FindEmAll V5.3
Copyright © 1991-1992 Koen Peetermans
All rights reserved
Release date JUL 26, 1992
FREEWARE/VOLUNTARY SHAREWARE

User Manual

TABLE OF CONTENTS
-----------------
A) DISCLAIMER
B) PREFACE
C) HOW TO GET A NEW VERSION
D) ERIK LØVENDAHL'S ANTI-VIRUS WORK
E) SYSTEM REQUIREMENTS
F) WHY DID I WRITE THIS PROGRAM ???
G) WHAT DOES THIS PROGRAM DO ??
H) PACKAGE LIST
I) QUICK START/EXPERIMENTING
J) THE DISPLAY USED IN THE FINDEMALL PROGRAMS
   1) Special "User-friendly" ANALYSE display in CLI
   2) Example Display of a CLEAN computer with kickstart 1.2/1.3
K) TECHNICAL STUFF
   1) ColdCpt,CoolCpt,WarmCpt
   2) KickMem
   3) KickTag
   4) Debug
   5) Execint
   6) SftList
   7) ErrVec
   8) HardInt
   9) TrapVec
   10) TaskVec
   11) DosBase
   12) KBReset
   13) INTERRUPT SERVERS
       -What are interrupt servers ?
       -Examples
   14) LIBRARIES/DEVICES/RESOURCES
       -What are libraries/devices/resources ?
       -Examples
       -THE INTERNAL DOS LIBRARY
   15) TASKS
       -Normal Display
       -Example : diskdoctors virus
       -Harddisk problems
       -Tips & Tricks
   16) RESIDENTS
       -What are resident programs ?
       -Multiple viruses example
   17) Message Ports
L) THE FINDEMALLVECTORS PROGRAM
M) MORE TECHNICAL STUFF
   1) The Printname routine.
   2) The Cold Reset routine.
L) "SHORT" FINDEMALL HISTORY
M) CLI CHECKING VERSUS BOOTBLOCKCHECKING / CLI MEMCHECK INSTALLATION
N) FUTURE UPGRADE PLANS + HELP NEEDED.
O) ***THE RESIDENT FEA PROGRAM***
P) THE AUTHOR - ME !
Q) THANKS
R) QUESTIONS ??
S) BUGS ??
T) SOURCE CODE

DISCLAIMER

FindEmAll has been tested thoroughly and is not able to damage your system in any way. However, the author is not responsible for any loss of data caused by bad use of the program. See especially the section that explains the use of the installer.

PREFACE

This program is freeware. This means that you can copy it freely as long as you don't ask any more money for it than a nominal fee for copying. If you want to distribute this program you should keep this document with it.
This program cannot be used for commercial purposes without written permission from the author. I hereby give explicit permission to Erik Løvendahl Sørensen and Fred Fish to include this program in their series.

HOW TO GET A NEW VERSION

New versions are available from me directly, just send enough money for stamps, disk, ... Although this program is freeware, more money than needed won't be refused; the money will be used in the battle against viruses and virus authors. If you send me more than $15, you can also get the source of the previous version and you can get the next 2 versions directly from me (Fast !).

Or you could write to Erik Løvendahl Sørensen (see below), he will always get new versions from me directly, and hopefully he'll place it on his splendid "New SuperKillers" disks.

If you have suggestions or remarks about this program, or if you find any bugs, please contact me. I like to have mail about this program and other virus subjects. New viruses would also be appreciated. Write to the following address:

   Koen Peetermans
   Vrijheersstraat 8
   B-3891 Gingelom
   Belgium (Europe)

Erik Løvendahl's Anti-virus work
--------------------------------
Our motto: "Safe Hex..."

I want to mention the work of Erik Løvendahl Sørensen from Denmark. He has founded a group of Amiga enthusiasts, all fighting against viruses. This group has over 250 international members now, among them some of the programmers of well-known anti-virus programs like Steve Tibbet and Jonathan Potter. Among the activities of this group are:

- Spreading information to anti-virus programmers as fast as possible.
- Trying to get names and proof against virus programmers and giving the information to the justice department of his/her country to press charges. Remember, there is a reward of 1000$ (Wow !) for the person that helps convicting a virus programmer.
- Writing articles in popular magazines to inform new Amiga users about viruses and how to protect themselves.

All this is voluntary work.
If you want some more information about this organization or you want to sponsor his work, contact Erik at the following address:

   Erik Løvendahl Sørensen
   Snaphanevej 10
   4720 Præstø
   Denmark - Europe
   Phone: 00 45 55 99 25 12
   Fidonet 2:23424/43

Persons in Belgium can contact me directly, I'm also responsible for the Regional Virus Centre in Belgium (Dutch language).

SYSTEM REQUIREMENTS

FindEmAll should run on ALL Amigas that have their kickstart logically at $f80000 or $fc0000. People with kickstart at e.g. $200000 or so can get an adjusted version from me if they send me a description of their kickstart address. Future versions of FindEmAll will probably be able to bypass this problem by using a special installer. (comments are welcome !) If you're an experienced Amiga freak, you can "patch" the code if you want: just change the values $efffff and $1000001 inside the programs to the right kickstart addresses.

It has been tested with KickStart 1.2, 1.3 and 2.0 on A500/2000/3000 Amiga models (not on an Amiga 1000, but these won't cause a problem I guess). It has NTSC/PAL detection for automatic sizing of the display.

Should you have any trouble running FindEmAll on your machine, please write to me with the full specifications of your machine, that is KickStart version, model, expansion boards etc... Use a good sysinfo program to determine your setup, if needed. A printout of the output of the "FindEmAllVectors" program (see further) would also help me solve your problem.

WHY DID I WRITE THIS PROGRAM ??

Some time ago I noticed that a new virus, the Saddam Virus, had infiltrated about 10 of my disks, even though I already knew quite a lot about viruses. At the moment I had no virus killer for this virus, so I had quite a few problems deleting it. At that time I said that I should have a program that is able to immediately detect ALL new viruses, no matter how devious their tricks or "INVISIBLE" modes would be.
The FindEmAll programs work a bit like the RAM-check option of the new BootX versions, and at the moment it also does some other things. The main difference is that I managed to make my program so short that I was able to place it in a bootblock (1Kb !), which is very difficult if you see the abilities of this program. Since it is a bootblock you are able to detect future viruses very fast in memory, and a lot of disks which don't use things like loaders can be installed with this bootblock.

Don't underestimate the work that has gone into these programs. I've been working on it the last months and it has changed a LOT since the first version (See the History). A lot of research was needed in order to understand all the things that are and COULD be used by viruses.

WHAT DOES THIS PROGRAM DO ????

This program checks a LOT of things in memory; some are very important, some are less important and some are maybe not even needed, but you can never have enough information when dealing with viruses. Here is a short summary of the things it does (detailed information can be found further in this manual):

- It checks + shows ALL the main vectors used by viruses (Cold, Cool, ...)
- It checks + shows some "important" values in Execbase
- It checks ALL sorts of interrupts, from hardware interrupts to Execbase interrupts (handlers AND SERVERS !), the server list is even displayed on-screen !!!
- It shows + COMPLETELY checks ALL libraries and devices, and ALL the resources that can be checked.
- It shows ALL names of reset-proof resident modules (Very useful !)
- It shows all the tasks running.
- The CLI programs also check the internal DOS library and 2 important vectors in DosBase, this is VERY EXTRAORDINARY AND RARE !!!
- It can wipe out ANY virus from MEMORY !!! by doing a reset !
- .......
As you can or can't see, this program is the MOST powerful virus DETECTOR available for the Amiga at the moment, certainly when compared with other BOOTBLOCK checkers, I've never seen one even coming close !! (STOP bragging, Koen !!). Most other bootblock checkers only check about 3 values in memory, my programs check even more than 500 values in memory !!!!!

PACKAGE:

The package should contain (names can be changed a BIT, if needed):

- This doc file "FindEmAll.doc"
- The bootblock installer "FindEmAllInstaller"
- The CLI program "FindEmAllCLI" (V5.2)
- A program called "FindEmAllvectors" (V1.7)
- The RESIDENT checker "FindEmAllRES" (preview) -> See further !!

QUICK START/EXPERIMENTING

Run the installer (from CLI or Workbench), insert a disk with a normal bootblock (so not with a loader !), and press the Install gadget. The bootblock will now be installed on that disk. Press a key during the execution of that boot to display the current status (so, hold down shift or something else during bootup and the display will always pop up). If there is something weird, like a virus, in memory, the display will come up automatically, even without a key-press.

During the display, press the left mouse button to wipe everything out of memory, and the right one to perform a normal boot and leave everything in memory. Sorry for so little mouse button information on the display, I had no place left; I thought security was more important than user-friendliness, and after using the programs a few times you'll work with it with your eyes closed !!!

THE BOOTBLOCK INSTALLER

The installer is pretty straightforward and user-friendly, if I may say so. Just run it from a CLI command or from Workbench, and a window will pop up. Just select the appropriate "gadgets" to do an install with my bootblock, display the current bootblock on that disk, and select another drive. The only gadget that could confuse you is the 'TaskCheck' gadget.
This is a switch that allows you to put task checking on and off. After you've selected that you'll still have to install the disk with the chosen bootblock. Why is this selection possible ??? Well, see further in the docs in the part on TASKS !! For now, leave the task check on, it's safer !!!

Important: Be sure NOT to overwrite loaders or special intros !!!

You can also install another version that doesn't display a message, but that checks more things; the names of these bootblocks have an "/X" or something like that behind the name.

THE DISPLAY USED IN THE FINDEMALL PROGRAM/BOOTBLOCK.

After the boot, the screen will become BLACK to enable you to notice the presence of the FindEmAll bootblock on that disk (Black is beautiful !). I use an Alert window to display the status/.... The programming of such a window doesn't need a lot of code, so I had more space for detection routines. The Alert window also assured me maximum Kickstart compatibility.

SPECIAL "USER-FRIENDLY" ANALYSE DISPLAY IN CLI

The "OLD" FindEmAll versions were not very user-friendly, so I made an effort to make at least the CLI checker a bit more user-friendly. When there is something weird in memory, a special alert window will pop up, saying that there is a suspicious program found in memory, and that this COULD be a virus. If nothing is found in memory, this window will NEVER pop up !

In the middle of the screen you see an ANALYSE window that quickly shows the most frequently performed actions of some viruses, and whether they are being done at the moment. If there are some Yes-es in this display, you should be EXTREMELY cautious !! If you want more information (see further), you can press the left mouse button. I am planning to keep this ANALYSE window updated so that with ANY resident VIRUS, there is at least one YES in the analyse window.
IF there is no YES in the display, normally there is NO OLD virus in memory, but beware of NEW viruses; these are normally found and displayed in a more technical way in the "Technical display".

Here's a short explanation of the ANALYSED functions:

- Reset proof program found in memory : There is a program in memory that can survive a RESET !!!
- Drive I/O intercepted : Bootblock/... reads/writes intercepted by a program (VERY LIKELY a VIRUS !!).
- Hard/Software interrupts changed : Used a lot by viruses, but sometimes also by "badly" written utilities.
- Reset proof memory allocated : The least important function of this ANALYSE display, this is sometimes used by viruses, or by a RAM disk.
- DOSBase changed (Traveling Jack) : 99 % sure that this is a VIRUS !!!
- DosLib LOAD offset intercepted : Could be a LINK virus, or maybe also explode.library, LVD, pp.library
- DosLib WRITE offset intercepted : Could be a LINK virus, or also patchpp, ....

EXAMPLE DISPLAY OF A CLEAN COMPUTER ON A KICKSTART 1.2/1.3 AMIGA

************************************************************************
* LEFT=KILL/RESET          K.P. FindEmAll V5.2                         *
*                                                                      *
* ColdCpt OK   -ciaa.resource OK              -potgo.resource OK       *
* CoolCpt OK   -?????? OK                     -keymap.resource OK      *
* WarmCpt OK   -gameport.device OK            -ciaa.resource OK        *
* KickMem OK   -timer.device OK               -ciab.resource OK        *
* KickTag OK   -ciab.resource OK              -disk.resource OK        *
* {Debug OK}   {-Internal DOS library OK}     -misc.resource OK        *
* ExecInt OK   -exec.library OK                                        *
* {SftList OK} -expansion.library OK          -keyboard.device OK      *
* {ErrVec OK}  -graphics.library OK           -gameport.device OK      *
* HardInt OK   -layers.library OK             -timer.device OK         *
* {TrapVec OK} -intuition.library OK          -audio.device OK         *
* {TaskVec OK} -mathffp.library OK            -input.device OK         *
* {DosBase OK} {.............}                -console.device OK       *
* {KBReset OK} -exec.library OK               -trackdisk.device OK     *
*                                                                      *
*              -input.device OK                                        *
*              -trackdisk.device OK                                    *
*                                                                      *
*                                                                      *
*                                                                      *
*                                                                      *
*                                                                      *
*                                                                      *
*                                                                      *
*                                                                      *
* Resident: OK                                                         *
************************************************************************

Note that the field places of the left column are different in BOOT, and there are also some fields not displayed in boot. In CLI: 'K.P. FindEmAll v5.2', DOSBase & dos.library & internal DOS library & some extra libraries/ports displayed (see {}) + KBReset checked & servers displayed below the devices !!!

TECHNICAL STUFF

Hmmm..... for a non-programmer or a non-virus specialist there should be at least a few problems understanding all this, that's why I'll try to explain all of them ....... I won't get TOO deep into some parts, since I would give would-be virus programmers too many tips and that's absolutely not what I want to do. It's rather technical, but READ it, it's quite important if you want to understand and use this bootblock to the limit. I kept the information as simple as I could possibly write it !!!

I have divided the displayed vectors/... into three classes:

- Class A : Very important, very often used by viruses. These vectors HAVE to be used to create reset-proof software.
- Class B : Important, frequently used by viruses for hooking into memory, hiding in memory, ...
- Class C : Vectors that aren't really critical or normally couldn't be used by a virus.

ColdCpt,CoolCpt,WarmCpt (Class A)
-----------------------
- These are vectors that are very often used by viruses since they enable a program to be reset-proof. The three vectors' full names are ColdCapture, CoolCapture and WarmCapture. They are found in the Execbase structure (the 'main' system structure). These values are checked for being zero; if they're NOT, then there is almost certainly a reset-resident program (a virus ?) in memory.

The ColdCapture and CoolCapture vectors are much more important than the WarmCpt vector, since that vector is apparently not usable for creating reset-resident programs with the current kickstarts. These vectors are considered very important vectors; if there is anything wrong with these, the chances are great that there is a virus in memory (or another reset-proof program). => Class 'A' vectors.

When a vector is not zero, the "OK" is changed into a "BAD!".

Kickmem (Class B)
-------
- This is a vector that allows programmers to keep a certain part of memory reserved AFTER a reset, so that part of memory can be "protected" from being overwritten after a reset. When this vector isn't zero, this vector will be displayed 'BAD!'. This vector is not as important as the previous vectors, but is sometimes used by some viruses. So, CAUTION when this vector is 'BAD!'. If ONLY this vector is BAD!, there is little chance that there is a reset-proof PROGRAM in memory, since it is not possible to START some sort of routine or program by using this vector; maybe it could be some sort of reset-proof RAM disk that keeps its memory allocated after a reset.

KickTag (Class AA)
-------
- Now this IS a very important one !!! This one is used to be able to even create MULTIPLE reset-resident programs (See the Resident explanation).
Because of the way FindEmAll searches for residents I thought it would be safer to ALSO display/check this vector separately, since this is one of the most important vectors.

Debug (Class CC)
-----
- This appears to be an entry point for the Amiga debugger. I haven't been able to call it until now, so I guess it's not important, but it's checked anyway, to see if this one points to ROM.

ExecInt (Class BA)
-------
- This field stands for the status of 16 interrupt vectors (interrupts are RUN when some special thing happens, like the refresh of a screen or I/O). When one of the 16 vectors checked doesn't point to ROM or isn't zero, there could be a program (likely a VIRUS) in memory that has redirected it for its own use, like for calling a routine that keeps filling Class A vectors with the virus' entry points. This is what e.g. the ByteBandit virus does. These 16 IntVects are found in Execbase and are used by the operating system. They define the entry point of a single routine (a so-called 'interrupt handler'), or the entry point of a routine that handles an 'interrupt server list' - see further for the explanation on servers.

SftList (Class C)
-------
- This also stands for some sort of interrupt, but one that isn't controlled by hardware, like the other interrupts, but by software ONLY. I just check if there is something in the 5 soft lists, and if there IS something in the list it's "BAD!". These vectors are NOT important, but were just included because I had a few bytes to spare.

ErrVec (Class CB)
------
- These are some values that define the entry points of the processor when for example there is an address error, like when you have a GURU or something else. Sometimes changed by a virus, don't ask me why, but it seems rather unimportant.

HardInt (Class BA)
-------
- This stands for 7 vectors that are DIRECTLY accessed by the processor when a hardware interrupt occurs.
Normally these point to a ROM routine that executes a handler/server (see ExecInt), so if some devious virus changes this, it's 'BAD!'. These vectors can be used by a virus just like the ExecInts.

TrapVec (Class C)
-------
- This is comparable with the ErrVec vectors, so not really important, and I've not yet seen a virus using it.

TaskVec (Class C)
-------
- 3 vectors in Execbase that define the entry points for task exit(s), exception routines, ...... I've not been able to use them, so probably a virus won't be able to either.

DOSBase (Class BA)
-------
- These 2 vectors can and are only checked in CLI/Workbench because there is no dos.library during boot. If one of these is changed, you can be quite sure that there is some sort of (link) virus in memory. The Travelling Jack uses the first one of these two.

KBReset (Class ????? A ??? B ???)
-------
- I don't think this one should be checked at the moment (with the current kickstarts), but since VMK checks it I'll check it also. I'll have to say that the routine I use is based heavily on the VMK routine, since I have no documents that explain this sort of pointers. I also noticed that the VMK program isn't able to check it on 68030 boards since some values in the keyboard device are a bit dissimilar ($21->$22, $24->$25). FindEmAll also checks these values. I don't think that it is possible to create reset-proof programs with these vectors, but when it's possible the program will find it.

Until now, I must say that these vectors are not the real power of this program, since this was rather easy to make and doesn't take much routine space/programming. The following things, however, were not THAT easy !!

Interrupt Servers (Class BA)
-----------------
In the upper-mid part of the window you'll normally see this:

   -ciaa.resource OK       Class B
   -?????? OK              Class BA
   -gameport.device OK     Class BA
   -timer.device OK        Class BA
   -ciab.resource OK       Class B

"Now what the hell is this ??" I hear the whole Amiga world asking......
Well, remember when I told you about interrupt servers ???? Well, that's it !!!! These servers are used when a programmer needs to install an interrupt 'by the book'. All interrupts are placed in a "list", and they are executed one after another when an interrupt occurs. Some sorts of interrupts are used so much at 'the same time' that these sorts of lists were 'invented'.

Notice that there is more than one type of server. You normally have the servers caused by a CIA-A interrupt (ciaa.resource), the ones caused by the vertical blank interrupt (started when the electron beam returns to the top of the screen) (-??????, gameport.device, timer.device) and a CIA-B interrupt (ciab.resource). So, in this situation we have 3 different sorts of servers displayed (and they are okay !). The names you see appear to be the names of the 'routines' that USE the server. Don't worry about that -?????? name; that NAME is ALWAYS bad, but that ROUTINE IS also executed, so it's also checked for the right jump address. Notice that you don't see if a server is a CIA or a VBlank server, that's not really important.

Don't worry if there is another server displayed like '_SCSI_' (A3000), as long as it's 'OK' there can be nothing wrong !!! Also, with a LOT of hard disks you will probably also have a few BAD servers; it's impossible for me to know the difference between these and a virus server. So you should know your 'usual' BAD servers so you can see a DIFFERENCE when there is something else in memory. If you look at the example display, you see the STANDARD servers; if one of these is changed, you can be quite sure that that change is NOT done by a hard disk !! If you put the task checks off (with the installer), the servers will still be SHOWN, but the warning window WON'T pop up if there are ONLY tasks or SERVERS changed.

The servers weren't used by viruses in the 'old days', I think the Saddam Virus was one of the first to do it.... quite devious !!!!!!!!
That one changes the one with the BAD name, but my bootblock will say:

   -ciaa.resource OK
   -?????? BAD!
   -gameport.device OK
   -timer.device OK
   -ciab.resource OK

Gotcha !!!.... another virus bites the dust !!!!!! (Well, the Saddam Virus changes SO much that it was found anyway, but you never know, future viruses will try to hide in memory, and now they have one important place less to hide. ('There ain't many bytes safe for a virus when there is a FindEmAll bootblock on your disks !!')

A special feature of the programs is that they are able to distinguish between a server and a handler, so if someone can change a handler into a server (this is normally not possible, but since I've been able to do it, ....) this program will automatically detect if it's a server and it will display and check that 'Undocumented Server'. Another virus bites the dust !!! (And it ain't over yet !!)

Please note that some programs like Xoper and ARTM will add new servers to the system. Usually these servers have a good name like 'Xop I/O counter', but some programs like 'blanker' don't use good names, so beware !! Viruses don't normally set a good name, but I guess they could do that in the future, so watch out !!!

Libraries/Devices/Resources (Class BA / BA / B)
---------------------------
This works a bit like the RamCheck option of the new BootX versions, only mine is a bit less documented but therefore small enough to fit in the boot. On the screen during the FindEmAll boot you can see the names of ALL the libraries/devices/resources that are present in memory during the boot (There is NO dos.library during the boot !).

Now what are libraries/devices/resources ???? Well, to make a long story short, each Lib/Dev/Res is a collection of routines that are put together in a special structure in order to make it easier for programmers to make programs and to ensure future compatibility when e.g. a new kickstart is published.
A specific routine from one library is run by calling a certain negative offset of that library. Now, my bootblock doesn't only check the offsets OFTEN used by viruses, but checks ALL offsets of a library, so that even a virus that changes ANY offset in ANY L/D/R will be found. Because of the special list-following routine of my program, NEW libraries like on the A3000 are checked also. L/D/R that run COMPLETELY in RAM instead of ROM can't be checked, but normally also aren't used by a virus since they must be loaded from disk. In this case there won't be an 'OK' after the L/D/R name.

The programs display the offsets that are BAD in hexadecimal values. Examples of bad libraries/devices:

   -exec.library -$01C8:BAD!
   * The DoIO() routine is changed (used by a LOT of viruses !!!)

   -trackdisk.device -$001E:BAD!
   * Can be compared with the DoIO() routine, but this one only applies for disk drives, while the ExecLib DoIO works for most drives/HDs !!!

Here's a list of offsets used often by viruses:

- exec.library :
  -$0060 : FindResident routine
  -$00D8 : AvailMem routine
  -$0114 : FindName routine
  -$0198 : OldOpenLibrary routine
  -$01C8 : DoIO routine
- intuition.library :
  -$00CC : OpenWindow
- trackdisk.device :
  -$0006 : Open Device
  -$000C : Close Device
  -$001E : BeginIO routine
- XXXXXXX.device :
  Almost every device has the same offsets !!! => same as trackdisk.device !!

I advise you to experiment a bit with the bootblock and some resident utilities like Pseudo-Ops Viruskiller (don't USE it !!) to see how changed L/D/R are shown. Try some viruses if you have any !! (But KILL them AFTER testing !!!)

THE INTERNAL DOS LIBRARY
------------------------
This library can only be checked in CLI/Workbench, since there is no dos.library during boot. I've made a routine that should be able to check ALL the vectors in the internal dos library. I've made this routine 'intelligent', so if there is no internal dos library with kickstart 2.0, it will find that out automatically.
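As an added example that is not part of this manual or of the FindEmAll code (which is 68000 assembly), here is a C model of two of the checks described above: the ColdCpt/CoolCpt/WarmCpt/KickMem/KickTag zero test and the walk over ALL vectors of a library's jump table, run on constructed memory images so it works on any host. It assumes the ExecBase field offsets of the standard exec/execbase.h, reads the manual's $efffff/$1000001 patch values as the bounds of the ROM window, and the 'virus hook' addresses and the library image are made up for the demonstration.

```c
/* Added example, not FindEmAll's own 68000 code: the ColdCpt/CoolCpt/WarmCpt/
 * KickMem/KickTag zero check and the whole-jump-table library check, run on
 * constructed memory images so it compiles and runs on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROM window implied by the manual's patch values (assumption): an address
 * counts as Kickstart ROM when it lies strictly between $EFFFFF and $1000001. */
#define ROM_LO 0x00EFFFFFUL
#define ROM_HI 0x01000001UL

/* ExecBase field offsets, assumed from the standard exec/execbase.h. */
#define EB_COLDCAPTURE 42
#define EB_COOLCAPTURE 46
#define EB_WARMCAPTURE 50
#define EB_KICKMEMPTR  546
#define EB_KICKTAGPTR  550
#define EB_SIZE        560
#define LIB_NEGSIZE    16       /* UWORD lib_NegSize in struct Library */
#define LIB_SIZE       34       /* sizeof(struct Library) */
#define JMP_ABSL       0x4EF9   /* 68000 "JMP (abs).L": each vector is JMP+addr */

/* 68000 memory is big-endian, so the images are read and written bytewise. */
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static int in_rom(uint32_t a) { return a > ROM_LO && a < ROM_HI; }

static const char *const capture_names[5] = { "ColdCpt", "CoolCpt", "WarmCpt", "KickMem", "KickTag" };
static const int capture_offsets[5] = { EB_COLDCAPTURE, EB_COOLCAPTURE, EB_WARMCAPTURE, EB_KICKMEMPTR, EB_KICKTAGPTR };

/* Class A/B vectors: any non-zero value is BAD!, as the manual describes.
 * Sets bad[i] per vector and returns how many are BAD!. */
int check_captures(const uint8_t *execbase, int bad[5]) {
    int n = 0;
    for (int i = 0; i < 5; i++) {
        bad[i] = rd32(execbase + capture_offsets[i]) != 0;
        n += bad[i];
    }
    return n;
}

/* Library check: walk EVERY vector of the negative jump table, from -6 down to
 * -lib_NegSize, and record each offset that is not a JMP into ROM. Returns the
 * number of bad offsets (stored as negative values, e.g. -0x1C8 for DoIO). */
int check_library(const uint8_t *base, int bad_offsets[], int max) {
    int negsize = rd16(base + LIB_NEGSIZE), n = 0;
    for (int off = 6; off <= negsize; off += 6) {
        const uint8_t *vec = base - off;
        if (rd16(vec) != JMP_ABSL || !in_rom(rd32(vec + 2))) {
            if (n < max) bad_offsets[n] = -off;
            n++;
        }
    }
    return n;
}

/* Constructed exec.library image: 76 vectors (NegSize $1C8) into Kickstart.
 * With infect != 0 the DoIO vector at -$01C8 is bent into chip RAM, the case
 * the manual prints as "-exec.library -$01C8:BAD!". */
#define DEMO_NEGSIZE 0x1C8
static uint8_t demo_lib[DEMO_NEGSIZE + LIB_SIZE];
static const uint8_t *build_demo_library(int infect) {
    uint8_t *base = demo_lib + DEMO_NEGSIZE;
    memset(demo_lib, 0, sizeof demo_lib);
    wr16(base + LIB_NEGSIZE, DEMO_NEGSIZE);
    for (int off = 6; off <= DEMO_NEGSIZE; off += 6) {
        wr16(base - off, JMP_ABSL);
        wr32(base - off + 2, 0x00FC1000UL + (uint32_t)off);   /* somewhere in ROM */
    }
    if (infect) wr32(base - 0x1C8 + 2, 0x0007A000UL);        /* RAM: made-up hook */
    return base;
}

/* Constructed ExecBase: clean, or with ColdCapture pointing into chip RAM. */
static uint8_t demo_execbase[EB_SIZE];
static const uint8_t *build_demo_execbase(int infect) {
    memset(demo_execbase, 0, sizeof demo_execbase);
    if (infect) wr32(demo_execbase + EB_COLDCAPTURE, 0x0007A000UL);
    return demo_execbase;
}

/* Wrappers that return the two checks' results on the constructed images. */
int demo_library_bad_count(int infect) { int b[8]; return check_library(build_demo_library(infect), b, 8); }
int demo_library_first_bad(int infect) { int b[8] = {0}; check_library(build_demo_library(infect), b, 8); return b[0]; }
int demo_capture_bad_count(int infect) { int b[5]; return check_captures(build_demo_execbase(infect), b); }

int main(void) {
    int bad[8], badv[5];
    int n = check_library(build_demo_library(1), bad, 8);
    for (int i = 0; i < n; i++)
        printf("-exec.library -$%04X:BAD!\n", (unsigned)-bad[i]);
    check_captures(build_demo_execbase(1), badv);
    for (int i = 0; i < 5; i++)
        printf("%s %s\n", capture_names[i], badv[i] ? "BAD!" : "OK");
    return 0;
}
```

Run as is, it reports the infected images the way the bootblock display does: "-exec.library -$01C8:BAD!" and "ColdCpt BAD!" with the other four capture vectors OK.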
If there's something bad in the internal dos library, the vectors that are printed are NOT the offsets in the internal dos library, but the offset numbers are just the same as the vectors in the normal dos.library. This makes life just a bit easier for some guys I guess. (And also made my code SHORTER !!!) Please allow me to mention that this check is very special; it's the first program on the Amiga that checks all the vectors in the internal DOS library and IT WORKS (It detects the change done by the LZ virus!)

Tasks (Class B)
-----
- Since the Amiga is a multitasking system, some virus creators thought it would be "useful" to start a task in the background that keeps the virus firmly hooked into memory. So I had to show all the tasks that are running during the boot. YES, there IS multitasking running during the boot; there are normally about 3 tasks running (this can be more if you own a hard disk, ..). With my standard Amiga these tasks are called:

   -exec.library      (The current running task, controlled by exec)
   -input.device      (So a task started or controlled by the input.device)
   -trackdisk.device  (Same here, used to control the disk drive)

The tasks are displayed below the libraries. Now, when a virus like the diskdoc virus gets into memory, it will install a task named "clipboard.device", that keeps putting the virus back into memory when you try to kill it. FindEmAll V5.2 will find and show this task as a BAD one. This is what is shown at that moment:

   -exec.library OK
   -clipboard.device BAD!
   -input.device OK
   -trackdisk.device OK

So FindEmAll is able to find BAD tasks ??? I hear a lot of programmers wondering how I do this. Well, first I have to say that this only works during the boot, and the check "routine" is not ideal by far. You will notice this when you have a hard disk: most of the time the hard disk task is 'BAD!' also. That is why there is an option with the installer (see previous) to switch this routine off, when it's annoying you when you have a hard disk.
I would advise you to leave the task check on, since it offers slightly better protection. DON'T be too sure that everything is all right when all TASKS are 'OK', since it is possible to bypass the routine (I'm not saying HOW to do that, search it for yourself you virus-creating LAMER !!!).

A tip on task checking:
- If there are MORE tasks displayed than normally on your system, you should be extremely CAREFUL. Things I've seen are 2 trackdisk tasks during BOOT, ..... So, if you have problems and you think it is a virus, try pressing a key during the boot when normally no warning is shown by the bootblock. If you see new tasks or suchlike, BINGO !!! So far all this is not needed, but viruses -unfortunately- get better and better all the time.

For the experts: all RUNNING, READY and WAITING tasks are shown !!! (NORMALLY there aren't any ready tasks during boot, but the diskdoc virus has another opinion about that !!) Another program I found that installed a task was the virus killer "Viruscontrol V1.3" (This time it was a WAITING task !).

Residents (Class AA)
---------
- At the bottom of the screen the "resident" programs are shown. These are generated by using the KickTag, explained previously. The residents make it possible to have MORE THAN ONE reset-proof program in memory at the same time !!! Now this can be very dangerous, since viruses can intrude into memory even if there is a checker like Guardian also in memory, and Guardian won't notice the other virus !!!! So I made a routine that displays the names of ALL resident programs present in memory. When there is NO resident program in memory the display reads 'Resident:OK'. When there is a resident program in memory the name is displayed, if possible (read the comment about the printname routine, further in the manual).

I've been able to put about 5 resident programs in memory at the same time. These were: TurboPrint, Guardian, PowerUtility, the Lamer Exterminator virus and another virus with a bad resident name.
So the display looked somewhat like this:

   Resident:-printer.device              (Turboprint)
            -PowerUtility !!!
            -???????                      (Virus with BAD name)
            -strap                        (Guardian)
            -The Lamer Exterminator !!!   (Guess what ....)

(This is just an example, the actual places were different.) The resident program with the highest priority is shown at the lowest place, due to the text build-up of my routine. The program with the highest priority is executed first during the reset routine.

Message Ports (Class CC)
-------------
- Very unimportant, I think I'm gonna remove this check ! The ports are displayed below the devices (if there ARE ports). Don't worry if you get ports with the -?????? name; those are just ports that aren't used anymore (although I'm really not sure about that). In CLI, there usually ARE ports like 'IDCMP', '-??????' !!!

THE FINDEMALLVECTORS PROGRAM

This is a program that can only be run from CLI (or with iconx). This program shows all the things checked by the other FindEmAll programs in hexadecimal values. This is normally used by people that know a bit more about viruses and things. I use this program to determine the address of a possible virus in memory, to do specific tests, .... There is a lot of room for improving this program (user-friendly ??), but you can work with it if you want. The output can be redirected, so 'FindEmAllvectors > prt:' will print the output on the printer. With this program it is possible to determine almost all activities of a virus very quickly !! (I hope this program will turn out to be very useful for other anti-virus programmers, and hope they'll use it and send me suggestions !!) This program is comparable with the VMK program, it only does many more things. Send me your tips on how I could improve this program !

PS: The VMK program has some bugs (e.g. with 'special' resources like the keymap.resource), use the FindEmAll programs !!!

From version 1.2, there is also an ASCII display of the memory.
The program figures out which part of memory to display, by way of sorting and selecting bad pointers. Now, the program can be made to display the memory in ASCII when a certain number of BAD vectors are close to each other in memory. The default number for this is 3, so a program has to change at least 3 vectors in order to be displayed in ASCII. The number used by the program can be given as a parameter in CLI, for example:

'FindEmAllvectors'     => No ASCII displays.
'FindEmAllvectors -d5' => Only ASCII displays above 5 changed vectors.
'FindEmAllvectors -d1' => Always ASCII displays of changed vectors.
'FindEmAllvectors -d'  => Default => Value = 3

This can be quite confusing, so try fiddling with it a bit, I hope you understand it. Please note that the parameter-parser of the program is very primitive, it won't give error messages or help !!

THE PRINTNAME ROUTINE :

- When printing names from libraries/devices/resources/residents/tasks, I get these names out of RAM, and some virus-makers try to do some special tricks to give some things BAD names. When you see a -?????? displayed, that means that the name begins with a zero (so it is an empty name), so I placed question marks instead of nothing. Now, a SMART virus programmer (that's not possible since all these "programmers" are not smart enough to get out of their ....) could give the name all blanks (" "), but I've outsmarted them, I just place the "-" character before each name, so NO name can stay undetected !!!!. This was also done in case an Extremely clever virus maker would program a resident virus with the 'OK' name. (The OK-virus ??? Hahahaha !!! Don't give them ideas, Koen !!!!) Normally that would cause the Resident display to read "Resident:OK", but now it is : "Resident:-OK". Gotcha !!!. I guess you still need a sharp eye, but it's better than the old printname routine I guess....
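Two of the rules described above, the -dN threshold of FindEmAllvectors and the "-" prefix of the printname routine, modelled in C as an added example that is not part of the FindEmAll programs or of this manual. The sample BAD vector addresses are constructed, and the WINDOW distance that counts as "close to each other" is an assumption, since the manual doesn't give that number.

```c
/* Added example, not FindEmAll's own code: a small C model of two display
 * rules from this manual, the printname rule and the -dN ASCII-display
 * threshold of FindEmAllvectors. Sample data is constructed; WINDOW is an
 * assumed value for "close to each other", which the manual does not give. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WINDOW 1024UL  /* assumed: BAD vectors this close form one group */

/* printname rule: every name gets a leading '-', and a name starting with a
 * zero byte is shown as "-???????" instead of nothing. Thanks to the dash an
 * all-blank name or a resident called "OK" cannot imitate 'Resident:OK'. */
void print_name(const char *raw, char *out, size_t outsz)
{
    if (raw == NULL || raw[0] == '\0')
        snprintf(out, outsz, "%s", "-???????");
    else
        snprintf(out, outsz, "-%s", raw);
}

/* The primitive -d parser: no argument = no ASCII display, bare "-d" = the
 * default 3, "-dN" = N. Like the original, it gives no error messages. */
int parse_d_option(const char *arg)
{
    if (arg == NULL || strncmp(arg, "-d", 2) != 0) return 0;
    return arg[2] == '\0' ? 3 : atoi(arg + 2);
}

static int cmp_addr(const void *a, const void *b)
{
    unsigned long x = *(const unsigned long *)a, y = *(const unsigned long *)b;
    return (x > y) - (x < y);
}

/* -dN rule: sort the BAD vector addresses, group neighbours lying within
 * WINDOW bytes of each other, and count the groups of at least `threshold`
 * vectors; each such group would get an ASCII display of its memory. */
int ascii_displays(unsigned long *addrs, size_t n, int threshold)
{
    if (threshold <= 0 || n == 0) return 0;
    qsort(addrs, n, sizeof *addrs, cmp_addr);
    int displays = 0, run = 1;
    for (size_t i = 1; i <= n; i++) {
        if (i < n && addrs[i] - addrs[i - 1] <= WINDOW) { run++; continue; }
        if (run >= threshold) displays++;
        run = 1;
    }
    return displays;
}

/* Constructed sample scan: six BAD vectors, three of them next to each other. */
static const unsigned long SAMPLE_BAD[] =
    { 0x7f000UL, 0x1000UL, 0x7f020UL, 0x200000UL, 0x7f010UL, 0x200100UL };

int sample_displays(const char *d_arg)  /* ASCII displays for one -d argument */
{
    unsigned long copy[sizeof SAMPLE_BAD / sizeof SAMPLE_BAD[0]];
    memcpy(copy, SAMPLE_BAD, sizeof copy);
    return ascii_displays(copy, sizeof copy / sizeof copy[0], parse_d_option(d_arg));
}

int name_shown_as(const char *raw, const char *want)  /* 1 if printname gives want */
{
    char out[64];
    print_name(raw, out, sizeof out);
    return strcmp(out, want) == 0;
}
```

With the sample scan, a bare -d (threshold 3) yields one ASCII display for the three neighbouring vectors at $7F000-$7F020, -d1 yields three, and -d5 none.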
THE COLD RESET ROUTINE :

Like mentioned before, by pressing the left mouse button during the warning display, you can kill ALL resident programs/viruses in memory. This routine is similar to switching the computer off and on, so NOTHING can survive this sort of reset. I've tried a lot of 'reset versions' to see which one was the most compatible one and would work on each system. First I used an adjusted version of the 'official' reset routine published by Commodore. Well, this one didn't seem to work at all on an A3000 or on some autoboot harddisks. From version V4.9, there is a new reset routine, that should work much better and be more compatible. Special thanks must go to Geert Coelmont for sending an official reset routine !!. There is also a new reset version in boot now, that should solve the previous problems with autoconfig boards.

SHORT FINDEMALL HISTORY

-V1.0 : checked only ColdCpt, CoolCpt, WarmCpt and KickTag
-V1.1 : added KickMem and KickCheckSum test (the last one shouldn't be checked)
-V2.0 : First 'advanced' version.
        - First library checker routine for exec.library and trackdisk.device
        - Checked residents => only one resident displayed
        - Checked ColdCpt, CoolCpt, WarmCpt, KickMem, KickTag, KickCheckSum and hardints.
        - Memory allocated, 80 cols (didn't work on kick 2.0), 'official' reset-routine.
-V2.1 : Included intuition.library and graphics.library check, and a few much used ExecInts.
-V2.1+: Better display
-V2.2 : Added timer.device and layers.library check, checked ALL ExecInts
-V3.0 : First version of FindEmAll that went through the list to check ALL libraries/devices/resources. Included TrapVec and ErrVec check.
-V3.1 : RAM/ROM L/D/R detection, TaskVecs checked, multiple (5) residents displayed, KickTag field removed (because of the checked residents)
-V3.2 : Test version
-V3.3 : First version with task-check, ExecInt checked better, SoftList checked, max. 7 residents displayed
-V3.4 : Test version
-V3.5 : DebugEntry check added, checks included for use with 'special' 32-bit RAM outside the 16 MB area.
-V3.5+: Added Port-display
-V3.6 : Better and new task-check.
-V3.7 : First check of interrupt servers
-V3.8 : New CheckLibrary routine (safer)
-V4.0 : Much better interrupt server check ('BAD' ones also checked), automatic server<->handler detection included.
-V4.1 : Safer server check (no more GURUs with BAD lists)
-V4.2 : Much safer library checker, display reorganised
-V4.3 : Shorter and faster library check-routine, memory used is NOW allocated properly, PAL/NTSC check
-V4.4 : KickTag check reinserted (You never know .....), code tidied up a bit, library check routine more watertight against 'smart' guys. FIRST OFFICIAL RELEASE.
-V4.5 : ONLY CLI/Workbench programs improved, since the added things can only be checked in CLI/Workbench. Added DOSBase check, internal dos.library check and KickMemList(s) display. Fixed the task-check bug.
-V4.6 : - Exec library test made safer (99% watertight). The new bootblock does this test.
        - CLI checkers made even safer (99.9% watertight !!)
        - FastFonts and BlitzFonts programs support added in vectors program, and also LoadWB (AmigaWiz !) and explode library recognized.
        - KickMemList display 'bug' in FindEmAllvectors fixed.
        - 'Smart' ASCII display of memory in vectors program.
        - SoftList and Ports checks removed from bootblock (rather useless ?).
        - rt_Init field (jump address of a resident routine or data) and rt_EndSkip field (end of structure) of residents displayed by vectors program.
-V4.7 : - Hmmm, I (at last !) found that the ExecPatch isn't done yet during boot, so I could remove this routine, and so I had space to re-include the SftList check. Because of this new library test the bootblock has become just as watertight as the CLI version !!!!
        - Security improved drastically by not using the NT_TYPE (node !) values.
        - Exec.library test made mega-safe !!! (99.999% waterproof !)
        - Dos.library check also made extra safe.
        - Much safer RAM/ROM detection
        - Running Task is now also displayed.
        - Drive motor is stopped during boot-display.
        - Replaced OldOpenLibrary by OpenLibrary in CLI programs
        - Placed Servers at another place on the screen in CLI, because there are more libraries and tasks in CLI !!!
-V4.7+: - Bootblock/Programs now also have safer RAM/ROM detection
        - Ports check deleted (again ???) from bootblock.
-V4.8 : - Brand new and very good ROM/RAM L/D/R detection routine, very safe. Because of this new and long routine, the SoftList check was deleted again in the bootblock (forever ???)
        - Vectors program now also checks library checksums and the Resident's matchword.
        - No more fiddling possible with libraries' negative sizes.
        - Libraries closed after use in CLI (no place for it in BOOT !)
-V4.9 : - LMB "bug" fixed in CLI program
        - Table added with the negative sizes of some very important ROM libraries/devices/resources, making CLI-checks mega-safe.
        - New COLD-reset routine in CLI programs.
-V5.0 : - I was out of 4.x versions, so what's new ????
        - Many code changes to make the bootblock code even shorter and more compatible + waterproof.
        - Negative size of exec.library checked in boot also.
        - Negative size of libraries not CHANGED anymore, just checked, so no more BAD library checksums caused by the FindEmAll program. (Many viruses, however, WILL corrupt library checksums !!!)
        - New, very SHORT and compatible COLD-reset routine in boot.
        - Checks against odd addresses added (less GURUs with bad lists).
        - No more self-modifying code in programs, so there cannot be problems with 680X0 caches (although the previous versions modified their code in a quite compatible way, no GURUs there !!!!)
        - KeyboardReset is checked (Important ????) ONLY in CLI, since the check routine takes too much space (almost 100 Bytes !!)
        - Much beta-testing of this version was done on Kickstart 1.2, 1.3, 2.0, on Amiga 500, 2000+HD+68030, Amiga 3000 in order to 'earn' the 5.0 version.
-V5.1 : - The name of the programs was changed from 'Memcheck' to 'FindEmAll', that should sound more logical (thanks to Erik for this tip).
        - The CLI program is made much more user-friendly, and I added an analyze display for activities done a lot by viruses.
        - There is also a WARNING text in boot now, but unfortunately I had to remove the more unimportant fields from the boot (but normally these vectors won't be used by viruses).
-V5.2 : - Just some small stuff changed, please send me more suggestions next time, so I can make better improvements !!
        - The CLI version didn't seem to always "switch" properly from one "big" alert window to the other on my kick 1.2, the present version tries to solve this by using a Delay between the displays.
        - No more key press check in CLI, only LMB check !!
        - The bootblock installer now saves 4 versions of the bootblock, so "experts" can save the 'no-warning-prompt versions' also.
        - The installer should run okay now when started from WORKBENCH, I forgot to ReplyMsg the Workbench message, causing memory loss and sometimes a GURU. The CLI FEA program now also does this, YES you CAN run it ALSO from WORKBENCH, did you know this ??
        - I don't use the Kick2.0 ColdResetRoutine anymore, it didn't seem to be safe in all-day use.....
-V5.3 : This can not be called a "real" V5.3 version, I'm tired of changing version numbers for e.g. the bootinstaller, when the boot stays the same. This policy will probably be kept in the future.
        - The Vectors program can now be called from Workbench also, and it will automatically open a window for its output.
        - There is a preview included of the FindEmAll checker that keeps on checking the vectors permanently. Concerning the fully functional version, read the FindEmAllResident section.
CLI CHECKING VERSUS BOOTBLOCK CHECKING / CLI FINDEMALL INSTALLATION

There are a few differences between virus-memory-checking in CLI/Workbench and checking during the boot :

- Viruses (LINK) that don't stay in memory during a reset (XENO !) WON'T use 'Class A' vectors to stay in memory. These viruses are quite difficult to find in memory since they usually stay resident by way of libraries. Viruses of this type won't be found in memory during boot since they ARE NOT in memory at that time. These viruses are very rare at the moment. The solution to this is to use a checker that starts from CLI and that can deal with that virus. The CLI version of my FindEmAll program or the FindEmAllvectors program could be used for this.

- Some viruses use special techniques to hide from memory DURING the boot. AFTER the boot they re-install the Class A vectors in order to survive the following reset. So, when a virus manages to bypass detection by my boot (which is unlikely, but never impossible), I advise you to put the CLI version somewhere at the 1st-3rd place in the s/startup-sequence. I do it this way: I place the CLI FindEmAll command in the first AND the third place, just to be on the safe side. REMEMBER, a reset-proof virus can NOT be hidden from detection after startup (=> in CLI), this is their main weakness !!!!!

- Some viruses "skip" the real bootblock, so my bootblock detector would not be run => no warning (Waft Virus !), so beware of this. Try the CLI program if you see weird things like no black screen with a FEA installed disk !!!.

- Some viruses, like bombs (Taipan...), are NOT resident in memory and can therefore NOT be detected by this program (rather obvious...).

By the way, if you run SetPatch before the FindEmAll CLI program is run, you can see that there are a LOT of bad libraries. This is an inconvenience that hasn't been dealt with until now. So run the CLI program BEFORE the SetPatch command. Also when you start up the Workbench, you could notice that there is one vector changed in the intuition.library (-$0114). Don't worry about this. If you have doubts about some changed vectors, run the vectors program since it knows a few programs that change libraries, like FastFonts, .... More programs will probably be added !!

- The bootblock is intended to find a virus in boot, even if it uses hiding techniques.

FUTURE UPDATE PLANS + HELP NEEDED

- If possible, even more checked !!
- An installer that automatically finds the kickstart start address. (This could cause problems with ROM-modules at $f..... )
- Bigger and more flexible CLI FindEmAllvectors version: SetPatch, ... recognition, if possible (the recognition routine should be quite short but still VERY safe)
- The program "FindEmAllvectors" can be improved a lot. Ability to break the program by 'Ctrl-C', but I don't know how to do it .... Any hints ?? (In assembler !!!)
- Maybe a reset-proof checker if time allows it.
- More library checks. Does anyone have a good description of the COMPLETE (POSITIVE part) dos.library, xx.library, xx.device, xx.resource structures, ... eventually also on kickstart 2.0 ??? Send it to me, please !!!
- ANY SUGGESTIONS ???? -> Write me !!!

THE RESIDENT FINDEMALL PROGRAM
------------------------------

Well, I've got a lot of demands from my friends to make the CLI checker so that it keeps on checking the vectors permanently in memory, every x seconds or so. I first thought this would take too much CPU time, if the program checked every 1-3 seconds. But, when testing the speed of the routines more closely, I noticed that I was able to call the complete routine 15 (!) times / second. So, I decided to make this sort of checker. The Resident checker on this disk is some sort of a preview. It NEEDS to be started with the RUN command, and it keeps on checking all the things checked by the other programs.
When you get a warning window, the ONLY way to keep the checker resident is to press the RIGHT mouse button ("CONT") in the "technical info". So, the order to keep the program resident is: LEFT-RIGHT. To Exit: RIGHT-RIGHT or LEFT-RIGHT-RIGHT. For a HARD reset: RIGHT-LEFT or LEFT-RIGHT-LEFT. This preview version is still quite hungry on CPU usage (± 10%), and it can still have some bugs.

Now, the FINAL working version of this resident checker will do the following things:
- It won't need the RUN command to run (This is already finished)
- Hopefully less CPU usage.
- You can select the # of seconds between each check (CPU usage !).
- It runs with only ±10 Kb of memory usage.
- It can be started from WB (The preview crashes when started from WB ;->)
- .....

ATTENTION !!!!!!! This "FINAL" version will ONLY be given to REGISTERED USERS of FEA !!! In my opinion, I had too little feedback on my previous versions of FEA, I only had a few BUG reports or suggestions for improvements. A "registered" version will carry your personal name, and this one WILL be copyrighted (although the AMIGA world doesn't give a damn about copyrights.....). It is not my goal to earn money when releasing this registered version, it is only a way to get some recognition for my spent time. People who I consider to be a good help will get this version for free; if you want to order this version together with the newest version of the other programs, 5$ or an equivalent amount will be enough for me to cover the costs for mail, disk, ..... Please state your real name and address (no PO boxes !) when ordering the registered version.

THE AUTHOR - ME !

Hmm.... I am a 20 year old Amiga freak, graduated as a programmer-analyst since last year. I'm working as a systems manager/programmer since the 6th of January 1992 (It's a great job !!). I use an Amiga 500 with a KCS Power PC Board (Shame on me ??? - well, the reset-proof ramdisk is quite good .... The Emulator isn't used !!), together with a STAR LC24-200 (Help !! My printer's 1.2 ROM has a few bugs when printing graphics, it sometimes skips lines when it has to PRINT... anyone has a similar problem ????) and one 5 1/4 disk drive. For the moment it's quite poor but when I earn enough money I'll maybe get a super-charged A2000 !, or a Tower-3000 maybe.... I'll just wait and see.

THANKS

I wish to thank the following people for their help and moral support:
- Geert "Cóóóóóól-G" Coelmont for his high-tech remarks and enthusiasm. Write more of those great demos and mega-blasts, Geert !!!
- Grégoire Jean Christophe for everything ... (yeah !!)
- The Emro store in "Hasselt" for free use of their A3000, with that nasty 32-bit memory, that mega-68030 processor and kickstart 2(.01 ??)
- Walter Schoenaers for his technical electronic bullshit and his 1001 questions and comments.
- Elen Joachim for giving me some competition with his Medicine Viruskiller and for always ripping off my ideas or routines !
- Ronny Joris for his moral support, crazy mind and para-psychologic headaches (and also his wonderful ice-creams ...) !!
- Ronny Plevoets for his "expert" opinion on "rasters", copper-"lines" and 11 ms harddisks.
- Beautiful girls with curly hair that keep me dreaming and hoping !.. (although they don't need to have curly hair !!!) (I would like to have some mail from ANY girls !! - 300 % reply !!!). (26-07-92: No responses until now ..... Come on girls !!!!)

QUESTIONS....

Like stated earlier, questions can be sent directly to me and I'll try to find an answer for them. If there are some confusing things in the manual, let me know as the manual for this program is quite new. I'll change the doc file, if possible. Urgent questions can be answered directly, by mail. If you have Virus problems, also send the virus, if you can. If it is a new virus, I'll also forward it to Erik Løvendahl. Discretion is assured about your name and address, unless you WANT it published !!
BUGS

Kickstart 1.2/1.3 probably has a bug in its DisplayAlert function: when closing an Alert window, you can sometimes get in trouble, the screen becomes messed up, or you get a GURU. I've noticed this happens more often when you try to drag a window at the same time the window gets closed. This is NOT a FEA program bug, it's a kickstart bug. This bug doesn't appear to exist on kick 2.0. There could be some bugs left !! If you find bugs, contact me !!!

SOURCE CODE.

Hmmm... Normally I don't give away source code, but if you don't trust me, it would be possible that I send the source to one or two well-known anti-virus programmers, so they could check it. The latest source isn't normally sent to persons that I don't know, but you never know if you can convince me of your good intentions (probably not). The source of the previous versions, however, CAN be obtained !! I'll have to say that the code of the installer and the vectors program is not written with a lot of care for loops, .... since there is enough place for these programs, not every byte is important. The code of the bootblock/CLI checkers is written quite a bit better and therefore much shorter.

------------------------ Good Virus hunting !! -----------------------------

Signed,
Koen Peetermans alias 'The Exorcist'