Sender: microbe (Wonderful Microbe), Board: DOS
Subject: A very interesting program
Posted at: BBS Shuimu Tsinghua Station (Sat Jan 31 13:42:30 1998) WWW-POST
Anyone who has read the book "Unpublished DOS Kernel Techniques" will surely remember that it has a program called intrspy,
which can observe which interrupts a certain program calls. I made a tool myself called intchain, which can observe
which programs a certain interrupt traverses (of course, they are all memory-resident). For example, below is an intchain output:
C:\USER>intchain 21 2a
INTCHAIN 3.0 is developed by Scott Zhong, SCDZ of USTC, Jan 30 1997
Trace Interrupt 21 Call
Enter : AX=2A00 BX=0000 CX=0000 DX=0000 SI=0000 DI=0000 BP=0000 ES=144C
Code Entry Name Type Owner Pos Size Exec LastIns&INT
-----------------------------------------------------------------------------
0253:04A0 IFS$HLP$ Device IFSHLP 2k 1 Jump Far
00C9:0FB2 MSDOS Kernel MSDOS LOW 23 Jump Far
FF03:41E7 MSDOS Kernel MSDOS HMA 157 Call Far
INT 2A
0070:027A IO SysDev S IO LOW 3 RetF
FF03:84FE MSDOS Kernel MSDOS HMA 3 Call Far
0070:00EE CLOCK$ SysDev I IO LOW 7 Jump Far
FFFF:0040 MSDOS Kernel MSDOS HMA 92 RetF
INT 1A
FF03:850A MSDOS Kernel MSDOS HMA 65 Iret
INT 2A
Totally output 8 Modules and executed 351 Instructions
Return: AX=2A05 BX=0000 CX=07CD DX=0215 SI=0000 DI=0000 BP=0000 ES=144C
Operation seems to be successful
Below is the result of observing the INT 13H interrupt in a DOS box under Win95. Very interesting indeed: there is only one instruction, ARPL.
C:\USER>intchain 13
INTCHAIN 3.0 is developed by Scott Zhong, SCDZ of USTC, Jan 30 1997
Trace Interrupt 13 Call
Enter : AX=0000 BX=0000 CX=0000 DX=0000 SI=0000 DI=0000 BP=0000 ES=127D
Code Entry Name Type Owner Pos Size Exec LastIns&INT
-----------------------------------------------------------------------------
FD5C:2557 ROM BIOS BasicI/O BIOS ROM 1 ARPL
Totally output 1 Module and executed 1 Instruction
Return: AX=0000 BX=0000 CX=0000 DX=0000 SI=0000 DI=0000 BP=0000 ES=127D
Operation seems to be successful
This program can also be used to check whether there is a virus in the current memory environment:
are there any suspicious modules in your INT 13H or INT 21H interrupt chain?
OK, if you are interested in this program, you can download it from the address below:
ftp://ftp.lib.pku.edu.cn/incoming/intchain/int.exe
This is a self-extracting program. After extracting it there are two files: intchain.exe and readme.txt.
BTW: There is a program with the same name in the beta version of Win95, but that one is too crude, so I made one myself.
--
Having traveled the roads to the ends of the earth, in the end I still turn back
Having seen flowers spread like a sea, they fall like snow
※ Modified: microbe edited this post on Jan 31 13:49:17
※ Source:·BBS Shuimu Tsinghua Station bbs.net.tsinghua.edu.cn·
(This post was copied using the S-Term article copy script)
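A parser for the intchain listing with the check the post suggests (flag any module in the chain whose owner is not a known system component), added here as an example and not part of the original post or of the intchain tool. The column rules (Exec is the last all-digit token, Pos and Size may be blank) and the set of known owners are assumptions inferred from the two listings above; the TSR_X row in the sample is constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample: the INT 21h chain from the post plus one made-up row
# (owner "TSR_X", a hypothetical resident hook) so the check has something to flag.
SAMPLE = """\
Trace Interrupt 21 Call
Code Entry Name Type Owner Pos Size Exec LastIns&INT
0253:04A0 IFS$HLP$ Device IFSHLP 2k 1 Jump Far
1F4A:0103 TSR_X Unknown TSR_X LOW 40 Jump Far
00C9:0FB2 MSDOS Kernel MSDOS LOW 23 Jump Far
FF03:41E7 MSDOS Kernel MSDOS HMA 157 Call Far
INT 2A
0070:027A IO SysDev S IO LOW 3 RetF
FF03:850A MSDOS Kernel MSDOS HMA 65 Iret
Totally output 6 Modules and executed 289 Instructions
"""
KNOWN_OWNERS = {"MSDOS", "IO", "BIOS", "IFSHLP"}  # assumed: system owners seen in the post
POSITIONS = {"LOW", "HMA", "UMB", "ROM"}          # assumed Pos column values
ADDR = re.compile(r"[0-9A-F]{4}:[0-9A-F]{4}")
@dataclass
class Hook:
    addr: str; desc: str; owner: str; pos: str; size: str; exec_count: int; last_ins: str
def parse_row(line):
    # Pos and Size are blank for most rows and the columns are only space-separated,
    # so anchor on the Exec count (last all-digit token) and walk backwards from it.
    t = line.split()
    if not t or not ADDR.fullmatch(t[0]):
        return None
    i = max(k for k, tok in enumerate(t) if tok.isdigit())
    last_ins, j, size, pos = " ".join(t[i + 1:]), i - 1, "", ""
    if re.fullmatch(r"\d+[kK]", t[j]):
        size, j = t[j], j - 1
    if t[j] in POSITIONS:
        pos, j = t[j], j - 1
    return Hook(t[0], " ".join(t[1:j]), t[j], pos, size, int(t[i]), last_ins)
def parse_chain(text):
    # Returns hooks in chain order and the interrupts the trace re-entered ("INT xx" lines).
    hooks, nested = [], []
    for line in text.splitlines():
        if line.startswith("INT "):
            nested.append(line.split()[1])
        elif (h := parse_row(line)) is not None:
            hooks.append(h)
    return hooks, nested
def suspicious(hooks):
    # The post's advice: anything in the chain not owned by a known system module.
    return [h for h in hooks if h.owner not in KNOWN_OWNERS]
```

The Exec column sums to the instruction count in the "Totally ..." footer (1+23+157+3+3+7+92+65 = 351 in the first listing above), so that sum is a cheap consistency check on the parse.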
==================================================
ko20010214
=================================
Mission accomplished, here's a kiss!
ko20010214@MSN.com
Hasee Youya Q300C
Intel Celeron M 370 processor | 256 MB DDR memory
40 GB hard disk | USB 2.0 | IEEE 1394
13.3" WXGA widescreen (16:10) | COMBO optical drive
10/100M NIC | four-in-one card reader
