VXD programming entry tutorial

zhaozj2021-02-11  190

VxD programming introductory tutorial Author: TBsoft

First, Windows 95 DDK installation

Installing Windows 95 DDK Generally Need to install Win32 SDK first because Windows 95 DDK requires the 16-bit resource compiler of Win32 SDK, but Win32 SDK is large (a capacity of the entire disc), and it is difficult to buy, FTP station Less see, even if there is, download is also very difficult. After a period of exploration, I found several simple ways to install Windows 95 DDK, and the method is now introduced as follows:

One of the methods: use a third-party resource compiler

1. Modify the registry, simulate the case where Win32 SDK has been installed.

Establish a registry file called Win32SDK.REG, the content is:

Regedit4

[HKEY_USERS / .DEFAULT / Software / Microsoft / Win32SDK]

[HKEY_USERS / .DEFAULT / SOFTWARE / Microsoft / Win32SDK / DIRECTORIES]

"Install dir" = "c: // mstools"

Double-click this file in the Explorer to add the contents of this file to the registry. You can install Windows 95 DDK.

2. Run the setup.exe file in Windows 95 DDK, install Windows 95 DDK to C: / DDK.

3. Install MASM 6.11 to C: / MASM611. After the installation is complete, the files in the Masm611c directory in the un installed Windows 95 DDK are overwritten to C: / Masm611 / bin.

4, install Visual C 5.0 (4.0 can also, but should not use 6.0) to C: / Program Files / DevStudio / VC.

5. Establish a C: / MSTools / Binw16 directory, copy the resource compiler. Windows 95 DDK requires a resource compiler that can compile Win32 resource files into a 16-bit resource. If there is Win32 SDK, you can copy the files in the binw16 directory to C: / mstools / binw16. If there is no Win32 SDK, you can use a third-party resource compilation.

In order to use the resource compiler of Borland as an example:

Prepare Turbo Masm 5.0, unpacking the cmdline.pak file with UNPAK tools, find the following three files:

Brc.exe

Brcc32.exe

RW32Core.dll

Copy these three files to c: / mstools / binw16, and the brc.exe is named rc.exe.

6. Modify config.sys to increase environment variable space.

In the config.sys file, finally join the line:

Shell = C: /Windows/Command.com / E: 8192 / P

7, enter the Windows 95 MS-DOS mode, initialize the compilation environment (preferably create a batch file):

C: /masm611/binr/new-vars.bat

C: /ddk/ddkinit.bat 32 Base

(The compiled equipment driver is different, the parameters are different)

C: / program files / devstudio / vc / bin / vcvars32.bat

You can use Windows 95 DDK, the warning that appears when the connection can be used. 2: Use Windows 98 DDK full version of Windows 98 DDK (about 30m) including Windows 95 DDK, full SDK compiler, and MASM 6.11C assembler, installation method is very simple: Install Windows 98 DDK and Visual C 5.0, then directly Run "Check Build Environment" or "FREE Build Environment" program items can be enabled. Second, a VXD that intercepts Windows 95/98 file operation

VXD - virtual device driver, as the name suggests, vxd is used to control hardware devices, then why do you tell a VXD that intercepts Windows 95/98 files? In fact, VXD can not only control hardware devices, because VXD works on the 80386 protection mode RING 0 privilege level (highest privilege level), and the general application works on the Ring 3 privilege level (minimum privilege level), so VXD Many APIs cannot be completed, such as port reading and writing, physical memory reading, interrupt call, API interception, etc. Because of this, VXD has a wide range of uses in Windows system programming. In fact, everyone generally encounters the problem that Windows API can't solve or solve, considering writing VXD solutions. The VXD that intercepted Windows 95/98 files here will be used to intercept all file operations for Windows 95/98 (Windows NT does not support VXD), then what is the use of this VXD? The biggest use may be - virus firewall, used to filter file operations, can perform dynamic virus detection and dynamic anti-virus. The principles used by this VXD and the principles of current popular CIH virus infections are basically the same. (In fact, if you want to ask me why I want to write such a vxd, that is because - I am a Virus version of the moderator)

The VXD file name is FileHook.vxd, the source program (Filehook.asm) is as follows:

