; increment entry count
00000010 FF 46 08 inc [esi].SS_Enter
; allocate a return structure to replace original return with
00000013 A1 000028B9 R mov eax, [ReturnFree] ; get location of return function
00000018 8B 78 05 mov edi, [eax].RetTemplateHooker ; get location of next on list
0000001B 89 3D 000028B9 R mov [ReturnFree], edi ; update pointer to first on list
; change return address to point to us, fetch original return address
00000021 8B F8 mov edi, eax ; copy pointer to return structure
00000023 87 44 24 18 xchg [esp+24], eax ; store new return address, fetch old
; save original return address
00000027 89 47 09 mov [edi].RetTemplateOrigAddr, eax
; store service hooker address
0000002A 89 77 05 mov [edi].RetTemplateHooker, esi
; save address of return address on stack
0000002D 8D 44 24 18 lea eax, [esp+24]
00000031 89 47 0D mov [edi].RetTemplateSP, eax
; do stuff for recording callers/callees
00000034 E8 0000005C call MRUEnter
; update time spent in function (do as late as possible)
00000039 rdts1: myRDTSC ; edx:eax = rdtsc
00000039 0F 31 1 db 0Fh, 31h ; rdtsc
0000003B 90 1 nop ; pad to 4 bytes long
0000003C 90 1 nop ; pad to 4 bytes long
0000003D 89 47 11 mov [edi].RetTemplateTime, eax ; store time low
00000040 89 57 15 mov [edi].RetTemplateTime+4, edx ; store time high
00000043 5A pop edx
00000044 58 pop eax
00000045 5F pop edi
00000046 5E pop esi
00000047 9D popfd
00000048 C3 ret
EndProc MonEnter
00000049 1 MonEnter endp
00000049
; -------------------------------------------------------------------------
; Called each time a hooked service returns: the RetTemplate thunk that
; MonEnter substituted for the caller's return address ends in a call here.
; -------------------------------------------------------------------------
BeginProc MonExit
00000049 1 ?prolog_MonExit label near
00000049 00000049 1 MonExit proc near
; Entry: reached only through the `call MonExit` at the head of a RetTemplate
;        copy (see InitReturnTable), so [esp] points just past that call,
;        i.e. RetTemplateHooker bytes into the copy. eax/edx still hold the
;        hooked service's return values and the flags are the service's.
; Exit:  `ret` goes to the caller's original return address that MonEnter
;        saved in RetTemplateOrigAddr; all registers and flags are restored.
; Stack: 20 bytes are pushed (pushfd + 4 dwords), so the template's return
;        address is at [esp+20] for the whole routine.
; pushfd comes first so the service's returned flags (VxD services commonly
; report status in CF -- TODO confirm for the hooked set) are preserved across
; the arithmetic below and restored by popfd, which also undoes the cli.
00000049 9C pushfd
0000004A 56 push esi
0000004B 57 push edi
0000004C 50 push eax
0000004D 52 push edx
; disable interrupts so our timing computations aren't corrupted
; (this also serialises the ReturnFree list update below against interrupt
; handlers; it is the only protection the list has -- single-processor VxD
; assumption, TODO confirm)
0000004E FA cli
; get pointer to original structure
0000004F 8B 7C 24 14 mov edi, [esp+20] ; return address pushed by the RetTemplate's call
00000053 81 EF 00000005 sub edi, RetTemplateHooker ; the call occupies the first RetTemplateHooker bytes of a copy, so this is the copy's base
00000059 8B 77 05 mov esi, [edi].RetTemplateHooker ; while a copy is in use this field holds the hooker/SS structure (set by MonEnter)
; NOTE(review): the copy is trusted purely because control arrived through it.
; MonEnter stored the address of the return slot in RetTemplateSP; comparing
; it with lea eax,[esp+20] here would detect a stack mismatch before
; RetTemplateOrigAddr is used as the return target -- consider adding that.
