Hello all,
WIN95SPY.BAS is one of the craziest, most sophisticated programs I have
written:
*WIN95 is run as a SHELL of my PowerBASIC program WIN95SPY.EXE*
the PB-EXE is used as a SPY to log several WIN95 interrupts;
when WIN95 is shut down, my PB-EXE writes the results to a file.
The idea was taken from the American book:
Andrew Schulman: "Unauthorized Windows 95"
My motivation:
To show ultimate possibilities of the PB compiler. Thus:
*I dedicate WIN95SPY.BAS to BOB ZALE*
The subject:
When introducing WINDOWS 95, Microsoft tried to make the world
believe that one can now forget the slow 16 bit DOS world.
However, Andrew Schulman discusses that, even with pure 32 bit
applications, the kernel of WINDOWS 95 uses many more 16 bit
services than Microsoft is willing to confess. - My spy program in
PB proves this.
The function principle:
1) the following switches in the ASCII file MSDOS.SYS have to be
changed as a precondition:
BootGUI=0 no automatic start of WIN95
Logo=0 no use of the WIN95 logo
Network=0 no network embedding
The files CONFIG.SYS and AUTOEXEC.BAT are used. MS-DOS 7.0 is
started in pure real mode (no EMM386 !!) and WIN95 would have
to be started similarly to old WIN 3.x, e.g. by
CD C:\WINDOWS
WIN
at the end of AUTOEXEC.BAT
2) To activate my spy program the last 2 lines are now
CD C:\WINDOWS
C:\PB32\EXE\WIN95SPY.EXE -w -d -f WIN
WIN95SPY now hooks its own Interrupt Service Routines to some
DOS interrupts expected to be used by WIN95, then shells to
the DOS prompt (still in pure real mode) and starts WINDOWS 95.
3) The complete WINDOWS 95 operating system has no problems
cooperating with the PowerBASIC-EXE "under its feet" !!!
3 applications are run:
- the Explorer (a pure 32 bit program) to copy a file
- Winword 7 (a pure 32 bit program) to open/edit/save a file
- in a DOS-window the IDE of PB3.2 (a 16 bit DOS program)
During all that my PB-EXE registers the WIN95 calls to all
functions of the interrupts &H21 and &H2F. Additionally the
timer IRQs (&H08) are registered.
4) when WIN95 is shut down, the SHELL state of the PB-EXE terminates
and the PB program can write the results of its observations to
C:\WINDOWS\WIN95SPY.LOG
5) after the next boot the above file can be evaluated. It shows e.g.
------------------------------------------------------------------------------
Results of WIN95SPY:
Timer Ticks: 2336 Tick-Secs: 128.31 - PB-Secs: 133.96
Before the start of WIN95: INT21 Calls: 138 - in V86-mode: 0
INT2F Calls: 47 - in V86-mode: 0
During WIN95 starts: INT21 Calls: 1195 - in V86-mode: 632
INT2F Calls: 273 - in V86-mode: 156
During WIN95 runs: INT21 Calls: 26367 - in V86-mode: 26367
INT2F Calls: 150568 - in V86-mode: 150568
During WIN95 ends: INT21 Calls: 5 - in V86-mode: 3
INT2F Calls: 3 - in V86-mode: 2
After the end of WIN95: INT21 Calls: 116 - in V86-mode: 0
INT2F Calls: 23 - in V86-mode: 0
During WIN95 ran ( 115.0139 Seconds):
21-IOPL 2 - 26367
2F-IOPL 2 - 150568
21-VM No 1 - 3022
2F-VM No 1 - 133136
21-VM No 2 - 17801
2F-VM No 2 - 17164
21-VM No 3 - 5544
2F-VM No 3 - 268
During WIN95 ran, details of INT 21:
02: 144    06: 1      08: 18     0B: 17142  0C: 3      0D:
0E: 28     11: 3      12: 78     14: 1      19: 57     1A:
25: 16     29: 19     2A: 76     2C: 1561   2F: 1      30: 4
33: 7      34: 1      35: 3      36: 1      38: 5      3B:
3E: 478    40: 354    44: 41     48: 13     49: 5      4A: 0
4B: 3      4C: 13     4D: 4      4E: 258    4F: 5122   50: 07
51: 4      52: 1      55: 10     57: 30     58: 9      59:
5D: 6      62: 1      63: 1      65: 2      DC: 1      EA:
During WIN95 ran, details of INT 2F:
11: 304    12: 17     16: 150231 43: 2      48: 3      4A:
55: 1      AE: 4      B7: 3      FE: 1
(remark: the PB source contains German text; I translated the file above)
------------------------------------------------------------------------------
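Step 5 says the log file is evaluated after the next boot. The following is an added Python example (not part of the original post or of WIN95SPY.BAS): a small parser for the WIN95SPY.LOG layout quoted above that reads the per-phase call counters and the AH-subfunction tables, computes the share of calls made in V86 mode per phase, and ranks the most frequently used subfunctions. The embedded sample log is constructed from the numbers in the post (shortened to a few detail entries); the subfunction names are the standard DOS INT 21h / INT 2Fh function names and are not taken from the log.

```python
import re

# Constructed sample: the phase-summary lines and a subset of the subfunction
# detail lines of a WIN95SPY.LOG, numbers copied from the log in the post.
SAMPLE_LOG = """\
Results of WIN95SPY:
Timer Ticks: 2336 Tick-Secs: 128.31 - PB-Secs: 133.96
Before the start of WIN95: INT21 Calls: 138 - in V86-mode: 0
INT2F Calls: 47 - in V86-mode: 0
During WIN95 starts: INT21 Calls: 1195 - in V86-mode: 632
INT2F Calls: 273 - in V86-mode: 156
During WIN95 runs: INT21 Calls: 26367 - in V86-mode: 26367
INT2F Calls: 150568 - in V86-mode: 150568
During WIN95 ends: INT21 Calls: 5 - in V86-mode: 3
INT2F Calls: 3 - in V86-mode: 2
After the end of WIN95: INT21 Calls: 116 - in V86-mode: 0
INT2F Calls: 23 - in V86-mode: 0
During WIN95 ran ( 115.0139 Seconds):
21-IOPL 2 - 26367
During WIN95 ran, details of INT 21:
02: 144 06: 1 08: 18 0B: 17142 0C: 3 0D:
2C: 1561 3E: 478 40: 354 4E: 258 4F: 5122 50: 07
During WIN95 ran, details of INT 2F:
11: 304 12: 17 16: 150231 43: 2 48: 3 4A:
"""

# "<phase>: INT21 Calls: N - in V86-mode: M"; the phase prefix is only on the
# first line of each pair, the INT2F line inherits it.
PHASE_RE = re.compile(r'(?:(.+?): )?INT(21|2F) Calls: (\d+) - in V86-mode: (\d+)')
DETAIL_RE = re.compile(r'During WIN95 ran, details of INT (21|2F):')
PAIR_RE = re.compile(r'([0-9A-F]{2}): (\d+)')   # "AH: count"; a bare "0D:" has no count and is skipped

# Standard DOS function names for the subfunctions that dominate the log.
INT21_NAMES = {0x02: 'write char to stdout', 0x06: 'direct console I/O',
               0x08: 'read char without echo', 0x0B: 'get stdin status',
               0x0C: 'flush buffer and read', 0x2A: 'get date', 0x2C: 'get time',
               0x3E: 'close file', 0x40: 'write file', 0x44: 'IOCTL',
               0x4E: 'find first', 0x4F: 'find next', 0x50: 'set PSP'}
INT2F_NAMES = {0x11: 'network redirector', 0x12: 'DOS internal',
               0x16: 'Windows/DPMI hook', 0x43: 'XMS driver', 0x48: 'DOSKEY'}


def parse_log(text):
    """Return {'phases': {phase: {'21': (calls, v86), '2F': ...}},
               'details': {'21': {AH: count}, '2F': {AH: count}}}."""
    phases = {}
    details = {'21': {}, '2F': {}}
    phase = None
    detail_int = None
    for line in text.splitlines():
        m = DETAIL_RE.match(line)
        if m:                      # header of a subfunction table: switch table
            detail_int = m.group(1)
            continue
        if detail_int:             # inside a table: collect "AH: count" pairs
            for ah, count in PAIR_RE.findall(line):
                details[detail_int][int(ah, 16)] = int(count)
            continue
        m = PHASE_RE.match(line)
        if m:
            if m.group(1):
                phase = m.group(1)
            phases.setdefault(phase, {})[m.group(2)] = (int(m.group(3)), int(m.group(4)))
    return {'phases': phases, 'details': details}


def v86_share(parsed, phase, intno):
    """Fraction of the calls in a phase that the spy saw in V86 (protected) mode."""
    calls, v86 = parsed['phases'][phase][intno]
    return v86 / calls if calls else 0.0


def top_functions(parsed, intno, n=3):
    """The n most-called AH subfunctions of INT 21h ('21') or INT 2Fh ('2F')."""
    names = INT21_NAMES if intno == '21' else INT2F_NAMES
    ranked = sorted(parsed['details'][intno].items(), key=lambda kv: -kv[1])
    return [(ah, count, names.get(ah, 'unknown')) for ah, count in ranked[:n]]


def summary(parsed):
    """One line per phase and interrupt with the V86 share, for a quick read."""
    lines = []
    for phase, ints in parsed['phases'].items():
        for intno, (calls, v86) in sorted(ints.items()):
            pct = 100.0 * v86 / calls if calls else 0.0
            lines.append(f"{phase:26s} INT{intno}: {calls:7d} calls, {pct:5.1f}% in V86 mode")
    return lines


if __name__ == '__main__':
    parsed = parse_log(SAMPLE_LOG)
    print('\n'.join(summary(parsed)))
    print('INT 21h top:', top_functions(parsed, '21'))
    print('INT 2Fh top:', top_functions(parsed, '2F'))
```

On the sample this reports 0% V86 before and after Windows, 100% during the run phase, and INT 21h AH=0Bh (stdin status polling) and AH=4Fh (find next) as the busiest DOS services, which is the point the post makes from the raw table.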
6) Discussion:
- in general: WIN95 always starts in real mode. Even if EMM386
was used and had started V86 mode, Windows exports the V86
descriptor tables and switches back to real mode; only then does
Windows really start. For this reason we excluded EMM386 explicitly.
- 1. group: the timer ticks report the duration of the observation
- 2. group: when starting and finishing, WIN95 sends certain &H2F
broadcasts to all programs linked into the INT &H2F chain and
hence to WIN95SPY, too. By this the PB-EXE is well informed
about what's going on.
- 2. group: with every &H21 and &H2F interrupt that appears, the
spy program checks the processor mode (real / V86 == protected).
One can see: while WIN95 is operative, all the MS-DOS services
are switched from real to protected mode, and when WIN95
terminates, real mode is resumed.
- 3. group: here 2 features are reported: 1. the protected mode
privilege level of the CPU (3 = highest, 0 = lowest) of each
interrupt and 2. the VM (virtual machine) number (1 = Win kernel,
others = different tasks or a DOS machine) which issued
the interrupt.
- 4. group: details the &H21 interrupts according to AH-subfunctions
- 5. group: details the &H2F interrupts according to AH-subfunctions
The results of groups 3 to 5 refer ONLY to the run phase of WIN 95
(i.e. only 115 seconds).
And one can easily see that the good old DOS INT 21 is still used
a great deal by WIN95 - this is excellently discussed in much
more detail in Andrew Schulman's book "Unauthorized Windows 95".
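Steps 2 to 4 and groups 2 to 4 of the discussion describe the accounting the hooked ISRs do: a phase that advances on the Windows broadcasts, a real/V86 check on every interrupt, and per-subfunction and per-VM counts during the run phase. The following is an added Python model of that bookkeeping (not the PowerBASIC code of WIN95SPY.BAS, which is in the next two mails). It assumes, which the post does not state, that the mode check reads the PE bit of the machine status word (what SMSW returns), that the phase boundaries are the documented INT 2Fh broadcasts AX=1605h/1608h/1609h/1606h, and that the VM number comes from the Windows service INT 2Fh AX=1683h; the event sequence fed in is constructed and much shorter than a real session.

```python
from collections import Counter
from dataclasses import dataclass, field

# Windows notifications carried on INT 2Fh; the spy sees them because it sits in
# the INT 2Fh chain, and uses them to delimit its phases (assumed mechanism).
WIN_INIT_BEGIN = 0x1605   # Windows initialization notification
WIN_INIT_DONE = 0x1608    # Windows initialization complete
WIN_EXIT_BEGIN = 0x1609   # Windows begin exit
WIN_EXIT_DONE = 0x1606    # Windows exit notification
WIN_GET_VM_ID = 0x1683    # get current virtual machine ID (returned in BX)

CR0_PE = 0x0001           # Protection Enable bit of the machine status word (SMSW)

PHASES = ["before start", "during start", "during run", "during end", "after end"]
TRANSITIONS = {
    WIN_INIT_BEGIN: ("before start", "during start"),
    WIN_INIT_DONE: ("during start", "during run"),
    WIN_EXIT_BEGIN: ("during run", "during end"),
    WIN_EXIT_DONE: ("during end", "after end"),
}


@dataclass
class IntEvent:
    """Constructed snapshot of what a hooked ISR can observe on one interrupt."""
    intno: int       # 0x21 or 0x2F
    ax: int          # AX at entry; AH selects the DOS/Windows subfunction
    msw: int         # value SMSW returns; PE set = CPU in protected (here V86) mode
    vm_id: int = 0   # VM that issued the call (1 = system VM), 0 when unknown


@dataclass
class SpyState:
    phase: str = PHASES[0]
    calls: Counter = field(default_factory=Counter)   # (phase, intno) -> calls seen
    v86: Counter = field(default_factory=Counter)     # (phase, intno) -> of those, in V86 mode
    by_ah: Counter = field(default_factory=Counter)   # (intno, AH) -> calls in the run phase
    by_vm: Counter = field(default_factory=Counter)   # (intno, vm_id) -> calls in the run phase


def is_v86(msw):
    """Real mode has PE clear; once Win95's VMM runs, DOS code executes in V86 mode."""
    return bool(msw & CR0_PE)


def on_interrupt(state, ev):
    """Account one interrupt as the spy's ISR would (chaining to the old vector
    is not modelled), then advance the phase if it was a Windows broadcast."""
    key = (state.phase, ev.intno)
    state.calls[key] += 1
    if is_v86(ev.msw):
        state.v86[key] += 1
    if state.phase == "during run":           # groups 3 to 5 only cover the run phase
        state.by_ah[(ev.intno, ev.ax >> 8)] += 1
        state.by_vm[(ev.intno, ev.vm_id)] += 1
    if ev.intno == 0x2F and ev.ax in TRANSITIONS:
        expected, nxt = TRANSITIONS[ev.ax]
        if state.phase == expected:           # ignore out-of-order or repeated broadcasts
            state.phase = nxt
    return state.phase


def report(state):
    """Render the per-phase lines in the layout of WIN95SPY.LOG."""
    lines = []
    for phase in PHASES:
        for intno in (0x21, 0x2F):
            lines.append(f"{phase}: INT{intno:02X} Calls: {state.calls[(phase, intno)]}"
                         f" - in V86-mode: {state.v86[(phase, intno)]}")
    return lines


def run_sample():
    """Feed a constructed, shortened session through the accounting."""
    events = [
        IntEvent(0x21, 0x3000, 0),                  # DOS version query, real mode, before WIN
        IntEvent(0x21, 0x2500, 0),                  # set vector: the spy installs its hook
        IntEvent(0x2F, WIN_INIT_BEGIN, 0),          # Windows announces startup
        IntEvent(0x21, 0x3500, 0),                  # get vector, still real mode
        IntEvent(0x21, 0x4800, CR0_PE, 1),          # allocate memory, already V86, system VM
        IntEvent(0x2F, WIN_INIT_DONE, CR0_PE, 1),   # initialization complete
        IntEvent(0x21, 0x0B00, CR0_PE, 2),          # stdin status polled from a DOS box (VM 2)
        IntEvent(0x21, 0x0B00, CR0_PE, 2),
        IntEvent(0x21, 0x0B00, CR0_PE, 2),
        IntEvent(0x21, 0x4E00, CR0_PE, 1),          # find first, issued by the system VM
        IntEvent(0x2F, WIN_GET_VM_ID, CR0_PE, 1),   # a 16xx Windows hook call
        IntEvent(0x2F, WIN_EXIT_BEGIN, CR0_PE, 1),  # Windows begins to exit
        IntEvent(0x21, 0x4C00, CR0_PE, 1),          # terminate, still protected
        IntEvent(0x2F, WIN_EXIT_DONE, 0),           # exit complete, back in real mode
        IntEvent(0x21, 0x3000, 0),                  # real mode again, after WIN
    ]
    state = SpyState()
    for ev in events:
        on_interrupt(state, ev)
    return state


if __name__ == '__main__':
    print('\n'.join(report(run_sample())))
```

The broadcast that ends a phase is counted in the phase it ends, and a broadcast arriving out of order is counted but does not move the phase; both are choices of this model, the original program may do otherwise.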
Final remark:
The next 2 mails contain the complete source code of the spy program.
Unfortunately I commented the source of my WIN95SPY.BAS in German
and at the moment do not find the time to translate it.
However, experienced programmers will understand the statements
and functions, and the operating mechanisms involved.
Attention *Bob Zale*:
as I dedicated WIN95SPY to you, I offer to translate the source
file at a later time, if you are interested. - Give me a note.
Ciao
Andras
--- CrossPoint v3.11 R
* Origin: Fido Point of Disillusion (2:2480/13.34)