
Direct Draw API Internals

Topic created on: July 22, 2007 21:37 CDT by jimtabor .

Hi!
Over the last year a private team of college students cross-checked my work with the Win32/Gdi32 rewrite. They asked me two months ago to release this information.

I have to apologize to some developers for this release. They want it out now.

Thanks,
James


#include <stdio.h>
//#include <windows.h>
//#include <ddk\winddi.h>

typedef long * LONG_PTR;

#define APIENTRY __stdcall

typedef LONG_PTR (APIENTRY *PFN)();

typedef struct _DRVFN {
  unsigned int  iFunc;
  PFN  pfn;
} DRVFN, *PDRVFN;


//
// Index Dx Callback Eng Functions for win32k.sys
//
#define DXENG_INDEX_DxEngIsTermSrv                   1
#define DXENG_INDEX_DxEngScreenAccessCheck           2
#define DXENG_INDEX_DxEngRedrawDesktop               3
#define DXENG_INDEX_DxEngDispUniq                    4
#define DXENG_INDEX_DxEngIncDispUniq                 5
#define DXENG_INDEX_DxEngVisRngUniq                  6
#define DXENG_INDEX_DxEngLockShareSem                7
#define DXENG_INDEX_DxEngUnlockShareSem              8
#define DXENG_INDEX_DxEngEnumerateHdev               9
#define DXENG_INDEX_DxEngLockHdev                    10
#define DXENG_INDEX_DxEngUnlockHdev                  11
#define DXENG_INDEX_DxEngIsHdevLockedByCurrentThread 12
#define DXENG_INDEX_DxEngReferenceHdev               13
#define DXENG_INDEX_DxEngUnreferenceHdev             14
#define DXENG_INDEX_DxEngGetDeviceGammaRamp          15
#define DXENG_INDEX_DxEngSetDeviceGammaRamp          16
#define DXENG_INDEX_DxEngSpTearDownSprites           17
#define DXENG_INDEX_DxEngSpUnTearDownSprites         18
#define DXENG_INDEX_DxEngSpSpritesVisible            19
#define DXENG_INDEX_DxEngGetHdevData                 20
#define DXENG_INDEX_DxEngSetHdevData                 21
#define DXENG_INDEX_DxEngCreateMemoryDC              22
#define DXENG_INDEX_DxEngGetDesktopDC                23
#define DXENG_INDEX_DxEngDeleteDC                    24
#define DXENG_INDEX_DxEngCleanDC                     25
#define DXENG_INDEX_DxEngSetDCOwner                  26
#define DXENG_INDEX_DxEngLockDC                      27
#define DXENG_INDEX_DxEngUnlockDC                    28
#define DXENG_INDEX_DxEngSetDCState                  29
#define DXENG_INDEX_DxEngGetDCState                  30
#define DXENG_INDEX_DxEngSelectBitmap                31
#define DXENG_INDEX_DxEngSetBitmapOwner              32
#define DXENG_INDEX_DxEngDeleteSurface               33
#define DXENG_INDEX_DxEngGetSurfaceData              34
#define DXENG_INDEX_DxEngAltLockSurface              35
#define DXENG_INDEX_DxEngUploadPaletteEntryToSurface 36
#define DXENG_INDEX_DxEngMarkSurfaceAsDirectDraw     37
#define DXENG_INDEX_DxEngSelectPaletteToSurface      38
#define DXENG_INDEX_DxEngSyncPaletteTableWithDevice  39
#define DXENG_INDEX_DxEngSetPaletteState             40
#define DXENG_INDEX_DxEngGetRedirectionBitmap        41
#define DXENG_INDEX_DxEngLoadImage                   42


DRVFN EngFuncs[] =
{
    {0, (PFN) NULL},
    { DXENG_INDEX_DxEngIsTermSrv, (PFN) DxEngIsTermSrv},
    { DXENG_INDEX_DxEngScreenAccessCheck, (PFN) DxEngScreenAccessCheck},
    { DXENG_INDEX_DxEngRedrawDesktop, (PFN) DxEngRedrawDesktop},
    { DXENG_INDEX_DxEngDispUniq, (PFN) DxEngDispUniq},
    { DXENG_INDEX_DxEngIncDispUniq, (PFN) DxEngIncDispUniq },
    { DXENG_INDEX_DxEngVisRngUniq, (PFN) DxEngVisRngUniq},
    { DXENG_INDEX_DxEngLockShareSem, (PFN) DxEngLockShareSem},
    { DXENG_INDEX_DxEngUnlockShareSem, (PFN) DxEngUnlockShareSem},
    { DXENG_INDEX_DxEngEnumerateHdev, (PFN) DxEngEnumerateHdev},
    { DXENG_INDEX_DxEngLockHdev, (PFN) DxEngLockHdev},
    { DXENG_INDEX_DxEngUnlockHdev, (PFN) DxEngUnlockHdev},
    { DXENG_INDEX_DxEngIsHdevLockedByCurrentThread, (PFN) DxEngIsHdevLockedByCurrentThread},
    { DXENG_INDEX_DxEngReferenceHdev, (PFN) DxEngReferenceHdev},
    { DXENG_INDEX_DxEngUnreferenceHdev, (PFN) DxEngUnreferenceHdev},
    { DXENG_INDEX_DxEngGetDeviceGammaRamp, (PFN) DxEngGetDeviceGammaRamp},
    { DXENG_INDEX_DxEngSetDeviceGammaRamp, (PFN) DxEngSetDeviceGammaRamp },
    { DXENG_INDEX_DxEngSpTearDownSprites, (PFN) DxEngSpTearDownSprites},
    { DXENG_INDEX_DxEngSpUnTearDownSprites, (PFN) DxEngSpUnTearDownSprites},
    { DXENG_INDEX_DxEngSpSpritesVisible, (PFN) DxEngSpSpritesVisible},
    { DXENG_INDEX_DxEngGetHdevData, (PFN) DxEngGetHdevData},
    { DXENG_INDEX_DxEngSetHdevData, (PFN) DxEngSetHdevData},
    { DXENG_INDEX_DxEngCreateMemoryDC, (PFN) DxEngCreateMemoryDC},
    { DXENG_INDEX_DxEngGetDesktopDC, (PFN) DxEngGetDesktopDC},
    { DXENG_INDEX_DxEngDeleteDC, (PFN) DxEngDeleteDC},
    { DXENG_INDEX_DxEngCleanDC, (PFN) DxEngCleanDC},
    { DXENG_INDEX_DxEngSetDCOwner, (PFN) DxEngSetDCOwner},
    { DXENG_INDEX_DxEngLockDC, (PFN) DxEngLockDC},
    { DXENG_INDEX_DxEngUnlockDC, (PFN) DxEngUnlockDC},
    { DXENG_INDEX_DxEngSetDCState, (PFN) DxEngSetDCState},
    { DXENG_INDEX_DxEngGetDCState, (PFN) DxEngGetDCState},
    { DXENG_INDEX_DxEngSelectBitmap, (PFN) DxEngSelectBitmap},
    { DXENG_INDEX_DxEngSetBitmapOwner, (PFN) DxEngSetBitmapOwner},
    { DXENG_INDEX_DxEngDeleteSurface, (PFN) DxEngDeleteSurface},
    { DXENG_INDEX_DxEngGetSurfaceData, (PFN) DxEngGetSurfaceData},
    { DXENG_INDEX_DxEngAltLockSurface, (PFN) DxEngAltLockSurface},
    { DXENG_INDEX_DxEngUploadPaletteEntryToSurface, (PFN) DxEngUploadPaletteEntryToSurface},
    { DXENG_INDEX_DxEngMarkSurfaceAsDirectDraw, (PFN) DxEngMarkSurfaceAsDirectDraw},
    { DXENG_INDEX_DxEngSelectPaletteToSurface, (PFN) DxEngSelectPaletteToSurface},
    { DXENG_INDEX_DxEngSyncPaletteTableWithDevice, (PFN) DxEngSyncPaletteTableWithDevice},
    { DXENG_INDEX_DxEngSetPaletteState, (PFN) DxEngSetPaletteState},
    { DXENG_INDEX_DxEngGetRedirectionBitmap, (PFN) DxEngGetRedirectionBitmap},
    { DXENG_INDEX_DxEngLoadImage, (PFN) DxEngLoadImage},
};

ULONG ulCountEngFuncs = DXENG_INDEX_DxEngLoadImage + 1;



//
// Index Functions for drivers/dxg.sys
//
#define DXG_INDEX_NtGdiDxgGenericThunk              0
#define DXG_INDEX_NtGdiD3dContextCreate             1
#define DXG_INDEX_NtGdiD3dContextDestroy            2
#define DXG_INDEX_NtGdiD3dContextDestroyAll         3
#define DXG_INDEX_NtGdiD3dValidateTextureStageState 4
#define DXG_INDEX_NtGdiD3dDrawPrimitives            5
#define DXG_INDEX_NtGdiDdGetDriverState             6
#define DXG_INDEX_NtGdiDdAddAttachedSurface         7
#define DXG_INDEX_NtGdiDdAlphaBlt                   8
#define DXG_INDEX_NtGdiDdAttachSurface              9
#define DXG_INDEX_NtGdiDdBeginMoCompFrame           10
#define DXG_INDEX_NtGdiDdBlt                        11
#define DXG_INDEX_NtGdiDdCanCreateSurface           12
#define DXG_INDEX_NtGdiDdCanCreateD3DBuffer         13
#define DXG_INDEX_NtGdiDdColorControl               14
#define DXG_INDEX_NtGdiDdCreateDirectDrawObject     15
#define DXG_INDEX_NtGdiDdCreateSurface              16
#define DXG_INDEX_NtGdiDdCreateD3DBuffer            17
#define DXG_INDEX_NtGdiDdCreateMoComp               18
#define DXG_INDEX_NtGdiDdCreateSurfaceObject        19
#define DXG_INDEX_NtGdiDdDeleteDirectDrawObject     20
#define DXG_INDEX_NtGdiDdDeleteSurfaceObject        21
#define DXG_INDEX_NtGdiDdDestroyMoComp              22
#define DXG_INDEX_NtGdiDdDestroySurface             23
#define DXG_INDEX_NtGdiDdDestroyD3DBuffer           24
#define DXG_INDEX_NtGdiDdEndMoCompFrame             25
#define DXG_INDEX_NtGdiDdFlip                       26
#define DXG_INDEX_NtGdiDdFlipToGDISurface           27
#define DXG_INDEX_NtGdiDdGetAvailDriverMemory       28
#define DXG_INDEX_NtGdiDdGetBltStatus               29
#define DXG_INDEX_NtGdiDdGetDC                      30
#define DXG_INDEX_NtGdiDdGetDriverInfo              31
#define DXG_INDEX_NtGdiDdGetDxHandle                32
#define DXG_INDEX_NtGdiDdGetFlipStatus              33
#define DXG_INDEX_NtGdiDdGetInternalMoCompInfo      34
#define DXG_INDEX_NtGdiDdGetMoCompBuffInfo          35
#define DXG_INDEX_NtGdiDdGetMoCompGuids             36
#define DXG_INDEX_NtGdiDdGetMoCompFormats           37
#define DXG_INDEX_NtGdiDdGetScanLine                38
#define DXG_INDEX_NtGdiDdLock                       39
#define DXG_INDEX_NtGdiDdLockD3D                    40
#define DXG_INDEX_NtGdiDdQueryDirectDrawObject      41
#define DXG_INDEX_NtGdiDdQueryMoCompStatus          42
#define DXG_INDEX_NtGdiDdReenableDirectDrawObject   43
#define DXG_INDEX_NtGdiDdReleaseDC                  44
#define DXG_INDEX_NtGdiDdRenderMoComp               45
#define DXG_INDEX_NtGdiDdResetVisrgn                46
#define DXG_INDEX_NtGdiDdSetColorKey                47
#define DXG_INDEX_NtGdiDdSetExclusiveMode           48
#define DXG_INDEX_NtGdiDdSetGammaRamp               49
#define DXG_INDEX_NtGdiDdCreateSurfaceEx            50
#define DXG_INDEX_NtGdiDdSetOverlayPosition         51
#define DXG_INDEX_NtGdiDdUnattachSurface            52
#define DXG_INDEX_NtGdiDdUnlock                     53
#define DXG_INDEX_NtGdiDdUnlockD3D                  54
#define DXG_INDEX_NtGdiDdUpdateOverlay              55
#define DXG_INDEX_NtGdiDdWaitForVerticalBlank       56
#define DXG_INDEX_NtGdiDvpCanCreateVideoPort        57
#define DXG_INDEX_NtGdiDvpColorControl              58
#define DXG_INDEX_NtGdiDvpCreateVideoPort           59
#define DXG_INDEX_NtGdiDvpDestroyVideoPort          60
#define DXG_INDEX_NtGdiDvpFlipVideoPort             61
#define DXG_INDEX_NtGdiDvpGetVideoPortBandwidth     62
#define DXG_INDEX_NtGdiDvpGetVideoPortField         63
#define DXG_INDEX_NtGdiDvpGetVideoPortFlipStatus    64
#define DXG_INDEX_NtGdiDvpGetVideoPortInputFormats  65
#define DXG_INDEX_NtGdiDvpGetVideoPortLine          66
#define DXG_INDEX_NtGdiDvpGetVideoPortOutputFormats 67
#define DXG_INDEX_NtGdiDvpGetVideoPortConnectInfo   68
#define DXG_INDEX_NtGdiDvpGetVideoSignalStatus      69
#define DXG_INDEX_NtGdiDvpUpdateVideoPort           70
#define DXG_INDEX_NtGdiDvpWaitForVideoPortSync      71
#define DXG_INDEX_NtGdiDvpAcquireNotification       72
#define DXG_INDEX_NtGdiDvpReleaseNotification       73
#define DXG_INDEX_HeapVidMemAllocAligned            74
#define DXG_INDEX_VidMemFree                        75
#define DXG_INDEX_DxDdEnableDirectDraw              76
#define DXG_INDEX_DxDdDisableDirectDraw             77
#define DXG_INDEX_IntSuspendDirectDrawandEx         78 // Used with both
#define DXG_INDEX_IntResumeDirectDraw               79
#define DXG_INDEX_DxDdDynamicModeChange             80
#define DXG_INDEX_DxDdCloseProcess                  81
#define DXG_INDEX_IntGetDirectDrawBounds            82
#define DXG_INDEX_DxDdEnableDirectDrawRedirection   83 // not called from w32k
#define DXG_INDEX_EngAllocPrivateUserMem            84
#define DXG_INDEX_EngFreePrivateUserMem             85
#define DXG_INDEX_EngLockDirectDrawSurface          86
#define DXG_INDEX_EngUnlockDirectDrawSurface        87
#define DXG_INDEX_DxDdSetAccelLevel                 88
#define DXG_INDEX_DxDdGetSurfaceLock                89
#define DXG_INDEX_DxDdEnumLockedSurfaceRect         90
#define DXG_INDEX_EngDxIoctl                        91


// External
PDRVFN pDxFuncs;
HANDLE hDxGraphics;
ULONG DirectDrawContext;

//
// These are normal for the above index functions.
//
DWORD
APIENTRY
NtGdiD3dContextCreate(
      IN HANDLE hDirectDrawLocal,
      IN HANDLE hSurfColor,
      IN HANDLE hSurfZ,
      IN OUT D3DNTHAL_CONTEXTCREATEI *pdcci
                )
{
   pDxFuncs[DXG_INDEX_NtGdiD3dContextCreate].pfn();
}

BOOL
APIENTRY
NtGdiDdDeleteSurfaceObject(
       IN HANDLE hSurface
                 )
{
   pDxFuncs[DXG_INDEX_NtGdiDdDeleteSurfaceObject].pfn();
}


FLATPTR
WINAPI
HeapVidMemAllocAligned(
    IN LPVIDMEM  lpVidMem,
    IN DWORD  dwWidth,
    IN DWORD  dwHeight,
    IN LPSURFACEALIGNMENT  lpAlignment,
    OUT LPLONG  lpNewPitch
    )
{
   pDxFuncs[DXG_INDEX_HeapVidMemAllocAligned].pfn();
}

VOID
WINAPI
VidMemFree(
    IN LPVMEMHEAP  pvmh,
    IN FLATPTR  ptr
    )
{
   pDxFuncs[DXG_INDEX_VidMemFree].pfn();
}

//
// Exceptions to the above
//

VOID
DxDdCloseProcess( ULONG ulData )
{
   if (!hDxGraphics || !pDxFuncs) return;

   pDxFuncs[DXG_INDEX_IntResumeDirectDraw ].pfn();
}

VOID
IntResumeDirectDraw(
    PHDEV hdev,
    FLONG flFlags
    )
{
   flFlags = !!flFlags; // Pass only 0 or 1
   return (VOID) pDxFuncs[DXG_INDEX_IntResumeDirectDraw ].pfn( hdev, flFlags );
}

VOID
IntSuspendDirectDraw(
    PHDEV hdev,
    FLONG flFlags
    )
{
   flFlags = !!flFlags;
   return (VOID) pDxFuncs[DXG_INDEX_IntSuspendDirectDrawandEx].pfn( hdev, flFlags );
}

VOID
APIENTRY
IntSuspendDirectDrawEx(
    PHDEV hdev,
    FLONG flFlags
    )
{
   pDxFuncs[DXG_INDEX_IntSuspendDirectDrawandEx].pfn();
}


///////////////////////////////////////////////////////////////////////////////
//
//                    Next step, just like opengl in gdi32!
//
///////////////////////////////////////////////////////////////////////////////


typedef long APIENTRY (*DXDDSTARTUPDXGRAPHICS) (ULONG, PDRVENABLEDATA, ULONG, PDRVENABLEDATA, PULONG, PEPROCESS);
typedef long APIENTRY (*DXDDCLEANUPDXGRAPHICS) (VOID);


DXDDSTARTUPDXGRAPHICS dxStartupDxGraphics = NULL;
DXDDCLEANUPDXGRAPHICS dxCleanupDxGraphics = NULL;


LONG
APIENTRY
DxDdCleanupDxGraphics()
{
   if(!dxCleanupDxGraphics) return 0;
   dxCleanupDxGraphics();
   dxStartupDxGraphics = NULL;
   dxCleanupDxGraphics = NULL;
   pDxFuncs = NULL;
   EngUnloadImage( hDxGraphics);
   hDxGraphics = NULL;
}


NTSTATUS
APIENTRY
DxDdStartupDxGraphics(  ULONG ulc1,
                        PDRVENABLEDATA pDrved1,
                        ULONG ulc2,
                        PDRVENABLEDATA pDrved2,
                        PULONG DDContext,
                        PEPROCESS Proc)
{
  DRVENABLEDATA EngDrv, DXG_API;
  NTSTATUS Status = STATUS_SUCCESS;


  EngDrv.iDriverVersion = WNNC_SPEC_VERSION51;  //0005 0001 ?????
  EngDrv.pdrvfn = EngFuncs;  // array decays to PDRVFN; &EngFuncs has the wrong pointer type
  EngDrv.c = ulCountEngFuncs;

  hDxGraphics = NULL;

  DxApiGetVersion(); // This is the only function imported from DxApi.sys.

  hDxGraphics = EngLoadImage (L"drivers\\dxg.sys");

  if (hDxGraphics)
   {
      // EngFindImageProcAddress takes a narrow (LPSTR) procedure name, unlike EngLoadImage.
      dxStartupDxGraphics = EngFindImageProcAddress(hDxGraphics, "DxDdStartupDxGraphics");

      dxCleanupDxGraphics = EngFindImageProcAddress(hDxGraphics, "DxDdCleanupDxGraphics");

      if ( !dxStartupDxGraphics || !dxCleanupDxGraphics)
      {
         EngUnloadImage( hDxGraphics);

         return STATUS_PROCEDURE_NOT_FOUND;
      }

      Status = dxStartupDxGraphics ( sizeof(DRVENABLEDATA),
                                                   &EngDrv,
                                     sizeof(DRVENABLEDATA),
                                                  &DXG_API,
                                        &DirectDrawContext,
                                                      Proc );

      if (!NT_SUCCESS(Status))
      {
         dxStartupDxGraphics = NULL;
         dxCleanupDxGraphics = NULL;
         EngUnloadImage( hDxGraphics);
         hDxGraphics = NULL;
         return Status;
      }

      pDxFuncs = DXG_API.pdrvfn;

      return Status;
   }
  else
      return STATUS_DLL_NOT_FOUND;
}
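
The wrappers above index pDxFuncs directly with a DXG_INDEX_* constant, and DxDdStartupDxGraphics stores DXG_API.pdrvfn without looking at the returned count. As an added example (not part of the original post and not code from win32k.sys or dxg.sys), here is a user-mode C sketch of checking such a table before dispatching through it. The *_X types, dx_table_validate, dx_lookup and the sample tables are hypothetical, and it assumes the returned table uses the same slot-equals-index layout as EngFuncs.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the page's DRVFN / DRVENABLEDATA (user-mode sketch). */
typedef long (*PFN_X)(void);
typedef struct { unsigned int iFunc; PFN_X pfn; } DRVFN_X;
typedef struct { unsigned int iDriverVersion, c; const DRVFN_X *pdrvfn; } DRVENABLEDATA_X;

/* Returns 0 when the table can be indexed by iFunc, a negative code otherwise. */
int dx_table_validate(const DRVENABLEDATA_X *api, unsigned int expected)
{
    unsigned int i;

    if (!api || !api->pdrvfn)
        return -1;                       /* callee filled nothing in */
    if (api->c != expected)
        return -2;                       /* shorter or longer than the index list */
    for (i = 0; i < api->c; i++)
        if (api->pdrvfn[i].iFunc != i)
            return -3;                   /* slot position and index disagree */
    return 0;
}

/* Bounds-checked read of one slot; NULL means "do not call". */
PFN_X dx_lookup(const DRVENABLEDATA_X *api, unsigned int index)
{
    if (!api || !api->pdrvfn || index >= api->c)
        return NULL;
    return api->pdrvfn[index].pfn;       /* may itself be NULL, as slot 0 of EngFuncs is */
}

/* Constructed sample data: a well-formed table and one with a dropped row. */
long stub_fn(void) { return 0; }
const DRVFN_X good_tbl[] = { {0, NULL}, {1, stub_fn}, {2, stub_fn} };
const DRVFN_X gap_tbl[]  = { {0, NULL}, {2, stub_fn}, {3, stub_fn} };
const DRVENABLEDATA_X good_api  = { 0, 3, good_tbl };
const DRVENABLEDATA_X gap_api   = { 0, 3, gap_tbl };
const DRVENABLEDATA_X short_api = { 0, 2, good_tbl };
```

For the dxg.sys table on this page the expected count would be DXG_INDEX_EngDxIoctl + 1, mirroring how ulCountEngFuncs is derived for EngFuncs.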

  anrcer   December 18, 2007 05:18.24 CST
very great script, Thanks.


----------------
my pc software

  RolfRolles     December 18, 2007 14:59.16 CST
That isn't a script -- that's the workproduct of an analysis of direct draw.
