what happens when you do quit to DOS in a program

May 6, 2016 at 11:20:36
Specs: MSDOS
Recently I was doing a DOS pwnable (CTF wargame) which, in the end, required writing DOS shellcode. For that I used int 0x21, function 4B.

What came to my mind was: what does the exit function do? To put it into context:

The computer boots up and command.com is launched as the command interpreter. I run a game and hit "quit to DOS". As there can be only one running process (TSRs excluded), what happened to the command.com context? Is it saved on the stack and restored upon int 0x21, 00? Or is it wiped out during the game's execution? If so, where is "exit to DOS" returning to?

May 7, 2016 at 03:26:33
"Exit to DOS" should bring up a command prompt. Simple as that.

May 7, 2016 at 05:38:49
Yes, but I'm looking for the DOS internals. Does it execve() the new shell (call int 0x21, 4b), or is there a way to restore the context of the previously running program? I'm guessing not, as there was always only one program running in DOS (TSRs being the exception, sort of).
What intrigues me then is how it knew the CWD (current working dir) (getenv() maybe?). I already found out that history (browsable within the command prompt using the arrows) was done by a TSR program.

I installed MS-DOS under qemu and will try to debug it with gdb. Setting a breakpoint just before the execution and just before the exit is a bit of a problem. Maybe if I catch the int 0x21...

May 8, 2016 at 09:48:08
What you are looking for is not clear to me; anyway, be aware the DOS shell, i.e. command.com, is always resident in core memory while user processes take control of the environment. All changes to the environment are retained after the end of an application, e.g. current directory, environment variables and so on. You can create a new environment by loading command.com again, but that just becomes a new layer over the ancestor, reducing available memory, an expensive resource in DOS systems.

If interested in DOS internals, you may take a look at FreeDOS, the open source MS-DOS clone, whose source code in the C language is available to the developer community.

May 9, 2016 at 02:05:15
I'm trying to figure out the internals of task handling in DOS. For fun only. The curiosity was triggered by one pwnable task I did in a CTF wargame.

Yes, you are right; part of command.com is resident in memory.

That's what I did: I downloaded the FreeDOS version and actually was able to find the DOS 2 source code in assembler too.
Now I'd like to see that in live action and debug it a bit.

As DOS doesn't have a task queue like modern systems, I wanted to see what happens when a new process is executed and what is done when an application tries to return to DOS. I know I'll end up in command.com and that the environ from the previous process is copied to the new one.

I'm using qemu/gdb. Still trying to figure out a way to "catch interrupt" or "catch execve", as I need the DOS interrupt to be caught in gdb, not the Linux one.

I was hoping to find somebody who was doing the actual development at that time. Googling this info now is a bit problematic.

May 9, 2016 at 06:19:56
To trap interrupts you have to manipulate the DOS interrupt vector, which I did a long time ago using the facilities offered by Borland Turbo Pascal 7 for DOS. Since you use QEMU as a virtual machine, you surely are aware of Bochs, a free full emulator, not a virtualizer, equipped with powerful debugging tools to monitor system module behavior. QEMU is derived from Bochs to avoid its lack of speed, not relevant however on modern PCs running DOS as the guest operating system.

May 17, 2016 at 01:44:14
Ideally I don't want to modify anything inside qemu (DOS); I want to observe the behavior only. It's the observer (gdb) which should be able to catch the interrupt.

After some googling I found somebody else had found a way already: http://ternet.fr/?p=gdb_real_mode

Thanks for help.

June 8, 2016 at 09:17:16
Unfortunately, We Believe That DOS is Easy/Cheap/...!
To Load And/Or Execute The Program, DOS Detects "COM" OR "EXE" Files.
INT 21h Function 4Ch (And Function 00h) - "EXIT" - TERMINATE WITH RETURN CODE (DOS 2+), To Terminate The Current Program.
By Using Function 4Bh, You Send Some Technical Information About The Program To MS-DOS (Or Another Compatible Operating System: DR-DOS, OSx16, NW-DOS, FreeDOS), DOS Analyzes It, And Initializes Registers And Defines Memory (And Memory Control Blocks - MCB), Stack, PSP, Environment Variables, ... And In The Final Step, Jumps To The Entry Point Of The New Program.
By INT 21h Function 4Ch, The Program Terminates Itself!
DOS Gets Control, Erases/Deletes Occupied/Allocated Memory Blocks, Removes Local Variables, And So On.

Good Luck.
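To make the sequence in this last post concrete (shrink the memory block, EXEC via 4Bh, get control back, read the return code via 4Dh, terminate via 4Ch), and to answer the original question of where "exit to DOS" returns to, here is a small NASM .COM program written for this page. It is not code from any poster, from MS-DOS or from FreeDOS. It EXECs a secondary shell with a command tail and, when the child terminates, execution resumes at the instruction after the parent's INT 21h/4Bh with the parent's PSP, memory and environment untouched; that is exactly what the resident COMMAND.COM experiences when a game "quits to DOS". The path C:\COMMAND.COM, the message strings and the 512-byte private stack are assumptions constructed for the example (on a real system the shell's location is whatever COMSPEC says).

```nasm
; execdemo.asm -- constructed example, not from the thread.
; Build: nasm -f bin execdemo.asm -o EXECDEMO.COM
        org     100h                    ; .COM image: CS=DS=ES=SS=PSP segment

start:
        ; 1. A .COM program is handed all free memory, so no child could be
        ;    loaded. Move our stack inside the image and shrink our block to
        ;    what we use (INT 21h/4Ah: ES = our PSP, BX = size in paragraphs).
        mov     sp, stack_top
        mov     ax, cs
        mov     es, ax
        mov     bx, (prog_end - start + 100h + 15) >> 4   ; PSP + image, in paragraphs
        mov     ah, 4Ah
        int     21h
        jc      fail

        ; 2. Segment halves of the EXEC parameter block: a flat binary has no
        ;    relocation, so they are only known at run time (DS=CS here).
        mov     [exec_block + 4], cs    ; command tail segment
        mov     [exec_block + 8], cs    ; FCB1 segment
        mov     [exec_block + 12], cs   ; FCB2 segment

        mov     dx, msg_before
        mov     ah, 09h
        int     21h

        ; 3. Save SS:SP where CS alone can find it: early DOS versions return
        ;    from EXEC with every register except CS:IP destroyed.
        ;    Then INT 21h/4Bh, AL=00h (load and execute), DS:DX = path,
        ;    ES:BX = parameter block.
        mov     [cs:saved_ss], ss
        mov     [cs:saved_sp], sp
        mov     dx, child_path
        mov     bx, exec_block
        mov     ax, 4B00h
        int     21h

        ; 4. Execution resumes HERE when the child calls INT 21h/4Ch (or 00h):
        ;    DOS frees the child's memory control blocks and returns to the
        ;    parent, whose PSP, memory and environment were never touched.
        cli
        mov     ss, [cs:saved_ss]
        mov     sp, [cs:saved_sp]
        sti
        mov     ax, cs
        mov     ds, ax
        jc      fail                    ; CF from EXEC: MOVs do not touch flags

        ; 5. INT 21h/4Dh: AL = code the child passed to 4Ch, AH = how it ended
        ;    (00h normal, 01h Ctrl-C, 02h critical error, 03h TSR via 31h).
        mov     ah, 4Dh
        int     21h
        push    ax
        mov     dx, msg_after
        mov     ah, 09h
        int     21h
        pop     ax
        call    print_hex_byte

        ; 6. Our own exit: the resident COMMAND.COM that EXEC'd us now gets the
        ;    same treatment we gave our child, and shows its prompt again.
        mov     ax, 4C00h
        int     21h

fail:
        mov     dx, msg_fail
        mov     ah, 09h
        int     21h
        mov     ax, 4C01h               ; exit code 1, visible to ERRORLEVEL
        int     21h

print_hex_byte:                         ; AL -> two uppercase hex digits
        push    ax
        mov     cl, 4
        shr     al, cl                  ; 8086 has no shift-by-immediate
        call    print_nibble
        pop     ax
        and     al, 0Fh                 ; falls through for the low nibble
print_nibble:
        add     al, '0'
        cmp     al, '9'
        jbe     .emit
        add     al, 'A' - '0' - 10
.emit:
        mov     dl, al
        mov     ah, 02h
        int     21h
        ret

child_path: db "C:\COMMAND.COM", 0      ; assumption: use your COMSPEC
exec_block:
        dw      0                       ; environment segment; 0 = inherit ours
        dw      cmd_tail, 0             ; far ptr to command tail (seg patched)
        dw      5Ch, 0                  ; far ptr to FCB1 (our PSP's default)
        dw      6Ch, 0                  ; far ptr to FCB2
cmd_tail:
        db      cmd_end - cmd_text      ; DOS command tail: count, text, CR
cmd_text:
        db      " /C ECHO hello from the child"
cmd_end:
        db      0Dh
msg_before: db "parent: EXEC C:\COMMAND.COM /C ...", 0Dh, 0Ah, '$'
msg_after:  db "parent: back after child exit, return code ", '$'
msg_fail:   db "parent: INT 21h call failed", 0Dh, 0Ah, '$'
saved_ss:   dw 0
saved_sp:   dw 0
        align   16
        times   512 db 0                ; private stack kept inside our block
stack_top:
prog_end:                               ; everything below this is released by 4Ah
```

Run EXECDEMO.COM from a DOS prompt (real or emulated): the child shell prints its line, then the parent prints the return code and exits, and the prompt of the outer COMMAND.COM comes back. The two points worth watching in a debugger are the memory control blocks before and after step 3 (the child's block appears above ours and disappears again) and the fact that SS:SP must be restored from memory, not trusted, when control returns.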