; update time spent in function (do as early as possible)
0000005C rdts2: myRDTSC ; edx:eax = rdtsc
0000005C 0F 31 1 db 0Fh, 31h ; rdtsc
0000005E 90 1 nop ; pad to 4 bytes long
0000005F 90 1 nop ; pad to 4 bytes long
; 64-bit elapsed = now - entry stamp (stored by MonEnter), then accumulate
00000060 2B 47 11 sub eax, [edi].RetTemplateTime ; elapsed low
00000063 1B 57 15 sbb edx, [edi].RetTemplateTime+4 ; elapsed high, with borrow
00000066 01 46 10 add [esi].SS_TimeLo, eax ; SS_TimeHi:SS_TimeLo += elapsed
00000069 11 56 14 adc [esi].SS_TimeHi, edx ; carry into the high dword
; replace our return address with original
0000006C 8B 57 09 mov edx, [edi].RetTemplateOrigAddr ; saved by MonEnter
0000006F 89 54 24 14 mov [esp+20], edx ; the final `ret` now returns to the service's real caller
; increment exit count
00000073 FF 46 0C inc [esi].SS_Exit
; make return address structure available to someone else
00000076 33 D2 xor edx, edx
00000078 89 57 0D mov [edi].RetTemplateSP, edx ; 0 = slot unused (MonEnter sets it to the return-slot address)
0000007B 8B 15 000028B9 R mov edx, [ReturnFree] ; head of the LIFO free list (0-terminated, see InitReturnTable)
00000081 89 57 05 mov [edi].RetTemplateHooker, edx ; field doubles as the free-list link once the hooker pointer is no longer needed
; now finalize freeing the structure
00000084 89 3D 000028B9 R mov [ReturnFree], edi ; push this copy on the free list
; do stuff for recording callers/callees
; MRUExit pops this service off the MRU call stack (esi = hooker); clobbers eax, edx
0000008A E8 00000064 call MRUExit
0000008F 5A pop edx
00000090 58 pop eax
00000091 5F pop edi
00000092 5E pop esi
00000093 9D popfd ; restores the service's flags and the caller's IF state
00000094 C3 ret ; -> RetTemplateOrigAddr placed at [esp+20] above
EndProc MonExit
00000095 1 MonExit endp
00000095
BeginProc MRUEnter
00000095 1 ?prolog_MRUEnter label near
00000095 00000095 1 MRUEnter proc near
; Pushes the service being entered onto the MRU call stack and records which
; service (the current top of that stack) called it.
; Entry: esi = hooker/SS structure of the service being entered (MonEnter
;        passes its esi; see the SS_* fields used below).
; Clobbers: eax, edx, flags.
; MRUStackPtr is a byte offset into MRUStack, a multiple of size MRUService
; (8), pointing just past the top entry; 0 means the stack is empty.
; MRUStack lives at 0x20 and MRUStackPtr at 0x120 in this listing, so the
; masked offsets 0..0xF8 used below always stay inside MRUStack.
; Interrupts are presumably off (MonExit does cli before MRUExit; MonEnter's
; prologue is not in view) -- there is no other synchronisation.
; if stack is currently empty, only put us on it
00000095 A1 00000120 R mov eax, MRUStackPtr
0000009A 0B C0 or eax, eax
0000009C 74 3C jz mru_enter_reset
; ensure we're using same stack as MRU
; check if esp is larger than last
; NOTE(review): only equality is tested here. A larger esp gives a negative
; edx, which the signed jg below does not catch, so that case falls through
; and is recorded as a nested call -- confirm this is intended.
