source: trunk/bootcode/special/virus.asm@ 75

Last change on this file since 75 was 57, checked in by Ben Rietbroek, 10 years ago

All source-files lowercased [v1.1.1-testing]

Some standard files like 'COPYING', 'LICENSE', etc. have not been
converted to lower case because they are usually distributed uppercased.
File size: 7.5 KB
Line 
1; AiR-BOOT (c) Copyright 1998-2008 M. Kiewitz
2;
3; This file is part of AiR-BOOT
4;
5; AiR-BOOT is free software: you can redistribute it and/or modify it under
6; the terms of the GNU General Public License as published by the Free
7; Software Foundation, either version 3 of the License, or (at your option)
8; any later version.
9;
10; AiR-BOOT is distributed in the hope that it will be useful, but WITHOUT ANY
11; WARRANTY: without even the implied warranty of MERCHANTABILITY or FITNESS
12; FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
13; details.
14;
15; You should have received a copy of the GNU General Public License along with
16; AiR-BOOT. If not, see <http://www.gnu.org/licenses/>.
17;
18;---------------------------------------------------------------------------
19; AiR-BOOT / VIRUS DETECTION
20;---------------------------------------------------------------------------
21
22; Checks system for stealth-virus...if any is found, MBR will get restored and
23; system will get halted. On Non-Real-Mode this will only save Interrupt Vectors.
24; Segment Registers preserved
25
26IFDEF MODULE_NAMES
27DB 'VIRUS',0
28ENDIF
29
30VIRUS_CheckForStealth Proc Near Uses ds si es di
31 xor al, al
32 mov cx, 4
33 mov di, offset CFG_VIR_INT08
34 push di
35 repe scasb
36 pop di
37 jne VCFS_AlreadyInitiated
38
39 VCFS_InitNow:
40 xor ax, ax
41 mov ds, ax
42 mov ax, cs
43 mov es, ax
44 mov cx, 2
45 mov si, 08h*4
46 rep movsw ; INT 08 Ptr
47 mov cl, 2
48 mov si, 13h*4
49 rep movsw ; INT 13 Ptr
50 mov cl, 2
51 mov si, 1Ch*4
52 rep movsw ; INT 1C Ptr
53 IFDEF ReleaseCode
54 call DriveIO_SaveConfiguration
55 ENDIF
56 jmp VCFS_Finished
57
58 VCFS_AlreadyInitiated:
59 xor ax, ax
60 mov es, ax
61 xor si, si
62 mov ax, word ptr es:[si+08h*4]
63 mov dx, word ptr es:[si+08h*4+2]
64 cmp ax, word ptr ds:[di+0]
65 jne VCFS_Found
66 cmp dx, word ptr ds:[di+2]
67 jne VCFS_Found
68 mov ax, word ptr es:[si+13h*4]
69 mov dx, word ptr es:[si+13h*4+2]
70 cmp ax, word ptr ds:[di+4]
71 jne VCFS_Found
72 cmp dx, word ptr ds:[di+6]
73 jne VCFS_Found
74 mov ax, word ptr es:[si+1Ch*4]
75 mov dx, word ptr es:[si+1Ch*4+2]
76 cmp ax, word ptr ds:[di+8]
77 jne VCFS_Found
78 cmp dx, word ptr ds:[di+10]
79 jne VCFS_Found
80
81 VCFS_Finished:
82 ret
83
84 VCFS_Found:
85 ; New ROM-Proof Logic:
86 ; Mismatching vector found, so try to write to that location. If it doesn't
87 ; succeed, ROM will be assumed (so valid change), a message will get
88 ; displayed and new vectors will be saved. Otherwise Virus found.
89 mov es, dx
90 mov bx, ax
91 mov al, bptr es:[bx] ; Get Byte from Interrupt Vector
92 mov ah, al
93 xor al, 0FFh
94 mov bptr es:[bx], al ; Try to write there...
95 mov al, bptr es:[bx] ; Get back...
96 mov bptr es:[bx], ah ; And restore to original byte...
97 cmp al, ah
98 jne VCFS_WhewThisIsOne ; Mismatch ? -> Virus found
99 mov si, offset TXT_BIOSchanged
100 call MBR_Teletype
101 xor ah, ah
102 int 16h ; Waits for any keystroke
103 jmp VCFS_InitNow
104
105 VCFS_WhewThisIsOne:
106 call VIRUS_TryRestore
107
108 ; Code should no reach this since we halt the system in VIRUS_TryRestore.
109 ret
110VIRUS_CheckForStealth EndP
111
112;
