I'm trying to reverse an MBR rootkit and faced a problem with the low-memory addresses 0x4c and 0x4e.
I have no idea about their destination.
[0x000000000009f51c] 9f40:011c (unk. ctxt): xor ax, ax ; 33c0
[0x000000000009f51e] 9f40:011e (unk. ctxt): mov ds, ax ; 8ed8
...
[0x000000000009f52e] 9f40:012e (unk. ctxt): cli ; fa
...
[0x000000000009f52f] 9f40:012f (unk. ctxt): xor ax, ax ; 33c0
[0x000000000009f531] 9f40:0131 (unk. ctxt): mov word ptr ds:0x4c, ax ; a34c00
[0x000000000009f534] 9f40:0134 (unk. ctxt): mov ax, es ; 8cc0
[0x000000000009f536] 9f40:0136 (unk. ctxt): add ax, 0x0040 ; 054000
[0x000000000009f539] 9f40:0139 (unk. ctxt): mov word ptr ds:0x4e, ax ; a34e00
[0x000000000009f53c] 9f40:013c (unk. ctxt): sti ; fb
At 9f40:0131 DS is zero.
The real-mode interrupt vector table starts at address 0 and it contains 256 4-byte (far) pointers to the 256 interrupt service routines.
0x4c/4=19, 0x4e/4=19, so the code is accessing the pointer to the ISR for vector 19(=0x13).
That ISR is special; it’s invoked with the int 0x13 instruction in order to access the disk. Look up Ralf Brown’s Interrupt List for details.
The above code changes the address of this ISR in the interrupt vector table. It does that probably to intercept disk I/O from other software (e.g. the OS loader), so it can forge some data.
It sets the ISR address to 0x40:0, which is right after the end of the interrupt vector table.
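As an added illustration (not part of the question or the answer above): a small Python model of the real-mode IVT that maps the two addresses to the offset and segment fields of vector 0x13, replays the two stores from the listing on an IVT image, and then checks whether INT 13h now points into conventional RAM instead of BIOS ROM, which is the kind of check a boot-time integrity tool would make. The ES value and the ROM handler address are constructed sample values, not taken from the page.

```python
import struct

IVT_ENTRY_SIZE = 4   # each vector is a far pointer: 16-bit offset, then 16-bit segment
IVT_ENTRIES = 256    # vectors 0x00..0xFF occupy linear addresses 0x000..0x3FF


def vector_for_address(linear_addr):
    """Map a low-memory address (e.g. 0x4c from `mov ds:0x4c, ax`) to (vector, field)."""
    if not 0 <= linear_addr < IVT_ENTRIES * IVT_ENTRY_SIZE:
        raise ValueError("address is outside the interrupt vector table")
    vector, byte_off = divmod(linear_addr, IVT_ENTRY_SIZE)
    field = "offset" if byte_off < 2 else "segment"   # bytes 0-1 = offset, 2-3 = segment
    return vector, field


def read_vector(ivt, vector):
    """Return (segment, offset) stored for `vector` in an IVT image (little-endian)."""
    off, seg = struct.unpack_from("<HH", ivt, vector * IVT_ENTRY_SIZE)
    return seg, off


def write_vector(ivt, vector, seg, off):
    """Store a far pointer: offset at 4*vector, segment at 4*vector + 2."""
    struct.pack_into("<HH", ivt, vector * IVT_ENTRY_SIZE, off, seg)


def linear(seg, off):
    """Real-mode segment:offset to 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def int13_is_hooked(ivt):
    """Flag an INT 13h handler that lives in conventional RAM (below 0xA0000) rather than ROM."""
    seg, off = read_vector(ivt, 0x13)
    return linear(seg, off) < 0xA0000


def sample_ivt():
    """Constructed IVT image whose INT 13h entry points into the BIOS ROM segment."""
    ivt = bytearray(IVT_ENTRIES * IVT_ENTRY_SIZE)
    write_vector(ivt, 0x13, 0xF000, 0xE3FE)   # sample ROM-resident handler (constructed value)
    return ivt


def simulate_listing_stores(ivt, es):
    """Replay the listing: offset 0x4c <- 0, offset 0x4e <- ES + 0x40 (the value of ES is assumed)."""
    write_vector(ivt, 0x13, (es + 0x40) & 0xFFFF, 0x0000)
    return read_vector(ivt, 0x13)
```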