;============================================================================
;
; VXDMHLP_ioctl - DeviceIoControl dispatcher for the monitor VxD.
;
; In:    esi -> DIOCParams block supplied by the caller. Fields read here
;               (offsets from the encodings): dwIoControlCode (+0Ch),
;               lpvInBuffer (+10h), lpvOutBuffer (+18h), cbOutBuffer (+1Ch),
;               lpcbBytesReturned (+20h). cbInBuffer is never consulted.
; Out:   CF=0, eax=0          on success
;        CF=1, eax=IoctlError on failure. IoctlError is a single global,
;                             written before each step that can fail and
;                             read back at ioctl_failure.
; Clobb: eax, ebx, ecx, edx, edi, flags. esi is saved/restored on every
;        path that modifies it. The VMM services reached through
;        int Dyna_Link_Int may clobber more - consult the VMM reference.
;
; SECURITY NOTE(review): every pointer in the DIOCParams block
; (lpvInBuffer, lpvOutBuffer, lpcbBytesReturned) is dereferenced at ring 0
; exactly as supplied - no NULL check, no address-range check - and the
; 4-byte read from lpvInBuffer is never compared against cbInBuffer. A
; caller can therefore make this VxD read or write any linear address it
; names. On Win9x that is the platform norm rather than a crossed trust
; boundary, but the pattern must not be ported to a platform with one.
;
;============================================================================
000001D2 000001D2 1 VXDMHLP_ioctl proc near
; Default error for an unknown ioctl code; overwritten by later steps.
000001D2 C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_NOSUCHSERVICE
00000001
; Dispatch. Win9x DIOC codes start at -1 (close handle), so code+1 is the
; table slot. The compare is UNSIGNED (jae): codes below -1 wrap to a huge
; index and codes above Service_Table_Size-2 are >= the size, so both are
; rejected before the caller-controlled index reaches the indirect jmp.
; Service_Table_Size is 8; the eight handlers in this listing, presumably
; in table order: closehandle, getversion, zerostats, getstats,
; getzerostats, hookservice, unhookservice, getoverhead.
000001DC 8B 4E 0C mov ecx,[esi].dwIoControlCode ; get ioctl code
000001DF 41 inc ecx ; base is -1
000001E0 81 F9 00000008 cmp ecx, Service_Table_Size ; out of bounds ?
000001E6 0F 83 00000234 jae ioctl_failure ; y: bad code, exit
000001EC FF 24 8D jmp Service_Table[4*ecx] ; index into table
00000000 R
; -------------------------------------------------------------------------
; -------------------------------------------------------------------------
000001F3 ioctl_closehandle:
; Nothing to do for this
000001F3 E9 00000224 jmp ioctl_success ; exit successfully
; -------------------------------------------------------------------------
; -------------------------------------------------------------------------
000001F8 ioctl_getversion:
; Nothing to do for this
000001F8 E9 0000021F jmp ioctl_success ; exit successfully
; -------------------------------------------------------------------------
; Get the statistics we've collected for all hooked services
; -------------------------------------------------------------------------
; Record layout used throughout (from the encodings):
;   SS_Ordinal +0, SS_Next +4, SS_Enter +8, SS_Exit +0Ch,
;   SS_TimeLo +10h, SS_TimeHi +14h, size ServiceStats = 3Ch.
; HookUsed and HookFree are the heads of two singly linked lists of these
; records, threaded through SS_Next.
000001FD ioctl_zerostats:
000001FD BB 00000002 mov ebx, ZEROSTATS ; zero the stats, no update
00000202 8B 15 0000018C R mov edx, [HookUsed]
00000208 FC cld
00000209 ioctl_dozero:
; check for end of list
00000209 83 FA 00 cmp edx, 0
0000020C 0F 84 0000020A je ioctl_success
; zero volatile statistics
; Interrupts are disabled while the four counters are cleared, presumably
; so a hook firing mid-update cannot observe a half-zeroed record.
; NOTE(review): sti below re-enables interrupts unconditionally; if this
; ioctl can ever be entered with IF already clear, pushfd/popfd would be
; the safe form.
