Mail Archives: djgpp/2000/01/04/09:13:02

From: ams AT ludd DOT luth DOT se (Martin Str|mberg)
Newsgroups: comp.os.msdos.djgpp
Subject: The endless int31 hooking debugging continued
Date: 4 Jan 2000 10:36:30 GMT
Organization: University of Lulea, Sweden
Lines: 152
Message-ID: <84sife$ral$1@news.luth.se>
NNTP-Posting-Host: queeg.ludd.luth.se
X-Trace: news.luth.se 946982190 27989 130.240.16.109 (4 Jan 2000 10:36:30 GMT)
X-Complaints-To: abuse AT luth DOT se
NNTP-Posting-Date: 4 Jan 2000 10:36:30 GMT
X-Newsreader: TIN [UNIX 1.3 950824BETA PL0]
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

I must be doing something wrong but I can't figure out what.

When I run the program last in this mail in plain DOZE I get this
crash dump (yes, it's all of it, only three lines):
F:\HACKERY\DPMI_SEL>simple6
got interrupt vector
General Protection Fault at eip=2407; flags=3016
eax=0000000d ebx=000000af ecx=0001465e edx=00014418 esi=00002548 edi=00002540
ebp=0000000d esp=0001ae14 cs=a7 ds=af es=af fs=8f gs=bf ss=af error=0000

When run in WINDOZE 4.1 (98) I get the "This program has performed an
illegal op..." blurb saying "Fault Location: 0028:C0001FE7
Faulting component: VMM(01) + 00000FE7
Interrupts in service: None"

Other similar versions of this program have managed to reboot the PC
when run in WINDOZE - you have been warned.

When I disassemble the code around EIP 2407 (with "objdump -D
simple6.exe") I find this:
000023cb <stack_ok>:
    23cb:       66 8e c0        movw   %ax,%es
    23ce:       89 de           movl   %ebx,%esi
    23d0:       8b 7d 1c        movl   0x1c(%ebp),%edi
    23d3:       83 ef 5c        subl   $0x5c,%edi
    23d6:       89 7d 1c        movl   %edi,0x1c(%ebp)
    23d9:       89 3d e8 24 00  movl   %edi,0x24e8
    23de:       00
    23df:       b9 10 00 00 00  movl   $0x10,%ecx
    23e4:       fc              cld
    23e5:       f3 a5           repz movsl %ds:(%esi),%es:(%edi)
    23e7:       8b 43 00        movl   0x0(%ebx),%eax
    23ea:       8b 73 10        movl   0x10(%ebx),%esi
    23ed:       8b 7b 14        movl   0x14(%ebx),%edi
    23f0:       8b 4b 08        movl   0x8(%ebx),%ecx
    23f3:       66 8e 43 2c     movw   0x2c(%ebx),%es
    23f7:       5d              popl   %ebp
    23f8:       ff 73 04        pushl  0x4(%ebx)
    23fb:       ff 73 2a        pushl  0x2a(%ebx)
    23fe:       c6 05 be 24 00  movb   $0x0,0x24be
    2403:       00 00
    2405:       1f              popl   %ds
    2406:       5b              popl   %ebx
    2407:       cb              lret

00002408 <limitFix>:
    2408:       50              pushl  %eax
    2409:       51              pushl  %ecx
    240a:       52              pushl  %edx
    240b:       2e 8b 1d ca 24  movl   %cs:0x24ca,%ebx


This is with gcc version 2.81 and a recent (~1 week old) CVS snapshot of djdev.

Any ideas how to proceed?


