in al, 60h instructions, or program the on-board 8042 microcontroller to transmit the scan code for you. The next three sections describe these techniques in detail.
in instruction execute normally. Upon encountering an in instruction (that the keyboard ISR uses to read the keyboard data), we check to see if it is accessing port 60h. If so, we simply load the al register with the desired scan code rather than actually execute the in instruction. It is also important to check for the out instruction, since the keyboard ISR will want to send and EOI signal to the 8259A PIC after reading the keyboard data, we can simply ignore out instructions that write to port 20h.in and out) and to execute other instructions normally. While this is not directly possible in real mode, there is a close approximation we can make. The 80x86 CPUs provide a trace flag that generates an exception after the execution of each instruction. Normally, debuggers use the trace flag to single step through a program. However, by writing our own exception handler for the trace exception, we can gain control of the machine between the execution of every instruction. Then, we can look at the opcode of the next instruction to execute. If it is not an in or out instruction, we can simply return and execute the instruction normally. If it is an in or out instruction, we can determine the I/O address and decide whether to simulate or execute the instruction.in and out instructions, we will need to simulate any int instructions we find as well. The reason is because the int instruction pushes the flags on the stack and then clears the trace bit in the flags register. This means that the interrupt service routine associated with that int instruction would execute normally and we would miss any in or out instructions appearing therein. However, it is easy to simulate the int instruction, leaving the trace flag enabled, so we will add int to our list of instructions to interpret.
.xlist
include stdlib.a
includelib stdlib.lib
.list
cseg segment para public 'code'
assume ds:nothing
byp textequ <byte ptr>
; ScanCode must be in the Code segment.
ScanCode byte 0
;****************************************************************************
;
; KbdSim- Passes the scan code in AL through the keyboard controller
; using the trace flag. The way this works is to turn on the
; trace bit in the flags register. Each instruction then causes a trace
; trap. The (installed) trace handler then looks at each instruction to
; handle IN, OUT, INT, and other special instructions. Upon encountering
; an IN AL, 60 (or equivalent) this code simulates the instruction and
; returns the specified scan code rather than actually executing the IN
; instruction. Other instructions need special treatment as well. See
; the code for details. This code is pretty good at simulating the hardware,
; but it runs fairly slow and has a few compatibility problems.
KbdSim proc near
pushf
push es
push ax
push bx
xor bx, bx ;Point es at int vector tbl
mov es, bx ; (to simulate INT 9).
cli ;No interrupts for now.
mov cs:ScanCode, al ;Save output scan code.
push es:[1*4] ;Save current INT 1 vector
push es:2[1*4] ; so we can restore it later.
; Point the INT 1 vector at our INT 1 handler:
mov word ptr es:[1*4], offset MyInt1
mov word ptr es:[1*4 + 2], cs
; Turn on the trace trap (bit 8 of flags register):
pushf
pop ax
or ah, 1
push ax
popf
; Simulate an INT 9 instruction. Note: cannot actually execute INT 9 here
; since INT instructions turn off the trace operation.
pushf
call dword ptr es:[9*4]
; Turn off the trace operation:
pushf
pop ax
and ah, 0feh ;Clear trace bit.
push ax
popf
; Disable trace operation.
pop es:[1*4 + 2] ;Restore previous INT 1
pop es:[1*4] ; handler.
; Okay, we're done. Restore registers and return.
VMDone: pop bx
pop ax
pop es
popf
ret
KbdSim endp
;----------------------------------------------------------------------------
;
; MyInt1- Handles the trace trap (INT 1). This code looks at the next
; opcode to determine if it is one of the special opcodes we have to
; handle ourselves.
MyInt1 proc far
push bp
mov bp, sp ;Gain access to return adrs via BP.
push bx
push ds
; If we get down here, it's because this trace trap is directly due to
; our having punched the trace bit. Let's process the trace trap to
; simulate the 80x86 instruction set.
;
; Get the return address into DS:BX
NextInstr: lds bx, 2[bp]
; The following is a special case to quickly eliminate most opcodes and
; speed up this code by a tiny amount.
cmp byp [bx], 0cdh ;Most opcodes are less than
jnb NotSimple ; 0cdh, hence we quickly
pop ds ; return back to the real
pop bx ; program.
pop bp
iret
NotSimple: je IsIntInstr ;If it's an INT instruction.
mov bx, [bx] ;Get current instruction's opcode.
cmp bl, 0e8h ;CALL opcode
je ExecInstr
jb TryInOut0
cmp bl, 0ech ;IN al, dx instr.
je MayBeIn60
cmp bl, 0eeh ;OUT dx, al instr.
je MayBeOut20
pop ds ;A normal instruction if we get
pop bx ; down here.
pop bp
iret
TryInOut0: cmp bx, 60e4h ;IN al, 60h instr.
je IsINAL60
cmp bx, 20e6h ;out 20, al instr.
je IsOut20
; If it wasn't one of our magic instructions, execute it and continue.
