Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/share/doc/syslinux-3.11/ drwxr-xr-x |
Viewing file: memdisk.doc (6.17 KB) -rw-r--r-- Select action/file-type: (+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) | $Id: memdisk.doc,v 1.18 2005/08/23 21:11:36 hpa Exp $ [This documentation is rather crufty at the moment.] MEMDISK is meant to allow booting legacy operating systems via PXE, and as a workaround for BIOSes where ISOLINUX image support doesn't work. MEMDISK simulates a disk by claiming a chunk of high memory for the disk and a (very small - 2K typical) chunk of low (DOS) memory for the driver itself, then hooking the INT 13h (disk driver) and INT 15h (memory query) BIOS interrupts. To use it, type on the SYSLINUX command line: memdisk initrd=diskimg.img ... where diskimg.img is the disk image you want to boot from. [Obviously, the memdisk binary as well as your disk image file need to be present in the boot image directory.] ... or add to your syslinux.cfg/pxelinux.cfg/isolinux.cfg something like: label dos kernel memdisk append initrd=dosboot.img Note the following: a) The disk image can be uncompressed or compressed with gzip or zip. b) If the disk image is one of the following sizes, it's assumed to be a floppy image: 368,640 bytes - 360K floppy 737,280 bytes - 720K floppy 1,222,800 bytes - 1200K floppy 1,474,560 bytes - 1440K floppy 1,720,320 bytes - 1680K floppy (common extended format) 1,763,328 bytes - 1722K floppy (common extended format) 2,949,120 bytes - 2880K floppy 3,932,160 bytes - 3840K floppy (extended format) For any other size, the image is assumed to be a hard disk image, and should typically have an MBR and a partition table. It may optionally have a DOSEMU geometry header; in which case the header is used to determine the C/H/S geometry of the disk. Otherwise, the geometry is determined by examining the partition table, so the entire image should be partitioned for proper operation (it may be divided between multiple partitions, however.) You can also specify the geometry manually with the following command line options: c=# Specify number of cylinders (max 1024[*]) h=# Specify number of heads (max 256[*]) s=# Specify number of sectors (max 63) floppy[=#] The image is a floppy image[**] harddisk[=#] The image is a hard disk image[**] # represents a decimal number. [*] MS-DOS only allows max 255 heads, and only allows 255 cylinders on floppy disks. [**] Normally MEMDISK emulates the first floppy or hard disk. This can be overridden by specifying an index, e.g. floppy=1 will simulate fd1 (B:). This may not work on all operating systems or BIOSes. c) The disk is normally writable (although, of course, there is nothing backing it up, so it only lasts until reset.) If you want, you can mimic a write-protected disk by specifying the command line option: ro Disk is readonly d) MEMDISK normally uses the BIOS "INT 15h mover" API to access high memory. This is well-behaved with extended memory managers which load later. Unfortunately it appears that the "DOS boot disk" from WinME/XP *deliberately* crash the system when this API is invoked. The following command-line options tells MEMDISK to enter protected mode directly, whenever possible: raw Use raw access to protected mode memory. bigraw Use raw access to protected mode memory, and leave the CPU in "big real" mode afterwards. Some interesting things to note: If you're using MEMDISK to boot DOS from a CD-ROM (using ISOLINUX), you might find the generic El Torito CD-ROM driver by Gary Tong and Bart Lagerweij useful: http://www.nu2.nu/eltorito/ Similarly, if you're booting DOS over the network using PXELINUX, you can use the "keeppxe" option and use the generic PXE (UNDI) NDIS network driver, which is part of the PROBOOT.EXE distribution from Intel: http://www.intel.com/support/network/adapter/1000/software.htm Additional technical information: Starting with version 2.08, MEMDISK now supports an installation check API. This works as follows: EAX = 454D08xxh ("ME") (08h = parameter query) ECX = 444Dxxxxh ("MD") EDX = 5349xxnnh ("IS") (nn = drive #) EBX = 3F4Bxxxxh ("K?") INT 13h If drive nn is a MEMDISK, the registers will contain: EAX = 4D21xxxxh ("!M") ECX = 4D45xxxxh ("EM") EDX = 4944xxxxh ("DI") EBX = 4B53xxxxh ("SK") ES:DI -> MEMDISK info structures The low parts of EAX/ECX/EDX/EBX have the normal return values for INT 13h, AH=08h, i.e. information of the disk geometry etc. See Ralf Brown's interrupt list, http://www.cs.cmu.edu/afs/cs.cmu.edu/user/ralf/pub/WWW/files.html or http://www.ctyme.com/rbrown.htm, for a detailed description. The MEMDISK info structure currently contains: [ES:DI] word Total size of structure (currently 27 bytes) [ES:DI+2] byte MEMDISK minor version [ES:DI+3] byte MEMDISK major version [ES:DI+4] dword Pointer to MEMDISK data in high memory [ES:DI+8] dword Size of MEMDISK data in 512-byte sectors [ES:DI+12] 16:16 Far pointer to command line [ES:DI+16] 16:16 Old INT 13h pointer [ES:DI+20] 16:16 Old INT 15h pointer [ES:DI+24] word Amount of DOS memory before MEMDISK loaded [ES:DI+26] byte Boot loader ID MEMDISK 3.00 and higher has the size of this structure as 27; earlier versions had size 26 and did not include the boot loader ID. In addition, the following fields are available at [ES:0]: [ES:0] word Offset of INT 13h routine (segment == ES) [ES:2] word Offset of INT 15h routine (segment == ES) The program mdiskchk.c in the sample directory is an example on how this API can be used. The following code can be used to "disable" MEMDISK. Note that it does not free the handler in DOS memory, and that running this from DOS will probably crash your machine (DOS doesn't like drives suddenly disappearing from underneath): mov eax, 454D0800h mov ecx, 444D0000h mov edx, 53490000h + drive # mov ebx, 3F4B0000h int 13h shr eax, 16 cmp ax, 4D21h jne not_memdisk shr ecx, 16 cmp cx, 4D45h jne not_memdisk shr edx, 16 cmp dx, 4944h jne not_memdisk shr ebx, 16 cmp bx, 4B53h jne not_memdisk cli mov bx,[es:0] ; INT 13h handler offset mov eax,[es:di+16] ; Old INT 13h handler mov byte [es:bx], 0EAh ; FAR JMP mov [es:bx+1], eax mov bx,[es:2] ; INT 15h handler offset mov eax,[es:di+20] ; Old INT 15h handler mov byte [es:bx], 0EAh ; FAR JMP mov [es:bx+1], eax sti |
:: Command execute :: | |
:: Shadow's tricks :D :: | |
Useful Commands
|
:: Preddy's tricks :D :: | |
Php Safe-Mode Bypass (Read Files)
|
--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0106 ]-- |