VxD programming introductory tutorial Author: TBsoft
-------------------------------------------------- ------------------------------
First, Windows 95 DDK installation
Installing Windows 95 DDK Generally Need to install Win32 SDK first because Windows 95 DDK requires the 16-bit resource compiler of Win32 SDK, but Win32 SDK is large (a capacity of the entire disc), and it is difficult to buy, FTP station Less see, even if there is, download is also very difficult. After a period of exploration, the author found several simple methods to install Windows 95 DDK, and the method is now described below: Method: Use the Third Party Resource Compiler 1, modify the registry, simulation Win32 SDK installed. Establish a registry file called Win32SDK.REG, the content is:
Regedit4
[HKEY_USERS / .DEFAULT / Software / Microsoft / Win32SDK]
[HKEY_USERS / .DEFAULT / SOFTWARE / Microsoft / Win32SDK / Directories] "Install Dir" = "C: // MStools"
Double-click this file in the Explorer to add the contents of this file to the registry. You can install Windows 95 DDK. 2. Run the setup.exe file in Windows 95 DDK, install Windows 95 DDK to C: / DDK. 3. Install MASM 6.11 to C: / MASM611. After the installation is complete, the files in the Masm611c directory in the un installed Windows 95 DDK are overwritten to C: / Masm611 / bin. 4, install Visual C 5.0 (4.0 can also, but should not use 6.0) to C: / Program Files / DevStudio / VC. 5. Establish a C: / MSTools / Binw16 directory, copy the resource compiler. Windows 95 DDK requires a resource compiler that can compile Win32 resource files into a 16-bit resource. If there is Win32 SDK, you can copy the files in the binw16 directory to C: / mstools / binw16. If there is no Win32 SDK, you can use a third-party resource compiler, here to use Borland's resource compiler as an example: prepare Turbo Masm 5.0, use the UNPAK tool to unpack the cmdline.pak file, find the following three files:
Brc.exebrcc32.exerw32core.dll
Copy these three files to c: / mstools / binw16, and the brc.exe is named rc.exe. 6. Modify config.sys to increase environment variable space. In the config.sys file, finally join the line:
Shell = C: /Windows/Command.com / E: 8192 / P
7, enter the Windows 95 MS-DOS mode, initialize the compilation environment (preferably create a batch file):
C: /masm611/binr/new-vars.batc: /ddk/ddkinit.bat 32 Base (Different parameters) C: / Program files / devrs32.bat
You can use Windows 95 DDK, the warning that appears when the connection can be used. 2: Use Windows 98 DDK full version of Windows 98 DDK (about 30m) including Windows 95 DDK, full SDK compiler, and MASM 6.11C assembler, installation method is very simple: Install Windows 98 DDK and Visual C 5.0, then directly Run "Check Build Environment" or "FREE Build Environment" program items can be enabled. Second, a VXD that intercepts Windows 95/98 file operation
VXD - virtual device driver, as the name suggests, vxd is used to control hardware devices, then why do you tell a VXD that intercepts Windows 95/98 files? In fact, VXD can not only control hardware devices, because VXD works on the 80386 protection mode RING 0 privilege level (highest privilege level), and the general application works on the Ring 3 privilege level (minimum privilege level), so VXD Many APIs cannot be completed, such as port reading and writing, physical memory reading, interrupt call, API interception, etc. Because of this, VXD has a wide range