Twenty Year Anniversary

dis1.c

dis1.c
Posted Jun 7, 2007
Authored by Piotr Bania | Site piotrbania.com

Gaara virus disinfector type 1 for the TI-89.

tags | virus
MD5 | 14c04c934d383f4b5d40a6e0fc9df19d

dis1.c

Change Mirror Download
/*



Gaara virus disinfector type 1
--------------------------------------
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com


Details:

Firs of all, the disinfector checks if the GAARA is already resident
if so you may want to clear the RAM memory. And this seems to be
the best way of disinfection but you will loose all your RAM programs
unless they are archived. Anyway i made an another approach.
Which i hope can teach you how to clear the virus.

This little file, is going prevent Gaara virus from execution.
It simply checks all variables (files) for the marker occurency
then if it is found, we are searching for the const bytes of gaara
body within the virus execution starts. Then we patch those bytes
with orginal bytes from the host. Due to that fact, Gaara will not
get executed, and the execution flow returns to the orginal program.
Finally the GAARA marker is erased from the orginal file. Well
i could also re-design the heap memory and change the size but i
was too lazy to do so. Nothing more like few minutes code.

*/



#include <tigcclib.h>

#define get_romb(x) ({(long)x = *(long*)0xC8;})
#define LOW_GAARA_SIZE 400



/* signatures */
unsigned char sig_gaara_mark[] = {'G','A','A','R','A','X'};
unsigned char sig_gaara_start[] = {0x4E, 0x71, 0x4E, 0x71, 0x48, 0xE7, 0xFF, 0xFE};


/* repair */
unsigned char repair_bytes[] = {0x4E, 0x5E, 0x4E, 0x75};

unsigned short gaara_m_offset = 0;
int d_files = 0;


void is_infected(void)
{
unsigned long a;
get_romb(a);

if (!(a & 0xE00000))
{
printf("Disg: Seems the ROMCALL-JUMP-TABLE is redirected\n");
printf("Disg: Please reset RAM to make it clean.\n");

/* well i should rewrite the ROMCALL-JUMP-TABLE ptr here by hand
but i guess it would be a cool job for you :)*/

ngetchx();
return;
}

printf("Disg: Seems the RAM is clean\n");
}


unsigned short get_sig_off(void *mem, unsigned short size, unsigned char *sig, int sig_s)
{

int i,ii, found;
for (i = 0; i < (size-3); i++)
{
found = 1;
for (ii = 0; ii < sig_s; ii++)
{
if (*(unsigned char*)(mem+i+ii) != sig[ii])
{
found = 0;
goto next;
}
}

next:
if (found == 1)
{
if (*(char*)(mem+i+ii) == 'X')
return 0; // to avoid fail on itself
return i;
}

}

return 0;
}


int is_gaara(void *mem, unsigned short size)
{
int i;
unsigned long offset;

printf("Disg: Scaning for the infection mark\n");

gaara_m_offset = get_sig_off(mem,size,&sig_gaara_mark,sizeof(sig_gaara_mark)-1);
if (gaara_m_offset != 0)
{
printf("Disg: File is infected with Gaara, trying to repair\n");
return 1;
}

printf("Disg: File is clean\n");
return 0;
}


void disinfection_one(void *mem, unsigned short size)
{
void *where;
unsigned short offset;

offset = get_sig_off(mem,size,&sig_gaara_start,7);

if (!offset)
{
printf("Disg: Disinfection failed, cannot find second signature\n");
return;
}

where = (void*)(mem + offset);
printf("Disg: Gaara entry found at 0x%lx\n",where);

/* lets set orginal bytes just after the virus entry point, so
the body will not be executed, and the execution flow will return to the host at start*/

memcpy((void*)(where+4),(void*)&repair_bytes,sizeof(repair_bytes));


/* and now destroy the Gaara marker, pad it with 0 */
memset((void*)(mem + gaara_m_offset),0,5);

printf("Disg: File is repaired\n");
d_files++;
return;
}




void in_infected_file(SYM_ENTRY *se)
{
unsigned short size;
void *mem = HeapDeref(se->handle);

printf("Disg: Checking %s\n",se->name);

if (!mem)
{
printf("Disg: Error, cannot HeapDeref();\n");
return;
}

size = *(unsigned short*)mem;

printf("Disg: Variable size is %d bytes \n",size);

if (size < LOW_GAARA_SIZE)
{
printf("Disg: The file is not infected (size is too low)\n");
return;
}

if (!is_gaara(mem,size))
return;

disinfection_one(mem,size);

}




void dis_loop(void)
{

SYM_ENTRY *se;

if (!FolderOp(NULL, FOP_LOCK | FOP_ALL_FOLDERS))
{
printf("Disg: Locking folder table failed\n");
return;
}

se = SymFindFirst(NULL, FO_RECURSE | FO_SKIP_TEMPS);

while (se)
{
in_infected_file(se);
se = SymFindNext();
}

FolderOp(NULL,FOP_UNLOCK | FOP_ALL_FOLDERS);

}


// Main Function
void _main(void)
{
clrscr();
printf("*** DISG - Gaara virus file disinfector ready.\n");
printf("*** by Piotr Bania - http://www.piotrbania.com\n");

is_infected();
dis_loop();


printf("Disg: Disinfection ended, %d file were disinfected\n",d_files);
ngetchx();
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close