Remember me

Lost Password?

Register now!


Who's Online
98 user(s) are online (81 user(s) are browsing Forums)

Members: 2
Guests: 96

Arthas, broadblues, more...


Information needed to update VirusZ & xvs.library for OS 4.x
Just popping in
4/7 23:27
From Germany
Posts: 1
Hi to all developers of OS 4.x,

now I'm here myself with my questions about OS 4.x. Thanks to samo79 for his efforts so far here in the forum.

As has been told before, usually no program in the running system needs to know the inner workings of memory management, location of Kickstart modules, etc.

BUT: A virus-scanner needs those information, otherwise it would lead to hundreds of illegal accesses to unexisting memory regions while scanning for viruses/patches...

So once again the one and only question:

How can I determine the physical (and maybe virtual) address ranges of each Kickstart module and the available memory of the system? I can't do a vector check without knowing the normal address of a library function, and I can't limit the memory monitor to existing memory boundaries without knowing them.

So, are the .kmod-files located one after the other without other stuff between? And is there a list of these addresses? Or is there at least a defined memory area to which they are all loaded (eg. $1800000 - $2200000) and nothing else?

Is the 'kernel' always loaded first? I saw that the RT_INIT of kernel points to an even address like $1800000.

Are there any functions anywhere else than in exec.library to determine the physical memory boundaries (any resource or something like that)?

Is the version/revision of 'kernel' actually the Kickstart version?

No more questions until now :-) If I can't get any solutions for the above problems, I will have to disable vector and memory checks under OS 4.x, so VirusZ would only be available to scan files/archives/sectors/bootblocks...

Thanks in advance,
Georg Wittmann (formerly Hörmann), author of VirusZ and xvs.library

   Report Go to top

Re: Information needed to update VirusZ & xvs.library for OS 4.x
Just can't stay away
2006/12/1 18:01
From Copenhagen, Denmark
Posts: 1258

The question is, does such a check make sense at all under OS4? Just as your program is having trouble getting access to memory not belonging to your own process, so will any virus.

I have personally never seen or heard of any virus being active under OS4, I don't know if anybody else has?

Anyway, I hope somebody who knows the internals better than me will chime in and advise.

Best regards,


   Report Go to top

Re: Information needed to update VirusZ & xvs.library for OS 4.x
Home away from home
2006/11/20 16:26
From Norway
Posts: 2969

Theoretically a 68k virus can run, it does not need to modify programs memory, I guess what he trying to do here is identify viruses after it has decrypted Itself. The virus will have to play nicely, instruction flush caches and so on, lot of early viruses did not do that.

I remember a virus checker on the PC / MSDOS, it created a check sum of all binary files, and checked if length or CRC had changed. To see if virus had spread from one EXE file to another.

Anyway, it be interesting to monitor if program try open ELF’s and HUNK files, even so viruses can also be script format, like Phyton, or Perl, or AREXX or even shell scripts. Basically, anything that can be executed and runs.

Let say ELF program won’t decompress some ugly code, it needs to allocate memory as executable, or as modify the memory to make it executable. In that case it won’t be too hard to monitor if that action is taken

Anyway, floppy drives are not so common anymore, and we can’t run Boot block viruses.
We do not have autorun scripts, so virus cannot spread from a USB stick by just plug in USB stick.

I think more likely scenario is that you get malware, software that does bit more then you expect, back doors, or monitor what you do. Or programs do things you did not expect like mine crypto currency.

Edited by LiveForIt on 2021/4/9 0:33:15

Basilisk II for AmigaOS4
and other tools and apps.
   Report Go to top

[Advanced Search]

Powered by XOOPS 2.0 © 2001-2016 The XOOPS Project