INTERCEPT/INTERPRET -- monitor DOS and BIOS calls.

By: Ned Konz
    210 Oleeta St.
    Ormond Bch, FL 32074
    BIX:nkonz  CIS:76046,223
    (904)672-2431
    08/02/1987

============================================================
Program description:
============================================================

INTERCEPT (intercep.exe) and INTERPRET (interpre.exe) were written so I could monitor the interaction between unknown programs and MS-DOS (and the BIOS). I've used them to help disassemble and patch programs, as well as to debug my own programs.

I'll give a short example of how you run INTERCEPT here. I'm not going to explain what the DOS or BIOS are, or why anyone should care what a program does with them. If you don't know, you probably don't need this program. But if you want to learn about the IBM-PC or MS-DOS, INTERCEPT makes a good learning tool along with a good book on DOS (like Peter Norton's "Programmer's Guide to the IBM PC").

Suppose you were curious about what the DOS utility "LABEL.COM" does. Run INTERCEPT like this (assuming you've installed it properly; see a later section of this file):

    intercept label

You'll see a logo from INTERCEPT appear, followed by the normal operation of LABEL. Answer its question, and it ends. At this point, INTERCEPT runs INTERPRET and a file called "intercep.out" is produced in the current directory.
INTERCEP.OUT looks like this:

    INTERCEPT/INTERPRET by Ned Konz 08/02/87
    dump of DOS/BIOS calls from program "label"
    595A:0597 2130 Get DOS version number
    595A:05BD 2119 Report current drive
    595A:05CC 21 4409 0003 0000 595a 595a 595a 0100 fffe 0882
    595A:05E8 211a Set DTA to 595A:0316
    595A:05EF 2111 Search for first file matching FCB at 595A:0316
    595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
    595A:09F5 2140 Write 0010 bytes from 595A:07E0 to file #0002
    595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
    595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
    595A:09F5 2140 Write 0008 bytes from 595A:07E0 to file #0002
    595A:0714 213f Read 007F bytes from file #0000 to 595A:0081
    595A:09F5 2140 Write 0002 bytes from 595A:07E0 to file #0002
    595A:0778 2113 Delete file using FCB at 595A:0343
    595A:078A 215b Create new file (name at 595A:0304, attr. 08)
    595A:0792 213e Close file handle #0006
    595A:0592 214c Terminate process (return code 00)

What the lines mean is this:

* The first field (like "595A:0597") is the program counter address from which the DOS or BIOS interrupt was called.

* The second field (like "2130") is the interrupt number (here 21h, the DOS catchall interrupt) followed (possibly) by the AH or AX value. The 30 here means that AH equaled 30h -- the function code for "get DOS version number" -- and that AL (the other half of the A register, called AX) was unimportant.

* The rest of the line is a description of what that INTerrupt call means in the context of MS-DOS or the IBM-PC BIOS, as defined in the INTERPRE.DAT file. You can change this file if you need to, to correct it or add other definitions.

In other words, if you used DEBUG to look at LABEL.COM around offset 0597, you'd see:

    3F24:058E B44C      MOV  AH,4C
    3F24:0590 B000      MOV  AL,00
    3F24:0592 CD21      INT  21
    3F24:0594 50        PUSH AX
    3F24:0595 B430      MOV  AH,30
    3F24:0597 CD21      INT  21
    3F24:0599 3D0314    CMP  AX,1403
    3F24:059C 740A      JZ   05A8

Note that there are two INT 21 instructions in this short segment.
The one at offset 0592 corresponds to the last line in INTERCEP.OUT:

    595A:0592 214c Terminate process (return code 00)

and the one at offset 0597 corresponds to the first line:

    595A:0597 2130 Get DOS version number

Note also that the segment values here (3F24:) are different from those in INTERCEP.OUT. This is because both DEBUG and INTERCEPT ran LABEL.COM as a "child process", and they're different sizes.

What about the line that reads:

    595A:05CC 21 4409 0003 0000 595a 595a 595a 0100 fffe 0882

Well, that's one of those "RESERVED", undocumented DOS calls which are used frequently by the DOS utilities. I've documented some of these, like INT 21h, function 37h, sub-functions 01 and 02, which get and set the DOS parameter switch character (and are called by the undocumented Turbo C routines getswitchar() and setswitchar()).

You can run INTERCEPT as "intercep -L" and get a long-form output, with the values of all the registers at each call.

============================================================
INSTALLING INTERCEPT:
============================================================

INTERCEPT is supplied as an ARC file. If you're reading this, you've figured out how to take apart an ARC file. Just move the following files to a directory that's somewhere on your PATH:

    INTERCEP.EXE -- The INTERCEPT program itself
    INTERPRE.EXE -- The INTERPRET program
    INTERPRE.DAT -- The definition of all the interrupts

The rest of the files here are either documentation or C source text, and aren't necessary to operation of the program.

If you run INTERCEPT without any command-line arguments, you can get a usage prompt (see below).

============================================================
Contents of ARC file:
============================================================

    Filename      Length  Method     Size  Ratio      Date      Time
    --------      ------  ------    -----  -----      ----      ----
    INTERCEP.C     11197  Crunched   5798    49%  08-02-87  18:35:42
    INTERCEP.DOC    6896  Crunched   3731    46%  08-02-87  19:32:38
    INTERCEP.EXE   16400  Crunched  12612    24%  08-02-87  18:41:20
    INTERCEP.H      1232  Crunched    802    35%  08-02-87  15:03:42
    INTERPRE.C      6291  Crunched   3315    48%  08-02-87  18:37:52
    INTERPRE.DAT    7435  Crunched   3960    47%  08-02-87  18:50:22
    INTERPRE.EXE   32464  Crunched   8704    74%  08-02-87  18:41:22
            ----  ------            -----  -----
            0007   81915            38922    53%

============================================================
INTERCEPT: Usage:
============================================================

    intercept [-l] [-T tmpdir] [-s maxcalls] [-o outfile] program [args[...]]

    -l        sets long format output: explanation AND register values
    -T        sets temporary directory for intermediate file to "tmpdir"
              (will use TMP or TMPDIR environment vars. if found otherwise)
    -s        sets the maximum number of SWI records to "maxcalls"
    -o        names the output filename to "outfile" rather than the
              default name ("intercep.out")
    program   is the name of the program to monitor
    args      are any command-line arguments to be passed to the
              monitored program.

============================================================
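The short-form INTERCEP.OUT layout described above (address field, interrupt/function field, description) is regular enough to post-process. The following is an added example and is not part of the INTERCEPT package or Ned Konz's code: a small Python parser that reads the LABEL.COM listing from this document, splits the second field into interrupt number and AH (or AH plus AL when the full AX was recorded), flags "RESERVED" lines (a bare interrupt number followed by a hex register dump) as undocumented, and totals the bytes written per file handle. The record and function names are my own, and the sample input is the listing shown earlier, header lines included, so the parser has to skip them.

```python
"""Post-process short-form INTERCEP.OUT listings (added example, not part of INTERCEPT)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the INTERCEP.OUT listing for LABEL.COM reproduced from this
# document, with its two header lines so the parser must skip non-call lines.
SAMPLE_OUT = """\
INTERCEPT/INTERPRET by Ned Konz 08/02/87
dump of DOS/BIOS calls from program "label"
595A:0597 2130 Get DOS version number
595A:05BD 2119 Report current drive
595A:05CC 21 4409 0003 0000 595a 595a 595a 0100 fffe 0882
595A:05E8 211a Set DTA to 595A:0316
595A:05EF 2111 Search for first file matching FCB at 595A:0316
595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0010 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0014 bytes from 595A:07E0 to file #0002
595A:09F5 2140 Write 0008 bytes from 595A:07E0 to file #0002
595A:0714 213f Read 007F bytes from file #0000 to 595A:0081
595A:09F5 2140 Write 0002 bytes from 595A:07E0 to file #0002
595A:0778 2113 Delete file using FCB at 595A:0343
595A:078A 215b Create new file (name at 595A:0304, attr. 08)
595A:0792 213e Close file handle #0006
595A:0592 214c Terminate process (return code 00)
"""

# "SSSS:OOOO <hex interrupt[/AH[/AL]] field> <description or register dump>"
LINE_RE = re.compile(r"^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]+)\s+(.*)$")
# INTERPRET's wording for INT 21h function 40h, used to total output per handle
WRITE_RE = re.compile(r"^Write ([0-9A-Fa-f]+) bytes from \S+ to file #([0-9A-Fa-f]+)")
HEX_WORD_RE = re.compile(r"^[0-9A-Fa-f]{4}$")


@dataclass
class Call:
    segment: int
    offset: int
    interrupt: int
    ah: Optional[int]          # None when the field was a bare interrupt number
    al: Optional[int]          # set only when the field carried the full AX
    description: str
    documented: bool           # False for "RESERVED" lines INTERPRET had no text for
    raw_registers: List[int] = field(default_factory=list)  # hex words from such a line

    @property
    def address(self) -> str:
        return f"{self.segment:04X}:{self.offset:04X}"


def parse_call(line: str) -> Optional[Call]:
    """Parse one short-form line; return None for header or blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seg, off, code, rest = m.groups()
    interrupt = int(code[:2], 16)
    ah = int(code[2:4], 16) if len(code) >= 4 else None
    al = int(code[4:6], 16) if len(code) >= 6 else None
    words = rest.split()
    # An undocumented call shows the bare interrupt number and, in place of an
    # explanation, the raw hex register words that INTERPRET could not interpret.
    undocumented = ah is None and bool(words) and all(HEX_WORD_RE.match(w) for w in words)
    return Call(
        segment=int(seg, 16),
        offset=int(off, 16),
        interrupt=interrupt,
        ah=ah,
        al=al,
        description="" if undocumented else rest,
        documented=not undocumented,
        raw_registers=[int(w, 16) for w in words] if undocumented else [],
    )


def parse_log(text: str) -> List[Call]:
    """Parse a whole INTERCEP.OUT file, dropping lines that are not calls."""
    return [c for c in (parse_call(ln) for ln in text.splitlines()) if c is not None]


def summarize(calls: List[Call]) -> Dict[str, object]:
    """Count calls per (interrupt, AH), total bytes written per handle, list undocumented calls."""
    by_function: Counter = Counter()
    bytes_written: Dict[int, int] = {}
    undocumented: List[str] = []
    for c in calls:
        by_function[(c.interrupt, c.ah)] += 1
        if not c.documented:
            undocumented.append(c.address)
        m = WRITE_RE.match(c.description)
        if m:
            nbytes, handle = int(m.group(1), 16), int(m.group(2), 16)
            bytes_written[handle] = bytes_written.get(handle, 0) + nbytes
    return {"by_function": by_function, "bytes_written": bytes_written, "undocumented": undocumented}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_OUT))
    for (intr, ah), n in sorted(summary["by_function"].items(),
                                key=lambda kv: (kv[0][0], -1 if kv[0][1] is None else kv[0][1])):
        label = f"INT {intr:02X}h" + (f" AH={ah:02X}h" if ah is not None else " (undocumented)")
        print(f"{label:22} {n:3} call(s)")
    for handle, total in sorted(summary["bytes_written"].items()):
        print(f"handle #{handle:04X}: {total} bytes written")
    print("undocumented calls at:", ", ".join(summary["undocumented"]))
```

Running it on the listing shows six INT 21h/40h writes totalling 56h bytes to handle 2 (the LABEL prompt text) and a single undocumented call at 595A:05CC; the same loop applied to a real INTERCEP.OUT lets you spot at a glance which functions a program leans on and where it strays into the RESERVED ones.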