Filehook.vxd - Blocking Windows 95/98 file VXD

.386P

.Xlist

Include vmm.inc

INCLUDE VWIN32.INC

INCLUDE shell.inc

MASM = 1

INCLUDE IFS.IC

INCLUDE IFSMGR.IC

.List

; Vxd declaration

DECLARE_VIRTUAL_DEVICE

Filehook, 1,0, vxd_control, undefined_device_id ,,,

Protection mode data segment

VXD_DATA_SEG

Prev_file_system_api_hook DD 0

IN_FILE_SYSTEM_API_HOOK DB 0

Message1 DB 'Open File!', 0

CAPTION1 DB 'FILEHOK', 0

VXD_DATA_ENDS

Protection mode code segment

VXD_CODE_SEG

System control process

BeginProc vxd_control

Control_dispatch sys_dynamic_Device_init, vxd_device_init

Control_dispatch sys_dynamic_device_exit, vxd_device_exit

Control_dispatch w32_deviceioControl, vxd_ioctlclc

RET

Endproc vxd_control

; IOCTL Control (Device I / O Control) Process

Beginproc vxd_ioctl

Get the Deviceiocontrol control code

MOV ECX, [ESI.DWIOCONTROLCODE]

CMP ECX, 1

JZ Install_File_System_API_HOOK

CMP ECX, 2

JZ Uninstall_File_System_API_HOOK

JMP vxd_ioctl_exit

Install file system API hook

Install_file_system_api_hook:

Mov Eax, Offset32 File_System_API_HOOK

VxdCall IFSMGR_INSTALLFILESYSTEMAPIHOK

OR EAX, EAX

JZ Error_Handler

Save the previous file system API hook address

MOV prev_file_system_api_hook, eax

JMP vxd_ioctl_exit

Remove the file system API hook

Uninstall_File_System_API_HOOK:

Mov Eax, Offset32 File_System_API_HOOK

Vxdcall IFSMGR_RemoveFileSystemapiHook

CMP EAX, 0FFFFFFFH

JZ Error_Handler

JMP vxd_ioctl_exit

; IOCTL control process

VXD_IOCTL_EXIT:

XOR EAX, EAX

CLC

RET

Error handling

Error_Handler:

MOV Eax, 0FFFFFFFH

STC

RET

Endproc vxd_ioctl

; Vxd_device_exit process

Beginproc vxd_device_exit

CLC

RET

Endproc vxd_device_exit

; File system API hook process (C language call mode)

BeginProc file_system_api_hook, ccall

Argvar fsdfnaddr, dword

Argvar FunctionNum, DWORD

Argvar Drive, DWORD

Argvar ResourceFlags, DWORD

Argvar CodePage, DWORD

Argvar Pir, DWORD

Enterproc

Pushhad

Prevent reward

CMP BYTE PTR IN_FILE_SYSTEM_API_HOOK, 00H

JNZ Prev_hook

; Is the comparison to open a file operation?

CMP DWORD PTR FUNCTIONNUM, IFSFN_OPEN

JNZ Prev_hook

Set the re-entry flag

INC BYTE PTR IN_FILE_SYSTEM_API_HOOK

Take the current VM handle

VMMCALL GET_CUR_VM_HANDLE

Show message box

MOV EAX, MB_ICONASTERISK MB_OK

Mov ECX, Offset32 Message1

Mov Edi, Offset32 CAPTION1

MOV ESI, 0

Mov EDX, 0

Vxdcall shell_message

Cancel the re-entry mark

Dec Byte PTR in_file_system_api_hook

Go to the previous file system API hook address

Prev_hook:

Popad

LeaveProc

MOV EAX, prev_file_system_api_hook

JMP [EAX]

Return

Endproc file_system_api_hook

VXD_CODE_ENDS

; Protection mode initialization code segment

Vxd_icode_seg; vxd_device_init process

Beginproc vxd_device_init

CLC

RET

Endproc vxd_device_init

VXD_ICODE_ENDS

end

The VXD processes three system control messages in the device control process (VXD_Control procedure), which are sys_dynamic_Device_init (dynamic VXD initialization), SYS_DYNAMIC_DEVICE_EXIT (Dynamic VXD Exit) and W32_Deviceiocontrol (Device I / O Control), the corresponding message processing process Is vxd_device_init, vxd_device_exit and vxd_ioctl. Where the vxd_device_init process and the vxd_device_exit process only clear the carry flag returns (successful), the vxd_iocTl process is the interface of Windows 95/98 application with VXD communication, complete the installation and removal of the file system API hook, [esi.dwiocontrolcode] Device I / O control code, the control code is 1 to install the file system API hook, transfer to the file system API hook. FILE_SYSTEM_API_HOOK is the file system API hook process, here as a simple instance, the hook process determines if it is open file operation, if so, display a simple message box, then jump to the previous file hook (equivalent to the old file system API Entrance). If the expansion function is required, you can add the code during this process. Compilation VXD requires a module definition file and a nmake file (manual assembly connection is of course). Both files can be directly modified with the module definition files in the generic instance in the DDK, the module definition file (FileHook.def) is as follows:

