Some time back (ca. 1991-1992) I wrote a rudimentary debugger for MVS
that hooked into the Program FLIH (I used SIGP to install the hook on
each processor).  I figured I'd look at the IBM FLIH code and use it as
a template but I didn't have access to VPL and/or microfiche listings so
I just disassembled the code in an active system (once I had hacked my
storage browser to handle real storage, that is, since the Program FLIH
is invoked with a DAT off PSW).
Once I had a display of the code in storage I started reading and
decoding the instruction stream.  Less than a dozen instructions into
the process it was very obvious that I was not looking at IBM MVS code.
I had stumbled upon a fiendishly well hidden back door.

Once I was working for a software company I started finding the same
code in SVC dumps sent in by our customers.

Eventually I stopped looking for it and then I kind of forgot about it
until about a year ago when I found a new version of it in our own
system.  I started looking for it again in customer dumps and I find it
more often than not.

If you're at all curious to see if it's in your system/s you can use
IPCS (as of z/OS v1.9) to browse real storage when source is specified
as ACTIVE.  You need to have read access to BLSACTV.SYSTEM in class
FACILITY and then use the command:
        IP  L  pointer_at_location_1DC  ABS  INST

If the address at location 1DC points to a page boundary it's most
likely that the 3rd party code is installed.

Happy hunting,
Keven