VxD programming introductory tutorial Author: TBsoft
First, Windows 95 DDK installation
Installing Windows 95 DDK Generally Need to install Win32 SDK first because Windows 95 DDK requires the 16-bit resource compiler of Win32 SDK, but Win32 SDK is large (a capacity of the entire disc), and it is difficult to buy, FTP station Less see, even if there is, download is also very difficult. After a period of exploration, I found several simple ways to install Windows 95 DDK, and the method is now introduced as follows:
One of the methods: use a third-party resource compiler
1. Modify the registry, simulate the case where Win32 SDK has been installed.
Establish a registry file called Win32SDK.REG, the content is:
Regedit4
[HKEY_USERS / .DEFAULT / Software / Microsoft / Win32SDK]
[HKEY_USERS / .DEFAULT / SOFTWARE / Microsoft / Win32SDK / DIRECTORIES]
"Install dir" = "c: // mstools"
Double-click this file in the Explorer to add the contents of this file to the registry. You can install Windows 95 DDK.
2. Run the setup.exe file in Windows 95 DDK, install Windows 95 DDK to C: / DDK.
3. Install MASM 6.11 to C: / MASM611. After the installation is complete, the files in the Masm611c directory in the un installed Windows 95 DDK are overwritten to C: / Masm611 / bin.
4, install Visual C 5.0 (4.0 can also, but should not use 6.0) to C: / Program Files / DevStudio / VC.
5. Establish a C: / MSTools / Binw16 directory, copy the resource compiler. Windows 95 DDK requires a resource compiler that can compile Win32 resource files into a 16-bit resource. If there is Win32 SDK, you can copy the files in the binw16 directory to C: / mstools / binw16. If there is no Win32 SDK, you can use a third-party resource compilation.
In order to use the resource compiler of Borland as an example:
Prepare Turbo Masm 5.0, unpacking the cmdline.pak file with UNPAK tools, find the following three files:
Brc.exe
Brcc32.exe
RW32Core.dll
Copy these three files to c: / mstools / binw16, and the brc.exe is named rc.exe.
6. Modify config.sys to increase environment variable space.
In the config.sys file, finally join the line:
Shell = C: /Windows/Command.com / E: 8192 / P
7, enter the Windows 95 MS-DOS mode, initialize the compilation environment (preferably create a batch file):
C: /masm611/binr/new-vars.bat
C: /ddk/ddkinit.bat 32 Base
(The compiled equipment driver is different, the parameters are different)
C: / program files / devstudio / vc / bin / vcvars32.bat
You can use Windows 95 DDK, the warning that appears when the connection can be used. 2: Use Windows 98 DDK full version of Windows 98 DDK (about 30m) including Windows 95 DDK, full SDK compiler, and MASM 6.11C assembler, installation method is very simple: Install Windows 98 DDK and Visual C 5.0, then directly Run "Check Build Environment" or "FREE Build Environment" program items can be enabled. Second, a VXD that intercepts Windows 95/98 file operation
VXD - virtual device driver, as the name suggests, vxd is used to control hardware devices, then why do you tell a VXD that intercepts Windows 95/98 files? In fact, VXD can not only control hardware devices, because VXD works on the 80386 protection mode RING 0 privilege level (highest privilege level), and the general application works on the Ring 3 privilege level (minimum privilege level), so VXD Many APIs cannot be completed, such as port reading and writing, physical memory reading, interrupt call, API interception, etc. Because of this, VXD has a wide range of uses in Windows system programming. In fact, everyone generally encounters the problem that Windows API can't solve or solve, considering writing VXD solutions. The VXD that intercepted Windows 95/98 files here will be used to intercept all file operations for Windows 95/98 (Windows NT does not support VXD), then what is the use of this VXD? The biggest use may be - virus firewall, used to filter file operations, can perform dynamic virus detection and dynamic anti-virus. The principles used by this VXD and the principles of current popular CIH virus infections are basically the same. (In fact, if you want to ask me why I want to write such a vxd, that is because - I am a Virus version of the moderator)