Right,

							MartinS

------ Start of simple6.c. -----
#include <dpmi.h>
#include <go32.h>
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <crt0.h>

/* Lock the program's code and data as they are allocated.  The handler
   below runs in interrupt context, so presumably this is meant to keep it
   and everything it touches resident -- confirm against <crt0.h>.  */
int _crt0_startup_flags = _CRT0_FLAG_LOCK_MEMORY;

/* old_addr: the INT 31h vector found at startup, which the handler chains
   to with the ljmp below.  new_addr: the vector installed in its place
   (this program's CS plus the offset of handler).  old_addr must be a
   real memory object because the handler jumps through it directly.  */
__dpmi_paddr old_addr, new_addr;

/* Both symbols are defined by the inline assembly below; the prototypes
   only let C code take their addresses (main stores handler into
   new_addr).  */
void handler (void);
void handler_end (void);

/* Text written to the console on every pass through the handler.  */
char chain_str[] = "Chaining.\n\r";

/* INT 31h hook.  Each invocation saves eax/ecx/edx, prints chain_str with
   cputs, restores the three registers and far-jumps to the saved vector.
   NOTE(review): this is a bare handler, not one wrapped by the
   _go32_dpmi_* helpers.  Points to confirm before trusting it:
   - segment registers and flags are not saved and no DS is loaded; the
     program's DS is simply assumed to be current when chain_str is pushed
     and cputs runs;
   - cputs is not written for interrupt context, and if it issues any DPMI
     service itself (i.e. an INT 31h) that call re-enters this handler --
     a plausible route to the stack exhaustion / GPF described in the mail;
   - "ljmp _old_addr" is intended as an indirect far jump through old_addr
     (offset then selector); the usual AT&T spelling is "ljmp *_old_addr",
     so check what the assembler in use actually emits for this form.
   The string literal spanning several lines is a GCC 2.x extension;
   newer compilers need each line as a separate "..." piece ending in
   \n.  */
__asm__ (".globl _handler
_handler:

/* Jump to previous handler. */
chain:
        pushl %eax
        pushl %ecx
        pushl %edx
        pushl $_chain_str
        call _cputs
        addl $4, %esp
        popl %edx
        popl %ecx
        popl %eax

        ljmp _old_addr

        .globl _handler_end
_handler_end:
        nop");

/* Hook INT 31h with the assembly handler above, make one DPMI request
   (allocate and free an LDT descriptor) -- presumably so the hook is
   exercised at least once -- then put the original vector back before
   returning.
   Returns EXIT_SUCCESS; calls exit (EXIT_FAILURE) if the original vector
   cannot be read or the hook cannot be installed.  */
int
main (void)
{
  __dpmi_paddr current;
  int ldt_sel;

  /* Remember where INT 31h pointed before we touch it; the handler
     chains to this address.  */
  if (__dpmi_get_protected_mode_interrupt_vector (0x31, &old_addr) != 0)
    {
      fputs ("can not get interrupt\n", stderr);
      exit (EXIT_FAILURE);
    }
  puts ("got interrupt vector");

  /* The hook lives in this program's own code segment.  */
  new_addr.selector = _my_cs ();
  new_addr.offset32 = (unsigned long) handler;
  if (__dpmi_set_protected_mode_interrupt_vector (0x31, &new_addr) != 0)
    {
      fputs ("can not set interrupt\n", stderr);
      exit (EXIT_FAILURE);
    }
  puts ("set interrupt vector");

  /* A failed allocation is reported but is not fatal: the hook still has
     to be removed below.  */
  ldt_sel = __dpmi_allocate_ldt_descriptors (1);
  if (ldt_sel != -1)
    __dpmi_free_ldt_descriptor (ldt_sel);
  else
    fputs ("can not allocate selector\n", stderr);
  puts ("allocated LDT descriptor?");

  /* Restore only while the vector still points at our handler, and keep
     retrying otherwise: returning with the hook installed would leave
     INT 31h pointing into a program that no longer exists.  Note that
     this loop never gives up; system ("") presumably just serves as a
     pause between attempts -- confirm.  */
  for (;;)
    {
      int ours = __dpmi_get_protected_mode_interrupt_vector (0x31, &current) == 0
                 && current.selector == new_addr.selector
                 && current.offset32 == new_addr.offset32;

      if (ours
          && __dpmi_set_protected_mode_interrupt_vector (0x31, &old_addr) == 0)
        break;

      fputs ("can not restore interrupt\n", stderr);
      system ("");
    }
  puts ("restored interrupt vector");

  return EXIT_SUCCESS;
}

/*
   Local Variables:
   compile-command: "gcc -g -O2 -Wall -o simple6 simple6.c"
   End:
   */

------ End of simple6.c. -----


