MMCCUNE@SCTNVE.BITNET (10/19/90)
Thanks for your comments on my stealth detector program. I re-wrote it to check for Interrupt 21 modifications before trying to test for stealth viruses in memory. Most TSRs do not redirect Int 21 (disk caches and SideKick are the only two I can name offhand) but these programs will fool my detection technique. Program follows....

        ADD     [BX+SI],AL
        ADD     [BX+SI],AL
        ADD     [BX+SI],AL
        MOV     AH,52h                  ; DOS "get list of lists": ES:BX -> internal DOS tables
        INT     21h
        ES:
        MOV     CX,[BX-2]               ; CX = segment of the first memory control block
        MOV     AX,3521h                ; get the Int 21h vector into ES:BX
        INT     21h
        MOV     AX,ES
        CMP     CX,AX                   ; handler segment at or above the first MCB?
        JBE     TSR                     ; yes: something resident has redirected Int 21h
        ES:
        CMP     B[BX],0EAh              ; is the first byte of the handler a far JMP opcode?
        JE      FOUND
        MOV     AH,9h                   ; print the '$'-terminated string at DS:DX
        LEA     DX,NOT_FOUND_MESSAGE
        INT     21h
        INT     20h                     ; terminate
TSR:
        MOV     AH,9h
        LEA     DX,TSR_MESSAGE
        INT     21h
        INT     20h
FOUND:
        MOV     AH,9h
        LEA     DX,FOUND_MESSAGE
        INT     21h
        INT     20h
NOT_FOUND_MESSAGE:
        DB      'Stealth Virus not found in memory$'
TSR_MESSAGE:
        DB      'TSR active in memory. Can not detect stealth viruses!$'
FOUND_MESSAGE:
        DB      'Stealth Virus active in memory!$'

Any comments and suggestions are appreciated. I can also be reached on the Interlink and Fidonet virus conferences. My Bitnet address is MMCCUNE@SCT.NVE (It should be on the top of this letter)....<MM>.