MEMORY 4.3  
Claudio Capiluppi
University of Padova - ITALY
caps@hal.stat.unipd.it


Memory is a resident RAM explorer for DOS environment, which allows to
understand interactively what a host process is doing and how it works, by
means of several analysis functions.

Major features:
[1] interactive exploration of processes loaded in RAM. Memory can
interrupt a host program and pop-up on several events: a) when an hot-keys
combination is pressed on int 09h and int 08h, b) according to several soft
interrupt trapping strategies (see below), c) before an instruction, when
in debug mode;
[2] advanced trapping strategies of BIOS interrupt 13h and DOS service
dispatchers (int 21h, 25h, 26h), able to identify sigle DOS subservices,
and to isolate BIOS calls from host programs;
[3] on-line 8086 disassembler (and some 286 instructions), with basic
debugging capabilities;
[4] visual compare of RAM changes at different times, with advanced search
features: a) find next difference and b) find a specified byte in the
subset of changed bytes;
[5] capability to handle processes in graphic modes! (EGA, VGA and most
SVGA), restoring also the bitplane used for characters table in VGAs;
[6] direct search of a string of bytes in 8086-addressable RAM;
[7] view and edit of RAM in different formats, with keys to go to relevant
addresses of the host process (CS:IP, DS:DX, etc.);
[8] linked map of processes, MCB, and interrupt vectors.

Special requirements: 286+

Changes: M version 4.3 is the result of five years of development of my
Memory project, and it is highly reliable, compatible with DOS 3.xx-6.xx
and with all the TSR programs I have seen.

Short History:
Version 1 (1989): TSR RAM viewer activating on interrupt 0x09, RAM editing,
string searching function, in pure TC 1.5 compact model.
Version 2 (1990): keep interrupt 0x08 to pop-up, trapping strategy to spy
BIOS 0x13 and DOS 0x25 and 0x26, graphics process handing (CGA and EGA),
break and uninstall functions.
Version 3 (1991): selective trapping of DOS 0x21 (sub)services, RAM compare
function, graphics process full handling (VGA), code size optimization (see
technology section).
Version 4 (1992): 8086 disassembler and debug experimental features, 286
instructions
Version 4.3 (1995): full compatibility with DOS 6.xx, Ncache2 and other TSR
using Smartdrv operating mode, detect Pentium CPU.

Technology: M is written in C and Assembly, using Borland TC 1.5 to get a
very compact and clean code. Startup was rewritten to reduce memory
allocation of resident module. Mixed memory models are used to minimize the
size of the code. Interrupt handlers entry/exit code is written in Assembly
to get best control and to optimize the code. Search function is written in
mixed C and inline ASM instruction to optimize the speed of the search.
Code is compiled for 286.

Limitations: M is not for Windows. M can handle Windows only in Standard
mode. You should not load M before WIN and then to activate M during a
Windows session in Enhanced 386 mode (or a Windows 3.11 session), because
this will lock the system. You can load M inside a DOS window.

Developments:
I am working to support full linear addressing of phisical RAM, and to
handle processes in protected mode, such as Windows 3.11. I would like to
integrate in the new version 5 of Memory a 486 disassembler. If one would
share his outcomes with me, I would like to collaborate with him to produce
together a great analysis tool.

Philosophy:
Memory was born to explore the core of the computer to discover the secrets
of every program. Watching RAM directly is useful to understand a lot about
the computer.
In RAM you can surprise the most protected binary codes while running, in
their plan format. You have only to find the right moment.
To do this, M greatly helps you by means of its trapping strategies, which
allow to go on for significative steps. The on-line code view of M allows
to get the maximum analysis detail, but only when the interesting part of
code was isolated.
Comparing RAM before and after an event, you can isolate the variables in a
program which are changed, identifying their locations!! Then you can
modify directly the values of such variables in RAM, to modify the running
of the host program.
When you have realized what and how a host program works, you can modify
the behavior of the binary code either by modifying its instructions or by
modifying its data, that is modifying the variables which control its work.
M allows both the ways, in fact it allows you to edit directly bytes of
RAM, without limitations. The control is your. You can easily cause a
system lock: no limits to your trials.

If you like this philosophy, which produced Memory, I would be very happy
to know you and to speak of our lives on this world.

Claudio Capiluppi
University of Padova - ITALY
caps@hal.stat.unipd.it

---------------------------------------------------------------------------
---------------------------------------------------------------------------

SHORT REFERENCE of MEMORY FUNCTIONS

Functions are all accessible through function keys, which are depending
form the MENU/SUBMENU context. No on-line help available: a in a TSR, the
code is used only to do and not to tell.

