home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Belgian Amiga Club - ADF Collection
/
BS1 part 05.zip
/
BS1 part 5
/
GOD14-(412)695-3647.adf
/
FindEmAllV5.2.Doc.pp
/
FindEmAllV5.2.Doc
Wrap
Text File
|
1992-08-04
|
51KB
|
1,023 lines
FindEmAll V5.2
Copyright © 1991-1992 Koen Peetermans
All rights reserved
Release date May 18, 1992
FREEWARE/VOLUNTARY SHAREWARE
User Manual
TABLE OF CONTENTS
-----------------
A) DISCLAIMER
B) PREFACE
C) HOW TO GET A NEW VERSION
D) ERIK LØVENDHAL'S ANTI-VIRUS WORK
E) SYSTEM REQUIRMENTS
F) WHY DID I WRITE THIS PROGRAM ???
G) WHAT DOES THIS PROGRAM DO ??
H) PACKAGE LIST
I) QUICK START/EXPERIMENTING
J) THE DISPLAY USED IN THE FINDEMALL PROGRAMS
1) Special "User-friendly" ANALYSE display in CLI
2) Example Display of a CLEAN computer with kickstart 1.2/1.3
K) TECHNICAL STUFF
1) ColdCpt,CoolCpt,WarmCpt
2) KickMem
3) KickTag
4) Debug
5) Execint
6) SftList
7) ErrVec
8) HardInt
9) TrapVec
10) TaskVec
11) DosBase
12) KBReset
13) INTERRUPT SERVERS
-What are interrupt servers ?
-Examples
14) LIBRARIES/DEVICES/RESOURCES
-What are libraries/devices/resources ?
-Examples
-THE INTERNAL DOS LIBRARY
15) TASKS
-Normal Display
-Example : diskdoctors virus
-Harddisk problems
-Tips & Tricks
16) RESIDENTS
-What are resident programs ?
-Multiple viruses example
17) Message Ports
L) THE FINDEMALLVECTORS PROGRAM
M) MORE TECHNICAL STUFF
1) The Printname routine.
2) The Cold Reset routine.
L) "SHORT" FINDEMALL HISTORY
M) CLI CHECKING VERSUS BOOTBLOCKCHECKING / CLI MEMCHECK INSTALLATION
N) FUTURE UPGRADE PLANS + HELP NEEDED.
O) THE AUTHOR - ME !
P) THANKS
Q) QUESTIONS ??
R) BUGS ??
S) SOURCE CODE
DISCLAIMER
FindEmAll has been tested thoroughly and is not able to damage
your system in any way. However, the author is not responsible
for any loss of data caused by bad use of the program. See
especially in the section that explains the use of the installer.
PREFACE
This program is freeware, this means that you can copy it
freely as long as you don't ask any more money for it than a
nominal fee for copying. If you want to distribute this program
you should keep this document with it. This program cannot be
used for commercial purposes without written permission from the
author. I hereby give explicit permission to Erik Løvendahl Sørensen
and Fred Fish to include this program in their series.
HOW TO GET A NEW VERSION
New versions are available from me directly, just send enough
money for stamps,disk,... Although this program is freeware, more
money than needed won't be refused, the money will be used in the
battle against Viruses and Virus-authors. If you send me more than
$15, you can also get the source of the previous version and you can
get the next 2 versions directly from me (Fast !).
Or you could write to Erik Løvendahl Sørensen (see below), he
will always get new versions from me directly, and hopefully
he'll place it on his splendid "New SuperKillers" disks.
If you have suggestions or remarks about this program, or if
you find any bugs, please contact me. I like to have mail about this program
and other Virus subjects. New Viruses would also be appreciated.
Write to the following address:
Koen Peetermans
Vrijheersstraat 8
B-3891 Gingelom
Belgium (Europe)
Erik Løvendhal's Anti-virus work
--------------------------------
Our motto: "Safe Hex..."
I want to mention the work of Erik Løvendhal Sørensen from Denmark.
He has founded a group of Amiga Enthusiast, all fighting against viruses.
This group has over 250 international members now, among them
some of the programmers of wellknown anti-virus programs like
Steve Tibbet and Jonathan Potter. Among the activities of this
group are:
- Spreading information to anti-virus programmers as fast as
possible.
- Trying to get names and proof against virus programmers and
giving the information to the justice departement of his/her
country to press charges. Remember, there is a reward of
1000$ (Wow !) for the person that helps convicting a Virus
programmer.
- Writing articles in popular magazines to inform new Amiga
users about viruses and how to protect themselves.
All this is volunteer work. If you want some more information
about this organization or you want to sponsor his work, contact
Erik at the following address:
Erik Løvendahl Sørensen
Snaphanevej 10
4720 Præstø
Denmark - Europe
Phone: 00 45 55 99 25 12
Fidonet 2:23424/43
Persons in Belgium can contact me directly, I'm also responsible for the
Regional Virus Centre in Belgium (Dutch language).
SYSTEM REQUIREMENTS
FindEmAll should run on ALL amiga's, who have their kickstart logically
at $f80000 or $fc0000. People with kickstart e.g. at $2000000 or so can get
an adjusted version from me if they send me a description of their kickstart
address. Future versions of FindEmAll will probably be able to bypass this
problem by using a special installer. (comments are welcome !)
If you're an experienced Amiga freak, you can "patch" the code if you want,
just change the values $efffff and $1000001 inside the programs to the right
kickstart addresses.
It has been tested with KickStart 1.2,1.3 and 2.0 on A500/2000/3000
Amiga models (Not on an Amiga 1000,but these won't cause a problem I guess.)
