Write Access on Win9x

[nikola]

Hi,
i was trying to do API hooking on win9x so i need write access in kernel32.dll memory pages. As you know VirtualProtect wont do that job but there is an undocumented way to perform this thru a VxDCall4. I tested this and it worked, but i need this code relocatable, and not using an import table so i need to do GetProcAddress for this call. VxDCall has no real procedure name so it should be imported by ordinal. Its ordinal is 5 but when i do
push 5
push KernelBase
call GetProcAddress
i get 0 in eax :/
Any help?

[bgrimm]

Don't quote me on this, as I'm not to familiar with the 9x VX scene.

But it is my understanding the HPS virus used an undocumented int21 routine to access Kernel32.dll, then from there you can find VxDCall.

An overview of how it is done is located here:
h**p://vx.netlux.org/lib/vgy06.html

An analysis of the HPS virus is here:
h**p://www.peterszor.com/hps.pdf


-bg

[nikola]

This didnt help me out directly becouse of my weak knowledge of this matter but it pointed me in right direction so i knew what to search for in google. Seems that i cant get to VXDCall with GetProcAddress. It also seems that All VxDCalls are acctually 1 call but you send in parameters what function you want it to perform.
If anyone else needs this here is the file that helped me:
http://madchat.org/vxdevl/papers/vxers/r3_res.txt

And i forgot to say this. Thanks grimm