Vxd FileHook Dynamic

Description 'File System API Hook Program'

Segments

_LPText Class 'Lcode' Preload Nondiscardable

_LText Class 'Lcode' Preload Nondiscardable

_LData Class 'Lcode' Preload Nondiscardable

_Text Class 'Lcode' Preload Nondiscardable

_Data class 'lcode' preload nondiscardable

Const Class 'Lcode' Preload Nondiscardable

_TLS Class 'Lcode' Preload Nondiscardable

_BSS Class 'Lcode' Preload Nondiscardable

_LMSGTable Class 'Mcode' Preload Nondiscardable Iopl

_LMSGData Class 'Mcode' Preload Nondiscardable Iopl

_Imsgtable class 'Mcode' Preload Discardable Iopl

_Imsgdata class 'mcode' preloaded discardable Iopl_itext class 'icode' Discardable

_Idata class 'icode' Discardable

_PText Class 'Pcode' Nondiscardable

_Pmsgtable class 'Mcode' Nondiscardable Iopl

_PMSGData Class 'Mcode' Nondiscardable Iopl

_PDATA CLASS 'PDATA' Nondiscardable Shared

_SText Class 'Scode' ResIdent

_SDATA CLASS 'Scode' Resident

_DBOSTART CLAS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING

_DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING

_DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING

_16icode class '16icode' Preload Discardable

_Rcode Class 'Rcode'

Exports

Filehook_ddb @ 1

Nmake files (Makefile) are as follows:

iFDEF MASTER_MAKE

Build_bits = 32

Build_Type = Base

Include $ (ddkroot) /master.mk

! ENDIF

Name = filehook

#upply the location of a 16-bit linker

LINK =

# Definitions for the debug level

IFDEF Debug

Ddebug = -ddeblevel = 1 -ddebug

Else

Ddebug = -ddeblevel = 0

! ENDIF

# Definitions for Masm 6 Assembler

ASM = ml

AFLAGS = -Coff -dbld_coff -dis_32 -w2 -c -cx -zm -dmasm6 $ (DDEBUG)

Asmenv = ml

LFLAGS = / VXD / NOD

# MASM 6 Only Inference Rules

.asm.obj:

SET $ (Asmenv) = $ (AFLAGS)

$ (ASM) -FO $ *. Obj $

All: $ (Name) .vxd

Objs = filehook.obj

Filehook.obj: FileHOK.ASM

$ (Name) .vxd: $ (name) .def $ (OBJS)

LINK @ << $ (name) .lnk

$ (LFlags)

/Out: "(Name ).vxd

/MAP: $ (Name ).map

/Def: $ (Name ).def

$ (OBJS)

<<

Mapsym-S -O $ (Name) .ssym $ (name) .map

Clean:

- @ del * .obj

- @ del * .vxd

- @ del *.exp-@del * .lib

- @ del * .map

- @ del * .sym

With these two files, running NMAKE to assemble vxd.

Third, Windows 95/98 Application and VXD communication

Windows 95/98 Applications and VXD communication generally use the DeviceIocontrol function,

Here, an example source program (fHtest.c) is as follows:

// Intercept Windows 95/98 File Operation Test Program

#include

#include "tchar.h"

#define install_file_system_api_hook 1

#define uninstall_File_System_API_HOOK 2

Static tchar szappname [] = _ t ("fhtest");

Static tchar szapptitle [] = _ t ("Intercepting Windows 95/98 File Operation Test Program);

Static handle hdevice;

LResult Callback WndProc (HWND HWND, UINT MESSAGE, WPARAM

WPARAM, LPARAM LPARAM;

Int WinApi Winmain (Hinstance Hinstance, Hinstance

HPREVINSTANCE, LPSTR LPCMDLINE, INT NCMDSHOW)

{

Hwnd hwnd;

WNDCLASSEX WCEX;

MSG msg;

// This program cannot run in Windows NT

IF (getVersion () <0x80000000)

{

Messagebox (NULL, _T ("This program cannot run in Windows NT!

