Hailey4d ago
Cooked up a binaryninja plugin that knows how to disassemble VxDCall macros. This is a funky dynamic linking mechanism used in the Windows 9x kernel, it's an int 0x20 followed by an inline dword representing the 16 bit device id and service ordinal which is being called. The kernel patches these sequences with a regular call instruction directly invoking the target service the first time each is executed
Show threadHailey4d ago

The plugin lifts each VxDCall/VMMCall macro into binaryninja's low-level intermediate language by translating it to two IL instructions: a VxD_Get_Service_Address instrinsic which loads the target address into a temporary, and a plain old call or jump instruction so binaryninja can understand and analyze the branch.

Then, an analysis pass replaces those VxD_Get_Service_Address intrinsics with a direct reference to the resolved service, if the service table was found in the binary being analysed -

Show threadHailey4d ago

And the result is a very readable high-level decompilation! It'll be even better once I transcribe type information from the DDK documentation into a C header file for binaryninja to load!!

plugin's on codeberg, it's in C++ https://codeberg.org/hails/vxdninja

Show threadCindʎ Xiao 🍉
@hailey Nice stuff!! Great example of using the Workflow feature, too
Apr 1 at 6:33amWeb