
Generic Stealth Detector
Pseudocode Summary
Gary M. Watson
FWIW, donated to the public domain.
3 May 1993  version
 
Summary: a typical stealth virus, if present and active in RAM, attempts
to evade detection by av software by intercepting the int 21 or int 13 file
open or block read services and presenting the requestor with a simulated
image of an uninfected file or block.  The routine proposed below attempts
to take advantage of this fact to expose the virus.  The method
compares the physical disk image of an item on disk (obtained by
directly manipulating the hardware ports on the disk controller to force
block reads into the av program's private buffer) with the (possibly
tainted) results obtained by int 13 and int 21 calls to bios and dos
respectively.  Any difference reveals some kind of data translation,
which must be accounted for.  Differences could be caused by mapping
software, Stacker, Double Disk, Dos 6 compression, or other non-malicious
software, but these cases can be compensated for.  Any remaining
translation is therefore suspicious and merits further study.
 
Method:
 
1. Save timer int vect, change to our code, mask all other interrupts, count
ticks within our program (we will update bios when we are done)
 
2. Verify program integrity.  Check to see if disk controller is compatible
with WD 1003 style command set.  If not, see if any special disk hw 
handling drivers are available (e.g. SCSI etc)
 
3. Set standard video mode, clear screen, put up title with the user's name
obtained when the s/w was ordered (prevents spoofing attacks)
 
4. Set kbd int to our handler, unmask this interrupt
 
5. Ask user which physical disks to check
 
6. For each block on the disk:
 
	a) do int 13 read into buffer 'x'
	b) do secure block read into buffer 'y' (secure
	   read is defined later in this document)
	c) do another int 13 read into buffer 'z'
	d) if x=y=z then ok, else print error info
	   or attempt to use special code to interpret
	   Stacker, Dos 6, or Double Disk partitions
 
7. If step 6 went ok, then inform user that no int 13 level
translation or stealth virus was present
 
8. For each file on disk:
 
	a) do secure file read of fat, directory, and file into buff 'x'
	b) do int 21 read of file into buffer 'y'
	c) do secure read of file into buffer 'z'
	d) if x=y=z then all is well, else a stealth virus or
	   fast infector is present, in which case a side by side
	   comparison of x, y and z will yield the virus object code
 
9. If step 8 went ok, then tell user all is well and offer the option to
test more stuff; otherwise restore video, interrupts, and vectors, see how
many timer ticks have happened and update bios accordingly, and
exit.
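Steps 6 and 8 both reduce to the same three-way comparison: two dos/bios reads (x, z) bracketing one direct-hardware read (y).  The following Python is an added example, not part of the original posting; the buffers are constructed stand-ins for the int 13/int 21 and secure reads, and treating x != z as "re-read" is this example's own interpretation of why the secure read is bracketed.

```python
# Three-way compare used by steps 6 and 8.  Buffers x and z are the
# OS/BIOS view obtained before and after the direct-hardware read y.

def diff_ranges(a: bytes, b: bytes) -> list:
    """Return [(offset, length), ...] for each contiguous run of bytes
    where a and b differ.  Both buffers must be the same length."""
    if len(a) != len(b):
        raise ValueError("buffers must be the same length")
    ranges, start = [], None
    for i, (p, q) in enumerate(zip(a, b)):
        if p != q and start is None:
            start = i                      # a run of differences begins
        elif p == q and start is not None:
            ranges.append((start, i - start))
            start = None                   # the run ends
    if start is not None:                  # run reaches end of buffer
        ranges.append((start, len(a) - start))
    return ranges

def classify(x: bytes, y: bytes, z: bytes) -> dict:
    """x == y == z: nothing translates the OS view.  x == z != y: a
    stable layer (compression driver, or a stealth hook serving a clean
    image) sits between OS view and disk; ranges locate what it hides.
    x != z: the OS view moved between the bracketing reads, so the pass
    is inconclusive and should be retried (this reading is an assumption)."""
    if x == y == z:
        return {"status": "ok", "ranges": []}
    if x != z:
        return {"status": "unstable", "ranges": diff_ranges(x, z)}
    return {"status": "translated", "ranges": diff_ranges(x, y)}

def hidden_bytes(y: bytes, ranges: list) -> list:
    """Slice out of the physical image y the runs the OS view does not
    show: the 'side by side comparison' of step 8d."""
    return [y[off:off + ln] for off, ln in ranges]

# Constructed sample: a 512-byte "sector" as DOS/BIOS present it (CLEAN)
# and the same sector read straight from the controller (PHYSICAL).
CLEAN = bytes(range(256)) * 2
_phys = bytearray(CLEAN)
_phys[0:3] = b"\xEB\x10\x90"          # constructed: altered first three bytes
_phys[480:512] = bytes(32)            # constructed: altered 32-byte tail
PHYSICAL = bytes(_phys)

if __name__ == "__main__":
    result = classify(CLEAN, PHYSICAL, CLEAN)
    print(result["status"], result["ranges"])   # translated [(0, 3), (480, 32)]
    print([f.hex() for f in hidden_bytes(PHYSICAL, result["ranges"])])
```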
 
 
 
Secure Sector Read:
 
1. Be sure IRQ for disk is disabled
 
2. Load up disk controller regs @ 1f0 thru 1f8 with cyl, track,
sector, per IDE (ATA) ANSI spec or WD1003 spec, then load up pc's
dma controller with memory buffer address, then fire off read using
disk controller command register.
 
3. Either use DMA as indicated, or use PIO to handshake bytes out
of the disk controller.  Poll the disk done status, as interrupts are
disabled.
 
 
Secure File Read:
 
1. Use Secure Sector Read to find FAT, to find Directory Entry, and 
finally to find the file data itself.  Do not use any dos or bios 
calls.
 
 
As noted earlier, disk compression programs will prevent the 
simple-minded approach above from working.  I would suggest that
someone considering writing a program to do what I described
contact the authors of these compression programs and ask them
to compile for you read-only versions of their programs that
use your secure block read routine instead of INT 13h.  For
experimental purposes, it might be possible simply to hack
their disk driver, and include it within your anti-virus program. 
 
 
 
The ATA/IDE specification can be obtained from the NCR SCSI bbs
operated by John Lohmeyer, chairman of the SCSI committee.   The 
latest version is ATA-R4A.TXZ which is a .ZIP file 7 bit ASCII.
SnailMail or NetMail me if you need to get this file.
 
Gary M. Watson
Trimm Industries
North Hollywood, CA 
internet: trimm@netcom.com
fido 1:202/204 Programmers Workshop