"), szapptitle, MB_ICONINFORMATION | MB_OK;

Return False;

}

IF (! hprevinstance)

{

Wcex.cbsize = sizeof (wndclassex);

WCEX.Style = CS_HREDRAW | CS_VREDRAW;

WCEX.LPFNWNDPROC = WNDPROC;

Wcex.cbclsextra = 0;

Wcex.cbWndextra = 0;

WCEX.HINSTANCE = HINSTANCE

WCEX.HICON = LOADICON (Hinstance, IDi_Application);

Wcex.hcursor = loadingcursor (null, idc_arrow);

Wcex.hbrbackground = (Hbrush) (Color_Window 1);

WCEX.LPSZMENUNAME = NULL;

WCEX.LPSZCLASSNAME = szAppname;

Wcex.hiconsm = loading; Hinstance, IDi_Application;

IF (! RegisterClassex (& WCEX)) Return False;

}

HWND = CREATEWINDOW (Szappname, SzappTitle, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,

0,0, hinstance, null;

IF (! hwnd) Return False;

ShowWindow (HWND, NCMDSHOW);

UpdateWindow (HWND);

While (GetMessage (& MSG, 0,0,0))

{

TRANSLATEMESSAGE (& MSG); DispatchMessage (& MSG);

}

Return msg.wparam;

}

Lresult Callback WndProc (HWND HWND, UINT MESSAGE, WPARAM WPARAM, LPARAM LPARAM)

{

HDC HDC;

Paintstruct PS;

DWORD CB;

Bool Bresult;

Switch (Message)

{

Case WM_CREATE:

HDevice = CreateFile (".//filehook.vxd", 0, 0, null, 0, file_flag_delete_on_close, null;

IF (HDevice! = INVALID_HANDLE_VALUE)

{

BRESULT = DeviceioControl (HDevice, Install_File_System_API_HOK, NULL, 0, NULL, 0, & CB, 0);

IF (BRESULT) MessageBox (HWnd, "" file system API hook installation success! "), szapptitle, mb_iconinformation | mb_ok);

Else MessageBox (hwnd, _t ("Cannot install file system API hook!"), SZAPPTITLE, MB_ICONITION | MB_OK;

}

Else

{

Messagebox (hwnd, _t ("can't open Filehook.vxd!

"), szapptitle, MB_ICONINFORMATION | MB_OK;

}

Break;

Case WM_Paint:

HDC = BeginPaint (HWND, & PS);

Endpaint (hwnd, & ps);

Break;

Case WM_DESTROY:

IF (HDevice! = INVALID_HANDLE_VALUE)

{

BRESULT = DeviceioControl (HDevice, Uninstall_File_System_API_HOK, NULL, 0, NULL, 0, & CB, 0);

IF (BRESULT) MESSAGEBOX (HWND, _T ("File System API Hook Move

success! "), szapptitle, MB_ICONINFORMATION | MB_OK;

Else MessageBox (hwnd, _t ("cannot remove the file system API hook!

"), szapptitle, MB_ICONINFORMATION | MB_OK;

CloseHandle (HDEvice);

}

Else

{

Messagebox (hwnd, _t ("You can't open Filehook.VxD!"), SzappTitle, MB_ICONITION | MB_OK;

}

PostquitMessage (0);

Break;

DEFAULT:

Return DefWindowProc (Hwnd, Message, WPARAM, LPARAM);

}

Return 0;

}

This program uses the CreateFile function to dynamically load VXD, then send device I / O control code, install and remove file system API hooks to VXD with the DeviceIoControl function, and finally remove the VXD with the CloseHandle function. When running the program, if the file system API hook is installed successfully, the message box of "file system API hook installation is successful!", Then the "Open File!" Message box will be displayed as long as the open file operation is turned on. When exiting the program, if the file API hook is successfully removed, the message box that "file API hook removal is successful!" Will no longer display the message box when opening file operation. Fourth, small knot

The above instance demonstrates a complete way to intercept the VXD and Windows 95/98 applications for Windows 95/98 file system API and the VXD communication. This VXD can be used as a basic framework, which can be used for software such as virus firewalls. In fact, VXD's function is far more than this, and the features of VXD can be used to write many advanced applications that use APIs cannot be written. This tutorial is just a simple VXD programming example, because the author's level is limited, plus less time, simple writing, please forgive me, and welcome everyone to discuss. The VMM function, VXD function and API functions used in this tutorial are reviewed or help.

转载请注明原文地址:https://www.9cbs.com/read-3877.html

New Post(0)