ti_DetectVar only detects bytes at the start of a variable. You should pass it an empty string to get a list of all variables available.
So then this is the scanning code I'm using instead:

Code:
 for(i = 0; i < sizeof(searchtypes); i++){
            uint8_t *search_pos = NULL;
            while((progname = ti_DetectVar(&search_pos, NULL, searchtypes[i])) != NULL) {
                if (strcmp(progname, "#") && strcmp(progname, "!")){
                    ti_var_t tempfile = ti_Open(progname, "r");
                    uint8_t filebyte, searchloc = 0;
                    while((filebyte = ti_GetC(tempfile)) != EOF) {
                        if(scan_AreBytesEqual(filebyte, optemp.opcodehex[searchloc])){
                            if(searchloc == opsize){
                                ypos += 12;
                                gfx_PrintStringXY(progname, xpos, ypos);
                            } else {
                                searchloc++; }
                        } else {
                            searchloc = 0;
                        }
                    }
                    // repeat until ti_DetectVar returns NULL
                    // ti_DetectVar returns program name
                    // should simply output any filename containing byte sequence
                    ti_Close(tempfile);
                }
            }
        }

This hangs up when it runs on BLASTCSS.
filebyte should be an "int", since both ti_GetC returns an int and you're comparing against EOF which is an int as well. Other than that I see no problems. Smile
Are you going to include PUP (Potentially Unwanted Program) scanning eventually?
By that I mean any really badly optimized program, or a program that creates a lot of empty variables that it never uses, also a program that stores keystrokes.
These features could be applied to not only compiled ASM, but also scan ICE source codes and even hybrid BASIC programs (regular BASIC too, but the only notable problem with those programs would be an infinite loop which you are unable to edit).

A stellar program though! (if the bugs can be fixed Razz )
Bear in mind, this is a TI calculator, so the CPU time taken to add more and more scanning features (and the program size) might render complex functions like that more of drawback. The program is already ~7400 bytes and it still needs to get the intercepts for running and editing, and the firewall.

I could append file-modified timestamps to the end of AppVars, and automatically delete any whose timestamps become over a certain age.

And thanks!
Version 0.5b is live at http://clrhome.org/blastav . This version fixes the scanner not scanning issue (Which was caused by me mistakingly using ti_Open(), rather than ti_OpenVar()). For functional mal-code scanning, please update to 0.5b. The new virus definitions file is also added. This virus definitions file also has a definition for any program that has the strings "BLASTCSS", "AVDEFS", or "AVData". This will cause any program that might be attempting to modify those files to be detected as malicious. (BLASTCSS itself is whitelisted for this).
I see a "glitch": when you update attributes, exit then delete a program, re-run the av and check the attributes, when it hits the prgm that was deleted, it doesn't leave a full line after, the next prgm's name gets lined up in the 'size' column of the deleted one. If a screenshot is needed, I'll get one up over the weekend. Also, could you add up arrow to jump to the bottom of the main menu? And maybe 2ND to select as well? Other that that, keep it up! And don't get attacked! Razz
So I'm sharing the code I started putting together for the Parser Hook. Bear in mind that this is the first time I have dabbled in assembly in over a year, maybe more, so go easy on me.
This code should:
1. Look for AVDEFS appvar, return Z if not found. Move to RAM
2. Return start of program run.
3. For each virus in definitions file:
4. Skip opcode string.
5. Load opcode size and starting byte
6. Compare first byte of vdef with current byte in program.
If match, increment vdef and byte in program
If no match, reset to start of vdef, reset to where we started searching, then increment.
7. If matched bytes in a row equal to size of opcode, ReturnNZ to not run program.
8. Compare current parsing address to address of endPC.
If no match, repeat steps 6-8 until we do or we exit
If match, we reached end of program, so time to parse next definition.
9. Skip opcode description
10. Compare current address in vdefs file with pre-calced address of vdefs start + size
If no match, we still have definitions to parse, repeat 3-10.
If match, we reached end of vdefs, return Z to run program.


