DDB help .. please!


SV
November 12th, 2000, 07:47
Hi reversers

I have found this part of code.

mov eax, 2Ah
VMMcall Get_DDB
mov ecx, [ecx+38h]
add ecx, 0B0h

Please, I need some more description of the DDB structure.
Thx SV

Get_DDB
include vmm.inc

mov eax, Device_ID
mov edi, Device_Name
VMMCall Get_DDB
mov [DDB], ecx

Determines whether or not a VxD is installed for the specified device and returns a DDB for that device if it is installed. Uses ECX, flags.
Returns a DDB for the specified device if the function succeeds; otherwise, returns zero.
Device_ID
The device identifier. This parameter can be zero for name-based devices.
Device_Name
An eight-character device name that is padded with blank characters. This parameter is only required if Device_ID is zero. The device name is case-sensitive.

The Owl
November 12th, 2000, 10:07
Quote:

mov eax, 2Ah
VMMcall Get_DDB
mov ecx, [ecx+38h]
add ecx, 0B0h

Please, I need some more description of the DDB structure.


vmm.inc from the DDK has the full definition, IDA recognizes it too, or vxdn.inc from icedump. At offset 38h you have the Win32 services table pointer. The table is a structure: the first dword contains the number of elements that follow thereafter. Each element has two dwords, one is a function offset, the other is the number of parameters used. Win32 services exported by a VxD can be called from user mode by using kernel32.vxdcall (documented by Pietrek for example).
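
The table layout described in the reply above, as an added example that is not part of the original post or of the DDK: a bounds-checked parser for a captured image of the table, such as one cut from a memory dump during analysis. The names `w32svc_entry` and `parse_w32svc_table`, the field order inside each element and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One table element as described in the post: two dwords.
   Field order (offset first, then parameter count) is an assumption. */
typedef struct {
    uint32_t func_offset;
    uint32_t param_count;
} w32svc_entry;

/* Read a little-endian dword without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a captured table image: [count][entry 0][entry 1]...
   Returns the number of entries written to out, or -1 if the image is
   truncated or the count does not fit in the buffer or in out. */
int parse_w32svc_table(const uint8_t *buf, size_t len,
                       w32svc_entry *out, size_t out_cap) {
    if (len < 4) return -1;
    uint32_t count = rd32(buf);
    /* Bounds check before trusting a count read from a dump. */
    if (count > (len - 4) / 8 || count > out_cap) return -1;
    for (uint32_t i = 0; i < count; i++) {
        out[i].func_offset = rd32(buf + 4 + 8 * (size_t)i);
        out[i].param_count = rd32(buf + 8 + 8 * (size_t)i);
    }
    return (int)count;
}

/* Constructed sample bytes (not from a real VxD): 2 entries. */
static const uint8_t sample_table[] = {
    0x02,0x00,0x00,0x00,
    0x10,0x32,0x00,0xC0, 0x03,0x00,0x00,0x00,
    0x80,0x32,0x00,0xC0, 0x01,0x00,0x00,0x00,
};

int main(void) {
    w32svc_entry e[16];
    int n = parse_w32svc_table(sample_table, sizeof sample_table, e, 16);
    for (int i = 0; i < n; i++)
        printf("service %d: offset %08X, %u params\n", i,
               (unsigned)e[i].func_offset, (unsigned)e[i].param_count);
    return n < 0;
}
```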

garph0
November 12th, 2000, 12:22
In case you'll need...

I think Kernel32.vxdcall has no exported name, but it's exported as function #1 from kernel. If you want an example I think that BO2k uses it when it hides the process under win9x.
you can get bo2k at sourceforge.net