TweetFollow Us on Twitter

Virus Protection
Volume Number:8
Issue Number:2
Column Tag:Pascal Workshop

Related Info: Resource Manager

Simple Antivirus Protection

An anti-virus scheme that can be painlessly added to every application.

By Nicholas Pisarro, Jr., Westport, Connecticut

About the author

Nick Pisarro is the principle architect of Aperture Visual Information Manager by the Graphic Management Group, Inc. He has been involved with all aspects of computer design including both hardware and software since 1961 and with the Macintosh since 1986.

The Virus Scout Pascal unit described in the January 1991 Programmer’s Forum is a nice idea. One problem with Virus Scout was that it was coded to handle only those specific viruses that the author knew about and could offer no protection against any future viruses that may infect an application.

It did set me to wondering, however, if there is a way to make both a simpler yet more universal virus detection scheme. I began to think about how viruses infect and reproduce themselves through an application, and how I could have applications I have developed protect themselves from becoming infected.

In order for a virus to infect an application it needs to either modify the existing resources of an application and/or add resources of its own. In order to reproduce it needs to seize program control from the application and the user’s Macintosh in order to issue its own instructions of death and destruction. This requires modification of a code resource such as ‘CODE’, ‘WDEF’, ‘MDEF’, or ‘LDEF’ resource types.

Usually a virus inserts a small stub of code in an existing resource to branch to one of its own resources, or it inserts a whole new code resource of its own to seize control. I don’t believe any viruses try to insert all their code in an existing application resource but always have to add a resource. Adding to a code resource, by linking in code, is a difficult operation and runs the risk of overflowing the size restrictions of code resources.

One advantage a virus detection scheme has within an application is that it knows how many and what types of resources the application should have! Rather than checking for the addition of specific virus resources, the virus detection scheme presented here just checks the number of resources the application should have against the number it actually has. In addition there is a Toolbox call that tells me the number of types of resources a resource fork has as well as specific counts. This may be used to check for the addition of additional types of resources. As the resource map for an application is in memory when it is running these types of checks do not use significant amounts of computer time.

It would be possible to check counts of all the resource types an application has, but I believe just checking the specific counts of its code resources is sufficient. A virus must insert or modify a code resource to gain control.

The Pascal unit here reads a resource with a count of the number of types of resources an application has as well as counts of specific types. If it finds any mismatch between expectations and reality, it notifies the user and causes the application to quit early. Note the “Get1” form of the resource call is used to get counts only from this application. This unit must be run before any data file resource forks are opened. If the application modifies its own resource fork, it must be careful not to do it in a way that triggers this virus check.

In the sample code no specific resource type has been assigned for the information resource. If all applications used the same type for this resource, a new virus could be written to circumvent this protection scheme. Use your own type.

Note that the code here is only concerned with viruses that infect an application, rather than viruses that infect files in the System Folder or the Desktop. Code like that from Virus Scout or elsewhere could be added to do this additional checking.

Listing

{Written by Nicholas Pisarro, Jr., Aperture Technologies, Inc.
 No rights reserved.}

UNIT VirusCheck;

INTERFACE

USES
 {$LOAD}
 MemTypes, QuickDraw, OSIntf, ToolIntf, PackIntf;
 

{Returns TRUE if Application can run.}
FUNCTION ApplicationCanRun: BOOLEAN;


IMPLEMENTATION

{Returns TRUE if Application can run.}
FUNCTION ApplicationCanRun: BOOLEAN;
 CONST
 kVirusChkKinds  = '????';{Rsrc type for the # 'CODE' & # of Kinds of 
resources}
 kVirusChkID=  32; {Resource ID for the Virus Check Rsrc}
 
 {The Virus found alert and its sub-messages}
 kVirusAlrt =  1282; {A Virus has been detected!}
 kCountRsrcMissing = 1;   {The Resource count Resource is missing}
 kTypeMiscount   = 2;{Wrong number of resource types}
 kRsrcMiscount   = 3;{Wrong number of a specific res. kind}
 
 TYPE
 {Resource & Count list.}
 RsrcCount = RECORD
 RType: ResType;
 RCount:INTEGER;
 END;
 
 RsrcRSRC = ARRAY[0..0] OF RsrcCount;
 pRsrcRSRC = ^RsrcRSRC;
 hRsrcRSRC = ^pRsrcRSRC;
 
 VAR
 {For counting Resources.}
 theResType:ResType; { The kind we’re looking for }
 subMsgNo:INTEGER; { Submessage number }
 msgStr,{ Submessage to go into dialog}
 workStr: Str255;{ Resource name to go into the message }
 
 aRsrcRSRC: hRsrcRSRC;  { Handle to the Count Rsrc}
 
 i:INTEGER;
 dummy: INTEGER;
 
 LABEL 100;
BEGIN   { ApplicationCanRun }
 ApplicationCanRun := FALSE;{Assume failure.}
 
 {Virus Check: Load resources with counts of various kinds of resources
  in Application. Make sure the counts in the resource match the actual
  counts in Application.}
 workStr[0] := CHR(0);    {Make WorkStr have no length.}
 
 {Try to get the counts of the various resources in the Application.}
 aRsrcRSRC := hRsrcRSRC(Get1Resource(kVirusChkKinds, kVirusChkID));
 IF aRsrcRSRC <> NIL THEN BEGIN
 
