╔═══════════════════════════════════════╗
║ DOS INterrupt Toolkit ║
║ (c) 1992, 1993 Zen Works ║
╚═══════════════════════════════════════╝
A long while ago, I realized that my aging brain could not possibly
retain all the DOS Interrupt 21h sub-function information that I
needed from time to time.
While I have a reasonably decent programmer's library, at least as
far as assembly language is concerned (never mind the wisecracks -
everything around here is done Quick-and-Dirty and I happen to LOVE
pasta, particularly spaghetti!), the needed data is spread over
a variety of printed volumes as well as binary files such as Ralf
Brown's excellent Interrupt List, various virus disassemblies, and
the collected Virus-L Digests.
I needed one single reference that would provide the necessary
information to use and/or translate all of the Interrupt 21h
sub-functions, particularly those that are rarely used in the course
of my normal programming and virus disassembly.
About a year ago, I put everything on hold and went through every
bit of source material at my disposal, accumulating a collection of
the essential reference material on the INT 21h sub-functions.
Since there are definite limits to the amount of time available for
such a project, all INT 21h sub-functions utilized by Novell, and
any other network, were omitted. Sorry, folks, maybe one of these
days, if there happens to be enough demand, but not now.
The result of my data collecting was DINT - a [D]os [IN]terrupt 21h
[T]oolkit, although I'm not certain whether the name `DINT' was
originally inspired by "what does that [D]amn [INT]errupt do?" or
by the "[DINT]y Moore" brand of Irish stew, given that DINT is also
a collection of odd ingredients from strange sources... <grin>
DINT exists in two parts, and is simple to use (remember, I wrote
it for my own use... ,-> ) Type "dint" and press <Enter>. Barring
a power failure or a lightning strike, you'll be presented with a
screen (Surprise! You were expecting pizza, maybe?):-
╔══════════════════════════════════════════════════════════════════════════╗
╔═══════════════════════════════════════════════════╗
║ DOS INterrupt Toolkit - v.n.nn ║
║ (c) 1992, 1993 Zen Works ║
╚═══════════════════════════════════════════════════╝
Quick reference for INT 21h sub-function calls.
[If registered copy, your name appears here]
Display an INT 21h sub-function [D]
Scroll Virus Installation Checks [V]
Test an INT 21h function [T]
Quit program [Q]
╚══════════════════════════════════════════════════════════════════════════╝
where v.n.nn is the current version number.
Selecting the `D' option (yeah, you press `d' or `D' - DINT is dumb and
DINT don't care...) clears the screen and presents a single line:-
╔══════════════════════════════════════════════════════════════════════════╗
Enter sub-function in 4-digit hex mode:
╚══════════════════════════════════════════════════════════════════════════╝
which means just what it says. If hexadecimal is a stranger to you,
what are you doing here?
For instance, if you want to see what the program termination function,
4C00h needs for calling parameters, enter `4C00'. And here, a small
note of apology is in order.
I set DINT up to accept a 4-character hex input with the idea that one
of these days I might enhance the program to allow the user to input
sub-function requests down to the AL level, for example, 5801 - Set
memory allocation strategy. You will discover, if you try it, that I
never did hone DINT down that fine, and it will default to AL being
equal to 00. Put up with it. Suffering builds character.
So assume we enter 7400:-
╔══════════════════════════════════════════════════════════════════════════╗
Enter sub-function in 4-digit hex mode: 7400
╚══════════════════════════════════════════════════════════════════════════╝
DINT will display the available information on that sub-function call:-
╔══════════════════════════════════════════════════════════════════════════╗
INT 21h Function 74h - Undocumented
Display an INT 21h sub-function [D]
Scroll Virus Installation Checks [V]
Test an INT 21h function [T]
Quit program [Q]
╚══════════════════════════════════════════════════════════════════════════╝
Surprise! In spite of the work of Ralf Brown and others, there are
still many functions whose purpose is unknown. Microsoft may know
what some of these do, but Microsoft wasn't a major contributor to
this product.
And of course, DINT, being well behaved, returns the menu for your
further selection.
Repeating the `D' option, and this time choosing sub-function
4B00h produces a bit more information:-
╔══════════════════════════════════════════════════════════════════════════╗
INT 21h Function 4Bh - "EXEC" - LOAD AND/OR EXECUTE PROGRAM
Call with AL = 00h "Load and Execute Program"
03h "Load Overlay:"
ES:BX = seg:offset of parameter block
DS:DX = seg:offset of program specifications
Returns: AX = error code if CF set
INT 21h Function 4B04h VIRUS - "MG", "699"/"Thirteen Minutes"
- INSTALLATION CHECK
Returns: CF clear if MG resident
AX = 044Bh if 699/Thirteen Minutes resident
INT 21h Function 4B05h - DOS 5.0 - SET EXECUTION STATE
Call with DS:DX -> execution state structure
Returns: AX = 0000h
AX = error code if CF set
Function has more screens. Display them? [Y/N]
╚══════════════════════════════════════════════════════════════════════════╝
Pressing a `Y' or `y' will hopefully produce Yet Another Screen of
invaluable data for your perusal:-
╔══════════════════════════════════════════════════════════════════════════╗
INT 21h Function 4B25h VIRUS - "1063"/"Mono" - INSTALLATION CHECK
Returns: DI = 1234h if resident
INT 21h Function 4B40h VIRUS - "Plastique"/"AntiCad"
- INSTALLATION CHECK
Returns: AX = 5678h if resident
INT 21h Function 4B41h VIRUS - "Plastique"/"AntiCad" - UNKNOWN
Call with AL = 41h
Returns: ???
INT 21h Function 4B4Ah VIRUS - "Jabberwocky" - INSTALLATION CHECK
Returns: AL = 57h if resident
INT 21h Function 4B4Bh VIRUS - "Horse-2" - INSTALLATION CHECK
Call with AL = 4Bh
Returns: CF clear if resident
Function has more screens. Display them? [Y/N]
╚══════════════════════════════════════════════════════════════════════════╝
Any function that has more than a single screen of information
available will display the "Function has more screens" line,
leaving it up to you whether they are to be displayed or not.
Time for one other little quirk. At the risk of sounding like
an echo in the Alps, DINT insists on a 4-character input. So,
if you want to see the accumulated wisdom concerning sub-function
0F, `Open File', you must enter 0F00.
On the other hand, particularly for programmer types who know that
hexadecimal numbers must be input in odd ways, FORGET IT. Here,
for example, if you want to explore sub-function FF, you merely
enter `FF00'. FOUR characters only; got it?
DINT includes references to INT 21h sub-functions used by assorted
DOS viruses. Staale Fagerland suggested that it would be quite
convenient if one were able to scroll through those selected
sub-functions. Since I've wished for the same feature many times
since DINT was originally written, I'm more than happy to comply
with his request.
Staale, this is for you:-
Select [V] from the menu, and you get:-
╔══════════════════════════════════════════════════════════════════════════╗
INT 21h Function 0B56h VIRUS - "Perfume" - Installation Check
Returns: AX = 4952h if resident
INT 21h Function 0D20h VIRUS - "Crazy Imp" - Installation Check
Returns: AX = 1971h if resident
INT 21h Function 30h VIRUS - "Possessed" - Installation Check
Call with DX = ABCDh
Returns: DX = DCBAh if installed
INT 21h Function 30F1h VIRUS - "Dutch-555"/"Quit 1992" - Installation Check
Returns: AL = 00h if resident
Function has more screens. Display them? [Y/N]
╚══════════════════════════════════════════════════════════════════════════╝
so you can at least scroll forward through the collected information
pertaining to DOS computer viruses. Backward scrolling is NOT
available. Don't ask. Forget it. Unless I get absolutely overwhelmed
with registrations and multiple requests for a backward scroll feature,
both of which are highly unlikely.
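The installation checks on the [V] screens are the same tests a memory scanner runs when looking for a resident virus: call the sub-function the virus hooks and see whether a register comes back with the virus's signature value rather than DOS's normal reply. The C program below is an added example (not DINT's own code, nor anything from the page): it models DINT's four-digit entry rule and compares a post-call register snapshot against the checks listed above; the regs_t snapshot and its values are constructed, since nothing here performs a real INT 21h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Registers DINT reports after an INT 21h call; in this example the
   snapshot is constructed rather than read back from a real DOS call. */
typedef struct { uint16_t ax, bx, cx, dx, si, di; bool cf; } regs_t;

/* Which register or flag a resident virus is expected to alter. */
typedef enum { CHK_AX, CHK_AL, CHK_DX, CHK_DI, CHK_CF_CLEAR } check_t;

/* Installation checks as listed on the DINT [V] screens, keyed on the
   4-digit value entered (AH = function, AL = sub-function). */
typedef struct { uint16_t ax_in; check_t kind; uint16_t expect;
                 const char *name; } install_check_t;

static const install_check_t CHECKS[] = {
    { 0x0B56, CHK_AX,       0x4952, "Perfume" },
    { 0x0D20, CHK_AX,       0x1971, "Crazy Imp" },
    { 0x3000, CHK_DX,       0xDCBA, "Possessed" },      /* fn 30h, call with DX = ABCDh */
    { 0x30F1, CHK_AL,       0x0000, "Dutch-555/Quit 1992" },
    { 0x4B04, CHK_AX,       0x044B, "699/Thirteen Minutes" },
    { 0x4B25, CHK_DI,       0x1234, "1063/Mono" },
    { 0x4B40, CHK_AX,       0x5678, "Plastique/AntiCad" },
    { 0x4B4A, CHK_AL,       0x0057, "Jabberwocky" },
    { 0x4B4B, CHK_CF_CLEAR, 0x0000, "Horse-2" },        /* CF clear if resident */
};
#define NCHECKS (sizeof CHECKS / sizeof CHECKS[0])

/* DINT's input rule: exactly four hex digits (so "0F" must be typed "0F00").
   Returns the AX value, or -1 for wrong length or a non-hex character. */
int parse_ax(const char *s) {
    if (strlen(s) != 4 || strspn(s, "0123456789abcdefABCDEF") != 4) return -1;
    return (int)strtol(s, NULL, 16);
}

/* Compare the post-call registers against every check keyed on ax_in.
   Returns the matching virus name, or NULL if nothing signalled residency. */
const char *match_install_check(uint16_t ax_in, const regs_t *r) {
    for (size_t i = 0; i < NCHECKS; i++) {
        const install_check_t *c = &CHECKS[i];
        if (c->ax_in != ax_in) continue;
        switch (c->kind) {
        case CHK_AX:       if (r->ax == c->expect)          return c->name; break;
        case CHK_AL:       if ((r->ax & 0xFF) == c->expect) return c->name; break;
        case CHK_DX:       if (r->dx == c->expect)          return c->name; break;
        case CHK_DI:       if (r->di == c->expect)          return c->name; break;
        case CHK_CF_CLEAR: if (!r->cf)                      return c->name; break;
        }
    }
    return NULL;
}
```

On a real DOS box the snapshot would be filled from the registers after `INT 21h`; the matching logic is the part that stays the same whichever way the call is made.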
The [T] option, wherein the user can `test' an INT 21h sub-function is
only available in the registered version, and I'm not at all certain
it's a good idea, even then.
WARNING!!! WARNING!!! WARNING!!! WARNING!!!
~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~
Use it entirely at your own risk. Neither I nor Zen Works will accept
ANY responsibility for anything you manage to do to yourself, your
computer, some one else's computer, your neighbour's lawn, pet dog,
pet iguana, pet wife, antique auto, house plants, or innocent
bystanders. If you choose to use this feature, you are absolutely on
your own. We refuse to even send flowers.
After all that, if you do select the [T] option, you'll be presented
with a further warning screen:
╔══════════════════════════════════════════════════════════════════════════╗
WARNING!! Selected functions are executed!
This is NOT a simulation. Use at your own risk!
[C]ontinue or [A]bort:
╚══════════════════════════════════════════════════════════════════════════╝
Means just what it says. The sub-function you plug in here WILL be
executed on your machine. You can create or delete a directory, a
file, or do anything of which the various sub-functions of DOS
Interrupt 21h are capable.
Entering an `A' (yes, even an `a') will get you back to the menu.
Press `C' and there's no turning back. Well, there are a couple of
ways.... which is why God gave us the Reset button and the 3-finger
salute....
The next screen to appear:-
╔══════════════════════════════════════════════════════════════════════════╗
Enter Function number (hex) in AX
Preloading other registers is optional - default values
are 0000h with Carry Flag clear
Enter Function (4-digit hex mode) :
╚══════════════════════════════════════════════════════════════════════════╝
Again, the program wants input in four hexadecimal characters,
but here you can make use of the AL register by entering values
other than 0 as the last two hex characters.
At this point, there is one more way to get out. Enter 4C00, the
DOS Interrupt 21h "Terminate" function, and you're back to the
DOS prompt.
Let us assume you want to see what, if anything, the undocumented
sub-function 9A00h actually does return:-
Enter Function (4-digit hex mode) : 9a00
DINT will then give you the option of preloading any value you like
in the other registers (all but CS, of course!).
╔══════════════════════════════════════════════════════════════════════════╗
Enter Function number (hex) in AX
Preloading other registers is optional - default values
are 0000h with Carry Flag clear
Enter Function (4-digit hex mode) : 9a00
Preload any other registers? [Y/N]:
╚══════════════════════════════════════════════════════════════════════════╝
Press `N' at this point and DINT will execute an INT 21h, sub-function
9Ah, with the AX, BX, CX, and DX registers set to zero and the Carry
Flag clear.
Press `Y' and DINT will cycle through the registers, giving you the
opportunity to load any hex value you like into each of them:-
╔══════════════════════════════════════════════════════════════════════════╗
Enter Function number (hex) in AX
Preloading other registers is optional - default values
are 0000h with Carry Flag clear
Enter Function (4-digit hex mode) : 9a00
Preload any other registers? [Y/N]:y
Preload BX register? [Y/N] :
╚══════════════════════════════════════════════════════════════════════════╝
If you choose to load a value in a particular register, press `Y'
and you will then be prompted for the value:-
╔══════════════════════════════════════════════════════════════════════════╗
Enter Function number (hex) in AX
Preloading other registers is optional - default values
are 0000h with Carry Flag clear
Enter Function (4-digit hex mode) : 9a00
Preload any other registers? [Y/N]:y
Preload BX register? [Y/N] : y Enter hex value:
╚══════════════════════════════════════════════════════════════════════════╝
If you attempt to preload the CS register, you will get a short
message telling you that sins of that magnitude are not allowed
in polite society. ;-)
╔══════════════════════════════════════════════════════════════════════════╗
Enter Function number (hex) in AX
Preloading other registers is optional - default values
are 0000h with Carry Flag clear
Enter Function (4-digit hex mode) : 9a00
Preload any other registers? [Y/N]:y
Preload CS register? [Y/N] : y Enter hex value: 0010
Set Carry Flag? [Y/N] :
Sorry, CS manipulation will hang your system!
╚══════════════════════════════════════════════════════════════════════════╝
Note that subsequent Preload queries all utilize the same line,
overwriting the previously displayed line. Pay attention!
And finally, you can choose whether to set the Carry flag or not.
As soon as your choice of the carry flag setting is entered,
DINT will execute the requested INT 21h sub-function. If your
selection wasn't entirely bizarre, and your system didn't hang as
a result, you should get a response screen:-
╔══════════════════════════════════════════════════════════════════════════╗
Enter Function number (hex) in AX
Preloading other registers is optional - default values
are 0000h with Carry Flag clear
Enter Function (4-digit hex mode) : 9a00
Preload any other registers? [Y/N]:y
Preload CS register? [Y/N] : y Enter hex value: 0010
Set Carry Flag? [Y/N] : n
AX is now 9A00 hex BP is now 0000 hex
BX is now 0010 hex CS is still 3D14 hex
CX is now 0000 hex DS is now 3D14 hex
DX is now 0000 hex ES is now 27C4 hex
SI is now 0000 hex SS is now 27D4 hex
DI is now 0000 hex
Carry Flag is clear.
Test again? [Y/N]
╚══════════════════════════════════════════════════════════════════════════╝
There, wasn't that totally enlightening? The value preloaded in
BX didn't change, the carry flag is still clear, and the values
of the CS, DS, ES and SS registers are simply the values that
DINT happens to be currently using.
A real Zen experience, huh?
Since the distribution copy of DINT is a compilation, amalgamation,
and accumulation of information from a wide variety of sources, some
copyrighted and some not, I can't ask for money. Use it as you will,
distribute it as you wish. Call my BBS and bitch, gripe, moan in
ecstasy, writhe, grovel, or leave comments. Love to hear them.
If you're overburdened with the world's riches, donations are always
welcome. How welcome? Well, I wrote DINT on an XT-class machine,
and the BBS runs on a 12MHz 80286, if that gives you the picture...
However, the Test feature is only available in a registered version,
and for that I expect to be paid. $20.00 gets you a 3.5" diskette
sent via ordinary mail anywhere. Of that fee, $2.00 covers the code
and the balance is a meagre payment for writing the doc file. The
family philosophy (yes, there's more of us!) is that it's enough for
a programmer to write and debug the code; users shouldn't expect
documentation. But they do. $25.00 buys the same diskette via
registered mail. The additional $5.00 also covers the aggravation
of my having to be awake in the daytime to go to the post office.
If you're bordering on the suicidal and have a compelling desire to
spend your hard earned money just to be able to do arcane and absurd
things to your system, make cheques (Yes, I'll accept personal
cheques - I've been stiffed for greater sums than twenty bucks and
managed to survive), money orders, cashier's cheques, or bank
drafts payable to R. W. Hale (that being the way I sign my name,
simply because it's shorter and quicker), and mail it, along with
your name spelled the way you want it to appear on the opening
screen, and your complete mailing address.
Mail to me at:-
R. Wallace Hale
P. O. Box 528
Houlton, Maine
04730-0528
U.S.A.
Messages to me on Driftnet (my BBS) telling me "the cheque is in
the mail" will be ignored. At least until the mail is delivered.
If any Canadian has read this far, and still has money left after
taxes, the price is the same in Canadian dollars. But if you do
send Canadian money, you'd better have a Canadian mailing address!
<grin>
To answer a few questions that some one, somewhere, may be asking:-
NO! I do not plan to create a TSR version.
No, I'm not aware of any conflicts between DINT and any TSRs, but
I don't use many TSRs, so I don't speak from any position of great
authority.
Upgrades? Possibly, depends on my life span and what new data
becomes available.
Will upgrades be free to registered users? I doubt it. If enough
additional data becomes available to justify updating DINT, and if
more than two people have registered the program, I probably won't
be able to afford the distribution costs. However, I will keep
the cost of updates to the absolute minimum.
Bug fixes? Serious ones will be fixed on my nickel, but you may
have to call Driftnet to get the patched version. Minor ones?
Depends on my workload.
Windows compatibility? I sincerely hope not!
An OS/2 version? Why would you want it?
Network compatibility? Perhaps by accident, but not by design.
- R. Wallace Hale
13 July 1993
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
█ ╔═══════════════════╦═════════════════════════════════════════════════╗ █
█ ║ Driftnet BBS ║ Free access at all levels. ║ █
█ ║ Woodstock, N. B. ║ Download on first call, no ratios. ║ █
█ ║ (506) 325-9002 ║ Extensive collection of the latest virus ║ █
█ ║ Intel 14.4 v32 ║ information and anti-viral tools. ║ █
█ ║ 24 hours ║ The virus research section is absolutely ║ █
█ ║ Wallace Hale ║ restricted to recognized members of the ║ █
█ ║ Sysop ║ AV community. ║ █
█ ╠═══════════════════╩═════════════════════════════════════════════════╣ █
█ ║ -= Zen Works =- ║ █
█ ╚═════════════════════════════════════════════════════════════════════╝ █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