Everyone knows that the much-discussed CIH virus relies on VxD technology; mastering VxD programming therefore means demystifying CIH and being able to remove it thoroughly. Study this article carefully.
VxD introduction
This article describes the role of VxDs. If the standard VxDs shipped with Windows 95 do not fully support your hardware or software, you need to write a VxD for that hardware or software (16-bit or 32-bit). You can also write a VxD to expose new features of your hardware or software to Windows users. This article explains how to write a VxD, describes the structure, procedures and calls a VxD needs, and gives the steps for building and testing one. A VxD can be loaded statically or dynamically; the material below mainly describes static VxDs, but the format and functionality described apply to both.
What is a VxD
A VxD is a 32-bit executable that virtualizes a system resource, such as a hardware device or an installed piece of software, so that several applications can share that resource at the same time. Windows uses VxDs to multitask Windows-based applications. A VxD handles the interrupts associated with Windows and performs I/O operations on behalf of the applications that need them, without disturbing other applications. Most VxDs manage hardware devices; some manage, or replace, installed software such as the standard ROM BIOS. A VxD may contain the device-specific code needed to operate its device, or it may rely on other software to perform those operations. In either case the VxD keeps a record of the device state for each application, so that when an application resumes the device is in the state it expects. Some VxDs only manage installed software such as MS-DOS device drivers or TSR programs; these typically emulate that software, or protect its data while it runs. VxDs are sometimes used to improve the performance of installed software, because an Intel-compatible CPU executes a 32-bit VxD more efficiently than a 16-bit MS-DOS device driver or TSR.
Standard VxDs
Windows includes a variety of VxDs to support common hardware devices and installed software. In some cases you may need to modify one of them to provide new features or to support non-standard hardware. Windows also provides many VxDs that are not meant to be modified but that assist other VxDs; for example, many VxDs use the V86 memory manager (V86MMGR) and the virtual programmable interrupt controller device (VPICD) to reserve V86-mode memory and to receive hardware interrupt requests. To help with VxD development, the Windows 95 Device Driver Development Kit (DDK) includes source code for a large number of device drivers.
Creating a VxD
You can create a VxD by modifying a sample VxD or by writing your own. VxDs can be written in assembly language, and some can be written in a high-level language such as C. Creating a VxD takes the following steps:
1. Read the hardware manual for the device the VxD will virtualize.
2. Write the required control procedures, VxD services and API functions.
3. Create a module definition file that records the module name and exports the required device description block.
4. Assemble and link the VxD.
5. Test the VxD with the debug version of Windows 95; for more about debugging VxDs see the related documentation (Soft-ICE can also be used for debugging - translator's note).
6. Create an installation file (INF file) for the VxD and its related files; it installs the VxD by updating the registry and copying the files to the Windows SYSTEM directory and the specified copy directory.
7. Build the final release package.
What you need to start
This article assumes that you are an experienced assembly language programmer familiar with the instruction set and architecture of Intel-compatible processors. In particular you should understand: protected mode and virtual 8086 (V86 - translator's note) mode; the flat memory model; interrupt and exception handling; protection and privilege levels; segment and page memory management and their fault handling; and input/output protection and its fault handling.
This article also assumes that you are familiar with the characteristics of the hardware you want to virtualize, the corresponding standard ROM BIOS, and other installable software.
Writing a VxD
In some cases a VxD is written to replace a standard VxD supplied with Windows 95. In most cases, however, a VxD is written to support a new hardware device or new software. In that case it is usually easier to write a new VxD from scratch than to adapt an existing one, because most VxDs are device-specific. Even so, you should study the source code of existing VxDs as much as possible, because they show the common formats and structures and how VMM and VxD services are used to implement useful features. Writing a VxD takes the following steps:
1. Create the VxD framework: the VxD segments, the VxD declaration, the device control procedure, the procedures that handle system control messages, and the basic part of the API procedures.
2. Add the real-mode initialization procedure (optional).
3. Complete the procedures that handle the initialization messages. They should initialize the control block, allocate global memory, and install the interrupt, I/O trap and page fault callback procedures.
4. Complete the callback procedures for the various interrupts and faults.
5. Add the service table definition and services (optional).
6. Complete the API procedures (optional).
7. Complete the procedures that handle the system control messages for creating and destroying virtual machines.
While writing the VxD you can install it and run Windows under debugger control, setting breakpoints to monitor the interrupts the VxD manages; this helps you verify that the VxD is working correctly.
VxD segments
A VxD can contain any combination of the following five segments:
1. VxD_CODE segment: protected-mode code segment (required). It holds the VxD's system control procedure, callback procedures, services and API procedures. It is delimited by the macros VxD_CODE_SEG and VxD_CODE_ENDS; its segment name is _LTEXT.
2. VxD_DATA segment: protected-mode data segment (required). It holds the device description block, the service table and part of the VxD's global data. It is delimited by the macros VxD_DATA_SEG and VxD_DATA_ENDS; its segment name is _LDATA.
3. VxD_ICODE segment: protected-mode initialization code segment (optional). It generally holds procedures and services used only during VxD initialization; the VMM discards it after the Init_Complete message. It is delimited by the macros VxD_ICODE_SEG and VxD_ICODE_ENDS; its segment name is _ITEXT.
4. VxD_IDATA segment: protected-mode initialization data segment (optional). It generally holds data used by the initialization procedures and services; the VMM discards it after the Init_Complete message. It is delimited by the macros VxD_IDATA_SEG and VxD_IDATA_ENDS; its segment name is _IDATA.
5. VxD_REAL_INIT segment: real-mode initialization segment (optional). It holds the real-mode initialization procedure and its data; the VMM calls the procedure before loading the VxD and discards the segment once the procedure returns. It is delimited by the macros VxD_REAL_INIT_SEG and VxD_REAL_INIT_ENDS; its segment name is _RTEXT.
Except for the real-mode initialization segment, all code and data segments are 32-bit flat-model protected-mode segments, which means that the procedures and data defined in them are addressed by 32-bit offsets. When the VMM loads the VxD, it fixes up every offset according to the VxD's actual location in memory. Therefore, within the protected-mode segments, use the OFFSET32 macro instead of the ordinary OFFSET operator: an offset produced by OFFSET32 carries the fixup information the linker needs. A VxD must not change the CS, DS, ES and SS segment registers, but it may use FS and GS.
Protected-mode instructions
The VxD source file must begin with the .386p directive so that the assembler accepts protected-mode instructions. Although a VxD runs at privilege level 0, it must not alter the CPU's operating environment, for example by modifying the global descriptor table (selectors - translator's note) or the interrupt descriptor table, the task state segment, or the control registers; doing so can adversely affect Windows. The only exception is the virtual math coprocessor device (VMCPD), which is allowed to modify the 80387-related bits in the CR0 register.
Include files
The include files define the macros, structures, symbols and tables a VxD needs; they are used to declare segments and procedures and to call VMM and other VxD services. The service definitions, macros and symbols in each include file are:
1. VMM.inc: all VMM services and the macros and symbols they require, such as Declare_Virtual_Device and VMMCall.
2. Debug.inc: macros that print information to the debug terminal and perform various data checks. These macros generate code only when the VxD is built with the DEBUG symbol defined.
3. VPICD.inc: the services, macros and symbols defined for the virtual programmable interrupt controller device (VPICD). VPICD handles all hardware interrupts, so many VxDs need its services.
4. Shell.inc: definitions of the services provided by the virtual shell device. The virtual shell device provides access to Windows functions such as MessageBox, allowing a VxD to display dialog boxes.
VxD declaration
Each VxD must declare a name, a version number, an initialization order and a device control procedure; many VxDs also declare a device identifier and API procedures. These declarations are usually made with the Declare_Virtual_Device macro, for example:
Declare_Virtual_Device VSAMPLED, 4, 0, VSAMPLED_Control, VSAMPLED_Device_ID, VSAMPLED_Init_Order, VSAMPLED_V86_API_Handler, VSAMPLED_PM_API_Handler
This example declares a sample VxD named VSAMPLED, version 4.0; the device control procedure VSAMPLED_Control must be defined in the corresponding source file. The symbols VSAMPLED_Device_ID and VSAMPLED_Init_Order give a non-standard VxD identifier and initialization order, and the VxD provides both a V86-mode and a protected-mode API procedure. The VMM uses this information to initialize the VxD, to send it system control messages, and to let MS-DOS applications, device drivers and TSRs call the VxD. To make the information accessible to the VMM, the macro builds a device description block (DDB, a VxD_Desc_Block structure) and stores it in the protected-mode data segment; it also creates a public label for the DDB so that the VxD's module definition file can export it explicitly. In the example above, the DDB is named VSAMPLED_DDB.
VxD identifier (ID)
A VxD supplies a VxD identifier to distinguish it from other VxDs. The VMM's dynamic linking routines use the identifier to bind service calls to the right VxD, so a VxD must have a unique identifier if it provides services, provides V86-mode or protected-mode API procedures, or otherwise needs to be uniquely identified. Standard VxDs use predefined identifiers (symbols defined in VMM.inc); a VxD that supports a new device or a new software interface must have a new identifier. To prevent conflicts between new VxDs, Microsoft assigns identifiers and guarantees that no other vendor will use the one assigned to you; Microsoft reserves the identifiers 0-01FFh for its own use. A VxD that provides no services or API procedures, or otherwise does not need a unique identifier, should use the Undefined_Device_ID symbol as its identifier.
Initialization order
Each VxD has an initialization order value that tells the VMM when to initialize it; the VMM initializes VxDs from the smallest value to the largest. If two or more VxDs have the same value, the VMM initializes them in the order in which they appear in System.ini, but this order is not guaranteed. Initialization order matters for VxDs that must call other VxDs' services, or must hook interrupts before other VxDs do. If a VxD must initialize before or after a standard VxD, derive its value by subtracting or adding a small amount to that standard VxD's predefined initialization order symbol (defined in VMM.inc). A VxD that does not need a specific initialization order should use the Undefined_Init_Order symbol instead.
Device control procedure
Each VxD has a device control procedure, through which the VMM delivers system control messages to the VxD. System control messages direct the VxD to perform an action, such as initializing itself, or notify it of changes to virtual machines (for example, that a virtual machine has been created). Many VxDs define the device control procedure with the Begin_Control_Dispatch, Control_Dispatch and End_Control_Dispatch macros, for example:
Begin_Control_Dispatch VSAMPLED
Control_Dispatch Sys_Critical_Init, VSAMPLED_Crit_Init
Control_Dispatch Device_Init, VSAMPLED_Device_Init
Control_Dispatch Sys_Critical_Exit, VSAMPLED_Crit_Exit
End_Control_Dispatch VSAMPLED
Here the macros create a device control procedure named VSAMPLED_Control and generate code that checks for the Sys_Critical_Init, Device_Init and Sys_Critical_Exit messages. When one of these messages arrives, the procedure handles it by transferring control to the corresponding procedure (for example VSAMPLED_Crit_Init), which must be defined in the VxD.
System control messages
The VMM sends system control messages to VxDs to notify them of changes affecting the system and the virtual machines. Most VxDs need to track the creation and state of virtual machines, so the VMM sends a message to every VxD whenever a virtual machine is created, initialized or terminated. The VMM also sends messages when the focus moves to or from a virtual machine, and when the virtual shell device needs to display a message to the user. The common messages, and how a VxD should handle them, are as follows:
Begin_Message_Mode: received when the virtual shell device needs to display a message box to the user but cannot use the system virtual machine and the Windows functions. The virtual keyboard, mouse and display devices save their current state and allow any message-mode services to initialize the corresponding device for message-mode processing.
Create_VM: the first message a VxD receives when a new virtual machine is created. The VxD should initialize its virtual-machine-related data, in particular its control block.
Debug_Query: received from the WDEB386 debugger. The VxD can display a debugging menu and read user commands from the debug terminal.
Destroy_VM: the third virtual machine termination message a VxD receives. The Simulate_Int and Exec_Int services are no longer valid for a virtual machine that has received this message.
Device_Init: the second message a VxD receives. Interrupts are enabled; most VxDs allocate memory, copy their initial state into their device-specific area of the system virtual machine's control block, install interrupt callbacks and I/O trap handlers, and specify instance data. From this point the Simulate_Int and Exec_Int services are available.
End_Message_Mode: received when the virtual shell device no longer needs to display the message box. The virtual keyboard, mouse and display devices restore the virtual machine's state and disable any message-mode services.
Init_Complete: the third message a VxD receives, and the last one related to system initialization. Most VxDs do not process it, but a VxD that uses V86 memory should return the V86 memory it previously located and allocated. When the VxD returns from this message, the VMM discards the VxD's initialization code and data segments.
Query_Destroy: received when the virtual shell device needs to decide whether a virtual machine can be deleted. The VxD can prevent deletion by returning with the carry flag (CF - translator's note) set, in which case it should use the Shell_Message service to tell the user about the problem.
Reboot_Processor: received when the user tries to restart the computer. A VxD that is able to restart the computer, such as the virtual keyboard device, should do so.
Set_Device_Focus: received when the execution focus moves from one virtual machine to another. The VxD restores the hardware device's state for the virtual machine gaining focus. If the VxD uses I/O trapping to manage the device in a virtual machine that does not have the focus, it should remove as much of that I/O trapping as possible when the virtual machine gains the focus, so that the virtual machine runs as fast as possible.
Sys_Critical_Exit: the last message a VxD receives. Interrupts are disabled, and the Simulate_Int and Exec_Int services are no longer valid. The VxD should reset its hardware device so that the system can return to real mode without problems.
Sys_Critical_Init: the first message a VxD receives. Interrupts are still disabled, so the VxD should finish as quickly as possible. Most VxDs do the following: install and initialize whatever is needed to support hardware interrupts from the device and software interrupts from the VMM or other VxDs; claim any memory pages outside V86-mode memory, such as the display RAM claimed by the virtual display device; and initialize any data its services need, which typically includes settings read from System.ini. While handling this message, the Simulate_Int and Exec_Int services must not be used.
Sys_VM_Init: received after Init_Complete. The VxD should initialize the hardware and software state of the system virtual machine. If the VxD returns with the carry flag set, the VMM terminates all processes and exits Windows.
Sys_VM_Terminate: the first system virtual machine termination message a VxD receives. The VxD can begin preparing for the termination of the virtual machine.
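The pieces described above (the segment macros, the Declare_Virtual_Device declaration, the control dispatch macros, and the Device_Init and Create_VM messages) combined into one minimal static VxD skeleton. This is an added example, not code from the original article or from the DDK: the VSAMPLED name comes from the text, while the VSAMPLED_CB structure, its fields and the two handlers are this example's own, and it assumes the DDK's BeginProc/EndProc macros and the _Allocate_Device_CB_Area VMM service from VMM.inc, which the article does not list.

```asm
        .386p
        include vmm.inc
        include debug.inc

; Example-only identifier and order: a real device needs an ID assigned by
; Microsoft; a VxD with no services or API may use the undefined values.
VSAMPLED_Device_ID      equ     UNDEFINED_DEVICE_ID
VSAMPLED_Init_Order     equ     UNDEFINED_INIT_ORDER

; Per-VM state this example keeps in each VM control block (layout is ours).
VSAMPLED_CB     struc
        vs_io_count     dd      ?       ; I/O requests seen from this VM
        vs_flags        dd      ?
VSAMPLED_CB     ends

VxD_DATA_SEG                            ; _LDATA: DDB and global data
Declare_Virtual_Device VSAMPLED, 4, 0, VSAMPLED_Control, \
                       VSAMPLED_Device_ID, VSAMPLED_Init_Order
VSAMPLED_CB_Offset      dd      0       ; offset of our area in every VM CB
VxD_DATA_ENDS

VxD_ICODE_SEG                           ; _ITEXT: discarded after Init_Complete
BeginProc VSAMPLED_Device_Init
        ; Device_Init: EBX = system VM handle, interrupts are enabled.
        ; Reserve our area once; the VMM provides it in every VM's CB.
        VMMCall _Allocate_Device_CB_Area, <<SIZE VSAMPLED_CB>, 0>
        or      eax, eax
        jz      short di_fail
        mov     [VSAMPLED_CB_Offset], eax
        clc                             ; CF clear = initialization succeeded
        ret
di_fail:
        Debug_Out "VSAMPLED: cannot allocate control block area"
        stc                             ; CF set = VMM refuses to load the VxD
        ret
EndProc VSAMPLED_Device_Init
VxD_ICODE_ENDS

VxD_CODE_SEG                            ; _LTEXT: resident code
BeginProc VSAMPLED_Create_VM
        ; Create_VM: EBX = handle of the new VM. Put our slice of its CB
        ; into a known initial state before any I/O from that VM is seen.
        mov     eax, [VSAMPLED_CB_Offset]
        mov     dword ptr [ebx+eax+vs_io_count], 0
        mov     dword ptr [ebx+eax+vs_flags], 0
        clc
        ret
EndProc VSAMPLED_Create_VM

Begin_Control_Dispatch VSAMPLED         ; defines VSAMPLED_Control
        Control_Dispatch Device_Init, VSAMPLED_Device_Init
        Control_Dispatch Create_VM,   VSAMPLED_Create_VM
End_Control_Dispatch VSAMPLED
VxD_CODE_ENDS
        end
```

Messages without a Control_Dispatch entry (Init_Complete, Destroy_VM and the rest) fall through the generated dispatcher with the carry flag clear, which is the "nothing to do" reply the VMM expects.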