CICA 1993 August

home *** CD-ROM | disk | FTP | other *** search

/ CICA 1993 August / CICA.cdr / unzipped / programr / vwpd / vwpd.doc < prev next >

Wrap

Text File | 1991-06-18 | 20.9 KB | 661 lines

Contents Chapter 1 The Virtual 386 Write Protect Device 1 1.1 Basic Information . . . . . . . . . . . . . . 1 1.1.1 Description . . . . . . . . . . . . . . 1 1.2 Introduction . . . . . . . . . . . . . . . . 1 1.2.1 Worlds first Shareware VIRTUAL Device Driver . . . . . . . . . . . . . . . . . 2 1.2.2 Low Overhead . . . . . . . . . . . . . . 2 1.2.3 Protecting old DOS applications . . . . 2 1.2.4 Optional features & additional options when you register . . . . . . . . . . . 2 1.2.5 Advantages . . . . . . . . . . . . . . . 3 1.2.6 Updated Features: . . . . . . . . . . . 3 1.2.7 Updates . . . . . . . . . . . . . . . . 3 1.2.8 Warnings and cautions . . . . . . . . . 3 1.2.9 Trojan and Virus Programs . . . . . . . 4 1.2.10 Background . . . . . . . . . . . . . . 4 1.3 Known problems . . . . . . . . . . . . . . . 4 1.3.1 Entering DOS . . . . . . . . . . . . . . 4 1.4 Installation . . . . . . . . . . . . . . . . 5 1.4.1 Copying and naming files . . . . . . . . 5 1.4.2 Verifying Installation . . . . . . . . . 6 1.5 Features . . . . . . . . . . . . . . . . . . 6 1.6 Restrictions . . . . . . . . . . . . . . . . 6 1.7 Control Program . . . . . . . . . . . . . . . 7 1.7.1 Installation . . . . . . . . . . . . . . 7 1.7.2 Use . . . . . . . . . . . . . . . . . . 7 1.7.3 Messages . . . . . . . . . . . . . . . . 7 1.7.4 Exiting . . . . . . . . . . . . . . . . 7 1.8 Optional Features . . . . . . . . . . . . . . 7 1.9 DOS Utilities that are protected by VWPD . . 8 1.9.1 Always Protected . . . . . . . . . . . . 8 1.9.2 Protected when write protect is on . . . 8 1.10 Advanced Information . . . . . . . . . . . . 8 1.10.1 Terminate Task . . . . . . . . . . . . 8 1.10.2 Miscellaneous . . . . . . . . . . . . . 8 1.10.3 DOS and Windows Tested . . . . . . . . 8 1.10.4 Custom Windows and OS/2 programming . . 9 1.10.5 Supplementary Documentation . . . . . . 9 1.11 How to contact for information . . . . . . . 9 i Chapter 1 The Virtual 386 Write Protect Device 1.1 Basic Information Title: Prevents disk corruption and crashes in Windows Keywords: VWPD CORRUPT CHKDSK CRASH DISK PROTECT WINDOWS SHAREWARE NETWORK TROJAN VIRUS FORMAT 1.1.1 Description VWPD prevents disk corruption from occuring when using CHKDSK while Windows is running(see Windows User's Guide p.54). It has a write protect feature which can be toggled on/off by the included control program. Test suspected Trojan and virus programs with secure write protect, enabled(runs in Protected Mode at Ring 0). Requires MS Windows 386 Enhanced mode. Documentation included. Network compatible. Simple installation. Download in 3 min. 1.2 Introduction The "Virtual Write Protect Device" is a MS Windows 386 Enhanced Mode virtual device driver. The VWPD protects your hard disk drive from DOS low level sector writes. Utilities like PC Tools Compress, Norton's SD, Golden Bow's VOPT and disk repair and modification utilities will receive an error("disk write protected"), if you attempt to run them while MS Windows is running(Enhanced Mode only). The VWPD also protects your hard disk from low level formatting and if you have used the control program (VWPDCTRL.EXE) to turn on the write protect feature you are protected from Interrupt 13h writes. Not only are you protected from these common utilities but any virus which might attack your system by the same method will be stopped dead in it's tracks. VWPD is a very simple system. There is the device driver(VWPD.386) and there is the control program(VWPDCTRL.EXE). Write protect for Interrupt 26 hex is always on. Write protect for hard disk formats(INT 13h) is always on. Write protect for low level writes(INT 13h) can be toggled on/off by the control program. This is NOT, repeat NOT an ordinary Windows Device Driver. They run at ring 1. VWPD runs at ring 0. It is more secure than code that runs at ring 1. Ordinary code that runs at rings 1,2 or 3 can not touch this driver. The only way code can run at ring 0 is be loaded at the time Windows starts up. 1.2.1 Worlds first Shareware VIRTUAL Device Driver I have good reason to be believe that this is the first virtual device driver for MS Windows ever released to the Shareware market. The effort and cost of doing a virtual device driver is not trivial. It may be some time before anyone becomes crazy enough to do another one. If there are any contenders for the worlds first, speak up or forever hold your peace. In 20 years no one will care who was first! Maybe in 3 weeks. For those of you interested in the INNER workings of MS Windows I am presently working on a tool similar to David Maxey's "INTRSPY" program. The TSR part of intrspy will be replaced by a virtual device driver. Then we can watch the protected mode interrupts go by. (Intrspy comes with the book "Undocumented DOS" by Andrew Schulman, et all). 1.2.2 Low Overhead The performance overhead for this protection is very low. When normal programs are running there is minimal overhead. When one of these special utilities that uses INT 26h is running it is blocked and there is essentially no overhead. 