Microsoft (R) Macro Assembler Version 6.11d 04/29/01 18:30:51
VXDMHLP - VXDMHLP VxD Page 1 - 1
;****************************************************************************
; *
; VXDMHLP *
; *
; Copyright (c) 1996 Bryce Cogswell and Mark Russinovich *
; All rights reserved *
; *
;****************************************************************************
; *
; VXDMHLP: Monitors entry and exit of VxDs. *
; *
;****************************************************************************
;===========================================================================
page ,132
title VXDMHLP - VXDMHLP VxD
name VXDMHLP.vxd
;===========================================================================
;
; Module:
; Contains everything
;
;===========================================================================
;
; Functional Description: -
;
;
;
;============================================================================
;============================================================================
; I N C L U D E S
;============================================================================
.386p
.xlist
.list
include VXDMON.inc
C ;****************************************************************************
C ;
C ; VXDMHLP header file
C ;
C ;****************************************************************************
C
C
= 'VXDMHLP VXD ' C VXDMHLPName EQU <'VXDMHLP VXD '> ;Must be 16 chars (NOTE(review): the literal looks shorter in this copy of the listing; padding spaces may have been collapsed - confirm against VXDMON.inc)
= 0000 C VXDMHLPRev EQU 00H
C
C ; REC version equates - both values are passed to DECLARE_VIRTUAL_DEVICE in the device declaration
C
= 0001 C VXDMHLP_MAJOR_VERSION EQU 1
= 0000 C VXDMHLP_MINOR_VERSION EQU 0
C
C
C ; -------------------------------------------------------------------------
C ; The statistics we accumulate for each service (a ServiceStats record is the first member of HookTemplate)
C ; -------------------------------------------------------------------------
= 0008 C CALLER_CNT EQU 8 ; number of dword slots in SS_Caller
C
003C C ServiceStats STRUC ; total size 3Ch (60) bytes: seven dwords plus CALLER_CNT dwords
0000 00000000 C SS_Ordinal DD ? ; presumably the ordinal of the monitored service - confirm
0004 00000000 C SS_Next DD ? ; presumably links records into a list - confirm
0008 00000000 C SS_Enter DD ? ; presumably a count of entries into the service - confirm
000C 00000000 C SS_Exit DD ? ; presumably a count of returns from the service - confirm
0010 00000000 C SS_TimeLo DD ? ; low dword of the TimeLo/TimeHi pair (units presumably RDTSC cycles - confirm)
0014 00000000 C SS_TimeHi DD ? ; high dword of the TimeLo/TimeHi pair
0018 00000000 C SS_CallerPtr DD ? ; NOTE(review): looks like a cursor into SS_Caller; the code that advances it (not visible here) must keep it within the CALLER_CNT slots
001C 0008 [ C SS_Caller DD CALLER_CNT dup (?) ; CALLER_CNT dword slots starting at offset 1Ch
00000000
]
C ServiceStats ENDS
C
C
C
= 0001 C VXDMHLP_ERROR_NOSUCHSERVICE EQU 1 ; error codes 1..7 follow; presumably the values stored in IoctlError and reported to the ioctl caller - confirm
= 0002 C VXDMHLP_ERROR_OUTOFMEMORY EQU 2
= 0003 C VXDMHLP_ERROR_PAGELOCK EQU 3
= 0004 C VXDMHLP_ERROR_NOTFOUND EQU 4
= 0005 C VXDMHLP_ERROR_HOOK EQU 5
= 0006 C VXDMHLP_ERROR_UNHOOK EQU 6
= 0007 C VXDMHLP_ERROR_NOSUCHVXD EQU 7 ; highest code defined here; 0 is not assigned to any error
C
C
;============================================================================
; MACROS
;============================================================================
;============================================================================
; P U B L I C D A T A
;============================================================================
VXD_LOCKED_DATA_SEG
00000000 1 _LDATA SEGMENT
; flags for stats operations
; UPDATEZEROSTATS (3) is the bitwise OR of UPDATESTATS (1) and ZEROSTATS (2),
; presumably so one request can ask for both operations - confirm.
