Contents of the HDSENTRY.DOC file
HDSENTRY - HARD DISK PROTECTION FROM TROJAN PROGRAMS
(c) Copyright 1987 by Andrew M. Fried
Every day, thousands of free programs are downloaded from public
bulletin board systems throughout the world. While the system
itself is generally owned and operated by an individual, much of
the contents of the BBS come from the public domain.
The system operators of these bulletin boards, or sysops as they
are affectionately called, rely on their callers for new material
that could be of interest to others. Some of the stuff uploaded
by users include technical articles, software reviews, program
patches, unprotects (ways to crack copy protection), pleas for
assistance and, of course, software.
A problem has recently surfaced concerning the software uploaded
to these systems. Every once in a while, a program surfaces
that, when run, maliciously attacks the system's hard disk. Since
these programs are often disguised, they are referred to as
HDSENTRY was written at the request of a friend of mine (who also
happens to be a sysop). During the past few months, several
'trojan' programs have been uploaded to his BBS. He asked if a
simple program could be developed which would insulate the hard
disk from the rest of the system. Thus, HDSENTRY was born.
HDSENTRY will enable you to run any program on a floppy drive
undisturbed. This will permit you to 'test' an unknown program on
a floppy disk without fears that it will jump over to your hard
disk and "eat it up". The program running on the floppy may even
make calls to the fixed disk so long as the calls do not pose a
threat to the system.
HDSENTRY will prevent most programs from accessing the hard disk
for any type of destructive call. Nondestructive calls such as
reading or resetting the drive are permitted; formatting and
writing to the disk are trapped and prevented from occurring.
Interrupt 26h, the absolute disk write interrupt, is also
effectively removed from the system by this program.
The only way to bypass HDSENTRY's protection scheme would be to
write directly to the ports of the fixed disk controller and
manipulate the disk with the aid of DOS or ROM BIOS. This is no
simple task; only a very experienced and knowledgeable programmer
could do this. It is my belief that anyone that sophisticated
would not be spending their time writing vandalous programs.
CALLING THE PROGRAM
The program is called without any extensions or arguments.
Simply type 'HDSENTRY' at the DOS prompt. HDSENTRY will load
itself and remain resident in memory (programs such as this are
often referred to as TSR or "terminate and stay resident"
Once HDSENTRY is run, interrupt vector 13h (the diskette and
fixed disk interrupt handler) and interrupt vector 26h (absolute
disk write interrupt) are changed to point to routines inside
HDSENTRY. Any subsequent calls to interrupt 26h will be ignored.
Calls made to interrupt 13h are first checked to see if they are
accessing the fixed disk or the floppy. If the floppy is being
accessed, HDSENTRY permits the interrupt to continue undisturbed.
If, on the other hand, one of the fixed disks is the target of
the function call, HDSENTRY checks the interrupt request to see
if a write or format command has been issued. If so, the program
flashes an error message on the screen and the program continues
(unaware that it did not reach the fixed disk). Nondestructive
calls are permitted, and those requests will be passed on to the
original interrupt handler for execution.
HDSENTRY was written in IBM assembly language and designed to be
used on IBM PC/XT's and PC/AT's. Systems without a hard disk are
not supported under this version of HDSENTRY.
Basically, HDSENTRY operates by revectoring all of the ROM BIOS
calls which are responsible for providing direct hardware control
of the system's disk drives. I am referring to interrupts 13h and
Once HDSENTRY has been initialized in memory, all support
requests for disk services are sent to its handler.
If HDSENTRY finds that the service call is requesting services
from the diskette, the parameters are passed along to the
original interrupt handler for processing. If, on the other
hand, the call is directed towards a fixed disk, the handler
examines the AH register in order to ascertain what BIOS service
is being requested. The possibilities include:
0 - reset diskette system
1 - read status of system
2 - read disk sector
3 - write to disk sector
4 - verify desired sector
5 - format desired track
8 - read drive parameters
21 - read DASD type (AT only)
22 - disk change line status (AT only)
23 - set DASD type for format (AT only)
If HDSENTRY finds that the call involves either a write or format
command, a warning is displayed and an interrupt return is
generated. The original interrupt handler never sees the call
and cannot be invoked.
One technical point to mention concerning interrupt 26h is that
it, unlike all other interrupts, does not perform a clean
interrupt return. Upon return, a word is left in the stack which
must be removed by the application program making the function
The significance of this is that if our program failed to add a
word to the stack before performing an interrupt return, the
offending program would cause chaos by popping information from
the stack when it shouldn't. The stack pointer would get all
messed up and unpredictable results would occur almost
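As an added example (not the HDSENTRY source, which this file does not reproduce), here is a minimal MASM-style .COM TSR that installs the two hooks described above: INT 13h passes diskette calls through, swallows fixed-disk write (AH=3) and format (AH=5) requests, and chains everything else; INT 26h is replaced outright. The label names, the RETF-based INT 26h return (which leaves the extra word on the stack for the caller) and the CF/AH fix-up in the blocked path are this example's own choices, and it assumes a DOS machine with a fixed disk.

```asm
        .model tiny
        .code
        org  100h
start:  jmp  install

old13   dd   ?                  ; original INT 13h vector, saved at install

; INT 13h filter: diskette calls pass; fixed-disk write/format never reach BIOS
new13   proc far
        cmp  dl, 80h            ; DL >= 80h selects a fixed disk
        jb   chain              ; diskette: hand the call to the BIOS untouched
        cmp  ah, 3              ; AH=3 write sectors
        je   block
        cmp  ah, 5              ; AH=5 format track
        jne  chain              ; reset, status, read, verify, params: allowed
block:  ; (on-screen warning omitted here; calling DOS inside INT 13h is unsafe)
        xor  ah, ah             ; status 0 = success, as the BIOS would report
        push bp
        mov  bp, sp
        and  word ptr [bp+6], 0FFFEh ; clear CF in the caller's saved flags
        pop  bp
        iret                    ; caller continues, unaware nothing was written
chain:  jmp  dword ptr cs:old13 ; pass to the original handler (DS is the caller's)
new13   endp

; INT 26h replacement: absolute disk write is ignored. DOS returns from
; INT 25h/26h with RETF, leaving the flags word on the stack for the caller
; to pop; an IRET here would leave the caller's stack unbalanced.
new26   proc far
        clc                     ; CF clear = "write succeeded"
        retf                    ; pops CS:IP only; flags word stays for the caller
new26   endp

resident_end:

install:
        mov  ax, 3513h          ; DOS: get INT 13h vector into ES:BX
        int  21h
        mov  word ptr old13, bx
        mov  word ptr old13+2, es
        mov  dx, offset new13
        mov  ax, 2513h          ; DOS: set INT 13h vector = DS:DX
        int  21h
        mov  dx, offset new26
        mov  ax, 2526h          ; DOS: set INT 26h vector = DS:DX
        int  21h
        mov  dx, offset resident_end
        int  27h                ; terminate and stay resident, keeping DS:0..DX
        end  start
```

Like HDSENTRY itself, this hook only filters BIOS and DOS service calls; software that drives the controller ports directly is outside its reach, as the text notes above.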
This program should be invoked before running any newly acquired
software downloaded from a BBS. It permits you to run a program
on your floppy disk drive without worrying that a concealed
command will trash your hard disk. Removing the program once it
is invoked, however, requires you to reboot the system.
The program is a good example of memory resident programming, as
If you don't have a macro assembler and would like a copy of this
program (along with source code), send me a check for $10 to
cover postage and handling along with your name and address to my
address shown below. I will send you the program compiled and
ready to run!
Andrew M. Fried
895 Cynthia Drive
Titusville, Fla. 32780