PsL Monthly 1994 February

home *** CD-ROM | disk | FTP | other *** search

/ PsL Monthly 1994 February / psl_9403.zip / psl_9403 / DOS / UT_SYSTM / MWATCHTI.ZIP / MEMWATCH.ASM < prev next >

Wrap

Assembly Source File | 1993-12-09 | 26KB | 608 lines

;-------------------------------- MEMWATCH --------------------------------- ; A TSR to "watch" for all the ways a program might try to allocate memory. ; ; This includes EMS, XMS(UMB's and EMB's), Int 15, DPMI, and VCPI. ; Note: Programs that use higher level methods (like DPMI) may show a ; "hit" on several different methods at the same time. ;--------------------------------------------------------------------------- ; To effectively watch for EMS allocations, we need to do some trickery ; when we hook Int67. Programs often look for an EMS driver by assuming ; Int67 is aimed into a device driver's code segment and then look into ; what would be the device header at DDSeg:devicename. We need to setup ; a "fake" device header they can scan through. ;--------------------------------------------------------------------------- ; Things to do: ; ; - Relocate some code/data into the PSP to reduce resident footprint. ; - Think about adding usage counts ; - Think about active PSP "scoped" reporting ;--------------------------------------------------------------------------- ; Author: Tony Ingenoso ;--------------------------------------------------------------------------- ;--------------------------------------------------------------------------- ; We'll be monitoring these types of memory activities... ;--------------------------------------------------------------------------- MemFlags struc fEMS32 db 0 ; EMS 3.2 flag fEMS40 db 0 ; EMS 4.0 flag fEEMS db 0 ; EEMS flag fHMA db 0 ; HMA flag fEMB db 0 ; XMS extended memory flag fUMB db 0 ; XMS UMB memory flag fDOSSTRAT db 0 ; DOS UMB strategy flag fDOSLINK db 0 ; DOS UMB link flag fDOSHMA db 0 ; DOS managed HMA flag (slack space) fINT15 db 0 ; Int 15 memory flag fDPMI db 0 ; DPMI memory flag fVCPI db 0 ; VCPI memory flag ends ShowMessage macro msg mov dx, offset msg mov ah, 9 int 21h endm memwatch segment para public 'code' assume cs:memwatch org 100h ; This is a COM file. start label near jmp THROW_AWAY_CODE ;-------------------------------------------------------------------------- ; Old vectors/pointers to chain to ;-------------------------------------------------------------------------- align 4 OldInt15 dd 0 ; Saved Int 15 vector OldInt21 dd 0 ; Saved Int 21 vector OldInt2F dd 0 ; Saved Int 2F vector OldInt67 dd 0 ; Saved Int 67 vector OldXMS dd 0 ; Saved XMS entry point ;-------------------------------------------------------------------------- ; Working flags...... ;-------------------------------------------------------------------------- db "MEMWATCH" ; A signature MemVars MemFlags <> ; Flags structure MemVarsLen = $-MemVars ;-------------------------------------------------------------------------- ; The XMS hook to "watch" for XMS calls. ;-------------------------------------------------------------------------- ; By taking over the Int 2F that returns the XMS entry point rather than ; patching into the existing driver, nice things happen. All prior loaded ; TSR's and device drivers that call XMS will go directly to the original ; driver. This means we won't see a bunch of "noise" that looks like it's ; comming from the app(s) being monitored. We'll be seeing only his actions. ; We're really not interested in XMS activity from caches, VDISK's, etc. ;-------------------------------------------------------------------------- align 2 XMShooker proc far jmp short XMS_hookability ; So we can subsequently be hooked nop ; out by some other program... nop ; nop ; XMS_hookability: cmp ah, 1 ; Trying to allocate HMA? jne CheckAllocEMB ; mov MemVars.fHMA, 1 ; jmp short ChainXMS ; CheckAllocEMB: cmp ah, 9 ; Trying to allocate EMB? jne CheckAllocUMB ; mov MemVars.fEMB, 1 ; jmp short ChainXMS ; CheckAllocUMB: cmp ah, 10h ; Trying to allocate UMB? jne ChainXMS ; mov MemVars.fUMB, 1 ; ChainXMS: jmp [OldXMS] XMShooker endp ;-------------------------------------------------------------------------- ; The 15 hook to "watch" for extended memory moves. ;-------------------------------------------------------------------------- align 2 Int15hooker proc far cmp ah, 87h ; Extended memory move? jne No15 ; mov MemVars.fINT15, 1 ; Yes, we've seen one No15: jmp [OldInt15] ; Chain it forward Int15hooker endp ;-------------------------------------------------------------------------- ; The 21 hook to "watch" for UMB activity ;-------------------------------------------------------------------------- align 2 Int21hooker proc far cmp ax, 5801 ; Set strategy? jne LookForLink ; ;------------------------------------------------------------- ; Check the "set" strateg to see if it includes UMB's ;------------------------------------------------------------- cmp bl, 40h ; Is the allocation je YesStrat ; strategy being set cmp bl, 41h ; to something that je YesStrat ; will cause an cmp bl, 42h ; allocation to come je YesStrat ; from a UMB? cmp bl, 80h ; je YesStrat ; cmp bl, 81h ; je YesStrat ; cmp bl, 82h ; je YesStrat ; ;------------------------------------------------------------- ; Check the "link" option to see if it's "linking in" UMB's ;------------------------------------------------------------- LookForLink: ; cmp ax, 5803h ; Is he trying to (un)link UMB's? jne No21 ; Nope... cmp bx, 0001h ; Add UMB's to chain? je YesLink ; Yes,... jmp short No21 ; No,... YesStrat: mov MemVars.fDOSSTRAT, 1 ; Yes, we've seen one jmp short No21 YesLink: mov MemVars.fDOSLINK, 1 ; Yes, we've seen one No21: jmp [OldInt21] ; Chain it forward Int21hooker endp ;-------------------------------------------------------------------------- ; The 2F hook responds to our presence check and other things.... ;-------------------------------------------------------------------------- align 2 Int2Fhooker proc far cmp ax, 'EM' ; Int2F presence check? jne TryDOSmanagedHMA ; We're cmp bx, 'WM' ; looking jne TryDOSmanagedHMA ; for cmp cx, 'TA' ; "MEMWATCH" jne TryDOSmanagedHMA ; in the cmp dx, 'HC' ; AX:BX:CX:DX jne TryDOSmanagedHMA ;