http://www.programmershare.

com/2626160/
VxD Programming Tutorial
Tag: VC development, Author: staramyren Date: 2012-10-28
VxD Programming Tutorial: TBsoft
-------------------------------------------------- -----------------------------An installation of Windows 95 DDK
Install the Windows 95 DDK generally need to install the Win32 SDK, because the Windows 95
DDK need 16 of the Win32 SDK resource compiler, but the Win32 SDK (a full capacity of the
disc), and the hard-to-find, ftp station on rare, even if the download is also very difficult. After a
period of exploration, the author has found several simple ways to install Windows 95 DDK's, will
now be described below:
Methods: using a third-party resource compiler
1, modify the registry, simulation Win32 SDK has been installed.
The establishment of a the named WIN32SDK.REG registry file, says:
REGEDIT4
[HKEY_USERS/.Default/Software/Microsoft/Win32SDK]
[HKEY_USERS/.Default/Software/Microsoft/Win32SDK/Directories]
"Install Dir" = "C :/ / MSTOOLS"
Explorer, double-click the file, the contents of this file is added to the registry. You can install the
Windows 95 DDK.
2, run SETUP.EXE file in the Windows 95 DDK, install the Windows 95 DDK to C :/ DDK.
3 to install MASM 6.11 to the C :/ MASM611, install the file upon completion is not installed in the
Windows 95 DDK MASM611C directory the cover C :/ MASM611/BIN.
Install Visual C + + 5.0 (4.0 can also, but not 6.0) to C :/ Program Files / DevStudio / VC.
5, the establishment C :/ MSTOOLS/BINW16 directory, copy the resource compiler. Windows 95
DDK requires a Win32 resource source file can be compiled into a 16-bit resource resource
compiler. If you have Win32 SDK can be files in BINW16 directory directly copied to the C :/
MSTOOLS/BINW16, if there is no Win32 SDK, you can use third-party resource compiler to use
Borland resource compiler, for example:
Ready Turbo MASM 5.0 set of the to decompress CMDLINE.PAK with UNPAK tools file, locate
the following three documents:
BRC.EXE
BRCC32.EXE
RW32CORE.DLL
These three files are copied to the C :/ MSTOOLS/BINW16, and is renamed BRC.EXE RC.EXE
to.
6, to modify CONFIG.SYS increase environment variable space.
Finally, add a line in the CONFIG.SYS file:
SHELL = C :/ WINDOWS / COMMAND.COM / E: 8192 / P
7, Windows 95 MS-DOS, to initialize the build environment (best to create a batch file):
C :/ MASM611/BINR/NEW-VARS.BAT

C :/ DDK / DDKINIT.BAT 32 BASE

(Compiler, device drivers are also different parameters)
C :/ Program Files/DevStudio/VC/bin/VCVARS32.BAT
You can use the Windows 95 DDK, warning that appears when the connection can ignore. The
second method: using the Windows 98 DDK full version of Windows 98 DDK (about 30M)
including Windows 95 DDK, a full set of SDK compiler and MASM 6.11C compilation device,
installation method is very simple: install the Windows 98 DDK and Visual C + + 5.0, and then
directly run "Check the Build Environment" (compiled with debug the information device drivers)
or "Free Build Environment" (compiled officially released version of the device driver) program
keys to.
Second, an interceptor Windows 95/98 VxD file operations
VxD - virtual device driver, as the name suggests, VxD is used to control hardware devices, so
why talk about a block Windows 95/98 file operations VxD? In fact, the VxD not only can be used
to control hardware devices, because the the VxD work in 80386 protected mode Ring 0 privilege
level (the highest privilege level), and the general application in Ring 3 privilege level (the lowest
privilege level), so the VxD can be done many API functions can not be completed, such as read
and write ports, physical memory read and write, interrupt calls, API interception. Because of so,
VxD in the Windows system programming with a wide range of applications, in fact we are
generally encountered Windows API does not resolve the difficult problem to solve before
considering writing VxD solve the problem. All file operations are presented here interception
Windows 95/98 VxD file operations can be used to intercept Windows 95/98 (Windows NT does
not support VxD), then the VxD what you do with it? The biggest use may be - the virus firewall to
filter for file operations, dynamic virus detection and dynamic anti-virus. VxD the principle and the
principle of popular CIH virus infection is basically the same. (In fact, if you want to ask me why I
write such a VxD, it is because - I Virus version moderators.)
The file name of the VxD FILEHOOK.VXD source (FILEHOOK.ASM) as follows:
The; FILEHOOK.VXD-- intercept file operations of the Windows 95/98 VxD
.386 P
The XLIST
INCLUDE VMM.Inc,
INCLUDE VWin32.Inc,
INCLUDE Shell.Inc,
MASM = 1
INCLUDE IFS.Inc,
INCLUDE IFSMgr.Inc,
. LIST
; VxD Statement
Declare_Virtual_Device
FILEHOOK, 1,0, VxD_Control, Undefined_Device_ID,,,
; Protected mode data segment
VxD_DATA_SEG
Prev_File_System_Api_Hook dd 0