00000212 FA cli
00000213 56 push esi
00000214 8D 32 lea esi, [edx] ; get stats pointer
00000216 33 C0 xor eax, eax
00000218 89 46 08 mov [esi].SS_Enter, eax
0000021B 89 46 0C mov [esi].SS_Exit, eax
0000021E 89 46 10 mov [esi].SS_TimeLo, eax
00000221 89 46 14 mov [esi].SS_TimeHi, eax
00000224 FB sti
00000225 5E pop esi
; move to next service
00000226 8B 52 04 mov edx, [edx].SS_Next
00000229 EB DE jmp ioctl_dozero
; get stats with no zero
0000022B ioctl_getstats:
0000022B BB 00000001 mov ebx, UPDATESTATS ; update with no clear
00000230 EB 05 jmp ioctl_scanstats
; get stats and reset
00000232 ioctl_getzerostats:
00000232 BB 00000003 mov ebx, UPDATEZEROSTATS ; update and zero stats
00000237 ioctl_scanstats:
; zero current output size
; *lpcbBytesReturned is the running byte count for this call; it is
; written through the caller-supplied pointer without a NULL check.
00000237 33 C0 xor eax, eax
00000239 8B 4E 20 mov ecx, [esi].lpcbBytesReturned
0000023C 89 01 mov [ecx], eax
; get pointer to source and destination buffers
0000023E 8B 15 0000018C R mov edx, [HookUsed]
00000244 8B 7E 18 mov edi, [esi].lpvOutBuffer
; iterate over structures in use, copying
00000247 FC cld
00000248 ioctl_docopy:
; check for end of list
00000248 83 FA 00 cmp edx, 0
0000024B 0F 84 000001CB je ioctl_success
; update size of output and exit if buffer full
; Each record is copied only after confirming count+3Ch still fits in
; cbOutBuffer, so a short buffer yields a truncated but in-bounds result.
; NOTE(review): the fit test is a SIGNED compare (jg). A cbOutBuffer of
; 80000000h or more reads as negative, so the loop exits at once and
; returns 0 bytes - fail-closed, but inconsistent with the unsigned check
; in the dispatcher. `ja` is the intended comparison for a byte count.
00000251 8B 4E 20 mov ecx, [esi].lpcbBytesReturned ; get output size pointer
00000254 8B 01 mov eax, [ecx] ; get current output size
00000256 83 C0 3C add eax, size ServiceStats ; update total size
00000259 3B 46 1C cmp eax, [esi].cbOutBuffer ; less than max output size ?
0000025C 0F 8F 000001BA jg ioctl_success
00000262 89 01 mov [ecx], eax ; update output size
; copy stats to output buffer
; 15 dwords (3Ch bytes) are copied to the caller's buffer with IF clear.
; NOTE(review): edi addresses caller memory that this proc does not lock;
; a page fault on a not-present output page would be taken with
; interrupts disabled. Confirm the VMM tolerates that in this context.
00000264 56 push esi
00000265 B9 0000000F mov ecx, size ServiceStats / 4
0000026A 8D 32 lea esi, [edx] ; get stats pointer
0000026C FA cli
0000026D F3/ A5 rep movsd
00000275 F7 C3 00000002 test ebx, ZEROSTATS
00000275 74 0E je nozero
; zero volatile statistics
; rep movsd left esi just past the source record; the -3Ch displacement
; addresses the record that was just copied (e.g. 46 CC = [esi-34h] =
; SS_Enter of that record).
00000277 33 C0 xor eax, eax
00000279 89 46 CC mov [esi - size ServiceStats].SS_Enter, eax
0000027C 89 46 D0 mov [esi - size ServiceStats].SS_Exit, eax
0000027F 89 46 D4 mov [esi - size ServiceStats].SS_TimeLo, eax
00000282 89 46 D8 mov [esi - size ServiceStats].SS_TimeHi, eax
00000285 nozero:
00000285 FB sti
00000286 5E pop esi
; move to next service
00000287 8B 52 04 mov edx, [edx].SS_Next
0000028A EB BC jmp ioctl_docopy
; -------------------------------------------------------------------------
; Hook a new service
; -------------------------------------------------------------------------
0000028C ioctl_hookservice:
; get ordinal of interest
; 4 bytes are read from lpvInBuffer; cbInBuffer is not checked to be >= 4.