ExecInstr: pop ds
pop bx
pop bp
iret
; If this instruction is IN AL, DX we have to look at the value in DX to
; determine if it's really an IN AL, 60h instruction.
MayBeIn60: cmp dx, 60h
jne ExecInstr
inc word ptr 2[bp] ;Skip over this 1 byte instr.
mov al, cs:ScanCode
jmp NextInstr
; If this is an IN AL, 60h instruction, simulate it by loading the current
; scan code into AL.
IsInAL60: mov al, cs:ScanCode
add word ptr 2[bp], 2 ;Skip over this 2-byte instr.
jmp NextInstr
; If this instruction is OUT DX, AL we have to look at DX to see if we're
; outputting to location 20h (8259).
MayBeOut20: cmp dx, 20h
jne ExecInstr
inc word ptr 2[bp] ;Skip this 1 byte instruction.
jmp NextInstr
; If this is an OUT 20h, al instruction, simply skip over it.
IsOut20: add word ptr 2[bp], 2 ;Skip instruction.
jmp NextInstr
; IsIntInstr- Execute this code if it's an INT instruction.
;
; The problem with the INT instructions is that they reset the trace bit
; upon execution. For certain guys (see above) we can't have that.
;
; Note: at this point the stack looks like the following:
;
; flags
;
; rtn cs -+
; |
; rtn ip +-- Points at next instr the CPU will execute.
; bp
; bx
; ds
;
; We need to simulate the appropriate INT instruction by:
;
; (1) adding two to the return address on the stack (so it returns
; beyond the INT instruction.
; (2) pushing the flags onto the stack.
; (3) pushing a phony return address onto the stack which simulates
; the INT 1 interrupt return address but which "returns" us to
; the specified interrupt vector handler.
;
; All this results in a stack which looks like the following:
;
; flags
;
; rtn cs -+
; |
; rtn ip +-- Points at next instr beyond the INT instruction.
;
; flags --- Bogus flags to simulate those pushed by INT instr.
;
; rtn cs -+
; |
; rtn ip +-- "Return address" which points at the ISR for this INT.
; bp
; bx
; ds
IsINTInstr: add word ptr 2[bp], 2 ;Bump rtn adrs beyond INT instr.
mov bl, 1[bx]
mov bh, 0
shl bx, 1 ;Multiply by 4 to get vector
shl bx, 1 ; address.
push [bp-0] ;Get and save BP
push [bp-2] ;Get and save BX.
push [bp-4] ;Get and save DS.
push cx
xor cx, cx ;Point DS at interrupt
mov ds, cx ; vector table.
mov cx, [bp+6] ;Get original flags.
mov [bp-0], cx ;Save as pushed flags.
mov cx, ds:2[bx] ;Get vector and use it as
mov [bp-2], cx ; the return address.
mov cx, ds:[bx]
mov [bp-4], cx
pop cx
pop ds
pop bx
pop bp
iret
;
MyInt1 endp
; Main program - Simulates some keystrokes to demo the above code.
Main proc
mov ax, cseg
mov ds, ax
print
byte "Simulating keystrokes via Trace Flag",cr,lf
byte "This program places 'DIR' in the keyboard buffer"
byte cr,lf,0
mov al, 20h ;"D" down scan code
call KbdSim
mov al, 0a0h ;"D" up scan code
call KbdSim
mov al, 17h ;"I" down scan code
call KbdSim
mov al, 97h ;"I" up scan code
call KbdSim
mov al, 13h ;"R" down scan code
call KbdSim
mov al, 93h ;"R" up scan code
call KbdSim
mov al, 1Ch ;Enter down scan code
call KbdSim
mov al, 9Ch ;Enter up scan code
call KbdSim
ExitPgm
Main endp
cseg ends
sseg segment para stack 'stack'
stk byte 1024 dup ("stack ")
sseg ends
zzzzzzseg segment para public 'zzzzzz'
LastBytes db 16 dup (?)
zzzzzzseg ends
end Main