= 00000001 UPDATESTATS EQU 1
= 00000002 ZEROSTATS EQU 2
= 00000003 UPDATEZEROSTATS EQU 3
; myRDTSC: emits the RDTSC opcode (0Fh 31h) as raw bytes followed by two
; NOPs, so every expansion occupies exactly 4 bytes. RDTSC loads the
; time-stamp counter into EDX:EAX, so both registers are overwritten at
; each use of the macro.
; NOTE(review): the reason for the fixed 4-byte length is not visible in
; this part of the listing - confirm before changing the padding.
myRDTSC MACRO
db 0Fh, 31h ; rdtsc
nop ; pad to 4 bytes long
nop ; pad to 4 bytes long
ENDM
; -------------------------------------------------------------------------
; Jump table for commands initiated by Devmon Windows program
;
; Eight relocatable dword handler offsets, presumably indexed by command
; number. Service_Table_Size is the number of entries (8), not a byte count.
; NOTE(review): the command number originates in the user-mode program, so
; the dispatcher (not visible in this part of the listing) must reject any
; index >= Service_Table_Size with an unsigned compare before it indexes
; this table; otherwise an out-of-range value selects an arbitrary dword
; as a ring-0 jump target - confirm.
; -------------------------------------------------------------------------
00000000 Service_Table label dword
00000000 000001F3 R dd offset32 ioctl_closehandle
00000004 000001F8 R dd offset32 ioctl_getversion
00000008 0000022B R dd offset32 ioctl_getstats
0000000C 00000232 R dd offset32 ioctl_getzerostats
00000010 000001FD R dd offset32 ioctl_zerostats
00000014 0000028C R dd offset32 ioctl_hookservice
00000018 0000033D R dd offset32 ioctl_unhookservice
0000001C 0000039B R dd offset32 ioctl_getoverhead
00000020 = 00000008 Service_Table_Size EQU ($ - Service_Table) / 4
; -------------------------------------------------------------------------
; This points to the most recently called service.
;
; MRUStack is a fixed array of MRUMaxStack (32) MRUService entries of
; 8 bytes each, occupying 20h..11Fh of _LDATA; MRUStackPtr follows at 120h.
; NOTE(review): the code that pushes entries is not visible here; it must
; compare the depth against MRUMaxStack before writing, because the next
; bytes after the array are MRUStackPtr, FixRetErr and IoctlError - confirm.
; -------------------------------------------------------------------------
; max call stack depth
= 00000020 MRUMaxStack EQU 32
; max amount by which we expect stack to grow during VxD calls
= 00000200 MRUMaxLocalStack EQU 512
; size of this structure must be power of 2 (it is 8 bytes: two dwords)
00000008 MRUService STRUC
00000000 00000000 MRU_Ordinal DD ? ; presumably the ordinal of the service that was entered - confirm
00000004 00000000 MRU_SP DD ? ; presumably the stack pointer recorded at entry - confirm
MRUService ENDS
; call stack
00000020 00000020 [ MRUStack MRUService MRUMaxStack dup (<?>)
00000000
00000000
]
; current call stack pointer (initialised to 0)
00000120 00000000 MRUStackPtr DD 0
; indicates if error on exit (initialised to 0)
00000124 00000000 FixRetErr DD 0
; -------------------------------------------------------------------------
; Use this to track error conditions
; Initialised to 0; presumably holds one of the VXDMHLP_ERROR_* codes after
; a failed ioctl - confirm.
; -------------------------------------------------------------------------
00000128 00000000 IoctlError DD 0
; -------------------------------------------------------------------------
; This template defines the structure we allocate for each hooked service.
; It is customized for a particular service upon creation.
;
; We provide labels for all relocatable addresses so that we can adjust
; them when the template is instantiated.
;
; Layout of one instance, offsets relative to HookTemplate:
;   +00h  ServiceStats record (3Ch bytes)
;   +3Ch  HookTemplatePrevHooker (dword)
;   +40h  Hook_Proc preamble emitted by BeginProc: jmp short, jmp [..], dd 0
;   +4Ch  HookTemplateProc: call MonEnter, then jmp [HookTemplatePrevHooker]
;   +58h  end of instance (HookTemplateLen, after align 4)
; The three EQUs below are the offsets of the 32-bit operands that depend on
; where the copy lives. MonEnter finds the instance base again by
; subtracting HookTemplateMonEnter + 4 from its own return address.
