1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
|
/*++ BUILD Version: 0001 // Increment this if a change has global effects
Copyright (c) 1985-1996, Microsoft Corporation
Module Name:
vdmdbg.h
Abstract:
Prodecure declarations, constant definitions, type definition and macros
for the VDMDBG.DLL VDM Debugger interface.
--*/
#ifndef _VDMDBG_
#define _VDMDBG_
#ifdef __cplusplus
extern "C" {
#endif
#include <pshpack4.h>
#define STATUS_VDM_EVENT STATUS_SEGMENT_NOTIFICATION
#ifndef DBG_SEGLOAD
#define DBG_SEGLOAD 0
#define DBG_SEGMOVE 1
#define DBG_SEGFREE 2
#define DBG_MODLOAD 3
#define DBG_MODFREE 4
#define DBG_SINGLESTEP 5
#define DBG_BREAK 6
#define DBG_GPFAULT 7
#define DBG_DIVOVERFLOW 8
#define DBG_INSTRFAULT 9
#define DBG_TASKSTART 10
#define DBG_TASKSTOP 11
#define DBG_DLLSTART 12
#define DBG_DLLSTOP 13
#define DBG_ATTACH 14
#endif
//
// The following flags control the contents of the CONTEXT structure.
//
#define VDMCONTEXT_i386 0x00010000 // this assumes that i386 and
#define VDMCONTEXT_i486 0x00010000 // i486 have identical context records
#define VDMCONTEXT_CONTROL (VDMCONTEXT_i386 | 0x00000001L) // SS:SP, CS:IP, FLAGS, BP
#define VDMCONTEXT_INTEGER (VDMCONTEXT_i386 | 0x00000002L) // AX, BX, CX, DX, SI, DI
#define VDMCONTEXT_SEGMENTS (VDMCONTEXT_i386 | 0x00000004L) // DS, ES, FS, GS
#define VDMCONTEXT_FLOATING_POINT (VDMCONTEXT_i386 | 0x00000008L) // 387 state
#define VDMCONTEXT_DEBUG_REGISTERS (VDMCONTEXT_i386 | 0x00000010L) // DB 0-3,6,7
#define VDMCONTEXT_FULL (VDMCONTEXT_CONTROL | VDMCONTEXT_INTEGER |\
VDMCONTEXT_SEGMENTS)
#ifdef _X86_
// On x86 machines, just copy the definition of the CONTEXT and LDT_ENTRY
// structures.
typedef struct _CONTEXT VDMCONTEXT;
typedef struct _LDT_ENTRY VDMLDT_ENTRY;
#else // _X86_
//
// Define the size of the 80387 save area, which is in the context frame.
//
#define SIZE_OF_80387_REGISTERS 80
typedef struct _FLOATING_SAVE_AREA {
ULONG ControlWord;
ULONG StatusWord;
ULONG TagWord;
ULONG ErrorOffset;
ULONG ErrorSelector;
ULONG DataOffset;
ULONG DataSelector;
UCHAR RegisterArea[SIZE_OF_80387_REGISTERS];
ULONG Cr0NpxState;
} FLOATING_SAVE_AREA;
//
// Simulated context structure for the 16-bit environment
//
typedef struct _VDMCONTEXT {
//
// The flags values within this flag control the contents of
// a CONTEXT record.
//
// If the context record is used as an input parameter, then
// for each portion of the context record controlled by a flag
// whose value is set, it is assumed that that portion of the
// context record contains valid context. If the context record
// is being used to modify a threads context, then only that
// portion of the threads context will be modified.
//
// If the context record is used as an IN OUT parameter to capture
// the context of a thread, then only those portions of the thread's
// context corresponding to set flags will be returned.
//
// The context record is never used as an OUT only parameter.
//
// CONTEXT_FULL on some systems (MIPS namely) does not contain the
// CONTEXT_SEGMENTS definition. VDMDBG assumes that CONTEXT_INTEGER also
// includes CONTEXT_SEGMENTS to account for this.
//
ULONG ContextFlags;
//
// This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
// set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
// included in CONTEXT_FULL.
//
ULONG Dr0;
ULONG Dr1;
ULONG Dr2;
ULONG Dr3;
ULONG Dr6;
ULONG Dr7;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_FLOATING_POINT.
//
FLOATING_SAVE_AREA FloatSave;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_SEGMENTS.
//
ULONG SegGs;
ULONG SegFs;
ULONG SegEs;
ULONG SegDs;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_INTEGER.
//
ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Edx;
ULONG Ecx;
ULONG Eax;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_CONTROL.
//
ULONG Ebp;
ULONG Eip;
ULONG SegCs; // MUST BE SANITIZED
ULONG EFlags; // MUST BE SANITIZED
ULONG Esp;
ULONG SegSs;
} VDMCONTEXT;
//
// LDT descriptor entry
//
typedef struct _VDMLDT_ENTRY {
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMid;
UCHAR Flags1; // Declare as bytes to avoid alignment
UCHAR Flags2; // Problems.
