Real mode int from protected mode and back



Here is the bomb:
I don't have any experience in protected mode programming, but some in real mode.
I have to intercept hardware instructions (in, out) from a protected mode program (I don't know what DPMI server, or if there should be one). Well, my idea was to find the 'outportb' and 'inportb' functions in the program (on its exe, I don't have the sources) and hack it to generate an int 61h which I wrote. This int should check to see if the out or in port is between 780h and 785h and, if so, write the data to a file and issue the out or in command. Here is the disassembly of the main program code, already patched:

.text:000CF2B8 pusha                            ; Function entrance is 000CF2F0 down there
.text:000CF2B9 mov bp, ax                       ; I need to save ax as argument to the int... I really don't know if I could do this
.text:000CF2BC mov ax, word ptr ds:dword_BAF64  ; this BAF64 was taken from other calls to int 31h 300h in the code
.text:000CF2C2 db 66h
.text:000CF2C2 mov es, ax
.text:000CF2C5 db 66h
.text:000CF2C5 mov ss, ax
.text:000CF2C8 mov ebx, 61h
.text:000CF2CD mov ecx, 0
.text:000CF2D2 mov edi, offset word_118F10      ; also taken from the code
.text:000CF2D7 mov ax, 300h
.text:000CF2DB int 31h                          ; DPMI Services ax=func xxxxh
.text:000CF2DB                                  ; SIMULATE REAL MODE INTERRUPT
.text:000CF2DB                                  ; BL=interrupt number
.text:000CF2DB                                  ; CX=number of words to copy from protected mode to real mode stack
.text:000CF2DB                                  ; ES:DI / ES:EDI = selector:offset of real mode call structure
.text:000CF2DB                                  ; Return: CF set on error
.text:000CF2DB                                  ; CF clear if ok
.text:000CF2DD popa
.text:000CF2DE jmp short loc_CF2FB
.text:000CF2DE ; END OF FUNCTION CHUNK FOR sub_CF2F0
.text:000CF2DE ; ---------------------------------------------------------------------------
.text:000CF2E0 dd 0C588901h, 9D1C408Bh, 5D5B5E5Fh, 768DC3h
.text:000CF2F0
.text:000CF2F0 ; ||||||||||||||| S U B R O U T I N E |||||||||||||||||||||||||||||||||||||||
.text:000CF2F0
.text:000CF2F0 ; Attributes: bp-based frame
.text:000CF2F0
.text:000CF2F0 sub_CF2F0 proc near              ; CODE XREF: sub_C4AD0 j
.text:000CF2F0
.text:000CF2F0 arg_0 = dword ptr 8
.text:000CF2F0 arg_4 = dword ptr 0Ch
.text:000CF2F0
.text:000CF2F0 ; FUNCTION CHUNK AT .text:000CF2B8 SIZE 00000028 BYTES
.text:000CF2F0 ; FUNCTION CHUNK AT .text:000CF2FB SIZE 00000004 BYTES
.text:000CF2F0
.text:000CF2F0 push ebp                         ; Function Outportb
.text:000CF2F1 mov ebp, esp
.text:000CF2F3 mov edx, [ebp+arg_0]
.text:000CF2F6 mov eax, [ebp+arg_4]             ; original code till here
.text:000CF2F9 jmp short loc_CF2B8              ; added a JMP to get some space up there
.text:000CF2F9 sub_CF2F0 endp
.text:000CF2F9
.text:000CF2FB ; ---------------------------------------------------------------------------
.text:000CF2FB ; START OF FUNCTION CHUNK FOR sub_CF2F0
.text:000CF2FB
.text:000CF2FB loc_CF2FB:                       ; CODE XREF: sub_CF2F0-12 j
.text:000CF2FB mov esp, ebp                     ; original code again
.text:000CF2FD pop ebp
.text:000CF2FE retn
.text:000CF2FE ; END OF FUNCTION CHUNK FOR sub_CF2F0


And here is my ISR code:


#include <dos.h>
#include <stdio.h>

/* Borland C real-mode ISR for int 61h. The caller's registers are read
 * through the interrupt-function parameter list (the order is fixed by the
 * Borland prologue: bp, di, si, ds, es, dx, cx, bx, ax); reading the
 * pseudo-registers _AL/_DX here is unreliable because the prologue reloads
 * AX while setting up DS. */
void interrupt int61(unsigned bp, unsigned di, unsigned si, unsigned ds,
                     unsigned es, unsigned dx, unsigned cx, unsigned bx,
                     unsigned ax)
{
    FILE *f;
    unsigned vdx = dx;              /* port number */
    unsigned char val = ax & 0xFF;  /* byte to write (AL) */

    disable();                      /* added for testing */

    /* Only the ports of interest, 780h..785h, are logged. */
    if (vdx >= 0x780 && vdx <= 0x785)
    {
        /* File I/O from an ISR is not reentrant with DOS (InDOS flag). */
        f = fopen("c:\\log.txt", "a+b");
        if (f != NULL)
        {
            fprintf(f, "%X => %X\n", vdx, val);
            fclose(f);
        }
    }

    outportb(vdx, val);             /* perform the original out */
    enable();
}

void main(void)
{
    union REGS regs;

    setvect(0x61, int61);           /* install the handler on int 61h */
    regs.x.ax = 0x3100;             /* DOS function 31h: terminate and stay resident */
    regs.x.dx = 0x1000;             /* paragraphs to keep resident */
    intdos(&regs, &regs);
}


What happens when I run the program is that for some time the program runs OK, then an exception occurs:


Page fault at eip=000f7250, error=0006
..................
..................


And there's no writing to the file, but probably because of InDOS, or the critical flag... I'll solve that later.
Running in MS-DOS.

Anyway, could anyone just tell me what I am doing wrong at the int call?


Thanks in advance,
Pedro
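The real-mode call structure that DPMI function 0300h expects at ES:EDI, as an added example (not Pedro's code and not from any DPMI host): the caller packs the register image the real-mode handler will see, and a constructed stand-in for the host plus handler unpacks it and applies the same 780h..785h filter as the ISR. Field offsets follow the DPMI 0.9 specification; everything else is assumed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Real-mode call structure for int 31h, AX=0300h (DPMI 0.9 spec, 32h bytes).
 * Layout: EDI 00h, ESI 04h, EBP 08h, reserved 0Ch, EBX 10h, EDX 14h, ECX 18h,
 * EAX 1Ch, flags 20h, ES 22h, DS 24h, FS 26h, GS 28h, IP 2Ah, CS 2Ch, SP 2Eh,
 * SS 30h. The host loads these into the real-mode registers, invokes the
 * handler from the IVT entry selected by BL, and writes the registers back. */
#define RMCS_SIZE 0x32
#define RMCS_EDX  0x14   /* port number in DX */
#define RMCS_EAX  0x1C   /* byte to write in AL */

static void put32(uint8_t *b, int off, uint32_t v)   /* little-endian store */
{
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}

static uint32_t get32(const uint8_t *b, int off)     /* little-endian load */
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | b[off + i];
    return v;
}

/* Caller side: register image for "out dx, al" handed to the int 61h handler.
 * SS:SP left at 0 asks the host to supply a real-mode stack; CS:IP are not
 * used by function 0300h because the vector comes from the IVT. */
void build_rmcs_int61(uint8_t *rmcs, uint16_t port, uint8_t val)
{
    memset(rmcs, 0, RMCS_SIZE);
    put32(rmcs, RMCS_EDX, port);
    put32(rmcs, RMCS_EAX, val);
}

/* Same filter the ISR applies: only ports 780h..785h are logged. */
bool port_is_logged(uint16_t port) { return port >= 0x780 && port <= 0x785; }

/* Constructed stand-in for host + handler: decode DX/AL from the structure
 * exactly as the real-mode ISR would see them; returns the decoded port. */
uint16_t dispatch_rmcs(const uint8_t *rmcs, uint8_t *val_out, bool *logged)
{
    uint16_t port = (uint16_t)get32(rmcs, RMCS_EDX);
    *val_out = (uint8_t)get32(rmcs, RMCS_EAX);
    *logged = port_is_logged(port);
    return port;
}

/* Round trip: 1 = logged, 0 = passed through unlogged, -1 = decode mismatch. */
int simulate_out(uint16_t port, uint8_t val)
{
    uint8_t rmcs[RMCS_SIZE], v; bool logged;
    build_rmcs_int61(rmcs, port, val);
    if (dispatch_rmcs(rmcs, &v, &logged) != port || v != val) return -1;
    return logged ? 1 : 0;
}
```

In the patched code above, EDI is pointed at word_118F10 but nothing writes DX and AL into that memory first, which is the step this block performs.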