; NOTE(review): the template sits in the locked data segment and its copies
; are executed, so the instance memory must be writable when patched and
; executable afterwards, and every fixup must be applied before the hook is
; installed; the instantiation code is not visible in this part - confirm.
; -------------------------------------------------------------------------
0000012C HookTemplate:
0000012C 00000000 ServiceStats <0,0,0,0,0,0,0>
00000000
00000000
00000000
00000000
00000000
00000000
00000008 [
00000000
]
00000168 00000000 HookTemplatePrevHooker dd ?
0000016C = 00000044 HookTemplatePrevPtr EQU offset32 $ + 4 - offset32 HookTemplate ; 44h = offset of the address operand of the preamble's jmp [..] at 16Eh
0000016C BeginProc HookTemplateProc, Hook_Proc HookTemplatePrevHooker
0000016C 1 ??0001:
0000016C EB 0A 1 jmp short HookTemplateProc
0000016E FF 25 00000168 R 1 jmp [??0002]
00000174 00000000 1 ??0000 dd 0
00000178 1 ?prolog_HookTemplateProc label near
00000178 00000178 1 HookTemplateProc proc near
00000178 E8 00000000 R call MonEnter
0000017D = 0000004D HookTemplateMonEnter EQU offset32 $ - offset32 HookTemplate - 4 ; 4Dh = offset of the call's rel32 operand; rel32 is relative to the instruction's own address, so it differs for every copy
0000017D FF 25 00000168 R jmp [HookTemplatePrevHooker]
00000183 = 00000053 HookTemplatePrevHookerJmp EQU offset32 $ - offset32 HookTemplate - 4 ; 53h = offset of the address operand of the jmp above
EndProc HookTemplateProc
00000183 1 HookTemplateProc endp
align 4
00000184 HookTemplateEnd:
= 00000058 HookTemplateLen EQU (offset32 HookTemplateEnd - offset32 HookTemplate) ; 58h (88) bytes per instance
= 000007D0 MaxHooks EQU 2000 ; upper bound on the number of instances
= 0000002B MaxPages EQU ((HookTemplateLen * MaxHooks + 4095) / 4096) ; 4096-byte pages needed for MaxHooks instances, rounded up (2Bh = 43)
; NOTE(review): all three start at 0; presumably the base of the allocated
; instance area, the free list and the in-use list - confirm. The allocator
; (not visible here) must refuse a hook once MaxHooks instances exist.
00000184 00000000 HookTable dd 0
00000188 00000000 HookFree dd 0
0000018C 00000000 HookUsed dd 0
; -------------------------------------------------------------------------
; This template defines the structure we allocate to capture when a service
; returns. It is customized for a particular service at the time the
; service is invoked.
;
; Layout of one 19h (25) byte entry, offsets relative to RetTemplate:
;   +00h  call MonExit (5 bytes; the rel32 operand depends on where the copy sits)
;   +05h  RetTemplateHooker   - pointer to hooker structure
;   +09h  RetTemplateOrigAddr - original return address
;   +0Dh  RetTemplateSP       - pointer to return address on stack
;   +11h  RetTemplateTime     - two dwords (presumably a 64-bit time stamp - confirm)
; The dword fields start at odd offsets, so they are not 4-byte aligned.
; -------------------------------------------------------------------------
00000190 RetTemplate:
00000190 E8 00000049 R call MonExit
00000195 = 00000005 RetTemplateHooker EQU (offset32 $ - offset32 RetTemplate)
00000195 00000000 dd 0 ; pointer to hooker structure
00000199 = 00000009 RetTemplateOrigAddr EQU (offset32 $ - offset32 RetTemplate)
00000199 00000000 dd 0 ; original return address
0000019D = 0000000D RetTemplateSP EQU (offset32 $ - offset32 RetTemplate)
0000019D 00000000 dd 0 ; pointer to return address on stack
000001A1 = 00000011 RetTemplateTime EQU (offset32 $ - offset32 RetTemplate)
000001A1 00000000 dd 0
000001A5 00000000 dd 0
000001A9 RetTemplateEnd:
= 00000190 MaxReturn EQU 400 ; number of entries ReturnTable is sized for
= 00000019 RetTemplateLen EQU (offset32 RetTemplateEnd - offset32 RetTemplate) ; 19h (25) bytes per entry
; NOTE(review): the listing prints RetTableSize as 2EE0h (12000), but
; MaxReturn * RetTemplateLen is 400 * 25 = 10000 (2710h), which is also the
; size actually reserved for ReturnTable below (1A9h..28B8h). If any bounds
; check uses the 2EE0h value it would accept addresses 2000 bytes past the
; end of the table - confirm which value the assembled code really uses.