It has a NTSC/PAL detection for automatic sizing of the display.
Should you have any trouble running FindEmAll on your machine,
please write to me with the full specifications of your machine,
that is KickStart version, model, expansion boards etc...
Use a good sysinfo program to determine your setup, if needed.
A printout of the output of the "FindEmAllVectors" program (see further)
would also help me solving your problem.
WHY DID I WRITE THIS PROGRAM ??
Some time ago I noticed that a new virus, the Saddam Virus,
had infiltrated about 10 disks of me, even though I already knew quite
a lot about viruses. At the moment there existed no viruskiller for this
virus so I had quite a few problems deleting it. At that moment I said
that I should have a program that should be able to immediatly detect ALL
new viruses, no matter how devious their tricks or "INVISIBLE" modes would
be. The FindEmAll programs work a bit like the Ram-check option of
the new BOOTX versions, and at the moment it does also some other things.
The main difference is that I managed to make my program so short that
I was able to place it in a bootblock (1Kb !), what is very difficult if
you see the abilities of this program. Since it is a bootblock you are able
to detect future viruses very fast in memory, and a lot of disks which
don't use things like loaders can be installed with this bootblock.
Don't under-estimate the work that has gone into these programs. I've
been working on it the last months and it has changed a LOT since the
first version (See the History). A lot of research was needed in order
to understand all the things that are and COULD be used by viruses.
WHAT DOES THIS PROGRAM DO ????
This program checks a LOT of things in memory, some are very important,
where some are less important and some are maybe not even needed, but you
can never have enough information when dealing with viruses.
Here is a short summary of the things it does (Detailed information
can be found further in this manual) :
- It checks + shows ALL the main vectors used by viruses (cold,Cool,...)
- It checks + shows some "important" values in Execbase
- It checks ALL sorts of interrupts, from Hardware interrupts, to
Execbase Interrupts (handlers AND SERVERS !), the serverlist is
even displayed on-screen !!!
- It shows + COMPLETELY checks ALL libraries and Devices, and ALL
the Resources that can be checked.
- It shows ALL names of reset-proof resident modules (Very useful !)
- It shows all the tasks running.
- The CLI programs also check the Internal Doslibrary and 2 important
vectors in DosBase, this is VERY EXTRAORDINARY AND RARE !!!
- It can wipe out ANY virus from MEMORY !!! by doing a reset !.
- .......
As you can or can't see, this program is the MOST powerful
Virus-DETECTOR available for the Amiga at the moment, certainly
when compared with other BOOTBLOCK checkers, I've never seen
one even coming close !! (STOP bragging, Koen !!). Most other
bootblock checkers only check about 3 values in memory, my
programs check even more than 500 values in memory !!!!!.
PACKAGE:
The package should contain (Names can be changed a BIT,if needed):
- This doc file "FindEmAll.doc"
- The Bootblock installer "FindEmAllInstaller"
- The CLI program "FindEmAllCLI" (V5.2)
- A Program called "FindEmAllvectors "(V1.6) (runs only from CLI)
QUICK START/EXPERIMENTING
Run the installer (from CLI or WorkBench), insert a Disk with a normal
bootblock (so not with a loader !), and press the Install gadget. The Boot-
block will now be installed on that disk. Press a key during the execution
of that boot to display the current status (so,hold down shift or something
else during bootup and the display will always pop up).
If there is something wierd, like a virus, is in memory, the display will
come up autimatically, even withouth a key-press.
During the display, press Left-MouseButton to wipe everything out of
memory, and the Right one to perform a normal boot and leave everything in
memory. Sorry for so few mousebutton information on the display, I had no
place left, I thought security was more important than user-friendlyness and
after a few times using the programs you'll work with it with your eyes
closed !!!.
THE BOOTBLOCK INSTALLER
The installer is pretty straight-forward and user-friendly, if I may
say it. just run it from CLI command or from workbench, and a window will
pop up. Just select the appropriate "gadgets" to do a install with my
bootblock, display the current bootblock on that disk, and select another
drive. The only gadget that could confuse you is the 'TaskCheck' gadget.
This is a switch that allows you to put task checking on and off. After
you've selected that you'll still have to install the disk with the chosen
bootblock. Why is this selection possible ??? Well see further in the doc's
in the part on TASKS !!. For now, leave the taskcheck on, it's safer !!!
Important: Be sure NOT to overwrite loaders or special intro's !!!
You can also install an other version that doesn't display a message, but
that checks more things, the names of these bootblocks have an "/X" or
something like that behind the name.
THE DISPLAY USED IN THE FINDEMALL PROGRAM/BOOTBLOCK.
After the Boot, the screen will become BLACK to enable you to notice the
presence of the FindEmAll bootblock on that disk (Black is beautiful !)
I use an Alert Window to display the status/.... The programming of
such a window doesn't need a lot of programming so I had more space for
detection routines. The Alert Window also assured me maximum Kickstart
compatibility.
SPECIAL "USER-FRIENDLY" ANALYSE DISPLAY IN CLI
The "OLD" FindEmALL versions were not very userfriendly, so I did an
effort to make at least the CLI checker a bit more userfriendly. When there
is something wierd in memory, a special alert window will pop up, saying
that there is a suspicious program found in memory, and that this COULD
be a virus. If nothing is found in memory, this window will NEVER pop up !
In the Middle of the screen you see an ANALYSE window that quickly shows
the most frequently performed actions of some viruses, and if they are
done at the moment. If there are some Yes-es in this display, you should
be EXTREMELY cautious !!. If you want more information (see further), you
can press the left mouse button. I am planning to keep this ANALYSE window
updated so that with ANY resident VIRUS, there is at least one YES in the
analyse window. IF there is no YES in the display, normally there is NO
OLD virus in memory, but beware for NEW viruses, but these are normally
found and displayed in a more technical way in the "Technical display".