In_File_System_Api_Hook db 0
Message1 db 'Open file!', 0
Caption1 db 'FILEHOOK', 0
VxD_DATA_ENDS
; Protected mode code segment
VxD_CODE_SEG
The; system control process
BeginProc VxD_Control
Control_Dispatch SYS_DYNAMIC_DEVICE_INIT, VxD_Device_Init
Control_Dispatch SYS_DYNAMIC_DEVICE_EXIT, VxD_Device_Exit
Control_Dispatch W32_DEVICEIOCONTROL, VxD_IOCTL
clc
ret
ENDPROC VxD_Control
; IOCTL control (device I / O control) process
BeginProc VxD_IOCTL
DeviceIoControl control code; Get
mov ecx, [esi.dwIoControlCode]
cmp ecx, 1
jz Install_File_System_Api_Hook
cmp ecx, 2
jz Uninstall_File_System_Api_Hook
jmp VxD_IOCTL_Exit
; Installable File System API hooks
Install_File_System_Api_Hook:
mov eax, OFFSET32 File_System_Api_Hook
VxDCall IFSMgr_InstallFileSystemApiHook
or eax, eax
jz Error_Handler
; Saved on a file system API hooks address
the mov Prev_File_System_Api_Hook, EAX
jmp VxD_IOCTL_Exit
; Remove the file system API hooks
Uninstall_File_System_Api_Hook:
mov eax, OFFSET32 File_System_Api_Hook
VxDCall IFSMgr_RemoveFileSystemApiHook
cmp eax, 0FFFFFFFFH
jz Error_Handler
jmp VxD_IOCTL_Exit
; IOCTL control the end of the process
VxD_IOCTL_Exit:
xor eax, eax
clc
ret

; Error Processing
Error_Handler:
mov eax, 0FFFFFFFFH
stc
ret
ENDPROC VxD_IOCTL
; VxD_Device_Exit process
BeginProc VxD_Device_Exit
clc
ret
ENDPROC VxD_Device_Exit
; The file system API hook procedure (C language calling)
BeginProc File_System_Api_Hook, CCALL
ArgVar FSDFnAddr, DWORD
ArgVar FunctionNum, DWORD
ArgVar Drive, DWORD
ArgVar ResourceFlags, DWORD
ArgVar CodePage, DWORD
ArgVar PIR DWORD
EnterProc
pushad
; To prevent the re-entry
cmp byte ptr In_File_System_Api_Hook are, 00h
JNZ Prev_Hook
; More open file operation?
cmp dword ptr FunctionNum, IFSFN_OPEN
JNZ Prev_Hook
; Reentrant flag set
inc byte ptr In_File_System_Api_Hook
; Take the current VM handle
VMMCall Get_Cur_VM_Handle
; Displays a message box
mov eax, MB_ICONASTERISK + MB_OK
mov ecx, OFFSET32 Message1
mov edi, OFFSET32 Caption1
mov esi, 0
mov edx, 0
VxDCall Shell_Message
; Cancel reentrant flag
DEC byte ptr In_File_System_Api_Hook is
; Go to the previous file system API hooks address
Prev_Hook:
popad
LeaveProc
mov eax, Prev_File_System_Api_Hook
jmp [eax]
Return
ENDPROC File_System_Api_Hook

