TPUG - Toronto PET Users Group

home *** CD-ROM | disk | FTP | other *** search

/ TPUG - Toronto PET Users Group / TPUG Users Group CD / TPUG Users Group CD.iso / AMIGA / (A)U / (A)U5.ADF / NGC / NGC.doc < prev next >

Wrap

Text File | 1989-11-12 | 6KB | 175 lines

- - - N G C - - - - - - N o t e s O n D i s t r i b u t i o n - - - Release one : 02 - August - 1989 (C) Copyright By Ulf Nordquist. This software may only be used for non-commercial purposes, but may be freely distributed as long as all the files in the package are kept together. The package consists of these four files: ngc.a (the source code) ngc.info (the icon) ngc (the program) ngc.doc (this file) The Virus directory is not part of the package, it contains some differnt bootblocks : ByteBandit SCAVirusProtector TheLamerExterminator FormatBootblock (the bootblock of a newly formatted disk) StandardBootblock The Byte Bandit and The Lamer Exterminator virus are different on each infected bootblock, so the compare function will not recognize them. - - - N o t e s O n T h e P r o g r a m - - - The source file (ngc.a) is completely stand alone and does not need to be linked with any other files or libraries, just assemble and link it by itself. It can be started from the CLI or the Workbench. If it is started from the CLI it can be started as : 'run >nil: <nil: ngc' to allow the cli window it started from to be closed with endcli. - - - W h a t I t D o e s - - - First it opens a small window labeled NGC in the top of the screen. After this it will check the bootblock on all attached floppy disk drives with a disk inserted. If a non-standard bootblock is found it will be reported. Then it will check the jump tables of all resident libraries and devices. If any suspicious entry is found it will also be reported. When this is completed it will go to sleep. It will wake up when a disk is inserted into a drive, check the bootblock on it and report if it is a non- standard bootblock. - - - H o w T o U s e I t - - - To be able to use the compare function, assign the device ngcbb: to the directory Virus (or any other directory where there are copies of bootblocks) assign ngcbb: ThisDisk:NGC/Virus If a disk with a non-standard bootblock is inserted, a window is opened with two lines of text and four gadgets : The first line of of text is a description of the error causing the window to open. The second line tells which drive it is. The gadgets : 1. Continue - Closes the window. 2. Save - Saves the bootblock as a normal AmigaDOS file. See 'Save as file' 3. Install - Writes a standard bootblock to the disk. 4. Save as file - Here the file name is entered, which the save gadget will use. (Save them in ngcbb:, see Compare gadget). Be aware that a non-standard bootblock not necessarily is a virus. A typical case is games, which often uses the bootblock to load the game. If the menu button is pressed in the small startup window, a similar window is opened, but it has four extra gadgets : 5. Check - Force a check of the bootblock in the current drive. 6. Compare - Compares the current bootblock with saved bootblocks. It will compare the current bootblock with all files (with size = 1024 bytes) in the directory assigned to ngcbb:. Example : Insert a disk with a standard bootblock in the current drive, press the compare gadget, after a while the first text line should read: 'Found: StandardBootbl' 7. + - Increase current drive number and check the disk in it. 8. - - Decrease current drive number and check the disk in it. The text lines are updated as disks are inserted, installed, checked and compared. If a suspicious entry is found in a jump table it is reported with a requester, (jump tables are only checked at start-up) Example : if workbench running, a requester will come up reading : Suspicious entry at -276 intuition.library -276 is the decimal byte offset from the library base, in this case : -276 in intuition.library is _LVOSetWindowTitles Be aware that workbench and setpatch changes some entries in the jump tables. The workbench I have changes : -060 in graphics.library -276 in intuition.library The setpatch I have changes : -108 in exec.library -222 in exec.library -090 in layers.library A virus typically changes in trackdisk.device. The close gadget in the startup window will exit the program. ============================================================================ - - - W h y I M a d e T h i s P r o g r a m - - - For some time I had thought about writing a program that could read bootblocks and save them, beacause I wanted to look at viruses and see how they work. I just thought about it, I never did it, until... Enter 'The Lamer Exterminator !' Suddenly my assembler work disk had read/write errors, and program crashed. After a while I used xoper (highly recommended) to look at tasks and list and in the resident list I found an entry called 'The Lamer Exterminator !'. So I wrote this program, NGC, it will find the two changes 'The Lamer Exterminator !' does to the jump tables : If 'The Lamer Exterminator !' is in the memory, two changes are found : Suspicious entry at -612 Suspicious entry at -030 exec.library trackdisk.device This is _LVOSumKickData This is BEGINIO ============================================================================ Thanks to: Commodore-Amiga, Inc. for the computer Matt Dillon for the editor Charlie Gibbs for the assembler The Software Distillery for the linker Metadigm, Inc. for the debugger Werner Gunther, for Xoper ============================================================================ I have used the program for some time myself, and it works fine. This means that there are bugs left to find, so... Comments and bug reports are welcome Ulf Nordquist Brunnehagen 36 417 47 Gothenburg Sweden PS. New (and old) viruses are also welcome.