source: trunk/AIR-BOOT/SOURCE/SPECIAL/VIRUS.ASM@ 10

; Disclaimer:
;=============
; The sourcecode is released via www.netlabs.org CVS *ONLY*.
;  You MUST NOT upload it to other servers nor republish it in any way.
;  The sourcecode is still COPYRIGHTED and NOT YET RELEASED UNDER GPL.
;  It's (c) Copyright 1998-2002 by Martin Kiewitz.
;  You may recompile the source and do *PRIVATE* modifications, but please keep
;  in mind that modifying this code needs at least *some* assembly skill. If
;  you mess up your system, because you needed to hack your way through, don't
;  blame me. Releasing a customized version of AiR-BOOT, selling it in any form
;  or reusing parts of this source is *PROHIBITED*. Ask me, if you have some
;  idea about new functionality *before* developing the code, otherwise I will
;  definitely reject it. Also please accept, that I have some basic design
;  rules on AiR-BOOT and I will maintain them at all costs, so this won't get
;  another GRUB.

;---------------------------------------------------------------------------
;                                                AiR-BOOT / VIRUS DETECTION
;---------------------------------------------------------------------------

; Checks system for stealth-virus...if any is found, MBR will get restored and
; system will get halted. On Non-Real-Mode this will only save Interrupt Vectors.
; Segment Registers preserved
VIRUS_CheckForStealth      Proc Near  Uses ds si es di
   xor     al, al
   mov     cx, 4
   mov     di, offset CFG_VIR_INT08
   push    di
      rep     scasb
   pop     di
   jne     VCFS_AlreadyInitiated

  VCFS_InitNow:
   xor     ax, ax
   mov     ds, ax
   mov     ax, cs
   mov     es, ax
   mov     cx, 2
   mov     si, 08h*4
   rep     movsw                         ; INT 08 Ptr
   mov     cl, 2
   mov     si, 13h*4
   rep     movsw                         ; INT 13 Ptr
   mov     cl, 2
   mov     si, 1Ch*4
   rep     movsw                         ; INT 1C Ptr
   IFDEF ReleaseCode
      call    DriveIO_SaveConfiguration
   ENDIF
   jmp     VCFS_Finished

  VCFS_AlreadyInitiated:
   xor     ax, ax
   mov     es, ax
   xor     si, si
   mov     ax, word ptr es:[si+08h*4]
   mov     dx, word ptr es:[si+08h*4+2]
   cmp     ax, word ptr ds:[di+0]
   jne     VCFS_Found
   cmp     dx, word ptr ds:[di+2]
   jne     VCFS_Found
   mov     ax, word ptr es:[si+13h*4]
   mov     dx, word ptr es:[si+13h*4+2]
   cmp     ax, word ptr ds:[di+4]
   jne     VCFS_Found
   cmp     dx, word ptr ds:[di+6]
   jne     VCFS_Found
   mov     ax, word ptr es:[si+1Ch*4]
   mov     dx, word ptr es:[si+1Ch*4+2]
   cmp     ax, word ptr ds:[di+8]
   jne     VCFS_Found
   cmp     dx, word ptr ds:[di+10]
   jne     VCFS_Found

  VCFS_Finished:
   ret

  VCFS_Found:
   ; New ROM-Proof Logic:
   ;  Mismatching vector found, so try to write to that location. If it doesn't
   ;  succeed, ROM will be assumed (so valid change), a message will get
   ;  displayed and new vectors will be saved. Otherwise Virus found.
   mov     es, dx
   mov     bx, ax
   mov     al, bptr es:[bx]              ; Get Byte from Interrupt Vector
   mov     ah, al
   xor     al, 0FFh
   mov     bptr es:[bx], al              ; Try to write there...
   mov     al, bptr es:[bx]              ; Get back...
   mov     bptr es:[bx], ah              ; And restore to original byte...
   cmp     al, ah
   jne     VCFS_WhewThisIsOne            ; Mismatch ? -> Virus found
   mov     si, offset TXT_BIOSchanged
   call    MBR_Teletype
   xor     ah, ah
   int     16h                           ; Waits for any keystroke
   jmp     VCFS_InitNow
  VCFS_WhewThisIsOne:
   mov     si, offset TXT_VirusFoundMain
   call    MBR_Teletype
   ; Now check BackUp MBR for validation (AiRBOOT signature), do this
   ; using direct-calls to original bios handler.
   call    ANTIVIR_RestoreMBR
   jnc     VCFS_ValidRestore
   mov     si, offset TXT_VirusFound1damn
   call    MBR_Teletype
   call    MBR_Teletype                  ; VirusFound1any
   mov     si, offset TXT_VirusFoundEnd
   call    MBR_Teletype
   jmp     MBR_HaltSystem