Here's a short explanation of the ANALYSED functions :
- Reset proof program found in memory : There is a program in memory that
can survive a RESET !!!
- Drive I/O intercepted : Bootblock/... read/writes intercepted
by a program (VERY LIKELY a VIRUS !!).
- Hard/Software interrupts changed : Used a lot by viruses, but sometimes
also by "badly" written utilities.
- Reset Proof memory allocated : The least important function of this
ANALYSE display, this is sometimes
used by viruses, or a RAMDISK
- DOSBase changed (traveling Jack) : 99 % sure that this is a VIRUS !!!
- DosLib LOAD offset intercepted : Could be a LINK-virus, or maybe also
explode.library,LVD,pp.library
- DosLib WRITE offset intercepted : Could be a LINK-virus, or also
patchpp,....
EXAMPLE DISPLAY OF A CLEAN COMPUTER ON A KICKSTART 1.2/1.3 AMIGA
************************************************************************
* LEFT=KILL/RESET K.P. FindEmAll V5.2 *
* *
* ColdCpt OK -ciaa.resource OK -potgo.resource OK *
* CoolCpt OK -?????? OK -keymap.resource OK *
* WarmCpt OK -gameport.device OK -ciaa.resource OK *
* KickMem OK -timer.device OK -ciab.resource OK *
* KickTag OK -ciab.resource OK -disk.resource OK *
*{Debug OK} {-Internal DOS library OK} -misc.resource OK *
* ExecInt OK -exec.library OK *
*{SftList OK} -expansion.library OK -keyboard.device OK *
*{ErrVec OK} -graphics.library OK -gameport.device OK *
* HardInt OK -layers.library OK -timer.device OK *
*{TrapVec OK} -intuition.library OK -audio.device OK *
*{TaskVec OK} -mathffp.library OK -input.device OK *
*{DosBase OK} {.............} -console.device OK *
*{KBReset OK} -exec.library OK -trackdisk.device OK *
* *
* -input.device OK *
* -trackdisk.device OK *
* *
* *
* *
* *
* *
* *
* *
* Resident: OK *
************************************************************************
Note that the field places of the left column are different in BOOT,
and there are also some fields not displayed in boot.
In CLI: 'K.P. FindEmAll v5.2',DOSBase+dos.library+internal DOS library
+ some extra libraries/ports displayed ( see {}) + KBReset checked
+ servers displayed below the devices !!!
TECHNICAL STUFF
Hmmm..... for a non-programmer or a non-virus specialist there should
be at least a few problems understanding all this, that's why I'll try
to explain all of them ....... I won't get TOO deep into some parts,since
I would give would-be virus programmers too many tips and that's absolutely
not what I want to do.
It's rather technical, but READ it, it's quite important if you want
to understand and use this bootblock to the limit. I kept the information
as simple as I could possibly write it !!!
I have divided the displayed vectors/... into three classes :
- Class A : Very important, very often used by viruses. These Vectors
HAVE to be used to create reset-proof software.
- Class B : important, often/frequent used by viruses for hooking
into memory,hiding in memory,...
- Class C : Vectors that aren't really critical or normally couldn't
be used by a Virus.
ColdCpt,CoolCpt,WarmCpt (Class A)
-----------------------
- These are vectors that are very often used by viruses since they enable
a program to be reset-proof. The three vectors' full names are
ColdCapture,CoolCapture and WarmCapture. They are found in the Execbase
structure (The 'Main' system structure). These values are checked for
being zero, if they're NOT than there is almost certain a reset-resident
program (A Virus ?) in memory. The ColdCapture and the CoolCapture vectors
are much more important than the WarmCpt vectors, since that vector is
apparantly not possible to use for creating reset-resident programs with
the current kickstarts.
These vectors are considerd Very important Vectors, if there is anything
wrong with these the chances are great that there is a virus in memory (or
another reset-proof program.) => Class 'A' Vectors
When a Vector is not zero, the "OK" is changed into a "BAD!"
Kickmem (Class B)
-------
- This is a vector that allows programmers to keep a certain part of memory
reserved AFTER a reset, so that part of memory can be "protected" to be
overwritten after a reset. When this Vector isn't zero, this vector will
be displayed 'BAD!'. This vector is not as important as the previous vectors,
but is sometimes used by some viruses. So, CAUTION when this vectors is
'BAD!'. If ONLY this vector is BAD!, there is little chance that there is
a reset-proof PROGRAM in memory, since it is not possible to START some
sort of routine or program by using this vector, maybe it could be some sort
of reset-proof ramdisk that keeps its memory allocated after a reset.
KickTag (Class AA)
-------
- Now this IS a very important one !!!. This one is used to be able to even
create MULTIPLE reset-resident programs (See the Resident explanation).
Because of the way FindEmAll searches for residents I thought it would be safer
to ALSO display/check this vector seperatly, since this is one of the most
important vectors.
Debug (Class CC)
-----
- This appears to be an entrypoint for the Amiga Debugger, I haven't been
able to call it until now, so I guess it's not important, but it's checked
anyway, to see if this one points to ROM.
ExecInt (Class BA)
-------
- This field stands for the status of 16 Interrupt vectors (Interrupts are
RUN when some special thing happens, like the refresh of a screen,I/O).
