Extending SoftICE -- 4
Chapter 5: The sample: icecmd.vxd
---------------------------------
Accompanying this article is a sample VxD that employs most of the techniques described in the previous chapter. The VxD does not provide any real functionality; it is intended only for didactic purposes. It implements a new dot command, .Z, and a DebugQuery handler routine. The sample dot command .Zs dumps the stack trace on the debug console; you can accomplish the same thing by issuing the STACK command in Soft-Ice. It also shows very basic command-line parsing. The VxD is implemented as a static VxD. It also presents a mechanism by which a VxD can detect whether it was previously loaded, preventing multiple instances.

Since the code is commented, I will not present it once again inside the article. Read the source code; I tried to keep things easy to understand. The only thing left unexplained is the code that prevents the VxD from being loaded twice. This code resides in the VxD_REAL_INIT_SEG code segment. It is called automatically while the system is still in real mode and the virtual device drivers are being loaded. When the system reaches this entry point, the BX register contains a value that indicates whether the device is already loaded or not. The method requires a unique device ID. To control loading you must exit with AX set to one of the values shown below.

Abort_Device_Load -- tells the VMM that this VxD should not be loaded.
Abort_Win386_Load -- tells the VMM to end Windows loading (Win 95 itself will fail to load if this value is passed in AX).
Device_Load_Ok -- tells the VMM that all is OK and the device can be loaded.
No_Fail_Message -- use together with Abort_Device_Load or Abort_Win386_Load. Instructs the VMM not to display an error message; if not specified, the VMM will print an error message on screen.

Also, you must return with the BX, EDX and SI registers set to the following values:

BX -- must contain a pointer to a null-terminated page array table listing the physical pages reserved for the VxD's own use. Valid address ranges are 0 to 100h (that is, the table must reside in very low memory). MUST be set to 0 if no pages are reserved.
SI -- must contain a pointer to a null-terminated array of instance data items. MUST be set to 0 if there are no specific instance objects.
EDX -- contains a value that is passed to the protected-mode procedure that handles the Sys_Critical_Init message broadcast by the VMM. This value is re-loaded into EDX just before the protected-mode init procedure is called. Usually set to 0, but it will not harm anything if it contains other values (because it is up to you whether the handler for Sys_Critical_Init uses it or not).

This is not my creation; I learned it from W. Oney's code.

Download icecmd.zip & source code
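The real-mode init entry point described above, as an added example rather than the sample VxD's own code: it tests the duplicate-load flag in BX, declines a second load silently, and zeroes BX, SI and EDX before returning. The equates Duplicate_Device_ID, Abort_Device_Load, No_Fail_Message and Device_Load_Ok are those of VMM.INC in the Windows 95 DDK; the procedure name is an assumption.

```asm
; Added example (not the sample's code): real-mode init handler that
; refuses to load a second instance of the VxD. Only the VMM.INC equates
; are real; the procedure name ICECMD_Real_Init is an assumption.
.386p
include vmm.inc

VxD_REAL_INIT_SEG
BeginProc ICECMD_Real_Init
    ; On entry BX holds the real-mode init flags. Duplicate_Device_ID is
    ; set when a VxD with our unique device ID has already been loaded.
    test    bx, Duplicate_Device_ID
    jz      short @@first_instance

    ; Already loaded: tell the VMM to skip this copy and not to complain.
    mov     ax, Abort_Device_Load + No_Fail_Message
    jmp     short @@done

@@first_instance:
    ; First load: allow the device to be loaded normally.
    mov     ax, Device_Load_Ok

@@done:
    xor     bx, bx      ; no reserved physical pages
    xor     si, si      ; no instance data items
    xor     edx, edx    ; nothing to hand to the Sys_Critical_Init handler
    ret
EndProc ICECMD_Real_Init
VxD_REAL_INIT_ENDS
```

Because AX is returned with No_Fail_Message set, the duplicate copy is dropped without the VMM printing an error at boot; omit that flag while debugging if you want the refusal to be visible.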