dispatch W32_DeviceioControl, ONDEVICEIOCONTROL END_CONTROL_DISPATCH DYNAVXD

VxD_PAGEABLE_CODE_SEG BeginProc OnDeviceIoControl assume esi: ptr DIOCParams .if [esi] .dwIoControlCode == DIOC_Open xor eax, eax .endif ret EndProc OnDeviceIoControl VxD_PAGEABLE_CODE_ENDS

end

; ------------------------------------------------- -------------------------------------------------- -----------------------------; Module definition file; ---------------- -------------------------------------------------- -------------------------------------------------- ------------- Vxd Dynavxd Dynamic

SEGMENTS _LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE _TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE _TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE _BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE _LMGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL _LMSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL _IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL _IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL _ITEXT CLASS 'ICODE' DISCARDABLE _IDATA CLASS 'ICODE' Discardable _ptext class 'pcode' Nondiscardable _pmsgtable class 'mcode' Nondiscardable Iopl _pmsgdata class 'mcode' Nondiscardable Iopl _pdata class 'pdata' Nondiscard ABLE SHARED _STEXT CLASS 'SCODE' RESIDENT _SDATA CLASS 'SCODE' RESIDENT _DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING _DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING _DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING _16ICODE CLASS '16ICODE' PRELOAD DISCARDABLE _RCODE CLASS 'RCODE' EXPORTS DYNAVXD_DDB @ 1

Complete example:

Below is a source code for the Win32 application of the VXD internal function by calling dynamic VXD and calls the VXD internal function.

Vxdloader.asm

.386 .model flat, stdcall include windows.inc include kernel32.inc includelib kernel32.lib include user32.inc includelib user32.lib.data AppName db "DeviceIoControl", 0 VxDName db "//./shellmsg.vxd",0 Success DB "the vxd is successfully loaded!", 0 Failure DB "The vxd is not loaded!", 0 unload DB "The vxd is now unloaded!", 0 msgtitle db "deviceiocontrol example", 0 msgtext db "I'm Called ! from a VxD ", 0 InBuffer dd offset msgTitle dd offset MsgText .data hVxD dd .code start:?? invoke CreateFile, addr VxDName, 0,0,0,0, FILE_FLAG_DELETE_ON_CLOSE, 0 .if eax = INVALID_HANDLE_VALUE mov hVxD,! eax invoke MessageBox, NULL, addr Success, addr AppName, MB_OK MB_ICONINFORMATION invoke DeviceIoControl, hVxD, 1, addr InBuffer, 8, NULL, NULL, NULL, NULL invoke CloseHandle, hVxD invoke MessageBox, NULL, addr Unload, addr AppName, MB_OK MB_ICONIKMATION .ELSE INVOKE Messagebox, NULL, AddR Failure, Null, MB_OK MB_ICONER Ror .ndif Invoke EXITPROCESS, NULL End Start

The following source code is a dynamic VXD called by vxdloader.asm. Shellmsg.asm

.386p include vmm.inc include vwin32.inc include shell.inc

Declare_virtual_device shellmsg, 1,0, shellmsg_control, / undefined_Device_id, undefined_init_order

Begin_Control_Dispatch shellmsg control_dispatch w32_deviceioControl, ONDEVICEIOCONTROL END_CONTROL_DISPATCH shellmsg

VXD_PAGEABLE_DATA_SEG PTIL DD? PMESSAGE DD? VXD_PAGEABLE_DATA_ENDS

VxD_PAGEABLE_CODE_SEG BeginProc OnDeviceIoControl assume esi: ptr DIOCParams .if [esi] .dwIoControlCode == DIOC_Open xor eax, eax .elseif [esi] .dwIoControlCode == 1 mov edi, [esi] .lpvInBuffer; --------- --------------------------; Copy The Message Title to Buffer; ---------------- ------------------- VMMCall_lstrlen, <[EDI]> Inc Eax Push Eax Vmmcall_heapallocate, Mov Ptitle, Eax Pop Eax Vmmcall_LSTRCPYN, ; -----------------------------------; Copy the Message Text to Buffer ; ----------------------------------- Vmmcall_lstrlen, <[EDI 4]> Inc EAX PUSH EAX VMMCall _HeapAllocate, mov pMessage, eax pop eax VMMCall _lstrcpyn, mov edi, pTitle mov ecx, pMessage mov eax, MB_OK VMMCall Get_Sys_VM_Handle VxD Call shell_sysmodal_message vmmcall _heapfree, ptitle, 0 vmmcall _heapfree, pimentage, 0 xor EAX, EAX .Endif Ret EndProc ONDEVICEIOCONTROL VXD_PAGEABLE_CODE_ENDSEND

analysis:

We start with VxDLoader.asm.