Code:
.assume adl = 1
XDEF _SetHook
XDEF _RemoveHook

_SetHook:
    ld hl, HookAppV
    call 0020320h       ; mov9toOP1
    call 002050Ch       ; chkfindsym
    jr nc, varexists
    ld hl, ParserHook_End-ParserHook
    call 0021330h       ; CreateAppVar
    ex de, hl
    inc hl
    inc hl
    ld de, ParserHook
    ld bc, ParserHook_End-ParserHook
    ldir
    ld b, 0
    ld hl, HookAppV
    call 0020320h       ; mov9toOP1
    call 002050Ch       ; chkfindsym
varexists:
    ex de, hl
    inc hl
    inc hl
    ld a, b
    call 002149Ch       ; setparserhook
    ret

_RemoveHook:
    call 00214A0h
    ret


HookAppV:
db 15h, "AVHook",0


ParserHook:
    db 83h             ; Required for all hooks
    or a                ; Which condition?
    jr nz,ReturnZ
    ld hl, AppVName
    call 0020320h           ; mov9toop1
    call 002050Ch        ; check for virus defs
    jr c, ReturnZ           ; parse var if doesnt exist
    ex de, hl
    xor a
    cp b
    jr z, unarchived
    call 0021448h
    call 002050Ch
    ex de, hl
unarchived:
    ld c, (hl)
    inc hl
    ld b, (hl)    ; size into bc
    inc hl
    push hl
    add hl, bc
    push hl
    pop bc      ; save address vdefs should stop at
    pop hl
    push bc
    push bc
    ld bc, 4
    add hl, bc               ; jump past timestamp
loopvdef:
    ld de, 0D0231Ah                       ; set de to current place in var
    ld a, (hl)
    ld c, a
    ld b, 0      ; get size of opcode string
    push bc                             ; keep opcode size on stack
    add hl, bc
    inc hl                ; jump size of opcode string + 1 (for size)
    ld a, (hl)
    ld b, a
    inc hl      ; get size of opcode data, set to b, move to start of opcode
loopscanprog:
    ld a, (de)                          ; load byte at current parse spot into a
    push de
    push hl
    cp (hl)
    jr z, match               ; compare (de) to (hl), if match, parse forward
    pop bc
    pop hl
    pop de            ; restore b (size), start of opcode (de), and parse addr (hl)
    dec hl
    inc b
match:
    dec b
    ld a, b
    or a
    jr z, ReturnNZ
    push bc
    ld bc, 0D0231Dh
    ex de, hl
    sbc hl, bc
    jr z, nextdef
    add hl, bc
    ex de, hl
    pop bc
    inc hl
    inc de
    jr loopscanprog
nextdef:
    inc hl
    ld a, (hl)         ; size of description
    ld c, a
    ld b, 0
    add hl, bc                  ; jump past description
    pop bc
    sbc hl, bc
    jr z, ReturnZ     ; definitions parsed, ok to run program
    add hl, bc
    push bc
    inc hl
    jr loopvdef
ReturnZ:
    cp a
    ret
ReturnNZ:
    or 1
    ret
AppVName:
db 15h, "AVDEFS",0
ParserHook_End:


If someone wants to propose smaller/simpler method or correct something blatantly wrong, feel free.
How would I build this into a C program, such that I can reference, say ParserHook:?
After much pain, Version 0.7b is finally out

This new version sports a few graphical updates, and functionality updates.

1. The alert for outdated file is now a yellow icon, rather than red.
2. You now can see what menu you are on: Main Menu or Settings Menu.
3. Whenever you return to the main menu, the option you last were hovering on is still hovered on.
4. You can now press up/down on the top and bottom menu options to jump to the bottom/top.
5. Enable/disable firewall is now in the Advanced Settings menu.
6. Firewall State indicator is removed from the splash screen and now exists only on the Settings menu
7. A Settings menu has been added, with the ability to toggle Smart-Detect (the progrun interception), the firewall, and a file quarantine (automatic conversion to appvar). The last two are not implemented yet.
8. Smart-detect feature, a parser hook that intercepts program running and aborts if a mal-code is found. This works by creating an appvar in Archive with the code for the hook within it, and setting the hook address to the start of that appvar (post-size-word). Whenever BLASTCSS runs, if Smart-Detect is on, the program can: repair the hook installation by recreating the appvar if necessary and re-setting the hook address. Setting Smart-Detect off deletes the appvar and turns off the hook.

