Author Topic: Wondered if this code still works under XP  (Read 6138 times)

Magnum

  • Member
  • *****
  • Posts: 2354
Wondered if this code still works under XP
« on: January 27, 2013, 02:03:51 PM »
This makes a memory dump, forgot what it does ??

Is the dump simulated and if not, can the whole RAM be dumped ?

Code: [Select]
;-------------------------------------------------1996 Andrew Kennedy---------
; dumpmem.asm  Dump first meg of memory to a file
;              Works thru Win XP

.model tiny                             
.code

org 100h

start:
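             xor          cx,cx             ; CX = 0: normal file attributes
             mov          dx,offset m       ; DS:DX -> ASCIIZ file name
             mov          ah,3ch            ; DOS function 3Ch: create/truncate file
             int          21h
             xchg         ax,bx             ; BX = file handle returned in AX
             mov          ch,80h            ; CX = 8000h: write 32 KB per call
             xor          dx,dx             ; buffer offset 0
             xor          si,si             ; start at segment 0000h
mark:
             mov          ds,si             ; DS:DX = SI:0000, the next 32 KB block
             mov          ah,40h            ; DOS function 40h: write CX bytes to handle BX
             int          21h
             add          si,800h           ; advance 800h paragraphs (32 KB)
             jnb          mark              ; repeat until SI wraps past FFFFh (1 MB written)
             int          20h               ; terminate the program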

m            db           '1stMgRam.txt',0

end          start

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Magnum

  • Member
  • *****
  • Posts: 2354
Re: Wondered if this code still works under XP
« Reply #1 on: January 27, 2013, 02:06:28 PM »
I forgot to attach the com file on the prev. post.

MichaelW

  • Global Moderator
  • Member
  • *****
  • Posts: 1209
Re: Wondered if this code still works under XP
« Reply #2 on: January 27, 2013, 07:11:41 PM »
Is the dump simulated and if not, can the whole RAM be dumped ?

In my tests, accessing the bottom 1MB of address space of my Windows 2000 system from a Windows app with the aid of the WinIO driver, what I get looks like the bottom 1MB of address space. Although I did not do a detailed comparison, the BIOS data area looks correct for the system, as does the BIOS date at the top of the address space. Under Windows 2000 I can access at least 2MB into the address space (I have not tried to go further). In my tests under Windows XP only the bottom 4096 bytes were accessible. I intended to attach a dump for my Windows 2000 system, but even zipped it is too large.

For a RM app to access beyond the first MB it would need to first switch to PM and increase the segment limit, and I can’t see any way to do this under Windows.
Well Microsoft, here’s another nice mess you’ve gotten us into.

Magnum

  • Member
  • *****
  • Posts: 2354
Re: Wondered if this code still works under XP
« Reply #3 on: January 27, 2013, 11:48:08 PM »
Thanks for the info.

Did you try my app under Win 2000?

I was curious as to what you would get.

Andy




japheth

  • Guest
Re: Wondered if this code still works under XP
« Reply #4 on: January 27, 2013, 11:55:55 PM »
The result of a virtual memory dump for a NTVDM on XP SP3 on my machine is:

Code: [Select]
Region Size(hex) State AllocBase AllocProtect
00000000    10000 commit        0 execute_readwrite
00010000    90000 commit    10000 execute_readwrite
000A0000    20000 commit    A0000 execute_readwrite
000C0000     F000 commit    C0000 readonly
000CF000    11000 commit    CF000 execute_readwrite
000E0000    20000 commit    E0000 readonly
00100000    10000 commit   100000 execute_readwrite
00110000     B000 commit   110000 execute_readwrite
0011B000 1EE5000 reserve   110000 execute_readwrite
02000000     1000 commit 2000000 readwrite
02001000     F000 free
02010000     1000 commit 2010000 readwrite
02011000     F000 free
02020000    3C000 reserve 2020000 readwrite
0205C000     1000 commit 2020000 readwrite
0205D000     3000 commit 2020000 readwrite
02060000     3000 commit 2060000 readonly
02063000     D000 free
02070000     7000 commit 2070000 readwrite
02077000    F9000 reserve 2070000 readwrite
02170000     6000 commit 2170000 readwrite
02176000     A000 reserve 2170000 readwrite
02180000     7000 commit 2180000 readwrite
02187000     9000 reserve 2180000 readwrite
02190000    16000 commit 2190000 readonly
021A6000     A000 free
021B0000    41000 commit 21B0000 readonly
021F1000     F000 free
02200000    41000 commit 2200000 readonly
02241000     F000 free
02250000     6000 commit 2250000 readonly
02256000     A000 free
02260000     2000 commit 2260000 execute_read
02262000    BE000 reserve 2260000 execute_read
02320000     2000 commit 2260000 execute_read
02322000     6000 reserve 2260000 execute_read
02328000     8000 free
02330000   103000 commit 2330000 readonly
02433000     D000 free
02440000     1000 commit 2440000 readwrite
02441000     F000 free
02450000    34000 commit 2450000 execute_read
02484000   2CC000 reserve 2450000 execute_read
02750000     1000 commit 2750000 readwrite
02751000     F000 free
02760000     C000 commit 2760000 readwrite
0276C000     4000 reserve 2760000 readwrite
02770000     3000 commit 2770000 readonly
02773000     D000 free
02780000    3D000 reserve 2780000 readwrite
027BD000     1000 commit 2780000 readwrite
027BE000     2000 commit 2780000 readwrite
027C0000    53000 commit 27C0000 readwrite
02813000    AD000 reserve 27C0000 readwrite
028C0000    3D000 reserve 28C0000 readwrite
028FD000     1000 commit 28C0000 readwrite
028FE000     2000 commit 28C0000 readwrite
02900000     1000 commit 2900000 readwrite
02901000    7F000 reserve 2900000 readwrite
02980000 C680000 free
0F000000     1000 commit F000000 execute_writecopy
0F001000    60000 commit F000000 execute_writecopy
...

So memory from 0-11AFFFh can be dumped ( beyond 110000h you'll need to call Int 15h, ah=87h ).

I guess the 110000-11AFFFh region is used by DOSX.EXE - some memory there looks like a protected-mode IDT.

NTVDM apparently reserves the first 32 MB for the DOS stuff.

At 0F000000 starts the NTVDM.EXE image and other Win32 dlls.
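
Added example, not part of japheth's post: Python that parses rows in the listing format above, finds the last address of the gap-free committed run starting at 0 (the range a dump can read without faulting), and lists committed regions that are both writable and executable. The function names are assumptions of this example; the sample rows are copied from the top of the listing.

```python
import re

# First rows of the listing in the post above (copied from the thread).
LISTING = """\
Region Size(hex) State AllocBase AllocProtect
00000000    10000 commit        0 execute_readwrite
00010000    90000 commit    10000 execute_readwrite
000A0000    20000 commit    A0000 execute_readwrite
000C0000     F000 commit    C0000 readonly
000CF000    11000 commit    CF000 execute_readwrite
000E0000    20000 commit    E0000 readonly
00100000    10000 commit   100000 execute_readwrite
00110000     B000 commit   110000 execute_readwrite
0011B000 1EE5000 reserve   110000 execute_readwrite
02000000     1000 commit 2000000 readwrite
02001000     F000 free
"""

ROW = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(commit|reserve|free)"
                 r"(?:\s+([0-9A-Fa-f]+)\s+(\w+))?\s*$")

def parse_regions(text):
    """Return (base, size, state, alloc_base, protect) for each table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line, "..." or blank
        base, size, state, abase, prot = m.groups()
        rows.append((int(base, 16), int(size, 16), state,
                     int(abase, 16) if abase else None, prot))
    return rows

def readable_span(rows, start=0):
    """Last address of the gap-free committed run beginning at `start`."""
    end = start
    for base, size, state, _, _ in sorted(rows, key=lambda r: r[0]):
        if base != end or state != "commit":
            break  # first gap, reserved or free region ends the run
        end = base + size
    return end - 1 if end > start else None

def writable_and_executable(rows):
    """Committed regions whose protection allows both write and execute."""
    return [(b, s) for b, s, st, _, p in rows
            if st == "commit" and p and p.startswith("execute_") and "write" in p]
```
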

MichaelW

  • Global Moderator
  • Member
  • *****
  • Posts: 1209
Re: Wondered if this code still works under XP
« Reply #5 on: January 28, 2013, 01:26:37 AM »
Andy,

Your program produces a dump that looks like what I would expect from a 16-bit DOS app running under Windows. One of the obvious differences between it and my dump is that the BIOS data area shows the full complement of serial and parallel ports, when the system actually has only one of each:

Code: [Select]
00000400  F8 03 F8 02 E8 03 E8 02 - BC 03 78 03 78 02 C0 9F

The attachment contains a modification of some old code that does a quick test of Interrupt 15h, Function 87h. Under Windows 2000 it can read 16 bytes starting at 11aff0h no problem, but starting at 11aff1h triggers an exception.
Well Microsoft, here’s another nice mess you’ve gotten us into.
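
Added example, not part of MichaelW's post: Python that decodes the 16 BIOS data area bytes quoted above into COM and LPT base ports and compares that view with a second one, which is how a dump taken inside NTVDM can be told apart from one that reflects the real hardware. `HW_LINE` is a constructed comparison line for a machine with one port of each kind, and all function names are assumptions of this example.

```python
import struct

# The 16 bytes at linear address 400h quoted in the post above.
NTVDM_LINE = "00000400  F8 03 F8 02 E8 03 E8 02 - BC 03 78 03 78 02 C0 9F"
# Constructed comparison line (not from the thread): one COM and one LPT port.
HW_LINE = "00000400  F8 03 00 00 00 00 00 00 - 78 03 00 00 00 00 C0 9F"

def parse_hexdump_line(line):
    """Split 'address  b0 b1 ... - b8 ...' into (address, bytes)."""
    addr, rest = line.split(None, 1)
    data = bytes(int(tok, 16) for tok in rest.split() if tok != "-")
    return int(addr, 16), data

def decode_bda_ports(data):
    """Decode the eight little-endian words at 0040:0000.

    Words 0-3 are the COM1-COM4 base I/O ports and words 4-6 the
    LPT1-LPT3 base ports. Word 7 was LPT4 on the original PC; later
    BIOSes store the extended BIOS data area segment there.
    """
    if len(data) < 16:
        raise ValueError("need the first 16 bytes of the BIOS data area")
    words = struct.unpack("<8H", data[:16])
    return {"com": list(words[0:4]), "lpt": list(words[4:7]),
            "word_0e": words[7]}

def extra_ports(virtual, physical):
    """Non-zero ports listed in the virtual view but not the physical one."""
    return {kind: [p for p in virtual[kind] if p and p not in physical[kind]]
            for kind in ("com", "lpt")}

def bios_date(dump):
    """ASCII release date a PC BIOS keeps at F000:FFF5 (linear FFFF5h)."""
    if len(dump) < 0x100000:
        raise ValueError("expected a full 1 MB dump")
    return dump[0xFFFF5:0xFFFF5 + 8].decode("ascii", errors="replace")

if __name__ == "__main__":
    vdm = decode_bda_ports(parse_hexdump_line(NTVDM_LINE)[1])
    hw = decode_bda_ports(parse_hexdump_line(HW_LINE)[1])
    for kind, ports in extra_ports(vdm, hw).items():
        print(kind, [f"{p:04X}h" for p in ports])
```
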

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: Wondered if this code still works under XP
« Reply #6 on: January 28, 2013, 04:49:44 AM »
under DOS, you can use DEBUG to dump your way through memory
after the BIOS data area, you can see how IO.SYS and MSDOS.SYS loaded
you can also see any drivers loaded during boot via CONFIG.SYS

and, you can see the little 16-byte heap allocation headers in between each item

for the fun of it, i once replaced COMMAND.COM with DEBUG.COM   :P
you can see the state as it is just before COMMAND.COM loads

Magnum

  • Member
  • *****
  • Posts: 2354
Re: Wondered if this code still works under XP
« Reply #7 on: January 28, 2013, 06:16:49 AM »
Super Dave,

Do you mean real DOS or the fake DOS in XP ?

Seems like I remember changing some strings in command.com.


dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: Wondered if this code still works under XP
« Reply #8 on: January 28, 2013, 06:21:21 AM »
i was talking about real DOS
i haven't played as much with the emulated version under N

Magnum

  • Member
  • *****
  • Posts: 2354
Re: Wondered if this code still works under XP
« Reply #9 on: January 28, 2013, 06:22:31 AM »
Code: [Select]
Michael,

This is what I got when I ran test_mod.exe using cmd.exe and command.com

C:\MASM32\SOURCE>test_mod
0
00000000000000000000000000000000

0


C:\MASM32\SOURCE>
00000400  F8 03 F8 02 E8 03 E8 02 - BC 03 78 03 78 02 C0 9F
I installed the Kasper... rescue disk on a CD.

Would prefer it work on a pendrive though.

I can't figure out how to set up the network so I can download updates while using the Rescue disk.

I have setup wireless before, but this is a challenge.

I use a Zoom Combination Router and cable box modem.

It detects eth0 which I saw when using a Linux CD.

I am looking for recommendations for anti virus rescue disks that you have used successfully on a pen drive.

I have not had much luck with creating a boot pendrive with an O.S. on it.
I got one working on a Verbatim pendrive, but it stopped working.

I have tried around 6 versions including Puppy Slax, Mint, Debian, etc.

Thanks,
         Andy

The attachment contains a modification of some old code that does a quick test of Interrupt 15h, Function 87h. Under Windows 2000 it can read 16 bytes starting at 11aff0h no problem, but starting at 11aff1h triggers an exception.

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: Wondered if this code still works under XP
« Reply #10 on: January 28, 2013, 06:24:55 AM »
long ago, i wrote a replacement for COMMAND.COM for a specific application
it was used in public schools to run their AV/CCTV system
we sold them a copy of dos as part of the package to cover the legal end of it
i used IO.SYS and MSDOS.SYS, as provided by ms dos 3.3
then, i wrote my own "shell" to run the system under, and named it COMMAND.COM