by mmastrac 485 days ago
Here's the code from DOS 3.3. I am reasonably sure they didn't intend to overwrite code -- you're probably just seeing a weird artifact where the failure case is leaving a dangling random value that happens to point into valid code.

My guess is that DS isn't being maintained across the failing call to the IOCTL and ends up pointing to the wrong segment.

  DOSOutFH    DW ?                    ; fh of DOS destination

  DumpMem:
    MOV    DX,OFFSET DG:BUF+512       ; get offset of bios start
    MOV    CX,pDOS                    ; beginning of next guy
    SUB    CX,DX                      ; difference is length
    JZ     DumpDos                    ; no bios to move
    MOV    BX,BIOSOutFH               ; where to output
    MOV    AH,Write
    INT    21h                        ; wham
    retc                              ; error
    CMP    AX,CX                      ; Did it work?
    JNZ    WRERR                      ; No
  DumpDos:
    MOV    DX,pDOS                    ; beginning of dos
    MOV    CX,pDOSEnd                 ; end of dos
    SUB    CX,DX                      ; difference is length
    retz                              ; if zero no write
    MOV    BX,DOSOutFH                ; where to output
    MOV    AH,Write
    INT    21h                        ; wham
    retc                              ; error
    CMP    AX,CX                      ; Did it work?
    retz                              ; Yes, carry clear

Where is that published? I was using Github for references on DOS 4 as 3.3 isn't there yet.

(Thanks in advance!)

https://github.com/AR1972/DOS3.3/blob/master/SRC/CMD/SYS/SYS...

Send me a note via email -- I might have some more pointers for you