When one of the 16 Vectors checked doesn't point to ROM or isn't Zero,
there could be a program (likely a VIRUS) in memory that has deviated it
for it's own use, like for calling a routine that keeps filling Class A
Vectors with the viruses' entrypoints. This is wat e.g. the ByteBandit
Virus does. These 16 IntVects are found in Execbase and are used by the
operating system. They define the entrypoint of a single routine (a
so-called 'interrupt-handler'), or the entrypoint of a routine that handles
an 'interrupt-server-list' - see further for explanation on servers
SftList (Class C)
-------
- This also stands for some sort of interrupt, but one that isn't controlled
by hardware, like the other interrupts, but by software ONLY. I just check
if there is something in the 5 softlists, and if there IS something in the
list it's "BAD!". These Vectors are NOT important, but were just included
because I had a few bytes to spare.
ErrVec (Class CB)
------
- These are some values that define the entrypoints of the processor when
for example there is an address-error, like when you have a GURU or
something else. Sometimes changed by a Virus, don't ask me why but
it seems rather unimportant.
HardInt (Class BA)
-------
- This stands for 7 vectors, that are DIRECTLY accessed by the processor
when a hardware interrupt occurs. Normally these point to a ROM-routine
that executes a handler/server (see ExecInt), so if some devious virus
changes this , it's 'BAD!'. These vectors can be used by a virus just
like the ExecInts.
TrapVec (Class C)
-------
- This is comparable with the ErrVec Vectors, so not really important,
and I've not yet seen a Virus using it.
TaskVec (Class C)
-------
- 3 Vectors in Execbase that define the Entrypoints for taskExit(s),
exception routines,...... I've not been able to use them, so probably
a virus won't be able also.
DOSBase (Class BA)
-------
- These 2 vectors can and are only checked in CLI/Workbench because there
is no dos.library during boot. If one of these is changed, you can be
quite sure that there is some sort of (link)virus in memory.
I've heard that the travelling Jack uses one of these two.
KBReset (Class ????? A ??? B ???)
-------
- I don't think this one should be checked at the moment (with the current
kickstarts), but since VMK checks it I'll check it also. I'll have to say
that the routine I use is based heavily on the VMK routine, since I have
no documents that explain this sort of pointers. I also noticed that the
VMK program isn't able to check it on 68030 boards since some values in
the keyboard device are a bit changed then. ($21->$22,$24->$25) FindEmAll
also checks these values. I don't think that it is possible to create
reset-proof programs with these vectors, but when it's possible the program
will find it.
Until now, I must say that these Vectors are not the real power of this
program, since this was rather easy to make and doesn't take much routine-
space/programming. The following things, however, were not THAT easy !!
Interrupt Servers (Class BA)
-----------------
In the upper-mid part of the window you'll normally see this:
-ciaa.resource OK Class B
-?????? OK Class BA
-gameport.device OK Class BA
-timer.device OK Class BA
-ciab.resource OK Class B
"Now what the hell is this ??" I hear the whole Amiga World asking......
Well remember when I told you about interrupt-servers ????. Well, that's
it !!!! These servers are used when a programmer needs to install an
interrupt 'by the book'. All interrupts are placed in a "list", and they
are one by one executed after each other when an interrupt occurs. Some
sort of interrupts are used so much at 'the same time' that these sort
of lists were 'invented'. Notice that there is more than one type of
server. You normally have the servers caused by a CIA-A interrupt
(ciaa.resource), caused by the Vertical Blank interrupt (started when
the electron beam returns to the top of the screen) (-??????,gameport.
device,timer.device) and a CIA-B interrupt (ciab.resource).
So, in this situation we have 3 different sort of servers displayed
(and they are okay !). The names you see appear to be the names of
the 'routines' that USE the server. Don't worry about that -??????
name, that NAME is ALWAYS bad, but that ROUTINE IS also executed so it's
also checked for the right jumpaddress. Notice that you don't see if a
server is a CIA or a VBlank server, that's not really important.
Don't worry if there is a 'other' server displayed like '_SCSI_' (A3000),
as long as it's 'OK' there can be nothing wrong !!!. Also, with a LOT of
harddisks you have will probably also a few BAD servers, it's impossible
for me to know the difference between these and a virus-server. So you
should know your 'usual' BAD servers so you can see a DIFFERENCE when there
is something else in memory. If you look at the example display, you see
the STANDARD servers, if one of these is changed, you can be quite sure
that that change is NOT done by a harddisk !!. If you put the taskchecks
off (with the installer), the servers will be still SHOWN, but the warning
window WON'T pop up if there are ONLY tasks or SERVERS changed.
The servers weren't use by viruses in the 'old days', I think the Saddam
Virus was one of the first to do it.... quite Devious !!!!!!!! That one
changes the one with the BAD name, but my bootblock will say :
-ciaa.resource OK
-?????? BAD!
-gameport.device OK
-timer.device OK
-ciab.resource OK
Gotcha !!!.... another virus bites the dust !!!!!! (Well, the Saddam
Virus changes SO much that is was found anyway, but you never know,
future viruses will try to hide in memory, and now they have an important
place less to hide. ('There ain't much bytes safe for a Virus when there
is a FindEmAll bootblock on your disks !!')
A special feature of this bootblock is that it is able to distinguish
between a server and a handler, so if someone can change a handler into
a server (this is normally not possible, but since I've been able to do
it,....) this program will automatically detect if it's a server and it
will display and check that 'Undocumented Server'. Another Virus Bites
the dust !!! (And it ain't over yet !!)
Please note that some programs like Xoper,ARTM will add new servers to
the system. Usually these servers have a good name like 'Xop I/O counter'
, but some programs like 'blanker' don't use good names,so beware !!
Viruses don't normally set a good name, but I guess they could do that in
the future, so watch out !!!.
