PART III
THE ULTIMATE VIRUS KILLER BOOK APPENDICES
B - ATARI TOS COMPUTER SYSTEM VARIABLES
In your computer's memory space between $400 and approximately
$500 (both addresses hexadecimal), the so-called system variables
are located. These mostly consist of memory addresses through
which the Operating System jumps when it has to perform specific
tasks.

In this appendix, the system variables that are in some way
related to viruses will be explained. All addresses are in
hexadecimal notation, followed by their length (.L means
longword, i.e. 4 bytes; .W means word, i.e. 2 bytes).

ADDRESS  NAME         FUNCTION
-----------------------------------------------------------------
$404.L   etv_critic   The Critical Error Handler. At the address
                      contained in this variable a routine is
                      located that tries to correct disk errors.
                      When you have one floppy drive, for
                      example, the alert box to insert disk B:
                      in drive A: will be put on the screen
                      using this routine.

$426.L   resvalid     Should this address contain the magic
                      longword value of $31415926, the system
                      will jump through the address contained in
                      system variable 'resvector', mentioned
                      below, when a warm reset is executed.

$42A.L   resvector    This contains the address that is jumped
                      to when a warm reset is executed - but
                      only if $426 is valid (i.e. contains
                      $31415926).

$42E.L   phystop      Here you will find the physical top of
                      memory, the physical end of RAM.
                      With 1 meg machines, this is $100000 (half
                      meg $80000, 2 meg $200000, etc.). Viruses
                      often use this to determine a safe place
                      to store themselves. Sometimes they
                      change this address so that it points to a
                      RAM top lower than the real one. The area
                      above that fake top of RAM and below the
                      real one can then be safe for viruses to
                      hide in.

$446.L   bootdev      Contains the device number of the drive
                      from which the system was booted. This is
                      usually 0 (i.e. drive A), but when you
                      have a hard disk this is usually 2 (i.e.
                      drive C).

$44E.L   _v_bas_ad    The address of the logical Video RAM
                      Screen Base is located here. In English:
                      This is the start of screen memory, the
                      bit of memory in your computer from which
                      the video chip sends the image to your
                      monitor. Viruses often determine this to
                      find a safe spot for storing themselves,
                      because 32768 bytes are reserved for
                      screen memory while the screen only
                      'needs' 32000. So the address in $44E plus
                      32000 is a space of 768 safe bytes for
                      viruses to store themselves in.
                      The above only applies to ST resolutions.
                      TT and Falcon screen resolutions can use
                      up vast amounts of RAM which makes quite a
                      difference. Viruses for TT/Falcon don't
                      use this method.

$454.W   nvbls        The number of vertical blank routine
                      addresses located at the address in
                      _vblqueue (see below).

$456.L   _vblqueue    At this address you will find the address
                      of a list of routines executed at each
                      vertical blank (vbl). One vertical blank
                      happens each time your monitor's screen is
                      built up anew, i.e. 50 or 60 times per
                      second in colour mode (depending on
                      whether you're running in 50 or 60 Hz) and
                      71 times in monochrome mode. On the Falcon
                      these frequencies can vary more widely.
                      The mouse is handled from one of these vbl
                      routines, for example.

$472.L   hdv_bpb      The vector that is most often bent by
                      bootsector viruses. At each disk swap, the
                      Operating System needs to determine where
                      it can find directory, FAT, etc. of a
                      disk. This is done by reading the BIOS
                      Parameter Block from a bootsector, which
                      happens at the first disk access after a
                      disk swap. The routine that does this is
                      located at the address contained in this
                      system variable.

$476.L   hdv_rw       This variable contains the address of the
                      Operating System routine for reading or
                      writing a sector from/to a floppy or hard
                      disk (this routine is called rwabs - see
                      appendix C).

$47E.L   hdv_mediach  At the address contained in this variable
                      you will find the routine that handles
                      Media Change (a routine called 'Mediach' -
                      see appendix C).

$4BA.L   _hz_200      Counter for the 200 Hz system frequency.
                      Apart from the interrupt that happens at
                      every vbl, there's also an interrupt that
                      happens 200 times per second, regardless
                      of the resolution you're in. This counter
                      is increased 200 times per second and is
                      located at this longword address. Many
                      viruses need random values to determine
                      which (of several) destruction routines to
                      execute, or to determine which random
                      sector on disk needs to be read and
                      corrupted. Often they use this system
                      variable, logically 'AND' it with a
                      specific value and get sort of a random
                      number. Usually only the least significant
                      word is taken.

$4C6.L   _dskbufp     Disk Buffer Pointer, an address at which a
                      1024 byte disk buffer can be found. This
                      is where sectors reside before they get
                      written/read to/from disk. After booting,
                      the bootsector is located here. Many
                      viruses put themselves at $600 bytes (hex)
                      above this address, which seems a rather
                      safe spot (though only on TOS versions
                      1.0x).
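
The checks a virus killer can derive from this table, as an added
example (not code from the book): a Python audit of a RAM image that
starts at address $0, such as one saved from an emulator. The helper
names, the sample image and the ROM addresses in it are constructed,
and the vector check assumes TOS runs from ROM, so a hard disk driver
that installs its own routines will be reported as well.

```python
import struct

# Addresses from the table above; the 68000 stores longwords big-endian.
SYSVARS = {"resvalid": 0x426, "resvector": 0x42A, "phystop": 0x42E,
           "_v_bas_ad": 0x44E, "hdv_bpb": 0x472, "hdv_rw": 0x476,
           "hdv_mediach": 0x47E}
RESVALID_MAGIC = 0x31415926
VISIBLE, RESERVED = 32000, 32768      # ST screen: bytes shown vs. bytes reserved


def read_sysvars(ram):
    """Decode the longword system variables from a RAM image that starts at $0."""
    return {name: struct.unpack_from(">L", ram, addr)[0]
            for name, addr in SYSVARS.items()}


def audit(ram):
    """Return review findings; assumes len(ram) is the machine's real RAM size."""
    v, found = read_sysvars(ram), []
    if v["resvalid"] == RESVALID_MAGIC:
        found.append(f"resvalid set: ${v['resvector']:X} runs on warm reset")
    if v["phystop"] < len(ram):
        found.append(f"phystop ${v['phystop']:X} hides {len(ram) - v['phystop']} bytes")
    for name in ("hdv_bpb", "hdv_rw", "hdv_mediach"):
        # Assumption: TOS in ROM, so an unhooked vector points above RAM.
        if v[name] < len(ram):
            found.append(f"{name} hooked into RAM at ${v[name]:X}")
    base = v["_v_bas_ad"]
    if any(ram[base + VISIBLE:base + RESERVED]):
        found.append(f"data in screen slack at ${base + VISIBLE:X}")
    return found


def make_image(size=0x80000, **values):
    """Build a constructed half-meg RAM image with the given system variables."""
    ram = bytearray(size)
    defaults = {"phystop": size, "_v_bas_ad": size - RESERVED, "hdv_bpb": 0xFC0100,
                "hdv_rw": 0xFC0200, "hdv_mediach": 0xFC0300}   # constructed values
    for name, value in {**defaults, **values}.items():
        struct.pack_into(">L", ram, SYSVARS[name], value)
    return ram


if __name__ == "__main__":
    bad = make_image(resvalid=RESVALID_MAGIC, resvector=0x7F800,
                     phystop=0x7F800, hdv_bpb=0x7F820)
    bad[0x78000 + VISIBLE] = 0x60      # one constructed non-zero byte in the slack
    for line in audit(bad):
        print(line)
```

A finding is a reason to inspect the address it names, not proof of
infection: reset-proof utilities also set resvalid.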