Examining VxD Service Hooking
by Mark Russinovich and Bryce Cogswell

Example 1:

(a)     VMMcall _PageFree

(b)     PageFree(ULONG hMem, ULONG flags);

Example 2:

(a)     int     20h                     ; VxD service trap
        dd      0155h                   ; hi word == VMM.VXD id, lo word == service #

(b)     call    [VMMServiceTable+55h*4] ; indirect through table

Example 3:

(a)     PrevInChain = Hook_Device_Service( GetVxDServiceOrdinal(Service),
                                           HookProc, &thunkHookProc );

(b)     GetVxDServiceOrdinal eax, Service
        mov     esi, OFFSET32 HookProc  ; points to the hook
                                        ; procedure to install
        VMMcall Hook_Device_Service
        mov     PrevInChain, esi

Example 4:

PrevInChain     dd      ?               ; address of previous service

BeginProc HookProcedure
        call    [PrevInChain]           ; chain to previous service
        ret
EndProc HookProcedure

Example 5:

PrevInChain     dd      ?

BeginProc HookProcedure, Hook_Proc PrevInChain
        call    PrevInChain
        ret
EndProc HookProcedure

Example 6:

        jmp     HookProcedure           ; signature
        jmp     [PrevInChain]           ; previous in chain ptr
HookProcedure:
        ...

Example 7:

(a)     Unhook_Device_Service( GetVxDServiceOrdinal(Service),
                               HookProc, &thunkHookProc );

(b)     GetVxDServiceOrdinal eax, Service
        mov     esi, OFFSET32 HookProc
        VMMcall Unhook_Device_Service
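Examples 3 through 7 together describe one mechanism: a hook is installed by saving the current table entry in the hook's PrevInChain variable, the hook chains through that variable, the two-jmp signature of Example 6 lets the unhooker recognise a hook anywhere in the chain, and unhooking splices it back out. The C program below is an added model of that mechanism written for this page; it is not code from the article or from the Windows VMM. The service table, the `hook_stub` struct standing in for the signature stub, the single-int service argument, the `_PageFree` stand-in and the two hooks are all constructed assumptions. It also includes `list_hooks`, the integrity check a defender would run to enumerate the hooks on a service and confirm that the end of the chain is still the service the VxD originally registered.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a VxD service table and hook chain (example code,
   not from the article or the Windows VMM). A service takes one int here;
   real VxD services take their arguments in registers. */
typedef int (*service_fn)(int arg);

struct hook_stub;

/* One slot of the modelled VMMServiceTable: either a plain service address
   or a pointer at a hook's signature stub (Example 6). */
typedef struct service_entry {
    service_fn        direct;
    struct hook_stub *stub;
} service_entry;

/* Models the two-instruction signature a hook starts with:
   jmp HookProcedure / jmp [PrevInChain]. prev_in_chain is the address of the
   hook's own PrevInChain variable; that indirection is what lets the
   unhooker splice a hook out of the middle of the chain. */
typedef struct hook_stub {
    service_fn     hook;
    service_entry *prev_in_chain;
} hook_stub;

#define NUM_SERVICES     0x60   /* assumption: enough slots for ordinal 0x55 */
#define PAGEFREE_ORDINAL 0x55   /* _PageFree ordinal quoted in Example 2 */
static service_entry service_table[NUM_SERVICES];

static int call_entry(const service_entry *e, int arg) {
    return e->stub ? e->stub->hook(arg) : e->direct(arg);
}

/* VMMcall to a service: indirect through the table (Example 2b). */
int vmm_call(unsigned ordinal, int arg) {
    return call_entry(&service_table[ordinal], arg);
}

/* Model of Hook_Device_Service: save the current entry in the hook's
   PrevInChain variable and point the table slot at the hook (Example 3). */
void hook_device_service(unsigned ordinal, hook_stub *stub) {
    *stub->prev_in_chain          = service_table[ordinal];
    service_table[ordinal].direct = NULL;
    service_table[ordinal].stub   = stub;
}

/* Model of Unhook_Device_Service: follow each stub's PrevInChain until the
   stub whose hook matches is found, then make its predecessor (the table
   slot or an earlier hook's PrevInChain) skip past it (Example 7).
   Returns 0 on success, -1 if the hook is not in the chain. */
int unhook_device_service(unsigned ordinal, service_fn hook) {
    service_entry *cur = &service_table[ordinal];
    while (cur->stub) {
        if (cur->stub->hook == hook) {
            *cur = *cur->stub->prev_in_chain;
            return 0;
        }
        cur = cur->stub->prev_in_chain;
    }
    return -1;
}

/* Integrity check: list every hook on a service (outermost first) and report
   the address at the end of the chain, which should be the service the VxD
   originally registered. Returns the number of hooks found. */
int list_hooks(unsigned ordinal, service_fn *hooks, int max, service_fn *original) {
    int n = 0;
    const service_entry *cur = &service_table[ordinal];
    while (cur->stub) {
        if (n < max) hooks[n] = cur->stub->hook;
        n++;
        cur = cur->stub->prev_in_chain;
    }
    if (original) *original = cur->direct;
    return n;
}

/* --- constructed service and hooks for the demonstration --- */
static int page_free_calls;
static int original_page_free(int hMem) {   /* stands in for _PageFree */
    page_free_calls++;
    return hMem != 0;                         /* pretend non-zero handles free OK */
}

static service_entry prev_a, prev_b;          /* each hook's "PrevInChain dd ?" */
static int hook_a_calls;

/* Example 4 style hook: observe the call, then chain to the previous service. */
static int hook_a(int hMem) {
    hook_a_calls++;
    return call_entry(&prev_a, hMem);
}

/* A second hook that refuses a constructed bad handle without chaining. */
#define BAD_HANDLE 0xBAD
static int hook_b(int hMem) {
    if (hMem == BAD_HANDLE) return 0;
    return call_entry(&prev_b, hMem);
}

static hook_stub stub_a = { hook_a, &prev_a };
static hook_stub stub_b = { hook_b, &prev_b };

void install_original(void) {
    service_table[PAGEFREE_ORDINAL].direct = original_page_free;
    service_table[PAGEFREE_ORDINAL].stub   = NULL;
}

int main(void) {
    service_fn hooks[4], orig;
    install_original();
    hook_device_service(PAGEFREE_ORDINAL, &stub_a);
    hook_device_service(PAGEFREE_ORDINAL, &stub_b);  /* chain: b -> a -> original */
    printf("hooks on _PageFree: %d\n", list_hooks(PAGEFREE_ORDINAL, hooks, 4, &orig));
    printf("free(5) -> %d, free(BAD) -> %d\n",
           vmm_call(PAGEFREE_ORDINAL, 5), vmm_call(PAGEFREE_ORDINAL, BAD_HANDLE));
    unhook_device_service(PAGEFREE_ORDINAL, hook_a); /* remove from the middle */
    printf("after unhooking a: %d hook(s), chain ends at original: %d\n",
           list_hooks(PAGEFREE_ORDINAL, hooks, 4, &orig), orig == original_page_free);
    return 0;
}
```

The detail worth noticing is that unhooking never touches the hooks' code: because every hook exposes the address of its PrevInChain variable through the signature, the unhooker can rewrite whichever pointer currently leads to the hook, whether that is the table slot or another hook's PrevInChain. The same walk, run read-only as `list_hooks` does, is how an integrity monitor would spot an unexpected hook on a service and confirm that the chain still terminates at the original service address.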