Libraries/Devices/Resources (Class BA / BA / B)
---------------------------
This works a bit like the RamCheck option of the new BootX versions,
only that my one is a bit less documentated but therefore small enough
to fit in the boot.
On the screen during the FindEmAll Boot you can see the names of ALL
the libraries/devices/resources that are present in memory during
the Boot (There is NO dos.library during the boot !). Now what are
Libraries/Devices/Resources ???? Well, to make a long story short,
each Lib/Dev/Res is a collection of routines that are put together
in a special structure in order to make it easier for programmers to
make programs and to insure future compatibility when e.g. a new
kickstart is published. A specific routine from one library is run
by calling a certain negative offset of that library.
Now, my bootblock doesn't only checks the offsets OFTEN used by viruses,
but checks ALL offsets of a library so that even a Virus that changes
ANY offset in ANY L/D/R will be found.
Because of the special list-following-routine of my program, NEW
libraries like on the A3000 are checked also.
L/D/R that run COMPLETELY in RAM instead of ROM can't be checked but
normally also can't be used by a virus since they must be loaded from
disk. In this case there won't be an 'OK' after the L/D/R name.
The Bootblock displays the offsets that are BAD in hexadecimal values.
Examples of bad libraries/devices:
-exec.library
-$01C8:BAD! * The DoIO() routine is changed (used
by a LOT of viruses !!!)
-trackdisk.device
-$001E:BAD! * Can be compared with the DoIO() routine,
but this one only applies for disk-drives,
while the ExecLib-DOIO works for most
drives/HD's !!!
Here's a list of offsets used often by viruses:
- exec.library : -trackdisk.device :
-$0060 : FindResident routine -$0006 : Open Device
-$00D8 : Availmem routine -$000C : Close Device
-$0114 : FindName routine -$001E : BeginIO routine
-$0198 : OldOpenLibrary routine -XXXXXXX.device :
-$01C8 : DoIO routine Almost Every device has the
- intuition.library : same offsets !!! => same as
-$00CC : OpenWindow trackdisk.device !!
I advice you to experiment a bit with the bootblock and some resident
utilities like Pseudo-ops Viruskiller (don't USE it !!) to see how
changed L/D/R are chown. Try some viruses if you have any !! (But KILL
them AFTER testing !!!)
THE INTERNAL DOS LIBRARY
------------------------
This library only can be checked in CLI/Workbench, since there is no
dos.library during boot. I've made a routine that should be able to
check ALL the vectors in the internal doslibrary. I've made this
routine 'intelligent', so if there is no internal doslibrary with
kickstart 2.0, it will find that out automatically. If there's something
bad in the internal doslibrary, the vectors that are printed are NOT the
offsets in the internal doslibrary, but the offset-numbers are just the
same as the vectors in the normal dos.library. This makes life just a bit
easier for some guys I guess. (And also made my code SHORTER !!!)
Please allow me to mention that this check is very special, it's the
first program on Amiga that checks all the vectors in the Internal
DOS-library and IT WORKS (It detects the change done by the LZ-virus!)
Tasks (Class B)
-----
- Since the Amiga is a multitasking system, some virus-creators thought it
would be "usefull" to start a task in the background that keeps the Virus
firmly hooked into memory. So I had to show all the Tasks that are running
during the boot. YES, there IS multitasking running during the boot, there
are normally about 3 tasks running (This can be more if you own a harddisk,..)
With my standard Amiga these tasks are called:
-exec.library (The current running tasks, controlled by exec)
-input.device (So a task started or controlled by the input.device)
-trackdisk.device (Same here, used to control the disk drive)
The tasks are displayed below the libraries. Now, when a virus like
the diskdoc virus gets into memory, it will install a task named
"clipboard.device", that keeps putting the virus back into memory when
you try to kill it. FindEmAll V5.2 will find and show this task as a BAD
one. This is what shown at that moment:
-exec.library OK
-clipboard.device BAD!
-input.device OK
-trackdisk.device OK
So FindEmAll is able to find BAD tasks ???. I hear a lot of programmers
wondering how I do this. Well, first I have to say that this only works
during the boot, and the check-"routine" is not ideal by far. You will notice
this when you have a harddisk, most of the time the harddisk task is 'BAD!'
also. That is why there is an option with the installer (see previous) to put
this routine off, when it's annoying you when you have a harddisk. I would
advice to leave the task-check on, since it offers a slightly better
protection. DON'T be to sure that everything is allright when all TASKS are
'OK', since it is possible to bypass the routine (I'm not telling HOW to do
that, search it for yourself you Virus Creating LAMER !!!).
A tip on task-checking :
-If there are MORE tasks displayed than normally on your system,
you should be extremely CAREFULL. Things I've seen are 2 trackdisk tasks
during BOOT,..... So, if you have problems and you think it is a virus,
try pressing a key during the boot when normally no warning is chown
by the bootblock.
If you see new tasks or so, BINGO !!!. So far all this is not needed,
but Viruses -unfortunately- get better and better by the time.
For the experts : all RUNNING,READY and WAITING tasks are chown !!!
(NORMALLY there aren't any ready-tasks during boot, but the diskdoc
virus has another opinion about that !!).
Another program I found that installed a task was the viruskiller
"Viruscontrol V1.3" (This time it was a WAITING task !).
Residents (Class AA)
---------
- At the bottom of the screen the "resident" programs are chown. These
are generated by using the kicktag, explained previously. The Residents
allow it to have MORE THAN ONE reset-proof program in memory at the same
time !!!. Now this can be very dangerous, since viruses can intrude in
memory even if there is a checker like Guardian also in memory, and Guardian
won't notice the other Virus !!!!. So I made a routine that displays the names
of ALL resident programs present in memory. When there is NO resident program
in memory the display reads 'Resident:OK'.