  VCFS_ValidRestore:
   mov     si, offset TXT_VirusFound1ok
   call    MBR_Teletype
   mov     si, offset TXT_VirusFound1any
   call    MBR_Teletype
   mov     si, offset TXT_VirusFoundEnd
   call    MBR_Teletype
   jmp     MBR_HaltSystem
VIRUS_CheckForStealth           EndP

; Checks system for normal-MBR-virus... (done by comparing current MBR with
; memory image). Note: We will only compare the first 446 bytes.
; if one is found, MBR will get restored and system will get halted.
; Segment Registers preserved
VIRUS_CheckForVirus             Proc Near  Uses ds si es di
   push    cs cs
   pop     ds es
   mov     bx, offset TmpSector
   mov     dx, 0080h
   mov     cx, 0001h  ; Harddisc 0, Sector 1
   mov     ax, 0201h
   int     13h
   jnc     VCFV_MBRloaded
   ret
 VCFV_MBRloaded:
   mov     si, BootBasePtr
   mov     di, offset TmpSector
   mov     cx, 223                       ; Compare 446 bytes
   repz    cmpsw                         ; if fail: Cross call to Stealth-Virus
   jne     VCFS_WhewThisIsOne
   ret
VIRUS_CheckForVirus             EndP

; ============================================================================
;      ANTI-VIRUS-CODE
; ============================================================================

; Saves a backup of the current MBR to harddisc (used before booting)
ANTIVIR_SaveBackUpMBR           Proc Near  Uses ax bx cx dx es
   push    cs
   pop     es
   mov     bx, BootBasePtr
   mov     dx, 0080h
   mov     cx, 003Ch                     ; First Harddrive, Sector 60
   mov     ax, 0301h                     ; Write 1 Sector
   int     13h
   ret
ANTIVIR_SaveBackUpMBR           EndP

; Will report Carry-Clear, if BackUp MBR is valid (supposingly)
ANTIVIR_CheckBackUpMBR          Proc Near  Uses
   push    cs cs
   pop     es ds
   mov     bx, offset TmpSector
   mov     dx, 0080h
   mov     cx, 003Ch                     ; Harddisc 0, Sector 60
   mov     ax, 0201h                     ; Load 1 Sector
   pushf
   call    dword ptr cs:[CFG_VIR_INT13]  ; Get Sector 60 directly (w/o INT 13h)
   jc      ACBUMBR_Failed
   mov     cx, 7
   mov     di, offset TmpSector
   inc     di                            ; Position for "AiRBOOT" normally
   mov     si, offset CheckID_MBR
   repz    cmpsb
   stc
   jne     ACBUMBR_Failed
   clc
  ACBUMBR_Failed:
   ret
ANTIVIR_CheckBackUpMBR          EndP

ANTIVIR_RestoreMBR              Proc Near  Uses
   call    ANTIVIR_CheckBackUpMBR
   jnc     ARMBR_DoIt
   ret
  ARMBR_DoIt:
   mov     bx, offset TmpSector
   mov     dx, 0080h
   mov     cx, 0001h                     ; Harddisc 0, Sector 1
   mov     ax, 0301h                     ; Write 1 Sector
   pushf
   call    dword ptr cs:[CFG_VIR_INT13]  ; Writes to Sector 1 directly
   ret
ANTIVIR_RestoreMBR              EndP