** Hook itself is yet untested!! This will not crash your calc, but might result in programs not being detected! Feel free to activate the Smart-Detect feature and try to execute a virus that's in the definitions **

** Program will be uploaded to cemetech and the Official project page soon **
Referring to your new version. The quit feature doesn't work. At least I don't think so, I forgot to ask you which key quits the scan so I tried every key but nothing worked. Sad

Also, still no Cesium icon?!

One bug I found with this is it wont scan hidden programs. I had a dangerous ASM code (uncompiled) on my calculator but hidden with Cesium so Blast failed to detect it.
Well if the program is uncompiled, then the byte codes aren't going to match because a string of hex characters are not the same as those hex characters as hex.

The key to quit should be Clear. Clearly I have to mess around with that a bit more.

Haven't gotten around to the icon yet. I'll do it now.
I haven't tried executing a virus on CEmu yet (that's probably what I have to do later...), but when prgms are deleted, can they show up as "DELETED" in red in the "Verify Attributes" section?

EDIT: it does detect a compiled ASM virus code
Update
A few feature additions and bug fixes.

1. As requested, you can now [Clear] out of a malware scan. This should instantly quit back to the main menu.

2. When malware is detected within a program, you are now given, in addition to the name of the program, (1) The offset (in bytes) in the program that the opcode was found at, and (2) The address in memory of the opcode.

3. As requested, when Verifying the attributes of a file, if a file in the database no longer exists, the text "file not found" is shown in orange, akin to a warning. (I chose orange over red because red is typically associated with errors not warnings, and a deleted file in this check is not a major concern)

4. The names of the appvars within which the code for the Parser Hook and the AppChange Hook are stored have been added to the virus definitions file. Thus any program other than this suite attempting to modify them is assumed to have malicious intent. (this will be built into the next update which occurs every Sunday)

http://clrhome.org/blastav now has this version available for download.

Edit:
SM84CE wrote:
EDIT: it does detect a compiled ASM virus code

Yea, for future reference, there is a major difference between the hex typed into the Basic program editor, but not compiled (more or less a string), and the compiled version of that program.
Iirc, on OS 5.3, compiling is not needed to run asm typed into the editor, so checking for that might also be needed. Or maybe you can do Asm(prgmVIRUSSRC instead of compiling it...

Maybe also indexing appvars bc with ICE, you might be able to read and run code stored within an appvar. I haven't confirmed anything yet, especially the ICE appvar code thing, due to my lack of ICE knowledge Razz

Also, add a Cesium icon!

Why not do what Microsoft does and release patches and new versions on Tuesday?
SM84CE wrote:
Iirc, on OS 5.3, compiling is not needed to run asm typed into the editor, so checking for that might also be needed. Or maybe you can do Asm(prgmVIRUSSRC instead of compiling it...
The program is already on the fringe of going over 10,000 bytes. I really don't want to cross that threshold and I still have the firewall, the quarantine, and the appchange hook to finish. I can't test for everything, sadly :/

SM84CE wrote:
Maybe also indexing appvars bc with ICE, you might be able to read and run code stored within an appvar. I haven't confirmed anything yet, especially the ICE appvar code thing, due to my lack of ICE knowledge Razz
I could (and might) add a configurable option to scan and store attributes on "supporting filetypes". That would be accessed via the Advanced Settings menu.

SM84CE wrote:
Also, add a Cesium icon!
That's done already. 0.9b should have an icon. I know it shows up in CEmu when I test.

SM84CE wrote:
Why not do what Microsoft does and release patches and new versions on Tuesday?
I could.
The day I need a virus scanner for my calculator I know my life is worthless
davidclue wrote:
The day I need a virus scanner for my calculator I know my life is worthless


What 8s that even supposed to mean? It's never too late to be safe, and besides, there are some actual viruses that could render your calc useless...
Quote:
The day I need a virus scanner for my calculator

You don't.