When there is a resident program in memory the name is displayed,
if possible (read the comment about the printname routine, further in the
manual). I've been able to put about 5 resident programs in memory at the
same time. These were : TurboPrint,Guardian,PowerUtility,The Lamer
Exterminator Virus and a other virus with a bad resident name. So the display
looked somewhat like this:
Resident:-printer.device (Turboprint)
-PowerUtility !!!
-??????? (Virus With BAD name)
-strap (Guardian)
-The Lamer Exterminator !!! (Guess what ....)
(This is just an example, the actual places were different)
The resident program with the highest priority is chown at the lowest place,
due to the text-build-up of my routine. The program with the highest priority
is executed first during the reset-routine.
Message Ports (Class CC)
-------------
- Very unimportant, I think I'm gonna remove this check !
The Ports are displayed below the devices (if there ARE ports).
Don't worry if you get ports with the -?????? name that just are ports
that aren't used anymore (although I'm really not sure about that).
In CLI,there usually ARE ports like 'IDCMP','-??????' !!!
THE FINDEMALLVECTORS PROGRAM
This is a program that can only be run from CLI (or with iconx). This
program shows all the things checked by the other FindEmAll programs in
hexadecimal values. This is normally used by people that know a bit more
about viruses and things. I use this program to determine the address of
a possible virus in memory, to do specific tests,.... There is a lot of
room for improving this program (user-friendly ??), but you can work with
it if you want. The output can be redirected so 'FindEmAllvectors > prt:'
will print the output on printer. With this program it is
possible to determine almost all activities of a virus very quickly !!
(I hope this program will turn out to be very useful for other anti-virus
programmers, and hope they'll use it and send me suggestions !!)
This program is comparable with the VMK program, it only does many things
more. Send me your tips on how I could improve this program !
PS: The VMK program has some bugs (e.g. with 'special' resources like the
keymap.resource), use the FindEmAllvectors program !!!
From version 1.2, there is also a ASCII display of the memory.
The program figures out which part of memory to display,by way of sorting
and selecting bad pointers. Now, the program can be made to display the
memory in ASCII when a certain number of BAD vectors are close to each-
other in memory. The default number for this is 3, so a program has
to change at least 3 vectors in order to be displayed in ascii.
The number used by the program can be given as parameters in CLI,
for example:
'FindEmAllvectors' => No ASCII displays.
'FindEmAllvectors -d5' => Only ASCII displays above 5 changed vectors.
'FindEmAllvectors -d1' => Always ASCII displays of changed vectors.
'FindEmAllvectors -d' => Default => Value = 3
This can be quite confusing, so try fiddling with it a bit, I hope
you understand it. Please note that the parameter-parser of the
program is very primitive, it won't give error messages or help !!
THE PRINTNAME ROUTINE :
- When printing names from libraries/devices/resources/residents/tasks,
I get these names out of RAM, and some virus-makers try to do some special
tricks to give some things BAD names. When you see a -?????? displayed that
means that the name begins with a zero (so it is an empty name), so I placed
question marks instead of nothing. Now, a SMART virus programmer (That's not
possible since all these "programmers" are not smart enough to get out of
their ....) could give the name all blanks (" "), but I've outsmarted them,
I just place the "-" character before each name, so NO name can stay
undetected !!!!. This was also done for when an Extremely clever virus
maker would program a resident virus with the 'OK' name. (The OK-virus ???
Hahahaha !!! Don't give them ideas, Koen !!!! ) Normally that would
cause the Resident display to read "Resident:OK", but now it is :
"Resident:-OK'. Gotcha !!!. I guess you still need a sharp eye, but it's
better than the old printname routine I guess....
THE COLD RESET ROUTINE :
Like mentioned before, by pressing the left mouse button during the warning
display, you can kill ALL resident programs/viruses in memory. This routine
will be similar like putting the computer off and on, so NOTHING can survive
this sort of reset.
I've tried a lot of 'reset versions' to see which one was the most
compatible one and would work on each system. First I used an adjusted
version of the 'official' reset routine published by commodore. Well, this
one didn't seem to work at all on an A3000 or on some autoboot harddisks.
From version V4.9, there is a new reset routine , that should work
much better and more compatible. Special thanks must go to Geert Coelmont for
sending an official reset routine !!. There is also a new reset version in
boot now, that should solve the previous problems with autoconfig boards.
SHORT FINDEMALL HISTORY
-V1.0 : checked only ColdCpt,CoolCpt,WarmCpt and KickTag
-V1.1 : added KickMem and KickChckSum test(the last one shouldn't be checked)
-V2.0 : First 'advanced' version.
- First library checker routine for exec.library and trackdisk.device
- Checked residents => only one resident displayed
- checked ColdCpt,CoolCpt,WarmCpt,KickMem,KickTag,KckCheckSum
and hardints.
- memory allocated, 80 cols (didn't work on kick 2.0), 'official'
reset-routine.
-V2.1 : Included intuition.library and graphics.library check, and a few
much used ExecInts.
-V2.1+: Better display
-V2.2 : added timer.device and layers.library check, checked ALL execints
-V3.0 : First version of FindEmAll that went trough list to check ALL
libraries/devices/resources. Included TrapVec and ErrVec check.
-V3.1 : RAM/ROM L/D/R detection, TaskVecs checked, multiple (5) residents
displayed, KickTag field removed (because of the checked residents)
-V3.2 : test version
-V3.3 : First version with task-check, ExecInt checked better, SoftList
checked, max. 7 residents displayed
-V3.4 : test version
-V3.5 : DebugEntry check added, checks included for use with 'special'
32-bit RAM outside 16 MB area.
