Video Hook Technology

Lee Mowatt

Oct 28, 1999, 3:00:00 AM
I recently became peripherally aware of a technique to monitor the
"conversation" between GDI and the display driver. It was referred to as
"Video Hook Technology". Supposedly, NetMeeting 2.1 uses this technique to
capture the desktop for application sharing. Does anyone know any more about
this technique?

--
Lee Mowatt
lmo...@craftechsoftware.com
http://www.craftechsoftware.com

Mike Hill

Oct 29, 1999, 3:00:00 AM

"Lee Mowatt" <lmo...@craftechsoftware.com> wrote in message
news:Ci1S3.115$J04...@newsfeed.slurp.net...

> I recently became peripherally aware of a technique to monitor the
> "conversation" between GDI and the display driver. It was referred to as
> "Video Hook Technology". Supposedly, NetMeeting 2.1 uses this technique to
> capture the desktop for application sharing. Does anyone know any more
> about this technique?
>

There are two possible techniques.

You can replace the original display driver with your own and forward all
the DDI calls through to the original.

You can create a 'mirror' driver. This gets a duplicate of all the DDI calls
that the GDI would send to the real video driver.

There are however a number of major technical problems to overcome... what
else do you want to know?

Mike.

Gerardo Richarte

Oct 29, 1999, 3:00:00 AM
Mike Hill wrote:

> There are two possible techniques.
>
> You can replace the original display driver with your own and forward all
> the DDI calls through to the original.
>
> You can create a 'mirror' driver. This gets a duplicate of all the DDI calls
> that the GDI would send to the real video driver.

What about hooking the system calls added to the kernel for user interface
(I'm talking about something like 500 services provided by INT 2Eh, take a look
at a paper in Library y http://www.securityfocus.com)

Gerardo Richarte
http://www.core-sdi.com


Mike Hill

Nov 2, 1999, 3:00:00 AM
> What about hooking the system calls added to the kernel for user interface
> (I'm talking about something like 500 services provided by INT 2Eh, take a
> look at a paper in Library y http://www.securityfocus.com)
>
This is certainly possible, but more tricky. For one thing, it's all
undocumented. Some of the vital information you need to hook a system call
(like specific offsets and structure definitions) can (and do) change from
one service pack to another. Therefore your code is more likely to break in
future versions of the OS. Also, Windows 2000 has a code patching protection
mechanism to prevent you from patching kernel mode code (although this can
be turned off if you have admin rights).
If you are writing a hacking aid, then you can probably live with these
restrictions. If you are writing a commercial application/utility which has
to work on 100% of machines out there, and continue to work if the user
installs a new service pack, then it is not so acceptable.

Constantin Fishkin

Nov 2, 1999, 3:00:00 AM
To intercept display driver functions you can substitute the original display
driver with your own dd that:
1) Exports DrvEnableDriver as entry point
2) The DrvEnableDriver loads the original dd and calls its entry point
3) Stores the original driver function pointers and passes to the GDI its own
   function pointers
4) If a driver function is called the driver calls the same function of the
   original driver

Best regards, Coca


Lee Mowatt wrote:

> I recently became peripherally aware of a technique to monitor the
> "conversation" between GDI and the display driver. It was referred to as
> "Video Hook Technology". Supposedly, NetMeeting 2.1 uses this technique to
> capture the desktop for application sharing. Does anyone know any more about
> this technique?
>
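
The four steps in the post above, modelled in portable user-mode C as an added example (not code from the post or from the DDK). The `*_M` types are simplified stand-ins for the DDK's `DRVFN` / `DRVENABLEDATA`, and the `orig_*`, `wrap_*` names and index values are hypothetical; `count_interposed` shows that comparing the table GDI receives against the original driver's table reveals which entries a wrapper has replaced.

```c
#include <stdio.h>
/* Simplified stand-ins for the DDK's DRVFN / DRVENABLEDATA (hypothetical names). */
typedef long (*PFN_M)(long);
typedef struct { unsigned iFunc; PFN_M pfn; } DRVFN_M;
typedef struct { unsigned c; DRVFN_M *pdrvfn; } DRVENABLEDATA_M;
enum { IDX_TEXTOUT, IDX_BITBLT, IDX_LINETO, IDX_MAX };  /* constructed indices */
static long orig_textout(long a) { return a + 1; }      /* the "original" driver */
static long orig_bitblt(long a)  { return a * 2; }
static long orig_lineto(long a)  { return a - 1; }
static DRVFN_M orig_table[] = { {IDX_TEXTOUT, orig_textout},
    {IDX_BITBLT, orig_bitblt}, {IDX_LINETO, orig_lineto} };
int orig_enable(DRVENABLEDATA_M *d) { d->c = 3; d->pdrvfn = orig_table; return 1; }
static PFN_M saved[IDX_MAX];          /* step 3: original function pointers */
static unsigned long seen[IDX_MAX];   /* calls observed by the wrapper */
static long wrap_textout(long a) { seen[IDX_TEXTOUT]++; return saved[IDX_TEXTOUT](a); }
static long wrap_bitblt(long a)  { seen[IDX_BITBLT]++;  return saved[IDX_BITBLT](a); }
static DRVFN_M wrap_table[IDX_MAX];
int wrap_enable(DRVENABLEDATA_M *d) {                  /* step 1: same entry point */
    DRVENABLEDATA_M o;
    if (!orig_enable(&o) || o.c > IDX_MAX) return 0;   /* step 2: call the original */
    for (unsigned i = 0; i < o.c; i++) {
        unsigned idx = o.pdrvfn[i].iFunc;
        if (idx >= IDX_MAX) return 0;                  /* unknown index: refuse */
        saved[idx] = o.pdrvfn[i].pfn;
        wrap_table[i].iFunc = idx;                     /* unwrapped entries pass through */
        wrap_table[i].pfn = idx == IDX_TEXTOUT ? wrap_textout
                          : idx == IDX_BITBLT  ? wrap_bitblt : saved[idx];
    }
    d->c = o.c; d->pdrvfn = wrap_table;                /* caller now sees the wrapper */
    return 1;
}
unsigned long wrap_calls(unsigned idx) { return idx < IDX_MAX ? seen[idx] : 0; }
long call_ddi(const DRVENABLEDATA_M *d, unsigned idx, long a) {  /* GDI's side */
    for (unsigned i = 0; i < d->c; i++)
        if (d->pdrvfn[i].iFunc == idx) return d->pdrvfn[i].pfn(a);  /* step 4 */
    return -1;
}
unsigned count_interposed(const DRVENABLEDATA_M *got, const DRVENABLEDATA_M *good) {
    unsigned n = 0;                   /* entries that differ from the known-good table */
    for (unsigned i = 0; i < got->c && i < good->c; i++)
        if (got->pdrvfn[i].pfn != good->pdrvfn[i].pfn) n++;
    return n;
}
int main(void) {
    DRVENABLEDATA_M g, o;
    if (!wrap_enable(&g) || !orig_enable(&o)) return 1;
    printf("%ld %u\n", call_ddi(&g, IDX_TEXTOUT, 41), count_interposed(&g, &o));
    return 0;
}
```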

Hellenthal J.W.

Nov 3, 1999, 3:00:00 AM
On Thu, 28 Oct 1999 15:20:41 -0400, "Lee Mowatt"
<lmo...@craftechsoftware.com> wrote:

>I recently became peripherally aware of a technique to monitor the
>"conversation" between GDI and the display driver. It was referred to as
>"Video Hook Technology". Supposedly, NetMeeting 2.1 uses this technique to
>capture the desktop for application sharing. Does anyone know any more about
>this technique?
>
>--
>Lee Mowatt
>lmo...@craftechsoftware.com
>http://www.craftechsoftware.com
>
>

Take a look at the W2K DDK. It has a sample of a mirror driver.

AJ Gray

Nov 3, 1999, 3:00:00 AM
"Lee Mowatt" <lmo...@craftechsoftware.com> wrote:

>I recently became peripherally aware of a technique to monitor the
>"conversation" between GDI and the display driver. It was referred to as
>"Video Hook Technology". Supposedly, NetMeeting 2.1 uses this technique to
>capture the desktop for application sharing. Does anyone know any more about
>this technique?
>
>--

I recently tried out NuMega BoundsChecker (BchkD.sys), which is part of
DriverStudio 1.0, a rather expensive bit of software which only runs
on NT4. It successfully managed to monitor GDI calls to an S3virge
driver. However it failed miserably with Permedia 2, beware!!!


-------------------------
Andrew Gray
Imagine Graphics
www.imagine-g.com
-------------------------

KPG

Nov 8, 1999, 3:00:00 AM
Well, actually NetMeeting uses a "mirror" display driver... See Win2K DDK
for details.

Regards,

Klaus P . Gerlicher

Hellenthal J.W. <whell...@lucent.com> wrote in message
news:381fe75c....@ssbunews.ih.lucent.com...
> On Thu, 28 Oct 1999 15:20:41 -0400, "Lee Mowatt"
> <lmo...@craftechsoftware.com> wrote:
>
> >I recently became peripherally aware of a technique to monitor the
> >"conversation" between GDI and the display driver. It was referred to as
> >"Video Hook Technology". Supposedly, NetMeeting 2.1 uses this technique to
> >capture the desktop for application sharing. Does anyone know any more about
> >this technique?
> >
> >--