VxD_CODE_ENDS
; Protected mode initialization code segment
VxD_ICODE_SEG
; VxD_Device_Init process
BeginProc VxD_Device_Init
clc
ret
ENDPROC VxD_Device_Init
VxD_ICODE_ENDS
end
The VxD dealt with in the the device control the process (VxD_Control process) in the three
systems control messages, are SYS_DYNAMIC_DEVICE_INIT (dynamic VxD initialization)
SYS_DYNAMIC_DEVICE_EXIT the (dynamic VxD exit) and W32_DeviceIoControl (device I / O
control), the corresponding message processing is VxD_Device_Init, VxD_Device_Exit and
VxD_IOCTL. The only VxD_Device_Init the process and VxD_Device_Exit process clear the
carry flag returns (for success) the VxD_IOCTL process is the Windows 95/98 application VxD
communication interface, complete the installation and removal of the file system API hooks,
[esi.dwIOControlCode] device I / O control code, the control code of 1 Installable File System API
hook to remove the file system API hooks, 2:00. File_System_Api_Hook file system API hook
process, as a simple example, the hook procedure to determine whether to open the file
operation, display a simple message box, and then jump to a file on the hook (equivalent to the
old file system API entrance). If you need to expand the functionality can be increased in the
process code. Assembly is attached VxD need a module definition file and a NMAKE file (manual
assembly connection, of course, also possible). These two files can modify GENERIC instance
DDK in the module definition file and NMAKE files directly from the module definition file
(FILEHOOK.DEF) as follows:
The VXD FILEHOOK Dynamic
DESCRIPTION 'File System API Hook Program'
SEGMENTS
_LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE
_TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE
CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE
_TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE
_BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LMSGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
_LMSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
_IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
_IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
_ITEXT CLASS 'ICODE' DISCARDABLE
_IDATA CLASS 'ICODE' DISCARDABLE
_PTEXT CLASS 'PCODE' NONDISCARDABLE
_PMSGTABLE CLASS 'MCODE' NONDISCARDABLE IOPL

_PMSGDATA CLASS 'MCODE' NONDISCARDABLE IOPL

_PDATA CLASS 'PDATA' NONDISCARDABLE SHARED
_STEXT CLASS 'SCODE' RESIDENT
_SDATA CLASS 'SCODE' RESIDENT
_DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_16ICODE CLASS '16ICODE 'PRELOAD DISCARDABLE
_RCODE CLASS 'RCODE'
EXPORTS
FILEHOOK_DDB @ 1
NMAKE file (Makefile) as follows:
! Ifdef MASTER_MAKE
BUILD_BITS = 32
BUILD_TYPE = base
! INCLUDE $ (DDKROOT) / master.mk
! Endif
Name = filehook
# Supply the location of a 16-bit linker
LINK =
# Definitions for the debug level
! Ifdef debug
DDEBUG =-DDEBLEVEL = 1-DDEBUG
! Else
DDEBUG =-DDEBLEVEL = 0
! Endif
# Definitions for MASM 6 Assembler
ASM = ml
AFLAGS =-coff-DBLD_COFF-DIS_32-W2-c-Cx-Zm-DMASM6 $ (DDEBUG)
ASMENV = ML
LFLAGS = / VXD / NOD
# MASM 6 only inference rules
, Asm.obj.:
set $ (ASMENV) = $ (AFLAGS)
$ (ASM)-Fo $ obj $ <
all: $ (NAME). VXD
OBJS = filehook.obj
filehook.obj: filehook.asm
$ (NAME). Vxd: $ (NAME) def $ (OBJS)
link @ << $ (NAME). lnk

$ (LFLAGS)
/ OUT: $ (NAME). Vxd
/ MAP: $ (NAME) map
/ DEF: $ (NAME) def
$ (OBJS)
<<
mapsym-s-o $ (NAME). sym $ (NAME). map
clean:
*. obj
*. vxd
*. exp
*. lib
*. map
*. sym
With these two files, run NMAKE to compile connection VxD.
Three, Windows 95/98 application VxD communication
Windows 95/98 application and communication VxD general use DeviceIoControl function,
Here is an example source (FHTEST.C) as follows:
/ / Intercept Windows 95/98 file operations test program
# Include
# Include "tchar.h"
# Define INSTALL_FILE_SYSTEM_API_HOOK a 1
# Define UNINSTALL_FILE_SYSTEM_API_HOOK 2
static TCHAR szAppName [] = _T ("FHTEST");
the static TCHAR szAppTitle The [] = _T ("the interception Windows 95/98 file operations test
program");
static HANDLE hDevice;
LRESULT CALLBACK WndProc (HWND hWnd, UINT Message, WPARAM
wParam, LPARAM lParam);
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE
hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
HWND hWnd;
WNDCLASSEX wcex;
Msg Msg;
/ / This program can not be run in Windows NT
if (GetVersion () <0x80000000)
{
MessageBox (NULL, _T ("This program can not be run in Windows NT!
"), SzAppTitle, MB_ICONINFORMATION | MB_OK);
return FALSE;
}
if (! hPrevInstance)
{
wcex.cbSize = sizeof (WNDCLASSEX);
wcex.style = CS_HREDRAW | CS_VREDRAW;