Quote:
It's never too late to be safe

But no security suite will make your calculator even remotely safe, you know...

Blast CSS is definitely an interesting learning exercise for ACagliano and possibly others. It may also produce extra documentation for the community. As such, of course, it's still interesting to pursue it Smile
It's just that nobody should expect it to be, or ever become, really effective in practice.

The need for a firewall (should you be truly worried about remote vulns in the implementation of your calculator's communication protocol) can be reduced by using your own builds of libti*/tilp to communicate with your calculator.


Quote:
there are some actual viruses that could render your calc useless

Said calculator brickers can easily be made to evade any kind of detection - especially the reactive, signature-based detection implemented here (AFAICT).
Active code obfuscation (SMC, ROP / JOP, many others), compression, and others have been well-documented techniques to thwart detection for up to like 30 years, and they are used every single day for making virus programs which evade the usual commercial or non-commercial, nearly always closed-source pro-virus software.
Yes, "pro-virus", as that's what these pieces of **** have become in practice: their code bases are written just as insecurely as the rest of the code bases, if not worse (replacing strncpy with strcpy in an open source library integrated in a PV was documented). Most PV software still fail to implement any kind of sandboxing, for instance. There have been dozens of critical, embarassing security vulnerabilities in PV software, found by Jann Horn / Tavis Ormandy / Natalie Silvanovich (all three employed by Google Project Zero) and many others.
Web browser makers hate PV software as the leading cause of crashes in browsers (which are usually blamed on the browser by users) and therefore a leading cause of resource waste trying to examine crash reports for which the browser is not at fault. See what e.g. Justin Schuh (Google Chrome Security) and April King (Mozilla) have to write about that.

On the virus I found on several computers belonging to other persons over the years, and which I found without using a PV software (nearly all owners used one and still got infected...), the best detection rate I saw on VirusTotal was 12/36 (!). The worst one was 2/42.

4 years ago, I received some training in offensive security. At the time, well-known exploits from 2008 (6 years earlier), such as the one for MS08-067, encoded by Meterpreter's simplest payload obfuscators, were only detected by a minority of PV software available on VirusTotal; the detection rate fell as we switched to more advanced encoders. No, the situation has not improved since then - I'd wager that it has worsened, in fact, as obfuscation has progressed faster than detection.

I've written about the extremely high false negative rate, but let's not get started about the false positive rate. Over the lifetime of the libti*/gfm/tilp projects, the successive maintainers had to spend time, on multiple occasions, explaining that no, there was no virus in the installer, that we knew of. Their PV was just doing a bad job, that's all. I fully expect that the issue will spring up again, multiple times, for "my" projects or other computer projects of the calculator communities.

I could go on ranting about PV and so-called security software in general. The point and the fact are that these PoS are terrible. They consume lots of resources, they increase the attack surface. They're a lucrative endeavour, milking consumers again and again (for the paid PVs) with severely inefficient and even counter-productive programs.
To reiterate the above post: Antivirus software is 110% useless and can/will actually cause more harm to your computer. If you are using an antivirus, you are not using your computer correctly.
Did anyone notice that the Blast CSS Cesium description is "Star Trek Multiplayer"?
Yeah, either it's a troll, or ACag being weird... He did mention something about trolling us...

iirc, there's 2 trolls that I've found so far... One is this, the other: I'll leave it up to you guys to ruin it for everyone else Razz Just Joking
  
Register to Join the Conversation
Have your own thoughts to add to this or any other topic? Want to ask a question, offer a suggestion, share your own programs and projects, upload a file to the file archives, get help with calculator and computer programming, or simply chat with like-minded coders and tech and calculator enthusiasts via the site-wide AJAX SAX widget? Registration for a free Cemetech account only takes a minute.

» Go to Registration page
Page 2 of 5
» All times are GMT - 5 Hours
 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

 

Advertisement