1.2.3 Protecting old DOS applications Our other shareware program system "Windows Safe" requires that any DOS program that you do not want to run while Windows is running must have a small utility added to the disk to block it from running. If you use 386 Enhanced Mode, then VWPD will protect you on a SYSTEM WIDE basis. It is not necessary to protect each program individually, if what you are trying to prevent is low level sector writes to the disk. So...what you save is disk space. You gain ease of installation and you get virus protection; all at the same time. 1.2.4 Optional features & additional options when you register Custom enhancements and site licenses for larger firms. - 2 - When you register and pay the requested $20 fee you receive an enhanced VWPD with many addition features. The program which we have provided you in effect for free is not a demo or crippled in ANY way. Feel free to use it. I won't waste my breath, telling you to register. So... I will tell you that you will receive an enhanced kit to make it easier for you protect your system from inadvertent and malicious disk writes. If you would like the additional features, then grab the order blank, print it out and send it in. 1.2.5 Advantages Requires only small amount of extra memory to run. Not a TSR. Prevents many crashes in Windows, especially useful for network administrators. 1.2.6 Updated Features: Warning Messages 5-25-91 Toggle Messages 5-27-91 Improved Documentation 5-30-91 DOS Only write protect 6-09-91 Fixes to version #'s 6-09-91 + warning message Fix DOS only bug 6-17-91 Drv. # 1.02, Ctrl. 1.01 1.2.7 Updates VWPD is likely to be enhanced for quite a while as Windows itself is being modified and as I discover more refined ways of providing the same or improved protection. If you have an early version of VWPD V. 1.0. Be sure to look for an improved version (1.5) sometime about 7-1-91. I will post it to Compuserve and maybe a few other places. 1.2.8 Warnings and cautions I have tested the VWPD system carefully. I believe that VWPD should work with ANY application in any situation. However, there is no foolproof system against viruses. During use, VWPD does absolutely no writing to your disk(s). Does not protect Network or RAM disks (drives). The device driver and it's control program have been installed here and running for about a month(5-30-91). The documentation and the control program are a bit rough looking but the driver - 3 - itself seems to be quite stable. Be sure to look for an update about 7-1-91. If you encounter any problems with the system be sure to let me know. 1.2.9 Trojan and Virus Programs The VWPD should be capable of stopping any DOS or Windows program that contains a Trojan or virus. The control program is a protected mode Windows program and is moderately safe from a DOS application. The VWPD itself runs at ring 0 and can only be controlled by a protected mode program and the interface to it is not documented or published to make it more difficult to bypass it. Beware of a virtual device driver that contains or is a virus or Trojan horse. As long as the ring 0 code in Windows does not contain and does not become contaminated by a virus, then Windows is much more secure than plain DOS. A Windows Virtual Device Driver could become contaminated if the disk file were to be modified, but a virus would have tough time changing memory during the time Windows was running. To test a suspected virus program. First turn write protection on using the control program. Also, turn warning messages ON, so that you will KNOW that a write was attempted. Then run the suspected program. If a write to the disk is attempted you will know. 1.2.10 Background VWPD is a general purpose tool that allows you to control writes to your disks. Some OLD DOS applications such as disk repair utilites should not be run from inside Windows. VWPD provides automatic protection for some of these programs. Users that accidently run programs like this from inside Windows can cause Windows to crash. The crash protection described is not complete but it will save you some headaches. Utilities that are not safe are those that bypass INT 26h and use INT 13h. 1.3 Known problems 1.3.1 Entering DOS Pageswap device driver causes a write to occur when opening a DOS window. This can be stopped by: - 4 - Checking the "DOS Only" box when turning on write protect. Opening the DOS window before turning on write protect. OR: Set paging off in the system.ini file. See the installation section below. "paging=FALSE". To turn paging back on set "paging=TRUE". 1.4 Installation 1.4.1 Copying and naming files This is a special WINDOWS Virtual Device Driver. Not a DOS device driver that would go in the CONFIG.SYS file. To install the Virtual Write Protect Driver(VWPD.386) a line must be added to the SYSTEM.INI file located in the Windows directory. This line must be placed in the "[386Enh]" section. The line should look like this: device=vwpd.386 For instance: [386Enh] device=vwpd.386 paging=FALSE VCPIWarning=FALSE SystemROMBreakPoint=False FileSysChange=False ebios=ebios.386 display=*vddvga keyboard=*vkd mouse=*vmd ... (etc.) ... The following information is based on information in the sysini2.txt file and explains the general method for adding a device. ------------------------------------------------------------ Device=<filename> - 5 - Default: none (Setup assigns appropriate values based on your system configuration.) Purpose: Specifies which virtual devices are being used with Windows in 386 enhanced mode. This value appears as the name of a specific virtual device file. Filenames usually include the .386 extension. Multiple device lines are required to run Windows in 386 enhanced mode. To change: Use Notepad to edit the SYSTEM.INI file. Copy the device driver VWPD.386 to the Windows system subdirectory. Copy the VWPDCTRL.EXE program to your windows subdirectory. 