mike2@lcuxa.UUCP (05/21/87)
The June, 1987 issue of Computer Shopper magazine contains a useful
public domain program to protect against not-totally-subtle "Trojans",
i.e., ones that seek to do their damage through INT 13 and INT 26
(absolute disk write) calls to the hard disk. It intercepts these
interrupts and blocks the damaging write, format and absolute-write
calls aimed at the hard disk; calls to the floppy are left unaffected,
so that suspect programs can be tested there. The author concludes that
anyone who might get more subtle, and use direct IN/OUT port routines,
would probably not be writing "Trojans." While I am more cynical, I
suspect that he is correct.
Below, find the assembler source (modified by yours truly for
compatibility with MASM 2.0), and a uuencoded version of the resulting
program, sentry.com:
; HARD DISK SENTRY - FIXED DISK PROTECTION AGAINST TROJAN PROGRAMS:
; Copyright 1987 by Andrew M. Fried
;
; HDSENTRY is the copyrighted property of its author. You are free to use
; this program without charge with my compliments. This program may be
; freely distributed so long as the following limitations are adhered to:
; o No charge is made for its distribution
; o The product is distributed in unmodified form
; o The author's copyright notice is left in the program
; o No portion of this program is included in any commercial package
; without written consent of its author.
;
; Andrew M. Fried
; 895 Cynthia Drive
; Titusville, Fla. 32780
; (305) 268-4500
;
;--------------------------------------------------------------------------
page 60,132 ;listing layout: 60 lines, 132 columns
TITLE TITLE - HARD DISK SENTRY DISK PROTECTION UTILITY
CSEG SEGMENT BYTE PUBLIC ;single segment: code and data share it (.COM image)
assume cs:cseg ;only CS is assumed; DS is not, because the interrupt handlers below run with the caller's DS
org 100h ;create a com program
; Labels are exported only so they show up in the map/link listing; nothing outside this file calls them.
Public maincode, go, copyright, alert_msg, old_13, old_26, install, tsr
Public sentry, which_disk, ok, abort, dummy, init, show_copr, get_int_13
Public set_int_13, set_int_26
maincode proc far
; Program entry plus the data that stays resident. Execution starts at GO,
; which jumps past the data to the one-shot INSTALL sequence; after INIT
; has hooked the vectors, TSR leaves everything up to INIT in memory.
go:     jmp     install
; Banner shown once at install time. DOS AH=09h string: ends with '$'.
; NOTE(review): the frame characters ('Z', 'D', '?', '3', '@', 'Y') look like
; CP437 box-drawing bytes with the high bit stripped in transit; the
; uuencoded sentry.com that accompanies the source is the reference.
copyright db 13,10
        db      'ZDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?',13,10
        db      '3 HARD DISK SENTRY 1.01 3',13,10
        db      '3 (c) Copyright 1987 by 3',13,10
        db      '3 Andrew M. Fried 3',13,10
        db      '@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY',13,10
        db      ' NO DESTRUCTIVE CALLS WILL BE ',13,10
        db      ' PERMITTED TO THE FIXED DISK ',13,10,'$'
; Printed by SENTRY each time a call is refused; the 07 (BEL) beeps.
alert_msg db 13,10,07,'<<<ALERT>>> Destructive disk call prevented!$'
; Far pointers to the vectors that were in place before we hooked them.
; SENTRY chains to OLD_13 for every call it does not refuse.
old_13  dd      0                       ; original INT 13h handler, segment:offset
old_26  dd      0                       ; original INT 26h handler, segment:offset
install: call   init                    ; print banner, hook INT 13h and INT 26h
; Resident size = offset of INIT (which sits last in the segment) in
; paragraphs, rounded up. INIT itself is not needed after it has run.
tsr:    mov     dx,offset init          ; dx = bytes from PSP start to INIT
        mov     cx,4
        shr     dx,cl                   ; dx = dx / 16 (paragraphs)
        inc     dx                      ; keep the partial paragraph too
        mov     ax,3100h                ; DOS: terminate and stay resident, exit code 0
        int     21h                     ; does not return
maincode endp
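sentry proc far
;-----------------------------------------------------------------------
; INT 13h (BIOS disk services) filter.
; In:    standard INT 13h registers; ah = function, dl = drive number
; Out:   non-refused calls are chained unchanged to the saved handler
;        (OLD_13), so the caller gets whatever the BIOS returns.
;        Refused calls print ALERT_MSG and return ah = 0 / CF = 0, i.e.
;        they are reported to the caller as having succeeded.
; Filter: drives 80h and up (fixed disks) with ah = 03h (write sectors),
;        05h (format track) or 0Bh (write long). It is a denylist keyed
;        on ah: any other function number, including write-type variants
;        that particular controllers offer, falls through to OK, and
;        nothing that bypasses the vector (direct port I/O, or rewriting
;        the vector) is seen here at all.
; The alert is written with the BIOS teletype service (INT 10h AH=0Eh)
; rather than DOS AH=09h: INT 13h is reached from inside DOS file writes,
; and DOS is not reentrant, so calling INT 21h from this handler can
; corrupt DOS's internal stacks. The return is a far return that discards
; the caller's pushed flags (as the BIOS itself does), so the CF = 0 set
; by 'sub ah,ah' actually reaches the caller; an IRET would hand back
; whatever CF the caller happened to have before the INT.
; Clobbers: flags only (besides ah on the refuse path). Runs on the
; caller's stack; pushes 6 words.
;-----------------------------------------------------------------------
which_disk: cmp dl,80h                  ; 00h-7Fh are floppies
        jb      ok                      ; floppy: never interfere
        cmp     ah,3                    ; write sectors?
        je      abort
        cmp     ah,5                    ; format track?
        je      abort
        cmp     ah,0Bh                  ; write long (hard disk)?
        je      abort
ok:     jmp     dword ptr cs:[old_13]   ; chain to the original handler (cs: because DS is the caller's)
abort:  push    ax                      ; save everything the print loop touches
        push    bx
        push    si
        push    bp                      ; some early BIOSes clobber bp in the teletype service
        push    ds
        pushf                           ; cld below changes DF; restore it before returning
        push    cs                      ; ds = cs so lodsb reads our own data
        pop     ds
        cld
        lea     si,alert_msg
alert_next: lodsb                       ; al = next byte, si advances
        cmp     al,'$'                  ; same '$' terminator DOS AH=09h uses
        je      alert_done
        mov     ah,0Eh                  ; BIOS: teletype output of al
        mov     bx,7                    ; bh = page 0, bl = attribute (graphics modes)
        int     10h
        jmp     alert_next
alert_done: popf
        pop     ds
        pop     bp
        pop     si
        pop     bx
        pop     ax
        sub     ah,ah                   ; ah = 0 (no error) and CF = 0
        ret     2                       ; far return, dropping the caller's flags word
sentry endp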
;--------------------------------------------------------------------------
; This procedure becomes the 'new' interrupt 26h handler. As you can see,
; when any application program makes this call it does not get much chance
; to do any damage.
;--------------------------------------------------------------------------
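dummy proc far
;-----------------------------------------------------------------------
; INT 26h (DOS absolute disk write) replacement.
; Refuses every INT 26h call - floppy drives included; al (the drive
; number) is not examined and OLD_26 is never chained to.
; Out:   ax = 0 and CF = 0, i.e. "no error", so the caller believes the
;        write happened. INT 26h returns with the caller's flags word still
;        on the stack (the caller pops it), so the return must be a far
;        return, not IRET.
; The previous 'push ax / iret' sequence did not achieve that: IRET pops
; IP first, so it loaded IP from the pushed zero, CS from the caller's
; return offset and FLAGS from the caller's CS. The far RET here (this is
; a far proc) leaves exactly one word - the flags - behind, as intended.
;-----------------------------------------------------------------------
        sub     ax,ax                   ; ax = 0, CF = 0
        ret                             ; far return; flags word stays on the stack
dummy endp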
;--------------------------------------------------------------------------
; This procedure sets the interrupt vectors and displays the copyright
; notice (which I ask that you leave undisturbed).
;--------------------------------------------------------------------------
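init proc
;-----------------------------------------------------------------------
; One-time installation: print the banner, save the original INT 13h and
; INT 26h vectors (OLD_13 / OLD_26), then point both interrupts at the
; handlers in this file. Runs once from INSTALL and is discarded by TSR.
; In a .COM image CS = DS = PSP segment, so the DS:DX addressing that DOS
; AH=09h and AH=25h require needs no setup here.
; Clobbers: ax, bx, dx, es, flags.
; No check is made for a copy that is already resident: running the
; program twice chains two sentries, and the second copy saves the first
; copy's handler as OLD_13.
;-----------------------------------------------------------------------
show_copr: mov ah,9                     ; DOS: print '$'-terminated string
        lea     dx,copyright            ; at ds:dx
        int     21h
get_int_13: mov ax,3513h                ; DOS: get vector 13h (BIOS disk services) into es:bx
        int     21h
        mov     word ptr old_13,bx      ; store offset
        mov     word ptr old_13[2],es   ; store segment
get_int_26: mov ax,3526h                ; DOS: get vector 26h (absolute disk write) into es:bx
        int     21h
        mov     word ptr old_26,bx      ; store offset
        mov     word ptr old_26[2],es   ; store segment
set_int_13: mov ax,2513h                ; DOS: set vector 13h to ds:dx
        lea     dx,sentry
        int     21h
set_int_26: mov ax,2526h                ; DOS: set vector 26h to ds:dx
        lea     dx,dummy
        int     21h
        ret
init endp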
;--------------------------------------------------------------------------
CSEG ENDS
END GO ;program entry point is the GO label (jmp install)
-END OF ASSEMBLER SOURCE-
begin 600 sentry.com
MZ2@!#0K:Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$OPT*LR`@("`@
M2$%21"!$25-+(%-%3E1262`Q+C`Q("`@(+,-"K,@("`@("AC*2!#;W!Y<FEG
M:'0@,3DX-R!B>2`@(""S#0JS("`@("`@("!!;F1R97<@32X@1G)I960@("`@
M("`@LPT*P,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q,3$Q-D-"B!.3R!$
M15-44E5#5$E612!#04Q,4R!724Q,($)%("`-"B!015)-2514140@(%1/(%1(
M12!&25A%1"!$25-+("`-"B0-"@<\/#Q!3$525#X^/B`@1&5S=')U8W1I=F4@
M9&ES:R!C86QL('!R979E;G1E9"$D``````````#H/P"-%FT"N00`T^I"N``Q
MS2&`^H!R#X#\`W0/@/P%=`J`_`MT!2[_+B,"4%(>M`D.'XT6\@'-(1]:6"KD
MSRO`4,^T"8T6`P'-(;@3-<TA+HD>(P(NC`8E`K@3)8T6/0+-(;@F)8T6:0+-
"(</`
`
end
No warranties whatsoever. Take your beefs up with the author; I'm
passing it along pretty much as received.
Mike Slomin