UCHAR BaseHi;
} Bytes;
struct {
ULONG BaseMid : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Pres : 1;
ULONG LimitHi : 4;
ULONG Sys : 1;
ULONG Reserved_0 : 1;
ULONG Default_Big : 1;
ULONG Granularity : 1;
ULONG BaseHi : 8;
} Bits;
} HighWord;
} VDMLDT_ENTRY;
#endif // _X86_
typedef VDMCONTEXT *LPVDMCONTEXT;
typedef VDMLDT_ENTRY *LPVDMLDT_ENTRY;
#define VDMCONTEXT_TO_PROGRAM_COUNTER(Context) (PVOID)((Context)->Eip)
#define VDMCONTEXT_LENGTH (sizeof(VDMCONTEXT))
#define VDMCONTEXT_ALIGN (sizeof(ULONG))
#define VDMCONTEXT_ROUND (VDMCONTEXT_ALIGN - 1)
#define V86FLAGS_CARRY 0x00001
#define V86FLAGS_PARITY 0x00004
#define V86FLAGS_AUXCARRY 0x00010
#define V86FLAGS_ZERO 0x00040
#define V86FLAGS_SIGN 0x00080
#define V86FLAGS_TRACE 0x00100
#define V86FLAGS_INTERRUPT 0x00200
#define V86FLAGS_DIRECTION 0x00400
#define V86FLAGS_OVERFLOW 0x00800
#define V86FLAGS_IOPL 0x03000
#define V86FLAGS_IOPL_BITS 0x12
#define V86FLAGS_RESUME 0x10000
#define V86FLAGS_V86 0x20000 // Used to detect RealMode v. ProtMode
#define V86FLAGS_ALIGNMENT 0x40000
#define MAX_MODULE_NAME 8 + 1
#define MAX_PATH16 255
typedef struct _SEGMENT_NOTE {
WORD Selector1; // Selector of operation
WORD Selector2; // Dest. Sel. for moving segments
WORD Segment; // Segment within Module
CHAR Module[MAX_MODULE_NAME+1]; // Module name
CHAR FileName[MAX_PATH16+1]; // PathName to executable image
WORD Type; // Code / Data, etc.
DWORD Length; // Length of image
} SEGMENT_NOTE;
typedef struct _IMAGE_NOTE {
CHAR Module[MAX_MODULE_NAME+1]; // Module
CHAR FileName[MAX_PATH16+1]; // Path to executable image
WORD hModule; // 16-bit hModule
WORD hTask; // 16-bit hTask
} IMAGE_NOTE;
typedef struct {
DWORD dwSize;
char szModule[MAX_MODULE_NAME+1];
HANDLE hModule;
WORD wcUsage;
char szExePath[MAX_PATH16+1];
WORD wNext;
} MODULEENTRY, *LPMODULEENTRY;
/* GlobalFirst()/GlobalNext() flags */
#define GLOBAL_ALL 0
#define GLOBAL_LRU 1
#define GLOBAL_FREE 2
/* GLOBALENTRY.wType entries */
#define GT_UNKNOWN 0
#define GT_DGROUP 1
#define GT_DATA 2
#define GT_CODE 3
#define GT_TASK 4
#define GT_RESOURCE 5
#define GT_MODULE 6
#define GT_FREE 7
#define GT_INTERNAL 8
#define GT_SENTINEL 9
#define GT_BURGERMASTER 10
/* If GLOBALENTRY.wType==GT_RESOURCE, the following is GLOBALENTRY.wData: */
#define GD_USERDEFINED 0
#define GD_CURSORCOMPONENT 1
#define GD_BITMAP 2
#define GD_ICONCOMPONENT 3
#define GD_MENU 4
#define GD_DIALOG 5
#define GD_STRING 6
#define GD_FONTDIR 7
#define GD_FONT 8
#define GD_ACCELERATORS 9
#define GD_RCDATA 10
#define GD_ERRTABLE 11
#define GD_CURSOR 12
#define GD_ICON 14
#define GD_NAMETABLE 15
#define GD_MAX_RESOURCE 15
typedef struct {
DWORD dwSize;
DWORD dwAddress;
DWORD dwBlockSize;
HANDLE hBlock;
WORD wcLock;
WORD wcPageLock;
WORD wFlags;
BOOL wHeapPresent;
HANDLE hOwner;
WORD wType;
WORD wData;
DWORD dwNext;
DWORD dwNextAlt;
} GLOBALENTRY, *LPGLOBALENTRY;
typedef DWORD (CALLBACK* DEBUGEVENTPROC)( LPDEBUG_EVENT, LPVOID );
// Macros to access VDM_EVENT parameters
#define W1(x) ((USHORT)(x.ExceptionInformation[0]))
#define W2(x) ((USHORT)(x.ExceptionInformation[0] >> 16))
#define W3(x) ((USHORT)(x.ExceptionInformation[1]))
#define W4(x) ((USHORT)(x.ExceptionInformation[1] >> 16))