-V3.5+: added Port-display
-V3.6 : Better and new task-check.
-V3.7 : First check of interrupt servers
-V3.8 : New Checklibrary routine (safer)
-V4.0 : Much better interrupt server check ('BAD' ones also checked)
automatic server<->handler detection included.
-V4.1 : safer server check (no more GURU's with BAD lists)
-V4.2 : much safer library checker, display reorganised
-V4.3 : shorter and fast library check-routine
memory used is NOW allocated properly
PAL/NTSC check
-V4.4 : KickTag check reinserted (You never know .....)
Code tidied up a bit.
library check routine more watertight against 'smart' guys.
FIRST OFFICIAL RELEASE.
-V4.5 : ONLY CLI/workbench programs improved, since the added things can
only be checked in CLI/workbench. Added DOSBase check,internal
dos.library check and KicKMemList(s) display. Fixed the Task-
check bug.
-V4.6 : -Exec library test made safer (99% watertight).
The new bootblock does this test.
-CLI checkers even more safer (99.9% Watertight !!)
-FastFonts and Blitzfonts programs support added in vectors program,
and also LoadWB (AmigaWiz !) and explode library recognized.
-KickMemlist display 'bug' in FindEmAllvectors fixed.
-'smart' ASCII display of memory in vectors program.
-SoftList and Ports checks removed from bootblock (rather useless ?).
-rt_init field (jumpaddress of a resident-routine or data's) and
rt_Endskip field (end of structure) from residents displayed
by vectors program.
-V4.7 : -Hmmm, I (at last !) found that the ExecPatch isn't done yet during
boot, so I could remove this routine, and so I had space to
re-include the SftList check. Because of this new library test
the bootblock has become just as watertight as the CLI version!!!!
-Security improved drastic by not using the NT_TYPE (node !) values.
-Exec.library test made mega-safe !!! (99.999% Waterproof !)
-Dos.library check also made extra safe.
-Much Safer RAM/ROM detection
-Running Task is now also displayed.
-Drive Motor is stopped during boot-display.
-Replaced OldOpenLibrary into OpenLibrary in CLI programs
-Placed Servers on another place in screen in CLI, because there
are more libraries and tasks in CLI !!!
-V4.7+: -Bootblock/Programs now also have Safer RAM/ROM detection
-Ports check deleted (again ???) from bootblock.
-V4.8 : -Brand new and very good ROM/RAM L/D/R detection routine,
very safe. Because of this new and long routine, the softlist
check was deleted again in the bootblock (forever ???)
-Vectors program now also checks librarychecksums and
the Resident's matchword.
-No more fiddling possible with libraries' negative sizes.
-Libraries closed after use in CLI (no place for it in BOOT !)
-V4.9 : -LMB "bug" fixed in CLI program
-Table added with the negative sizes of some very important
ROM libraries/devices/resources, making CLI-checks mega-safe.
-New COLD-reset routine in CLI programs.
-V5.0 : -I was out of 4.x versions, so what's new ????
-Many code changes to make the bootblock code even shorter and
more compatible + waterproof.
-Negative size of exec.library checked in boot also.
-Negative size of libraries not CHANGED anymore, just checked,
so no more BAD library checksums caused by the FindEmAll program.
(Many viruses, however, WILL corrupt library checksums !!!)
-New, very SHORT and compatible COLD-reset routine in boot.
-checks against odd addresses added (less GURU's with bad lists).
-no more self-modifying code in programs, so there cannot be
problems with 680X0 caches (although the previous versions modified
their code in a quite compatible way, no GURU's there !!!!)
-KeyboardReset is checked (Important ????) ONLY in CLI,since the
check routine takes too much space (almost 100 Bytes !!)
-Many ß-testing was done of this version on Kickstart 1.2,1.3,2.0
,on Amiga 500,2000+HD+68030,Amiga 3000 in order to 'earn' the
5.0 version.
-V5.1 : -The name of the programs were changed from 'Memcheck' to 'FindEmALL'
,that should sound more logical (thanks to Erik for this tip).
-The CLI program is made much more user-friendly, and I added an
analyze display for activities done a lot by viruses.
-There is also a WARNING text in boot also, but unfortunately I had
to remove the more unimportant fields from the boot (but normally
these vectors won't be used by viruses).
-V5.2 : -Just some small stuff changed, please send me more suggestions next
time, so I can make better improvements !!
-The CLI version didn't seem to always "switch" properly from one
"big" alert window to the other on my kick 1.2, the present versions
tries to solve this by using a Delay between the displays.
-No more key press check in CLI, only LMB check !!
-The bootblock installer now saves 4 versions of the bootblock, so
"experts" can save the 'no-warning-prompt versions' also.
-The installer should run okay now when started from WORKBENCH,
I forgot to ReplyMsg the Workbench message, causing memory loss
and sometimes a GURU. The CLI FEA program now also does this,
YES you CAN run it ALSO from WORKBENCH, did you know this ??
-I don't use the Kick2.0 ColdResetRoutine anymore, it didn't seem
to be safe in all days use.....
CLI CHECKING VERSUS BOOTBLOCK CHECKING / CLI FINDEMALL INSTALLATION
There are a few differences between virus-memory-checking in CLI/Workbench
and checking during the boot :
- Viruses (LINK) that don't stay in memory during a reset (XENO !),
WON'T use 'Class A' Vectors to stay in memory. These viruses are quite
difficult to find in memory since they usually stay resident by way of
libraries. Viruses of this type won't be found in memory during boot
since they ARE NOT in memory at that time. These viruses are very rare
at the moment. The solution to this is to use a checker that starts from CLI
and that can deal with that virus. The CLI version of my FindEmAll program
or the FindEmAllvectors program could be used for this.
