
I am trying to write a very simple boot code that hooks INT 10 as below:

```nasm
new_int10:
    pushf                       ; push flags so the original handler's iret returns here
    cli
    call far [cs:old_int10]     ; far call through the saved original INT 10h vector
    iret

old_int10: dd 0                 ; original INT 10h vector (offset:segment), saved at install time
```

The code works fine in all cases; however, when I try to boot Windows, the system hangs. I debugged in Bochs and noticed that the OS tries to switch to v8086 mode and then calls INT 10, and with my new INT 10 handler (at address 0x97400) the execution fails (it does not get to the handler, which causes the system to hang; it seems some mapping in protected mode is not correct).

If I don't change INT 10, I can step into the INT 10 handler (the original handler at address 0xC0152).

Am I missing anything?

I already hook INT 15h to register the area of the new handler with E820 type = 2.

Update: I did more debugging and found out that when Windows (it happens only when Windows boots into safe mode) switches to v8086 mode, it sets VME (in CR4) = 1, IOPL = 3 and the program jumps to 0x97400. Unfortunately, the page mapping currently maps this address to another physical address, 0x7dd2000, so the application goes crazy. The address 0xC0000 is still mapped to 0xC0000, which explains why, if we don't change INT 10, Windows can boot.

My question: is there any way to inform the Windows Boot Loader not to remap address 0x97400?

Thanks

user3567728

  • 1) Why do you have that `cli` instruction (without any counterpart) in your handler? Are you sure the system did not modify your handler by rewriting its location with some data? – Martin Drab Oct 26 '16 at 13:31
  • The **iret** instruction will pop the flags from the stack, so the **cli** will not affect the functionality... I just put it there because some reference code did that. I can be sure the system did not modify the code, because before stepping into INT 10 I dump the code at address 0x97400, and it is unchanged. I suspect Windows uses some other info before setting v8086 mode which I may have missed – user3567728 Oct 26 '16 at 14:40

1 Answer


Well, finally I solved the problem.

I have to copy the EBDA from 0x9fc00 to 0x97400 and adjust 0x40e to the new location, 0x97400. Then I relocate my code next to the EBDA and update the EBDA size. Then the code can run.

I guess the Windows Boot Loader tries to map the 640K to a new location, which is 0x7dd2000. Then it copies only the BDA (from 0 to 0x4ff) and the EBDA (from 0x9fc00 to 0xa000) to the new location... so relocating the EBDA and updating the size of the EBDA does the trick.

user3567728
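The relocation the answer describes, written out as an added example in 16-bit NASM (this is not the poster's code). It assumes real mode, a BIOS that stores the EBDA size in KB in the EBDA's first byte, and that 0x97400 upward has already been reserved for the hook (the E820 change from the question); the routine name, `hook_start`/`hook_end` labels and register usage are mine.

```nasm
BITS 16
NEW_EBDA_SEG equ 0x9740          ; linear 0x97400, the address used in the thread
BDA_SEG      equ 0x0040
BDA_EBDA_PTR equ 0x000E          ; word at linear 0x40E: segment of the EBDA
; Copies the EBDA to 0x97400, appends the INT 10h hook right behind it, grows
; the EBDA size byte so the hook is inside the EBDA, then fixes 0x40E and the
; INT 10h vector. Clobbers ax, bx, cx, dx, si, di, ds, es. Call in real mode.
relocate_ebda_and_hook:
    mov ax, BDA_SEG
    mov es, ax
    mov ds, [es:BDA_EBDA_PTR]    ; ds = current EBDA segment (e.g. 0x9FC0)
    movzx bx, byte [ds:0]        ; bx = EBDA size in KB (its first byte)
    mov cx, bx
    shl cx, 9                    ; KB -> words
    mov ax, NEW_EBDA_SEG
    mov es, ax
    xor si, si
    xor di, di
    cld
    rep movsw                    ; copy the EBDA body to 0x97400
    push cs                      ; es:di is just past the copy: append the hook
    pop ds
    mov si, hook_start
    mov cx, hook_end - hook_start
    rep movsb
    mov dx, bx
    shl dx, 6                    ; KB -> paragraphs
    add dx, NEW_EBDA_SEG         ; dx = segment the relocated hook lives in
    add bx, (hook_end - hook_start + 1023) / 1024
    mov [es:0], bl               ; EBDA size now covers the hook as well
    mov ax, BDA_SEG
    mov ds, ax
    mov word [ds:BDA_EBDA_PTR], NEW_EBDA_SEG   ; the 0x40E fix from the answer
    mov es, dx                   ; install: save old vector, point INT 10h at us
    xor ax, ax
    mov ds, ax                   ; ds = 0 -> interrupt vector table
    cli
    mov si, [ds:0x10*4]
    mov di, [ds:0x10*4+2]
    mov [es:old_int10 - hook_start], si
    mov [es:old_int10 - hook_start+2], di
    mov word [ds:0x10*4], new_int10 - hook_start
    mov [ds:0x10*4+2], es
    sti
    ret
hook_start:                      ; copied to offset 0 of its own segment, so
old_int10: dd 0                  ; every reference inside is (label - hook_start)
new_int10:
    pushf                        ; build the frame the BIOS handler's iret expects
    call far [cs:old_int10 - hook_start]
    iret
hook_end:
```

Because the hook is addressed relative to `hook_start` and placed at offset 0 of its own segment, it runs unchanged wherever the EBDA (and the loader's copy of it) ends up.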