= 00002EE0 RetTableSize EQU (MaxReturn * RetTemplateLen)
000001A9 00002710 [ ReturnTable db (MaxReturn * RetTemplateLen) dup (?)
00
]
; ReturnFree starts at the first byte of ReturnTable.
; NOTE(review): entries hold saved return addresses, so the allocator (not
; visible here) must fail safely when no entry is free rather than advance
; past the end of ReturnTable - confirm.
000028B9 000001A9 R ReturnFree dd offset32 ReturnTable
VXD_LOCKED_DATA_ENDS
000028BD 28BD 1 _LDATA ENDS
;============================================================================
; D E V I C E D E C L A R A T I O N
;============================================================================
VXD_LOCKED_CODE_SEG
00000000 1 _LTEXT SEGMENT
00000000
; Device declaration. The DECLARE_VIRTUAL_DEVICE expansion below emits a
; debug marker string in _IDATA and the device descriptor block VXDMHLP_DDB
; in _LDATA at 28C0h..290Fh. The device-ID argument is left blank and the
; init order is UNDEFINED_INIT_ORDER. In the expanded data, 01 00 are the
; major/minor version bytes, 20504C484D445856 is the 8-byte name "VXDMHLP "
; stored little-endian, and 00000050 equals the block's length
; (2910h - 28C0h). 000001B9 R is presumably the relocatable offset of the
; control procedure VXDMHLP_Control - confirm.
DECLARE_VIRTUAL_DEVICE VXDMHLP, \
VXDMHLP_MAJOR_VERSION, \
VXDMHLP_MINOR_VERSION, \
VXDMHLP_Control, , \
UNDEFINED_INIT_ORDER
= 00000000 1 ??0003 EQU 0
= 00000000 1 ??0004 EQU 0
= 00000000 1 ??0005 EQU 0
= 00000000 1 ??0006 EQU 0
= 00000000 1 ??0007 EQU 0
00000000 00000000 2 _IDATA SEGMENT
00000000 0D 0A 44 5F 45 1 db 0dh, 0ah, 'D_E_B_U_G===>'
5F 42 5F 55 5F
47 3D 3D 3D 3E
0000000F 56 58 44 4D 48 1 db "VXDMHLP", '<===', 0dh, 0ah
4C 50 3C 3D 3D
3D 0D 0A
0000001C
0000001C 00000000 2 _IDATA ENDS
00000000
00000000 000028BD 2 _LDATA SEGMENT
000028C0 00000000 040A 1 VXDMHLP_DDB VxD_Desc_Block <,,,VXDMHLP_MAJOR_VERSION,VXDMHLP_MINOR_VERSION,,"VXDMHLP",UNDEFINED_INIT
0000 01 00 1 _ORDER,\
0000
00000001 [
20504C484D445856
] 80000000
000001B9 R
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
50726576
00000050
52737631
52737632
52737633
00002910
00002910 00000000 2 _LDATA ENDS
00000000
;============================================================================
; M A I N C O D E
;============================================================================
; -------------------------------------------------------------------------
; Called each time a service is invoked.
; -------------------------------------------------------------------------
BeginProc MonEnter
00000000 1 ?prolog_MonEnter label near
00000000 00000000 1 MonEnter proc near
00000000 9C pushfd
; disable interrupts so our timing computations aren't corrupted
00000001 FA cli
00000002 56 push esi
00000003 57 push edi
00000004 50 push eax
00000005 52 push edx
; get pointer to hook structure
00000006 8B 74 24 14 mov esi, [esp+20] ; get return address
0000000A 81 EE 00000051 sub esi, HookTemplateMonEnter + 4