English documentation for the program
written by
Zbigniew Trzcionkowski
Read all, please!
WatchDog is a FREEWARE program
©2001-2002 by Zbigniew Trzcionkowski
DESCRIPTION
WatchDog is a background memory checker. The time between checks is adjusted automatically to somewhere between 5 and 10 seconds. A memory test is also performed right after you view the About requester (take a look at the Tools menu on Workbench)...
You can expect that WatchDog:
- checks memory for known viruses with xvs.library
- monitors memory with a large set of internal routines
- keeps a file-change notification on S:startup-sequence and S:user-startup
REQUIREMENTS
AmigaOS 2.0 or newer.
xvs.library by Georg Hormann, Alex van Niel and Jan Erik Olausen.
Any problems should be sent to:
zeeball@interia.pl
HOW IT WORKS
Removal of known viruses from memory is done by xvs.library, and nothing more can be said about that, so let's look at the internal routines:
- Harrier.A memory disabler, for a virus that probably was never released to the public
- Vaginitis memory detector for clones of the Fungus/Vaginitis viruses
- Checker with generic clean:
tc_launch [seen in Beol viruses...]
tc_switch [seen in Beol viruses...]
pr_PktWait [seen in Beol viruses...]
mp_sigTask [seen in Smeg and Penetrator viruses...]
$4EB9 (JSR abs.l) opcode written over some vital exec vectors [Illegal Access/HitchHiker4.11 infection scheme]
- Obsolete patch detector with removal:
crm.library patch on (New)LoadSeg [can be used to hide other patches!]
- Change detector with generic clean-up or cold reboot:
ColdCapture, CoolCapture, WarmCapture [laughable, but these are a tradition in virus killers...]
KickTagPtr, KickMemPtr [still used by some legitimate tools]
- Change detector with easy restore:
DoIO(), SendIO(), WaitIO() [bootblock and possibly cavity file infection...]
ExitIntr(), Schedule(), Reschedule(), Dispatch(), Switch() [packet interception, core patches]
PutMsg(), GetMsg(), ReplyMsg(), Wait(), WaitPort(), Signal() [packet interception]
DebugEntry, DebugData, AlertData, LastAlert [classic virus self-recognition fields]
execLibOpen(), execLibClose(), execLibExpunge() [new trend in virus self-recognition]
dosLibOpen(), dosLibClose(), dosLibExpunge() [these cannot be used to intercept anything, but I have added them anyway...]
Open(), Lock(), LoadSeg(), SetComment(), SetProtection(), Execute(), SystemTagList(), NewLoadSeg(), FilePart(), PathPart(), AddPart(), FindVar() [the most popular or plausible vectors in simple Open/Close-based viruses, for example the HappyNewYear and Elbereth series...]
Close(), Read(), Write(), UnLock(), Examine() [the most popular or plausible vectors for 'on the fly' infectors, for example NoName (212 bytes)]
ExNext(), ExAll() [BOBEK-style mass infection or poor directory stealth...]
- Change detector only:
ExNext call inside reqtools.library (under construction!) [BOBEK3 infection scheme!]
return pointer from Wait() on a volume's stack [SMEG2/HitchHiker5.00 infection scheme!]
CallGV(), EndGV() and the GlobalVector table [viruses for OS 1.3 and older...]
SysStackLower guard, which reports changes in the last bytes of the system stack. This area can be altered by very sloppy software, including viruses (e.g. the 212-byte link virus). Note that this feature is really some kind of debugger :-)
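All of the "change detector" classes above work the same way: take a baseline of each guarded vector when the checker starts, compare it on every pass, and either put the original back or just report. The C program below is an added illustration of that idea and is not WatchDog's own code (WatchDog is 68k code that reads the real exec/dos library bases). A library jump table is modelled as a plain array of 6-byte "JMP abs.l" slots, the ROM-like addresses and the three simulated infections are constructed for the example, and the function names and the restorable/report-only split are my assumptions about how such a checker is organised.

```c
/* Host-side model of a "change detector with easy restore" over an Amiga
 * library jump table. Added example, not WatchDog's code; the table and
 * addresses below are constructed, not read from real Amiga memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_JMP_ABSL 0x4EF9u /* JMP (xxx).L: what a healthy LVO entry holds */
#define OP_JSR_ABSL 0x4EB9u /* JSR (xxx).L: the opcode looked for at vital exec vectors */

struct lvo_entry {          /* one jump-table slot (6 bytes on a real 68k base) */
    uint16_t opcode;
    uint32_t target;
};

struct vector_guard {
    const char *name;
    struct lvo_entry *live;     /* the slot as it is in memory now */
    struct lvo_entry baseline;  /* snapshot taken when the checker starts */
    int restorable;             /* 1: write the baseline back, 0: report only */
};

#define MAX_VECTORS 16
struct watchdog {
    struct vector_guard g[MAX_VECTORS];
    int n;
};

/* Snapshot one vector. Returns 0, or -1 if the guard table is full. */
static int guard_add(struct watchdog *w, const char *name,
                     struct lvo_entry *live, int restorable)
{
    if (w->n >= MAX_VECTORS) return -1;
    struct vector_guard *v = &w->g[w->n++];
    v->name = name;
    v->live = live;
    v->baseline = *live;
    v->restorable = restorable;
    return 0;
}

/* One check pass. Returns how many guarded vectors differ from baseline;
 * restorable ones are put back, the rest are only listed in the report. */
static int watchdog_check(struct watchdog *w, char *report, size_t len)
{
    int changed = 0;
    if (report && len) report[0] = '\0';
    for (int i = 0; i < w->n; i++) {
        struct vector_guard *v = &w->g[i];
        int bad_opcode = v->live->opcode != OP_JMP_ABSL;
        int bad_target = v->live->target != v->baseline.target;
        if (!bad_opcode && !bad_target) continue;
        changed++;
        if (report && len) {
            char line[96];
            snprintf(line, sizeof line, "%s:%s%s %s\n", v->name,
                     bad_opcode ? (v->live->opcode == OP_JSR_ABSL
                                   ? " JSR $4EB9 written over entry" : " foreign opcode") : "",
                     bad_target ? " target changed" : "",
                     v->restorable ? "[restored]" : "[reported only]");
            strncat(report, line, len - strlen(report) - 1);
        }
        if (v->restorable) *v->live = v->baseline;
    }
    return changed;
}

/* Constructed scenario: a four-entry table, then three simulated infections.
 * Returns the hit count of the first pass after infection (3), or a
 * negative code if the model did not behave as described. */
static int demo(char *report, size_t len)
{
    struct lvo_entry table[4];
    for (int i = 0; i < 4; i++) {
        table[i].opcode = OP_JMP_ABSL;
        table[i].target = 0x00F80000u + 0x100u * (uint32_t)i; /* fake ROM addresses */
    }
    struct watchdog w = { .n = 0 };
    guard_add(&w, "DoIO()", &table[0], 1);
    guard_add(&w, "Wait()", &table[1], 1);
    guard_add(&w, "Open()", &table[2], 1);
    guard_add(&w, "CallGV()", &table[3], 0);          /* "change detector only" class */
    if (watchdog_check(&w, NULL, 0) != 0) return -1;  /* untouched table must be silent */

    table[0].target = 0x00C00100u;  /* bootblock style: DoIO() now points into virus memory */
    table[1].opcode = OP_JSR_ABSL;  /* Illegal Access/HitchHiker style: JSR over Wait() */
    table[3].target = 0x00C00200u;  /* a change the checker only reports */
    int hits = watchdog_check(&w, report, len);
    if (hits != 3) return -2;
    if (table[0].target != 0x00F80000u || table[1].opcode != OP_JMP_ABSL) return -3;
    if (table[3].target != 0x00C00200u) return -4;    /* report-only entry left alone */
    if (watchdog_check(&w, NULL, 0) != 1) return -5;  /* only CallGV() still differs */
    return hits;
}

int main(void)
{
    char report[512];
    int hits = demo(report, sizeof report);
    printf("hits after infection: %d\n%s", hits, report);
    return hits == 3 ? 0 : 1;
}
```

The opcode test and the target test are deliberately separate: a patch that keeps the $4EF9 opcode but swaps the address (the DoIO() case) and one that overwrites the opcode itself with a JSR (the Wait() case) are both caught, and the report says which. Entries marked report-only are compared but never written back, which is the difference between the "easy restore" and "change detector only" classes in the list above.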
PARAMETERS
Currently WatchDog is controlled by ToolTypes in its icon;
however, I can add a shell template if someone requests it.
Just take a look at the icon and be aware that some
of these ToolTypes are debug only and might be removed in the future...
AUTHOR
Zbigniew Trzcionkowski
Astrow 7
43 250 Pawlowice
Poland
Send me bug reports, ideas and infected files.
100% response to all disk senders
e-mail: [zeeball@interia.pl]
You can download WatchDog from the VHT-DK page:
[www.vht-dk.dk]
You can also look for the newest versions in the util/virus directory of Aminet!