source: trunk/BOOTCODE/SPECIAL/VIRUS.ASM@ 39

Last change on this file since 39 was 38, checked in by Ben Rietbroek, 12 years ago

Converting to JWasm -- phase #1 (not working) [2012-02-15]

WARNING!!

All commits up to and including the commit of [2012-05-13] contain
a severe bug!! Building from these sources and then disabling
the 'force LBA' feature while also using the drive-letter feature or
editing the label can DESTROY THE MBR on ALL ATTACHED DISKS!!
DO NOT DISABLE 'FORCE LBA USAGE' WHEN BUILT FROM THESE COMMITS!!

Problems

o WLink generates an oversized image
o Only Tasm with TLink works correctly

1; AiR-BOOT (c) Copyright 1998-2008 M. Kiewitz
2;
3; This file is part of AiR-BOOT
4;
5; AiR-BOOT is free software: you can redistribute it and/or modify it under
6; the terms of the GNU General Public License as published by the Free
7; Software Foundation, either version 3 of the License, or (at your option)
8; any later version.
9;
10; AiR-BOOT is distributed in the hope that it will be useful, but WITHOUT ANY
11; WARRANTY: without even the implied warranty of MERCHANTABILITY or FITNESS
12; FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
13; details.
14;
15; You should have received a copy of the GNU General Public License along with
16; AiR-BOOT. If not, see <http://www.gnu.org/licenses/>.
17;
18;---------------------------------------------------------------------------
19; AiR-BOOT / VIRUS DETECTION
20;---------------------------------------------------------------------------
21
; Checks the system for a stealth virus; if one is found, the MBR is restored and
; the system is halted. On Non-Real-Mode this will only save Interrupt Vectors.
; Segment Registers preserved
25
IFDEF ModuleNames
DB 'VIRUS',0                            ; module name tag embedded in the image, only when ModuleNames is defined
ENDIF
29
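;---------------------------------------------------------------------------
; VIRUS_CheckForStealth
; Purpose: Detects a stealth virus by comparing the live INT 08h / INT 13h /
;          INT 1Ch vectors with the copies saved at CFG_VIR_INT08 (three far
;          pointers, 12 bytes, in that order).
;          First call (saved INT 08h vector still all zero): the current
;          vectors are captured as the reference. Later calls: the first
;          mismatching vector is probed. A handler in read-only memory is
;          treated as a legitimate BIOS change (message, keypress, vectors
;          re-saved); a handler in writable RAM is treated as a virus, the
;          MBR is restored from the backup sector and the system is halted
;          (that path never returns).
; ABI:     near call, 16-bit real mode. ds, si, es, di preserved by Uses.
; In:      cs = segment holding CFG_VIR_INT08 and the TXT_* strings.
;          ds/es are set to cs here, so the caller need not prepare them.
; Out:     returns only when no virus was found (or after first-call init).
; Clobb:   ax, bx, cx, dx, flags
; Notes:   - The reference is whatever is installed at the time of the first
;            call; a hook already present then is never detected.
;          - VCFS_WhewThisIsOne is also entered by a jmp from
;            VIRUS_CheckForVirus. It ends in MBR_HaltSystem, so the Uses
;            frame is never unwound. NOTE(review): that cross-procedure jump
;            needs the label to be visible outside this Proc - confirm the
;            label scoping under JWasm.
;---------------------------------------------------------------------------
VIRUS_CheckForStealth Proc Near Uses ds si es di
        ; The "initialised?" scan (rep scasb) reads es:di and the vector
        ; compare below reads ds:di, both relative to cs. Establish that
        ; explicitly instead of relying on the caller's segment registers.
        push    cs cs
        pop     ds es
        ; Saved INT 08h vector all zero -> never initialised.
        xor     al, al
        mov     cx, 4
        mov     di, offset CFG_VIR_INT08
        push    di
        rep     scasb                   ; stops at the first non-zero byte (ZF=0)
        pop     di                      ; di = offset CFG_VIR_INT08 again
        jne     VCFS_AlreadyInitiated

VCFS_InitNow:
        ; Copy the three live vectors from the IVT (segment 0) to cs:di.
        xor     ax, ax
        mov     ds, ax                  ; ds = 0 -> interrupt vector table
        mov     ax, cs
        mov     es, ax                  ; es = cs -> destination
        mov     cx, 2
        mov     si, 08h*4
        rep     movsw                   ; INT 08h far pointer
        mov     cl, 2
        mov     si, 13h*4
        rep     movsw                   ; INT 13h far pointer
        mov     cl, 2
        mov     si, 1Ch*4
        rep     movsw                   ; INT 1Ch far pointer
IFDEF ReleaseCode
        call    DriveIO_SaveConfiguration ; persist the new reference vectors
ENDIF
        jmp     VCFS_Finished

VCFS_AlreadyInitiated:
        ; Compare each live vector (es:[si+n*4], es = 0) with its saved copy
        ; at ds:[di+...]. On the first mismatch ax:dx hold the live
        ; offset:segment and VCFS_Found probes that location.
        xor     ax, ax
        mov     es, ax
        xor     si, si
        mov     ax, word ptr es:[si+08h*4]
        mov     dx, word ptr es:[si+08h*4+2]
        cmp     ax, word ptr ds:[di+0]
        jne     VCFS_Found
        cmp     dx, word ptr ds:[di+2]
        jne     VCFS_Found
        mov     ax, word ptr es:[si+13h*4]
        mov     dx, word ptr es:[si+13h*4+2]
        cmp     ax, word ptr ds:[di+4]
        jne     VCFS_Found
        cmp     dx, word ptr ds:[di+6]
        jne     VCFS_Found
        mov     ax, word ptr es:[si+1Ch*4]
        mov     dx, word ptr es:[si+1Ch*4+2]
        cmp     ax, word ptr ds:[di+8]
        jne     VCFS_Found
        cmp     dx, word ptr ds:[di+10]
        jne     VCFS_Found

VCFS_Finished:
        ret

VCFS_Found:
        ; ROM-proof logic: try to write to the first byte of the mismatching
        ; handler. If the write does not stick the handler lives in ROM, so
        ; the change is assumed to be a BIOS change: show a message, wait for
        ; a key and re-save the vectors. Otherwise the handler is in RAM and
        ; is treated as a virus.
        mov     es, dx                  ; es:bx = live handler entry point
        mov     bx, ax
        ; The probed byte is the live entry of an interrupt handler, possibly
        ; the INT 08h timer handler. Keep interrupts off while it is
        ; temporarily inverted so a tick cannot execute the corrupted opcode;
        ; popf then restores the caller's IF state (al/ah are not touched).
        pushf
        cli
        mov     al, bptr es:[bx]        ; original byte
        mov     ah, al
        xor     al, 0FFh
        mov     bptr es:[bx], al        ; try to write the inverted byte
        mov     al, bptr es:[bx]        ; read back
        mov     bptr es:[bx], ah        ; restore the original byte
        popf
        cmp     al, ah
        jne     VCFS_WhewThisIsOne      ; write stuck -> RAM -> virus found
        mov     si, offset TXT_BIOSchanged
        call    MBR_Teletype
        xor     ah, ah
        int     16h                     ; wait for any keystroke
        jmp     VCFS_InitNow            ; di still = offset CFG_VIR_INT08

VCFS_WhewThisIsOne:
        ; Entered from above and from VIRUS_CheckForVirus. Never returns.
        mov     si, offset TXT_VirusFoundMain
        call    MBR_Teletype
        ; Validate the backup MBR (AiRBOOT signature) and write it back to
        ; sector 1, both through the saved INT 13h handler rather than the
        ; possibly hooked live vector.
        call    ANTIVIR_RestoreMBR
        jnc     VCFS_ValidRestore
        mov     si, offset TXT_VirusFound1damn
        call    MBR_Teletype
        call    MBR_Teletype            ; VirusFound1any (presumably MBR_Teletype leaves si at the next string - unchanged from the original)
        mov     si, offset TXT_VirusFoundEnd
        call    MBR_Teletype
        jmp     MBR_HaltSystem

VCFS_ValidRestore:
        mov     si, offset TXT_VirusFound1ok
        call    MBR_Teletype
        mov     si, offset TXT_VirusFound1any
        call    MBR_Teletype
        mov     si, offset TXT_VirusFoundEnd
        call    MBR_Teletype
        jmp     MBR_HaltSystem
VIRUS_CheckForStealth EndP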
127
; Checks the system for a normal MBR virus (done by comparing the current MBR
; with the memory image). Note: only the first 446 bytes are compared.
; If one is found, the MBR is restored and the system is halted.
; Segment Registers preserved
;---------------------------------------------------------------------------
; VIRUS_CheckForVirus
; Purpose: Reads sector 1 of the first harddisc through INT 13h and compares
;          its first 446 bytes (223 words) with the in-memory boot image at
;          BootBasePtr. A difference jumps to VCFS_WhewThisIsOne in
;          VIRUS_CheckForStealth (restore MBR, halt), which never returns.
; ABI:     near call, 16-bit real mode. ds, si, es, di preserved by Uses.
; Out:     returns normally when the sectors match, and also when the
;          INT 13h read fails (a read error is not treated as an infection).
; Clobb:   ax, bx, cx, dx, flags
; Note:    the read goes through the live INT 13h vector; a stealth hook
;          there is the case VIRUS_CheckForStealth exists for.
;---------------------------------------------------------------------------
VIRUS_CheckForVirus Proc Near Uses ds si es di
        push    cs cs
        pop     ds es                   ; ds = es = cs
        mov     ax, 0201h               ; AH=02h read sectors, AL=1 sector
        mov     dx, 0080h               ; DL=80h first harddisc, DH=0 head 0
        mov     cx, 0001h               ; CH=0 cylinder 0, CL=1 sector 1 (MBR)
        mov     bx, offset TmpSector    ; es:bx = destination buffer
        int     13h
        jc      VCFV_Done               ; read failed -> nothing to compare
        mov     si, BootBasePtr         ; in-memory image
        mov     di, offset TmpSector    ; freshly read MBR
        mov     cx, 223                 ; 223 words = 446 bytes
        repz    cmpsw
        jne     VCFS_WhewThisIsOne      ; mismatch -> handled by the stealth routine, never returns
VCFV_Done:
        ret
VIRUS_CheckForVirus EndP
150
151; ============================================================================
152; ANTI-VIRUS-CODE
153; ============================================================================
154
155; Saves a backup of the current MBR to harddisc (used before booting)
;---------------------------------------------------------------------------
; ANTIVIR_SaveBackUpMBR
; Purpose: Writes the in-memory boot sector (cs:BootBasePtr, 1 sector) to
;          harddisc 0, cylinder 0 / head 0 / sector image_size/sector_size
;          (sector 60, or 62 for the extended version, per the original
;          note; the earlier fixed value was 003Ch). This is the sector
;          ANTIVIR_CheckBackUpMBR / ANTIVIR_RestoreMBR read back later.
; ABI:     near call, 16-bit real mode. ax, bx, cx, dx, es preserved by Uses.
; Out:     CF = INT 13h status (the pops in the epilogue do not alter
;          flags); the status is not examined here.
; Note:    the write goes through the live INT 13h vector.
;          NOTE(review): the backup sector must lie outside the on-disk
;          boot image - confirm against the image layout.
;---------------------------------------------------------------------------
ANTIVIR_SaveBackUpMBR Proc Near Uses ax bx cx dx es
        push    cs
        pop     es                      ; es:bx = source buffer
        mov     ax, 0301h               ; AH=03h write sectors, AL=1 sector
        mov     bx, BootBasePtr
        mov     dx, 0080h               ; DL=80h first harddisc, DH=0 head 0
        mov     cx, image_size / sector_size ; CH=0 cylinder 0, CL = backup sector
        int     13h
        ret
ANTIVIR_SaveBackUpMBR EndP
167
; Reports Carry-Clear if the BackUp MBR is (supposedly) valid
;---------------------------------------------------------------------------
; ANTIVIR_CheckBackUpMBR
; Purpose: Reads the backup MBR sector (harddisc 0, cylinder 0 / head 0 /
;          sector image_size/sector_size) into TmpSector by calling the
;          INT 13h handler saved in CFG_VIR_INT13 directly, bypassing any
;          hook on the live vector, then checks the 7-byte CheckID_MBR
;          signature at offset 2 of the sector.
; ABI:     near call, 16-bit real mode. Nothing preserved (empty Uses):
;          clobbers ax, bx, cx, dx, si, di, ds, es, flags.
; Out:     CF = 0 : sector read and signature matches
;          CF = 1 : read failed or signature mismatch
; Notes:   - Only the 7-byte signature is checked; the remaining sector
;            contents are taken on trust.
;          - The saved INT 13h vector is only as trustworthy as the moment
;            VIRUS_CheckForStealth first captured it.
;---------------------------------------------------------------------------
ANTIVIR_CheckBackUpMBR Proc Near Uses
        push    cs cs
        pop     es ds                   ; es = ds = cs
        mov     ax, 0201h               ; AH=02h read sectors, AL=1 sector
        mov     bx, offset TmpSector    ; es:bx = destination buffer
        mov     dx, 0080h               ; DL=80h first harddisc, DH=0 head 0
        mov     cx, image_size / sector_size ; CH=0 cylinder 0, CL = backup sector (60 / 62)
        pushf                           ; flags + far call == what an INT would push
        call    dword ptr cs:[CFG_VIR_INT13]
        jc      ACBUMBR_Failed          ; read error, CF already set
        mov     si, offset CheckID_MBR
        mov     di, offset TmpSector + 2 ; "AiRBOOT" position (per original note)
        mov     cx, 7
        repz    cmpsb
        jne     ACBUMBR_Failed          ; signature mismatch
        clc
        ret
ACBUMBR_Failed:
        stc
        ret
ANTIVIR_CheckBackUpMBR EndP
191
;---------------------------------------------------------------------------
; ANTIVIR_RestoreMBR
; Purpose: Writes the backup MBR (read into TmpSector and signature-checked
;          by ANTIVIR_CheckBackUpMBR) back to harddisc 0, sector 1, through
;          the INT 13h handler saved in CFG_VIR_INT13. Nothing is written
;          when the backup does not pass the signature check.
; ABI:     near call, 16-bit real mode. Nothing preserved (empty Uses).
; Out:     CF = 1 : backup unreadable/invalid, or the write reported an error
;          CF = 0 : MBR rewritten
; Clobb:   ax, bx, cx, dx, si, di, ds, es, flags (partly via the check call)
;---------------------------------------------------------------------------
ANTIVIR_RestoreMBR Proc Near Uses
        call    ANTIVIR_CheckBackUpMBR
        jc      ARMBR_Done              ; CF=1 from the check: refuse to write
        mov     ax, 0301h               ; AH=03h write sectors, AL=1 sector
        mov     bx, offset TmpSector    ; es:bx = validated backup (es = cs, set by the check)
        mov     dx, 0080h               ; DL=80h first harddisc, DH=0 head 0
        mov     cx, 0001h               ; CH=0 cylinder 0, CL=1 sector 1 (MBR)
        pushf
        call    dword ptr cs:[CFG_VIR_INT13] ; direct write, bypassing any INT 13h hook
ARMBR_Done:
        ret
ANTIVIR_RestoreMBR EndP