Shareware Overload

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Overload / ShartewareOverload.cdr / utils / antivir2.zip / TRAPDISK.DOC < prev next >

Wrap

Text File | 1986-09-18 | 7KB | 140 lines

TRAPDISK.COM Version 1.0 PURPOSE "Trap Disk" (TRAPDISK.COM) is NOT a game! It is a further attempt to prevent pranksters from destroying your data. The proliferation of the "Trojan Horse" type programs which proport to be games but actually plant bombs in your system which format your hard disk or erase the disk directory, has prompted the writing of this program, as well as CHK4BOMB.EXE ("Check for Bomb"). This program is based on BOMBSQAD.COM by Andy Hopkins. CHK4BOMB.EXE reads the program file from disk and attempts to spot dangerous code and suspicious messages, but since code is often a function of run time memory situations, it could miss spotting the "bombs". TRAPDISK.COM is a program that intercepts calls to the BIOS code in ROM as a suspicious program is run, displays what is going to happen during the call, and asks if you want to continue. You can abort or continue as you see fit. INSTRUCTIONS FOR RUNNING TRAPDISK.COM Type "TRAPDISK" and one or more of the following letters (upper or lower): "R" to stop on a request to READ a sector "W" to stop on a request to WRITE to a sector "V" to stop on a request to VERIFY a sector "F" to stop on a request to FORMAT a track "U" to 'UNINSTALL' TRAPDISK - note that program will not be active, but memory can not be reused until the system is rebooted. "H" or "?" to display a brief command summary (will not install TRAPDISK). To change any of the instructions, just run the program again with the new letters; although TRAPDISK is a memory-resident program, once installed it will not attempt to re-install itself. Remember that TRAPDISK will stop only on those requests specified the last time it was invoked. If you start it with "F" only to stop on a FORMAT call, and later want to add "W" to stop on a WRITE call, you must specify: TRAPDISK FW on the DOS command line. IF NO LETTERS ARE SPECIFIED: TRAPDISK will remain active but will not stop on any disk calls. If TRAPDISK is not installed, a "blank" call will install it in memory. SUGGESTION: Try TRAPDISK R to stop on a READ request and then try a DIR command. Watch the operation on TRAPDISK when disk READS are called. This will give you an indication of how the program works. MESSAGES When TRAPDISK detects a call to the BIOS routines, it checks to see if the stop condition is met. If the function has not been selected, TRAPDISK will pass control directly to the BIOS disk routine. If, however, a stop has been requested before a disk function occurs, TRAPDISK will display the following message: |--------------------------------------| | DISK MONITOR | |--------------------------------------| | Break on request to READ | | | | DRIVE HEAD TRACK SECTOR NUMBER | | A: 0 26 1 9 | | Data address 0BA9:00F0 | | Return address 0070:0143 | | | | <Esc> to Abort <Ret> to Perform | | <Del> to perform & disable trapdisk | |--------------------------------------| DRIVE is the requested drive (A-D). HEAD is the side or head (0-1) for diskette (0-3 or more) for hard disk. TRACK is the cylinder or track in decimal (0-39 or more). SECTOR is the starting sector number in decimal (1-8 or 1-9 or more). NUMBER is the number of sectors involved in the operation. DATA ADDRESS (in HEX) is where the data is stored or read from. RETURN ADDRESS (in Hex) is the return address for the calling program (i.e. the address where execution will resume after Int 13 completes). PRESSING THE ESCAPE KEY causes TRAPDISK to return to the calling program with the error code for time out. The disk operation is NOT performed. The action the program may take on this error will vary, but the requested disk function will NOT take place. PRESSING THE RETURN KEY causes the program to carry on as if TRAPDISK did not exist for this call. Be warned that if you request a stop on a READ operation, you will press the Return key many times just to read one file as DOS searches directories and the FAT! Instructive, but not too useful. PRESSING THE DEL KEY causes the program to carry on (just like RETURN), but there is a difference. DEL will shut down any further checking. The only way to enable checking again is to call TRAPDISK with command-line arguments (as described above). This key is very useful in cases where you have forgotten that TRAPDISK is installed and want to disable it so you can get on with your work! CHANGES & IMPROVEMENTS versus BOMBSQAD.EXE "TRAPDISK" has added a command-line help that functions without installing the resident code. It corrects a bug in "BOMBSQAD" that incorrectly reported hard disk drive letters. It extends the BIOS calls beyond the diskette interrupt calls to some of the hard disk specific calls (Read Long, Write Long, Format Bad Sector, Format Whole Disk) that "BOMBSQAD" does not handle. And it has added the "RETURN ADDRESS" information and the "Del" key to the pop-up window. TECHNICAL NOTES This program can only trap access requests that go through Int 13h. All of the DOS disk calls for standard disk/diskette devices are routed through this interrupt. However, access to installed devices (like some RAM disks or OEM add-on packages like TALLGRASS & SYSGEN) is often through vendor-sipplied device drivers. These drivers are known to DOS and are used in lieu of Int 13h to access these devices. TRAPDISK CAN ONLY CAPTURE ACCESS REQUESTS FOR DEVICES THAT ARE CONTROLLED VIA INT 13h!!! Ergo, any "devices" that use installed device drivers could be compromised by a well- placed trojan horse program, even if TRAPDISK is active. The moral: DO NOT depend on TRAPDISK to protect your add-on hard disks from damage from a trojan horse algorhythm! COPYRIGHT AND DISTRIBUTION In the spirit of Mr. Hopkins original program, feel free to copy and distribute this program. We make no claim on any sort of copyright, since this program is based on BOMBSQAD!