Example of disassembly listing : file is VW32DEMO.VXD, published in
Windows developper's journal July 97 :
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], EAX
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], EAX
ADD [EAX], AL
VW32DEMO_DDB:
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX+EAX], AL
ADD [ECX], AL
ADD [EAX], AL
ADD [ESI+00000057], DL
XOR ESI, [EDX]
INC ESP
INC EBP
DEC EBP
DEC EDI
ADD [EAX], AL
ADD [EAX+Seg1:00000078], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
ADD [EAX], AL
JBE/JNA L000000CB
JB/JNAE/JC L000000B8
PUSH EAX
ADD [EAX], AL
ADD [ECX], DH
JBE/JNA L000000E2
PUSH EDX
XOR DH, [ESI+00000073]
PUSH EDX
XOR ESI, [ESI+00000073]
PUSH EDX
ControlProc:
CMP EAX, 0000001B
JE/JZ L00000089
CMP EAX, 0000001C
JE/JZ L000000C5
CMP EAX, 00000023
JE/JZ L00000101
CLC
RET
SYS_DYNAMIC_DEVICE_INIT:
L00000089: MOV EAX, 00000007
MOV ECX, 00000011
VXDCall List_Create
JAE/JNB/JNC L0000009D
JMP L000000C4
L0000009D: MOV [Seg1:00000000], ESI
PUSH Seg1:0000019E
CALL P00000337
ADD ESP, 00000004
PUSH Seg1:00000018
PUSH Seg1:00000028
VXDCall _Register_Win32_Services
ADD ESP, 00000008
CLC
L000000C4: RET
SYS_DYNAMIC_DEVICE_EXIT:
L000000C5: PUSH 00000000
PUSH Seg1:00000028
VXDCall _Register_Win32_Services
ADD ESP, 00000008
MOV ESI, [Seg1:00000000]
VXDCall List_Get_First
JMP L000000F7
L000000E3: PUSH EAX
PUSH EAX
PUSH dword ptr [EAX+00000005]
CALL P000002D2
ADD ESP, 00000008
POP EAX
VXDCall List_Get_Next
L000000F7: JNE/JNZ L000000E3
VXDCall List_Destroy
CLC
RET
W32_DEVICEIOCONTROL:
L00000101: PUSH ESI
PUSH EDI
PUSH EBX
PUSH EBP
MOV EAX, [ESI+0000000C]
INC EAX
CMP EAX, 00000004
JB/JNAE/JC L00000118
MOV EAX, 00000032
STC
JMP L00000125
L00000118: MOV EDI, [ESI+00000010]
CALL dword ptr [Seg1:00000008+EAX*4]
XOR EAX, EAX
CLC
L00000125: POP EBP
POP EBX
POP EDI
POP ESI
RET
RET
MOV ESI, [Seg1:00000000]
CMP dword ptr [EDI], 00000000
JE/JZ L00000140
MOV EAX, [EDI]
VXDCall List_Get_Next
JMP L00000146
L00000140: VXDCall List_Get_First
L00000146: JE/JZ L00000158
MOV [EDI], EAX
PUSH dword ptr [EAX+00000005]
POP dword ptr [EDI+00000004]
PUSH dword ptr [EAX+0000000D]
POP dword ptr [EDI+00000008]
JMP L0000015E
L00000158: MOV dword ptr [EDI], 00000000
L0000015E: RET
CMP dword ptr [Seg1:00000004], 00000000
JNE/JNZ L00000181
PUSH Seg1:000001F2
PUSH 002A0010
CALL P00000286
ADD ESP, 00000008
MOV [Seg1:00000004], EAX
JMP L0000019D
L00000181: PUSH Seg1:000001F2
PUSH 002A0010
CALL P000002D2
ADD ESP, 00000008
MOV dword ptr [Seg1:00000004], 00000000
L0000019D: RET
PUSH EBP
MOV EBP, ESP
MOV ESI, [Seg1:00000000]
VXDCall List_Allocate
JB/JNAE/JC L000001E5
MOV EDX, Seg1:000001E9
MOV byte ptr [EAX], 0E8
SUB EDX, EAX
SUB EDX, 00000005
MOV [EAX+00000001], EDX
MOV EDX, EAX
PUSH dword ptr [EBP+00000008]
POP dword ptr [EDX+00000005]
PUSH EDX
PUSH dword ptr [EBP+00000008]
CALL P00000286
ADD ESP, 00000008
MOV [EDX+00000009], EAX
MOV dword ptr [EDX+0000000D], 00000000
MOV EAX, EDX
VXDCall List_Attach_Tail
L000001E5: XOR EAX, EAX
LEAVE
RET
POP EDX
INC dword ptr [EDX+00000008]
MOV EDX, [EDX+00000004]
JMP dword ptr [EDX]
PUSH EBP
