I set a hook on the file system from a VxD, using the Win98 DDK.
Whenever an attempt is made to OPEN a file, I tried to show a message box. But it just crashes
with a blue screen saying that there is some fault in VMM, selector 28:XXXXXXX.
SoftICE takes control when I set 'Faults ON'. It asks 'C' to continue and 'R' to
return, but a return crashes again. I have only limited knowledge of BSOD catching
and I am eager to know more about it and how to track it.
After the successful hook and the redirection to the function FS_Monitor, the code
below, where I tried to show the message box when an OPEN attempt fires (in
between the '###...' lines below),
causes this fault.
BeginProc FS_Monitor
    ; C calling convention: six dword arguments, the caller cleans the stack.
    push    ebp
    mov     ebp,esp
    sub     esp,20h                         ; 20h bytes of locals (never written to)
    ; Parameters on the stack:
    ; ebp+00h -> saved EBP value
    ; ebp+04h -> return address
    ; ebp+08h -> address of the FSD function that is to be called for this API
    ; ebp+0Ch -> function that is being performed (IFSFN_*)
    ; ebp+10h -> 1-based drive the operation is being performed on (-1 if UNC)
    ; ebp+14h -> kind of resource the operation is being performed on
    ; ebp+18h -> codepage the user string was passed in on
    ; ebp+1Ch -> pointer to the IOREQ structure
    ; Total 20h bytes including saved EBP and return address (18h bytes of arguments)
    ; Check if we are trying to process our own IFS calls (re-entrancy guard)
    cmp     dword ptr [our_own_call],"BUSY"
    je      exit_FS_hook
    ; Check for OPEN
    ; This function is also called before execution...
    cmp     dword ptr [ebp+0Ch],IFSFN_OPEN
    je      OPEN_FILE
exit_FS_hook:
    ; Push the six parameters again, right to left, for the previous FS API hook
    mov     eax,dword ptr [ebp+1Ch]
    push    eax
    mov     eax,dword ptr [ebp+18h]
    push    eax
    mov     eax,dword ptr [ebp+14h]
    push    eax
    mov     eax,dword ptr [ebp+10h]
    push    eax
    mov     eax,dword ptr [ebp+0Ch]
    push    eax
    mov     eax,dword ptr [ebp+08h]
    push    eax
    ; Call the previous hook; Prev_IFS_Hook holds a pointer to the previous hook's address
    mov     eax,dword ptr [Prev_IFS_Hook]
    call    dword ptr [eax]
    ; The IFS hooker must remove the six dwords it pushed before returning to the caller
    add     esp,00000018h
    leave                                   ; back to caller
    ret
;----------------------------------------------------------------------------
; Open a file / create a file
;----------------------------------------------------------------------------
OPEN_FILE:
    ; Save regs
    pushfd
    pushad
    mov     dword ptr [our_own_call],"BUSY" ; set IFS busy flag
    ;###################################################
    ; HERE I TRIED TO DISPLAY A MESSAGEBOX (here is the page fault culprit)
    popad                                   ; restores the saved registers
    popfd                                   ; restores the saved flags; ESP is back at ebp-20h
    mov     ecx,OFFSET32 Loaded             ; just display a message (Loaded = a string)
    jmp     CommonCode                      ; CommonCode contains VxDCall SHELL_Message and the
                                            ; clearing stuff (clc, ret). Because this is a JMP
                                            ; rather than a CALL, CommonCode's RET pops the
                                            ; uninitialised dword at [ebp-20h] as its return
                                            ; address instead of coming back here, so nothing
                                            ; below this line runs and the busy flag is never
                                            ; reset.
    pushfd                                  ; intended to re-save the registers, but never reached
    pushad
    ;###################################################
    ; Reset IFS busy field
    mov     dword ptr [our_own_call],"FREE"
    ; Get regs back
    popad
    popfd
    jmp     exit_FS_hook
EndProc FS_Monitor
You may have meant to write:
    pushad
    pushfd
    call CommonCode
    popfd
    popad
Also the code after exit_FS_hook can be replaced with:
    mov eax,
    leave
    jmp
And the mov eax,dword ptr , push eax etc. can be replaced with:
    push byte 6
    pop ecx
loop1:
    push dword ptr
    loop loop1
You might as well leave out the stack frame, since you're not using it.
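The hook rewritten along the lines of that reply, as an added example rather than code from either poster: CommonCode is CALLed so that its RET lands back inside the hook, the busy flag is cleared on the way out, and the stack frame is dropped so the previous hook can be reached with a tail JMP that leaves the IFS manager's six arguments and return address exactly where they were for the caller to clean up. It carries over the original's assumptions: CommonCode ends in RET and does its own register setup for SHELL_Message, Prev_IFS_Hook holds a pointer to the previous hook's address (the value IFSMgr_InstallFileSystemApiHook returns), and Loaded, IFSFN_OPEN and our_own_call are declared as in the original.

```asm
; Added example (not the original poster's or the reply's code): FS_Monitor
; with a CALL to CommonCode and a tail JMP to the previous hook.
; Assumed from the original: CommonCode ends in RET, Prev_IFS_Hook holds a
; pointer to the previous hook's address, and Loaded / IFSFN_OPEN /
; our_own_call are declared elsewhere in the VxD.
BeginProc FS_Monitor
        ; No stack frame. On entry the IFS manager's arguments are at:
        ;   [esp+04h] FSDFnAddr      [esp+08h] FunctionNum
        ;   [esp+0Ch] Drive          [esp+10h] ResType
        ;   [esp+14h] CodePage       [esp+18h] pIOREQ
        cmp     dword ptr [our_own_call],"BUSY"  ; re-entered from our own message box?
        je      chain_to_previous
        cmp     dword ptr [esp+08h],IFSFN_OPEN   ; only OPEN is of interest
        jne     chain_to_previous

        pushfd                                   ; preserve flags and registers for
        pushad                                   ; the rest of the hook chain
        mov     dword ptr [our_own_call],"BUSY"  ; opens caused by the box pass straight through
        mov     ecx,OFFSET32 Loaded              ; message text for CommonCode
        call    CommonCode                       ; CALL, so CommonCode's RET returns to the next line
        mov     dword ptr [our_own_call],"FREE"  ; reached now, so the flag is always cleared
        popad
        popfd

chain_to_previous:
        ; Tail call: the six arguments and the return address are untouched,
        ; so the previous hook returns directly to our caller, which removes
        ; the arguments under the C calling convention. No add esp / leave / ret.
        mov     eax,dword ptr [Prev_IFS_Hook]
        jmp     dword ptr [eax]
EndProc FS_Monitor
```

Two things to keep in mind with this shape: our_own_call is a single global, not a per-thread or atomic flag, so any OPEN issued by another thread while the message box is on screen is also passed through unmonitored; and with no frame the argument offsets are relative to ESP, so they are only valid before the pushfd/pushad and after the popad/popfd.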