113; This procedure is created to avoid jumping to labels that are local to
114; procedures. JWasm does not allow that.
115; Should be fixed better later.
116;
117VIRUS_TryRestore Proc Near
118 mov si, offset TXT_VirusFoundMain
119 call MBR_Teletype
120 ; Now check BackUp MBR for validation (AiRBOOT signature), do this
121 ; using direct-calls to original bios handler.
122 call ANTIVIR_RestoreMBR
123 jnc VIRUS_TryRestore_ValidRestore
124
125 mov si, offset TXT_VirusFound1damn
126 call MBR_Teletype
127 call MBR_Teletype ; VirusFound1any
128 mov si, offset TXT_VirusFoundEnd
129 call MBR_Teletype
130 jmp MBR_HaltSystem
131
132 VIRUS_TryRestore_ValidRestore:
133 mov si, offset TXT_VirusFound1ok
134 call MBR_Teletype
135 mov si, offset TXT_VirusFound1any
136 call MBR_Teletype
137 mov si, offset TXT_VirusFoundEnd
138 call MBR_Teletype
139 jmp MBR_HaltSystem
140
141 ; Code should not reach this since we halt the system.
142VIRUS_TryRestore Endp
143
144
145; Checks system for normal-MBR-virus... (done by comparing current MBR with
146; memory image). Note: We will only compare the first 446 bytes.
147; if one is found, MBR will get restored and system will get halted.
148; Segment Registers preserved
149VIRUS_CheckForVirus Proc Near Uses ds si es di
150 push cs
151 push cs
152 pop ds
153 pop es
154 mov bx, offset TmpSector
155 mov dx, 0080h
156 mov cx, 0001h ; Harddisc 0, Sector 1
157 mov ax, 0201h
158 int 13h
159 jnc VCFV_MBRloaded
160 ret
161 VCFV_MBRloaded:
162 mov si, BootBasePtr
163 mov di, offset TmpSector
164 mov cx, 223 ; Compare 446 bytes
165 repz cmpsw ; if fail: Cross call to Stealth-Virus
166 ;jne VCFS_WhewThisIsOne
167 je VIRUS_CheckForVirus_end
168 call VIRUS_TryRestore
169 VIRUS_CheckForVirus_end:
170 ret
171VIRUS_CheckForVirus EndP
172
173; ============================================================================
174; ANTI-VIRUS-CODE
175; ============================================================================
176
177; Saves a backup of the current MBR to harddisc (used before booting)
178ANTIVIR_SaveBackUpMBR Proc Near Uses ax bx cx dx es
179 push cs
180 pop es
181 mov bx, BootBasePtr
182 mov dx, 0080h
183 ;mov cx, 003Ch ; First Harddrive, Sector 60
184 mov cx, image_size / sector_size ; Harddisc 0, Sector 60 (or 62 for extended version)
185 mov ax, 0301h ; Write 1 Sector
186 int 13h
187 ret
188ANTIVIR_SaveBackUpMBR EndP
189
190; Will report Carry-Clear, if BackUp MBR is valid (supposingly)
191ANTIVIR_CheckBackUpMBR Proc Near
192 push cs
193 push cs
194 pop es
195 pop ds
196 mov bx, offset TmpSector
197 mov dx, 0080h
198 ;mov cx, 003Ch ; Harddisc 0, Sector 60
199 mov cx, image_size / sector_size ; Harddisc 0, Sector 60 (or 62 for extended version)
200 mov ax, 0201h ; Load 1 Sector
201 pushf
202 call dword ptr cs:[CFG_VIR_INT13] ; Get Sector 60 directly (w/o INT 13h)
203 jc ACBUMBR_Failed
204 mov cx, 7
205 mov di, offset TmpSector
206 add di, 2 ; Position for "AiRBOOT" normally
207 mov si, offset CheckID_MBR
208 repz cmpsb
209 stc
210 jne ACBUMBR_Failed
211 clc
212 ACBUMBR_Failed:
213 ret
214ANTIVIR_CheckBackUpMBR EndP
215
216ANTIVIR_RestoreMBR Proc Near
217 call ANTIVIR_CheckBackUpMBR
218 jnc ARMBR_DoIt
219 ret
220 ARMBR_DoIt:
221 mov bx, offset TmpSector
222 mov dx, 0080h
223 mov cx, 0001h ; Harddisc 0, Sector 1
224 mov ax, 0301h ; Write 1 Sector
225 pushf
226 call dword ptr cs:[CFG_VIR_INT13] ; Writes to Sector 1 directly
227 ret
228ANTIVIR_RestoreMBR EndP
Note: See TracBrowser for help on using the repository browser.