Using a VxD, I tried to set a hook on the TIMER INTERRUPT by redirecting it to a function
(Our_Int_Handler). The hook was successful, but the problem is that I can't get the caller's
name, or can't compare it correctly.

The redirected code is as follows. The '****************' marker shows the
suspicious code.


BeginProc Our_Int_Handler
;-----------------------------------------------------------------------
; Our_Int_Handler  (VxD, ring 0)
; Entry:  EBP -> client register structure of the VM that raised the
;         interrupt (Client_EAX / Client_AX / Client_CX / Client_DX are
;         accessed through it).
; Exit:   CF clear = interrupt consumed (client registers rewritten),
;         CF set   = interrupt passed on unchanged.
;         All general registers restored by popad; flags are the result.
; Uses:   FLAGS, LD, SYS_VM - dword variables presumably declared
;         elsewhere in this file.
; NOTE(review): the post calls this a timer-interrupt hook, but the code
;         keys on DOS function 2Ah (Get System Date) in the client's AX,
;         which belongs to the INT 21h path - confirm which hook is set.
;-----------------------------------------------------------------------

pushad ;save every client-visible register; restored on both exits
mov eax,[ebp.Client_EAX] ;client's EAX at the time of the interrupt (Client_Reg_Struc field, not IOREQ - verify)
cmp ax,2A00h ;Get System Date (INT 21h AH=2Ah)? NOTE(review): tests the whole AX, so a caller with AL<>0 is ignored; compare AH alone if only the function number matters
jne Let_DOS_Work

xor eax,eax
mov FLAGS,eax ;FLAGS = 0: flags argument for _SelectorMapFlat below

VxDCall VWIN32_GetCurrentProcessHandle ;EAX = current process handle. NOTE(review): not checked for 0 before the dereference below
mov eax,[eax+38h] ;word/dword at +38h of the process structure - presumably the process's DOS selector; verify against the PDB layout
or al,7 ;selector low bits: TI=1 (LDT) and RPL=3
mov LD,eax ;LD = selector argument for _SelectorMapFlat

VmmCall Get_Sys_VM_Handle ;EBX = system VM handle
mov SYS_VM,ebx

VmmCall _SelectorMapFlat <SYS_VM,LD,FLAGS> ;EAX = linear (flat) base of selector LD, or -1 on failure. NOTE(review): failure is not checked; -1 + 0F2h = 0F1h would be dereferenced below

add eax,0F2h ;EAX = base + 0F2h: where the caller's name is assumed to live (undocumented offset - confirm)
mov ebx, [eax] ;EBX = first four bytes of the name (suspect line per the post)
int 3 ;active debugger breakpoint - remove for a non-debug build (see also the commented-out int3 below)
cmp ebx,'ideH' ;== "Hedi"? (little-endian dword of "Hedi" equals the MASM constant 'ideH')
jne Let_DOS_Work ;NOTE(review): the author reports this branch is always taken

mov bl,[eax+4] ;fifth byte of the name
cmp bl,'t' ;"Hedit" - one extra byte checked because the dword compare covers only four
jne Let_DOS_Work

;int3 For debugger

mov [ebp.Client_AX],1 ;AL = day of week returned to the caller
mov [ebp.Client_CX],1088 ;CX = year (decimal 1088)
mov [ebp.Client_DX],0101h ;DH = month 01, DL = day 01

Is_Hedit: ;label is not referenced anywhere in this proc
popad
clc ;CF clear: consume the interrupt, caller sees the values written above
ret

Let_DOS_Work:
popad
stc ;CF set: don't consume the interrupt, let DOS handle it
ret

EndProc Our_Int_Handler
Posted on 2003-11-01 12:54:47 by zakham
This looks like it should work; I can't find any errors here.
Try simplifying it a bit to reduce the possible sources of error:
;-----------------------------------------------------------------------
; Simplified handler body (fragment: no BeginProc/EndProc and no
; pushad/popad, so EAX is modified on every path).
; Entry:  EBP -> client register structure, as in Our_Int_Handler.
; Exit:   CF clear = interrupt consumed, CF set = pass it on.
; Differences from the original: the selector at +38h is loaded into GS
; as stored (no "or al,7"), the name bytes are read through GS instead
; of _SelectorMapFlat, and a null process handle is tested for.
;-----------------------------------------------------------------------
cmp [ebp.Client_AX],2a00h ;Get System Date? NOTE(review): still tests the whole AX, not AH alone

jnz Let_DOS_Work
VxDCall VWIN32_GetCurrentProcessHandle ;EAX = current process handle
test eax,eax
jz Let_DOS_Work ;no handle: pass the interrupt on
push gs ;preserve GS across the lookup
mov gs,[eax+38h] ;GS = selector word at +38h (presumably the process's DOS selector - verify). NOTE(review): an invalid selector faults here rather than falling through
xor eax,eax
mov al,242 ;EAX = 0F2h, the same name offset as in the original
cmp dword ptr [gs:eax],'ideH' ;first four bytes == "Hedi"?
jnz WrongProgram
cmp byte ptr [gs:eax+4],'t' ;fifth byte == 't' ("Hedit")
jnz WrongProgram
mov [ebp.Client_AX],1 ;day of week
mov [ebp.Client_CX],1088 ;year
mov [ebp.Client_DX],101h ;month / day
pop gs
clc ;consume the interrupt
ret
WrongProgram:
pop gs ;restore GS, then fall through
Let_DOS_Work:
stc ;pass the interrupt on
ret
Posted on 2003-11-02 06:51:54 by Sephiroth3