wcex.lpfnWndProc = WndProc;
wcex.cbClsExtra = 0;
wcex.cbWndExtra = 0;
wcex.hInstance = hInstance;
wcex.hIcon = LoadIcon (hInstance, IDI_APPLICATION);
wcex.hCursor = LoadCursor (NULL, IDC_ARROW);
wcex.hbrBackground = (HBRUSH) (COLOR_WINDOW +1);
wcex.lpszMenuName = NULL;
wcex.lpszClassName = szAppName;
wcex.hIconSm = LoadIcon (hInstance, IDI_APPLICATION);
if (! RegisterClassEx (& wcex)) return FALSE;
}
hWnd = CreateWindow (szAppName, szAppTitle, WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
0,0, hInstance, NULL);
if (! hWnd) return FALSE;
ShowWindow (hWnd, nCmdShow);
UpdateWindow (hWnd);
while (GetMessage (& msg, 0, 0, 0))
{
TranslateMessage (& Msg);
DispatchMessage (& Msg);
}
return Msg.wParam;
}
LRESULT CALLBACK WndProc (HWND hWnd, UINT Message, WPARAM wParam, LPARAM
lParam)
{
HDC hDC;
PAINTSTRUCT ps;
DWORD CB;
BOOL bResult;
switch (message)
{
case WM_CREATE:
hDevice = CreateFile (" );
if (hDevice! = INVALID_HANDLE_VALUE)
{
bResult = DeviceIoControl (hDevice, INSTALL_FILE_SYSTEM_API_HOOK, NULL, 0, NULL, 0, &
cb, 0);
if (bResult) MessageBox (hWnd, _T ("file system API hooks installed successfully!"), szAppTitle,
MB_ICONINFORMATION | MB_OK);
else MessageBox (hWnd, _T ("can not mount the file system API hooks!") szAppTitle,
MB_ICONINFORMATION The | MB_OK);
}
else
{
MessageBox (hWnd, _T ("can not to open FILEHOOK.VXD!
"), SzAppTitle, MB_ICONINFORMATION | MB_OK);
}
break;
case WM_PAINT:
hDC = BeginPaint (hWnd, & ps);

EndPaint (hWnd, & ps);

break;
case WM_DESTROY:
if (hDevice! = INVALID_HANDLE_VALUE)
{
bResult = DeviceIoControl (hDevice, UNINSTALL_FILE_SYSTEM_API_HOOK, NULL, 0, NULL,
0, & cb, 0);
if (bResult) MessageBox (hWnd, _T ("file system API hooks removed successfully!"), szAppTitle,
MB_ICONINFORMATION | MB_OK);
else MessageBox (hWnd, _T ("can not remove file system API hooks!
"), SzAppTitle, MB_ICONINFORMATION | MB_OK);
CloseHandle (hDevice);
}
else
{
MessageBox (hWnd, _T ("can not open FILEHOOK.VXD!"), SzAppTitle,
MB_ICONINFORMATION | MB_OK);
}
PostQuitMessage (0);
break;
default:
return DefWindowProc (hWnd, Message, wParam, lParam);
}
return 0;
}
This program uses the CreateFile function dynamically loaded VxD, then use the DeviceIoControl
function to send to the VxD device I / O control codes, installation and removal of the file system
API hooks, and finally use the CloseHandle function dynamically remove VxD. Run the program,
if the file system API hooks installation is successful, it will display the file system API hooks
installed! "Message box, and then as long as the file open, it will show" Open File! "In the
message box. Will be shown when you exit the program, if the file API hooks removed
successfully the File API hooks removed successfully! "Message box, after you open the file
operations no longer displays a message box.
IV Summary
The above examples demonstrate a complete block VxD and Windows 95/98, Windows 95/98 file
system API applications with the VxD communication method. The VxD can be used as a basic
framework, with some slight modifications can be used for virus and firewall software. In fact, the
VxD features far more than that, take full advantage of the functionality of the VxD can write many
advanced applications can not use the API to write. This tutorial is just a simple VxD
programming examples, because I level, coupled with less time, written in a more simple, please
forgive me, but also we welcome the discussion. VMM functions used in this tutorial, the VxD
functions and API functions, please refer to the relevant manual or help.