Virus Protection
| Volume Number: | | 8
|
| Issue Number: | | 2
|
| Column Tag: | | Pascal Workshop
|
Related Info: Resource Manager
Simple Antivirus Protection
An anti-virus scheme that can be painlessly added to every application.
By Nicholas Pisarro, Jr., Westport, Connecticut
About the author
Nick Pisarro is the principle architect of Aperture Visual Information Manager by the Graphic Management Group, Inc. He has been involved with all aspects of computer design including both hardware and software since 1961 and with the Macintosh since 1986.
The Virus Scout Pascal unit described in the January 1991 Programmer’s Forum is a nice idea. One problem with Virus Scout was that it was coded to handle only those specific viruses that the author knew about and could offer no protection against any future viruses that may infect an application.
It did set me to wondering, however, if there is a way to make both a simpler yet more universal virus detection scheme. I began to think about how viruses infect and reproduce themselves through an application, and how I could have applications I have developed protect themselves from becoming infected.
In order for a virus to infect an application it needs to either modify the existing resources of an application and/or add resources of its own. In order to reproduce it needs to seize program control from the application and the user’s Macintosh in order to issue its own instructions of death and destruction. This requires modification of a code resource such as ‘CODE’, ‘WDEF’, ‘MDEF’, or ‘LDEF’ resource types.
Usually a virus inserts a small stub of code in an existing resource to branch to one of its own resources, or it inserts a whole new code resource of its own to seize control. I don’t believe any viruses try to insert all their code in an existing application resource but always have to add a resource. Adding to a code resource, by linking in code, is a difficult operation and runs the risk of overflowing the size restrictions of code resources.
One advantage a virus detection scheme has within an application is that it knows how many and what types of resources the application should have! Rather than checking for the addition of specific virus resources, the virus detection scheme presented here just checks the number of resources the application should have against the number it actually has. In addition there is a Toolbox call that tells me the number of types of resources a resource fork has as well as specific counts. This may be used to check for the addition of additional types of resources. As the resource map for an application is in memory when it is running these types of checks do not use significant amounts of computer time.
It would be possible to check counts of all the resource types an application has, but I believe just checking the specific counts of its code resources is sufficient. A virus must insert or modify a code resource to gain control.
The Pascal unit here reads a resource with a count of the number of types of resources an application has as well as counts of specific types. If it finds any mismatch between expectations and reality, it notifies the user and causes the application to quit early. Note the “Get1” form of the resource call is used to get counts only from this application. This unit must be run before any data file resource forks are opened. If the application modifies its own resource fork, it must be careful not to do it in a way that triggers this virus check.
In the sample code no specific resource type has been assigned for the information resource. If all applications used the same type for this resource, a new virus could be written to circumvent this protection scheme. Use your own type.
Note that the code here is only concerned with viruses that infect an application, rather than viruses that infect files in the System Folder or the Desktop. Code like that from Virus Scout or elsewhere could be added to do this additional checking.
Listing
{Written by Nicholas Pisarro, Jr., Aperture Technologies, Inc.
No rights reserved.}
UNIT VirusCheck;
INTERFACE
USES
{$LOAD}
MemTypes, QuickDraw, OSIntf, ToolIntf, PackIntf;
{Returns TRUE if Application can run.}
FUNCTION ApplicationCanRun: BOOLEAN;
IMPLEMENTATION
{Returns TRUE if Application can run.}
FUNCTION ApplicationCanRun: BOOLEAN;
CONST
kVirusChkKinds = '????';{Rsrc type for the # 'CODE' & # of Kinds of
resources}
kVirusChkID= 32; {Resource ID for the Virus Check Rsrc}
{The Virus found alert and its sub-messages}
kVirusAlrt = 1282; {A Virus has been detected!}
kCountRsrcMissing = 1; {The Resource count Resource is missing}
kTypeMiscount = 2;{Wrong number of resource types}
kRsrcMiscount = 3;{Wrong number of a specific res. kind}
TYPE
{Resource & Count list.}
RsrcCount = RECORD
RType: ResType;
RCount:INTEGER;
END;
RsrcRSRC = ARRAY[0..0] OF RsrcCount;
pRsrcRSRC = ^RsrcRSRC;
hRsrcRSRC = ^pRsrcRSRC;
VAR
{For counting Resources.}
theResType:ResType; { The kind we’re looking for }
subMsgNo:INTEGER; { Submessage number }
msgStr,{ Submessage to go into dialog}
workStr: Str255;{ Resource name to go into the message }
aRsrcRSRC: hRsrcRSRC; { Handle to the Count Rsrc}
i:INTEGER;
dummy: INTEGER;
LABEL 100;
BEGIN { ApplicationCanRun }
ApplicationCanRun := FALSE;{Assume failure.}
{Virus Check: Load resources with counts of various kinds of resources
in Application. Make sure the counts in the resource match the actual
counts in Application.}
workStr[0] := CHR(0); {Make WorkStr have no length.}
{Try to get the counts of the various resources in the Application.}
aRsrcRSRC := hRsrcRSRC(Get1Resource(kVirusChkKinds, kVirusChkID));
IF aRsrcRSRC <> NIL THEN BEGIN
{Check out each of the counts read.}
FOR i := 0 TO GetHandleSize(Handle(aRsrcRSRC)) div SIZEOF(RsrcCount)
- 1 DO BEGIN
{If the kind is a 0, a total resource count is wanted.}
IF ORD(aRsrcRSRC^^[i].RType[1]) = 0 THEN BEGIN
{Does the total number of resource kinds in the Application
match the count the resource?}
IF (Count1Types <> aRsrcRSRC^^[i].RCount) THEN BEGIN
subMsgNo := kTypeMiscount; { Sub message }
{Issue a Virus Alert to the user.}
100: GetIndString(msgStr, kVirusAlrt, subMsgNo);
ParamText(msgStr, workStr, '', '');
dummy := StopAlert(kVirusAlrt, NIL);
EXIT(ApplicationCanRun);
END;
END
{Otherwise, check a specific type.}
ELSE BEGIN
{Does the number of this kind of resource in the Application
match the count the resource?}
theResType := aRsrcRSRC^^[i].RType;
IF Count1Resources(theResType) <> aRsrcRSRC^^[i].RCount THEN BEGIN
{ Make a string out of the resource type. }
WorkStr[0] := CHR(4);
BlockMove(@theResType[1], @workStr[1], 4);
subMsgNo := kRsrcMiscount; { Sub message }
GOTO 100;
END;
END;
END; {End FOR i }
{Finished with the resource}
ReleaseResource(Handle(aRsrcRSRC));
END {End IF aRsrcRSRC <> NIL}
{Count Resource not found.}
ELSE BEGIN
subMsgNo := kCountRsrcMissing; { Sub message }
GOTO 100;
END;
{Possibly put other virus checks, checks for the proper system version,
etc. here.}
ApplicationCanRun := TRUE; {Success!}
END; { ApplicationCanRun }
END.
