source: trunk/bootcode/special/virus.asm@ 91

Last change on this file since 91 was 80, checked in by Ben Rietbroek, 8 years ago

I knew there were a few stealhy ones... [v1.1.1-testing]

CAUTION:
This is a testbuild !
AirBoot uses the BIOS to access disks and a small coding error can trash
partition tables or other vital disk structures. You are advised to make
backups of TRACK0 and EBRs before using this testbuild. More info at:
https://rousseaux.github.io/netlabs.air-boot/pdf/AirBoot-v1.1.0-manual.pdf

1; AiR-BOOT (c) Copyright 1998-2008 M. Kiewitz
2;
3; This file is part of AiR-BOOT
4;
5; AiR-BOOT is free software: you can redistribute it and/or modify it under
6; the terms of the GNU General Public License as published by the Free
7; Software Foundation, either version 3 of the License, or (at your option)
8; any later version.
9;
10; AiR-BOOT is distributed in the hope that it will be useful, but WITHOUT ANY
11; WARRANTY: without even the implied warranty of MERCHANTABILITY or FITNESS
12; FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
13; details.
14;
15; You should have received a copy of the GNU General Public License along with
16; AiR-BOOT. If not, see <http://www.gnu.org/licenses/>.
17;
18;---------------------------------------------------------------------------
19; AiR-BOOT / VIRUS DETECTION
20;---------------------------------------------------------------------------
21
22; Checks system for stealth-virus...if any is found, MBR will get restored and
23; system will get halted. On Non-Real-Mode this will only save Interrupt Vectors.
24; Segment Registers preserved
25
; Embeds a NUL-terminated module name in the image when the build defines MODULE_NAMES.
IFDEF MODULE_NAMES
DB 'VIRUS',0
ENDIF
29
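;-----------------------------------------------------------------------
; VIRUS_CheckForStealth
; Detects a resident "stealth" virus by comparing the live INT 08h/13h/1Ch
; vectors with the copies kept at CFG_VIR_INT08 (12 contiguous bytes in the
; order INT 08h, INT 13h, INT 1Ch -- the code below relies on CFG_VIR_INT13
; sitting at CFG_VIR_INT08+4 and INT 1Ch at +8).
;   * First run (saved INT 08h vector still 0000:0000): snapshot the three
;     live vectors and call DriveIO_SaveConfiguration (presumably to
;     persist them).
;   * Later runs: on the first mismatching vector, probe whether the byte
;     the vector points at is writable. Not writable -> ROM, treated as a
;     legitimate BIOS change: message, wait for a key, re-snapshot.
;     Writable -> virus: VIRUS_TryRestore, which halts the system.
; ABI:   16-bit real mode, near call. Assumes es = cs on entry (the scasb
;        scans es:di) and ds = cs on entry (compares read ds:[di+k]).
; In:    (none)
; Out:   (none)
; Clobb: ax, bx, cx, dx, flags. ds/si/es/di restored by Uses.
; Trust model: the baseline is whatever the IVT held on the first run; a
;        virus already resident at that moment is recorded as "clean".
; NOTE(review): after a ROM-proof mismatch the code re-snapshots ALL three
;        vectors without having compared the remaining ones, so a hooked
;        INT 13h/1Ch would be accepted into the baseline together with a
;        legitimate INT 08h change. Behaviour kept; see inline note.
;-----------------------------------------------------------------------
VIRUS_CheckForStealth Proc Near Uses ds si es di
        ; Initialised yet? An all-zero saved INT 08h vector means "never saved".
        xor     al, al
        mov     cx, 4
        mov     di, offset CFG_VIR_INT08
        push    di
        repe    scasb                           ; scans es:di -- assumes es = cs
        pop     di
        jne     VCFS_AlreadyInitiated

 VCFS_InitNow:
        ; Copy the three live vectors 0000:(n*4) -> cs:CFG_VIR_INT08..., 4 bytes each.
        xor     ax, ax
        mov     ds, ax                          ; ds = 0000h (interrupt vector table)
        mov     ax, cs
        mov     es, ax                          ; es = cs (config area)
        mov     cx, 2
        mov     si, 08h*4
        rep     movsw                           ; INT 08 Ptr
        mov     cl, 2                           ; cx is 0 after rep, so cl suffices
        mov     si, 13h*4
        rep     movsw                           ; INT 13 Ptr
        mov     cl, 2
        mov     si, 1Ch*4
        rep     movsw                           ; INT 1C Ptr

        ; NOTE(review): ds is still 0000h here -- confirm DriveIO_SaveConfiguration
        ; does not expect ds = cs.
        call    DriveIO_SaveConfiguration

        jmp     VCFS_Finished

 VCFS_AlreadyInitiated:
        ; Compare live vectors (es:[si+n*4], es = 0) with the saved ones (ds:[di+k]).
        ; dx:ax = live seg:off of the vector being checked; VCFS_Found consumes it.
        xor     ax, ax
        mov     es, ax
        xor     si, si
        mov     ax, word ptr es:[si+08h*4]
        mov     dx, word ptr es:[si+08h*4+2]
        cmp     ax, word ptr ds:[di+0]
        jne     VCFS_Found
        cmp     dx, word ptr ds:[di+2]
        jne     VCFS_Found
        mov     ax, word ptr es:[si+13h*4]
        mov     dx, word ptr es:[si+13h*4+2]
        cmp     ax, word ptr ds:[di+4]
        jne     VCFS_Found
        cmp     dx, word ptr ds:[di+6]
        jne     VCFS_Found
        mov     ax, word ptr es:[si+1Ch*4]
        mov     dx, word ptr es:[si+1Ch*4+2]
        cmp     ax, word ptr ds:[di+8]
        jne     VCFS_Found
        cmp     dx, word ptr ds:[di+10]
        jne     VCFS_Found

 VCFS_Finished:
        ret

 VCFS_Found:
        ; New ROM-Proof Logic:
        ; Mismatching vector found, so try to write to that location. If it doesn't
        ; succeed, ROM will be assumed (so valid change), a message will get
        ; displayed and new vectors will be saved. Otherwise Virus found.
        mov     es, dx
        mov     bx, ax                          ; es:bx = first byte of the live handler
        mov     al, bptr es:[bx]                ; Get Byte from Interrupt Vector
        mov     ah, al                          ; ah = original byte
        xor     al, 0FFh                        ; al = complement we try to store
        ; The probe patches the first byte of a LIVE handler. INT 08h is driven by
        ; the hardware timer (and chains to INT 1Ch), so an interrupt arriving
        ; between the write and the restore would execute a corrupted entry.
        ; Mask interrupts around the three instructions; popf restores the
        ; caller's IF before the result is compared.
        pushf
        cli
        mov     bptr es:[bx], al                ; Try to write there...
        mov     al, bptr es:[bx]                ; Get back...
        mov     bptr es:[bx], ah                ; And restore to original byte...
        popf
        cmp     al, ah                          ; byte changed -> writable RAM -> virus
        jne     VCFS_WhewThisIsOne              ; Mismatch ? -> Virus found
        ; Not writable: assume a ROM/BIOS change, tell the user, re-snapshot.
        ; NOTE(review): only the first mismatching vector was probed; the jump
        ; below records the remaining vectors without checking them.
        mov     si, offset TXT_BIOSchanged
        call    MBR_Teletype
        xor     ah, ah
        int     16h                             ; Waits for any keystroke
        jmp     VCFS_InitNow

 VCFS_WhewThisIsOne:
        call    VIRUS_TryRestore

        ; Code should not reach this since we halt the system in VIRUS_TryRestore.
        ret
VIRUS_CheckForStealth EndP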
111
112;
113; This procedure is created to avoid jumping to labels that are local to
114; procedures. JWasm does not allow that.
115; Should be fixed better later.
116;
;-----------------------------------------------------------------------
; VIRUS_TryRestore
; Shared "virus found" exit of VIRUS_CheckForStealth and VIRUS_CheckForVirus:
; announces the detection, tries to put the backup MBR back in place,
; reports the outcome and halts. Never returns (both paths jmp MBR_HaltSystem).
; In:    (none) -- assumes the TXT_* strings are addressable for MBR_Teletype
; Out:   does not return
; Clobb: si, plus whatever ANTIVIR_RestoreMBR / MBR_Teletype clobber
;-----------------------------------------------------------------------
VIRUS_TryRestore Proc Near
        mov     si, offset TXT_VirusFoundMain
        call    MBR_Teletype
        ; Now check BackUp MBR for validation (AiRBOOT signature), do this
        ; using direct-calls to original bios handler.
        call    ANTIVIR_RestoreMBR              ; CF=0 -> backup valid and written back
        jnc     VIRUS_TryRestore_ValidRestore

        ; Restore failed: no valid backup, or the write failed. MBR left as found.
        mov     si, offset TXT_VirusFound1damn
        call    MBR_Teletype
        call    MBR_Teletype                    ; VirusFound1any -- presumably MBR_Teletype leaves si just past the NUL; verify
        mov     si, offset TXT_VirusFoundEnd
        call    MBR_Teletype
        jmp     MBR_HaltSystem

 VIRUS_TryRestore_ValidRestore:
        mov     si, offset TXT_VirusFound1ok
        call    MBR_Teletype
        mov     si, offset TXT_VirusFound1any
        call    MBR_Teletype
        mov     si, offset TXT_VirusFoundEnd
        call    MBR_Teletype
        jmp     MBR_HaltSystem

        ; Code should not reach this since we halt the system.
VIRUS_TryRestore Endp
143
144
145; Checks system for normal-MBR-virus... (done by comparing current MBR with
146; memory image). Note: We will only compare the first 446 bytes.
147; if one is found, MBR will get restored and system will get halted.
148; Segment Registers preserved
;-----------------------------------------------------------------------
; VIRUS_CheckForVirus
; Detects an ordinary (non-stealth) MBR infection: re-reads the MBR from
; disk and compares its code area with the in-memory image.
; Only the first 446 bytes (223 words) are compared; the partition table
; and signature at 446..511 are not compared and may differ freely.
; In:    BIOS_BootDisk = drive to read (ds is set to cs here)
;        BootBasePtr   = offset of the in-memory MBR image (definition not
;                        visible in this file)
; Out:   (none). Read failure -> silent return, no comparison done.
;        Mismatch -> VIRUS_TryRestore, which halts the system.
; Clobb: ax, bx, cx, dx, flags. ds/si/es/di restored by Uses.
; The sector is read through the live INT 13h; a hooked vector is the
; stealth case covered by VIRUS_CheckForStealth, not by this routine.
;-----------------------------------------------------------------------
VIRUS_CheckForVirus Proc Near Uses ds si es di
        push    cs
        push    cs
        pop     ds
        pop     es                              ; ds = es = cs
        mov     bx, offset TmpSector            ; es:bx = read buffer
        mov     dh, 0                           ; Head 0
        mov     dl, [BIOS_BootDisk]             ; Disk AirBoot was loaded from
        mov     cx, 0001h                       ; Cylinder 0, Sector 1 (the MBR of drive dl)
        mov     ax, 0201h                       ; Read 1 Sector
        int     13h
        jnc     VCFV_MBRloaded
        ret                                     ; read failed: nothing to compare against
 VCFV_MBRloaded:
        mov     si, BootBasePtr                 ; ds:si = in-memory image
        mov     di, offset TmpSector            ; es:di = freshly read MBR
        mov     cx, 223                         ; Compare 446 bytes
        repz    cmpsw                           ; if fail: Cross call to Stealth-Virus
        ;jne VCFS_WhewThisIsOne                 ; old cross-procedure jump; JWasm rejects it, hence the call below
        je      VIRUS_CheckForVirus_end
        call    VIRUS_TryRestore                ; halts the system; does not return
 VIRUS_CheckForVirus_end:
        ret
VIRUS_CheckForVirus EndP
173
174; ============================================================================
175; ANTI-VIRUS-CODE
176; ============================================================================
177
178; Saves a backup of the current MBR to harddisc (used before booting)
;-----------------------------------------------------------------------
; ANTIVIR_SaveBackUpMBR
; Writes the in-memory MBR image (BootBasePtr, 1 sector) to the backup
; sector at cylinder 0 / head 0 / sector (image_size / sector_size) of
; BIOS_BootDisk -- presumably the first sector behind the AiR-BOOT image.
; Used before booting.
; In:    BootBasePtr, BIOS_BootDisk (read via ds -- ds is NOT set here, so
;        the caller must already have ds addressing that variable)
; Out:   CF = result of INT 13h AH=03 (the Uses epilogue and ret leave flags intact)
; Clobb: flags only; ax/bx/cx/dx/es restored by Uses.
; The value goes into cx as a CHS sector number, so image_size / sector_size
; must fit the 6-bit CL sector field (<= 63); the 60/62 noted below do.
; Unlike the check/restore routines this goes through the live INT 13h.
;-----------------------------------------------------------------------
ANTIVIR_SaveBackUpMBR Proc Near Uses ax bx cx dx es
        push    cs
        pop     es                              ; es:bx = source buffer
        mov     bx, BootBasePtr
        mov     dh, 0                           ; Head 0
        mov     dl, [BIOS_BootDisk]             ; Disk AirBoot was loaded from
        ;mov cx, 003Ch                          ; First Harddrive, Sector 60
        mov     cx, image_size / sector_size    ; Cylinder 0, Sector 60 (or 62 for extended version)
        mov     ax, 0301h                       ; Write 1 Sector
        int     13h
        ret
ANTIVIR_SaveBackUpMBR EndP
191
; Will report Carry-Clear if the BackUp MBR is valid (supposedly)
;-----------------------------------------------------------------------
; ANTIVIR_CheckBackUpMBR
; Loads the backup MBR sector into TmpSector and checks that it carries the
; AiR-BOOT marker (CheckID_MBR, 7 bytes) at offset 2.
; In:    CFG_VIR_INT13 = INT 13h vector saved by VIRUS_CheckForStealth
;        BIOS_BootDisk = drive to read (ds is set to cs here)
; Out:   CF = 0  backup read and marker matches; TmpSector holds the sector
;        CF = 1  read failed or marker mismatch
; Clobb: ax, bx, cx, dx, si, di, ds, es (ds = es = cs on exit), flags
; The read deliberately bypasses the live INT 13h: pushf + far call through
; the saved vector does what `int 13h` would do, so a hook installed after
; the vector was saved is not in the path. It is only as trustworthy as that
; saved vector (a hook already present at first run was saved as "original").
; NOTE(review): if CFG_VIR_INT13 has never been filled in (all zero) the far
; call goes to 0000:0000 -- confirm callers cannot reach this before
; VIRUS_CheckForStealth has initialised the config.
; The 7-byte plaintext marker is the only integrity check on the backup;
; there is no checksum over the rest of the sector.
;-----------------------------------------------------------------------
ANTIVIR_CheckBackUpMBR Proc Near
        push    cs
        push    cs
        pop     es
        pop     ds                              ; ds = es = cs
        mov     bx, offset TmpSector            ; es:bx = read buffer
        mov     dh, 0                           ; Head 0
        mov     dl, [BIOS_BootDisk]             ; Disk AirBoot was loaded from
        ;mov cx, 003Ch                          ; Harddisc 0, Sector 60
        mov     cx, image_size / sector_size    ; Cylinder 0, Sector 60 (or 62 for extended version)
        mov     ax, 0201h                       ; Load 1 Sector
        pushf                                   ; emulate INT: flags on stack, then far call
        call    dword ptr cs:[CFG_VIR_INT13]    ; Get Sector 60 directly (w/o INT 13h)
        jc      ACBUMBR_Failed                  ; CF set by the handler on error -> passed through
        mov     cx, 7
        mov     di, offset TmpSector
        add     di, 2                           ; Position for "AiRBOOT" normally
        mov     si, offset CheckID_MBR
        repz    cmpsb                           ; ZF=1 if all 7 bytes match
        stc                                     ; stc does not touch ZF
        jne     ACBUMBR_Failed                  ; mismatch -> return with CF=1
        clc
 ACBUMBR_Failed:
        ret
ANTIVIR_CheckBackUpMBR EndP
218
;-----------------------------------------------------------------------
; ANTIVIR_RestoreMBR
; Validates the backup MBR (ANTIVIR_CheckBackUpMBR) and, if valid, writes it
; back over sector 1 of BIOS_BootDisk through the saved INT 13h vector.
; In:    CFG_VIR_INT13, BIOS_BootDisk (ds = es = cs after the check call)
; Out:   CF = 1  no valid backup (nothing written)
;        CF = result of the write otherwise (0 = restored)
; Clobb: everything ANTIVIR_CheckBackUpMBR clobbers (ax,bx,cx,dx,si,di,ds,es), flags
; Writes the WHOLE backup sector, including the partition table as it was
; when ANTIVIR_SaveBackUpMBR ran, while VIRUS_CheckForVirus compares only
; the first 446 bytes. NOTE(review): confirm that reverting a partition
; table changed since the backup is acceptable here.
;-----------------------------------------------------------------------
ANTIVIR_RestoreMBR Proc Near
        call    ANTIVIR_CheckBackUpMBR          ; loads the backup into TmpSector, CF=0 if marker ok
        jnc     ARMBR_DoIt
        ret                                     ; CF=1 passed through to the caller
 ARMBR_DoIt:
        mov     bx, offset TmpSector            ; es:bx = validated backup (es = cs from the check)
        mov     dh, 0                           ; Head 0
        mov     dl, [BIOS_BootDisk]             ; Disk AirBoot was loaded from
        mov     cx, 0001h                       ; Cylinder 0, Sector 1 (the MBR)
        mov     ax, 0301h                       ; Write 1 Sector
        pushf                                   ; emulate INT: flags on stack, then far call
        call    dword ptr cs:[CFG_VIR_INT13]    ; Writes to Sector 1 directly
        ret                                     ; CF from the write goes back to the caller
ANTIVIR_RestoreMBR EndP