Welcome to this site by R. Mahesh Kumar. This site is dedicated to my inspiration, the master of the 'C' language, Mr. Yashavant P. Kanetkar.
Take for instance what happens when the machine is switched on. The microprocessor passes control to a certain area in ROM. The address, by tacit understanding between IBM and Intel, has been fixed at FFFF:0000. The routine at this address starts the program known as the POST (power-on self test).
PROGRAM1 What the POST does is a lot of hardware checks, like making sure the monitor, the printer and the keyboard are connected and working. It also fills certain areas in memory with numbers, after first initializing these locations to zeros. These numbers are later used by DOS.
The BIOS data area and the interrupt vector table in memory are where these numbers are put. These numbers, among other things, are also the addresses of the routines in ROM BIOS, e.g. FFFF:0000.
We have seen earlier that memory location 0x417 is linked to the special keys (Caps Lock, Alt, etc.) on our keyboard. This location, which is one byte, can be manipulated at the bit level, with each bit corresponding to a special key.
PROGRAM2 The keep() function reserves 16000 bytes of memory for this program. Now whenever the timer ticks, the function new() is executed. Redefining interrupt 8, which is the interrupt for the timer, and assigning it the function new() causes the line *scr=64; to be executed 18.2 times a second. This results in bit 6 of byte 0x417 being set to 1 18.2 times a second. This bit corresponds to the Caps Lock key, as we saw in the earlier program. Now even if we try to turn Caps Lock off, we will not be able to, since the status of the bit is constantly being rewritten.
FOR HACKERS
What do we mean when we say "capturing interrupts"?
There is a part of memory called the IVT (interrupt vector table). It contains the addresses of routines that write to or read from disk, that take keyboard input, that write to the screen, etc.
A virus goes to this IVT and replaces an address there with the address of its own code. Now a call to that interrupt would activate the virus code rather than the actual routine. For example, let's say memory locations 76 to 79 in the IVT contain the address of the routine that writes to disk. Suppose a virus replaced these locations with its own address. Now whenever a call is made to write to disk, say by a COPY command, the actual routine would not get called. In its place the virus code would be activated. This could do anything: delete certain files, or even format the disk. It all depends on the guy who wrote the virus.
A virus need not capture only the write interrupt; it may also capture others like the timer, the keyboard or even the printer. It is therefore important to know these interrupts and their functions.
INTERACTING WITH THE H/W THRU C
A basic good feature of any programmer worth his salt is that he should never fall short of ideas. He must know more than one way to approach a problem. Therefore, when we set out to interact with the h/w thru C, we must also know which approaches could be used. There are several ways to interact with the h/w. These are as under:
a. Using high-level language functions. (***)
b. Using ROM BIOS functions (routines).
c. Using DOS functions (routines) stored in the files IO.SYS and
d. Directly programming the hardware. (****)
**** You may decide to employ any one of these approaches in your programs, but the one which directly programs the h/w would run fastest. At the same time, this is the one which is most unreliable, the reason being that there are many pitfalls in directly programming the h/w.
For one, you must have a detailed knowledge of the h/w you are trying to program. Secondly, the programs that we write for one type of h/w may not be portable to another computer which has different h/w. So directly programming the h/w can end in a mess only. I have heard that some viruses will destroy our BIOS as well; there is a saying that 's/w cannot destroy the h/w', but I disagree.
While directly programming the h/w you may mess things up to such an extent that the drive goes and sits in some irretrievable position, or worse still, your monitor may blow or a transformer may burn. Yes, believe me!
*** The programs which use high-level language functions to interact with the h/w are no doubt the most reliable, but work very slowly. Moreover, you are limited by what the function has been designed to do. You may feel cramped as a result of this, since in certain cases you may want a function to do one thing for you, whereas the function has not been programmed to do this at all.
So the moral of the story is that the two approaches, directly programming the h/w and using the high-level language functions, are two extremes. The golden mean is to use either the ROM BIOS functions or the DOS functions. Let us examine why this is so.
Armed with the knowledge of registers, interrupts and the IVT, let us now proceed to invoking the ROM BIOS functions. We would be required to perform the following steps to call a ROM BIOS function:
a. Make an interrupt occur (e.g. hit a key on the KB).
b. Find out the number of the interrupt that has occurred.
c. Obtain from the IVT the address of the ISR which services this interrupt.
d. Push the current values of the CPU registers onto the stack.
e. Place new values in the CPU registers as required by the ROM BIOS function being called.
f. Execute the ROM BIOS function.
g. Pop the values from the stack back into the CPU registers.
h. Resume the interrupted task.
Of the above, all steps except (a) and (e) are performed by the microprocessor itself. So our task is just to place the values needed by the ROM BIOS routine into the registers and make a software interrupt occur. As seen earlier, the software interrupt can be caused by using the standard library function int86(), which also manages to place values in the CPU registers as required by the ROM BIOS function.
ANATOMY OF A PARTITION TABLE VIRUS
Assume our PC is contaminated by this virus. For the moment, forget how, or else we'll get into the "which comes first: the chicken or the egg" routine.
Because it resides on the first physical sector of the hard disk, this virus is known as a partition table virus. It is intelligent enough to overwrite only the code, which it has already shifted to head 0, track 0, sector 7, and to leave the data area untouched.
The virus then changes the RAM size in these two locations to reflect 638, because it occupies memory from 640 downwards to 638.
And that's the way the story goes. So what's the big deal, you may ask? We know that the original code has been stored at head 0, track 0, sector 7. So can't we then just copy it back using Norton Utilities or some such program?
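The check a defender would want after the "capturing interrupts" passage and this description of the virus, as an added example that is not code from this site: a portable C scan over a snapshot of the IVT and of the BIOS memory-size word, flagging any interrupt vector whose handler sits in the memory a resident virus hides by lowering the reported size from 640 to 638 KB. The snapshot layout, the memory-size word at 0040:0013 (a BIOS data area location not mentioned on this page) and the sample vector values F000:FEA5, F000:EC59 and 9F80:0000 are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed snapshot: the 1 KB interrupt vector table at 0000:0000 (256
   entries of offset:segment, little-endian) plus the BIOS data area word at
   0040:0013, which holds the size of conventional memory in KB (normally 640). */
typedef struct {
    uint8_t  ivt[1024];
    uint16_t mem_kb;
} MemSnapshot;

static void set_vector(MemSnapshot *m, int n, uint16_t seg, uint16_t off) {
    m->ivt[4*n]   = off & 0xFF;  m->ivt[4*n+1] = off >> 8;
    m->ivt[4*n+2] = seg & 0xFF;  m->ivt[4*n+3] = seg >> 8;
}

static uint32_t vector_linear(const uint8_t *ivt, int n) {
    uint16_t off = ivt[4*n] | (ivt[4*n+1] << 8);
    uint16_t seg = ivt[4*n+2] | (ivt[4*n+3] << 8);
    return ((uint32_t)seg << 4) + off;      /* real-mode linear address */
}

/* Report interrupts whose handler lies between the BIOS-reported top of
   memory and 640 KB (A000:0000). A resident virus that lowers 0040:0013
   (640 -> 638) to hide itself at the top of memory ends up exactly there. */
int find_hidden_vectors(const MemSnapshot *m, int *out, int max) {
    uint32_t top = (uint32_t)m->mem_kb * 1024u, vga = 640u * 1024u;
    int count = 0;
    for (int n = 0; n < 256 && count < max; n++) {
        uint32_t lin = vector_linear(m->ivt, n);
        if (lin >= top && lin < vga) out[count++] = n;
    }
    return count;
}

/* Constructed sample: 'infected' mimics the virus above, hooking the disk
   interrupt 13h at 9F80:0000 after lowering the memory size to 638 KB. */
int demo_hidden_count(int infected, int *first_hit) {
    MemSnapshot m;
    int hits[8], n;
    memset(&m, 0, sizeof m);
    m.mem_kb = infected ? 638 : 640;
    set_vector(&m, 0x08, 0xF000, 0xFEA5);                 /* timer -> ROM */
    set_vector(&m, 0x13, infected ? 0x9F80 : 0xF000, infected ? 0 : 0xEC59);
    n = find_hidden_vectors(&m, hits, 8);
    *first_hit = n ? hits[0] : -1;
    return n;
}
```

On a real DOS machine the same scan would read the snapshot from memory instead of constructing it; a hit on interrupt 13h matches the symptom this page describes, and the 638 KB figure alone is the first thing to compare against the machine's known configuration.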
BACKING UP THE PARTITION TABLE