rap@ardent.UUCP (Rob Peck) (02/20/88)
Last night, at the BADGE meeting, Jim Goodnow II showed a few slides describing a program he is working on to make most-any program "resident", even if it was not designed to be resident in the first place.

Some programs, like those in BCPL, are pure code and don't modify their code segment while they run, allocating a data segment so to speak, when they run. C programs are not usually that lucky, having both a segment of initialized and noninitialized data.

Jim's program patches a few things in the AmigaDOS tables, provides a custom loader for programs that runs as a resident library, and effectively relinks the seglists of the loaded program so that each invocation of the program can have a fresh copy of the data segments, with the pure code repositioned at the end of the seglist and the new data segments at the beginning, with a jump ahead of the data (since the first segment first word is usually the beginning of the code as far as AmigaDOS is concerned).

For now, the program works best with code compiled with Aztec 3.4/3.6, but he is planning to extend the program to recognize other compiler constructs (the program binary image has to be patched in some areas to assure that the data is correctly referenced). As I understood, small model (data area less than 64k), data referenced through A4, works the best.

When? Who knows, but it was certainly a stimulating lecture (slightly over an hour, with "slides" showing where the patches would be wedged in).

Price? I cannot speak for Jim, but I think I heard him say maybe PD.

Good job on the lecture, Jim. I'm looking forward to it! Hope the slides are part of the docs you release for it, WELL DONE!

Rob Peck ...ihnp4!hplabs!ardent!rap
page@swan.ulowell.edu (Bob Page) (02/23/88)
[Rob, your Organization: line still says Dana]

rap@ardent.UUCP (Rob Peck) wrote:

Jim just released the second 'beta' version of REZ, his 'make anything resident-able' program. Looks pretty snazzy.

>BCPL, are pure code and don't modify their code segment while they run,
>allocating a data segment so to speak, when they run.

Note the COPY and DELETE commands, written in BCPL, _DO_ have a problem being resident-able when used with wildcards (like delete #?). Using a shell that checksums the segments can warn you about problems like this. I don't think REZ can fix these programs.

>Price? I cannot speak for Jim, but I think I heard him say maybe PD.

I read him say PD :-) a few weeks ago.

..Bob
--
Bob Page, U of Lowell CS Dept. page@swan.ulowell.edu ulowell!page
"I don't know such stuff. I just do eyes." -- from 'Blade Runner'
ccemdd@rivm.UUCP (Marco Dedecker) (05/16/89)
I've made my own virus detection program, to detect a resident program (possible virus) in memory.

It checks :
- The coolcapture.
- The coldcapture.
- The interrupt vectors.
- KickTagPtr.

I would like to know if I can be sure there is no resident program in memory after checking these points. If not, are there other ways a program or virus can stay resident in memory ?

By the way, I've already encountered a virus which hooked itself to the exec-routine DoIO. This was to prevent it from being killed if the cool- or coldcapture were set to zero. If they were set to zero the virus reactivated itself after the next IO operation. (I think even a key stroke already reactivated it)

The only way I know to kill it without turning the computer off, is to rebuild the exec-library using 'setfunction()'. However a program that does so is not very compatible since there are more versions of kickstart around. So I would welcome any suggestions about this too.

Marco Dedecker
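The check described in the post above, as an added example that is not code from any poster in this thread: it scans a constructed byte image of the memory around ExecBase, reports non-zero reset-survival pointers (WarmCapture and KickMemPtr are added beyond the post's list) and flags a DoIO vector that no longer jumps into ROM. The field offsets, the DoIO offset of -456, the ROM range and every sample address are assumptions or constructed values; the interrupt vectors are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* ExecBase field offsets and the DoIO library vector offset, assumed from
   the 1.x exec includes; verify against exec/execbase.h before relying on them. */
enum { COLD = 0x2A, COOL = 0x2E, WARM = 0x32, KICKMEM = 0x222, KICKTAG = 0x226 };
enum { LVO_DOIO = -456, PRE = 512, IMG_SIZE = PRE + 0x230 };
enum { F_COLD = 1, F_COOL = 2, F_WARM = 4, F_KICKMEM = 8, F_KICKTAG = 16, F_DOIO = 32 };
#define ROM_LO 0x00FC0000u /* assumed start of a 256K Kickstart 1.x ROM */
#define ROM_HI 0x00FFFFFFu /* assumed end of that ROM */

static uint32_t be32(const uint8_t *p) {   /* the 68000 is big-endian */
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* img[PRE] is byte 0 of ExecBase; the library jump table sits below it. */
unsigned scan_execbase(const uint8_t *img) {
    const uint8_t *base = img + PRE, *vec = base + LVO_DOIO;
    unsigned flags = 0;
    /* Non-zero means something asked to be called or kept across a reset. */
    if (be32(base + COLD))    flags |= F_COLD;
    if (be32(base + COOL))    flags |= F_COOL;
    if (be32(base + WARM))    flags |= F_WARM;
    if (be32(base + KICKMEM)) flags |= F_KICKMEM;
    if (be32(base + KICKTAG)) flags |= F_KICKTAG;
    /* Each vector is "JMP abs.l" (0x4EF9 + 32-bit target). A target outside
       ROM means SetFunction() or a hook replaced it; legitimate patches do
       this too, so treat the flag as a lead, not a verdict. */
    uint32_t target = be32(vec + 2);
    if (vec[0] != 0x4E || vec[1] != 0xF9 || target < ROM_LO || target > ROM_HI)
        flags |= F_DOIO;
    return flags;
}
/* Constructed sample image: clean, or with CoolCapture and the DoIO vector
   redirected to made-up RAM addresses. */
unsigned scan_sample(int hooked) {
    uint8_t img[IMG_SIZE];
    memset(img, 0, sizeof img);
    uint8_t *vec = img + PRE + LVO_DOIO;
    vec[0] = 0x4E; vec[1] = 0xF9;
    put32(vec + 2, hooked ? 0x0007F100u : 0x00FC1234u);
    if (hooked) put32(img + PRE + COOL, 0x0007F000u);
    return scan_execbase(img);
}
int main(void) {
    printf("clean=0x%02X hooked=0x%02X\n", scan_sample(0), scan_sample(1));
    return 0;
}
```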
deven@rpi.edu (Deven Corzine) (05/18/89)
In article <1331@rivm05.UUCP> ccemdd@rivm.UUCP (Marco Dedecker) writes:
>I've made my own virus detection program, to detect a resident program
>(possible virus) in memory.
>It checks :
>- The coolcapture.
>- The coldcapture.
>- The interrupt vectors.
>- KickTagPtr.
What I want to know is how these vectors work. Not the interrupts,
but coolcapture, coldcapture and KickTagPtr. There are programs I
would like to have survive a warm boot...
Where are these documented?
Deven
--
shadow@[128.113.10.2] <shadow@pawl.rpi.edu> Deven T. Corzine (518) 272-5847
shadow@[128.113.10.201] <shadow@acm.rpi.edu> 2346 15th St. Pi-Rho America
deven@rpitsmts.bitnet <userfxb6@rpitsmts> Troy, NY 12180-2306 <<tionen>>
"Simple things should be simple and complex things should be possible." - A.K.