#define DW3(x) (x.ExceptionInformation[2])
#define DW4(x) (x.ExceptionInformation[3])
#include <poppack.h>
BOOL
WINAPI
VDMProcessException(
LPDEBUG_EVENT lpDebugEvent
);
BOOL
WINAPI
VDMGetThreadSelectorEntry(
HANDLE hProcess,
HANDLE hThread,
WORD wSelector,
LPVDMLDT_ENTRY lpSelectorEntry
);
ULONG
WINAPI
VDMGetPointer(
HANDLE hProcess,
HANDLE hThread,
WORD wSelector,
DWORD dwOffset,
BOOL fProtMode
);
BOOL
WINAPI
VDMGetThreadContext(
LPDEBUG_EVENT lpDebugEvent,
LPVDMCONTEXT lpVDMContext
);
BOOL
WINAPI
VDMSetThreadContext(
LPDEBUG_EVENT lpDebugEvent,
LPVDMCONTEXT lpVDMContext
);
BOOL
WINAPI
VDMGetSelectorModule(
HANDLE hProcess,
HANDLE hThread,
WORD wSelector,
PUINT lpSegmentNumber,
LPSTR lpModuleName,
UINT nNameSize,
LPSTR lpModulePath,
UINT nPathSize
);
BOOL
WINAPI
VDMGetModuleSelector(
HANDLE hProcess,
HANDLE hThread,
UINT wSegmentNumber,
LPSTR lpModuleName,
LPWORD lpSelector
);
BOOL
WINAPI
VDMModuleFirst(
HANDLE hProcess,
HANDLE hThread,
LPMODULEENTRY lpModuleEntry,
DEBUGEVENTPROC lpEventProc,
LPVOID lpData
);
BOOL
WINAPI
VDMModuleNext(
HANDLE hProcess,
HANDLE hThread,
LPMODULEENTRY lpModuleEntry,
DEBUGEVENTPROC lpEventProc,
LPVOID lpData
);
BOOL
WINAPI
VDMGlobalFirst(
HANDLE hProcess,
HANDLE hThread,
LPGLOBALENTRY lpGlobalEntry,
WORD wFlags,
DEBUGEVENTPROC lpEventProc,
LPVOID lpData
);
BOOL
WINAPI
VDMGlobalNext(
HANDLE hProcess,
HANDLE hThread,
LPGLOBALENTRY lpGlobalEntry,
WORD wFlags,
DEBUGEVENTPROC lpEventProc,
LPVOID lpData
);
typedef BOOL (WINAPI *PROCESSENUMPROC)( DWORD dwProcessId, DWORD dwAttributes, LPARAM lpUserDefined );
typedef BOOL (WINAPI *TASKENUMPROC)( DWORD dwThreadId, WORD hMod16, WORD hTask16, LPARAM lpUserDefined );
typedef BOOL (WINAPI *TASKENUMPROCEX)( DWORD dwThreadId, WORD hMod16, WORD hTask16,
PSZ pszModName, PSZ pszFileName, LPARAM lpUserDefined );
#define WOW_SYSTEM (DWORD)0x0001
INT
WINAPI
VDMEnumProcessWOW(
PROCESSENUMPROC fp,
LPARAM lparam
);
INT
WINAPI
VDMEnumTaskWOW(
DWORD dwProcessId,
TASKENUMPROC fp,
LPARAM lparam
);
//
// VDMEnumTaskWOWEx is the same as VDMEnumTaskWOW except
// the callback procedure gets two more parameters,
// the module name of the EXE and the full path to the
// EXE.
//
INT
WINAPI
VDMEnumTaskWOWEx(
DWORD dwProcessId,
TASKENUMPROCEX fp,
LPARAM lparam
);
//
// VDMTerminateTaskWOW rudely terminates a 16-bit WOW task
// similar to the way TerminateProcess kills a Win32
// process.
//
BOOL
WINAPI
VDMTerminateTaskWOW(
DWORD dwProcessId,
WORD htask
);
//
// VDMStartTaskInWOW launches a Win16 task in a pre-existing
// WOW VDM. Note that the caller is responsible for ensuring
// the program is a 16-bit Windows program. If it is a DOS
// or Win32 program, it will still be launched from within
// the target WOW VDM.
//
// The supplied command line and show command are passed
// unchanged to the 16-bit WinExec API in the target WOW VDM.
//
// Note this routine is ANSI-only.
//
BOOL
VDMStartTaskInWOW(
DWORD dwProcessId,
LPSTR lpCommandLine,
WORD wShow
);
//
// VDMKillWOW is not implemented.
//
BOOL
WINAPI
VDMKillWOW(
VOID
);
//
// VDMDetectWOW is not implemented.
//
BOOL
WINAPI
VDMDetectWOW(
VOID
);
BOOL
WINAPI
VDMBreakThread(
HANDLE hProcess,
HANDLE hThread
);
#ifdef __cplusplus
}
#endif
#endif // _VDMDBG_
|