 How to get the Windoze directory from a dos virus
 ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ>
                                                                 Reptile/29A

 Sumtimes you need to get the windoze directory from a dos virus, for examp-
 le in a VxD dropper or sum weird (multiplatform) virus :) or you just need
 it for other purposes but you can't use APIs. Anyways this can be done very
 easily. Just take a l00k at msdos.sys:

 ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
 [Paths]
 UninstallDir=C:\
 WinDir=C:\WINDOWS <--- :P
 WinBootDir=C:\WINDOWS
 HostWinBootDrv=C

 [Options]
 BootGUI=1
 Network=1
 Logo=0
 ;
 ;The following lines are required for compatibility with other programs.
 ;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
 ;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
 ;xxx...
 ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ

 To make it even easier... here's sum code of a never finished virus :P

 ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
 ;get the windoze directory
 mov ax,4300h    ;get attributes
 lea dx,[bp + offset msdossys]
 int 21h
 push cx ;save 'em for l8r

 mov ax,4301h    ;remove attributes
 xor cx,cx
 lea dx,[bp + offset msdossys]
 int 21h

 mov ax,3d02h    ;open 'c:\msdos.sys'
 lea dx,[bp + offset msdossys]
 int 21h
 xchg ax,bx
 jc exit

 mov ah,3fh
 mov cx,255  ;better to read t00 much than not enuff :P
 lea dx,[bp + offset rbuf]
 int 21h

 push ds
 pop es
 
 lea si,[bp + offset rbuf]
 lea di,[bp + offset sdir]
 find:
 lodsb
 cmp al,'W'  ;'W'inDir=C:\WINDOZE
 jne l00p
 lodsd
 cmp eax,'iDni'  ;W'inDi'r=C:\WINDOZE
 jne l00p
 lodsw
 st0re:
 lodsb
 cmp al,0dh  ;end?
 je d0ne
 stosb
 jmp st0re
 l00p:
 loop find
 d0ne:
 
 mov word ptr [bp + wdir],di ;save windoze path

 ;NOTE: dont forget to add a zero on the end before using wdir :P
 
 mov ah,3eh  ;close 'c:\msdos.sys'
 int 21h

 mov ax,4301h    ;restore attributes
 pop cx
 lea dx,[bp + offset msdossys]
 int 21h
 ;--------------------------------------------------------------------------
 msdossys db 'c:\msdos.sys',0
 
 rbuf db ?
 sdir db ?
 wdir db ?
 ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ

 There are also some other variables in msdos.sys that might be interesting:

 [Paths]
 HostWinBootDrv=  The letter of the drive which windoze is installed on
 WinBootDir=      The directory that contains the windoze start-up files
 WinDir=          The windoze 'home' directory (windoze uses WinDir= to set
                  the default values for environment variables like TMP, TE-
                  MP, COMSPEC)

 [Options]        (You can choose between 1=enabled 0=disabled)
 BootKeys=        Allow the use of boot-option function keys while the 'st-
                  arting windoze' message?
 BootDelay=       The setting: how long the 'starting windoze' message will
                  be visible
 BootMenu=        Display the start-up menu every time?
 BootMenuDefault= Which item of the menu will be selected if there's no
                  choice?
 BootMenuDelay=   Time to choose the item
 BootGUI=         Start the graphical windoze interface?
 Logo=            Display the animated windoze logo?
 BootWin=         Tell the bootstrap loader to start windoze?
 BootMulti=       Options
 BootSafe=        Start system in 'Safe Mode'?
 BootWarn=        Displays sum warning stuff
 DblSpace=        Load disk compression driver?
 DrvSpace=        ''
 DoubleBuffer=    Load the 32-bit double-buffering device driver for SCSI?
 LoadTop=         Load command.com and disk compression drivers on the top
                  of conventional RAM?
 Network=         Add the safe mode with networking to the start-up? If it's
                  disabled on a networked pc, the pc can't access the netwo-
                  rk unless the system is started in normal mode
 DisableLog=      Undocumented: disable sum loggin'
 SystemReg=       Undocumented: sumthing with the registry (?) :P

 Oh...and don't forget to change the windoze logo which is saved as logo.sys
 (in bmp format) in the root directory of the drive where windoze is.

 Alternative ways of getting the windoze directory
 ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
 Since the page where the Interrupt Descriptor Table (IDT) is stored in
 windoze 9x is not protected you can add a new gate and then do an exception
 to transfer to a ring0 selector. Once you are in ring0 you can use this to
 get the path of windoze:

 push 256    ;allocate memory
 VxDCall IFSMgr_GetHeap
 add esp,4
 mov [wdir],eax

 ;get the path of vmm32.vxd
 VMMCall Get_Exec_Path  ;edx = path / ecx = count of chars
 mov esi,edx ;c:\windoze\system\
 mov edi,[wdir]    ;store it here    
 sub ecx,8  ;count of chars - \system\
 rep movsb

 wdir dd 0

 ...or you could try to scan kernel32 and then use GetProcAdress/GetModule-
 Handle or try to use the dos stub of regedit.exe to access the registry.
 
 see yah in hell,
 -Reptile/29A-