you can hook other interrupts, and periodically check your timer interrupt is still hooked.

I would hook int 0x21, its something that everything is going to use more or less. I would do something like recording the last tick of your timer interrupt, and when int0x21 is called, test the current timer to see time elapsed, if its too much, you know your timer isnt firing and can possible re-hook.

i know when i wrote dos games i would hook timer+keyboard and not chain back.

you will probably have same problems with protected mode stuff not chaining back, or only chaining when they switch from pmode to rmode or something sometimes. (depending how they reflect ints and do vm86 mode).

Have a look at the /STEALTH option of PCXDUMP...

You can use IRQ from the RTC, it should not be touched by anything.

EDIT: That stealth way is excellent ~

That's indeed a neat trick. However, it does make one wonder if any game developers ever used that same trick themselves, since that would render the stealth solution useless as well in those games.

Thanks for the info here - I've been looking into STEALTH mode, and that is definitely something I need to migrate to, although couldn't get it quite working on a first try.

Another question I have had in this area is: is it possible to hook the INT 10h, AH = 00h call "Set Video Mode", and execute some code *after* running the original BIOS code?

I think I can easily hook into INT 10h, AH = 00h and run something before running the original INT 10h vector.. but when I chain to the original vector, it won't return back, so I don't have an obvious way to run code afterwards.

What I would like to do is reprogram some VGA adapter registers after each video mode change, so run some code once after each occurrence of INT 10h, AH = 00h in a game.. but not quite sure if that might be feasible?

You would need to set up the stack appropriately (with a return address, segment and flags) so that the original vector's IRET ends up "returning" to your code.

jmarsh wrote on 2025-03-18, 12:06:

You would need to set up the stack appropriately (with a return address, segment and flags) so that the original vector's IRET ends up "returning" to your code.

I think you might do it a bit simpler than that - just save the original return address, and patch it to point
at your code - then jump to the IRQ handler, when it "returns" to you - do your stuff then jump back to the
actual return address

Then how do you return from your handler? The old handler will have already popped off the needed data so you can't use IRET... You can't return via a branch instead because you need to restore flags and the original segment atomically.

jmarsh wrote on 2025-03-18, 12:37:

Then how do you return from your handler? The old handler will have already popped off the needed data so you can't use IRET... You can't return via a branch instead because you need to restore flags and the original segment atomically.

My idea was a bit overly simplified - when the handler returns to you, it will have restores the flags etc.
You would save them (and any other registers you need) do you stuff, restore and inter-segment jump
back to the original caller - prob easiest way to do that would be to save original-return/flags/registers
to a "fake" IRET stack and just IRET at the end of your code.

I still think it would be better than making the fake stack at the beginning - that would need twice as
much stack space, and you would have to copy all entries for registers you don't actually use.

If you have an unused int vector available that you can point at your code - you could prob make it all
dead easy - patch original stack to point to you, launch original handler, back to you, "Special" INT, patch
stack to point to original caller - do "stuff", IRET - I've prob. missed some details - it has been years since
I've done such low level/tricky x86 code...

trap int 0x10, saving original address

when new int 0x10 comes in, calls your code, cmp ah=0, if so, you do pushf/call d[old_address], which is what the old int10 needs to return, you then do your stuff.