Category : System Diagnostics for your computer
Archive   : INTERCE.ZIP

Output of file : INTERCEP.DOC contained in archive : INTERCE.ZIP
INTERCEPT/INTERPRET -- monitor DOS and BIOS calls. By:

Ned Konz
210 Oleeta St.
Ormond Bch, FL 32074
BIX:nkonz CIS:76046,223 (904)672-2431

Program description:
INTERCEPT (intercep.exe) and INTERPRET (interpre.exe)
were written so I could monitor the interaction between
unknown programs and MS-DOS (and the BIOS). I've used them
to help disassemble and patch programs, as well as to
debug my own programs.

I'll give a short example of how you run INTERCEPT here.
I'm not going to explain what the DOS or BIOS are, or why
anyone should care what a program does with them. If you
don't know, you probably don't need this program. But if
you want to learn about the IBM-PC or MS-DOS, INTERCEPT
makes a good learning tool along with a good book on DOS
(like Peter Norton's "Programmer's Guide to the IBM PC".)

Suppose you were curious about what the DOS utility
"LABEL.COM" does. Run INTERCEPT like this (assuming you've
installed it properly; see a later section of this file):

intercept label

You'll see a logo from INTERCEPT appear, followed by
the normal operation of LABEL. Answer its question, and
it ends. At this point, INTERCEPT runs INTERPRET and
a file called "intercep.out" is produced in the current

INTERCEP.OUT looks like this:

INTERCEPT/INTERPRET by Ned Konz 08/02/87
dump of DOS/BIOS calls from program "label"
595A:0597 2130 Get DOS version number
595A:05BD 2119 Report current drive
595A:05CC 21 4409 0003 0000 595a 595a 595a 0100 fffe 0882
595A:05E8 211a Set DTA to 595A:0316
595A:05EF 2111 Search for first file matching FCB at 595A:0316
595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0010 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0008 bytes from 595A:07E0 to file #0002
595A:0714 213f Read 007F bytes from file #0000 to 595A:0081
595A:09F5 2140 Write 0002 bytes from 595A:07E0 to file #0002
595A:0778 2113 Delete file using FCB at 595A:0343
595A:078A 215b Create new file (name at 595A:0304, attr. 08)
595A:0792 213e Close file handle #0006
595A:0592 214c Terminate process (return code 00)

What the lines mean is this:

* The first field (like "595A:0597") is the program counter address
from which the DOS or BIOS interrupts were called.

* The second field (like "2130") is the interrupt (here 21h, the
DOS catchall interrupt) and (possibly) the AH or AX values
(the 30 here means that AH equaled 30h -- the function code
for "get DOS version number", and AL (the other half of the
A register called AX) was unimportant.

* The rest of the line is a description of what that INTerrupt
call means in the context of MS-DOS or the IBM-PC BIOS, as defined
in the INTERPRE.DAT file. You can change this file if you need to,
to correct it or add other definitions.

In other words, if you used DEBUG to look at LABEL.COM around offset 0597,
you'd see:

3F24:058E B44C MOV AH,4C
3F24:0590 B000 MOV AL,00
3F24:0592 CD21 INT 21
3F24:0594 50 PUSH AX
3F24:0595 B430 MOV AH,30
3F24:0597 CD21 INT 21
3F24:0599 3D0314 CMP AX,1403
3F24:059C 740A JZ 05A8

Note that there are two INT 21 instructions in this short segment.
The one at offset 0592 corresponds to the last line in INTERCEP.OUT:
595A:0592 214c Terminate process (return code 00)
and the one at offset 0597 corresponds to the first line:
595A:0597 2130 Get DOS version number
Note also that the segment values here (3F24:) are different
than in INTERCEP.OUT. This is because both DEBUG and INTERCEPT
ran LABEL.COM as a "child process", and they're different

What about the line that reads:
595A:05CC 21 4409 0003 0000 595a 595a 595a 0100 fffe 0882
Well, that's one of those "RESERVED", undocumented DOS calls
which is used frequently by the DOS utilities. I've documented
some of these, like INT 21h, function 37h, sub-functions 01 and 02,
which get and set the DOS parameter switch character (and
are called by the undocumented Turbo C routines getswitchar() and

You can run INTERCEPT as "intercep -L" and get a long-form
output, with the values of all the registers at each call.

INTERCEPT is supplied as an ARC file. If you're reading
this, you've figured out how to take apart an ARC file.
Just move the following files to a directory that's
somewhere on your PATH:
INTERCEP.EXE -- The INTERCEPT program itself
INTERPRE.DAT -- The definition of all the interrupts
The rest of the files here are either documentation
or C source text, and aren't necessary to operation of the
program. If you run INTERCEPT without any command-line
arguments, you can get a usage prompt. (see below)

Contents of ARC file:
Filename Length Method Size Ratio Date Time
-------- ------ ------ ------ ----- ---- ----
INTERCEP.C 11197 Crunched 5798 49% 08-02-87 18:35:42
INTERCEP.DOC 6896 Crunched 3731 46% 08-02-87 19:32:38
INTERCEP.EXE 16400 Crunched 12612 24% 08-02-87 18:41:20
INTERCEP.H 1232 Crunched 802 35% 08-02-87 15:03:42
INTERPRE.C 6291 Crunched 3315 48% 08-02-87 18:37:52
INTERPRE.DAT 7435 Crunched 3960 47% 08-02-87 18:50:22
INTERPRE.EXE 32464 Crunched 8704 74% 08-02-87 18:41:22
---- ------ ------ -----
0007 81915 38922 53%

intercept [-l] [-T tmpdir] [-s maxcalls] [-o outfile] program [args[...]]
-l sets long format output: explanation AND register values
-T sets temporary directory for intermediate file to "tmpdir"
(will use TMP or TMPDIR environment vars. if found otherwise)
-s sets the maximum number of SWI records to "maxcalls"
-o names the output filename to "outfile" rather than
the default name ("intercep.out")
program is the name of the program to monitor
args are any command-line arguments to be passed
to the monitored program.

  3 Responses to “Category : System Diagnostics for your computer
Archive   : INTERCE.ZIP

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 I’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: