Path: utzoo!attcan!uunet!peregrine!elroy!spl1!laidbak!att!pacbell!ames!mailrus!cornell!batcomputer!sun.soe.clarkson.edu!spam
From: spam@sun.soe.UUCP (Roger Gonzalez,,,)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Writing TSRs
Message-ID: <8702@spl1.UUCP>
Date: 2 Nov 88 00:29:30 GMT
References: <11499@bellcore.bellcore.com>
Sender: news@spl1.UUCP
Lines: 23

> Reference discusses the system call 0x31 and the function _dos_keep() which
> will exit the program leaving it in memory. I don't get it. If you're
> gonna exit the program, how can it do anything after the system call statement?

Very briefly, you write a piece of code that you want executed, and put
its address in the interrupt table under whatever interrupt you want to
have activate it (i.e. INT5 (I think) is the print-screen interrupt, and
there are others for various functions like hitting any keyboard key,
disk access (a favorite of virus programs) etc etc ad nauseam).
You then do the *T*erminate and *S*tay *R*esident call, which leaves your
program in memory, and returns to DOS.

When your hooked interrupt is "activated" (or whatever it's called) it
finds the address of *your* routine in the table, and executes it. Great.
Unfortunately, if you didn't save the original copy of the interrupt
(the address that it was supposed to go to before you hijacked it), DOS
will probably be unhappy with you. So you then do a long jump to the
address that you saved. By the way, there's some stuff you should do
first, like saving the flags, etc.

This is how it works in assembly; I've never done it in C, but it should
be similar.

Good luck,
-rg-
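The hook-and-chain sequence described in this post, as a portable C simulation added here for illustration (it is not part of the original post and is not DOS code). It also shows how a baseline copy of the table reveals which vector was taken over. Assumptions: the interrupt table is modeled as an array of function pointers, chaining is an ordinary call rather than a long jump with saved flags, and all names are hypothetical.

```c
#include <stdio.h>
#define NVEC 256
typedef int (*isr_t)(int);   /* simulated handler: one "register" in, one out */
static isr_t ivt[NVEC];      /* simulated interrupt vector table (constructed) */
static isr_t saved_vec;      /* original vector, saved before hooking */
static int hook_calls;       /* how many times the resident routine ran */

/* Stand-in for the handler that owned the vector before the hook. */
static int original_handler(int ax) { return ax + 1; }

/* Resident routine: do its own work, then pass control to the saved vector. */
static int resident_handler(int ax) {
    hook_calls++;
    return saved_vec ? saved_vec(ax) : ax;  /* no saved vector: original is lost */
}

/* Install: save the old table entry first, then overwrite it. */
static void install_hook(int vec) {
    saved_vec = ivt[vec];
    ivt[vec] = resident_handler;
}

/* Simulated "INT n": dispatch through whatever the table holds now. */
static int raise_int(int vec, int ax) { return ivt[vec](ax); }

/* Defender's view: diff the table against a baseline taken before install. */
static int count_changed(const isr_t *baseline, int *first) {
    int n = 0;
    for (int i = 0; i < NVEC; i++)
        if (ivt[i] != baseline[i] && n++ == 0) *first = i;
    return n;
}

/* Runs the whole sequence; returns the interrupt's result after hooking. */
int demo(int *changed, int *which) {
    isr_t baseline[NVEC];
    for (int i = 0; i < NVEC; i++) baseline[i] = ivt[i] = original_handler;
    hook_calls = 0; *which = -1;
    install_hook(0x05);                 /* vector number taken from the post */
    int result = raise_int(0x05, 41);   /* original still runs via the chain */
    *changed = count_changed(baseline, which);
    return result;
}

int main(void) {
    int changed, which, r = demo(&changed, &which);
    printf("result=%d hook_calls=%d changed=%d vector=0x%02X\n",
           r, hook_calls, changed, (unsigned)which);
    return 0;
}
```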