Invoke CreateFile, addrVxDName, 0,0,0,0, FILE_FLAG_DELETE_ON_CLOSE, 0 .if eax! = INVALID_HANDLE_VALUE mov hVxD, eax .... .else invoke MessageBox, NULL, addr Failure, NULL, MB_OK MB_ICONERROR .endif

We call CREATEFILE to load dynamic VXD. Note the file_flag_delete_on_close tag. This flag notifies Windows to uninstall VXD when the VXD handle returns from the CreateFile. If CREATEFILE is successful, we save the VXD handle.

invoke MessageBox, NULL, addr Success, addr AppName, MB_OK MB_ICONINFORMATION invoke DeviceIoControl, hVxD, 1, addr InBuffer, 8, NULL, NULL, NULL, NULL invoke CloseHandle, hVxD invoke MessageBox, NULL, addr Unload, addr AppName, MB_OK MB_ICONINFORMATION When VXD is loaded / uninstalled, this program displays a message box. It makes dwiocontrolcode = 1 and then calls DeviceIocontrol. Pass the address of the Inbuffer to LPINBuffer and pass the Inbuffer size to Ninbuffersize. Inbuffer is an array including two elements: Each element is an address of a string.

Msgtitle DB "Deviceiocontrol Example", 0 MSGText DB "I'm Called from a VXD!", 0 Inbuffer DD Offset Msgtitle DD Offset Msgtext

Now let's take a look at this VXD.

It only processes the W32_Deviceiocontrol message. When the W32_DeviceioControl message is sent, call the ONDEVICEIOCONTROL function.

Beginproc ONDEVICEIOCONTROL Assume ESI: Ptr Diocparams .IF [ESI] .dwiocontrolcode == Dioc_open xor Eax, EAX

ONDEVICEIOCONTROL handles Dioc_Open, return 0 in EAS.

.ELSEIF [ESI] .dwiocontrolcode == 1 MOV EDI, [ESI] .lpvinbuffer

It also handles Control Code equal to 1. The first thing it does is to take out the data in lpyinbuffer. This data is two DWORD values ​​that are transmitted to the LPinBuffer of the DeviceIocontrol API. It puts the address that points to the DWORD array in EDI. The first DWORD is a string address as a message box title. The second DWORD is a string address as a message box text.

; -----------------------------------; Copy the Message Title to Buffer; ------ ----------------------------- Vmmcall_lstrlen, <[EDI]> Inc Eax Push Eax Vmmcall_Heapallocate, MOV Ptitle, Eax Pop Eax Vmmcall_lstrcpyn,

It calls VMM service lstrlen to calculate the length of the message box title. LSTRLEN returns the length of the string in Eax. We add this length to 1 to the end marker NULL. Next We assign a large enough to accommodate strings by calling HeapAllocate and its end tag NULL memory. Plus the Heapzeroinit tag to make HeapAllocate clear this memory. HeapAllocate returns the address of this memory in EAX. We then copy string to our application from the address space of Win32 App to our application. We do the same operation to the string to do the message box text.

MOV EDI, PTIE MOV ECX, PMESSAGE MOV EAX, MB_OK VMMCALL GET_SYS_VM_HANDLE VXDCALL SHELL_SYSMODAL_MESSAGE We put the address of the title and text exist in EDI and ECX, respectively. Place the desired marker in EAX, get the VM handle of the system VM by calling get_sys_vm_handle. Then call shell_sysbodal_message. Shell_sysmodal_message is the mode version of the system shell_message. It freeze the system until the user reacts the message box.

Vmmcall_heapfree, ptitle, 0 vmmcall _heapfree, PMessage, 0

When shell_systemodal_message returns, we release memory with _heapfree.

to sum up:

The DeviceIocontrol interface makes your Win32 application use dynamic VXD as a Ring-0 DLL extension.

转载请注明原文地址:https://www.9cbs.com/read-30106.html

New Post(0)