0000009E 05 00000018 R add eax, offset32 MRUStack - size MRUService ; eax -> top entry (MRUStack[MRUStackPtr/8 - 1])
000000A3 8B 50 04 mov edx, [eax].MRU_SP ; esp recorded when the top entry was pushed
000000A6 2B D4 sub edx, esp ; edx = top.MRU_SP - esp (positive when we are deeper on the same stack)
000000A8 74 30 je mru_enter_reset ; identical esp: not a nested call, restart the stack
; check if esp is much smaller than last
000000AA 81 FA 00000200 cmp edx, MRUMaxLocalStack ; more than 512 bytes apart (signed) => assume a different stack
000000B0 7F 28 jg mru_enter_reset
; indicate that we were called by MRU service
; SS_Caller is an 8-entry ring (CALLER_CNT-1 = 7 mask) of caller ordinals
000000B2 8B 56 18 mov edx, [esi].SS_CallerPtr ; get position to save caller
000000B5 FF 30 push [eax].MRU_Ordinal ; get last called service
000000B7 8F 44 96 1C pop [esi+edx*4].SS_Caller ; memory-to-memory copy via the stack: SS_Caller[idx] = top ordinal
000000BB 42 inc edx
000000BC 83 E2 07 and edx, CALLER_CNT-1 ; wrap the ring index, keeps the store above in bounds on the next call
000000BF 89 56 18 mov [esi].SS_CallerPtr, edx ; update caller pointer
; update MRU call stack
; write the new top entry at MRUStack[top+1] = {our ordinal, esp}
000000C2 8B 16 mov edx, [esi].SS_Ordinal
000000C4 89 50 08 mov [eax+size MRUService].MRU_Ordinal, edx
000000C7 89 60 0C mov [eax+size MRUService].MRU_SP, esp
; update stack pointer location
000000CA 2D 00000010 R sub eax, offset32 MRUStack - 2 * size MRUService ; eax = old MRUStackPtr + size MRUService
000000CF 25 000000F8 and eax, (MRUMaxStack-1) * size MRUService ; 32 entries max; the 32nd push wraps the pointer to 0, so the stack then reads as empty (tracking is silently dropped, not overflowed)
000000D4 A3 00000120 R mov MRUStackPtr, eax
; all done
000000D9 C3 ret
000000DA mru_enter_reset:
; reset mru stack to be empty
000000DA B8 00000008 mov eax, size MRUService ; one entry on the stack
000000DF A3 00000120 R mov MRUStackPtr, eax
; make us the only thing on the stack
000000E4 8B 16 mov edx, [esi].SS_Ordinal
000000E6 89 15 00000020 R mov MRUStack.MRU_Ordinal, edx
000000EC 89 25 00000024 R mov MRUStack.MRU_SP, esp
; all done
000000F2 C3 ret
EndProc MRUEnter
000000F3 1 MRUEnter endp
000000F3
BeginProc MRUExit
000000F3 1 ?prolog_MRUExit label near
000000F3 000000F3 1 MRUExit proc near
; Pops the service being exited off the MRU call stack.
; Entry: esi = hooker/SS structure of the exiting service (SS_Ordinal is
;        compared against the top entry).
; Clobbers: eax, edx, flags.
; MRUStackPtr: byte offset just past the top entry (multiples of size
; MRUService = 8); 0 = empty.  If the top entry is not this service the whole
; stack is discarded rather than searched -- an unbalanced enter/exit (or the
; wrap in MRUEnter) therefore loses all nesting information until the next
; MRUEnter rebuilds it.
; get pointer to top item on call stack
000000F3 A1 00000120 R mov eax, MRUStackPtr ; eax = last stack entry
000000F8 0B C0 or eax, eax
000000FA 74 1A jz mru_exit_empty ; stack is empty
; ensure that it is us
000000FC 83 E8 08 sub eax, size MRUService ; back down to previous item
000000FF 8B 90 00000020 R mov edx, [MRUStack+eax].MRU_Ordinal ; ordinal of the top entry
00000105 39 16 cmp [esi].SS_Ordinal, edx
00000107 75 06 jne mru_exit_reset ; who knows how we got here?
; update stack pointer location
00000109 A3 00000120 R mov MRUStackPtr, eax ; pop: the entry below becomes the top
; all done
0000010E C3 ret
0000010F mru_exit_reset:
; top entry is not us: drop the entire stack
0000010F 33 C0 xor eax, eax
00000111 A3 00000120 R mov MRUStackPtr, eax
00000116 mru_exit_empty:
; all done
00000116 C3 ret
EndProc MRUExit
00000117 1 MRUExit endp
00000117
; -------------------------------------------------------------------------
; Initialize the linked list of hooks for hooked services.
; These are created using the HookTemplate.
; -------------------------------------------------------------------------
BeginProc InitHookTable
00000117 1 ?prolog_InitHookTable label near
00000117 00000117 1 InitHookTable proc near
; Builds HookTable: MaxHooks (2000) back-to-back copies of HookTemplate
; (HookTemplateLen = 88 bytes each), chained through SS_Next into the
; HookFree list (0-terminated).  Each copy is both code (the thunk that
; reaches MonEnter and the jump to the previous hooker) and data (the SS_*
; counters updated by MonEnter/MonExit), so this routine generates executable
; code at runtime in page-allocated memory -- inherent to the design, but
; worth knowing when reading the fix-ups below.
; Clobbers: eax, ecx, edx, esi, edi, flags (DF left clear).
