The resources VirusDetective™ looks for may be modified below.  You can also save search strings to a text file (see “Option Configuration” to set file type) or read from a text file containing one search string per line.

What gets written is the currently *displayed* set of search strings which may not reflect what is stored in VirusDetective™ unless a Save is done.  Likewise, when you read in a file, it only replaces what is displayed and is not stored until a Save is done.

The syntax is as follows:

  <search-string> :=
     <file-string> {; Comment}
     <file-string> & <resource-string> {; Comment}
     <resource-string> {; Comment}

This says a search string is either a <file-string>, a <file-string> followed by the character ‘&’ followed by a <resource-string> or just a <resource-string>.  All of them may be followed by an optional (indicated by the {}’s) ‘;’ and comment string.

<file-string>’s can actually occur anywhere in the search-string, not just at the beginning.  In general you want them first to speed the search process.

  <file-string> :=
     Creator <op> <CID>
     Filetype <op> <FID>
  <op> :=
     =
     ≠
     >
     <
   <CID> := 4 character file creator
   <FID> := 4 character file type

This says a <file-string> is the word “Creator” or “Filetype” followed by a comparison operator ‘=’ (for “is equal to”), ‘≠’ (for “is not equal to”) (type Option-= to get this character), ‘>’ (for “is greater than”) or ‘<’ (for “is less than”) followed by a four character file creator or filetype.  E.g. “Filetype = APPL” would match all applications.

  <resource-string> :=
     <resource-selector> & <resource-comp> [ & <resource-comp>]

A <resource-string> is a <resource-selector> followed by one or more (indicated by the []’s) <resource-comp>’s each separated by a ‘&’.

  <resource-selector> :=
     Resource Start
     Resource <RID>
  <RID> := 4 character resource type

A <resource-selector> is either “Resource Start” which means the first executed CODE resource or “Resource XXXX” where XXXX is some resource type like “nVIR”.  Note:  It *must* be exactly 4 characters, including spaces.

  <resource-comp> :=
     Any
     Data <pattern>
     ID <op> <snum>
     Name <sep><string><sep>
     Pos <snum> & Data <pattern>
     Size <op> <num>
  <snum> :=
     -<num>
     <num>
  <num> := unsigned decimal number
  <sep> := any single character
  <string> := string of up to 255 characters

Any -
   Matches any <resource-selector> resource.  E.g. “Resource nVIR & Any” would match any nVIR resource.

Data -
   Matches any <resource-selector> resource containing the <pattern> (described below).  You can specify an optional starting offset position with the “Pos” keyword.  Positive offsets add to the beginning and negative offsets subtract from the end.  E.g. “Resource Start & Pos -1344 & Data 060CA9#643E9” starts searching the first executed CODE resource for that pattern 1344 bytes from the end of it.

The “Data” keyword must be the last keyword in a search string. The “Pos” keyword (if present) can occur anywhere before the “Data” keyword.

ID -
   Matches any <resource-selector> resource whose resource ID satisfies the given relationship.  E.g. “Resource CODE & ID > 10” matches any CODE resource whose ID is greater than 10.

Name -
   Matches any <resource-selector> resource whose name is enclosed in the separator characters.  E.g. “Resource INIT & Name "RR"”.

Size -
   Matches any <resource-selector> resource whose resource size satisfies the given relationship.  E.g. “Resource MEV# & Size = 722” matches any MEV# resource whose size is equal to 722.

  <pattern> :=
     <hex-pattern>
     <ascii-pattern>
  <hex-pattern> :=
     <hex-byte-word>{<hex-pattern>}
     #<hex-char>{<hex-pattern>}
  <hex-byte-word> :=
     <hex-char><hex-char>
  <hex-char> := character 0 through 9 or A through F
  <ascii-pattern> :=
     "<string>"
     '<string>'

A Data match pattern can be specified as a sequence of hex digits, two per byte, or as a ASCII string enclosed in either single or double quotes.  An ASCII pattern must match its entire pattern exactly to be considered “a match”.  A hex pattern can “skip” bytes by using the ‘#’ character followed single hex character, 0 through F, to skip 0 through 15 bytes.  E.g. pattern 3C#500 would match a resource containing 3C12C9006A8000.

Spaces may be used between search-string parts to improve readability.  Only the first 255 characters of a search-string are saved.

You can use Command-C to copy any selected search pattern and Command-V to paste it into the type-in buffer for editing.

Examples of valid search strings are:

Resource Start & Size<800 & Data 2F3A#F00#C80 ; For finding nVIR, etc. (Appl's/Finder)
Filetype=ZSYS & Resource INIT & Size<800 & Data 2F3A#F00#C80 ; For finding nVIR, etc. (System)
Resource Start & Size<800 & Data 41FA#92E#797 ; For finding INIT29 in Appl's/Finder
Filetype≠APPL & Resource INIT & Size<800 & Data 41FA#92E#797 ; For finding INIT29 in non-Appl's
Resource Start & Size<8000 & Data FD38#FBA#5A3 ; For finding Scores in Appl's/Finder
Filetype≠APPL & Resource INIT & Size<1100 & Data FD38#FBA#5A3 ; For finding Scores in System, etc.
Resource Start & Pos -1344 & Data 060CA9#643E9 ; For finding ANTI
Resource INIT & Name "RR" ; For finding Peace