Hi there.
Do you guys know of the different ways to reboot the machine?
There is the API way of course, but what about some other "low level" solutions?
Basically I'm trying to keep some Win98 box from rebooting, and trapping ExitWindowsEx does not make it.
Any suggestions??

Thanks.

Latigo
Posted on 2003-01-19 13:19:42 by latigo
Couldn't you create a window and check for WM_QUERYENDSESSION messages?
Posted on 2003-01-19 13:38:49 by Tola
Hi there Tola, and thanks.
I don't think this idea you provide would work, since I'm trying to trap or catch
other non-API ways to reboot the machine, like interrupts and the like.
Bye and thanks.
Posted on 2003-01-19 18:39:26 by latigo
Here's the classical:

    mov al,0FEh
    out 64h,al

Works on any OS (on Intel-compatible CPUs of course), and cannot be stopped (when running with CPL<=IOPL).

I think it's the lowest level way. Though, it uses the keyboard controller, so there might be some other more direct way (probably chipset dependent).

Also, there's the BIOS reboot entrypoint that can be called in real-mode (0F000h:FFF0h), which probably does that hw specific thing.

Ok, this wasn't exactly what you were looking for, as you wanted to stop it from rebooting :grin:

-Stealth
Posted on 2003-01-19 19:55:05 by Stealth
it's probably the lowest level way of rebooting the machine, yes. ends up pulsing the reset pin on the processor. weird that they're using the keyboard controller for a task like this. in general, the keyboard controller has some weird tasks :).

other ways of rebooting? cause a triple fault, for instance.
Posted on 2003-01-20 03:27:58 by f0dder
Thanks Guys!
Now I'll hafta figure out some ways of intercepting the thing...:cool:
Ciao.

Latigo
Posted on 2003-01-20 05:58:41 by latigo
you aren't by any chance messing with pace/interlok? really pesky stuff. they seem to believe they have the right to reboot your computer just because you have softice running. *sigh*.
Posted on 2003-01-20 06:10:20 by f0dder
Nah, just some free internet thing...hehe.
A good excuse to take the dust off the books... :)
It would have been a good title for one of the sections at Fravia's. He'd have named it "Cyber Cafe Super Hacking Extravaganza" or something..heh.


Latigo
Posted on 2003-01-20 08:05:04 by latigo
*g*. and remember, MOSKOVSKAJA wodka!
Posted on 2003-01-20 08:40:03 by f0dder
Originally posted by f0dder:
in general, the keyboard controller has some weird tasks :).

Indeed, IIRC, it's used to control the A20 gate, too.

Originally posted by latigo:
Now I'll hafta figure out some ways of intercepting the thing...

Depends on how it does it, but if you have a good kernel-debugger, it would be easier.

Originally posted by f0dder:
*g*. and remember, MOSKOVSKAJA wodka!

Or, may I suggest, Finlandia? ;)

-Stealth
Posted on 2003-01-20 17:21:12 by Stealth
yeah, A20 too unless I'm mistaken.
Oooh, finlandia? isn't that the one that tastes exactly like water?
Posted on 2003-01-20 17:25:03 by f0dder

:grin:
Depends on taste...

-Stealth
Posted on 2003-01-20 18:43:21 by Stealth
Besides the RESET and A20 lines, the keyboard controller also handles the PS/2 mouse interface ;)

They had one chip in there that had some pins unused, and they did not want to add more hardware, i.e. save some $ ;)
Posted on 2003-01-20 19:05:16 by BogdanOntanu
1. lidt fword ptr [00000000]
2. lidt fword ptr
3. lgdt fword ptr [00000000]
4. lgdt fword ptr
5. mov al,0FEh
   out 64h,al
Posted on 2003-01-26 22:30:50 by Micro5oft
Hi,

Another way, but only for DOS :grin:

    int 19h
Posted on 2003-01-27 03:19:04 by CYDONIA
int 19h requires a rather clean boot to work. and technically, it isn't really a reboot.
Posted on 2003-01-27 03:41:35 by f0dder
Ok, you cannot really do anything against those low-level things. They won't
run under NT though; it's hard to get into ring 0 there.

But there's not only the "-Ex"-version: ExitWindows() also does the
job.

If none of the above catches it, please check if your 'catch'-method really
works!


aweX <-

P.S.: mov al, 0FEh ; out 64h, al <- works in ring 3. Just tested it :grin:
Posted on 2003-01-27 03:46:36 by aweX
Well, they cannot be stopped 'automatically', but if you can find the point where the code does that with a debugger, you can bypass it manually. And, if you find it, you can modify the executable to keep it from rebooting.


Originally posted by Micro5oft:
1. lidt fword ptr [00000000]
2. lidt fword ptr
3. lgdt fword ptr [00000000]
4. lgdt fword ptr
5. mov al,0FEh
   out 64h,al

The options 1-4 don't _guarantee_ a reboot, but give a very high probability of one. It depends what's in [0] or [0FFFFFFFFh]. In Windows, address zero would point to 0 in physical memory, too, and the real-mode IVT is there, so it would load the IDT/GDT size from the int 0 handler's 16-bit address and the base address from (int 0 segment + int 1 address).

Well, everyone who has done any OS coding knows that a triple fault is very easy to do, and it'll most likely happen when loading the IDT or GDT with some arbitrary data, but it's not 100% sure...

-Stealth
Posted on 2003-01-27 11:13:27 by Stealth
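Stealth's advice above (find the spot with a debugger, then patch the executable) and Micro5oft's list both come down to locating a handful of fixed byte sequences. The following is an added example, not code from any poster in this thread: a small C scanner that finds those sequences in a flat 32-bit code image and can NOP them out. The encodings are the standard IA-32 ones (`B0 FE E6 64` for `mov al,0FEh / out 64h,al`, `0F 01 /2` for `lgdt m`, `0F 01 /3` for `lidt m`, `CD 19` for `int 19h`); the sample image is constructed for the example and is not taken from any real program. The scanner assumes 32-bit ModRM decoding and matches only the exact `mov al / out imm8` pair, so a program that splits the sequence (e.g. `out dx,al`) would evade it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread): find the low-level reboot
 * sequences discussed above in a flat 32-bit code image and, optionally,
 * NOP them out so the program can be patched. Encodings (32-bit mode):
 *   mov al,0FEh ; out 64h,al  ->  B0 FE E6 64   (8042 reset line)
 *   lgdt m48                  ->  0F 01 /2      (ModRM reg field == 2)
 *   lidt m48                  ->  0F 01 /3      (ModRM reg field == 3)
 *   int 19h                   ->  CD 19
 */

typedef struct {
    size_t offset;      /* byte offset of the instruction in the image   */
    size_t len;         /* instruction length, so it can be patched out */
    const char *what;
} hit_t;

/* Length of a 32-bit ModRM + optional SIB + displacement group starting
 * at p, or 0 when the buffer ends inside it. */
static size_t modrm_len(const uint8_t *p, size_t avail)
{
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return 1;                        /* register operand   */
    if (rm == 4) {                                 /* SIB byte follows   */
        if (avail < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4; /* base=101, mod=0: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                  /* [disp32]           */
    }
    if (mod == 1) len += 1;
    else if (mod == 2) len += 4;
    return len <= avail ? len : 0;
}

/* Scan buf byte by byte for the sequences above; returns number of hits. */
size_t scan_reboot_sigs(const uint8_t *buf, size_t len, hit_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        const uint8_t *p = buf + i;
        size_t avail = len - i, ilen = 0;
        const char *what = NULL;

        if (avail >= 4 && p[0] == 0xB0 && p[1] == 0xFE && p[2] == 0xE6 && p[3] == 0x64) {
            what = "mov al,0FEh / out 64h,al (8042 reset)"; ilen = 4;
        } else if (avail >= 2 && p[0] == 0xCD && p[1] == 0x19) {
            what = "int 19h (bootstrap loader)"; ilen = 2;
        } else if (avail >= 3 && p[0] == 0x0F && p[1] == 0x01 && (p[2] >> 6) != 3) {
            uint8_t reg = (p[2] >> 3) & 7;         /* /r field of ModRM  */
            size_t m = modrm_len(p + 2, avail - 2);
            if (m && reg == 2) { what = "lgdt"; ilen = 2 + m; }
            if (m && reg == 3) { what = "lidt"; ilen = 2 + m; }
        }
        if (what) { out[n].offset = i; out[n].len = ilen; out[n].what = what; n++; }
    }
    return n;
}

/* Overwrite one hit with NOPs (0x90) in a writable copy of the image. */
void nop_out(uint8_t *buf, size_t len, const hit_t *h)
{
    for (size_t i = 0; i < h->len && h->offset + i < len; i++)
        buf[h->offset + i] = 0x90;
}

/* Constructed sample image for this example (not from any real program). */
const uint8_t sample_code[] = {
    0x55, 0x89, 0xE5,                     /* push ebp; mov ebp,esp            */
    0xB0, 0xFE, 0xE6, 0x64,               /* mov al,0FEh; out 64h,al   @3     */
    0x90, 0x90,
    0x0F, 0x01, 0x1D, 0, 0, 0, 0,         /* lidt fword ptr [0]        @9     */
    0x0F, 0x01, 0x15, 0, 0, 0, 0,         /* lgdt fword ptr [0]        @16    */
    0x0F, 0x01, 0xD0,                     /* 0F 01 /2 with mod=3 (xgetbv): not lgdt */
    0xCD, 0x19,                           /* int 19h                   @26    */
    0xC3                                  /* ret                              */
};
const size_t sample_len = sizeof sample_code;

/* Patch every hit out of a copy and return how many remain (0 = clean). */
size_t sample_patched_remaining(void)
{
    uint8_t copy[sizeof sample_code];
    hit_t h[16];
    memcpy(copy, sample_code, sizeof copy);
    size_t n = scan_reboot_sigs(copy, sizeof copy, h, 16);
    for (size_t i = 0; i < n; i++) nop_out(copy, sizeof copy, &h[i]);
    return scan_reboot_sigs(copy, sizeof copy, h, 16);
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_reboot_sigs(sample_code, sample_len, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%04zx  len=%zu  %s\n", hits[i].offset, hits[i].len, hits[i].what);
    printf("after patching: %zu hits left\n", sample_patched_remaining());
    return 0;
}
```

Each reported offset is a place to put a breakpoint in a kernel debugger, or to overwrite with NOPs in the file on disk; patching a `lidt`/`lgdt` needs the full instruction length, which is why the scanner decodes the ModRM group instead of matching the two opcode bytes alone.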