The VXD file name is FileHook.vxd, the source program (Filehook.asm) is as follows:
Filehook.vxd - Blocking Windows 95/98 file VXD
.386P
.Xlist
Include vmm.inc
INCLUDE VWIN32.INC
INCLUDE shell.inc
MASM = 1
INCLUDE IFS.IC
INCLUDE IFSMGR.IC
.List
; Vxd declaration
DECLARE_VIRTUAL_DEVICE
Filehook, 1,0, vxd_control, undefined_device_id ,,,
Protection mode data segment
VXD_DATA_SEG
Prev_file_system_api_hook DD 0
IN_FILE_SYSTEM_API_HOOK DB 0
Message1 DB 'Open File!', 0
CAPTION1 DB 'FILEHOK', 0
VXD_DATA_ENDS
Protection mode code segment
VXD_CODE_SEG
System control process
BeginProc vxd_control
Control_dispatch sys_dynamic_Device_init, vxd_device_init
Control_dispatch sys_dynamic_device_exit, vxd_device_exit
Control_dispatch w32_deviceioControl, vxd_ioctlclc
RET
Endproc vxd_control
; IOCTL Control (Device I / O Control) Process
Beginproc vxd_ioctl
Get the Deviceiocontrol control code
MOV ECX, [ESI.DWIOCONTROLCODE]
CMP ECX, 1
JZ Install_File_System_API_HOOK
CMP ECX, 2
JZ Uninstall_File_System_API_HOOK
JMP vxd_ioctl_exit
Install file system API hook
Install_file_system_api_hook:
Mov Eax, Offset32 File_System_API_HOOK
VxdCall IFSMGR_INSTALLFILESYSTEMAPIHOK
OR EAX, EAX
JZ Error_Handler
Save the previous file system API hook address
MOV prev_file_system_api_hook, eax
JMP vxd_ioctl_exit
Remove the file system API hook
Uninstall_File_System_API_HOOK:
Mov Eax, Offset32 File_System_API_HOOK
Vxdcall IFSMGR_RemoveFileSystemapiHook
CMP EAX, 0FFFFFFFH
JZ Error_Handler
JMP vxd_ioctl_exit
; IOCTL control process
VXD_IOCTL_EXIT:
XOR EAX, EAX
CLC
RET
Error handling
Error_Handler:
MOV Eax, 0FFFFFFFH
STC
RET
Endproc vxd_ioctl
; Vxd_device_exit process
Beginproc vxd_device_exit
CLC
RET
Endproc vxd_device_exit
; File system API hook process (C language call mode)
BeginProc file_system_api_hook, ccall
Argvar fsdfnaddr, dword
Argvar FunctionNum, DWORD
Argvar Drive, DWORD
Argvar ResourceFlags, DWORD
Argvar CodePage, DWORD
Argvar Pir, DWORD
Enterproc
Pushhad
Prevent reward
CMP BYTE PTR IN_FILE_SYSTEM_API_HOOK, 00H
JNZ Prev_hook
; Is the comparison to open a file operation?
CMP DWORD PTR FUNCTIONNUM, IFSFN_OPEN
JNZ Prev_hook
Set the re-entry flag
INC BYTE PTR IN_FILE_SYSTEM_API_HOOK
Take the current VM handle
VMMCALL GET_CUR_VM_HANDLE
Show message box
MOV EAX, MB_ICONASTERISK MB_OK
Mov ECX, Offset32 Message1
Mov Edi, Offset32 CAPTION1
MOV ESI, 0
Mov EDX, 0
Vxdcall shell_message
Cancel the re-entry mark
Dec Byte PTR in_file_system_api_hook
Go to the previous file system API hook address
Prev_hook:
Popad
LeaveProc
MOV EAX, prev_file_system_api_hook
JMP [EAX]
Return
Endproc file_system_api_hook
VXD_CODE_ENDS
; Protection mode initialization code segment
Vxd_icode_seg; vxd_device_init process
Beginproc vxd_device_init
CLC
RET
Endproc vxd_device_init
VXD_ICODE_ENDS
end
