************************************************************************
* GUARDIAN v1.2                                                        *
* Antivirus Bootstrap                                                  *
* Copyright 1988 by Leonardo Fei, via A. Fava 6, 20125 Milano, Italy   *
* Distributed by Transactor (UK) Ltd, Unit 2, Langdale Grove,          *
* Bingham, Nottinghamshire, England, NG13 8SR                          *
*                                                                      *
* IMPORTANT NOTE: This version is not Public Domain, nor Shareware.    *
* All rights are reserved to the author.                               *
* Please respect this copyright notice ...Thanks!                      *
*                                                                      *
* Imported by Quartex in 1988!                                         *
*                                                                      *
************************************************************************
The first version of Guardian was written, on impulse, in a few days,
after I discovered that a new virus had infected most of my disks.
This second version has been greatly enhanced, both in terms of security
and of versatility. If you are using Kickstart 1.3 (v34.5) you will
find Guardian very useful in helping you do things you couldn't normally
do without it. More about this later.
Guardian does not steal even a single cycle of the machine's time,
because it's called only during boot.
While other antivirus programs are tuned to a particular version or
family of viruses, Guardian recognizes any non-standard bootblock. By
'standard bootblock' I mean a bootblock created by the Workbench INSTALL
command. This standard bootblock is contained in the Guardian code.
Guardian installs itself in place of the bootstrap module, and examines
the contents of each bootblock by comparing it with the standard one,
BEFORE it is actually executed.
"WARNING !!! - THIS IS NOT A STANDARD BOOTBLOCK !!!"
----------------------------------------------------
If the bootblock code differs even by a single byte, an alert is
displayed to warn the user of the possible threat contained in the
bootcode, and an ASCII view of the suspect bootblock is given, to help
you recognize it. You may recognize a virus by text strings such
as 'SCA!SCA!SCA!' or 'VIRUS BY BYTE BANDIT', but remember that there are
also anonymous viruses around, without a single message in them.
So, always be very careful, even when you don't see these text strings.
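The boot-time test described above, written out as an added Python example (this is not Guardian's code, which runs from the bootstrap). It reads the first 1024 bytes of a disk image, verifies the 'DOS' signature and the bootblock checksum the ROM expects, compares the code bytes with a known-good baseline, and produces the ASCII view and the list of text strings a user would look at. The baseline block and the suspect block are constructed stand-ins (the real Workbench INSTALL bootblock is not reproduced here), and all function names are mine.

```python
"""Offline check of an Amiga floppy bootblock, in the spirit of Guardian's
boot-time test.  Added example, not Guardian's own code.  The baseline
used here is a CONSTRUCTED stand-in, not the real INSTALL bootblock."""
import struct

BOOTBLOCK_SIZE = 1024


def bootblock_checksum(block: bytes) -> int:
    """Compute the checksum the Amiga ROM expects at bytes 4..7: add the
    256 big-endian longwords with end-around carry (the checksum field
    itself counts as zero) and return the one's complement.  A block is
    valid when the stored value equals this result."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == 4:
            continue                      # the checksum field is skipped
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:            # emulate the 68000 add-with-carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def make_bootblock(payload: bytes, rootblock: int = 880) -> bytes:
    """Build a 1024-byte OFS bootblock ('DOS', flags 0, checksum, rootblock
    pointer, then PAYLOAD) with a valid checksum.  Constructed data."""
    body = b"DOS\x00" + bytes(4) + struct.pack(">I", rootblock) + payload
    block = bytearray(body.ljust(BOOTBLOCK_SIZE, b"\x00")[:BOOTBLOCK_SIZE])
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)


# CONSTRUCTED stand-in for the standard INSTALL bootblock Guardian carries.
STANDARD_BOOTBLOCK = make_bootblock(b"")


def compare_to_baseline(block: bytes, baseline: bytes) -> list:
    """Return (offset, got, expected) for every differing code byte.  The
    checksum field (4..7) follows from the code and is left out; an empty
    list means 'standard bootblock', a single byte is enough for an alert."""
    return [(i, block[i], baseline[i]) for i in range(BOOTBLOCK_SIZE)
            if not 4 <= i < 8 and block[i] != baseline[i]]


def printable_strings(block: bytes, min_len: int = 6) -> list:
    """Collect runs of printable ASCII of at least MIN_LEN characters, the
    part of the ASCII view a human actually reads."""
    found, run = [], bytearray()
    for b in block + b"\x00":             # sentinel flushes the last run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def ascii_view(block: bytes, width: int = 64) -> list:
    """Render the block as Guardian's alert does: one line per WIDTH bytes,
    non-printable bytes shown as '.'."""
    return ["%04x  %s" % (off, "".join(chr(b) if 32 <= b < 127 else "."
                                      for b in block[off:off + width]))
            for off in range(0, len(block), width)]


def check_bootblock(block: bytes, baseline: bytes = STANDARD_BOOTBLOCK) -> dict:
    """Summarise what the boot-time comparison would report for BLOCK."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("a bootblock is exactly %d bytes" % BOOTBLOCK_SIZE)
    stored = struct.unpack_from(">I", block, 4)[0]
    diffs = compare_to_baseline(block, baseline)
    return {
        "dos_signature": block[:3] == b"DOS",
        "checksum_ok": stored == bootblock_checksum(block),
        "standard": not diffs,
        "first_difference": diffs[0][0] if diffs else None,
        "strings": printable_strings(block),
    }


def load_bootblock(path: str) -> bytes:
    """Read the bootblock (first two sectors) from an ADF image or raw dump."""
    with open(path, "rb") as fh:
        return fh.read(BOOTBLOCK_SIZE)


# CONSTRUCTED suspect block: valid checksum, but custom code and a message.
SUSPECT_BOOTBLOCK = make_bootblock(bytes(16) + b"CONSTRUCTED SAMPLE BOOTBLOCK")

if __name__ == "__main__":
    import sys
    block = load_bootblock(sys.argv[1]) if len(sys.argv) > 1 else SUSPECT_BOOTBLOCK
    print(check_bootblock(block))
    print("\n".join(ascii_view(block)))
```

Run it with the path of an .adf file to check a real image; without arguments it checks the constructed suspect block, which has a perfectly valid checksum and still fails the comparison, which is the point of the manual's approach: a correct checksum says nothing about what the code does.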
The user can choose to give control to the loaded bootblock anyway,
or to execute the standard one contained in the Guardian code.
The opportunity to execute the loaded bootcode is given because there
are several non-standard bootblocks that actually don't contain viruses.
These are boot-intros, fast loaders, boot-menus and other custom
bootblocks, which you can find on commercial and non-commercial disks.
You'll need to execute them if you want those disks to work properly.
If you decide to give control to the loaded bootblock, the
screen color will become red, to remind you that you've chosen the
dangerous way. A copy of ExecBase is made before actually executing the
bootcode, and after control is returned from the bootcode to
Guardian, this copy is compared with the current ExecBase.
"WARNING !!! - ExecBase was altered by bootcode !!!"
----------------------------------------------------
If they differ even by a single byte, an alert is displayed, and you can
decide to restore the old copy of ExecBase in its place, overwriting
the changes made by the bootcode. If you get this alert, you could
have executed the 'BYTE BANDIT' virus. Restoring the old
ExecBase will overwrite the changes made to the Vertical Blanking
Interrupt vector by the virus, and also its entry in the Resident
Modules table. This way, the virus won't freeze the machine (because it
has been removed from the VBlank interrupt) and won't survive the next
reset (because its ResModules entry has been removed). But there is still
a problem. During its execution time, this virus alters the trackdisk
device library's offset table, so that the virus itself will be called
each time the computer accesses a new disk (each time there's a
read/write command starting from block 0). So you'll still get your
disks infected by simply inserting them into any drive. To solve this
problem you can simply reset the machine. This will force the offset
table to be rebuilt, and since the virus has been removed from the
ResModules table, it will be flushed completely from memory.
The old 'SCA' virus will also cause this alert to appear, because it
changes the contents of the CoolCapture vector, which is contained in
ExecBase. Simply restoring the old ExecBase will completely remove
this virus, and no further action is required.
If you choose not to restore the old ExecBase, Guardian could be removed
from the ResModules table (the 'BYTE BANDIT' virus will surely do it,
while the 'SCA' one will peacefully coexist) and you would be responsible
for what could happen later.
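The ExecBase snapshot-and-compare described above, and the header checksum that the cold reset described later in this file relies on, as an added Python example; this is not Guardian's code, which works on the live structure, and it operates on byte snapshots instead. The field offsets follow the ExecBase layout of exec/execbase.h as I know it, and the checksum rule (the words from SoftVer through ChkSum sum to 0xFFFF) is likewise my assumption rather than something the manual states. The sample header and the CoolCapture value planted into it are constructed.

```python
"""Snapshot-and-compare of the ExecBase header, the check Guardian runs
around an untrusted bootblock: copy ExecBase first, run the bootcode,
then compare the copy with the live structure.  Added example, not
Guardian's code.  The layout and the header checksum rule below are
assumptions taken from exec/execbase.h; the sample header is CONSTRUCTED."""
import struct

# Assumed layout: name -> (offset, size in bytes) of the ExecBase header fields.
EXECBASE_FIELDS = {
    "SoftVer": (34, 2), "LowMemChkSum": (36, 2), "ChkBase": (38, 4),
    "ColdCapture": (42, 4), "CoolCapture": (46, 4), "WarmCapture": (50, 4),
    "SysStkUpper": (54, 4), "SysStkLower": (58, 4), "MaxLocMem": (62, 4),
    "DebugEntry": (66, 4), "DebugData": (70, 4), "AlertData": (74, 4),
    "MaxExtMem": (78, 4), "ChkSum": (82, 2),
}
HEADER_FIRST, HEADER_CHKSUM = 34, 82      # SoftVer .. ChkSum (assumed)


def header_checksum(execbase: bytes) -> int:
    """Value expected at ChkSum: one's complement of the 16-bit sum of the
    words from SoftVer up to (not including) ChkSum, so the whole header
    sums to 0xFFFF.  Assumed to be the test the reset code applies before
    trusting a surviving ExecBase (a warm start)."""
    total = 0
    for off in range(HEADER_FIRST, HEADER_CHKSUM, 2):
        total = (total + struct.unpack_from(">H", execbase, off)[0]) & 0xFFFF
    return (~total) & 0xFFFF


def header_checksum_ok(execbase: bytes) -> bool:
    return struct.unpack_from(">H", execbase, HEADER_CHKSUM)[0] == header_checksum(execbase)


def snapshot(execbase: bytes) -> bytes:
    """Guardian's private copy, taken BEFORE the bootcode runs."""
    return bytes(execbase)


def diff_execbase(before: bytes, after: bytes) -> dict:
    """Report every changed field as name -> (old hex, new hex); bytes that
    changed outside the named fields are reported by offset."""
    if len(before) != len(after):
        raise ValueError("snapshots must cover the same range")
    changed, covered = {}, set()
    for name, (off, size) in EXECBASE_FIELDS.items():
        covered.update(range(off, off + size))
        old, new = before[off:off + size], after[off:off + size]
        if old != new:
            changed[name] = (old.hex(), new.hex())
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and i not in covered:
            changed["offset %d" % i] = ("%02x" % a, "%02x" % b)
    return changed


def make_sample_execbase(size: int = 100) -> bytearray:
    """CONSTRUCTED header: all zero except a version word, a chip-RAM
    size and a valid ChkSum.  Not a dump of a real machine."""
    eb = bytearray(size)
    struct.pack_into(">H", eb, 34, 33)         # SoftVer (constructed)
    struct.pack_into(">I", eb, 62, 0x80000)    # MaxLocMem: 512 KB (constructed)
    struct.pack_into(">H", eb, HEADER_CHKSUM, header_checksum(eb))
    return eb


def simulate_bootcode_run() -> dict:
    """Take the snapshot, let 'bootcode' plant a CoolCapture pointer (the
    symptom the manual attributes to the SCA virus), and return the diff
    Guardian would alert on.  The pointer value is constructed."""
    before = snapshot(make_sample_execbase())
    after = bytearray(before)
    struct.pack_into(">I", after, 46, 0x00C00000)   # constructed CoolCapture value
    return diff_execbase(before, after)


def invalidated_header(execbase: bytes) -> bytes:
    """What the manual's cold reset relies on: overwrite part of the header
    without fixing ChkSum, so the reset code rejects ExecBase and rebuilds
    everything (resident modules included) from scratch."""
    trashed = bytearray(execbase)
    trashed[34:42] = b"\xff" * 8
    return bytes(trashed)


if __name__ == "__main__":
    for field, (old, new) in simulate_bootcode_run().items():
        print("WARNING: %s changed %s -> %s" % (field, old, new))
    print("header still valid after trashing:",
          header_checksum_ok(invalidated_header(make_sample_execbase())))
```

Restoring the saved copy, the choice the alert offers, is simply writing `before` back over the live structure; the diff is what tells you whether you are looking at a capture vector hook, an interrupt vector change, or something in an unnamed byte.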
"WARNING !!! - THIS IS NOT A STANDARD BOOTBLOCK !!!"
----------------------------------------------------
If you choose not to give control to the loaded bootblock, the
screen color will become white as usual, and you are given the
opportunity to install the disk with the standard bootblock.
"Shall I replace IT with a STANDARD BOOTBLOCK ?"
------------------------------------------------
If the bootblock contains a virus, you should use this opportunity to
replace it with the standard one.
************************************************************************
WARNING! Do not install the original disk, unless you have a backup
copy or unless you are absolutely sure of what you are doing. Some
commercial programs come with a non-standard bootblock (fast-load,
intros, etc.) and you may no longer be able to use those disks/programs
once the original bootblock is overwritten with the standard one.
************************************************************************
"Disk is write-protected. Shall I retry ?"
-------------------------------------------
An additional alert is displayed if the disk is write protected.
"DANGER !!! - I can't succeed in rewriting the bootblock !"
-----------------------------------------------------------
A new feature has been added to Guardian v1.2 at this point. After the
standard bootblock has been written to the disk, the newly created
bootblock is loaded into memory once more, and is compared with the
standard one. They should match, of course. But if they don't, this
means that something serious has happened to the trackdisk device. Most
probably you've launched Guardian with the 'BYTE BANDIT' virus already
active in memory, or you didn't reset the computer after giving control
to it and/or after restoring the ExecBase. This is a 'dead end' alert,
and you'll have no choice but to force a cold reset of the computer by
pressing either of the mouse buttons.
** PLEASE DON'T RESET WITH CTRL-AMIGA-AMIGA AT THIS POINT ! **
** This will leave the virus happily messing around ! **
A cold reset is achieved by purposely trashing the low part of
ExecBase, without fixing up the corresponding checksum. During the
following reset, the computer is forced to rebuild all the internal
structures, thus flushing any virus (but also Guardian itself) from
memory. You should put a ** SAFE ** disk into the internal drive BEFORE
pressing either of the mouse buttons, because loading of the bootblock
will happen just a few instants after. Remember that the bootblock of the
disk that you have in the internal drive when you get this alert
wasn't replaced. If you leave this disk in the drive, the virus will
load itself into memory once again, because Guardian has been flushed
during the cold reset.
The best thing to do, in this situation, is to place the original
** SAFE ** Guardian disk (you've NEVER removed its write protection,
have you ?!!) into the boot drive and press either mouse button to reset.
Load and use of Guardian
------------------------
Again, the best thing to do is to use this ** SAFE ** disk for the first
boot, just after the computer is turned on (and after the Kickstart disk
has been loaded into the A1000, of course !), before inserting ANY other
boot disk into the internal drive. If you NEVER remove this disk's
write protection, you can be sure that NO virus can place itself here,
and when you are in doubt about any of your boot disks, you'll just have
to turn the computer off and on and use this disk first. There have been
rumours about some new virus that also writes on write-protected disks.
That's definitely NOT POSSIBLE. The last word about write protection is
left to the floppy drive itself, and there's no way to fool it. It is
possible to force the computer (the software) to believe the disk is not
write protected. This way you could 'perform' write operations on write
protected disks, and the drive would behave as if it were actually
writing on those disks, but at the end you would find their contents
unchanged. This would let you play some innocent jokes, but nothing else.
After you've removed the viruses from your disks, you can copy
Guardian into their C directories, and call it from their
startup-sequences.
Guardian should be launched first in the startup-sequence,
because of its unusual method of initialization. When it's called, it
looks in the ResModules table to see if it's already there. If it is
not (such as when it's launched for the first time), Guardian
installs itself in memory and resets the machine, to force the reset code
to build the ResModules table again.
From now on, you don't need to launch Guardian again, because it's
mounted as a Resident Module, and therefore the reset code takes care of
it through resets and system crashes. Guardian will survive any number
of them, until the machine is forced to do a cold start, or until a
malfunctioning program trashes its memory area. A label on the boot
screen will inform the user whether, and which version, is currently
installed.
When Guardian is launched and finds itself in the ResTable, it outputs
an announcement in the initial CLI and exits smoothly.
-a flag
-------
This is a new v1.2 feature.
Guardian, by default, installs itself in a 'kind' way, saving the
vectors that KickTagPtr and KickMemPtr may contain, but it can't
distinguish between a good and a bad boy. The new ram disk (RAMB0),
that comes on the Workbench 1.3 (v34.4) disk, for example, creates a new
entry in both of these vectors. This is a 'good boy'. The 'BYTE
BANDIT' virus, on the other hand, is a 'bad boy' (not to mention the
impolite way it throws itself into KickTagPtr, shutting the door on
all the others !). If you don't want the contents of these vectors to
be preserved, you can use the -a (angry) flag when launching Guardian
for the first time. This will force it to clear these vectors before
installing itself, un-mounting the other programs, which will be flushed
during the reset. If Guardian is already mounted and you launch it with
the -a flag, it will move its entry to the top of the list and remove
all the others from it. Note that they won't be removed from
memory until the next reset.
Use of the -a flag is usually not required (and not advised, if you are
running something like the RAMB0 device, or other programs that use the
resident modules technique to survive through the reset).
A common situation where the -a flag is required is the following one:
Guardian is not installed and you boot with a 'BYTE BANDIT' infected
disk. The virus activates itself, then the startup-sequence is executed
and Guardian launched. If you didn't use the -q flag (more about this
later), you'll get the alert about the Interrupt Vectors. Restore them.
Then launch Guardian again, this time with the -a flag, put a safe disk
into the internal drive and reset with CTRL-AMIGA-AMIGA.
-q flag
-------
A new Guardian v1.2 feature is the ability to check the interrupt
vectors table for non-standard values, and the reset capture vectors to
see whether they are empty.
By default, this security operation is performed each time you launch
Guardian, but it can be turned off by using the -q (quiet) flag. This
feature was implemented because these are critical points and are used
for virus operations, the first (interrupt vectors) by the 'BYTE BANDIT'
virus, the second (reset capture vectors) by the 'SCA' virus. If you
have one of these viruses already in the computer when you launch
Guardian, you'll get one of the two alerts, and you'll be given the
chance to put the standard values back into the interrupt vectors table,
or to clear the reset capture vectors.
Usually, you can keep an eye on these vectors, to see that nothing
messes with them, by simply launching Guardian without the -q flag.
If you are running some strange program that alters some of them, you
can force Guardian to ignore the situation by using this flag.
"WARNING !!! - Reset Capture vectors are not empty !"
-----------------------------------------------------
If you are infected by the 'SCA' virus, you can safely eliminate it, by
cleaning the reset capture vectors.
"WARNING !!! - Interrupt vectors are not standard !"
----------------------------------------------------
If you are infected by the 'BYTE BANDIT' virus, you can choose to
replace the standard interrupt vectors, but you won't necessarily be
safe. This depends on whether you launched Guardian with the -a flag or
not. If the -a flag was used, first you get the alert about the
IntVectors (replace them!), then Guardian clears the KickTagPtr (thus
eliminating the virus's entry), installs itself and (if launched for the
first time) resets the computer, forcing it to rebuild the libraries'
offset tables. This way the virus is flushed also from the trackdisk
device. If you didn't use the -a flag, the resident entry of the virus is
preserved, and the virus can mess with the trackdisk device again. If
this happens, you should either turn off the computer and boot with a
safe disk, or launch Guardian using the -a option and then reset the
machine to flush the virus from the trackdisk device.
-k flag
-------
A new v1.2 feature is the -k (kill) flag. If for some strange reason
(incompatibility ? not likely !) you wish to get rid of Guardian, you
can do it by using the -k flag. The resident module will be removed
from the list and its memory will be available after the next reset.
Use of the -k flag removes any Guardian version that is currently
active. If you are running with the older v1.1 and want to replace it
with the new v1.2, you need not use this flag. Just launch v1.2.
The new version will replace the old one, and will discard it from memory.
Please note that you can't launch v1.1 with v1.2 already in memory,
because this will lead to a reset loop. If you run into this situation,
take the boot disk out of the internal drive, reset with CTRL-AMIGA-AMIGA
and replace the old Guardian with the new version on all of your
disks.
Special Kickstart 1.3 (v34.5) flags
-----------------------------------
If you are running with Kickstart 1.3 (v34.5), you'll be able to use two
extra flags and four hot-keys. With Kickstart 1.3 (v34.5) you can boot
not only from the floppy disk, but also from a hard disk and from the
new ram disk (RAMB0). But if you want to boot from the ram disk, you
have to put a non-installed floppy disk into the internal drive or take
the bootable floppy out of the drive during each boot. Guardian lets
you decide whether the bootstrap should test for the presence of a
bootable floppy in the internal drive or for the presence of the ram disk
first. Usually the strap module tries to boot from the floppy disk first.
If this fails, it tries to boot from the ram disk, and if this also fails
you are requested to insert a disk.
-r flag
-------
If you launch Guardian with the -r flag, this order will be changed.
Bootstrap will first attempt to boot from the ram disk, then from the
floppy, and finally it will request the insertion of a disk.
-f flag
-------
You can use the -f flag to bring things back as they used to be: first
try from floppy then from ram.
Hot-keys
--------
If you selected boot from ram disk, and need to force it from the floppy
disk, there are two hot-keys implemented for this purpose. As soon as
the power LED stops flashing during the reset process, the screen becomes
light grey, and then white. As soon as it becomes white, you can press
the Left AMIGA key to force boot from floppy disk. If you press the
Left ALT key, the boot screen will be displayed and held until you
release the key, and bootstrap will start from floppy disk.
If, on the contrary, you have selected boot from floppy disk and need to
force it from ram disk, press the Right AMIGA key. If you press the
Right ALT key, the boot screen will be displayed and held until you
release the key, and bootstrap will start from ram disk.
The Left/Right ALT keys were implemented to let you check for the
presence of the Guardian label on the boot screen.
Please note that when I say "force boot from..." I mean that the
bootstrap will try to boot FIRST from that device. If this is not
possible, it will still try to boot from the other devices available.
A final word on Kickstart 1.3 (v34.5)
-------------------------------------
I'm not sure whether this Kickstart version is going to be the final
release or not, but since it's widely spread among A1000 users, I've
tuned this Guardian version to work with it. If the official
release turns out to be different, please return this copy, along with its
serial number, to Transactor (UK) Ltd or to the author, and the new
Guardian version will be sent to you promptly at the cost of postage only.
We will be able to fulfill this request for registered users only.
Don't forget to include your serial number in any communication with us.
A final word about Guardian v1.2r
---------------------------------
To give you a higher degree of safety from viruses, I created Guardian
v1.2r, which is to be installed on the Kickstart disk directly, in place
of the never-used Debug() function. This way, you won't have to care
about the first boot and things like that. If you own an Amiga 1000,
you can use Guardian_creator to modify a copy of your original Kickstart
disk. Simply launch this program and follow the instructions. Now you
can use the modified Kickstart disk in place of the original one.
You won't be able to use the -a, -k, -f, and -r flags, because they are
implemented in the startup code of Guardian v1.2, but you can still use
the hot-keys, which are controlled by the bootstrap itself. If you
launch Guardian_creator to modify a Kickstart 1.3 (v34.5) disk, you'll
be asked to select default boot from Floppy or Ram disk. This selection
will be 'burned' into the Kickstart-resident Guardian code, so it'll
be used each time you load that modified Kickstart, until you use
Guardian_creator on that disk again. I suggest you set the default
boot from Ram disk, and use the Left ALT/AMIGA hot-keys when you need
it to happen from floppy disk. When you are running with Guardian in
the Kickstart, you can still launch Guardian v1.2 in your
startup-sequences, to test the interrupt and reset capture vectors.
Guardian v1.1 was developed to work on A500/1000/2000, (v1.1r works on
A1000 only), with Kickstart release 1.2 (v33.180).
Guardian v1.2 was developed to work on A500/1000/2000, (v1.2r works on
A1000 only), with Kickstart release 1.2 (v33.180) and 1.3 (v34.5).
Please don't pirate this program. We've kept the price of this software
so low that there's really no point in pirating it. This is more a
service offered to the readers of "Transactor for the Amiga" than a
commercial program in its own right. If you've got this as a pirate copy,
please don't spread it further and send 3 pounds (6 USD) to the author
or to Transactor (UK) Ltd. You'll get a disk with the latest Guardian
version and a serial number to use for the next upgrade and for general
support about any problem you may have with Guardian. Thanks !
(May 19th 1988)
Leonardo Fei               Transactor (UK) Ltd
via A. Fava 6              Unit 2, Langdale Grove
20125 Milano               Bingham, Nottinghamshire
Italy                      England, NG13 8SR