Text File | 1995-02-27 | 15KB | 432 lines
****************************************************************************
*                   REMOVELINK.LIBRARY VERSION 32-25 DOC                   *
*                                                                          *
*                                                                          *
*                             Update 24-08-93                              *
*                                                                          *
*                 Copyright © Safe Hex International 1993                  *
*                                                                          *
****************************************************************************
Welcome to this release version of this library. I hope it's a library
you can use in your virus killer or whatever you are doing. The purpose
of this library is to help a virus-killer programmer, or any other file
utility, to find virus-infected files.

This library is copyrighted by SHI and may NOT be used in commercial
programs without written permission from SHI. All SHI members and
shareware programmers can of course use this library for free. Remember to
send your address and program to SHI to get written permission.

Please add the "Wanted-Viruses.txt" (a list containing wanted viruses for
update), and remember to credit the author (Johan Öhman) and SHI in your
program as stated in the following.

Here is a little message about SHI:
----------------------------------------------------------------------------
ABOUT SAFE HEX INTERNATIONAL

If you know a virus programmer you can get a reward of $ 1000 for
supplying his name and address. The fact is that the law punishes data
crime very severely (5 years in jail in most countries).

We are an international group with more than 500 members who have started
trying to stop the spread of viruses. Let me give you some examples:

1. Our motto is: "Safe Hex", who dares do anything else today?
2. A virus bank containing more than 1800 Amiga and PC viruses for
   supporting good shareware antivirus programs.
3. We help people to get back money lost by virus infection.
4. We write articles about virus problems for about 20 computer
   magazines worldwide.
5. We release the newest and the best virus killers around from
   about 25 well-known programmers worldwide.
6. We have more than 35 PC and Amiga "Virus Centers" worldwide
   where you can get free virus help by phoning our "Hotline", and
   the newest killers translated into your own language at very
   little cost.

For more information contact:

SAFE HEX INTERNATIONAL
Erik Loevendahl Soerensen
Snaphanevej 10
DK-4720 Praestoe
Denmark
Phone: + 45 55 99 25 12
Fax : + 45 55 99 34 98

(Please send 2 "Coupon-Response International" and a self-addressed
envelope, if you want information about SHI by letter.)
----------------------------------------------------------------------------
BASIC NEEDS: Some weird kind of documentation for programmers.
             (Knowledge of MC68000 code is needed, plus basic
             knowledge of 'C' to understand this fully...)

(C) Copyright SHI, written by Johan Öhman 1993
For 'removelink.library' version 32.000 and higher
(first public release of the library)
Legal:

THIS PACKAGE SHOULD CONTAIN:
  RL.doc               (this file)
  Removelink.i         (assembler include file)
  Removelink_lib.i     (assembler include file)
  TestProg1.s          (assembler test prog)
  TestProg2.s          (assembler test prog)
  removelink.library   (the library itself)
  WantedViruses        (a list containing wanted viruses)

* All parts of this package are written by Johan Öhman,
  and are therefore the legal property of the author.
  The contents are copyright Safe Hex International.
  No profit may be made from these products,
  unless you have written permission from the author himself.
  (A small amount like 5 US$ is OK, for copy charges and the like.)
  The only exception to this are public domain disks like the
  Fred Fish collection.
"RemoveLink library ...
 What the f..k is that ?
 I have a lot'a libraries, as I can't programme, or
 understand any of ...
 I don't need this one ..."

This was my personal experience of many libraries, so my goal was
to write a library that was relatively simple to use, not too big,
and most important; useful.
That is what RL is, and what it does is very important today,
when our Amigas are attacked by viruses from all corners of the world,
that is - removing viruses from disk (files/sectors) and from memory.

My second reason was that many disk/file handling programmes could easily
be expanded to get virus-killer features, which in my opinion would
decrease the spreading of viruses very much, or at least (more pessimistically)
not help spreading them.

This is the first stable version (32.000) and won't change too much now.
All the most important things are covered in this version.
Older versions won't be compatible with ver 32+, but those are very
buggy, so don't use them.
From ver 32 on, all libraries will be backwards compatible, so you can
use older libraries (but remember, the newer the library, the safer the Amiga).

Very important:
This is a LINK/FILE removing library.
No other (like bootblock-type) viruses are covered whatsoever...
(For bootblocks, use the library written by Johan Eliasson.)
Now to the programming of the library:

- Opening the library is done like any other disk-based library
  (the library name goes in a1, the lowest acceptable version in d0,
  and a NULL result means the library could not be opened):

      start:  ...
              lea     RLName(pc),a1       ; a1 = library name
              moveq   #32,d0              ; d0 = lowest acceptable version
              move.l  SysBase,a6
              CallExec OpenLibrary
              move.l  d0,RLBase
              beq     NoLibrary           ; NULL = not found (or older than 32)
              ...
      RLName: dc.b    "removelink.library",0
- The first thing you should do when you use the library (after
  opening) is to allocate some memory by using the 'AllocRLTableMem'
  function.
  I strongly recommend you to use this function, or else your
  programme won't work when using future versions of RL.lib.

              CallRL  AllocRLTableMem
              move.l  d0,RL_StructPtr
              beq     NoMemory            ; NULL = allocation failed

- This function is the only function which will return
  a result into a register.
  If there is not enough memory, NULL will be returned instead
  (happens rarely, due to the low number of bytes required).

              move.l  RL_StructPtr,a0
              CallRL  KillMemVirus

- Is a good continuation, which will remove any of the covered viruses
  from memory.
  Please notice that the RL_StructPtr MUST be in reg. A0 whenever
  you call any function in the library.
  Let's suppose you had the 'CCCP' virus in memory; a structure would
  be initialized within the RL_Struct, looking like this:

      RemoveLinkStruct:
          (struct*) FileInfection    (still NULL: no file infection)
          (struct*) MemoryInfection  = {
                       APTR  NULL     (no more memory infections)
                       CHAR* 'CCCP'   (a pointer to the 'CCCP' string)
                       ULONG -1       (this virus has no copycount)
                    }
          ... (and a lot more data)

- Please notice that most of the fields are read-only
  (all except RL_BufferPtr, RL_BufferLen and RL_SectorOffset),
  i.e. they should only be READ, not altered.
... Well, our virus is dead, but we suspect that the virus has
infected some files on the disk.
We find out, by chance, that the file 'PowerPacker2.2a'
is infected.
What to do ?
Let's assume the file is loaded at $50000 (=0x050000)
and contains 46500 bytes:

              move.l  RL_StructPtr,a0
              move.l  #$50000,RL_BufferPtr(a0)     ; where the file is in memory
              move.l  #46500,RL_BufferLen(a0)      ; how many bytes were read
              CallRL  RemoveFileVirus              ; (_LVORemoveFileVirus)

- Voila - the file will be stripped of the virus.
  (_LVOGetFileVirusName works almost the same.
  The difference is that _LVOGetFileVirusName will not alter any
  part of the file, or the RL_Structure.)
  If you want to print the name, that is possible too:

              move.l  RL_StructPtr,a0
              move.l  RL_FileInfection(a0),d0  ; the node created by the function above
              beq.s   NotInfected              ; NULL = no file infection, nothing to print
              move.l  d0,a0
              move.l  FI_VirusName(a0),-(sp)   ; FI_ as in FileInfection[Node]:
                                               ; the name of the virus goes on the stack
              pea     Fmt(pc)                  ; the format string goes on top of it
              jsr     _printf
              addq.l  #8,sp                    ; return the stack (two longwords)
  NotInfected:
              ...
  Fmt:        dc.b    "%s",10,0

- The name will then be printed into your CLI window or standard
  output window. Passing the name as a "%s" argument, rather than as
  the format string itself, keeps printf from interpreting any '%'
  characters that happen to be in the data.
  Please notice that I just READ the fields, not alter them.
One important thing about the FI_ / MI_ fields:
After allocation (_LVOAllocRLTableMem) those are set to zero,
and they won't change until you use a function which changes
them for you.
After every function call the corresponding structure will be
set to zero if there was no infection, or point at a sub-
structure on infection.
This was meant to be used like a status check for infection,
i.e. if you for instance load an infected file and use
_LVORemoveFileVirus (a FILE-based function), the
RL_>>>File<<<Infection field will be pointing at the name
etc. of the virus.
Else, if our file was NOT infected, the RL_FileInfection field
will be NULL.
Therefore we can check for FILE infection by checking whether the
RL_>>>File<<<Infection field is NULL.
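The whole procedure described so far (open the library, allocate the RL table, kill any resident virus, strip a loaded file, read the FileInfection node, free and close) put together as one 68000 program. This is an added example, not code from RL.doc or from the SHI package. It assumes the CallExec/CallRL macros and the RL_/FI_/MI_ offsets from Removelink.i / Removelink_lib.i; the field names RL_MemoryInfection and MI_VirusName follow the FI_/MI_ naming the doc describes but are assumptions, as are all the labels (RLBase, RLStruct, FileBuf, FileLen, Report, ...) and the _printf link that the doc's own printing example also relies on.

```asm
; Added example: a complete scan cycle with removelink.library.
; ASSUMED: CallExec/CallRL macros and RL_/FI_/MI_ offsets come from the
; package includes; RL_MemoryInfection and MI_VirusName are assumed
; names; the caller has already loaded the file to check into the
; buffer at FileBuf (FileLen bytes), e.g. with dos.library Read.

        include "Removelink.i"
        include "Removelink_lib.i"

start:  move.l  4.w,a6              ; a6 = SysBase (AbsExecBase)
        lea     RLName(pc),a1       ; a1 = library name
        moveq   #32,d0              ; d0 = lowest version we can work with
        CallExec OpenLibrary
        move.l  d0,RLBase
        beq     exit                ; no usable library: give up

        move.l  RLBase,a6           ; a6 = library base for all CallRL calls
        CallRL  AllocRLTableMem     ; the only RL function that returns in d0
        move.l  d0,RLStruct
        beq     closelib            ; NULL = out of memory

;--- 1. memory: kill a resident link virus and report its name
        move.l  RLStruct,a0         ; a0 = RL table on EVERY library call
        CallRL  KillMemVirus
        move.l  RLStruct,a0
        move.l  RL_MemoryInfection(a0),d0  ; MI node, or NULL if memory was clean
        beq.s   memclean
        move.l  d0,a0
        move.l  MI_VirusName(a0),a0 ; name of the virus that was resident
        bsr     Report
memclean:

;--- 2. file: strip the loaded file and check the FI node afterwards
        move.l  FileLen,d0
        beq.s   cleanup             ; nothing loaded, nothing to check
        move.l  RLStruct,a0
        move.l  FileBuf,RL_BufferPtr(a0)   ; start of the loaded file
        move.l  d0,RL_BufferLen(a0)        ; bytes actually read
        CallRL  RemoveFileVirus            ; _LVORemoveFileVirus (offset -48)
        move.l  RLStruct,a0
        move.l  RL_FileInfection(a0),d0    ; FI node, or NULL if the file was clean
        beq.s   cleanup
        move.l  d0,a0
        move.l  FI_VirusName(a0),a0
        bsr     Report
        ; a real tool would now write the cleaned buffer back to disk

cleanup:
        move.l  RLStruct,a0
        CallRL  FreeRLTableMem      ; release the table and its sub-structures
closelib:
        move.l  RLBase,a1
        move.l  4.w,a6
        CallExec CloseLibrary
exit:   moveq   #0,d0
        rts

; Report: a0 = NUL-terminated virus name. Uses _printf from a linked C
; startup (as the doc's own example does); the name is passed as a "%s"
; argument, never as the format string itself.
Report: move.l  a0,-(sp)
        pea     Fmt(pc)
        jsr     _printf
        addq.l  #8,sp
        rts

RLBase:   dc.l  0
RLStruct: dc.l  0
FileBuf:  dc.l  0                   ; filled in by the caller's file loader
FileLen:  dc.l  0                   ; bytes in FileBuf (0 = no file loaded)
RLName:   dc.b  "removelink.library",0
Fmt:      dc.b  "Virus found: %s",10,0
          even
```

Every library call reloads a0 from RLStruct first, because the doc requires the table pointer in A0 on each call, and each result is read back from the RL_FileInfection / RL_MemoryInfection status fields (NULL = clean) rather than from a register, which is the status-check use the doc describes.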
Section 2:

- We have talked about memory infections and file infections,
  but not SECTOR INFECTIONS.
  A sector infection is nothing but an infection of a data sector
  of the disk.
  The infection is usually made by the 'SADDAM' virus (or any of
  the many SADDAM clones), and the point of it is that the virus
  has to be in memory for the disk-reading routines to read and decode
  the sectors properly.
  The library can handle those too.
  A number of special fields are dedicated to this:
  When reading a 'SADDAM' file, a special flag will be set in the
  RL_Structure: the RL_NeedsRepair flag, and as the name of the field
  shows, the disk (probably) needs to be repaired.
  Then you initialize a trackdisk-supporting programme
  and want to use the library:
              move.w  #CMD_READ,IO_COMMAND(a1)   ; io_Command is a word field
              move.l  #$50000,IO_DATA(a1)        ; (IO_DATA/IO_LENGTH as in exec/io.i)
              move.l  #512,IO_LENGTH(a1)
              move.l  OFFSET,IO_OFFSET(a1)
              CallExec DoIO
              ;And now we have read the specified sector.
              ;Now we want to decode it.
              ;We have to init the RL fields first:
              move.l  RL_StructPtr,a0
              move.l  OFFSET,RL_SectorOffset(a0)
              ;This field has to be init. too, or else
              ;the function won't be able to decode the
              ;datablock in order.
              move.l  #$50000,RL_BufferPtr(a0)
              ;Where in memory
              move.l  #512,RL_BufferLen(a0)
              ;Important:
              ;the library can't handle more than 512 bytes
              ;at a time. The Length field has to be 512.
              CallRL  DeCodeDataBlock

- The specified datablock will now be decoded,
  and if the datablock was infected the 'RL_SectorInfec' field will be
  <>NULL.
  A name pointer is available through 'RL_SectorVName' too.
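The single-sector decode above, generalized to a whole DD floppy: the routine reads every 512-byte sector through trackdisk.device, hands each block to _LVODeCodeDataBlock with RL_SectorOffset equal to io_Offset, and counts the blocks RL reports as infected. This is an added example, not code from RL.doc or the SHI package. It assumes the caller has already opened an IOStdReq on trackdisk.device and passes it in a1, that RLBase/RLStruct hold the library base and the table from AllocRLTableMem, the standard CMD_READ/TD_MOTOR commands and IO_COMMAND/IO_DATA/IO_LENGTH/IO_OFFSET offsets from exec/io.i and devices/trackdisk.i, the package's CallExec/CallRL macros, and labels (ScanDisk, SecBuf, NUMSECS, ...) that are this example's own.

```asm
; Added example: decode every 512-byte sector of a DD floppy through
; trackdisk.device and count the ones RL reports as infected.
; ASSUMED: a1 = an IOStdReq the caller has already opened on
; trackdisk.device; RLBase/RLStruct hold the library base and the table
; from AllocRLTableMem; CMD_READ/TD_MOTOR and the IO_COMMAND/IO_DATA/
; IO_LENGTH/IO_OFFSET offsets come from exec/io.i and devices/trackdisk.i;
; CallExec/CallRL are the package macros; all labels are this example's own.

        include "exec/io.i"
        include "devices/trackdisk.i"
        include "Removelink.i"
        include "Removelink_lib.i"

NUMSECS equ     1760                ; 80 cylinders * 2 heads * 11 sectors
SECLEN  equ     512                 ; RL decodes exactly one 512-byte block per call

; ScanDisk: in a1 = trackdisk IOStdReq   out d0 = number of infected sectors
ScanDisk:
        movem.l d2-d4/a2,-(sp)
        move.l  a1,a2               ; a2 = the io request
        moveq   #0,d2               ; d2 = sector number
        moveq   #0,d3               ; d3 = infected-sector count
        moveq   #9,d4               ; shift count: sector * 512 = sector << 9
.loop:  move.l  d2,d0
        lsl.l   d4,d0               ; d0 = byte offset of this sector
        move.l  a2,a1
        move.w  #CMD_READ,IO_COMMAND(a1)   ; io_Command is a WORD field
        move.l  #SecBuf,IO_DATA(a1)
        move.l  #SECLEN,IO_LENGTH(a1)
        move.l  d0,IO_OFFSET(a1)
        move.l  4.w,a6
        CallExec DoIO               ; d0 = io_Error, 0 on success
        tst.l   d0
        bne.s   .next               ; unreadable sector: we cannot judge it
        move.l  RLStruct,a0
        move.l  IO_OFFSET(a2),RL_SectorOffset(a0)  ; must equal io_Offset
        move.l  #SecBuf,RL_BufferPtr(a0)           ; where the sector is
        move.l  #SECLEN,RL_BufferLen(a0)           ; MUST be 512
        move.l  RLBase,a6
        CallRL  DeCodeDataBlock
        move.l  RLStruct,a0
        tst.l   RL_SectorInfec(a0)  ; <>NULL: the block was infected (now decoded)
        beq.s   .next
        addq.l  #1,d3
        ; a repair tool would CMD_WRITE SecBuf back here (and CMD_UPDATE at the end)
.next:  addq.l  #1,d2
        cmp.l   #NUMSECS,d2
        blt.s   .loop
        move.l  a2,a1               ; done: switch the drive motor off
        move.w  #TD_MOTOR,IO_COMMAND(a1)
        clr.l   IO_LENGTH(a1)       ; length 0 = motor off
        move.l  4.w,a6
        CallExec DoIO
        move.l  d3,d0
        movem.l (sp)+,d2-d4/a2
        rts

RLBase:   dc.l  0                   ; set up by the caller (OpenLibrary)
RLStruct: dc.l  0                   ; set up by the caller (AllocRLTableMem)
SecBuf:   ds.b  SECLEN              ; one sector's worth of data
```

The shift count lives in a register because the 68000 only accepts immediate shift counts of 1 to 8, and a sector that fails to read is skipped rather than decoded, since RL would otherwise be judging whatever stale bytes were left in SecBuf from the previous sector.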
Last:

When you want to see all the viruses the library can handle,
you can get them through the 'RL_VirusList' field, which is
initialized when you use _LVOAllocRLTableMem ...
The structure is as follows:

      *NextStruct   (NULL if none)
      *VirusName

and the prefix to those is 'VL' as in 'VirusList'.
The second assembler example shows this list.
-------------------------------------------------------------------------------
FunctionName: _LVOAllocRLTableMem
FunctionOffset: -30
Description: Allocates and initializes memory for use by other functions
in the library.
Reply Reg: d0, a pointer to the allocated area...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FunctionName: _LVOFreeRLTableMem
FunctionOffset: -36
Description: Free the initialized memory and sub-structures.
Calling reg: A0 (RL-mem pointer)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FunctionName: _LVOGetFileVirusName
FunctionOffset: -42
Description: Gets the name and other info from the file you've previously
loaded, without altering the file.
Calling reg: A0 (RL-mem pointer)
Other References: See _LVORemoveFileVirus
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FunctionName: _LVORemoveFileVirus
FunctionOffset: -48
Description: Strips the file you've previously loaded of link viruses
and sets up a node (the FileInfection node).
From that node you can get virus name/infection times/
copycount ('CC' - not in lib. ver 32.000).
Calling reg: A0 (RL-mem pointer)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FunctionName: _LVODeCodeDataBlock
FunctionOffset: -54
Description: Decodes ONE infected sector data block.
Returns: the virus name (if infected).
Calling reg: A0 (RL-mem pointer)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FunctionName: _LVOGetMemName
FunctionOffset: -60
Description: Gets the name of the virus which has infected memory.
Sets up a 'MemoryInfection' structure.
Calling reg: A0 (RL-mem pointer)
Other references: See _LVOKillMemVirus
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FunctionName: _LVOKillMemVirus
FunctionOffset: -66
Description: Removes the virus which infected memory.
Info on the virus is available through the 'MemoryInfection'
field.
Calling reg: A0 (RL-mem pointer)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Others:

When examining a file:
  'RL_BufferPtr' field must point at the start of the file, and
  'RL_BufferLen' field must be the length of the file which was read.

When examining a sector, additionally:
  'RL_SectorOffset' field must be the same as the field
  'io_offset' in the 'IOStdReq' structure, and
  'RL_BufferPtr' field must be pointing at the memory location where the
  read sector is.
  'RL_BufferLen' field MUST BE 512, or else the sector won't be decoded.

When examining memory (using _LVOGetMemName/_LVOKillMemVirus)
you don't have to/should not initialize any of the fields above.
I really hope you can use this library. If you find any grammatical errors
in this doc file, feel free to correct them, and send them to me. And of
course any new viruses. Please see the "Wanted-Viruses.Txt" for more
info! Thank you very much,

WE NEED YOUR HELP TO GET THIS LIBRARY EVEN BETTER, THANK YOU VERY MUCH!

Johan Öhman
Member of the SHI Anti Virus Group.
Geografigränd 6A
S-90732 Umeå
Sweden
Phone: + 46 90 193 274