📄 vxd-e6.html

📁 汇编语言编写的虚拟驱动程序
💻 HTML
📖 第 1 页 / 共 3 页
字号:
上一页 1 23
mov edi,[esi].lpvInBuffer</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;-----------------------------------</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
; copy the message title to buffer</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;-----------------------------------</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _lstrlen, &lt;[edi]></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapAllocate,&lt;eax,HEAPZEROINIT></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov pTitle,eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _lstrcpyn,&lt;pTitle,[edi],eax></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;-----------------------------------</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
; copy the message text to buffer</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;-----------------------------------</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _lstrlen, &lt;[edi+4]></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapAllocate,&lt;eax,HEAPZEROINIT></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov pMessage,eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _lstrcpyn,&lt;pMessage,[edi+4],eax></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edi,pTitle</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ecx,pMessage</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax,MB_OK</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall Get_Sys_VM_Handle</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VxDCall SHELL_sysmodal_Message</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapFree,pTitle,0</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapFree,pMessage,0</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
xor eax,eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; .endif</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; ret</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>EndProc OnDeviceIoControl</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>VxD_PAGEABLE_CODE_ENDS</font></font></b>
<p><b><font face="Arial,Helvetica"><font size=-1>end</font></font></b></blockquote>

<h3>
<font face="Arial,Helvetica"><font color="#66FFFF"><font size=+0>Analysis:</font></font></font></h3>
<font face="Arial,Helvetica"><font size=-1>We start from VxDLoader.asm.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;
invoke CreateFile,addr VxDName,0,0,0,0,FILE_FLAG_DELETE_ON_CLOSE,0</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; .if
eax!=INVALID_HANDLE_VALUE</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov hVxD,eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
....</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; .else</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke MessageBox,NULL,addr Failure,NULL,MB_OK+MB_ICONERROR</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; .endif</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>We call CreateFile to load the
dynamic VxD. Note <b><font color="#FFFF99">FILE_FLAG_DELETE_ON_CLOSE</font></b>
flag. This flag instructs Windows to unload the VxD when the VxD handle
returned from CreateFile is closed. If CreateFile is successful, we store
the VxD handle for future use.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke MessageBox,NULL,addr Success,addr AppName,MB_OK+MB_ICONINFORMATION</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke DeviceIoControl,hVxD,1,addr InBuffer,8,NULL,NULL,NULL,NULL</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke CloseHandle,hVxD</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
invoke MessageBox,NULL,addr Unload,addr AppName,MB_OK+MB_ICONINFORMATION</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>The program displays a message
box when the VxD is loaded/unloaded. It calls <b><font color="#FFFF99">DeviceIoControl</font></b>
with <b><font color="#FFFF99">dwIoControlCode</font></b> 1 and passes the
address of <b><font color="#FFFF99">InBuffer </font></b>in<b><font color="#FFFF99">
lpInBuffer</font></b> parameter, and the size of <b><font color="#FFFF99">InBuffer</font></b>
(8) in <b><font color="#FFFF99">nInBufferSize</font></b>. InBuffer is a
dword array of two elements: each element is the address of a text string.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;
MsgTitle db "DeviceIoControl Example",0</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; MsgText
db "I'm called from a VxD!",0</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; InBuffer
dd offset MsgTitle</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dd offset MsgText</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>Now we turn our attention to
the VxD.</font></font>
<br><font face="Arial,Helvetica"><font size=-1>It processes only <b><font color="#FFFF99">w32_deviceIoControl
</font></b>message.
When<b><font color="#FFFF99"> w32_deviceIoControl</font></b> message is
sent, <b><font color="#FFFF99">OnDeviceIoControl</font></b> procedure is
called.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>BeginProc OnDeviceIoControl</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; assume
esi:ptr DIOCParams</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp; .if
[esi].dwIoControlCode==DIOC_Open</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
xor eax,eax</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>OnDeviceIoControl processes
DIOC_Open code by returning 0 in eax.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;
.elseif [esi].dwIoControlCode==1</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edi,[esi].lpvInBuffer</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>It also processes control code
1. The first thing it does is to extract the data in lpvInBuffer which
are the two dwords passed in lpInBuffer of DeviceIoControl API. It puts
the address to the dword array into edi for extraction. The first dword
is the address of the text to be used as the message box title. The second
dword is the address of the text to be used as the message box text.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;-----------------------------------</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
; copy the message title to buffer</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;-----------------------------------</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _lstrlen, &lt;[edi]></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapAllocate,&lt;eax,HEAPZEROINIT></font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov pTitle,eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop eax</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _lstrcpyn,&lt;pTitle,[edi],eax></font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>It calculates the length of
the message box title by calling VMM service<b><font color="#FFFF99"> _lstrlen</font></b>.
The value in eax returned by <b><font color="#FFFF99">_lstrlen </font></b>is
the length of the string. We increase the length by 1 to take into account
the terminating NULL. Next we allocate a block of memory large enough to
hold the string with its terminating NULL by calling <b><font color="#FFFF99">_HeapAllocate</font></b>.
<b><font color="#FFFF99">HEAPZEROINIT
</font></b>flag
instructs <b><font color="#FFFF99">_HeapAllocate</font></b> to zero out
the memory block. <b><font color="#FFFF99">_HeapAllocate</font></b> returns
the address of the memory block in eax. We then copy the string from the
address space of the win32 app into the memory block we allocated. We do
the same operation on the text string that we will use as the message box
text.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edi,pTitle</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ecx,pMessage</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax,MB_OK</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall Get_Sys_VM_Handle</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VxDCall SHELL_sysmodal_Message</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>We store the addresses of the
title and message into edi and ecx, respectively. Put the desired flag
into eax, obtain the VM handle of the system VM by calling <b><font color="#FFFF99">Get_Sys_VM_handle</font></b>
and then call <b><font color="#FFFF99">SHELL_Sysmodal_Message</font></b>.
<b><font color="#FFFF99">SHELL_SysModal_Message</font></b>
is the system modal version of <b><font color="#FFFF99">SHELL_Message</font></b>.
It freezes the system until the user responds to the message box.</font></font>
<blockquote><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapFree,pTitle,0</font></font></b>
<br><b><font face="Arial,Helvetica"><font size=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
VMMCall _HeapFree,pMessage,0</font></font></b></blockquote>
<font face="Arial,Helvetica"><font size=-1>When <b><font color="#FFFF99">SHELL_Sysmodal_Message</font></b>
returns, we can free the memory blocks by calling <b><font color="#FFFF99">_HeapFree</font></b>.</font></font>
<h3>
<font face="Arial,Helvetica"><font color="#66FFFF"><font size=+0>Conclusion</font></font></font></h3>
<font face="Arial,Helvetica"><font size=-1>DeviceIoControl interface makes
it ideal to use a dynamic VxD as a ring-0 DLL extension to your win32 application.</font></font>
<br>
<hr WIDTH="100%">
<center><b><font face="Arial,Helvetica"><font size=-1>[<a href="http://win32asm.cjb.net">Iczelion's
Win32 Assembly Homepage</a>]</font></font></b></center>

</body>
</html>
上一页 1 23
💿 文件大小 99 K
👤 上传用户 simoncxl
📂 所属分类驱动编程
🏷️ 相关标签

#汇编语言 #编写 #虚拟 #驱动程序
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -