Under system tools in win98 there's a program that lets you see all the vxds that are running, look at startup registry items, and see what hooks are installed by which programs. This has the makings of a great privacy tool: record the info and if any of it changes, alert the user.

I haven't ever found any code that reliably traverses the vxd chain under w98; there's some that kluges its way thru under w95.

Is anyone interested in working on that?

Hi

There's some interesting possibilities there Mike for a system device driver monitor hook utility. You could hook relevant VXDLDR services to monitor a host of system actions. You can hook pretty well any system call with VMMCall Hook_Device_Service.

;---------------
GetVxDServiceOrdinal eax, Service ; Virtual device or VMM service to hook.
mov esi, OFFSET32 HookProc ; points to the hook procedure to install
VMMCall Hook_Device_Service
jc not_installed ; carry flag set if error

Allows one virtual device to monitor or replace the services of another virtual device, or of the VMM itself. ESI contains the address of the specified service.
;---------------

For example, you can monitor system level drivers being loaded and unloaded with the following code:


Here's an example to install a hook to watch for MS-DOS apps starting:

Icedump uses this technique for several hooks in cmd_trace.asm, including Get/Set_Thread_Context.

What is interesting is that you may be able to _implicitly_ hook Win32 functions as well. There are dozens of registry and memory services you could hook that Win32 APIs may eventually call down to at the system level.


I was poking around in msisys.vxd, which is the driver Msinfo.exe uses, to see what service it hooked (this is the monitoring program Mike is talking about). Here's another example of MS being mysterious, the service being hooked is coded directly as a hex value and isn't retrieved with GetDeviceServiceOrdinal.




It wouldn't be that difficult to design something, people would just need to learn how to write a vxd. The MS Device Driver Kit file Other.chm and Iczelion's vxd writing tutorials are all that is needed. I could supply a vxd skeleton interfaced to a basic GUI written in MASM as a starting point if anyone showed any interest. It is no different from coding in Win32, just done with different API calls within a vxd framework. Getting a listing of the Kernel and DOS drivers loaded on your system is coded using VMM_GetVxDLocationList for the static and VXDLDR_GetDeviceList for the dynamically loaded vxds.


In the interest of generating interest, here's a little code which traverses the linked Device Descriptor Block (DDB) chain, which is added to when a driver is loaded, and searches if Icedump is present. If it is, the ascii text defining it is patched so it can't be recognized by some lame attempts at Icedump detection. See the mini-project "int 20 (hinte's crackme #6)" for more on this and some descriptions of the calls and structures used in the code. This is the Icedump protection I wrote against the crackmes detection attempt.


There is an example with source at Iczelion's which shows how to get a listing output of the system drivers as well as the IDT/LDT/GDT descriptor tables and a dump function.

http://win32assembly.online.fr/files/sysview.zip

Any takers?

Kayaker

Interesting project idea... Was going to reply to this one and post some info about the traversing the DDB chain, but damn! Kayaker, you're just too thorough! Unfortunately, I don't have time to get involved in another project, but if anyone decides to learn how to write a VxD, either Kayaker or myself will be glad to lend assistance. He's right... Its not that much harder than writing regular ASM, just a different format, a different set of APIS, and many more opportunites to play with fire and get burned

Clandestiny

Howdy,

Ya'all kick it hard !!!!!
It scares me sometimes :-)

Peace, Woodmann

What tools do I need to start? An assembler, obviously. Anything else?

hi,
something to learn? i'll join the cause!
i don't know not much about vxd but (exams allowing) i'll be of yours.

i think we can begin the project but i have a little question: what exactly the project will be? just traversing the DDB chain?

bye,
ZaiRoN

Hey Kayaker:

Hmm if there is space for one more, I'd like to hop in too. I too don't know much about VxD but I could learn

Signed,
-- FoxThree

hi foxthree,
welcome on board!
more we are and better it is

ciao,
ZaiRoN

Cool, let's kick some ass hard, lol. Long live Ring0 exploits, heh heh. There's plenty of potential here for reversing fun 'n games, as well as building better protections. To get some idea of the how and whys of system driver hooking, try a Google search for Hook_Device_Service and check out what's been done before. Here are a few examples:

-Some general explanations of vxd hooking and how a keyboard hook can be implemented. Written by some dude named +Fravia, never heard of him but he looks to become a promising reverser
http://www.woodmann.net/fravia/filemon5.htm

-More important generalities in coding a hook. Take note of the BeginProc macro style required to unhook the hook (this is explained further in the DDK docs):
http://www.searchlores.org/protec/rcg_vxd2.htm

-Some discussion of Registry Services which can be trapped to monitor opening, closing, creating, and deleting Registry keys and values. Also, using IFSMgr_InstallFileSystemAPIHook to monitor file access. As used by the install monitor InCtrl4:
http://www.ntu.edu.sg/cits/software/download/inctrl4.htm

-An example of capturing dialup passwords by hooking services exported by VCOMM.VXD:
http://www.phreedom.org/article.php?id=30

...post continued...

As for what's required, you need to d/l one of the Microsoft Windows Driver Development Kits at
http://www.microsoft.com/ddk/

I guess you can accomplish this with an NT/XP/2000 driver as well, but for Win98 you can get the necessary DDK components at
http://www.microsoft.com/ddk/install98ddk.asp#Segments

The full install is 25.8Mb, but I think you can get away with just the following two. What is needed are the Include files and the file Other.chm:
http://www.microsoft.com/ddk/download/98/98SETUP.EXE
3.4Mb
http://www.microsoft.com/ddk/download/98/OTHER.EXE
3.7Mb

As for what you want to write it in, I use MASM v.7, but there is a tool called VxDWriter which you can use to write it in C/C++. Other docs include

Iczelion's vxd writing tutorials
http://spiff.tripnet.se/~iczelion/tutorials.html

[Yates] - a set of 3 vxd tutorials, I won't insult anyone by not assuming they can't search for these

Also, d/l the Virtual Machine Manager Services (VMM) Help file that I uploaded in a previous vxd mini-project. This isn't a replacement for the DDK file other.chm, but it does contain some of the same info:
http://www.woodmann.net/forum/showthread.php?threadid=1915

Heh, that mini-project may not have gone anywhere, but the hard-to-find VMM help file was downloaded 298 times, lol! I wonder sometimes if people hoard everything they can get their hands on just for the sake of it...


One more thing, about what I said about the disassembly of msisys.vxd not showing which service was hooked, in retrospect "duh, of course not!"
This is because
GetVxDServiceOrdinal eax, Service
is a macro, defined in vmm.inc. So if you code in the name of the Service to be hooked, it is compiled as a ServiceOrdinal value, any name information disappears. The high word of the ServiceOrdinal is the VxD ID and the low word is the service number.
For the record, the call that was hooked by msisys.vxd was VMMcall Log_Fault_Call_Out. Check out the VMMCall list compiled by Daemon for a quick way to find out unknown VMM service numbers:
http://www.anticrack.de/daemon/VMMCalls.txt


That's about it for now I guess. I don't think there's really any "project" here yet, just throwing out some ideas along the lines of a system monitoring tool of some kind, or general vxd coding or whatever. It's pretty well open to suggestions or whatever direction people might take it. I'm working on a very basic implementation of a hook right now which will trigger when a dynamically loaded driver is loaded (hooking VMM_Add_DDB). If I get it working I'll up the source as a template, the hook can be replaced with any other.

What's important I guess is what you do *with* the hook. Other than making the actual hook and/or informing the user, I haven't really thought that far ahead yet, lol.

Kayaker

Hi All,

OK, here's a little something, an example showing how to set a system hook using VMMCall Hook_Device_Service from within a VxD. The example hooks VMM_Add_DDB, which can be used to detect application system drivers being loaded. When a hook occurs, a system modal error box is displayed showing information gathered about the driver being loaded and allows for user input. Further action can be taken or the information can be sent back to Win32.

The example can be used as a vxd skeleton or the hook VMM_Add_DDB can be replaced with any other to try out different hooks. Commented source is included, though you'll still need the appropriate include files from the Win98 DDK to compile it. The hook routine could in theory be placed in a static vxd as well that loaded on system startup.

Setting a Kernel or application driver hook has interesting reversing potential. I haven't yet tested creating a hook after accessing Ring0 in 'non-traditional' ways, i.e. without using a vxd. It may be possible, but there can be reentrancy issues with calling certain system level functions in a self-generated interrupt, let alone creating a further hook from within an ISR. Clandestiny has tried certain VxDCall IFSMgr_Ring0_FileIO calls from within a Ring0 interrupt routine, and there were several issues with this. These may be confined to file I/O calls though where timing may become a problem.

In any case, I hope someone learns something from this, and maybe we could get some feedback from anyone trying a different hook, or maybe has further ideas as to a type of tool we could develop with this knowledge.

Have fun,
Kayaker

hi Kayaker!
this source is added to the readings that carry me in this new vxd_world
thx..

ZaiRoN