DOS ain't dead

digression : MSDOS 7 and SHARE.EXE revisited (Miscellaneous)

posted by cm, Düsseldorf, Germany, 18.12.2009, 14:31

> even if it makes DOS flush disk buffers for no apparent reason :-|

A. Set up fake drives.

B. Find another call which doesn't result in disk access.

C. Screw it, the buffers are flushed by each process termination anyway!

> > Yes because you should use the pointer at 0:C1 instead of the SHARE.EXE
> > hooks ;-)
>
> I'm still waiting for you to show how you do this in practice :-P

Citing myself along the way:
> I'd suggest you use the far jump at 0:C0 instead
> (the CP/M "CALL 5" compatibility entry).

> To ensure that this will actually retrieve correct pointers,
> check that at 0:C0 there is indeed a far jump.

if byte[0:C0] != EAh goto error    ; 0:C0 must hold a far jump (opcode EAh)
ptr = dword[0:C1]                  ; segment:offset operand of that far jump


> This either points directly to the DOS code segment or to one
> of the stubs in the DOS data segment. You can identify the stub
> and if it's one, you have to retrieve the address that it jumps
> to in its last instruction; this address points to the DOS code
> segment.

if (word[ptr] == 9090h) || (word[ptr] == 03EBh)   ; NOP NOP or JMP SHORT +3: it's the HMA stub
(
    ptr = (ptr & FFFF0000h) | word[ptr+8]   ; keep the segment, take the operand of the JMP FAR CS:[xxxx] at ptr+5
    ptr = dword[ptr]                        ; load the far pointer that indirect jump goes through
)


Done. The high word of the variable ptr is now the segment the DOS code is addressed with.

In the last step, you might want to verify that, additionally, a near call (E8h) as well as an indirect far jump with CS: override (2Eh, FFh, 2Eh) follow the double-NOP or short jump of the HMA stub. (Note that the stub is used by DOS in case the DOS code might be relocated to the HMA (DOS=HIGH set) but the short jump will only be patched to the NOP sequence if it actually got relocated. (DOS=HIGH set and XMM loaded.))

I don't know whether the stub looks the same in MS-DOS 8, you have to look into this if you want to adapt this method.

You might also verify that the actual code pointed to by ptr now is the CP/M entry; it starts with some sequence of pop, push and mov instructions. Look at your kernel for this. The sequence probably didn't change between most MS-DOS versions except the offsets into the code and data segment.

> You could probably decide where to search for the patch location
> using the CALL 5 handler instead of the Int27 handler as well.

I'll leave this to you.

---
l
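The walk described in the post, as an added example that is not code from cm or from the forum: it checks the far jump at 0:C0, follows dword[0:C1], recognises the NOP NOP / JMP SHORT +3 stub, verifies the CALL NEAR and JMP FAR CS:[xxxx] that follow it, and returns the segment found in the pointer the stub jumps through. Memory is a constructed flat image, and all segment and offset values in the two sample images are made up; the real MS-DOS 7 layout is not asserted, only the stub shape the post describes.

```python
# Added example, not code from the post: walk the CP/M "CALL 5" entry at 0:C0
# to the DOS code segment, following the HMA stub when DOS=HIGH relocated it.
# Memory is a constructed flat image ({linear address: byte}); the sample
# segment/offset values below are made up, only the stub shape is from the post.

def linear(seg, off):
    """Real-mode address: segment * 16 + offset (20-bit, wraps like the 8086)."""
    return (seg * 16 + off) & 0xFFFFF

def rd(mem, seg, off, size):
    """Little-endian read of `size` bytes at seg:off from the image."""
    return int.from_bytes(
        bytes(mem.get(linear(seg, off) + i, 0) for i in range(size)), "little")

def put(mem, seg, off, data):
    """Write a byte string at seg:off into the image (test scaffolding)."""
    for i, b in enumerate(data):
        mem[linear(seg, off) + i] = b

def dos_code_segment(mem):
    """Return the DOS code segment, or None when a sanity check fails."""
    if rd(mem, 0, 0xC0, 1) != 0xEA:                        # 0:C0 must be JMP FAR
        return None
    off, seg = rd(mem, 0, 0xC1, 2), rd(mem, 0, 0xC3, 2)    # dword[0:C1]
    head = rd(mem, seg, off, 2)
    if head not in (0x9090, 0x03EB):                       # no NOP NOP / JMP SHORT +3
        return seg                                         # points straight into DOS code
    # HMA stub: JMP SHORT or NOPs, CALL NEAR (E8h), then JMP FAR CS:[xxxx] (2E FF 2E)
    if rd(mem, seg, off + 2, 1) != 0xE8 or rd(mem, seg, off + 5, 3) != 0x2EFF2E:
        return None                                        # not the stub layout expected
    ptr_off = rd(mem, seg, off + 8, 2)                     # operand of the indirect jump
    return rd(mem, seg, ptr_off + 2, 2)                    # high word of dword[seg:ptr_off]

def image_low():
    """Constructed image: DOS low, 0:C1 points directly at the code segment."""
    mem = {}
    put(mem, 0, 0xC0, bytes([0xEA, 0xC0, 0x00, 0x16, 0x01]))   # JMP FAR 0116:00C0
    put(mem, 0x0116, 0xC0, bytes([0x5E, 0x56, 0x8B, 0xF4]))     # pop/push/mov ...
    return mem

def image_high():
    """Constructed image: DOS=HIGH, 0:C1 points at the stub in the data segment."""
    mem = {}
    put(mem, 0, 0xC0, bytes([0xEA, 0x09, 0x01, 0x70, 0x00]))   # JMP FAR 0070:0109
    put(mem, 0x70, 0x109, bytes([0x90, 0x90, 0xE8, 0x10, 0x00,
                                 0x2E, 0xFF, 0x2E, 0x20, 0x01]))  # stub, pointer at 0120
    put(mem, 0x70, 0x120, bytes([0xC0, 0x00, 0xFF, 0xFF]))      # dword -> FFFF:00C0
    return mem
```

On a real machine the three reads would be far-pointer peeks into low memory instead of dictionary lookups; the decision logic stays the same.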