; Allocate space for hook functions and statistics.
; We initialize enough memory to hook tons of services, but
; lock only the portion we need, allowing most to be paged out.
; (No lock call appears in this routine; presumably done by the caller.)
; MaxPages = 43 pages = 176128 bytes, which holds 2000 * 88 = 176000 bytes.
; PAGEZEROINIT zero-fills the pages, so every SS_* counter starts at 0.
VMMcall _PageAllocate, <MaxPages, PG_SYS, 0, 0, 0, 0, 0, PAGEZEROINIT>
00000117 6A 01 6 push PAGEZEROINIT
00000119 6A 00 6 push 0
0000011B 6A 00 6 push 0
0000011D 6A 00 6 push 0
0000011F 6A 00 6 push 0
00000121 6A 00 6 push 0
00000123 6A 01 6 push PG_SYS
00000125 68 0000002B 6 push MaxPages
0000012A CD 20 2 int Dyna_Link_Int
0000012C 00010053 3 dd @@_PageAllocate+0
00000130 83 C4 20 3 add esp,??_argc * 4
; NOTE(review): eax is used as the copy destination without checking for an
; allocation failure (conventionally eax = 0 -- confirm against the VMM
; documentation); a failed _PageAllocate would make the rep movsb below
; write through a null pointer.  Consider `or eax, eax` / `jz` to a failure
; path that leaves HookTable/HookFree zero.
00000133 A3 00000184 R mov [HookTable], eax ; save table pointer
00000138 8B F8 mov edi, eax ; edi = copy destination
0000013A 89 3D 00000188 R mov [HookFree], edi ; set pointer to first
00000140 8D 35 0000012C R lea esi, HookTemplate ; esi = copy source
00000146 B9 000007D0 mov ecx, MaxHooks
0000014B 2B C6 sub eax, esi ; eax = (address of copy) - (address of template); grows by HookTemplateLen per copy
0000014D FC cld
0000014E init_hook_loop:
0000014E 8B D1 mov edx, ecx ; preserve the copy counter; ecx is reused by rep movsb
; Copy template
00000150 B9 00000058 mov ecx, HookTemplateLen
00000155 F3/ A4 rep movsb ; edi ends up at the next copy's base
00000157 81 EE 00000058 sub esi, HookTemplateLen ; rewind esi to the template start
; Fix up relocatable items
0000015D 89 7F AC mov [edi-HookTemplateLen].SS_Next, edi ; free-list link = next copy (the last one is cleared to 0 after the loop)
00000160 29 47 F5 sub [edi-HookTemplateLen].HookTemplateMonEnter, eax ; rel32 to MonEnter: target is fixed, the instruction moved forward by eax, so the displacement shrinks
00000163 01 47 FB add [edi-HookTemplateLen].HookTemplatePrevHookerJmp, eax ; references into the copy itself move with it (presumably absolute operands -- HookTemplate is not in view)
00000166 01 47 EC add [edi-HookTemplateLen].HookTemplatePrevPtr, eax
00000169 05 00000058 add eax, HookTemplateLen ; displacement for the next copy
0000016E 8B CA mov ecx, edx
00000170 E2 DC loop init_hook_loop
00000172 33 C9 xor ecx, ecx
00000174 89 4F AC mov [edi-HookTemplateLen].SS_Next, ecx ; terminate the free list at the last copy
00000177 C3 ret
EndProc InitHookTable
00000178 1 InitHookTable endp
00000178
; -------------------------------------------------------------------------
; Initialize the linked list of return points for invoked functions.
; These are created using the RetTemplate.
; -------------------------------------------------------------------------
BeginProc InitReturnTable
00000178 1 ?prolog_InitReturnTable label near
00000178 00000178 1 InitReturnTable proc near
; Builds ReturnTable: MaxReturn (400) copies of RetTemplate (RetTemplateLen =
; 25 bytes each) in the static ReturnTable area, chained through
; RetTemplateHooker into the ReturnFree LIFO list (0-terminated).  While a
; copy is handed out by MonEnter the same RetTemplateHooker field holds the
; hooker pointer instead of the link; MonExit restores the link on release.
; Clobbers: eax, ecx, edx, esi, edi, flags (DF left clear).