of uses in Windows system programming. In fact, everyone generally encounters the problem that Windows API can't solve or solve, considering writing VXD solutions. The VXD that intercepted Windows 95/98 files here will be used to intercept all file operations for Windows 95/98 (Windows NT does not support VXD), then what is the use of this VXD? The biggest use may be - virus firewall, used to filter file operations, can perform dynamic virus detection and dynamic anti-virus. The principles used by this VXD and the principles of current popular CIH virus infections are basically the same. (In fact, if you want to ask me why I want to write such a vxd, that is because - I am a Virus version of the moderator) The file name of the VXD is FileHook.VXD, the source program (Filehook.asm) is as follows:
Filehook.vxd - Blocking Windows 95/98 file VXD
.386P
.Xlist
INCLUDE VMM.INCINCINCLUDE VWIN32.INCINCINCLUDE shell.inc
MASM = 1
INCLUDE IFS.INCINCLUDE IFSMGR.INC
.List
; Vxd declaration
Declare_virtual_device filehook, 1,0, vxd_control, undefined_device_id ,,,
Protection mode data segment
VXD_DATA_SEGPREV_FILE_SYSTEM_API_HOOK DD 0IN_FILE_SYSTEM_API_HOOK DB 0MESSAGE1 DB 'OPEN FILE!', 0CAPTION1 DB 'FILEHOOK', 0VXD_DATA_ENDS
Protection mode code segment
VXD_CODE_SEG
System control process
BeginProc VxD_ControlControl_Dispatch SYS_DYNAMIC_DEVICE_INIT, VxD_Device_InitControl_Dispatch SYS_DYNAMIC_DEVICE_EXIT, VxD_Device_ExitControl_Dispatch W32_DEVICEIOCONTROL, VxD_IOCTLclcretEndProc VxD_Control; IOCTL control (device I / O control) process
BeginProc VxD_IOCTL; DeviceIoControl obtaining control code mov ecx, [esi.dwIoControlCode] cmp ecx, 1jz Install_File_System_Api_Hookcmp ecx, 2jz Uninstall_File_System_Api_Hookjmp VxD_IOCTL_Exit
Install file system API hook
Install_File_System_Api_Hook: mov eax, OFFSET32 File_System_Api_HookVxDCall IFSMgr_InstallFileSystemApiHook or eax, eaxjz Error_Handler; saved on a file system API hooks address mov Prev_File_System_Api_Hook, eaxjmp VxD_IOCTL_Exit
Remove the file system API hook
Uninstall_file_system_api_hook: MOV Eax, Offset32 File_System_API_HOOKVXDCALL IFSMGR_REMOVEFILESYSTEMAPIHOK CMP EAX, 0FFFFFFFHJZ Error_Handlerjmp vxd_ioctl_exit
; IOCTL control process
Vxd_ioctl_exit: xor eax, EaxClcret
Error handling
Error_Handler: MOV EAX, 0FFFFFFFHSTCRETENDPROC VXD_IOCTL
; Vxd_device_exit process
BeginProc vxd_device_exitclcretendproc vxd_device_exit
; File system API hook process (C language call mode)
BeginProc File_System_Api_Hook, CCALLArgVar FSDFnAddr, DWORDArgVar FunctionNum, DWORDArgVar Drive, DWORDArgVar ResourceFlags, DWORDArgVar CodePage, DWORDArgVar pir, DWORDEnterProcpushad; to prevent the re-entry cmp byte ptr In_File_System_Api_Hook, 00hjnz Prev_Hook; relatively open file operation it? cmp dword ptr FunctionNum, IFSFN_OPENjnz Prev_Hook; provided reentry flag inc byte ptr In_File_System_Api_Hook; get current VM handles VMMCall Get_Cur_VM_Handle; displays a message box mov eax, MB_ICONASTERISK MB_OKmov ecx, OFFSET32 Message1mov edi, OFFSET32 Caption1mov esi, 0mov edx, 0VxDCall Shell_Message; Cancel Reversing flag dec Byte PTR in_file_system_api_hook
Go to the previous file system API hook address
Prev_hook: PopadleaveProcmov Eax, prev_file_system_api_hookjmp [eax] ReturnendProc File_System_API_HOOK
VXD_CODE_ENDS
; Protection mode initialization code segment
Vxd_icode_seg; vxd_device_init process
BeginProc vxd_device_initclcretendproc vxd_device_init
VXD_ICODE_ENDS
end
