5

I'm reading the PnP BIOS specification and stumbled across the following paragraph:

Actively monitor the INT 19h bootstrap vector

The current System BIOS Architecture allows option ROMs to hook INT 19h indiscriminately. By actively monitoring control of INT 19h, the System BIOS may regain control of the Bootstrap process to ensure that the Operating System is loaded from the proper device and in the proper manner.

On line 3, the possibility to "hook" an interrupt is mentioned. As far as I could find out, it means to monitor the issuance of an interrupt like calling a special notification function in every ISR to let the OS keep track of fired interrupts. Is that correct?
What does it mean?

cadaniluk
  • 15,027
  • 2
  • 39
  • 67

2 Answers2

4

When interrupts are fired in real mode, the CPU transfers execution to the handler for that interrupt, which is specified in the Interrupt Vector Table.

To hook an interrupt in this context means to change the address at entry 19h in the Interrupt Vector Table to point to another address of their choice. Then, when interrupt 19h is fired, it would execute their own routine starting at that address, which would likely also transfer control back to the original 19h interrupt handler before returning.

Assuming the interrupt handler is located in RAM, another approach to hooking would be to place an inline hook within the handler for interrupt 19h. That is, one could leave the address of the interrupt handler alone, but replace one of the instructions in the handler with a jmp (or call) to their own routine. It is unclear in this context if they also monitor for this type of hooking.

Edit: After skimming through the document, it appears that the first style of hooking is what they were talking about.

... If the IPL device is known to the system BIOS, then ensure that interrupt 19h is still controlled by the system BIOS. If not, recapture interrupt 19h and save the vector ...

... If the operating system fails to load and a previous ISA option ROM had control of the interrupt 19h vector, then restore the interrupt 19h vector to the ISA option ROM and re-execute the Interrupt 19h bootstrap loader ...

So, basically at a specific part of the boot process, they check to see if an option ROM has modified the handler for interrupt 19h. If it is modified, they save the address of the new handler (which they may choose to run later) and put the original handler back into the IVT.

user1354557
  • 2,413
  • 19
  • 29
4

Yes, "hooking" means having your code run when that interrupt fires, but then jumping to handler you replaced when your function is done. So instead of taking over the interrupt completely, you've added your function to the head of a chain of handlers.

Imagine the IDT as a global array of function pointers. In C, it would be like:

extern void (*IDT[256])(void );

static void (*old_handler)(void);
void my_handler(void) {
    // do stuff ..., then:
    old_handler();
}  // tail-call optimized to a jmp

void install_handler(int irq) {
    old_handler = IDT[irq];
    IDT[irq] = my_handler;
}
void uninstall_handler(int irq) {   // Don't forget this part when you unload your code
    IDT[irq] = old_handler;
}

This compiles to exactly the kind of code you'd use to hook the real IDT.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847