0000028C 8B 46 10 mov eax, [esi].lpvInBuffer
0000028F 8B 00 mov eax, [eax]
; Shared entry, also reached by `call` from ioctl_getoverhead with eax
; preset. eax = 32-bit VxD service ordinal: device id in the high word,
; service number in the low word. Exits via ioctl_success / ioctl_failure,
; whose `ret` returns to the caller of this entry when it was called.
; NOTE(review): there is no search of HookUsed for an existing record
; with this SS_Ordinal, so hooking the same service twice installs two
; records; unhook later removes only the first match.
00000291 internal_hookservice:
; ensure that the vxd is loaded
; Only the device id is validated here (zero id, or no DDB for it, fails).
; The service number is left to Hook_Device_Service, whose CF is checked.
00000291 C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_NOSUCHVXD
00000007
0000029B 8B D0 mov edx, eax ; save ordinal
0000029D C1 E8 10 shr eax, 16 ; get device id
000002A0 0F 84 0000017A jz ioctl_failure ; if zero, we lose
VMMCall Get_DDB ; check for DDB
000002A6 CD 20 2 int Dyna_Link_Int
000002A8 00010146 3 dd @@Get_DDB+0
000002AC 0B C9 or ecx, ecx
000002AE 0F 84 0000016C jz ioctl_failure ; if result zero, we lose
000002B4 8B C2 mov eax, edx ; restore ordinal
; get a hook structure
; Take the head of the free list but do not unlink it yet; HookFree is
; only advanced after every step below has succeeded.
000002B6 C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_OUTOFMEMORY
00000002
000002C0 8B 3D 00000188 R mov edi, [HookFree]
000002C6 83 FF 00 cmp edi, 0
000002C9 0F 84 00000151 je ioctl_failure ; no structures available
; Ensure the page containing the structure is locked in memory.
; We rely on the fact that a page can be locked multiple times.
; The page number is the linear address >> 12. The record must stay
; resident presumably because it carries the hook thunk that the VMM
; will jump to (see the HookTemplateProc offset passed below).
; NOTE(review): nothing in this proc ever calls _LinPageUnlock - the lock
; count grows by one per successful hook and is not dropped on unhook.
; Check that VXDMHLP_Device_Exit balances it.
000002CF C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_PAGELOCK
00000003
000002D9 50 push eax
000002DA 8B C7 mov eax, edi
000002DC C1 E8 0C shr eax, 12
VMMcall _LinPageLock, <eax, 1, 0>
000002DF 6A 00 6 push 0
000002E1 6A 01 6 push 1
000002E3 50 6 push eax
000002E4 CD 20 2 int Dyna_Link_Int
000002E6 00010063 3 dd @@_LinPageLock+0
000002EA 83 C4 0C 3 add esp,??_argc * 4
000002ED 0B C0 or eax, eax ; nonzero if locked, zero if error
000002EF 58 pop eax
000002F0 0F 84 0000012A jz ioctl_failure
; fill in service-specific info in structure
000002F6 89 07 mov [edi].SS_Ordinal, eax
000002F8 33 D2 xor edx, edx
000002FA 89 57 08 mov [edi].SS_Enter, edx
000002FD 89 57 0C mov [edi].SS_Exit, edx
00000300 89 57 10 mov [edi].SS_TimeLo, edx
00000303 89 57 14 mov [edi].SS_TimeHi, edx
; hook the service
; esi = edi + 4Ch: an address INSIDE the record, handed to the VMM as the
; hook procedure. The records therefore contain executable code, which is
; why they are page-locked above.
00000306 C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_HOOK
00000005
00000310 56 push esi
00000311 8D 77 4C lea esi, [edi +(offset32 HookTemplateProc - offset32 HookTemplate)]
VMMCall Hook_Device_Service
00000314 CD 20 2 int Dyna_Link_Int
00000316 00010090 3 dd @@Hook_Device_Service+0
0000031A 5E pop esi
0000031B 0F 82 000000FF jc ioctl_failure
; update pointer to next available structure
; Commit point: unlink from HookFree and push onto the head of HookUsed.