The VXD processes three system control messages in the device control process (VXD_Control procedure), which are sys_dynamic_Device_init (dynamic VXD initialization), SYS_DYNAMIC_DEVICE_EXIT (Dynamic VXD Exit) and W32_Deviceiocontrol (Device I / O Control), the corresponding message processing process Is vxd_device_init, vxd_device_exit and vxd_ioctl. Where the vxd_device_init process and the vxd_device_exit process only clear the carry flag returns (successful), the vxd_iocTl process is the interface of Windows 95/98 application with VXD communication, complete the installation and removal of the file system API hook, [esi.dwiocontrolcode] Device I / O control code, the control code is 1 to install the file system API hook, transfer to the file system API hook. FILE_SYSTEM_API_HOOK is the file system API hook process, here as a simple instance, the hook process determines if it is open file operation, if so, display a simple message box, then jump to the previous file hook (equivalent to the old file system API Entrance). If the expansion function is required, you can add the code during this process. Compilation VXD requires a module definition file and a nmake file (manual assembly connection is of course). Both files can be directly modified with the module definition files in the generic instance in the DDK, the module definition file (FileHook.def) is as follows:
Vxd FileHook Dynamic
Description 'File System API Hook Program'
SEGMENTS _LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE _TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE _DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE _TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE _BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE _LMSGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL _LMSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL _IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL _IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL _ITEXT CLASS 'ICODE' DISCARDABLE _IDATA CLASS 'ICODE' DISCARDABLE _PTEXT CLASS 'PCODE' NONDISCARDABLE _PMSGTABLE CLASS 'MCODE' NONDISCARDABLE IOPL _PMSGDATA CLASS 'MCODE' NONDISCARDABLE IOPL _PDATA CLASS 'PDATA' NONDISCARDABLE SHARED _STEXT CLASS 'SCODE' RESIDENT _SDATA CLASS 'SCODE' RESIDENT _DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING _DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING _DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING _16ICODE CLASS '16ICODE' PRELOAD DISCARDABLE _RCODE CLASS 'RCODE'EXPORTS FILEHOOK_DDB @ 1
Nmake files (Makefile) are as follows:
ingdef master_makebuild_bits = 32build_type = base! Include $ (ddkroot) /master.mk !ndif
Name = filehook
#upply the location of a 16-bit linker
Link = # definitions for the debug level
ingdef debugddebug = -ddeblevel = 1 -ddebug! Elseddebug = -ddeblevel = 0! Endif
# Definitions for Masm 6 Assembler
ASM = mlaflags = -coff -dbld_coff -dis_32 -w2 -c -cx -zm -dmasm6 $ (ddebug) Asmenv = mllflags = / vxd / nod
# MASM 6 Only Inference Rules
.asm.Obj: Set $ (Asmenv) = $ (AFLAGS) $ (ASM) -fo $ *. Obj $
All: $ (Name) .vxd
Objs = filehook.obj
Filehook.obj: FileHOK.ASM
$ (Name) .vxd: $ (name) .def $ (objs) link @ << $ (name) .lnk $ (lflags) /out: "(Name ).vxd/map:1 (Name ).map/ DEF: $ (Name). DEF $ (OBJS) << Mapsym -s -o $ (Name) .ssym $ (name) .map
Clean: - @ del *.obj-@del *.vxd-@del *.exp-@del *.lib-@del *.map-@del * .sym
With these two files, running NMAKE to assemble vxd.