MOV EBP, ESP
CMP dword ptr [EBP+00000010], 0000713A
JNE/JNZ L00000207
MOV EDX, [EBP+00000008]
OR dword ptr [EDX+0000002C], 00000001
JMP L00000210
L00000207: LEAVE
MOV EDX, [Seg1:00000004]
JMP dword ptr [EDX]
L00000210: LEAVE
RET 0010
PUSH EBP
MOV EBP, ESP
VXDCall VWIN32_GetCurrentProcessHandle
XOR EAX, [EBP+00000010]
XCHG EAX, [EBP+00000008]
PUSH dword ptr [EBP+00000008]
POP dword ptr [EAX+0000001C]
LEAVE
RET 000C
INT 3
INT 3
INT 3
P00000230: PUSH EBP
MOV EBP, ESP
PUSH ECX
MOV EAX, [EBP+00000008]
ROR EAX, 10
MOVZX EAX, AX
VXDCall Get_DDB
XOR EAX, EAX
OR ECX, ECX
JE/JZ L0000026C
TEST word ptr [ECX+0000000A], 4000
JE/JZ L0000026C
MOV ECX, [ECX+00000038]
OR ECX, ECX
JE/JZ L0000026C
CMP [ECX], EAX
JE/JZ L0000026C
MOVZX EAX, word ptr [EBP+00000008]
CMP EAX, [ECX]
JAE/JNB/JNC L0000026A
LEA EAX, [ECX+EAX*8+00000008]
JMP L0000026C
L0000026A: XOR EAX, EAX
L0000026C: POP ECX
LEAVE
RET
PUSH EBP
MOV EBP, ESP
PUSH dword ptr [EBP+00000008]
CALL P00000230
ADD ESP, 00000004
OR EAX, EAX
JE/JZ L00000284
MOV EAX, [EAX+00000004]
L00000284: LEAVE
RET
P00000286: PUSH EBP
MOV EBP, ESP
ADD ESP, 0FFFFFFFC
PUSHAD
PUSH dword ptr [EBP+00000008]
CALL P00000230
ADD ESP, 00000004
OR EAX, EAX
JE/JZ L000002CB
MOV [EBP-00000004], EAX
PUSH 00000001
PUSH 00000009
VXDCall _HeapAllocate
ADD ESP, 00000008
JE/JZ L000002CB
MOV byte ptr [EAX], 0E9
SUB [EBP+0000000C], EAX
SUB dword ptr [EBP+0000000C], 00000005
PUSH dword ptr [EBP+0000000C]
POP dword ptr [EAX+00000001]
MOV EDX, [EBP-00000004]
MOV ESI, [EDX]
MOV [EAX+00000005], ESI
MOV [EDX], EAX
LEA EAX, [EAX+00000005]
L000002CB: MOV [ESP+0000001C], EAX
POPAD
LEAVE
RET
P000002D2: PUSH EBP
MOV EBP, ESP
PUSHAD
PUSH dword ptr [EBP+00000008]
CALL P00000230
ADD ESP, 00000004
OR EAX, EAX
JE/JZ L00000330
MOV EDX, [EAX]
MOV ESI, [EDX+00000001]
ADD ESI, 00000005
ADD ESI, EDX
CMP ESI, [EBP+0000000C]
JNE/JNZ L000002FB
PUSH dword ptr [EDX+00000005]
POP dword ptr [EAX]
JMP L00000324
L000002FB: CMP byte ptr [EDX], 0E9
JE/JZ L00000304
XOR EAX, EAX
JMP L00000324
L00000304: MOV ECX, [EDX+00000005]
MOV ESI, [ECX+00000001]
ADD ESI, 00000005
ADD ESI, ECX
CMP ESI, [EBP+0000000C]
JNE/JNZ L0000031E
PUSH dword ptr [ECX+00000005]
POP dword ptr [EDX+00000005]
MOV EDX, ECX
JMP L00000324
L0000031E: MOV EDX, ECX
CMP EAX, EAX
JE/JZ L000002FB
L00000324: PUSH 00000000
PUSH EDX
VXDCall _HeapFree
ADD ESP, 00000008
L00000330: MOV [ESP+0000001C], EAX
POPAD
LEAVE
RET
P00000337: PUSH EBP
MOV EBP, ESP
ADD ESP, 0FFFFFFF8
PUSHAD
VXDCall VMM_GetDDBList
JMP L00000382
L00000346: TEST word ptr [EAX+0000000A], 4000
JE/JZ L00000380
MOV EDX, [EAX+00000038]
OR EDX, EDX
JE/JZ L00000380
MOV [EBP-00000004], EAX
MOVZX EAX, word ptr [EAX+00000006]
SHL EAX, 10
MOV [EBP-00000008], EAX
XOR ECX, ECX
JMP L00000379
L00000366: PUSH EDX
PUSH ECX
OR ECX, [EBP-00000008]
PUSH ECX
CALL dword ptr [EBP+00000008]
ADD ESP, 00000004
OR EAX, EAX
POP ECX
POP EDX
JNE/JNZ L0000037D
INC ECX
L00000379: CMP ECX, [EDX]
JB/JNAE/JC L00000366
L0000037D: MOV EAX, [EBP-00000004]
L00000380: MOV EAX, [EAX]
L00000382: OR EAX, EAX
JNE/JNZ L00000346
POPAD
LEAVE
RET
INT 3
INT 3
INT 3