00000321 8B 57 04 mov edx, [edi].SS_Next
00000324 89 15 00000188 R mov [HookFree], edx
; add to list of hooked services
0000032A A1 0000018C R mov eax, [HookUsed]
0000032F 89 47 04 mov [edi].SS_Next, eax
00000332 89 3D 0000018C R mov [HookUsed], edi
00000338 E9 000000DF jmp ioctl_success
; -------------------------------------------------------------------------
; Unhook a service
; -------------------------------------------------------------------------
0000033D ioctl_unhookservice:
; get ordinal of interest
; Same unchecked 4-byte read from lpvInBuffer as ioctl_hookservice.
0000033D 8B 46 10 mov eax, [esi].lpvInBuffer
00000340 8B 00 mov eax, [eax]
; Shared entry, also `call`ed from ioctl_getoverhead with eax preset.
00000342 internal_unhookservice:
; locate hook structure
; Invariant during the walk: edx -> the link field (HookUsed itself, or
; the previous record's SS_Next) whose value is edi. That lets the unlink
; below be a single store through edx.
00000342 8D 15 0000018C R lea edx, [HookUsed]
00000348 8B 3A mov edi, [edx]
0000034A C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_NOTFOUND
00000004
00000354 unhooksearch:
00000354 83 FF 00 cmp edi, 0
00000357 0F 84 000000C3 je ioctl_failure
0000035D 39 07 cmp [edi].SS_Ordinal, eax
0000035F 74 07 je unhookfound
00000361 8D 57 04 lea edx, [edi].SS_Next
00000364 8B 3A mov edi, [edx]
00000366 EB EC jmp unhooksearch
00000368 unhookfound:
; unhook service
; The record is left on HookUsed until the VMM confirms the unhook, so a
; failed unhook does not lose track of a still-installed hook.
00000368 C7 05 00000128 R mov IoctlError, VXDMHLP_ERROR_UNHOOK
00000006
00000372 56 push esi
00000373 8D 77 4C lea esi, [edi +(offset32 HookTemplateProc - offset32 HookTemplate)]
VMMCall Unhook_Device_Service
00000376 CD 20 2 int Dyna_Link_Int
00000378 0001011C 3 dd @@Unhook_Device_Service+0
0000037C 5E pop esi
0000037D 0F 82 0000009D jc ioctl_failure
; remove from list of used hook structures
00000383 8B 47 04 mov eax, [edi].SS_Next
00000386 89 02 mov [edx], eax
; add to list of free hook structures
; The page lock taken when this record was hooked is not released here.
00000388 A1 00000188 R mov eax, [HookFree]
0000038D 89 47 04 mov [edi].SS_Next, eax
00000390 89 3D 00000188 R mov [HookFree], edi
00000396 E9 00000081 jmp ioctl_success
; -------------------------------------------------------------------------
; Compute monitoring overhead
; -------------------------------------------------------------------------
; Measures Get_VMM_Version 128 times unhooked (t3..t4) and 128 times with
; this VxD's hook installed, then reports the per-call difference through
; lpvOutBuffer as one dword. Only the low 32 bits of rdtsc are used.
;
; Stack discipline on this path: esi, t3 and t4 are pushed before the
; hook call, and 0 plus the hooked TimeLo after it; `add esp, 4*4` and
; `pop esi` at the end undo all five.
; BUG(review): the `jc ioctl_failure` right after `call internal_hookservice`
; fires with esi, t3 and t4 still pushed, so ioctl_failure's `ret` returns
; into the saved rdtsc value instead of to the caller. Fix in the .asm
; source: branch to a local label that does `add esp, 8` / `pop esi` /
; `jmp ioctl_failure`.
0000039B ioctl_getoverhead:
0000039B 56 push esi
; save current time
0000039C rdts3: myRDTSC ; edx:eax = rdtsc
0000039C 0F 31 1 db 0Fh, 31h ; rdtsc
0000039E 90 1 nop ; pad to 4 bytes long
0000039F 90 1 nop ; pad to 4 bytes long
000003A0 50 push eax
; call Get_VMM_Version 128 times
000003A1 BE 00000080 mov esi, 128
000003A6 unhooked_time_loop:
VxDCall Get_VMM_Version
000003A6 CD 20 1 int Dyna_Link_Int
000003A8 00010000 2 dd @@Get_VMM_Version+0
000003AC 4E dec esi
000003AD 75 F7 jnz unhooked_time_loop
; save current time
000003AF rdts4: myRDTSC ; edx:eax = rdtsc
000003AF 0F 31 1 db 0Fh, 31h ; rdtsc
000003B1 90 1 nop ; pad to 4 bytes long
000003B2 90 1 nop ; pad to 4 bytes long
000003B3 50 push eax
; hook Get_VMM_Version. This should always be possible.
