Last change on this file since 31 was 30, checked in by Ben Rietbroek, 15 years ago

AiR-BOOT v1.07 -- As released with eCS v2.1. [2011-05-06]
Signature-date: 2006-03-13. (incorrect)
Trunk contains buildable v1.07 version as distributed with eCS v2.1.
Directory 'tags' contains v1.06 & v1.07 reference versions
built for all languages. Note that language ID for 'Dutch' changed
from 'DT' to 'NL' in v1.07 and that the v1.06 reference version also
uses 'NL' for 'Dutch'.
Also note that helper programs like the installer and setaboot
are only modified for the OS/2 versions in v1.07.
The signature-date for v1.07 incorrectly states the same
date as for v1.06. The signature-version is correct.
Removed other binaries. (cd-rom images, old releases, etc.)
The tags serve as reference versions:

  • v1.06: rebuilt from source. (tags/v1.06r)
  • v1.07: built as released with eCS v2.1. (tags/v1.07r)
1; AiR-BOOT (c) Copyright 1998-2008 M. Kiewitz
2;
3; This file is part of AiR-BOOT
4;
5; AiR-BOOT is free software: you can redistribute it and/or modify it under
6; the terms of the GNU General Public License as published by the Free
7; Software Foundation, either version 3 of the License, or (at your option)
8; any later version.
9;
10; AiR-BOOT is distributed in the hope that it will be useful, but WITHOUT ANY
11; WARRANTY: without even the implied warranty of MERCHANTABILITY or FITNESS
12; FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
13; details.
14;
15; You should have received a copy of the GNU General Public License along with
16; AiR-BOOT. If not, see <http://www.gnu.org/licenses/>.
17;
18;---------------------------------------------------------------------------
19; AiR-BOOT / VIRUS DETECTION
20;---------------------------------------------------------------------------
21
22; Checks system for stealth-virus...if any is found, MBR will get restored and
23; system will get halted. On Non-Real-Mode this will only save Interrupt Vectors.
24; Segment Registers preserved
25
IFDEF ModuleNames
DB 'VIRUS',0                    ; module name tag embedded in the image when ModuleNames is defined
ENDIF
29
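VIRUS_CheckForStealth Proc Near Uses ds si es di
; Stealth-virus heuristic based on the real-mode interrupt vector table.
;
; First run (CFG_VIR_INT08 still all-zero): snapshot the INT 08h/13h/1Ch
;   vectors into CFG_VIR_INT08 (12 consecutive bytes: 08h at +0, 13h at +4,
;   1Ch at +8) and, in release builds, persist the configuration.
; Later runs: compare the live IVT entries with the snapshot. A changed vector
;   whose target is writable RAM is treated as a resident virus -> the backup
;   MBR is written over sector 1 and the machine is halted (never returns).
;   A changed vector whose target is read-only (ROM / write-protected shadow)
;   is treated as a BIOS change -> message, wait for a key, re-snapshot.
;
; In:       nothing. DS and ES are set to CS explicitly below; the previous
;           version read ds:[di] / es:[di] without establishing either and
;           relied on the caller entering with DS=ES=CS.
; Out:      returns only when no mismatch was found or after a re-snapshot.
; Clobbers: ax, bx, cx, dx, flags. ds/si/es/di are restored by Uses.
;
; NOTE(review): the baseline is trust-on-first-use. Whatever is hooked into
;   INT 08h/13h/1Ch when the snapshot is first taken becomes "legitimate" and
;   is never reported by this check. The RAM/ROM probe is likewise only a
;   heuristic: any legitimately RAM-resident handler (e.g. a TSR, or an option
;   ROM image copied to unprotected RAM) is indistinguishable from a virus
;   here and triggers the MBR rewrite plus halt.
    push cs
    pop ds
    push cs
    pop es                          ; scasb / cmp below address data in CS
    xor al, al
    mov cx, 4
    mov di, offset CFG_VIR_INT08
    push di
    rep scasb                       ; ZF=1 -> first 4 bytes zero -> never initialised
    pop di
    jne VCFS_AlreadyInitiated

  VCFS_InitNow:
    xor ax, ax
    mov ds, ax                      ; DS:SI -> interrupt vector table
    mov ax, cs
    mov es, ax                      ; ES:DI -> CFG_VIR_INT08 (di still points there)
    mov cx, 2
    mov si, 08h*4
    rep movsw                       ; INT 08h ptr -> +0
    mov cl, 2
    mov si, 13h*4
    rep movsw                       ; INT 13h ptr -> +4 (CFG_VIR_INT13)
    mov cl, 2
    mov si, 1Ch*4
    rep movsw                       ; INT 1Ch ptr -> +8
    IFDEF ReleaseCode
    call DriveIO_SaveConfiguration  ; persist the snapshot to disk
    ENDIF
    jmp VCFS_Finished

  VCFS_AlreadyInitiated:
    xor ax, ax
    mov es, ax                      ; ES:SI -> IVT, DS:DI -> snapshot
    xor si, si
    mov ax, word ptr es:[si+08h*4]
    mov dx, word ptr es:[si+08h*4+2]
    cmp ax, word ptr ds:[di+0]
    jne VCFS_Found
    cmp dx, word ptr ds:[di+2]
    jne VCFS_Found
    mov ax, word ptr es:[si+13h*4]
    mov dx, word ptr es:[si+13h*4+2]
    cmp ax, word ptr ds:[di+4]
    jne VCFS_Found
    cmp dx, word ptr ds:[di+6]
    jne VCFS_Found
    mov ax, word ptr es:[si+1Ch*4]
    mov dx, word ptr es:[si+1Ch*4+2]
    cmp ax, word ptr ds:[di+8]
    jne VCFS_Found
    cmp dx, word ptr ds:[di+10]
    jne VCFS_Found

  VCFS_Finished:
    ret

  VCFS_Found:
    ; ROM-proof probe. DX:AX is the live (mismatching) vector. Flip the first
    ; byte of its target, read it back, restore it. If the flip stuck the
    ; target is RAM -> virus; if it did not, the target is read-only -> assume
    ; a BIOS change.
    ; The target is a LIVE handler: INT 08h is raised by the timer regardless
    ; of what this code does, and chains to INT 1Ch. An interrupt landing
    ; between the write and the restore would execute a corrupted first byte.
    ; Keep IF clear for the probe window and restore the caller's IF after.
    mov es, dx
    mov bx, ax
    pushf
    cli
    mov al, byte ptr es:[bx]        ; original first byte of the handler
    mov ah, al
    xor al, 0FFh
    mov byte ptr es:[bx], al        ; try to write the complement...
    mov al, byte ptr es:[bx]        ; ...read back...
    mov byte ptr es:[bx], ah        ; ...and restore the original byte
    popf
    cmp al, ah
    jne VCFS_WhewThisIsOne          ; read-back differs -> RAM -> virus found
    mov si, offset TXT_BIOSchanged
    call MBR_Teletype
    xor ah, ah
    int 16h                         ; wait for any keystroke
    jmp VCFS_InitNow                ; take a fresh snapshot (di still -> CFG_VIR_INT08)
  VCFS_WhewThisIsOne:
    ; Also entered by a cross-jump from VIRUS_CheckForVirus.
    mov si, offset TXT_VirusFoundMain
    call MBR_Teletype
    ; Validate the backup MBR ("AiRBOOT" id) and write it over sector 1,
    ; both through the saved BIOS INT 13h entry rather than the live vector.
    call ANTIVIR_RestoreMBR
    jnc VCFS_ValidRestore
    mov si, offset TXT_VirusFound1damn
    call MBR_Teletype
    call MBR_Teletype               ; si now at TXT_VirusFound1any (follows in memory)
    mov si, offset TXT_VirusFoundEnd
    call MBR_Teletype
    jmp MBR_HaltSystem

  VCFS_ValidRestore:
    mov si, offset TXT_VirusFound1ok
    call MBR_Teletype
    mov si, offset TXT_VirusFound1any
    call MBR_Teletype
    mov si, offset TXT_VirusFoundEnd
    call MBR_Teletype
    jmp MBR_HaltSystem
VIRUS_CheckForStealth EndP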
127
128; Checks system for normal-MBR-virus... (done by comparing current MBR with
129; memory image). Note: We will only compare the first 446 bytes.
130; if one is found, MBR will get restored and system will get halted.
131; Segment Registers preserved
VIRUS_CheckForVirus Proc Near Uses ds si es di
; Plain (non-stealth) MBR infection check: re-read sector 1 of hard disk 0
; through INT 13h and compare its first 446 bytes (the code area in front
; of the partition table) with the image at BootBasePtr. A difference jumps
; into VIRUS_CheckForStealth's "found" path, which restores the backup MBR
; and halts. A failed read is silently ignored.
; Clobbers: ax, bx, cx, dx, flags. ds/si/es/di are restored by Uses.
; NOTE(review): the sector is read through the live (possibly hooked)
; INT 13h vector, so a stealth virus that serves a clean copy on read is
; not caught here; that case is left to VIRUS_CheckForStealth.
    mov ax, cs
    mov ds, ax
    mov es, ax                      ; DS = ES = CS for cmpsw
    mov ax, 0201h                   ; AH=02h read, AL=1 sector
    mov bx, offset TmpSector        ; ES:BX -> read buffer
    mov cx, 0001h                   ; cylinder 0, sector 1
    mov dx, 0080h                   ; head 0, first hard disk
    int 13h
    jc VCFV_Done                    ; read failed: nothing to compare
    mov si, BootBasePtr             ; DS:SI -> boot image in memory
    mov di, offset TmpSector        ; ES:DI -> sector just read
    mov cx, 446/2                   ; 223 words = 446 bytes
    repz cmpsw
    jne VCFS_WhewThisIsOne          ; mismatch: cross-jump into the stealth handler
  VCFV_Done:
    ret
VIRUS_CheckForVirus EndP
150
151; ============================================================================
152; ANTI-VIRUS-CODE
153; ============================================================================
154
155; Saves a backup of the current MBR to harddisc (used before booting)
ANTIVIR_SaveBackUpMBR Proc Near Uses ax bx cx dx es
; Write the in-memory boot image (one sector at BootBasePtr) to the backup
; slot on hard disk 0: cylinder 0, head 0, sector image_size/sector_size
; (60, or 62 for the extended build, per the original comment). Goes through
; the live INT 13h vector. The INT 13h status is not inspected here; CF as
; left by INT 13h reaches the caller unchanged (the Uses pops do not touch
; flags).
    mov ax, cs
    mov es, ax                      ; ES:BX -> boot image
    mov bx, BootBasePtr
    mov dx, 0080h                   ; DH=0 head, DL=80h first hard disk
    mov cx, image_size / sector_size  ; CH=0 cylinder, CL=backup sector number
    mov ax, 0301h                   ; AH=03h write, AL=1 sector
    int 13h
    ret
ANTIVIR_SaveBackUpMBR EndP
167
168; Will report Carry-Clear, if BackUp MBR is valid (supposingly)
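ANTIVIR_CheckBackUpMBR Proc Near Uses
; Load the backup MBR sector into TmpSector, bypassing the (possibly hooked)
; INT 13h vector by far-calling the BIOS entry recorded in CFG_VIR_INT13 by
; VIRUS_CheckForStealth (pushf + far call mimics the INT instruction; the
; handler's IRET pops the flags again).
; Out:  CF=0 -> TmpSector holds a sector carrying the CheckID_MBR id at +2.
;       CF=1 -> saved vector unusable, read failed, or id missing.
; Side effects: leaves DS=ES=CS (no Uses); ANTIVIR_RestoreMBR follows this.
; Clobbers: ax, bx, cx, dx, si, di, ds, es, flags.
; NOTE(review): "valid" means only that 7 bytes at offset 2 match
; CheckID_MBR. Nothing else in the sector is checked, so anything that
; overwrote the backup slot while keeping the id string would later be
; written over sector 1 as-is.
    push cs cs
    pop es ds
    ; Guard: if the vector snapshot was never taken, CFG_VIR_INT13 is still
    ; 0000:0000 and the far call below would transfer to 0:0. Fail instead.
    mov ax, word ptr cs:[CFG_VIR_INT13]
    or ax, word ptr cs:[CFG_VIR_INT13+2]
    stc                             ; stc leaves ZF alone
    jz ACBUMBR_Failed
    mov bx, offset TmpSector        ; ES:BX -> read buffer
    mov dx, 0080h                   ; head 0, first hard disk
    mov cx, image_size / sector_size  ; cylinder 0, backup sector (60 or 62)
    mov ax, 0201h                   ; AH=02h read, AL=1 sector
    pushf
    call dword ptr cs:[CFG_VIR_INT13] ; saved BIOS entry, not the live vector
    jc ACBUMBR_Failed
    mov cx, 7
    mov di, offset TmpSector
    add di, 2                       ; expected position of the "AiRBOOT" id
    mov si, offset CheckID_MBR
    repz cmpsb
    stc
    jne ACBUMBR_Failed              ; id mismatch -> CF=1
    clc
  ACBUMBR_Failed:
    ret
ANTIVIR_CheckBackUpMBR EndP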
191
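ANTIVIR_RestoreMBR Proc Near Uses
; Restore sector 1 of hard disk 0 from the backup slot.
; Validates the backup first (ANTIVIR_CheckBackUpMBR); on CF=1 returns with
; CF=1 and writes nothing. Otherwise writes TmpSector to cylinder 0, head 0,
; sector 1 through the saved BIOS INT 13h entry (bypassing any hook) and
; returns CF as reported by that call.
; Clobbers: ax, bx, cx, dx, si, di, ds, es, flags (partly via the callee).
    call ANTIVIR_CheckBackUpMBR
    jc ARMBR_Done
    push cs
    pop es                          ; ES:BX -> TmpSector; do not depend on the callee's ES
    mov bx, offset TmpSector
    mov dx, 0080h                   ; head 0, first hard disk
    mov cx, 0001h                   ; cylinder 0, sector 1
    mov ax, 0301h                   ; AH=03h write, AL=1 sector
    pushf
    call dword ptr cs:[CFG_VIR_INT13] ; saved BIOS entry, not the live vector
  ARMBR_Done:
    ret
ANTIVIR_RestoreMBR EndP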