 {Check out each of the counts read.}
 FOR i := 0 TO GetHandleSize(Handle(aRsrcRSRC)) div SIZEOF(RsrcCount) 
- 1 DO BEGIN
 
 {If the kind is a 0, a total resource count is wanted.}
 IF ORD(aRsrcRSRC^^[i].RType[1]) = 0 THEN BEGIN
 
 {Does the total number of resource kinds in the Application
  match the count the resource?}
 IF (Count1Types <> aRsrcRSRC^^[i].RCount) THEN BEGIN
 
 subMsgNo := kTypeMiscount; { Sub message }
 
 {Issue a Virus Alert to the user.}
100:    GetIndString(msgStr, kVirusAlrt, subMsgNo);
 ParamText(msgStr, workStr, '', '');
 dummy := StopAlert(kVirusAlrt, NIL);
 
 EXIT(ApplicationCanRun);
 END;
 END
 
 {Otherwise, check a specific type.}
 ELSE BEGIN
 
 {Does the number of this kind of resource in the Application
  match the count the resource?}
 theResType := aRsrcRSRC^^[i].RType;
 IF Count1Resources(theResType) <> aRsrcRSRC^^[i].RCount THEN BEGIN
 
 { Make a string out of the resource type. }
 WorkStr[0] := CHR(4);
 BlockMove(@theResType[1], @workStr[1], 4);
 
 subMsgNo := kRsrcMiscount; { Sub message }
 
 GOTO 100;
 END;
 END;
 END;   {End FOR i }
 
 {Finished with the resource}
 ReleaseResource(Handle(aRsrcRSRC));
 END    {End IF aRsrcRSRC <> NIL}
 
 {Count Resource not found.}
 ELSE BEGIN
 subMsgNo := kCountRsrcMissing;    { Sub message }
 
 GOTO 100;
 END;
 
 {Possibly put other virus checks, checks for the proper system version,
  etc. here.}
 
 ApplicationCanRun := TRUE; {Success!}
END;    { ApplicationCanRun }

END.
 
AAPL
$570.56
Apple Inc.
+13.59
GOOG
$609.46
Google Inc.
+8.66
MSFT
$29.11
Microsoft Corpora
-0.65
MacNews Search:
Community Search:
See All
view counter

view counter
view counter
view counter
view counter
view counter
view counter
view counter
view counter

Fruit Ninja Gets New Update With Powerup...
Fruit Ninja is about to get its biggest update yet to celebrate its second anniversary on Thursday, May 24th. The key new element in the game appears to be that players will now be able to earn an in-game currency, called starfruit, that can be used to buy new powerups from new characters Gutsu and Truffles, introduced in the new trailer produced... | Read more »
Fotor – CameraBag Review
Fotor – CameraBag Review By Jennifer Allen on May 23rd, 2012 Our Rating: :: PLENTIFULiPhone App - Designed for the iPhone, compatible with the iPad A photography app that wants to be able to do everything that could ever be asked of it.   | Read more »
playGO AP1 is the Next Generation of Aud...
With all of Apple’s relatively recent success in the smartphone and tablet market, we can forget sometimes that what kicked off their modern dominance was a device that simply played music. BICOM, Inc. has been recognizing how important music is to the company with their playGo series of iOS receiver systems. The newest model, the playGo AP1, is... | Read more »
Monkey Pong Review
Monkey Pong Review By Angela LaFollette on May 23rd, 2012 Our Rating: :: BALL BUSTING ACTIONiPhone App - Designed for the iPhone, compatible with the iPad Help the hungry monkey reach all the fruit by bouncing a ball in this family-friendly arcade game.   | Read more »
Heroes & Generals Enters Closed Beta
Creators of Hitman, Roto-Moto, has launched a closed beta of their game, Heroes & Generals. The game is a massively multiplayer first-person shooter involving online fighting between the Axis and Allied forces in Europe. | Read more »
FeedFriendly Review
FeedFriendly Review By Angela LaFollette on May 23rd, 2012 Our Rating: :: EASY TO USEUniversal App - Designed for iPhone and iPad Combine the top three social network newsfeed updates into one location with the help of FeedFriendly.   | Read more »
Favorite 4: Euro 2012 Apps
In a matter of weeks, one of the biggest soccer tournaments out there begins: Euro 2012. Qualification is over and 16 European teams are all lined up to prove which one is the best of the bunch. As a Brit, I’m ever hopeful that England will achieve glory but regardless of what happens, I’ll be enjoying seeing some high quality action. In honor of... | Read more »
Zombie Farm 2 Review
Zombie Farm 2 Review By Rob LeFebvre on May 23rd, 2012 Our Rating: Universal App - Designed for iPhone and iPad Take on the role of a social game farmer who plants both crops AND zombies in this sequel to the original hit, Zombie Farm.   Developer: The Playforge | Read more »
Facebook Pages Manager Does Exactly What...
Sick of hearing about the Facebook IPO? Want to hear about something actually related to the Facebook product? Well, I have good news then. Facebook has launched a new app that will come in handy for users who manage Facebook Pages. | Read more »
Score! Classic Goals Review
Score! Classic Goals Review By Jennifer Allen on May 23rd, 2012 Our Rating: :: GOAL!Universal App - Designed for iPhone and iPad Relive some classic goals by creating them in this addictive soccer game.   | Read more »
See All
All contents are Copyright 1984-2010 by Xplain Corporation. All rights reserved. Theme designed by Icreon.