GetVxDServiceOrdinal eax, Get_VMM_Version
000003B4 B8 00010000 1 mov eax,@@Get_VMM_Version
000003B9 E8 FFFFFED3 call internal_hookservice
000003BE 72 60 jc ioctl_failure
; call it 128 times
000003C0 BE 00000080 mov esi, 128
000003C5 hooked_time_loop:
VxDCall Get_VMM_Version
000003C5 CD 20 1 int Dyna_Link_Int
000003C7 00010000 2 dd @@Get_VMM_Version+0
000003CB 4E dec esi
000003CC 75 F7 jnz hooked_time_loop
; get the time we've recorded
; Walk HookUsed for the record with ordinal 10000h (Get_VMM_Version).
; Unlike unhooksearch there is no end-of-list check; that is safe only
; because the hook call above succeeded and pushed the record onto the
; head of HookUsed.
000003CE 8D 15 0000018C R lea edx, [HookUsed]
000003D4 8B 3A mov edi, [edx]
000003D6 ovrsearch:
000003D6 81 3F 00010000 cmp [edi].SS_Ordinal, 10000h
000003DC 74 07 je ovrfound
000003DE 8D 57 04 lea edx, [edi].SS_Next
000003E1 8B 3A mov edi, [edx]
000003E3 EB F1 jmp ovrsearch
000003E5 ovrfound:
000003E5 6A 00 pushd 0
000003E7 8B 47 10 mov eax, [edi].SS_TimeLo
000003EA 50 push eax
; unhook it
; NOTE(review): CF from internal_unhookservice is not tested; a failed
; unhook leaves Get_VMM_Version hooked yet still reports an overhead.
GetVxDServiceOrdinal eax, Get_VMM_Version
000003EB B8 00010000 1 mov eax,@@Get_VMM_Version
000003F0 E8 FFFFFF4D call internal_unhookservice
; now compute the time difference, overhead = (t4-t3)-(t2-t1)
; Stack here: [esp]=TimeLo (hooked total), [esp+4]=0, [esp+8]=t4,
; [esp+12]=t3, [esp+16]=saved esi.  eax = TimeLo - 0 - t4 + t3.
000003F5 8B 04 24 mov eax, [esp]
000003F8 2B 44 24 04 sub eax, [esp+4]
000003FC 2B 44 24 08 sub eax, [esp+8]
00000400 03 44 24 0C add eax, [esp+12]
00000404 83 C4 10 add esp, 4*4
; eax now contains the overhead for 128 calls
00000407 C1 E8 07 shr eax, 7 ; divide by 128 -> per-call overhead
; save overhead per call
; NOTE(review): 4 bytes are written to lpvOutBuffer and 4 stored through
; lpcbBytesReturned without consulting cbOutBuffer, unlike the stats paths.
0000040A 5E pop esi
0000040B 8B 56 18 mov edx, [esi].lpvOutBuffer
0000040E 89 02 mov [edx], eax
; set size of output buffer
00000410 8B 56 20 mov edx, [esi].lpcbBytesReturned ; get output size pointer
00000413 B8 00000004 mov eax, 4
00000418 89 02 mov [edx], eax
0000041A EB 00 jmp ioctl_success
; Common exits. Both are also the `ret` for the internal_* entries when
; those are reached via `call`.
0000041C ioctl_success:
0000041C 33 C0 xor eax, eax ; return zero = success
0000041E F8 clc
0000041F C3 ret
00000420 ioctl_failure:
00000420 A1 00000128 R mov eax, IoctlError
00000425 F9 stc
00000426 C3 ret
EndProc VXDMHLP_ioctl
00000427 1 VXDMHLP_ioctl endp
;============================================================================
;
; VXDMHLP_Device_Exit - Cleans up any hooks that are still installed before
; exiting.
;
;============================================================================
00000427 Public VXDMHLP_Device_Exit