First, Windows 95 DDK installation
Installing Windows 95 DDK Generally Need to install Win32 SDK first because Windows 95 DDK requires the 16-bit resource compiler of Win32 SDK, but Win32 SDK is large (a capacity of the entire disc), and it is difficult to buy, FTP station Less see, even if there is, download is also very difficult. After a period of exploration, I found several simple ways to install Windows 95 DDK. Now the method is as follows: Method: Method: Use a third-party resource compiler 1, modify the note, simulation Win32 SDK has been installed. Establish a registry file called Win32SDK.REG, the content is:
Regedit4
[HKEY_USERS / .DEFAULT / Software / Microsoft / Win32SDK]
[HKEY_USERS / .DEFAULT / SOFTWARE / Microsoft / Win32SDK / Directories] "Install Dir" = "C: // MStools"
Double-click this file in the Explorer to add the contents of this file to the registry. You can install Windows 95 DDK. 2. Run the setup.exe file in Windows 95 DDK, install Windows 95 DDK to C: / DDK. 3. Install MASM 6.11 to C: / MASM611. After the installation is complete, the files in the Masm611c directory in the un installed Windows 95 DDK are overwritten to C: / Masm611 / bin. 4, install Visual C 5.0 (4.0 can also, but should not use 6.0) to C: / Program Files / DevStudio / VC. 5. Establish a C: / MSTools / Binw16 directory, copy the resource compiler. Windows 95 DDK requires a resource compiler that can compile Win32 resource files into a 16-bit resource. If there is Win32 SDK, you can copy the files in the binw16 directory to C: / mstools / binw16. If there is no Win32 SDK, you can use a third-party resource compiler, here to use Borland's resource compiler as an example: prepare Turbo Masm 5.0, use the UNPAK tool to unpack the cmdline.pak file, find the following three files:
Brc.exe brcc32.exe rw32core.dll
Copy these three files to c: / mstools / binw16, and the brc.exe is named rc.exe. 6. Modify config.sys to increase environment variable space. In the config.sys file, finally join the line:
Shell = C: /Windows/Command.com / E: 8192 / P
7. Enter the Windows 95 MS-DOS mode, initialize the compilation environment (it is best to build a batch file):
C: /masm611/binr/new-vars.bat c: /ddk/ddkinit.bat 32 base (Different parameters) C: / program files / devrs32.bat
You can use Windows 95 DDK, the warning that appears when the connection can be used. 2: Use Windows 98 DDK full version of Windows 98 DDK (about 30m) including Windows 95 DDK, full SDK compiler, and MASM 6.11C assembler, installation method is very simple: Install Windows 98 DDK and Visual C 5.0, then directly Run "Check Build Environment" or "FREE Build Environment" program items can be enabled. Second, a VXD that intercepts Windows 95/98 file operation
VXD - virtual device driver, as the name suggests, vxd is used to control hardware devices, then why do you tell a VXD that intercepts Windows 95/98 files? In fact, VXD can not only control hardware devices, because VXD works on the 80386 protection mode RING 0 privilege level (highest privilege level), and the general application works on the Ring 3 privilege level (minimum privilege level), so VXD Many APIs cannot be completed, such as port reading and writing, physical memory reading, interrupt call, API interception, etc. Because of this, VXD has a wide range of uses in Windows system programming. In fact, everyone is generally incoming that Windows API cannot resolve or solve problems to write VXD solutions. The VXD that intercepted Windows 95/98 files will be used to intercept all files for Windows 95/98 (Windows NT does not support VXD), then what is the use of this VXD? The biggest use may be - virus firewall, used to filter file operations to perform dynamic virus detection and dynamic anti-virus. The principles used by this VXD and the principles of current popular CIH virus infections are basically the same. (In fact, if you want to ask me why I want to write such a vxd, that is because - I am a Virus version of the moderator) The file name of the VXD is FileHook.VXD, the source program (Filehook.asm) is as follows:
Filehook.vxd - Blocking Windows 95/98 file VXD
.386P
.Xlist
INCLUDE VMM.INC INCLUDE VWIN32.INC Include shell.inc
MASM = 1
INCLUDE IFS.INC include IFSMGR.Ic
.List
; Vxd declaration
Declare_virtual_device filehook, 1,0, vxd_control, undefined_device_id ,,,
Protection mode data segment
Vxd_data_seg prev_file_system_api_hook dd 0 in_file_system_api_hook db 0 message1 dB 'open file!', 0 caption1 db 'filehook', 0 vxd_data_ends
Protection mode code segment
VXD_CODE_SEG
System control process
BeginProc VxD_Control Control_Dispatch SYS_DYNAMIC_DEVICE_INIT, VxD_Device_Init Control_Dispatch SYS_DYNAMIC_DEVICE_EXIT, VxD_Device_Exit Control_Dispatch W32_DEVICEIOCONTROL, VxD_IOCTL clc ret EndProc VxD_Control; IOCTL control (device I / O control) process
BeginProc VxD_IOCTL; DeviceIoControl obtaining control code mov ecx, [esi.dwIoControlCode] cmp ecx, 1 jz Install_File_System_Api_Hook cmp ecx, 2 jz Uninstall_File_System_Api_Hook jmp VxD_IOCTL_Exit
Install file system API hook
Install_File_System_Api_Hook: mov eax, OFFSET32 File_System_Api_Hook VxDCall IFSMgr_InstallFileSystemApiHook or eax, eax jz Error_Handler; saved on a file system API hooks address mov Prev_File_System_Api_Hook, eax jmp VxD_IOCTL_Exit
Remove the file system API hook
Uninstall_file_system_api_hook: MOV Eax, Offset32 File_System_API_HOOK VXDCALL IFSMGR_REMOVEFILESYSTEMAPIHOK CMP EAX, 0FFFFFFFH JZ ERROR_HANDLER JMP VXD_IOCTL_EXIT
; IOCTL control process
VXD_IOCTL_EXIT: XOR EAX, EAX CLC RET
Error handling
Error_Handler: MOV EAX, 0FFFFFFFH STC RET endproc vxd_ioctl
; Vxd_device_exit process
BeginProc vxd_device_exit clc Ret endproc vxd_device_exit
; File system API hook process (C language call mode)
BeginProc File_System_Api_Hook, CCALL ArgVar FSDFnAddr, DWORD ArgVar FunctionNum, DWORD ArgVar Drive, DWORD ArgVar ResourceFlags, DWORD ArgVar CodePage, DWORD ArgVar pir, DWORD EnterProc pushad; to prevent the re-entry cmp byte ptr In_File_System_Api_Hook, 00h jnz Prev_Hook; relatively open file operation it? cmp dword ptr FunctionNum, IFSFN_OPEN jnz Prev_Hook; provided reentry flag inc byte ptr In_File_System_Api_Hook; get current VM handles VMMCall Get_Cur_VM_Handle; displays a message box mov eax, MB_ICONASTERISK MB_OK mov ecx, OFFSET32 Message1 mov edi, OFFSET32 Caption1 mov esi, 0 mov edx 0 vxdcall shell_message; cancel the re-entry flag dec Byte PTR in_File_System_API_HOOK
Go to the previous file system API hook address
Prev_hook: Popad LeaveProc MOV EAX, prev_file_system_api_hook jmp [eax] return endproc file_system_api_hookvxd_code_ends
; Protection mode initialization code segment
VXD_ICODE_SEG
; Vxd_device_init process
BeginProc vxd_device_init clc Ret endproc vxd_device_init
VXD_ICODE_ENDS
end
The VXD processes three system control messages in the device control process (VXD_Control procedure), which are sys_dynamic_Device_init (dynamic VXD initialization), SYS_DYNAMIC_DEVICE_EXIT (Dynamic VXD Exit) and W32_Deviceiocontrol (Device I / O Control), the corresponding message processing process Is vxd_device_init, vxd_device_exit and vxd_ioctl. Where the vxd_device_init process and the vxd_device_exit process only clear the carry flag returns (successful), the vxd_iocTl process is the interface of Windows 95/98 application with VXD communication, complete the installation and removal of the file system API hook, [esi.dwiocontrolcode] Device I / O control code, the control code is 1 to install the file system API hook, transfer to the file system API hook. FILE_SYSTEM_API_HOOK is the file system API hook process, here as a simple instance, the hook process determines if it is open file operation, if so, display a simple message box, then jump to the previous file hook (equivalent to the old file system API Entrance). If the expansion function is required, you can add the code during this process. Compilation Connection VXD requires a module definition file and a nmake file (can also be manually assembled). Both files can be directly modified in the generic instance in the generic instance in the DDK, the module definition file (Filehook.def) is as follows:
Vxd FileHook Dynamic
Description 'File System API Hook Program'
SEGMENTS _LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE _TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE _TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE _BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE _LMSGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL _LMSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL _IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL _IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL _ITEXT CLASS 'ICODE' DISCARDABLE _IDATA CLASS 'ICODE' DISCARDABLE _PTEXT CLASS 'PCODE' NONDISCARDABLE _PMSGTABLE CLASS 'MCODE' NONDISCARDABLE IOPL _PMSGDATA CLASS 'MCODE' NONDISCARDABLE IOPL _PDATA CLASS 'PDATA' NONDISCARDABLE SHARED _STEXT CLASS 'S CODE 'RESIDENT _SDATA CLASS' SCODE 'RESIDENT _DBOSTART CLASS' DBOCODE 'PRELOAD NONDISCARDABLE CONFORMING _DBOCODE CLASS' DBOCODE 'PRELOAD NONDISCARDABLE CONFORMING _DBODATA CLASS' DBOCODE 'PRELOAD NONDISCARDABLE CONFORMING _16ICODE CLASS' 16ICODE 'PRELOAD DISCARDABLE _RCODE CLASS' RCODE'EXPORTS FILEHOOK_DDB @ 1
The nmake file is as follows:
• ifdef master_make build_bits = 32 build_type = base! Include $ (ddkroot) /master.mk! Endif
Name = filehook
#upply the location of a 16-bit linkerlink =
# Definitions for the debug level
ingdef debug ddebug = -ddeblevel = 1 -ddebug! Else Ddebug = -ddeblevel = 0! Endif
# Definitions for Masm 6 Assembler
ASM = ML AFLAGS = -Coff -dbld_coff -dis_32 -w2 -c -cx -zm -dmasm6 $ (ddebug) Asmenv = ML LFLAGS = / VXD / NOD
# MASM 6 Only Inference Rules
.asm.Obj: Set $ (Asmenv) = $ (AFLAGS) $ (ASM) -fo $ *. Obj $
All: $ (Name) .vxd
Objs = filehook.obj
Filehook.obj: FileHOK.ASM
$ (Name) .vxd: $ (name) .def $ (objs) link @ << $ (name) .Lnk $ (lflags) /out: "(Name ).vxd / map:,0ure (Name ).map / DEF: $ (Name). DEF $ (OBJS) << Mapsym -s -o $ (Name) .ssym $ (name) .map
Clean: - @ del * .obj - @ del * .Exp - @ del * .lib - @ del * .map - @ del * .sym
With these two files, running NMAKE to assemble vxd.