MAIN MENU

Function keys:

[ESC] return to halted process
[F1] edit RAM in the current format
[F2] goto specified 8086 segmented address
[F3] dump a RAM range in a file
[F4] show the host program frozen screen
[F5] configure the trapping strategy -> see TRAP MENU
[F6] show table of interrupts handlers related to MCB process map
[F7] search a string in RAM
[F8] MCB map of processes with hooked vectors
[F9] set up RAM compare function -> see COMP MENU
[F10] reports technical information about system and host process
[CTRL-F1] uninstall M from RAM
[CTRL-F2] show floppy disk table
[CTRL-F3] load a file into RAM range
[CTRL-F4]
[CTRL-F5] save first 64 vectors in buffer
[CTRL-F6] restore first 64 vectors from buffer
[CTRL-F7] halt first HD (primary master)
[CTRL-F8]
[CTRL-F9]
[CTRL-F10] break the host program, like a DOS 0x4C function
[o] compare RAM with a previously dumped file -> see COMP MENU
[u] code view with basic debug capabilities -> see CODE MENU
[h] hexadecimal view format
[l] large view format
[ALT-C] goto CS:IP of host process
[ALT-D] goto DS:DX of host process
[ALT-S] goto SS:SP of host process
[ALT-E] goto ES:BX of host process
[CTRL-C] goto CS:IP of last DOS call 0x21
[CTRL-D] goto DS:DX of last DOS call 0x21
[CTRL-S] goto SS:SP of last DOS call 0x21
[CTRL-E] goto ES:BX of last DOS call 0x21
[home] goto offset 0000h
[arrows] move offset within current segment
[+] move address of a page forward
[-] move address of a page backward
[0]-[F] goto segment 0-F

---------------------------------------------------------------------------
TRAP MENU
This function shows two table of options to configure the trapping
strategy: the vector table and the DOS 0x21 services table.
KEEP means to keep the software interrupt and to intercept the calls,
TRAP means to show the calls, halting the calling process,
ALL (when applicable) means to show all the calls; by default, in fact, M
shows only an intelligent selection of trapped calls, and in particular:
the table selected DOS 0x21 services, and the BIOS 0x13 calls which are not
coming from DOS, that is the ones coming from the host process.
M can keep safely the following interrupt: 0x13, 0x21, 0x25, 0x26. The last
item in the vector table is an experimental feature which allows to
intercept a user selectable interrupt. You should be very cautious if you
will try to use it, because the underlying M handler is suitable only to
handle software interrupts with a standard calling convention.

Function keys active in this menu are:

[arrows] move among option fields
[+] (gray +) turn the option to on
[-] (gray -) turn the option to off
[F1] move to DOS 0x21 services table: [ESC] or [ENTER] exit from this table
[ENTER] confirm changes and return to MAIN MENU
[ESC] leave changes and return to MAIN MENU

---------------------------------------------------------------------------
COMP MENU
To find changes in RAM you have to dump a RAM range into a file by the [F3]
dump function of the MAIN MENU. Then, you can compare the saved range to
the current RAM range by the [o] key or [F9] key. The COMP function is
aimed to isolate the differences between the two situations: you get a
visual effective compare of changed bytes. Red are changed byes, green are
changed bytes matching the search byte (see [F7]).

Function keys available:

[F1] return to MAIN menu adjusting the segmented address to show the RAM
showed by the COMP function
[F5] search the next difference
[F7] specify a byte to search among the changed bytes: all matching bytes
will show in green color
[F8] hexadecimal view
[ESC] and [o] exit to MAIN MENU

---------------------------------------------------------------------------
CODE MENU
The CODE function show the current RAM address as code. M disassembles only
8086, and some 286, instructions. Only two basic debugging features are
supported: step to step turning on the trap flag, and break point (INT 3).

Function keys:

[up] analyze code backward
[down] show following code
[left],[right] syncronize M decoder shifting left/right the start offset
[home] goto CS:IP of the halted process
[F1]
[F2]-[F10] same as MAIN MENU
[CTRL-F1]
[CTRL-F5] set an INT 3 at the specified address (experimental feature):
only one break point is allowed in release 4.3.
[CTRL-F9] step using TRAP FLAG
[CTRL-F10] step using INT 3


---------------------------------------------------------------------------
---------------------------------------------------------------------------

MEMORY 4.3 is SHAREWARE, for non commercial use.

Author: Claudio Capiluppi
        University of Padova - ITALY
        caps@hal.stat.unipd.it

