Chapter 3/ Hardware Briefing
To test our program, I loaded two TSRs named $$TSR1.COM and $$TSR2.COM.
Then I ran mem.exe with the debug switch to verify that they were loaded.
C:\>$$tsr1
C:\>$$tsr2
C:\>mem /d
091c 34,704 (34K) DOSX program
1196 128 (0K) DOSX data area
119f 1,296 (1K) $$TSR1 environment
11f1 8,192 (8K) $$TSR1 program
13f2 1,296 (1K) $$TSR2 environment
1444 8,192 (8K) $$TSR2 program
1645 1,296 (1K) MEM environment
1697 55,008 (54K) MEM program
2406 507,776 (496K) free
Next, I executed the HideTSR program and then ran mem.exe again, observing
that the TSRs had been replaced by nondescript (empty) entries.
C:\>mem /d
091c 34,704 (34K) DOSX program
1196 128 (0K) DOSX data area
119f 9,504 (9K)
13f2 9,504 (9K)
1645 1,296 (1K) MEM environment
1697 55,008 (54K) MEM program
2406 507,776 (496K) free
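The two listings can also be compared mechanically. The following is an added example, not code from the book: it parses both mem /d listings and flags unlabeled blocks that now cover memory previously owned by named programs, checking that each 9,504-byte block equals 1,296 + 8,192 bytes plus one 16-byte DOS memory control block header. The function names and the retyped sample listings are assumptions of the example.

```python
import re

MCB_HEADER = 16  # bytes; DOS puts a one-paragraph control block before each allocation
# Constructed input: the two listings above, retyped without the size-in-K column.
BEFORE = """\
091c 34,704 DOSX program
1196 128 DOSX data area
119f 1,296 $$TSR1 environment
11f1 8,192 $$TSR1 program
13f2 1,296 $$TSR2 environment
1444 8,192 $$TSR2 program
1645 1,296 MEM environment
1697 55,008 MEM program
2406 507,776 free
"""
AFTER = """\
091c 34,704 DOSX program
1196 128 DOSX data area
119f 9,504
13f2 9,504
1645 1,296 MEM environment
1697 55,008 MEM program
2406 507,776 free
"""

def parse(listing):
    """Turn `mem /d` style lines into (segment, size_in_bytes, owner_label) tuples."""
    rows = []
    for line in listing.splitlines():
        m = re.match(r"([0-9a-fA-F]{4})\s+([\d,]+)\s*(?:\(\d+K\))?\s*(.*)", line)
        if m:
            rows.append((int(m[1], 16), int(m[2].replace(",", "")), m[3].strip()))
    return rows

def hidden_blocks(before, after):
    """Report unlabeled blocks in `after` that cover labeled blocks from `before`."""
    findings = []
    for seg, size, _ in (row for row in after if not row[2]):
        # Baseline blocks whose start falls inside this block's paragraphs.
        merged = [b for b in before if seg <= b[0] < seg + size // 16 and b[2]]
        # Coalescing n blocks absorbs n-1 control block headers into the data area.
        expected = sum(b[1] for b in merged) + MCB_HEADER * (len(merged) - 1)
        if merged:
            findings.append((seg, [b[2] for b in merged], expected == size))
    return findings

if __name__ == "__main__":
    for seg, owners, exact in hidden_blocks(parse(BEFORE), parse(AFTER)):
        print(f"{seg:04x}: unlabeled, replaces {owners}, size matches: {exact}")
```

A check like this depends on a baseline listing captured before the change; the second listing alone shows only two unlabeled 9K blocks.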
Case Study: Patching the TREE.COM Command
Another way to modify an application is to intercept program control by
injecting a jump statement that transfers control to a special section of code
that we've grafted onto the executable. This sort of modification can be done
by patching the application's file on disk or by altering the program at runtime
while it resides in memory. In this case, we'll focus on the former tactic
(though the latter tactic is more effective because it's much harder to detect).
We'll begin by taking a package from the FreeDOS distribution that implements
the tree command. The tree command graphically displays the contents