d88-cwe@nada.kth.se (Christian Wettergren) (02/06/90)
I think that the discussion about an Universal Virus Scanner is very intresting but is it even possible to conclude that a program doesn't modify itself? What I mean is that I don't think that you could create a program that could say YES, this program modifies itself, or NO, this program doesn't modify itself. That depends of course of what microprocessor you use. On an ordinary 8086 you couldn't, I think. Imagine this; The program has an instruction that contains a reference to it's own code- adress. ( MOV CS:0199h, XXXX ) OK, then don't tolerate that. But what if it calculates it from a formula? ( MOV CS:[BX], XXXX ) Then don't tolerate a reference that uses a CS-prefix. But the same adress is reachable from perhaps some Data Segment. ( MOV DS:1238h, XXXX ) OK, then don't tolerate direct references to the code through a Data Segment But what if it is calculated through a formula? ........ ( MOV DS:[BX], XXXX ) Then don't tolerate writes at all.... 8-) Of course some micros could prohibit this behavior by some sort of MMU-scheme, but I think that at least 8086 and 68000 (not so sure there, though) couldn't contain an algorithm that could determine if the program was self-modifying or not. (Of course it could contain it, but it would have to be simulating the micro itself, and hence has the same problem there, etc) Christian Wettergren d88-cwe@nada.kth.se Royal Institute of Technology, Stockholm, Sweden