"Vircing" the InVircible: 5. The Disk Editor (RESQDISK).

5. The Disk Editor (RESQDISK).

Probably the most useful (or, shall we say, the least useless)
part of InVircible is its disk editor - RESQDISK. The program works
only on hard disks - a rather unfortunate limitation. It uses a
rather advanced tunnelling technique - direct access of the hard
disk via the ports - to read and write the sectors of the hard
disk. Unfortunately, this technique works only on IDE and EIDE
hard disks. On SCSI and MFM hard disks ResQdisk is just as helpless
against stealth boot sector viruses as any other disk editor.

Nevertheless, ResQdisk does contain some useful features. When the
tunnelling technique (named "SeeThru") works, it can be used to
disinfect an active stealth virus very easily. Even if the virus is
not stealth, ResQdisk can be used to locate the original boot
sector, if it is stored elsewhere by the virus, read it from there,
and write it to its original place.

According to the documentation, ResQdisk can also be used to
repair a damaged MBR or DOS boot sector. Unfortunately, we were
unable to test this, because this feature is available only in the
registered version of the product. However, we discovered that
ResQdisk (as well as IVScan) carries within itself a copy of the
code part of a standard MBR and a copy of the DOS boot sector
program used by MS-DOS versions 5.0 and above (it is one and the
same in all versions above 5.0).

Supposedly, the MBR code is used in a manner equivalent to the
FDISK/MBR method, while the DOS boot sector can be used in
situations when the DOS program SYS would be needed. It is worth
mentioning that having a program to install a copy of the DOS boot
sector is much more convenient than using SYS - because in many
cases SYS refuses to work properly and always tries to transfer
the DOS files as well - a completely unnecessary operation if all we
want is to recover the DOS boot sector.

However, having a third-party program carry a copy of the DOS boot
sector poses several other problems. The first question that comes
to mind is - has the author of InVircible obtained a license from
Microsoft for using their code in his programs? We didn't have the
means to check this, and weren't particularly concerned by the
answer, but users who are worried about using a potentially infringing
piece of software should probably contact Microsoft and ask for
more information.

Using a particular DOS boot sector code poses another, technical,
and much more serious problem. Unlike the program in the MBR, the
DOS boot sector program is DOS version-dependent. While one and the
same program can be used to boot DOS versions 5.0 to 6.22, the same
is not true for all the earlier DOS versions or for other brands of
DOS - like DR-DOS, Novell DOS, Compaq DOS, Zenith DOS, and so on.
We strongly suspect that "recovering" the DOS boot sector with
ResQdisk will make a disk formatted with one of those DOSes
non-bootable. Unfortunately, we could not directly verify our
suspicion, because this function of ResQdisk is available only in
the registered version of the product.

However, we tested our conjecture by replacing the boot sector of
a 3.5" 1.44 Mb DR-DOS 6.0 system diskette with the boot sector of a
MS-DOS 6.20 system diskette of the same size, also taking care to
change the names of the two DOS files. As we expected, the
diskette became non-bootable.

Next, we used another program from the same author - FixBoot -
which is supposed to rebuild the boot sectors of the diskettes if
they become corrupted or infected. We instructed the program to
rebuild the boot sector of a bootable DR-DOS 6.0 diskette. Again,
as a result of this operation, the diskette became non-bootable. We
are pretty sure that the same will happen to a DR-DOS formatted
hard disk whose DOS boot sector is "recovered" by ResQdisk or
IVScan.
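As an added example (not code from this review, from InVircible or from FixBoot), the following Python script models what a generic "restore the DOS boot sector" operation amounts to and runs the preflight check that would have flagged the DR-DOS case above: it keeps the volume's own BPB, grafts the template's boot code onto it, and then verifies that the system files the new code looks for actually exist in the root directory. The two boot sectors and the root directory are constructed stand-ins (a few opcodes followed by the embedded 8.3 file names), the file-name scan is a heuristic, and nothing here reproduces Microsoft's or Digital Research's real boot code or the offsets inside it.

```python
"""Preflight check for 'rebuilding' a FAT12/16 DOS boot sector from a template.
Added example; all sector and directory contents below are constructed."""
import re
import struct

SECTOR_SIZE = 512
CODE_START = 62      # jump (3) + OEM name (8) + BPB (25) + extended BPB (26), FAT12/16 layout
SIG_OFFSET = 510     # 0x55 0xAA boot signature


def pack_bpb(total_sectors=2880, spt=18, heads=2, label=b"NO NAME    ", fstype=b"FAT12   "):
    """Pack the 51 bytes at offsets 11..61: BPB plus extended BPB.
    Defaults describe a 1.44 MB diskette; they are constructed sample values."""
    bpb = struct.pack("<HBHBHHBHHHII",
                      512, 1, 1, 2, 224, total_sectors, 0xF0, 9, spt, heads, 0, 0)
    ebpb = struct.pack("<BBBI11s8s", 0x00, 0, 0x29, 0x12345678, label, fstype)
    return bpb + ebpb


def make_boot_sector(oem, bpb, code):
    """Assemble a constructed boot sector: JMP, OEM name, BPB, boot code, 55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"                 # JMP SHORT to the code ; NOP
    sector[3:11] = oem.ljust(8)[:8].encode("ascii")
    sector[11:CODE_START] = bpb
    sector[CODE_START:CODE_START + len(code)] = code
    sector[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Stand-ins for the boot code of each DOS flavour: a few plausible opcodes and the
# 8.3 names the loader embeds. Real MS-DOS / DR-DOS boot code is NOT reproduced.
MSDOS_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"IO      SYSMSDOS   SYS" + b"Non-System disk\r\n\0"
DRDOS_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"IBMBIO  COMIBMDOS  COM" + b"Non-System disk\r\n\0"
MSDOS_SECTOR = make_boot_sector("MSDOS6.2", pack_bpb(), MSDOS_CODE)
DRDOS_SECTOR = make_boot_sector("DRDOS6.0", pack_bpb(), DRDOS_CODE)

NAME_RE = re.compile(rb"([A-Z0-9 ]{8})(SYS|COM)")


def expected_system_files(sector):
    """Names the boot code will try to load, found by scanning the code region
    for 8.3-style directory names (heuristic, not a known fixed offset)."""
    code = sector[CODE_START:SIG_OFFSET]
    return [m.group(1).decode().strip() + "." + m.group(2).decode()
            for m in NAME_RE.finditer(code)]


def dir_entry(name83):
    """One constructed 32-byte FAT directory entry with only the name filled in."""
    return name83.ljust(11).encode("ascii") + bytes(21)


DRDOS_ROOT = dir_entry("IBMBIO  COM") + dir_entry("IBMDOS  COM") + dir_entry("COMMAND COM")


def root_dir_names(root):
    """Collect 'NAME.EXT' for every used entry in a raw root-directory region."""
    names = set()
    for off in range(0, len(root), 32):
        raw = root[off:off + 11]
        if raw[0] in (0x00, 0xE5):          # free or deleted entry
            continue
        names.add(raw[:8].decode().strip() + "." + raw[8:].decode().strip())
    return names


def rebuild_boot_sector(target, template):
    """Graft the template's jump and boot code onto the target's own OEM name and
    BPB; this is what a generic 'restore the DOS boot sector' operation does."""
    if template[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("template lacks a 55AA boot signature")
    return template[0:3] + target[3:CODE_START] + template[CODE_START:]


def preflight(target, template, root):
    """Return (ok, missing): system files the rebuilt code expects but the volume lacks."""
    rebuilt = rebuild_boot_sector(target, template)
    missing = set(expected_system_files(rebuilt)) - root_dir_names(root)
    return not missing, missing


if __name__ == "__main__":
    print("DR-DOS volume, DR-DOS template:", preflight(DRDOS_SECTOR, DRDOS_SECTOR, DRDOS_ROOT))
    print("DR-DOS volume, MS-DOS template:", preflight(DRDOS_SECTOR, MSDOS_SECTOR, DRDOS_ROOT))
```

The check is necessary but not sufficient: the diskette experiment above shows that renaming the two DOS files did not make the DR-DOS diskette boot with MS-DOS boot code, so a loader's requirements go beyond the file names it embeds. A tool that carries a single copy of one vendor's boot program should at least refuse to write it when a check like this fails, instead of silently producing a non-bootable disk.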

This is, however, not the only way that "rebuilding" the boot
sectors with ResQdisk would cause damage. As we have already
mentioned, the "SeeThru" technique works only on IDE and EIDE
drives. However, it does not work properly on all kinds of such
drives.

For instance, one of the newer Western Digital Caviar 850 EIDE
drives has 1654 cylinders. The INT 13h handler of the older BIOSes
that do not have the LBA translation capability cannot address the
whole drive, because it has a limitation that allows it to handle
only drives with no more than 1024 cylinders. In order to circumvent
this problem, Western Digital ships a product from Ontrack which is
an "AT Register Set Compatible BIOS Extension V3.08". It works by
booting its own code from sectors 0,0,2 - 0,0,30 on the drive, and
then replacing INT 13h in the BIOS (or whatever INT 13h code you
are at that time running) with its own INT 13h code. It redirects
attempts to read the 0,0,1 partition table so that the partition
table looks like a normal one starting the bootable partition at
1,0,1 - i.e., it is acting much like a stealth virus.

When ResQdisk is run on such a drive, it comes up with "SeeThru"
mode ON. It beeps, and alerts the user:

"Caution ! Boot spoofing detected !"

which is actually pretty much accurate, but is not caused by a
virus. The "SeeThru" code does indeed allow the original odd MBR to
be seen, and under "special functions" Ctrl-F1 announces that it
will "rebuild master partition sector". Since we do not have the
registered version, we were unable to test whether this rebuild
would indeed overwrite the Ontrack/Western Digital "Dynamic Drive
Overlay V6.03" bootable partition. If it actually does restore the
partition table to bring up the partition on 1,0,1 without the
Dynamic Drive Overlay code and replacement of INT 13h being
installed, this will definitely corrupt the drive when the user
starts to write to it after the next boot, assuming it could
complete the boot process with the now-incorrect drive geometry at
all.

We also noticed another odd thing. Under the F5 key display of the
drive's geometry, if the user boots from a floppy without loading
the BIOS Extension code, ResQdisk will report that the CMOS
settings for the drive only have 1024 cylinders and that it is a
500 Mb drive. The CMOS, of course, actually has it listed as a 1654
cylinder drive, but it appears that InVircible is either ignoring
the CMOS when reporting its contents, or it is misinterpreting the
CMOS, due to a bug.
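The arithmetic behind the 1024-cylinder limit, the overlay's relocated partition and the 500 Mb figure, as an added example (not code from this review, from InVircible, Western Digital or Ontrack). The review gives only the cylinder count; the 16-head, 63-sector geometry for the Caviar 850 is an assumption for illustration, chosen because it reproduces both figures in the text (a drive of about 850 MB that a BIOS without LBA translation sees as about 500 MB). The partition entry is constructed. The last function is the kind of cross-check a disk editor can run instead of trusting a single view of the partition table: decode an MBR entry's CHS and LBA fields and see whether they agree under the geometry the hardware reports.

```python
"""CHS/LBA arithmetic behind the 1024-cylinder limit and an MBR entry cross-check.
Added example; the Caviar 850 geometry and the partition entry are assumed/constructed."""
import struct

SECTOR_SIZE = 512
INT13_MAX_CYL = 1023              # the INT 13h cylinder field is only 10 bits wide

# ASSUMED geometry for the Caviar 850 of the review: 1654 cylinders, 16 heads, 63 sectors.
CAVIAR_850 = (1654, 16, 63)


def chs_to_lba(cyl, head, sect, heads, spt):
    """Classic CHS -> LBA; sectors count from 1, cylinders and heads from 0."""
    return (cyl * heads + head) * spt + (sect - 1)


def lba_to_chs(lba, heads, spt):
    cyl, rem = divmod(lba, heads * spt)
    head, sect = divmod(rem, spt)
    return cyl, head, sect + 1


def int13_addressable(cyl, head, sect):
    return 0 <= cyl <= INT13_MAX_CYL and 0 <= head <= 255 and 1 <= sect <= 63


def encode_int13_chs(cyl, head, sect):
    """Pack CHS into the INT 13h register layout (CH, CL, DH). CL carries the sector
    in bits 0-5 and cylinder bits 8-9 in bits 6-7, so nothing above cylinder 1023
    can be expressed, whatever the drive really has."""
    if not int13_addressable(cyl, head, sect):
        raise ValueError("CHS %d/%d/%d is not addressable through INT 13h" % (cyl, head, sect))
    return cyl & 0xFF, ((cyl >> 8) << 6) | sect, head


def capacity_bytes(cyls, heads, spt):
    return cyls * heads * spt * SECTOR_SIZE


def bios_visible_capacity(cyls, heads, spt):
    """What a BIOS without LBA translation can reach: cylinders capped at 1024."""
    return capacity_bytes(min(cyls, INT13_MAX_CYL + 1), heads, spt)


def encode_entry_chs(cyl, head, sect):
    """3-byte CHS field of an MBR partition entry; cylinders beyond 1023 are clamped,
    which is why the end-CHS field of a large partition reads 1023 regardless of reality."""
    cyl = min(cyl, INT13_MAX_CYL)
    return bytes([head, (sect & 0x3F) | ((cyl >> 8) << 6), cyl & 0xFF])


def decode_entry_chs(field):
    return ((field[1] >> 6) << 8) | field[2], field[0], field[1] & 0x3F


def decode_partition_entry(entry):
    status, start, ptype, end, lba_start, size = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "chs_start": decode_entry_chs(start), "chs_end": decode_entry_chs(end),
            "lba_start": lba_start, "sectors": size}


def chs_consistent_with_lba(entry, heads, spt):
    """Under the drive's real geometry, does the entry's CHS start land on the same
    sector as its LBA start? A table that agrees under one geometry and not under
    the one the hardware reports means some layer (a BIOS overlay, or a stealth
    virus) is translating what the reader sees."""
    info = decode_partition_entry(entry)
    return chs_to_lba(*info["chs_start"], heads, spt) == info["lba_start"]


# Constructed partition entry resembling the layout the review describes: a bootable
# FAT16 partition starting at CHS 1/0/1 (LBA 1008 on a 16x63 geometry) and running
# to the end of the assumed 1654-cylinder drive.
_cyls, _heads, _spt = CAVIAR_850
_start = chs_to_lba(1, 0, 1, _heads, _spt)
_total = _cyls * _heads * _spt
SAMPLE_ENTRY = struct.pack("<B3sB3sII", 0x80, encode_entry_chs(1, 0, 1), 0x06,
                           encode_entry_chs(_cyls - 1, _heads - 1, _spt),
                           _start, _total - _start)

if __name__ == "__main__":
    c, h, s = CAVIAR_850
    print("full drive: %.1f MB, visible to a 1024-cylinder BIOS: %.1f MB"
          % (capacity_bytes(c, h, s) / 1e6, bios_visible_capacity(c, h, s) / 1e6))
    print("overlay code at CHS 0/0/2..0/0/30 = LBA %d..%d"
          % (chs_to_lba(0, 0, 2, h, s), chs_to_lba(0, 0, 30, h, s)))
    print(decode_partition_entry(SAMPLE_ENTRY), chs_consistent_with_lba(SAMPLE_ENTRY, h, s))
```

Under the assumed geometry the script reports 853.6 MB for the whole drive against 528.5 MB through a capped INT 13h, and places the overlay's sectors 0,0,2 to 0,0,30 at LBA 1 to 29, just ahead of the real partition at LBA 1008. A "CMOS" display that shows the capped figure rather than the 1654 cylinders actually stored there is consistent with the suspicion above that ResQdisk is reporting a geometry it got from somewhere other than the CMOS.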