Third, Windows 95/98 Application and VXD communication
Windows 95/98 Applications and VXD communication generally use the DeviceIocontrol function, here gives an instance source program (fHtest.c) as follows:
// Intercept Windows 95/98 File Operation Test Program
#include #include "tchar.h"
#define install_file_system_api_hook 1 # define uninstall_file_system_api_hook 2
Static tchar szappname [] = _ t ("fhtest"); static tchar szapptitle [] = _ t ("Intercepting Windows 95/98 File Operation Test Program); Static Handle Hdevice;
LResult Callback WndProc (HWND HWND, UINT MESSAGE, WPARAM WPARAM, LPARAM LPARAM);
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {HWND hWnd; WNDCLASSEX wcex; MSG Msg; // This procedure can not be run on Windows NT, if (GetVersion () <0x80000000) {MessageBox (NULL, _T ("This program cannot run in Windows NT!"), SzappTitle, MB_ICONITIONFORMATION | MB_OK; RETURN FALSE;} if (! Hprevinstance) {wcex.cbsize = sizeof (WNDCLASSEX); wcex.style = cs_hredraw | cs_vredraw; wcex. lpfnWndProc = WndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = 0; wcex.hInstance = hInstance; wcex.hIcon = LoadIcon (hInstance, IDI_APPLICATION); wcex.hCursor = LoadCursor (NULL, IDC_ARROW); wcex.hbrBackground = (HBRUSH ) (COLOR_WINDOW 1); wcex.lpszMenuName = NULL; wcex.lpszClassName = szAppName; wcex.hIconSm = LoadIcon (hInstance, IDI_APPLICATION);! if (RegisterClassEx (& wcex)) return FALSE;} hWnd = CreateWindow (szAppName, szAppTitle, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, 0,0, hInstance, NULL);! if (hWnd) return FALSE; ShowWindow (hWnd, nCmdShow); UpdateWindow (hWnd); while (GetMessage (& Msg, 0,0,0 )) {TranslateMessag e (& Msg); DispatchMessage (& Msg);} return Msg.wParam;} LRESULT CALLBACK WndProc (HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam) {HDC hDC; PAINTSTRUCT ps; DWORD cb; BOOL bResult; switch (Message) {CASE WM_CREATE:
hDevice = CreateFile ( ".// FILEHOOK.VXD", 0,0, NULL, 0, FILE_FLAG_DELETE_ON_CLOSE, NULL); if (hDevice = INVALID_HANDLE_VALUE!) {bResult = DeviceIoControl (hDevice, INSTALL_FILE_SYSTEM_API_HOOK, NULL, 0, NULL, 0, & cb, 0); if (BRESULT) MessageBox (Hwnd, _T ("file system API hook installation success!"), szapptitle, mb_iconinformation | mb_ok); Else MessageBox (hwnd, _t ("You can't install file system API hook!") , szAppTitle, MB_ICONINFORMATION | MB_OK);} else {MessageBox (hWnd, _T ( "can not open FILEHOOK.VXD!"), szAppTitle, MB_ICONINFORMATION | MB_OK);} break; case WM_PAINT: hDC = BeginPaint (hWnd, & ps); EndPaint (hWnd, & ps); break; case WM_DESTROY: (! hDevice = INVALID_HANDLE_VALUE) if {bResult = DeviceIoControl (hDevice, UNINSTALL_FILE_SYSTEM_API_HOOK, NULL, 0, NULL, 0, & cb, 0); if (bResult) MessageBox (hWnd, _T ( "File system API hook removal!"), SzappTitle, MB_ICONInInInformation | MB_OK; Else MessageBox (hwnd, _t ("Cannot remove file system API hook!"), SzappTitle, MB_ICONITION | MB_OK); CloseHandle (HDEvice); } Else {MessageBox (hwnd, _t ("You can't open Filehook.vxd!"), SzappTitle, MB_ICONITION | MB_OK);} PostquitMessage (0) Break; Default: Return DEFAULT: RETURN DEFWINDOWPROC (HWND, Message, WPARAM, LPARAM);} Return 0;} This program uses the createfile function to dynamically load VXD, then send device I / O control code to VXD with the DeviceIocontrol function, install and remove files System API hook, finally removes VXD with a CloseHandle function. When running the program, if the file system API hook is installed successfully, the message box of "file system API hook installation is successful!", Then the "Open File!" Message box will be displayed as long as the open file operation is turned on. When exiting the program, if the file API hook is successfully removed, the message box that "file API hook removal is successful!" Will no longer display the message box when opening file operation.
Fourth, small knot
