Text File | 1990-12-22 | 14KB | 304 lines
VSAFE.DOC 12/21/90
Howdy:
The little utility program that you have here was developed as
a cure for many types of virus programs that replicate inside
of a system by attaching themselves to executable programs in
a manner that does not render the program unusable. VSAFE and
VP will protect any v5.0 Turbo Pascal program by storing data
about the file INSIDE of the program, and actually checking
that this data is still valid every time the program is run.
Versions for v5.5 and 6.0 of Turbo Pascal will be available
very soon; check where you found this file, or on my BBS, for
these versions and also for upgrades.
The tests are made at locations that a virus has to use when
it infects a file, and cannot be hidden from VSAFE! Once an
.EXE file is thus protected, it will not run after infection
until the program is replaced on the disk. VSAFE will even
work with most programs that have been compressed with the
new LZEXE/PKLITE utilities! I mention this, because I have
just seen programs that were compressed by PKLITE which ran
fine and caused no CRC errors at runtime - but were infected
with the Jerusalem-B virus INSIDE AND OUT!
VSAFE will only work in its present form with programs that
are compiled under Turbo Pascal versions 5.00 thru 6.00 but
can be modified to work with all versions of Turbo Pascal.

TO USE VSAFE:

Using the VSAFE protection is very simple. Just place the
VSAFE.TPU file in your UNITS directory, and add its name to
a USES statement in any part of your program. That is all
you need to do to add VSAFE to your program! NO other mods
to your code are necessary!
Next, just compile your program! That is all there is to it
for this part of the installation process. To test that VSAFE
has properly compiled, you should just run your program! You
will observe a very short delay as VSAFE tests your code, and
then you will see a message that tells you that the program
has been damaged. If this happens, VSAFE is working!
The reason you are seeing that message is because VSAFE has
tested the program out and the values it is getting are the
defaults installed by me when I compiled the unit.
To complete your VSAFE installation you just need to run the
VP program that you have here in the VSAFE.ZIP archive.

NORMAL OPERATION:

To run VP just type: VP [filespec]
Where [filespec] is the COMPLETE path and name of the program
you wish to protect.
Example: VP C:\TURBO\EXECS\MYPROG.EXE
That is all you need to do for some very strong protection
against most all types of virus infection AND hacking! It is
good to know that you can safely distribute software that
cannot be blamed for causing an infection OR easily have its
code disassembled and then easily recompiled by another!

USE WITH LZEXE/PKLITE:

To use VSAFE with a program that is to be compressed with
either PKLITE or LZEXE is a slightly different process.
First compile your program as above, and then compress it
with your choice of either LZEXE or PKLITE.
Next, run VP with the 'CMP' option as follows: VP [filespec] CMP
Where [filespec] is the COMPLETE path and name of the program
you wish to protect THAT HAS JUST BEEN COMPRESSED, and CMP is
a switch to tell VP that it will be processing a program that
is to be compressed.
Example: VP C:\TURBO\EXECS\MYPROG.EXE CMP
VP will then create a small temporary file in the drive it was
run from, and store what it needs to know about the compressed
program.
After this process is complete, you will have to re-compile
your program, and then run VP again WITHOUT any command line
parameters. VP will read the temporary file, and then make
the necessary adjustments to your program.
Finally, re-compress your program with your utility, and test
it by running the program. If the process was successful, you
will not get the 'integrity compromised' message that VSAFE
generates for an infected or damaged file.
***
This version of VSAFE will only test parts of the program that
a virus has to move to successfully infect the file. It also
tests the DOS reported filesize to see if it has changed, but
no tests are made other than that. To see this, you can take a
copy of a protected file and modify a byte with a sector editor
like NORTON in the area about 500-512 bytes into the file. This
should still allow your program to at least execute, and VSAFE
will reject and terminate the program. You can also play with
the data near the top of the file to see if VSAFE catches the
modifications. The number 512 is important as that is the size
of the blocks at the beginning and end of the file that VSAFE
checks for tampering. This does not seem like very much, but
it is more than enough when you consider that in order for a
virus to infect your program it needs to insert something at
the beginning of the program! And even if a virus were to do
something nasty like install itself as an internal overlay,
it still must modify this area if the infected program is to
run when executed. Some of the virus programs attach code at
the end of the file, but this gets tested too!
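
The checks described above, sketched in Python as an added example (not VSAFE's code, whose algorithm this document does not give). SHA-256 over the first and last 512 bytes plus the file size, and a record kept outside the file, are assumptions; the constructed cases show which changes each check flags and that a same-size change in the middle of the file passes, consistent with "no tests are made other than that".

```python
import hashlib
from collections import namedtuple

WINDOW = 512  # block size the document gives for the head and tail checks

# Assumption: the record is held outside the file; VSAFE keeps its data inside the EXE.
Record = namedtuple("Record", "size head tail")

def make_record(image):
    """Size plus digests of the first and last WINDOW bytes (SHA-256 is an assumption)."""
    return Record(len(image),
                  hashlib.sha256(image[:WINDOW]).hexdigest(),
                  hashlib.sha256(image[-WINDOW:]).hexdigest())

def failed_checks(image, record):
    """Names of the checks that no longer match; an empty list means the file passes."""
    now = make_record(image)
    return [name for name in Record._fields
            if getattr(now, name) != getattr(record, name)]

def flip_byte(image, offset):
    """Copy of image with one byte inverted, like the sector-editor test in the text."""
    out = bytearray(image)
    out[offset] ^= 0xFF
    return bytes(out)

# Constructed sample: a 4096-byte stand-in for a program file, not a real EXE.
ORIGINAL = bytes((i * 7 + 3) % 256 for i in range(4096))
FILLER = bytes(300)  # constructed stand-in for bytes added to the file

CASES = {
    "unchanged": ORIGINAL,
    "byte changed at offset 505": flip_byte(ORIGINAL, 505),
    "300 bytes added at the end": ORIGINAL + FILLER,
    "300 bytes added at the start": FILLER + ORIGINAL,
    "byte changed at offset 2048": flip_byte(ORIGINAL, 2048),
}

def report():
    """Map each constructed case to the list of checks it fails."""
    record = make_record(ORIGINAL)
    return {name: failed_checks(image, record) for name, image in CASES.items()}

if __name__ == "__main__":
    for name, failures in report().items():
        print(f"{name:30} -> {', '.join(failures) or 'passes'}")
```
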
In order for a virus to be able to avoid detection by VSAFE
it would be necessary for it to disassemble most of the file
it was trying to infect, and then insert itself someplace
after modifying jumps and calls throughout the program! If I
ever meet a virus that can do that, I will take up another
line of work!
I won't be a fool and say it is impossible, but it would be an
awful lot of work to create a program that could do that to any
executable program, yet remain fast enough and small enough to
not raise immediate suspicion.

ABOUT VSAFE:

I wrote these programs to help solve a problem. I saw some
good people get badly screwed by infections of several .EXE
attacking viruses. It really bothered me to see these people
put in that position because some little jerk-dirtbags
decided to have some nasty fun with their skills, so I sat
down and spent a few minutes to combat them.
This version of VSAFE is fully capable of offering most all
Turbo Pascal programmers a very powerful measure of security
for their own programs. I hope it makes a dent in the mess!
Although not in a position to be an industry standard like
John McAfee and his FANTASTIC series of computer security
products, I would like to do something to help. VSAFE is my
first public effort. I have some other versions that I am
now testing that are capable of providing this level of
protection for ALL executable programs, including those
not compiled with Turbo Pascal. If the interest in VSAFE
is encouraging enough, I will continue to expand on this.
The version of VSAFE you have here has a fixed sampling
window size, and the messages are also fixed to a few
lines of copyright data, and some words about what VSAFE
is doing.
See the last section of this hastily typed document file
for details on how to get the extended version of this
program, and also on how to license it commercially.

DISCLAIMER AND CONDITIONS OF USE: { I hate this part!}

In this version, VSAFE is provided as an evaluation copy.
You may copy this file and give it to as many others as
you wish. I require that you distribute ALL of the files
AS-IS in the state that