The Necessary Components of a Boot Sector

Part of the document Black_book_of_Computer_Virus.pdf (Pages 80 - 84)

To write a boot sector that can both boot up the DOS operating system and reproduce means we are going to have to trim down on some of what a normal boot sector does. The KILROY virus won’t display the polite little error messages like “Non-System disk or disk error / Replace and strike any key when ready” when your disk isn’t configured properly. Instead, it will be real rude to the user if everything isn’t just right. That will make room for the code necessary to carry out covert operations.

To start with, let’s take a look at the basic structure of a boot sector. The first bytes in the sector are always a jump instruction to the real start of the program, followed by a bunch of data about the disk on which this boot sector resides. In general, this data changes from disk type to disk type. All 360K disks will have the same data, but that will differ from 1.2M drives and hard drives, etc. The standard data for the start of the boot sector is described in Table 2. It consists of a total of 43 bytes of information. Most of this information is required in order for DOS and the BIOS to use the disk drive and it should never be changed inadvertently. The one exception is the DOS_ID field. This is simply eight bytes to put a name in to identify the boot sector. We’ll put “Kilroy” there.

Right after the jump instruction, the boot sector sets up the stack. Next, it sets up the Disk Parameter Table, also known as the Disk Base Table. This is just a table of parameters which the BIOS uses to control the disk drive (Table 3) through the disk drive controller (a chip on the controller card). More information on these parameters can be found in Peter Norton’s Programmer’s Guide to the IBM PC, and similar books. When the boot sector is loaded, the BIOS has already set up a default table, and put a pointer to it at the address 0000:0078H (interrupt 1E Hex). The boot sector replaces this table with its own, tailored for the particular disk. This is standard practice, although in many cases the BIOS table is perfectly adequate to access the disk.

Name            Position  Size     Description
DOS_ID          7C03      8 Bytes  ID of Format program
SEC_SIZE        7C0B      2        Sector size, in bytes
SECS_PER_CLUST  7C0D      1        Number of sectors per cluster
FAT_START       7C0E      2        Starting sector for the 1st FAT
FAT_COUNT       7C10      1        Number of FATs on the disk
ROOT_ENTRIES    7C11      2        Number of entries in root directory
SEC_COUNT       7C13      2        Number of sectors on this disk
DISK_ID         7C14      1        Disk ID (FD Hex = 360K, etc.)
SECS_PER_FAT    7C15      2        Number of sectors in a FAT table
SECS_PER_TRK    7C18      2        Number of sectors on a track
HEADS           7C1A      2        Number of heads (sides) on disk
HIDDEN_SECS     7C1C      2        Number of hidden sectors

Table 2: The Boot Sector data.

Offset  Description
0       Specify Byte 1: head unload time, step rate time
1       Specify Byte 2: head load time, DMA mode
2       Time before turning motor off, in clock ticks
3       Bytes per sector (0=128, 1=256, 2=512, 3=1024)
4       Last sector number on a track
5       Gap length between sectors for read/write
6       Data transfer length (set to FF Hex)
7       Gap length between sectors for formatting
8       Value stored in each byte when a track is formatted
9       Head settle time, in milliseconds
A       Motor startup time, in 1/8 second units

Table 3: The Disk Parameter Table.

Rather than simply changing the address of the interrupt 1EH vector, the boot sector goes through a more complex procedure that allows the table to be built both from the data in the boot sector and the data set up by the BIOS. It does this by locating the BIOS default table and reading it byte by byte, along with a table stored in the boot sector. If the boot sector’s table contains a zero in any given byte, that byte is replaced with the corresponding byte from the BIOS’ table, otherwise the byte is left alone. Once the new table is built inside the boot sector, the boot sector changes interrupt vector 1EH to point to it. Then it resets the disk drive through BIOS interrupt 13H, function 0, using the new parameter table.
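The zero-means-inherit merge described above, as an added Python example (not code from the book): every zero byte in the boot sector's own 11-byte table is filled in from the BIOS default table. The BIOS default and the boot sector's overrides are constructed sample values, and the field names follow Table 3.

```python
# Field names for the 11-byte Disk Parameter Table, in the order of Table 3
DPT_FIELDS = ("specify1", "specify2", "motor_off_ticks", "bytes_per_sector_code",
              "last_sector", "rw_gap", "data_transfer_len", "fmt_gap",
              "fmt_fill_byte", "head_settle_ms", "motor_start_8ths")

def merge_dpt(boot_table: bytes, bios_table: bytes) -> bytes:
    """Build the table the boot sector installs at INT 1EH: a zero byte in the
    boot sector's table is replaced by the BIOS default byte at that offset,
    any non-zero byte is kept as the boot sector's own override."""
    if len(boot_table) != 11 or len(bios_table) != 11:
        raise ValueError("Disk Parameter Table must be 11 bytes")
    return bytes(b if b != 0 else d for b, d in zip(boot_table, bios_table))

def describe_dpt(table: bytes) -> dict:
    """Label each byte of a merged table with its Table 3 meaning."""
    return dict(zip(DPT_FIELDS, table))

# Constructed sample (illustrative, not real firmware values): a BIOS default table
# and a boot-sector table that only overrides the last sector number and the format gap
BIOS_DEFAULT_DPT = bytes([0xDF, 0x02, 0x25, 0x02, 0x09, 0x2A, 0xFF, 0x50, 0xF6, 0x0F, 0x08])
BOOT_SECTOR_DPT  = bytes([0x00, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for name, value in describe_dpt(merge_dpt(BOOT_SECTOR_DPT, BIOS_DEFAULT_DPT)).items():
        print(f"{name:>22}: {value:02X}")
```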

The next step, locating the system files, is done by finding the start of the root directory on disk and looking at it. The disk data at the start of the boot sector has all the information we need to calculate where the root directory starts. Specifically,

FRDS (First root directory sector) = FAT_COUNT*SECS_PER_FAT + HIDDEN_SECS + FAT_START

so we can calculate the sector number and read it into memory at 0000:0500H. From there, the boot sector looks at the first two directory entries on disk. These are just 32-byte records, the first eleven bytes of which are the file name. One can easily compare these eleven bytes with file names stored in the boot record. Typical code for this whole operation looks like this:

LOOK_SYS:
        MOV     AL,BYTE PTR [FAT_COUNT]     ;get fats per disk
        XOR     AH,AH
        MUL     WORD PTR [SECS_PER_FAT]     ;multiply by sectors per fat
        ADD     AX,WORD PTR [HIDDEN_SECS]   ;add hidden sectors
        ADD     AX,WORD PTR [FAT_START]     ;add starting fat sector
        PUSH    AX
        MOV     WORD PTR [DOS_ID],AX        ;root dir, save it
        MOV     AX,20H                      ;dir entry size
        MUL     WORD PTR [ROOT_ENTRIES]     ;dir size in ax
        MOV     BX,WORD PTR [SEC_SIZE]      ;sector size
        ADD     AX,BX                       ;add one sector
        DEC     AX                          ;decrement by 1
        DIV     BX                          ;ax=# sectors in root dir
        ADD     WORD PTR [DOS_ID],AX        ;DOS_ID=start of data
        MOV     BX,OFFSET DISK_BUF          ;set up disk read buffer @ 0:0500
        POP     AX                          ;and go convert sequential
        CALL    CONVERT                     ;sector number to bios data
        MOV     AL,1                        ;prepare for a 1 sector disk read
        CALL    READ_DISK                   ;go read it
        MOV     DI,BX                       ;compare first file on disk with
        MOV     CX,11                       ;required file name
        MOV     SI,OFFSET SYSFILE_1         ;of first system file for PC DOS
        REPZ    CMPSB
        JZ      SYSTEM_THERE                ;ok, found it, go load it
        MOV     DI,BX                       ;compare first file with
        MOV     CX,11                       ;required file name
        MOV     SI,OFFSET SYSFILE_2         ;of first system file for MS DOS
        REPZ    CMPSB
ERROR2: JNZ     ERROR2                      ;not the same - an error, so stop

Once the boot sector has verified that the system files are on disk, it tries to load the first file. It assumes that the first file is located at the very start of the data area on disk, in one contiguous block. So to load it, the boot sector calculates where the start of the data area is,

FDS (First Data Sector) = FRDS + [(32*ROOT_ENTRIES) + SEC_SIZE - 1]/SEC_SIZE

and the size of the file in sectors. The file size in bytes is stored at the offset 1CH from the start of the directory entry at 0000:0500H.

The number of sectors to load is at most

SIZE IN SECTORS = (SIZE_IN_BYTES/SEC_SIZE) + 1

(Note that the size of this file is always less than 29K or it cannot be loaded.) The file is loaded at 0000:0700H. Then the boot sector sets up some parameters for that system file in its registers, and transfers control to it. From there the operating system takes over the computer, and eventually the boot sector’s image in memory is overwritten by other programs.

Position  Size     Description
00 Hex    8 Bytes  File Name (ASCII, space filled)
08        3        File Name Extension (ASCII, space filled)
0B        1        File Attribute
0C        10       Reserved, Zero filled
16        2        Time file last written to
18        2        Date file last written to
1A        2        Starting FAT entry
1C        4        File size (long integer)

Table 4: The format of a directory entry on disk.
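The whole locate-and-load computation above (FRDS, FDS, the system-file name check on the first directory entry, and SIZE_IN_SECTORS), as an added Python example that is not code from the book. It assumes the standard BPB layout, in which SEC_COUNT occupies two bytes at 13H-14H so DISK_ID sits at 15H and SECS_PER_FAT at 16H, the well-known system file names IBMBIO.COM (PC DOS) and IO.SYS (MS DOS), and the text's 29K load limit; the 360K boot sector and directory entry are constructed sample data.

```python
import struct

# Standard BPB layout from the start of the boot sector (7C00H in memory). SEC_COUNT is
# two bytes at 13H-14H, so DISK_ID is read at 15H and SECS_PER_FAT at 16H (assumption).
BPB = struct.Struct("<3s8sHBHBHHBHHHH")
FIELDS = ("jump", "DOS_ID", "SEC_SIZE", "SECS_PER_CLUST", "FAT_START", "FAT_COUNT",
          "ROOT_ENTRIES", "SEC_COUNT", "DISK_ID", "SECS_PER_FAT", "SECS_PER_TRK",
          "HEADS", "HIDDEN_SECS")
SYSFILES = (b"IBMBIO  COM", b"IO      SYS")  # first system file of PC DOS / MS DOS
MAX_LOAD = 29 * 1024                         # the text's limit for loading at 0000:0700H

def parse_bpb(sector: bytes) -> dict:
    """Unpack the Table 2 fields from a 512-byte boot sector carrying the 55AA signature."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector with a 55AA signature")
    return dict(zip(FIELDS, BPB.unpack_from(sector, 0)))

def first_root_dir_sector(b: dict) -> int:
    # FRDS = FAT_COUNT*SECS_PER_FAT + HIDDEN_SECS + FAT_START
    return b["FAT_COUNT"] * b["SECS_PER_FAT"] + b["HIDDEN_SECS"] + b["FAT_START"]

def first_data_sector(b: dict) -> int:
    # FDS = FRDS + [(32*ROOT_ENTRIES) + SEC_SIZE - 1]/SEC_SIZE, i.e. root dir size rounded up
    root_sectors = (32 * b["ROOT_ENTRIES"] + b["SEC_SIZE"] - 1) // b["SEC_SIZE"]
    return first_root_dir_sector(b) + root_sectors

def sectors_to_load(dir_entry: bytes, sec_size: int) -> int:
    """Check the first 32-byte directory entry (Table 4) the way the boot sector does and
    return SIZE_IN_SECTORS = SIZE_IN_BYTES/SEC_SIZE + 1; raise where the code would halt."""
    if dir_entry[0:11] not in SYSFILES:          # the REPZ CMPSB against SYSFILE_1/2
        raise RuntimeError("ERROR2: first directory entry is not a system file")
    size = struct.unpack_from("<I", dir_entry, 0x1C)[0]   # file size at offset 1CH
    if size >= MAX_LOAD:
        raise RuntimeError("system file too large to load at 0000:0700H")
    return size // sec_size + 1

# Constructed sample: a 360K floppy boot sector labelled "Kilroy" (512-byte sectors, 2 FATs of
# 2 sectors, 112 root entries, 720 sectors) and a directory entry for a 22100-byte IBMBIO.COM
BOOT_SECTOR = bytearray(512)
BPB.pack_into(BOOT_SECTOR, 0, b"\xEB\x3C\x90", b"Kilroy  ", 512, 2, 1, 2, 112, 720,
              0xFD, 2, 9, 2, 0)
BOOT_SECTOR[510:512] = b"\x55\xAA"
DIR_ENTRY = bytearray(32)
DIR_ENTRY[0:11] = b"IBMBIO  COM"
struct.pack_into("<I", DIR_ENTRY, 0x1C, 22100)

if __name__ == "__main__":
    bpb = parse_bpb(bytes(BOOT_SECTOR))
    print("FRDS =", first_root_dir_sector(bpb), "FDS =", first_data_sector(bpb),
          "sectors to load =", sectors_to_load(bytes(DIR_ENTRY), bpb["SEC_SIZE"]))
```

For the sample disk the root directory starts at sector 5, the data area at sector 12 (5 + 7 root directory sectors), and the 22100-byte system file needs 44 sectors.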