; NOTE(review): the visible MonEnter lines pop from ReturnFree without
; testing for an empty list (mov eax,[ReturnFree] / mov edi,[eax].RetTemplateHooker),
; so more than MaxReturn hooked calls outstanding at once (nesting and/or
; several threads) would dereference [0+RetTemplateHooker].  Either raise
; MaxReturn or add an empty-list check in MonEnter.
00000178 8D 3D 000001A9 R lea edi, ReturnTable ; edi = copy destination
0000017E 89 3D 000028B9 R mov [ReturnFree], edi ; set pointer to first
00000184 8D 35 00000190 R lea esi, RetTemplate ; esi = copy source
0000018A B9 00000190 mov ecx, MaxReturn
0000018F B8 00000019 mov eax, offset32 ReturnTable - offset32 RetTemplate ; displacement copy - template; grows by RetTemplateLen per copy
00000194 FC cld
00000195 init_return_loop:
00000195 8B D1 mov edx, ecx ; preserve the copy counter; ecx is reused by rep movsb
00000197 B9 00000019 mov ecx, RetTemplateLen
0000019C F3/ A4 rep movsb ; edi ends up at the next copy's base
0000019E 81 EE 00000019 sub esi, RetTemplateLen ; rewind esi to the template start
000001A4 89 7F EC mov [edi-RetTemplateLen+RetTemplateHooker], edi ; free-list link = next copy (cleared to 0 for the last one below)
000001A7 29 47 E8 sub [edi-RetTemplateLen+RetTemplateHooker-4], eax ; rel32 of the leading `call MonExit` (bytes 1..4 of the copy): target fixed, instruction moved by eax
000001AA 05 00000019 add eax, RetTemplateLen ; displacement for the next copy
000001AF 8B CA mov ecx, edx
000001B1 E2 E2 loop init_return_loop
000001B3 33 C9 xor ecx, ecx
000001B5 89 4F EC mov [edi-RetTemplateLen+RetTemplateHooker], ecx ; terminate the free list at the last copy
000001B8 C3 ret
EndProc InitReturnTable
000001B9 1 InitReturnTable endp
;============================================================================
;
; VXDMHLP_Control - Device control procedure for the VxD. Dispatches all
; Windows VxD messages.
;
; Exit: If carry clear then
; Successful
; else
; Control call failed
;
; Destroys: EAX, EBX, ECX, EDX, ESI, EDI, Flags
;
;============================================================================
public VXDMHLP_Control
000001B9 VXDMHLP_Control PROC NEAR
; Entry: eax = VxD system control message.
; Three messages are dispatched with a tail jump (jz, not call), so each
; handler returns directly to the VMM with its own carry result.  Every other
; message falls through to clc/ret and is reported as handled successfully.
; W32_DEVICEIOCONTROL is the user-mode entry point (DeviceIoControl from a
; Win32 program; esi -> DIOC block per the VXDMHLP_ioctl header), so all
; validation of caller-supplied buffers and codes lives in VXDMHLP_ioctl,
; not here.
Control_Dispatch SYS_DYNAMIC_DEVICE_INIT, VXDMHLP_Device_Init
000001B9 83 F8 1B 1 cmp eax, SYS_DYNAMIC_DEVICE_INIT
000001BC 0F 84 00000038 R 1 jz VXDMHLP_Device_Init
Control_Dispatch SYS_DYNAMIC_DEVICE_EXIT, VXDMHLP_Device_Exit
000001C2 83 F8 1C 1 cmp eax, SYS_DYNAMIC_DEVICE_EXIT
000001C5 0F 84 0000025C 1 jz VXDMHLP_Device_Exit
Control_Dispatch W32_DEVICEIOCONTROL, VXDMHLP_ioctl
000001CB 83 F8 23 1 cmp eax, W32_DEVICEIOCONTROL
000001CE 74 02 1 jz VXDMHLP_ioctl
000001D0 F8 clc ; unhandled message: report success
000001D1 C3 ret
000001D2 VXDMHLP_Control ENDP
;============================================================================
;
; VXDMHLP_ioctl - Respond to IOcontrol messages sent by Win32 program.
;
; Entry: esi -> DIOC block
;
; Exit:
;
;============================================================================
000001D2 Public VXDMHLP_ioctl
BeginProc VXDMHLP_ioctl
000001D2 1 ?prolog_VXDMHLP_ioctl label near