The VXD processes three system control messages in the device control process (VXD_Control procedure), which are sys_dynamic_Device_init (dynamic VXD initialization), SYS_DYNAMIC_DEVICE_EXIT (Dynamic VXD Exit) and W32_Deviceiocontrol (Device I / O Control), the corresponding message processing process Is vxd_device_init, vxd_device_exit and vxd_ioctl. Where the vxd_device_init process and the vxd_device_exit process only clear the carry flag returns (successful), the vxd_iocTl process is the interface of Windows 95/98 application with VXD communication, complete the installation and removal of the file system API hook, [esi.dwiocontrolcode] Device I / O control code, the control code is 1 to install the file system API hook, transfer to the file system API hook. FILE_SYSTEM_API_HOOK is the file system API hook process, here as a simple instance, the hook process determines if it is open file operation, if so, display a simple message box, then jump to the previous file hook (equivalent to the old file system API Entrance). If the expansion function is required, you can add the code during this process. Compilation VXD requires a module definition file and a nmake file (manual assembly connection is of course). Both files can be directly modified with the module definition files in the generic instance in the DDK, the module definition file (FileHook.def) is as follows:
Vxd FileHook Dynamic
Description 'File System API Hook Program'
Segments
_LPText Class 'Lcode' Preload Nondiscardable
_LText Class 'Lcode' Preload Nondiscardable
_LData Class 'Lcode' Preload Nondiscardable
_Text Class 'Lcode' Preload Nondiscardable
_Data class 'lcode' preload nondiscardable
Const Class 'Lcode' Preload Nondiscardable
_TLS Class 'Lcode' Preload Nondiscardable
_BSS Class 'Lcode' Preload Nondiscardable
_LMSGTable Class 'Mcode' Preload Nondiscardable Iopl
_LMSGData Class 'Mcode' Preload Nondiscardable Iopl
_Imsgtable class 'Mcode' Preload Discardable Iopl
_Imsgdata class 'mcode' preloaded discardable Iopl_itext class 'icode' Discardable
_Idata class 'icode' Discardable
_PText Class 'Pcode' Nondiscardable
_Pmsgtable class 'Mcode' Nondiscardable Iopl
_PMSGData Class 'Mcode' Nondiscardable Iopl
_PDATA CLASS 'PDATA' Nondiscardable Shared
_SText Class 'Scode' ResIdent
_SDATA CLASS 'Scode' Resident
_DBOSTART CLAS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_16icode class '16icode' Preload Discardable
_Rcode Class 'Rcode'
Exports
Filehook_ddb @ 1
Nmake files (Makefile) are as follows:
iFDEF MASTER_MAKE
Build_bits = 32
Build_Type = Base
Include $ (ddkroot) /master.mk
! ENDIF
Name = filehook
#upply the location of a 16-bit linker
LINK =
# Definitions for the debug level
IFDEF Debug
Ddebug = -ddeblevel = 1 -ddebug
Else
Ddebug = -ddeblevel = 0
! ENDIF
# Definitions for Masm 6 Assembler
ASM = ml
AFLAGS = -Coff -dbld_coff -dis_32 -w2 -c -cx -zm -dmasm6 $ (DDEBUG)
Asmenv = ml
LFLAGS = / VXD / NOD
# MASM 6 Only Inference Rules
.asm.obj:
SET $ (Asmenv) = $ (AFLAGS)
$ (ASM) -FO $ *. Obj $
All: $ (Name) .vxd
Objs = filehook.obj
Filehook.obj: FileHOK.ASM
$ (Name) .vxd: $ (name) .def $ (OBJS)
LINK @ << $ (name) .lnk
$ (LFlags)
/Out: "(Name ).vxd
/MAP: $ (Name ).map
/Def: $ (Name ).def
$ (OBJS)
<<
Mapsym-S -O $ (Name) .ssym $ (name) .map
Clean:
- @ del * .obj
- @ del * .vxd
- @ del *.exp-@del * .lib
- @ del * .map
- @ del * .sym
With these two files, running NMAKE to assemble vxd.
Third, Windows 95/98 Application and VXD communication
Windows 95/98 Applications and VXD communication generally use the DeviceIocontrol function,
Here, an example source program (fHtest.c) is as follows:
// Intercept Windows 95/98 File Operation Test Program
#include
#include "tchar.h"
#define install_file_system_api_hook 1
#define uninstall_File_System_API_HOOK 2
Static tchar szappname [] = _ t ("fhtest");
Static tchar szapptitle [] = _ t ("Intercepting Windows 95/98 File Operation Test Program);
Static handle hdevice;
LResult Callback WndProc (HWND HWND, UINT MESSAGE, WPARAM
WPARAM, LPARAM LPARAM;
Int WinApi Winmain (Hinstance Hinstance, Hinstance
HPREVINSTANCE, LPSTR LPCMDLINE, INT NCMDSHOW)
{
Hwnd hwnd;
WNDCLASSEX WCEX;
MSG msg;
// This program cannot run in Windows NT
IF (getVersion () <0x80000000)
{
Messagebox (NULL, _T ("This program cannot run in Windows NT!
