What of the three features listed above would you like to see most?
Scanner: 41% [5]
Real Time Shields: 33% [4]
RunProgram Hook: 25% [3]
Total Votes: 12

_player1537 wrote:
And *only* the homescreen? Or will this still work for in programs?
It would work in programs perfectly well; the Doors CS runprog hook, for instance, is restricted to programs run directly from the homescreen.
New Progress Report

What's Done:

-Data
-Installer (waiting on mal hex search strings)
-Write Update Definitions routine.
-Get OS checksum routine (2 byte)

Left to Do:

-Get hex mal search strings
-Get program list generator routine
-Get hook installation routine
>Write main part of program
-Write Scanner
-Write Setting display and Settings change

> means currently underway.

Expecting sufficient progress tomorrow.
Good stuff, good luck. You could help me a lot in the mal hex department by finding programs that you consider "malware" of some sort so I can figure out what commonalities define a program as malware in your sight.
I'm with KermM, I don't quite see how you could identify a program as malicious...

Program list generator: There used to be an amazing tool to do this, unfortunately, I can never remember where it was. I just know it came with something to make TI Basic shells. If you'd like, I'll look for it in a few?

Hooks! I love love love hooks! I'll gladly help in that department when the time comes.

Quote:
-Write Setting display and Settings change

What are the settings for? Like flags, such as lowercase, or general program settings like turning on/off the hook?
@Player: general settings. I'd need asm for flags.

@Kerm, well, there's BRICK.8xp by Brandon W, containing certificate editing, flash unlocking, boot code modifying, and OS invalidation. I'll look for more.

I consider a program to be malware if it does dangerous actions like these. Like you said right at the start, we're not going to be able to intercept every potential crash or freeze, but if we can prevent the more severe stuff, then we have a purpose. And remember, Kerm: if we just put those mal-codes in for now and then find more, I just put them in a virus definitions update file and upload it. The program is designed to auto-update if it finds an update file. That's already done.

@Player and Kerm, the purpose of the parser hook is to do this.

Let's say arbitrary program prgmAAA is about to be run.

The hook intercepts it and reads through prgmAAA, looking for malcodes. If some are found, it says "Found issues:", tells you what it found (unless that's too much work), then asks whether you want to trust or block. It needs to do this any time a program is run. And, would such a hook activate when a program is called from within another?

Also, I would, obviously, need a small routine to check for whether the hook is currently installed or not.


I'm done with what I can do without the routines. Everything else requires the routines present for testing purposes.
List of bad programs:

-BRICK.8xp

-the program to screw up the screen (makes it turn blue and burns it), forgot the name. I saw it once in the ticalc.org archives and I believe on brandonw's site.

-OFFBY1 prank (http://www.ticalc.org/archives/files/fileinfo/410/41073.html); there's another version in the omnimaga forums somewhere that I requested.

I'll update this as I find more.

Now Kerm, will your HOOK require a manual confirmation on these before it runs the BCALL or before it runs the PROGRAM?
Wait, I thought that your program is handling everything. All that I was going to make the hook do was invoke your program with the name of the program about to be run before running said program, to give your program the opportunity to check the program for possible malicious code, prompt the user to allow or block the program, and act accordingly.
Would that cause issues? I could do it, but it would be a little smoother if the Hook was in complete control at that point. I will test a little bit and let you know. It will require more complex Axe coding, though, as Axe's inData( command only supports searching for one byte in zero-terminated data.
ACagliano wrote:
Would that cause issues? I could do it, but it would be a little smoother if the Hook was in complete control at that point. I will test a little bit and let you know.
That would mean that the hook would have to be in charge of reading all programs being executed, looking for all the malicious code segments, and prompting the user as to whether to run or block the said program.
Indeed. I would think that would be smoother than transferring control to a program, would it not? If you would be willing to code that, as I know you are quite busy.

I will be playing around with this for the full system scanner inside the program, and once I get it working I'll bump this topic with whether I could do it hookwise as well.
It is possible for me to do it in that your hook transfers control to a program that I write. However, I would guess that, then, not only would the hook have to be installed, but the hook would then have to check for whether its needed program is installed and throw an error if it isn't. Couldn't that get messy? Correct me if I'm wrong.

Current progress is on rewriting the main menu...
ACagliano wrote:
It is possible for me to do it in that your hook transfers control to a program that I write. However, I would guess that, then, not only would the hook have to be installed, but the hook would then have to check for whether its needed program is installed and throw an error if it isn't. Couldn't that get messy? Correct me if I'm wrong.

Current progress is on rewriting the main menu...
I think 'messy' is a bit too strong of a word for it, but I get your point regardless. The problem though is that if I implement everything in the hook, then there's not much more for you to add. Don't forget, the hook is going to have to be inline ASM inside your app.
Yes. I understand. But, I have other features I'm working on. And the hook will be a separate entity from the full system scanner, which I will be doing as soon as I have a routine for returning the program list.

Also, Kerm, another question. What would be required if I wanted the antivirus's installer to auto-create a DCS folder for itself called BLAST, and place itself in that folder? Edit: Forgot to add: it only does this if it finds DCS installed on the calc.
ACagliano wrote:
Yes. I understand. But, I have other features I'm working on. And the hook will be a separate entity from the full system scanner, which I will be doing as soon as I have a routine for returning the program list.

Also, Kerm, another question. What would be required if I wanted the antivirus's installer to auto-create a DCS folder for itself called BLAST, and place itself in that folder? Edit: Forgot to add: it only does this if it finds DCS installed on the calc.
All you'd need to do is a quick scan through the filesystem to find the highest folder ID, then create your folder (which is just a protect program). It's quite trivial. Programs are simply tagged as in a folder using their T2 byte.
How exactly would I scan for the files? And what data should I add to create the new folder structure? And then, how would I alter the byte? Where is it in relation to the start of the program?
ACagliano wrote:
How exactly would I scan for the files? And what data should I add to create the new folder structure? And then, how would I alter the byte? Where is it in relation to the start of the program?
You scan for the files in the VAT. To create the new folder, you create a protected program called %FLD[byte of folder number] with T2 byte 01 (putting it in the main folder) with eight bytes of contents, eg. "BLASTAV[null]".
So,


Code:
"prgm%FLD"->Str3AA
GetCalc(Str3AA,8)->K


Now I have a pointer to a program called "%FLD". Is % what makes it hidden? And how do I name the folder?

Then, I do


Code:
"BLAST5  "->Str3AB
Copy(Str3AB,K,8)


That copies the name BLAST5 to the program "%FLD", with 2 null chars, for the 8.

What about the T2 byte 01? In Axe, the start of the data of program BLAST5 would be obtained by doing:


Code:
"prgmBLAST5"->Str3AC
GetCalc(Str3AC)->V


{V} is the start of the data.
{V-2}r is the two byte size of the file

Where is the T2 byte (if you know)?

Edit:

Here are some things of interest for the hex malcodes:


Code:
.db 0BBh,6Dh
call UnlockFlash
;Set up RAM
ld hl,appBackUpScreen
ld de,appBackUpScreen+1
ld (hl),0FFh
ld bc,767
ldir
ld hl,newCertStart
ld de,appBackUpScreen
ld bc,newCertEnd-newCertStart
ldir
bcall(8057h) ;_GetCertificateStart
call getCertPage
ld hl,4000h
bcall(_EraseFlash)
call getCertPage
ld hl,6000h
bcall(_EraseFlash)
;Write the new certificate
call getCertPage
ld hl,appBackUpScreen
ld de,6000h
ld bc,768
bcall(8087h) ;_WriteFlashUnsafe
call getCertPage
ld de,4000h
ld b,0
bcall(_WriteAByte) ;mark the unused sector as valid as well ;(this will confuse the boot code beyond repair)
xor a
ld de,0056h
ld b,0
bcall(_WriteAByte) ;invalidate OS
bcall(_MarkOSValid) ;mark OS valid so boot code must invalidate it
rst 00h ;reboot to the boot code

It is the opening section of BrandonW's brick.8xp.
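An added example (not code from the thread, from BLAST or from Doors CS) of the multi-byte signature search that the run-program hook and the full-system scanner described above both need, and that Axe's inData( cannot do directly. The definitions-file layout, the sample programs and the signature names are constructed; the two bcall addresses are the ones in the brick.8xp listing.

```python
# Added example, not code from the thread or from BLAST: the multi-byte
# "malcode" search the hook/system scanner needs. Axe's inData( only finds one
# byte in zero-terminated data, so the search is written out here. The
# definitions layout and the sample programs are constructed, not real files.
def program_body(raw: bytes) -> bytes:
    """Program data as the Axe snippets see it: 2-byte size ({V-2}r), then bytes ({V})."""
    size = raw[0] | (raw[1] << 8)
    return raw[2:2 + size]

def parse_definitions(blob: bytes) -> list:
    """Assumed update-file layout: [count] then per entry [plen][pattern][nlen][name]."""
    defs, i = [], 1
    for _ in range(blob[0]):
        plen, pattern = blob[i], blob[i + 1:i + 1 + blob[i]]
        i += 1 + plen
        nlen, name = blob[i], blob[i + 1:i + 1 + blob[i]].decode("ascii")
        i += 1 + nlen
        defs.append((name, pattern))
    return defs

def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset of pattern in data, overlapping matches included."""
    hits, start = [], 0
    while (pos := data.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits

def scan_program(raw: bytes, defs) -> list:
    """(signature name, offset into program body) for every hit."""
    body = program_body(raw)
    return [(name, off) for name, pat in defs for off in find_all(body, pat)]

def scan_calc(programs: dict, defs) -> dict:
    """Full-system scan: only programs with at least one hit are reported."""
    return {n: h for n, raw in programs.items() if (h := scan_program(raw, defs))}

# bcall(addr) assembles to rst 28h (opcode EFh) followed by addr little-endian;
# the two addresses are the ones in the brick.8xp listing above.
DEFS = parse_definitions(
    b"\x02"
    b"\x03\xEF\x57\x80" b"\x14_GetCertificateStart"  # bcall(8057h)
    b"\x03\xEF\x87\x80" b"\x11_WriteFlashUnsafe"     # bcall(8087h)
)

# Constructed sample programs (BBh 6Dh header, then code); only BRICK has the bcalls.
BAD = bytes.fromhex("BB6D EF5780 210040 EF8780 C9")
GOOD = bytes.fromhex("BB6D 210040 C9")
PROGRAMS = {"BRICK": len(BAD).to_bytes(2, "little") + BAD,
            "HELLO": len(GOOD).to_bytes(2, "little") + GOOD}
```

`scan_calc(PROGRAMS, DEFS)` reports only BRICK, with both signatures and the offsets at which they sit in the program body.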
Firstly, no on your first piece of code. Doors CS creates each folder as a separate file called %FLDN, where N is a byte value from $00 to $FF. If you want to do the lame, Omega(n^2) method instead of the Omega(n) method, you search for %FLD[$01], then %FLD[$02], etc, and create the first one that doesn't exist. Once you figure out how to create that with size 8 bytes, you copy the name in with nulls padding it out to 8 bytes.

ACagliano wrote:
Where is the T2 byte (if you know)?
You're really tempting me to flare my nostrils with that "if you know" line. I wrote the freaking shell and the entire folder system, how could I not know where the T2 byte is? It's the byte below the first byte of the VAT entry for a given program. I don't know if Axe has a way to give you the VAT entry of a program.
KermMartian wrote:


ACagliano wrote:
Where is the T2 byte (if you know)?
You're really tempting me to flare my nostrils with that "if you know" line. I wrote the freaking shell and the entire folder system, how could I not know where the T2 byte is? It's the byte below the first byte of the VAT entry for a given program. I don't know if Axe has a way to give you the VAT entry of a program.


I know you know where the T2 byte is. Sorry. I typed that bad. I was asking if you know how to access it in AXE, in relation to where the size byte is. If you can tell me how many bytes below the size bytes it is, I can do this:

assume the T2 byte is 4 bytes below the size byte (just picking a random number). Then it is accessed in Axe by

{V-6}

because the size bytes are two below the data start (V) and the T2 byte is 4 below that, so that's V-6 to get to it.


Oh, and what is the "%"? Is it necessary?
ACagliano wrote:
KermMartian wrote:


ACagliano wrote:
Where is the T2 byte (if you know)?
You're really tempting me to flare my nostrils with that "if you know" line. I wrote the freaking shell and the entire folder system, how could I not know where the T2 byte is? It's the byte below the first byte of the VAT entry for a given program. I don't know if Axe has a way to give you the VAT entry of a program.


I know you know where the T2 byte is. Sorry. I typed that bad. I was asking if you know how to access it in AXE, in relation to where the size byte is. If you can tell me how many bytes below the size bytes it is, I can do this:

assume the T2 byte is 4 bytes below the size byte (just picking a random number). Then it is accessed in Axe by

{V-6}

because the size bytes are two below the data start (V) and the T2 byte is 4 below that, so that's V-6 to get to it.
Hehe, no problem. Actually, the T2 byte of a program (along with the pointer to the program, its Flash page, and its name) are all stored in the VAT, not with the program's data. Axe does not return the VAT pointer from any of its functions?
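An added example, not code from Doors CS or from the thread, modelling Kerm's folder procedure (find the first free %FLD[N], create it as a protected 8-byte program in the main folder, then tag the program's T2 byte) in Python rather than Axe, with the VAT simulated as a dictionary so that the T2 byte sits in the VAT entry and not in the program data, which is the point of the last two posts. The pre-existing files and the assumption that a program's T2 byte equals the ID of the folder it sits in are constructed.

```python
# Added example, not code from the thread or from Doors CS: a model of the
# folder procedure Kerm describes. The VAT is simulated as a dict keyed by
# program name; each entry carries the T2 byte (it lives in the VAT, not in
# the program's data) and the program's bytes. Names and values are constructed.

FLD_PREFIX = b"%FLD"          # folder files are %FLD followed by one ID byte
MAIN_FOLDER = 0x01            # T2 value Kerm gives for "in the main folder"

def folder_ids_in_use(vat: dict) -> set:
    """One pass over the VAT: every N for which a %FLD[N] file exists."""
    return {name[4] for name in vat if name[:4] == FLD_PREFIX and len(name) == 5}

def first_free_folder_id(vat: dict) -> int:
    used = folder_ids_in_use(vat)
    for n in range(0x01, 0x100):
        if n not in used:
            return n
    raise RuntimeError("all 255 folder IDs are taken")

def create_folder(vat: dict, display_name: bytes) -> int:
    """Create %FLD[N] as a protected 8-byte program in the main folder; return N."""
    if len(display_name) > 8:
        raise ValueError("folder name is at most 8 bytes including padding")
    n = first_free_folder_id(vat)
    vat[FLD_PREFIX + bytes([n])] = {"protected": True, "t2": MAIN_FOLDER,
                                   "data": display_name.ljust(8, b"\x00")}
    return n

def move_into_folder(vat: dict, prog: bytes, folder_id: int) -> None:
    """Tag a program as inside folder N by rewriting its T2 byte in the VAT.
    Assumed: a program's T2 byte equals the ID of the folder it sits in."""
    vat[prog]["t2"] = folder_id

# Constructed VAT: folder ID 1 already exists, and the AV program sits in main.
VAT = {
    FLD_PREFIX + b"\x01": {"protected": True, "t2": MAIN_FOLDER, "data": b"GAMES\x00\x00\x00"},
    b"BLASTAV": {"protected": True, "t2": MAIN_FOLDER, "data": b"\xBB\x6D\xC9"},
}

def install_blast_folder(vat: dict) -> int:
    """The installer step from the thread: create BLAST's folder, move into it."""
    n = create_folder(vat, b"BLASTAV")
    move_into_folder(vat, b"BLASTAV", n)
    return n
```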