PRB: Windows 95 Doesn't Load SCSI Miniport Driver
ID: Q140732
UnKnown int 13 hooker MBRINT13
The Windows 95 I/O Supervisor (Ios.vxd) attempts to detect unsafe INT 13h
hookers during Windows 95 initialization. Part of this detection mechanism
is an attempt to detect INT 13h hooks that were installed by a modified
Master Boot Record (MBR). MBR INT 13h hooks are usually installed by disk
utilities that perform services such as disk compression or encryption,
which make it unsafe for Windows 95 to take over control of the disk using
32-bit disk drivers. MBR INT 13h hookers may also be installed by certain
viruses.
Under certain circumstances, it is possible for IOS to treat the INT 13h
handler installed by a SCSI BIOS as an unsafe MBR INT 13h hooker. This
occurs when the BIOS allocates system RAM and moves its INT 13h entrypoint
into this memory. The INT 13h hook is treated as an unsafe MBR INT 13h hook
because it lies at an address below A000:0000h in RAM, rather than above
A000:0000h in what is assumed to be ROM.
IOS tries to detect when a BIOS has installed an INT 13h handler by
examining the code in the handler's entrypoint. It looks for code sequences
that jump directly to an address above A000:0000h. Specifically, it looks
for the following five code sequences, each of which calls or jumps to an
address above A000:0000h:
    push ds
    push cs
    pop ds
    jmp xxxx:yyyy

    push ds
    push cs
    pop ds
    jmp dword ptr [foo]

    push ds
    push cs
    pop ds
    call dword ptr [foo]

    call xxxx:yyyy

    jmp xxxx:yyyy
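The entry-point check described above, sketched in C as an added example (this is not Microsoft's IOS code): it matches the five listed sequences by their 16-bit opcode encodings and reports a match only when the call or jump target lies at or above A000:0000h. The function names, the 1 MiB memory image, and the sample handlers are constructed for illustration; comparing linear addresses, treating A000:0000h itself as ROM, and reading [foo] as a plain 16-bit displacement in the handler's own segment are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_BASE 0xA0000u      /* linear address of A000:0000h */
#define MEM_SIZE 0x100000u     /* 1 MiB real-mode address space */
static uint8_t mem[MEM_SIZE];  /* constructed memory image, not a real dump */

static uint32_t lin(uint16_t seg, uint16_t off) {  /* seg:off -> index into mem */
    return (((uint32_t)seg << 4) + off) % MEM_SIZE;
}
static uint16_t rd16(uint32_t a) {                 /* little-endian word */
    return (uint16_t)(mem[a % MEM_SIZE] | (mem[(a + 1) % MEM_SIZE] << 8));
}

/* Returns 1..5, the position of the listed sequence found at seg:off, when
 * its target is at or above A000:0000h; returns 0 otherwise. */
int bios_pattern(uint16_t seg, uint16_t off) {
    uint32_t p = lin(seg, off), target;
    int pro, which;
    if (p + 8 > MEM_SIZE) return 0;                 /* keep reads inside mem */
    pro = memcmp(mem + p, "\x1E\x0E\x1F", 3) == 0;  /* push ds; push cs; pop ds */
    if (pro) p += 3;
    if (mem[p] == 0xEA || (mem[p] == 0x9A && !pro)) {   /* jmp/call xxxx:yyyy */
        target = lin(rd16(p + 3), rd16(p + 1));
        which = mem[p] == 0x9A ? 4 : (pro ? 1 : 5);
    } else if (pro && mem[p] == 0xFF && (mem[p + 1] == 0x2E || mem[p + 1] == 0x1E)) {
        /* jmp/call dword ptr [foo]; DS == CS here, so foo is read from seg */
        uint32_t foo = lin(seg, rd16(p + 2));
        target = lin(rd16(foo + 2), rd16(foo));
        which = mem[p + 1] == 0x2E ? 2 : 3;
    } else return 0;
    return target >= ROM_BASE ? which : 0;
}

/* Constructed samples: place n bytes of entry code at seg:0000, classify it. */
int classify(uint16_t seg, const char *code, size_t n) {
    memset(mem, 0, sizeof mem);
    memcpy(mem + lin(seg, 0), code, n);
    return bios_pattern(seg, 0);
}

int main(void) {
    /* handler relocated to RAM at 9FC0:0000 that chains to ROM at C800:0123 */
    printf("%d\n", classify(0x9FC0, "\x1E\x0E\x1F\xEA\x23\x01\x00\xC8", 8));
    /* handler in RAM at 9F00:0000 with none of the listed sequences */
    printf("%d\n", classify(0x9F00, "\x50\x53\x80\xFC\x02\x90\x90\x90", 8));
    return 0;
}
```

A result of 0 for a handler located below A000:0000h corresponds to the case the article describes, where the hook is treated as an unsafe MBR INT 13h hooker.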
This behavior is by design.
Additional query words: 4.00 MBR MBRINT13
Version : 4.00
Platform : WINDOWS
Last Reviewed: March 2, 1999