Third, Windows 95/98 Application and VXD communication
Windows 95/98 Applications and VXD communication generally use the DeviceIocontrol function, here gives an instance source program (fHtest.c) as follows:
File: // Intercept Windows 95/98 File Operation Test Program
#include #include "tchar.h"
#define install_file_system_api_hook 1 #define uninstall_File_System_API_HOOK 2
Static tchar szappname [] = _ t ("fhtest"); static tchar szapptitle [] = _ t ("Intercepting Windows 95/98 File Operation Detection"; static handle hdevice;
LResult Callback WndProc (HWND HWND, UINT MESSAGE, WPARAM WPARAM, LPARAM LPARAM);
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {HWND hWnd; WNDCLASSEX wcex; MSG Msg; file: // This procedure can not be run if (GetVersion () <0x80000000) in Windows NT {MessageBox (NULL , _T ("This program cannot be run in Windows NT!"), SzappTitle, MB_ICONITIONFORMATION | MB_OK); Return False;} if (! Hprevinstance) {wcex.cbsize = sizeof (WNDCLASSEX); wcex.style = cs_hredraw | cs_vredRAW; wcex.lpfnWndProc = WndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = 0; wcex.hInstance = hInstance; wcex.hIcon = LoadIcon (hInstance, IDI_APPLICATION); wcex.hCursor = LoadCursor (NULL, IDC_ARROW); wcex.hbrBackground = (HBRUSH) (COLOR_WINDOW 1); wcex.lpszMenuName = NULL; wcex.lpszClassName = szAppName; wcex.hIconSm = LoadIcon (hInstance, IDI_APPLICATION); if (! RegisterClassEx (& wcex)) return FALSE;} hWnd = CreateWindow (szAppName, SzappTitle, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, 0, 0, HINSTANCE, NULL; if (! hwnd) Return False; showwindow (hwnd, ncmdshow); Updat Ewindow (hwnd); While (GetMessage (& MSG, 0, 0)) {TranslateMessage (& MSG); DispatchMessage (& MSG);} return msg.wparam;}
LRESULT CALLBACK WndProc (HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam) {HDC hDC; PAINTSTRUCT ps; DWORD cb; BOOL bResult; switch (Message) {case WM_CREATE: hDevice = CreateFile ( ".// FILEHOOK.VXD", 0,0, NULL, 0, FILE_FLA G_DELETE_ON_CLOSE, NULL); if (hDevice = INVALID_HANDLE_VALUE) {bResult = DeviceIoControl (hDevice, INSTALL_FILE_SYSTEM_API_HOOK, NULL, 0, NULL, 0, & cb, 0);! if (bResult) MessageBox (hWnd , _T ("file system API hook installation success!"), SzappTitle, MB_ICONITION | MB_OK; Else MessageBox (hwnd, _t ("Cannot install file system API hook!"), Szapptitle, MB_ICONITION | MB_OK);} else {MessageBox (hwnd, _t ("Filehook.VxD!"), SzappTitle, MB_ICONITION | MB_OK;} Break; Case WM_PAINT: HDC = BeginPaint (HWND, & PS); EndPaint (HWND, & PS); Break; Case WM_DESTROY: IF (hDevice = INVALID_HANDLE_VALUE!) {bResult = DeviceIoControl (hDevice, UNINSTALL_FILE_SYSTEM_API_HO OK, NULL, 0, NULL, 0, & cb, 0); if (bResult) MessageBox (hWnd, _T ( "file system API hook removed successfully!") , SzappTitle, MB_ICONInInformation | MB_OK; Else Message Box (hwnd, _t ("cannot remove the file system API hook! "), SzAppTitle, MB_ICONINFORMATION | MB_OK); CloseHandle (hDevice);} else {MessageBox (hWnd, _T (" Can not open FILEHOOK.VXD "), szAppTitle, MB_ICONINFORMATION | MB_OK);!} PostQuitMessage (0); break; default : Return DefWindowProc (HWND, Message, WPARAM, LPARAM);} Return 0;
This program uses the CreateFile function to dynamically load VXD, then send device I / O control code, install and remove file system API hooks to VXD with the DeviceIoControl function, and finally remove the VXD with the CloseHandle function. When running the program, if the file system API hook is installed successfully, the message box of "file system API hook installation is successful!", Then the "Open File!" Message box will be displayed as long as the open file operation is turned on. When exiting the program, if the file API hook is successful, the message box that "file API hook removal is successful!" Will not display the message box when opening file operation. Fourth, small knot
The above instance demonstrates a complete way to intercept the VXD and Windows 95/98 applications for Windows 95/98 file system API and the VXD communication. This VXD can be used as a basic framework, which can be used for software such as virus firewalls. In fact, VXD's function is far more than this, and the features of VXD can be used to write many advanced applications that use APIs cannot be written. This tutorial is just a simple VXD programming example, because the author's level is limited, plus less time, simple writing, please forgive me, and welcome everyone to discuss. The VMM function, VXD function and API functions used in this tutorial are reviewed or help.
