Curiosity about a few file extensions I've seen here and there


7 replies to this topic

#1 chromebuster (Members, 899 posts; Location: the crazy city of Boston, In the North East reaches of New England)

Posted 25 September 2010 - 02:14 PM

Hi folks,
I was just curious about a few file extensions I've seen here and there. I'm not sure if this goes here, but you can decide that for me. Has anyone ever seen the file extensions .vxd and .vmm used anywhere legitimate? I know that .VXD stands for Virtual Device Driver, and that .VMM stands for Virtual machine management, but the only places I've seen or heard of them being referenced is in certain viruses. W97M/Marker, for example, uses a virtual device driver in one of its variants for instance. What were these files originally designed to be used in by Microsoft? I'd love some input and some education. And I'm sorry if this question seems silly, irrelevant, or out in left field.

Thanks,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge



#2 cryptodan, Bleepin Madman (Members, 21,868 posts; Location: Catonsville, Md)

Posted 25 September 2010 - 04:59 PM

They were used in earlier versions of Windows from Windows 2000 and earlier.

#3 Platypus (Moderator, 14,967 posts; Location: Australia)

Posted 26 September 2010 - 05:08 AM

Confusingly, there are two things in Windows that can carry the VMM designation, the Virtual Machine Manager and the Virtual Memory Manager. The usual place people noticed VMM was in VMM.VXD.

The VXD is a driver structure known as a Monolithic Driver, a single file which contains all the code necessary to interface between a hardware device and Windows. It was superseded by the WDM (Windows Driver Model) structure which, once it was properly established, co-ordinated drivers being compiled from the same codebase for Windows 98SE and Windows 2000.

VMM.VXD was a Monolithic Block of drivers, which was used by the Virtual Machine Manager when it built the VM(s) that software ran on and saw as the computer. Instead of loading many individual VXD files, an image of how all the system drivers loaded into memory was saved to disk as VMM.VXD, and when Windows booted all the VXD drivers were loaded in one go.

The usefulness of a VXD to a virus is that device drivers run in Ring 0 (the highest priority in Protected Mode, same as the kernel). So a virus that can infect or replace an existing VXD, or become installed as a VXD pretending to interface to a non-existent device, can execute code at kernel priority. And if it could become incorporated into VMM.VXD, it was one more hiding place where it might be missed.

Top 5 things that never get done:

1.


#4 chromebuster, Topic Starter (Members, 899 posts)

Posted 26 September 2010 - 12:06 PM

That's interesting. So then in Windows 7, what are the files that have replaced these earlier ones? Is that where files with a .sys and .drv file extension come in?


#5 cryptodan, Bleepin Madman (Members, 21,868 posts)

Posted 26 September 2010 - 01:21 PM

That's interesting. So then in Windows 7, what are the files that have replaced these earlier ones? Is that where files with a .sys and .drv file extension come in?



You are correct.

#6 chromebuster, Topic Starter (Members, 899 posts)

Posted 27 September 2010 - 10:24 PM

Ah. I figured as much. But now what is the difference between the .sys file type and the .DRV file type?


#7 Platypus (Moderator, 14,967 posts)

Posted 28 September 2010 - 07:33 AM

An NT-class OS divides drivers into kernel mode and user mode operation. Kernel mode drivers run in Ring 0 and are used where maximum performance is required; user mode drivers run in Ring 3 (for security and stability) and access hardware devices and memory through the Windows API. The .sys drivers can be taken to be kernel mode drivers and .drv as user mode drivers.

Here's an example in Microsoft's discussion of the WDM Audio components:

http://msdn.microsoft.com/en-us/library/ff537039(VS.85).aspx

Edited by Platypus, 28 September 2010 - 07:36 AM.


#8 chromebuster, Topic Starter (Members, 899 posts)

Posted 28 September 2010 - 09:26 AM

Dang. That's pretty spiffy. It's interesting how Microsoft improves things so often, even at the deepest levels of the OS.