1.4.2 Verifying Installation The simplest way to verify correct installation is to attempt to use a disk defragmentor. When run it should stop and report that the disk is write protected! (not yet provided)The installation disk contains a program specifically provided to test that the driver is working. It reads one sector off the disk and attempts to write it back exactly as it found it. The sector used is the last sector on the disk. Not an important sector in a FAT or directory. 1.5 Features Network compatible. Helps prevent Windows from crashing. User Transparent Simple Installation Virus "resistant". Very low overhead. Contains NO code that can damage your system. 1.6 Restrictions Disks: floppies are NOT protected from formatting. Backup programs that do sector reads are not protected. Such programs should not be run if the disk can be modified(written to) while the backup is in progress. - 6 - 1.7 Control Program VWPD comes with control program that allows you to turn write protection on and off. It also has a status box to inform you as to the state of the device driver. 1.7.1 Installation Copy the VWPDCTRL.EXE file to your windows subdirectory. 1.7.2 Use To turn write protect on/off and toggle warning messages click on the "control" menu item. Toggle the appropriate options on or off. If the OK button is selected and write protect is set on; then VWPDCTRL will minimize itself automatically. The DOS Only button allows write protect to be set on, for DOS windows only. 1.7.3 Messages VWPD will display only one message if messaging is enabled and write protect is on. Due to the fact that messages are brought from disk and disk interrupts are NOT re-entrant, in order to put up a message it is necessary to queue the message. This means that there is a delay before the message appears on the screen. In the case of 486 cpu it's about 1/2 second. 1.7.4 Exiting Failure to close VWPDCTRL or turn write protect off before attempting to exit Windows will cause several annoying system write protect messages to be generated. The consequence of this is usually not harmful, but should be avoided. 1.8 Optional Features A version with enhanced features is under development. This will provide options to protect individual floppies drives when 386 mode Windows is running, as well as some other features. Read Sector protection. Format protection (by floppy) Low level write protection by task. Protection for all writes, by task. Toggle protection on/off by task, by function, by drive. I/O port protection. Hiding Windows from a virus. - 7 - Call for information. 1.9 DOS Utilities that are protected by VWPD 1.9.1 Always Protected CHKDSK RECOVER (Tested in DOS 3.30)If run from Windows while VWPD is installed these programs will not write to the disk. They are safe to use. 1.9.2 Protected when write protect is on DOS FORMAT is protected. PC Tools Format is protected. FDISK is protected. 1.10 Advanced Information 1.10.1 Terminate Task VWPD can be used if you want to test a specific program, possibly containing a virus. If an attempt is made to write to the disk, a warning message will be displayed. You may choose to continue (OK) or cancel in which case the task that was running will be closed. If you choose to cancel, after our warning message you will also get a Windows error message telling you that you must reboot. This not necessary, the message is in error. You may safely continue(this last statement is being tested, but believed to be correct). 1.10.2 Miscellaneous VWPD is a virtual device driver, NOT a program. It runs at ring 0 which means that no program can modify it while it is running. Ring 0 is a hardware feature of the 80386, 80486 processors. This driver does NOT work in standard or real modes. Windows in standard (286) mode is not as vulnerable to ill- behaved applications as enhanced mode is. At this time we do not offer a driver that works in 286 mode. 1.10.3 DOS and Windows Tested Tested under DOS 3.30 and Windows 3.0a on a 80486 processor. Tested under DOS 5.0. Requires DOS 3.x or higher. Windows 3.x or higher(386 Enhanced mode) - 8 - Works with DOS 3.x, 4.x and 5.x Runs only on 386 and above machines. Will not run on 8088,8086 or 80286. 1.10.4 Custom Windows and OS/2 programming We do applications and device drivers, call or write for information. Old DOS applications should be modified to be Windows aware. If you have a DOS product and need technical help to update it, we can do the job 1.10.5 Supplementary Documentation The registered kit contains a subdirectory that has several files totaling over 60,000 characters of documentation, most of it related to network issues. See also: Byte Magazine, Networking Windows, Mar. 91, p.299-307. Your Windows directory (win3?), the text file: networks.txt. Provided as is, without a warranty. 1.11 How to contact for information Mom's Software Box 449. 391 So. Pacific St. Rockaway, OR 97136 503-355-2281 CIS 71171,47 - 9 -