- Some viruses use special techniques to hide from memory DURING the
boot. AFTER the boot they re-install the Class A vectors in order to survive
the following reset. So, when a virus succeeds to bypass detection from my
boot (What is unlikely, but never impossible), I advice you to put the CLI
version somewhere at the 1-3'th place in the s/startup-sequence. I do it this
way: I place the CLI FindEmAll command in the first AND the third place, just
to be on the safe side. REMEMBER, a reset proof virus can NOT be hided from
detection after startup (=> in CLI), this is their main weakness !!!!!
- Some viruses "skip" the real bootblock, so my Bootblock detector
would not be run => no warning (Waft Virus!), so beware of this. Try the
CLI program if you see wierd things like no black screen with a FEA installed
disk !!!.
- Some Viruses, like bombs (Taipan...) are NOT resident in memory and
can therefore NOT be detected by this program (rather obvious...)
By the way, if you run SetPatch before the FindEmAll CLI program is run, you
can see that there are a LOT bad libraries. This is a inconvinience that
hasn't been dealt with until now. So run the CLI program BEFORE the
setpatch command. Also when you start up the WorkBench, you could notice
that there is one vector changed in the intuition.library (-$0114). Don't
worry about this. If you have doubts about some changed vectors, run the
vectors program since it knows a few programs that change libraries,
like FastFonts,.... More programs will probably be added !!
- The bootblock is intended to find a virus in boot,even if it uses
hiding techniques.
FUTURE UPDATE PLANS + HELP NEEDED
- If possible, even more checked !!
- An installer that automatically finds the kickstart start address.
(This could cause problems with ROM-modules at $f..... )
- Bigger and more flexible CLI FindEmAllvectors version
Setpatch,... recognition, if possible
(the recognition routine should be quite short but still VERY safe)
- The program "FindEmAllvectors" can be improved a lot.
Ability to break the program by 'Ctrl-C', but I don't know
how to do it .... Any hints ?? (In assembler !!!)
- Maybe a reset-proof checker if time allowes it.
- More library checks. Does anyone have a good description of the
COMPLETE (POSITIVE part) dos.library, xx.library ,xx.device,
xx.resource structures,... eventually also on kickstart 2.0 ???
Send it to me,please !!!
- ANY SUGGESTIONS ???? -> Write me !!!
THE AUTHOR - ME !
Hmm.... I am a 20 year old Amiga freak, graduated as a programmer-
analist since last year. I'm working as a systems manager/programmer
since the 6th of January 1992 (It's a great job !!).
I use an Amiga 500 with a KCS Power PC Board (Shame on me ??? - well,
the reset-proof ramdisk is quite good .... The Emulator isn't used !!),
together with a STAR LC24-200 (Help !! My printer's 1.2 ROM has a few bugs
when printing graphics, he sometimes skips lines when he had to PRINT...
anyone has a similar problem ????) and one 5 1/4 disk drive. For the moment
it's quite poor but when I earn enough money I'll maybe get a
super-charged A2000 !, or a Tower-3000 maybe....I'll just wait and see.
THANKS
I wish to thank the following people for their help and moral support:
- Geert "Cóóóóóól-G" Coelmont for his high-tech remarks and enthousiasm.
Write more of those great demos and mega-blasts, Geert !!!
- Grégoire Jean Christophe for everything ... (yeah !!)
- The Emro store in "Hasselt" for free use of their A3000, with that nasty
32-bit memory ,that mega-68030 processor and kickstart 2(.01 ??)
- Walter Schoenaers for his technical electronic bullshit and his
1001 questions and comments.
- Elen Joachim for giving me some competition with his Medicine Viruskiller
and for always ripping off my ideas or routines !
- Ronny Joris for his moral support, crazy mind and para-psychologic
headaches (and also his wonderful ice-creams ...) !!
- Ronny Plevoets for his "expert" opinion on "rasters",copper-"lines" and
11 ms harddisks.
- Beatiful girls with curly hair that keep me dreaming and hoping !..
(although they don't need to have curly hair !!!) (I would like to
have some mail from computer crazy girls !! - 200 % reply !!!).
(18-05-92: No responses until now ..... Come on girls !!!!)
QUESTIONS....
Like stated earlier, questions can be send directly to me and I'll try to
find an answer for them. If there are some things confusing in the manual,
let me know as the manual for this program is quite new. I'll change
the doc file, if possible. Urgent questions can be answered directly, by mail.
If you have Virus problems, send also the virus, if you can. If it is a new
virus, I'll send it also further to Erik Løvendahl. Discretion is assured
about your name and address, unless you WANT it published !!
BUGS
There could be some bugs left !!
If you find bugs, contact me !!!
SOURCE CODE.
Hmmm... Normally I don't give away source codes, but if you don't trust
me, it would be possible that I sended the source to one or two well-known
anti-virus programmers, so they could check it.
The latest source isn't normally send to persons that I don't know, but you
never know if you can convince me of your good meanings (probably not).
The source of the previous versions, however, CAN be obtained !!
I'll have to say that the codes of the installer and the vectors program
are not written with a lot of care for loops,.... since there is enough place
for these programs, not every byte is important. The code of the
bootblock/CLI checkers is written quite better and therefore much shorter.
------------------------ Good Virus hunting !! -----------------------------
Signed,
Koen Peetermans alias 'The Exorcist'
