
vwin32 and win32 service table


ajron
April 27th, 2004, 03:44
Does anybody know if win32_service_table in vwin32.vxd differs between Windows versions (95/9x/Me)? I would like to hook some services by "ordinal", but I saw something like this in the icedump sources:

FindVWIN32Win32APIs:
push ecx
mov eax,[VWIN32.W32ServiceTable]
mov ecx,[eax] ; W32 API count
sub ecx,byte 4 ; last candidate must leave room for the 3 entries checked after it
add eax,byte 4 ; walk the parameter count list
.next:
add eax,byte 8 ; advance to the next entry (8 bytes per service)
cmp [eax],byte 2 ; first entry of the 2,2,5,5 parameter-count pattern?
loopnz .next ; keep walking while no match and candidates remain
jnz @F ; table exhausted without a match
cmp [eax+8],byte 2
jnz .next
cmp [eax+8+8],byte 5
jnz .next
cmp [eax+8+8+8],byte 5
jnz .next
sub eax,[VWIN32.W32ServiceTable]
shr eax,3 ; byte offset into the table -> service ordinal
mov [VWIN32.W32_SetThreadContext],eax
dec eax ; GetThreadContext is the preceding ordinal
mov [VWIN32.W32_GetThreadContext],eax
...

This code searches for services by a specific sequence of parameter counts instead of simply getting them by ordinal. So what do you think?

Kayaker
April 29th, 2004, 00:10
Hi

It's hard to say if there would be any rearranging of service ordinals across versions or whether new ones would just be tacked onto the end of the earlier version. In Matt Pietrek's Windows 95 System Programming Secrets he lists 4Eh of these Win32 Services, I read in a newsgroup there were something like 65h in Win98, and there were likely more added in WinMe. (These Win32 Services are referenced from the DDB_Win32_Service_Table pointer and are essentially equivalent to the newer Int2E ntdll services in Win2K).

Chances are new service function ordinals are added to the existing table (Win95->Win98A/B->WinMe), and any obsolete functions may simply point to a "not implemented" message, but this is a bold leap of M$ faith I wouldn't bet my house on.

While the Icedump code scans the parameter dword table as well, instead of just relying blindly on undocumented ordinal values, once the first service is found (W32_SetThreadContext), the rest are simply referenced to it in order and match the listing in Pietrek's book, i.e.

ord 15h = _VWIN32_Set_Thread_Context
dec eax
ord 14h = _VWIN32_Get_Thread_Context
add eax, 6
ord 1Ah = SuspendThread
etc.


Your best bet might be to disassemble vwin32.vxd for each of the OS's, if you can get hold of them, and see if you can confirm that the pattern of parameter dwords is at least the same. (VWin32.vxd is built dynamically from the file on the CD into VMM32.vxd on system installation and when the services are registered, so you might need to disasm vmm32.vxd instead).

Out of curiosity, does Icedump work OK on WinMe?

Kayaker
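The parameter-count walk ajron quoted and the ordinal arithmetic Kayaker lists (dec eax -> Get_Thread_Context, add eax,6 -> SuspendThread), as an added C example that is not from icedump or from either poster. It models the table the way the icedump scan addresses it (count dword at offset 0, the dword compared for ordinal n at byte offset 8n+4); that layout, the service count and the dummy addresses are assumptions of this example, not a statement about the real vwin32.vxd layout. It also shows the cross-check a hooking tool would want: if the scan finds nothing, or finds the pattern somewhere other than the documented Win95 ordinal, do not hook.

```c
#include <stdint.h>
#include <string.h>

#define WIN95_SERVICES 0x4E   /* Pietrek's Win95 count; 0x65 for Win98 per the thread */
#define MAX_SERVICES   0x80   /* room for a longer (Win98/WinMe-style) table */

/* Constructed table model (assumption): t[0] = service count; for ordinal n the dword
 * at byte offset 8n+4 (t[2n+1]) is what the scan reads as n's parameter count, and
 * t[2n] holds a dummy "function address". */
static uint32_t table[1 + 2 * MAX_SERVICES];

static void build_table(uint32_t count, int with_pattern) {
    memset(table, 0, sizeof table);
    table[0] = count;
    for (uint32_t n = 1; n < count; n++) {
        table[2 * n]     = 0xC0000000u + 0x40u * n;  /* constructed, not a real address */
        table[2 * n + 1] = 1;                        /* generic one-parameter service */
    }
    if (with_pattern) {           /* the 2,2,5,5 run starting at ordinal 15h */
        table[2 * 0x15 + 1] = 2;  table[2 * 0x16 + 1] = 2;
        table[2 * 0x17 + 1] = 5;  table[2 * 0x18 + 1] = 5;
    }
}

static uint32_t param_count(const uint32_t *t, uint32_t n) { return t[2 * n + 1]; }

/* C equivalent of the icedump walk: ecx = count-4 candidates starting at ordinal 1,
 * returning (eax - W32ServiceTable) >> 3, or -1 for the "jnz @F" exit. */
static int find_set_thread_context(const uint32_t *t) {
    uint32_t count = t[0];
    for (uint32_t n = 1; n + 3 < count; n++) {
        if (param_count(t, n) == 2 && param_count(t, n + 1) == 2 &&
            param_count(t, n + 2) == 5 && param_count(t, n + 3) == 5)
            return (int)n;
    }
    return -1;
}

struct vwin32_ords { int set_ctx, get_ctx, suspend; };

/* Resolve the three ordinals from the scan result exactly as the thread's listing does.
 * Returns 0 (and hooks nothing) when the pattern is absent or sits at an ordinal other
 * than the documented Win95 value, i.e. when book and scan disagree. */
static int resolve_ords(const uint32_t *t, struct vwin32_ords *o) {
    int s = find_set_thread_context(t);
    if (s < 0 || s != 0x15) return 0;
    o->set_ctx = s;            /* ord 15h = _VWIN32_Set_Thread_Context */
    o->get_ctx = s - 1;        /* dec eax       -> ord 14h = _VWIN32_Get_Thread_Context */
    o->suspend = o->get_ctx + 6; /* add eax, 6  -> ord 1Ah = SuspendThread */
    return 1;
}
```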

ajron
April 29th, 2004, 06:22
Thanks for the reply.

Quote:
[Originally Posted by Kayaker]Your best bet might be to disassemble vwin32.vxd for each of the OS's


Hmmm, it's probably the best choice.

Quote:
[Originally Posted by Kayaker]Out of curiousity, does Icedump work OK on WinMe?

I have no problem with it, but I want to write a similar tool on my own for educational purposes.

Here is a very, very first version of my tool, but it can already protect SoftICE from some tricks. It works on my WinMe with no problem. Maybe someone will find it useful.