193 lines
6.7 KiB
Plaintext
193 lines
6.7 KiB
Plaintext
|
||
ûirogen's Thunderbyte Anti-Virus Signature File Reader
|
||
version 3.0 02-05-95
|
||
for TBSCAN.SIG v6.22+
|
||
Last Tested On: v6.31
|
||
Coded by ûirogen
|
||
[615.586.9515]
|
||
|
||
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
Welcome to the latest VG-TBSIG version. It appears that X number of
|
||
versions ago [I've not had luxury of a computer for some time now],
|
||
the TBSCAN.SIG file exceeded VG-TBSIG's heap and would cause a lockup
|
||
after you gut thru about 64k of the file. This is fixed, this version
|
||
should be able to handle TBSCAN.SIG files of an infinite length.
|
||
|
||
I've distributed the complete source code and format (as much as I
|
||
know) of the TBSCAN.SIG file. Feel phree to make any enhancments
|
||
you wish as long as you redistribute the source code and give credit
|
||
to the original author [thatz me], and any authors of new mods.
|
||
|
||
Usage
|
||
ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
Place VG-TBSIG.COM in the same directory as TBSCAN.SIG and run.. the
|
||
output is via DOS, so you can redirect it to a file.
|
||
eg: VG-TBSIG > TBSIGS.TXT
|
||
|
||
You'll get a listing of all signatures for virii and other programs
|
||
defined in the data file. XCEPT, there are a few polymorphic virii
|
||
which I'm not sure on how to extract the algotihm/signature as of yet.
|
||
|
||
The groups of two hex bytes (4 ascii bytes) surrounded by '_'s are
|
||
wildcards, and are defined as shown below in the technical info.
|
||
|
||
Optional Switches:
|
||
"l" - Do not list virus signatures.
|
||
e.g.: VG-TBSIG l
|
||
|
||
|
||
Technical Info
|
||
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
WildCards/Variable Positions:
|
||
UserDef Ex Description Signature String
|
||
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
?n = Skip n amount of bytes and continue. = 388n
|
||
?@nn = Skip nn amount of bytes and continue. = 38nn (see note 1)
|
||
nn should not exceed 7F.
|
||
*n = Skip up to n bytes. = 384n
|
||
*@nn = Skip up to nn bytes and continue. = 38nn (see note 1)
|
||
nn should not exceed 1F.
|
||
nL = One of the values in the range n0-n7. = 382n
|
||
nH = One of the values in the range n8-nF. = 383n
|
||
|
||
þnote1: The highest bit is set to 1 provided nn is in the range suggested
|
||
above. If it exceeds that range, then the highest bit is not set
|
||
to 1.
|
||
þnote2: I believe all 00 bytes in the signatures are interpreted as
|
||
wildcards.
|
||
|
||
|
||
Example:
|
||
Virus : PC-Flu_II�
|
||
ÀÄSignature : 50_383B_2001_3882__383B__3884__383B__3848_2E30_384E_E2
|
||
Xlation : 50 Bh 2001 ?2 Bh ?4 Bh *8 2E30 *E 12
|
||
|
||
|
||
|
||
|
||
Format of TBSCAN.SIG:
|
||
There are two types of blocks in the data phile; I didn't need all
|
||
the info from them so I didn't goto the trouble of filling in the missing
|
||
blanks.
|
||
|
||
The data blocks start at offset 80h in the phile.
|
||
|
||
1) for virii which have multiple-scan strings defined, or some
|
||
algorithmic approach (polymorphic):
|
||
byte 0 = If 0 then no more entries
|
||
1 = 0FFh
|
||
2 = ?
|
||
3 = ?
|
||
4 = ?
|
||
5 = ?
|
||
6 = ?
|
||
7 = ?
|
||
8 = ?
|
||
9 = ?
|
||
A = length of virus name
|
||
B = ?
|
||
C = index to virus name (from start of block)
|
||
D = ?
|
||
E = index to next data block (from start of block)
|
||
|
||
ptr to next block calculation: oldptr+ byte Eh
|
||
|
||
|
||
2) for normal virii:
|
||
byte 0 = if 0 then no more entries
|
||
1 = if 0Fh then non-virus entry or special entry
|
||
2 = ?
|
||
3 = ?
|
||
4 = if bit 6 = 1 then entry is user-defined
|
||
5 = ?
|
||
6 = ?
|
||
7 = length of signature
|
||
8 = length of virus name
|
||
9 = ?
|
||
A = start of virus name
|
||
|
||
ptr to next block calculation: oldptr+ 0Ah+ byte 7h+ byte 8h
|
||
|
||
|
||
Encryption of Virus Names:
|
||
|
||
The virus names are encrypted in the following technique, which
|
||
is actually a form of compression; if you'll notice every encrypted
|
||
word decrypts to three bytes.
|
||
|
||
þ string XORed by A5h
|
||
þ NULL appended at end for stop point of next loop
|
||
þ string then processed thru the following loop:
|
||
|
||
assume si=start of string, di=new location, bx=table [alphabet_. ,]
|
||
start:
|
||
lodsb ; get byte
|
||
test al,al ; not all chars compressed/crypted..
|
||
js continue
|
||
stosb ; store byte
|
||
jnz start ; 0 designates end of string
|
||
ret
|
||
continue:
|
||
mov ah,al ; save byte
|
||
lodsb ; get next byte
|
||
mov dx,ax ; save retrieved word
|
||
mov al,ah ; process first byte retrieved
|
||
shr al,1 ; shift-right .. [xtract nibble]
|
||
shr al,1
|
||
call xlation ; xlat- stosb- ret:ax=dx
|
||
shl ax,1 ; shift-left
|
||
shl ax,1
|
||
shl ax,1
|
||
mov al,ah
|
||
call xlation ; xlat- stosb- ret:ax=dx
|
||
call xlation
|
||
jmp start
|
||
|
||
xlation:
|
||
and al,1Fh
|
||
dec ax
|
||
xlat ; xlation table defined below - al=bx[al]
|
||
stosb ; save byte
|
||
mov ax,dx ; restore retrived word
|
||
ret
|
||
|
||
table db 'abcdefghijklmnopqrstuvwxyz_. ,'
|
||
|
||
|
||
|
||
|
||
Encryption of Virus Signatures is a simple byte XOR by A5h.
|
||
|
||
|
||
|
||
History
|
||
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
1.0 - Initial release - 07-04-94
|
||
1.01 - Minor bug fix - - 07-04-94 (yes the same damn day)
|
||
If two wildcards were located
|
||
in a sequence, the second would
|
||
not be designated by the '_'s.
|
||
2.0 - Updated to read new TBSCAN.SIG - 07-19-94
|
||
format in version 6.22
|
||
3.0 - Updated to read TBSCAN.SIG files - 02-05-95
|
||
exceeding 60k+.
|
||
|
||
Have phun!
|
||
Live to die.
|
||
ûirogen '95
|
||
|
||
|
||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||
Version: 2.6
|
||
|
||
mQCNAixt9g4AAAEEANN3KDJ5NjmN1bm5cQGs352wJsQH6FBtOgnHEpZczJBXBwU1
|
||
HiMIL0a4ST16h/flarD2Jsekk5KMz0XF0/+ZAy98Ng3AglsWT+9mXnYxlnUwMaIc
|
||
0QeCU8ECQzQSRzSznWidEKsemYLC179eOEfOqNeYR5NndCo3mVS0HwB6IcbpAAUR
|
||
tAdWaXJvZ2Vu
|
||
=Hvsw
|
||
-----END PGP PUBLIC KEY BLOCK-----
|
||
|
||
|