Lesson 6A. Virus Protection Programs: How They Work.
Virus protection software was a good idea. It worked for a
while. Then it became a commercial product: Virex, SAM, etc. The best one in the world
today is freeware: Disinfectant, a beautifully written piece by John Norstad. I personally
am against commercially written virus protection. However, I am not here to give praise to
independent software authors. I am here to tell you how some of their mechanisms work.
Patching toolbox traps is a popular method of modifying the system's own code. When a
patched trap is invoked, the system runs the patch (your code) before it calls the real
routine. Virus detectors use this method to keep an eye on the parameters passed through
certain toolbox calls and check whether they are virus-related.
One popular patch is AddResource. If a virus detector sees that the type of resource
being added is 'nVir', it'll catch you. If it sees 'WDEF' with ID=0 and the open resource
file is the desktop, it'll catch you. Since replication depends heavily on AddResource,
this check is almost certain to work every time. Other less popular but more efficient
patches sit at the base level of the operating system, in traps not even documented by
Apple. Traps such as _vBasicIO, _VInstall, _NewHandle, _vMRdAddr, and even _ADBReInit are
trapped by the Disinfectant extension. Because these are very basic calls (used by nearly
anything that does input and output, in the case of _vBasicIO), the extension can catch
nearly anything coming toward it. It's nearly foolproof. Once it knows which type of virus
it is dealing with, the software can delete the virus quickly and easily.
Good applications also implement their own form of virus protection. At startup, the
application counts the number of resources in its file and checks the size of the more
important executable resources. This way, if a resource has been added to the application
(or an executable resource has grown), it can alert the user and stop execution.
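The startup self-check described above, written as an added example (not code from the lesson or from any of the products it names). The resource fork is modelled as an in-memory array so it runs anywhere; on a real Macintosh the walk would use Count1Resources, Get1IndResource, GetResInfo and SizeResource. All resource types, IDs and sizes below are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of one resource-map entry: four-character type, ID and data size. */
typedef struct { char type[5]; int16_t id; uint32_t size; } ResEntry;

/* Baseline recorded when the application was built (constructed sample values). */
static const ResEntry kBaseline[] = {
    {"CODE", 0, 28}, {"CODE", 1, 12096}, {"INIT", 128, 1040}, {"DLOG", 128, 48},
};
#define BASELINE_COUNT (sizeof kBaseline / sizeof kBaseline[0])

/* Executable resource types whose size is verified, not merely counted. */
static int is_executable_type(const char *t) {
    return !strcmp(t, "CODE") || !strcmp(t, "INIT") || !strcmp(t, "WDEF") ||
           !strcmp(t, "CDEF") || !strcmp(t, "MDEF");
}

/* Returns 0 when the fork matches the baseline, 1 when the resource count differs
 * (something was added or removed), 2 when an executable resource is unknown or has
 * changed size. Any non-zero result means: alert the user and stop execution. */
int check_resource_fork(const ResEntry *fork, size_t count) {
    if (count != BASELINE_COUNT) return 1;
    for (size_t i = 0; i < count; i++) {
        if (!is_executable_type(fork[i].type)) continue;
        int found = 0;
        for (size_t j = 0; j < BASELINE_COUNT; j++) {
            if (fork[i].id == kBaseline[j].id && !strcmp(fork[i].type, kBaseline[j].type)) {
                found = 1;
                if (fork[i].size != kBaseline[j].size) return 2;
            }
        }
        if (!found) return 2;   /* executable resource the build never shipped */
    }
    return 0;
}

/* Three constructed forks: untouched, one extra 'nVir' resource, and CODE 1 grown. */
static const ResEntry kClean[] = {
    {"CODE", 0, 28}, {"CODE", 1, 12096}, {"INIT", 128, 1040}, {"DLOG", 128, 48} };
static const ResEntry kAdded[] = {
    {"CODE", 0, 28}, {"CODE", 1, 12096}, {"INIT", 128, 1040}, {"DLOG", 128, 48},
    {"nVir", 0, 400} };
static const ResEntry kGrown[] = {
    {"CODE", 0, 28}, {"CODE", 1, 13200}, {"INIT", 128, 1040}, {"DLOG", 128, 48} };

int check_clean_fork(void) { return check_resource_fork(kClean, 4); }   /* 0 */
int check_added_fork(void) { return check_resource_fork(kAdded, 5); }   /* 1 */
int check_grown_fork(void) { return check_resource_fork(kGrown, 4); }   /* 2 */
```

The count check alone catches an added resource; the size check catches a virus that grows an existing CODE resource instead of adding a new one.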