"), szapptitle, MB_ICONINFORMATION | MB_OK;
Return False;
}
IF (! hprevinstance)
{
Wcex.cbsize = sizeof (wndclassex);
WCEX.Style = CS_HREDRAW | CS_VREDRAW;
WCEX.LPFNWNDPROC = WNDPROC;
Wcex.cbclsextra = 0;
Wcex.cbWndextra = 0;
WCEX.HINSTANCE = HINSTANCE
WCEX.HICON = LOADICON (Hinstance, IDi_Application);
Wcex.hcursor = loadingcursor (null, idc_arrow);
Wcex.hbrbackground = (Hbrush) (Color_Window 1);
WCEX.LPSZMENUNAME = NULL;
WCEX.LPSZCLASSNAME = szAppname;
Wcex.hiconsm = loading; Hinstance, IDi_Application;
IF (! RegisterClassex (& WCEX)) Return False;
}
HWND = CREATEWINDOW (Szappname, SzappTitle, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
0,0, hinstance, null;
IF (! hwnd) Return False;
ShowWindow (HWND, NCMDSHOW);
UpdateWindow (HWND);
While (GetMessage (& MSG, 0,0,0))
{
TRANSLATEMESSAGE (& MSG); DispatchMessage (& MSG);
}
Return msg.wparam;
}
Lresult Callback WndProc (HWND HWND, UINT MESSAGE, WPARAM WPARAM, LPARAM LPARAM)
{
HDC HDC;
Paintstruct PS;
DWORD CB;
Bool Bresult;
Switch (Message)
{
Case WM_CREATE:
HDevice = CreateFile (".//filehook.vxd", 0, 0, null, 0, file_flag_delete_on_close, null;
IF (HDevice! = INVALID_HANDLE_VALUE)
{
BRESULT = DeviceioControl (HDevice, Install_File_System_API_HOK, NULL, 0, NULL, 0, & CB, 0);
IF (BRESULT) MessageBox (HWnd, "" file system API hook installation success! "), szapptitle, mb_iconinformation | mb_ok);
Else MessageBox (hwnd, _t ("Cannot install file system API hook!"), SZAPPTITLE, MB_ICONITION | MB_OK;
}
Else
{
Messagebox (hwnd, _t ("can't open Filehook.vxd!
"), szapptitle, MB_ICONINFORMATION | MB_OK;
}
Break;
Case WM_Paint:
HDC = BeginPaint (HWND, & PS);
Endpaint (hwnd, & ps);
Break;
Case WM_DESTROY:
IF (HDevice! = INVALID_HANDLE_VALUE)
{
BRESULT = DeviceioControl (HDevice, Uninstall_File_System_API_HOK, NULL, 0, NULL, 0, & CB, 0);
IF (BRESULT) MESSAGEBOX (HWND, _T ("File System API Hook Move
success! "), szapptitle, MB_ICONINFORMATION | MB_OK;
Else MessageBox (hwnd, _t ("cannot remove the file system API hook!
"), szapptitle, MB_ICONINFORMATION | MB_OK;
CloseHandle (HDEvice);
}
Else
{
Messagebox (hwnd, _t ("You can't open Filehook.VxD!"), SzappTitle, MB_ICONITION | MB_OK;
}
PostquitMessage (0);
Break;
DEFAULT:
Return DefWindowProc (Hwnd, Message, WPARAM, LPARAM);
}
Return 0;
}
This program uses the CreateFile function to dynamically load VXD, then send device I / O control code, install and remove file system API hooks to VXD with the DeviceIoControl function, and finally remove the VXD with the CloseHandle function. When running the program, if the file system API hook is installed successfully, the message box of "file system API hook installation is successful!", Then the "Open File!" Message box will be displayed as long as the open file operation is turned on. When exiting the program, if the file API hook is successfully removed, the message box that "file API hook removal is successful!" Will no longer display the message box when opening file operation. Fourth, small knot
The above instance demonstrates a complete way to intercept the VXD and Windows 95/98 applications for Windows 95/98 file system API and the VXD communication. This VXD can be used as a basic framework, which can be used for software such as virus firewalls. In fact, VXD's function is far more than this, and the features of VXD can be used to write many advanced applications that use APIs cannot be written. This tutorial is just a simple VXD programming example, because the author's level is limited, plus less time, simple writing, please forgive me, and welcome everyone to discuss. The VMM function, VXD function and API functions used in this tutorial are reviewed or help.