; Thunderbyte Residency Test, by Rhincewind [Vlad]
;
; As you may or may not know, the Thunderbyte resident av utilities hook
; themselves to the device driver chain using the following device names:
; TBDRVXXX, TBFILXXX, TBDSKXXX, TBMEMXXX, TBCHKXXX and TBLOGXXX.
; Now, by doing trial handle opens you can detect if those devices do or
; do not exist et voila, you have a method for testing residency. TBAV
; itself scans the actual device driver chain for the TB???XXX devices
; which is unlike this method, pretty much impossible to confuse, but also
; undocumented and thus it's not guaranteed to work under future versions
; of DOS! Yes, Frans Veldman calls vile and unsafe functions in his battle
; against replicating codefragments.
;
; Added note: Just recently I was looking at the EMM virus written by
; the author of the OneHalf family and found that it traces the device
; chain to detect Thunderbyte residency. This means that this kind of
; detection isn't exactly new. Oh well, what the heck.

.model tiny
.code
                org     100h

start:
                mov     ah, 09                  ; DOS fn 09h: print '$'-terminated string at DS:DX
                mov     dx, offset startmsg
                int     21h
                mov     cx,6                    ; six table entries to test
                mov     dx, offset tbdrvxxx     ; DX -> first entry (display name)
detect_loop:
                mov     ah,09                   ; print the display name of this entry
                int     21h
                mov     ax, 3d00h               ; DOS fn 3Dh: open handle, AL=00h read-only
                add     dx,9                    ; DX -> ASCIIZ device name of this entry
                int     21h                     ; CF set if the device does not exist
                push    dx                      ; save table pointer (flags unchanged)
                mov     dx, offset not_resident
                jc      dont_add                ; open failed: report "Not Resident"
                add     dx, (resident-not_resident) ; DX -> "Resident" message
                mov     bh,3eh                  ; after the xchg: AH=3Eh (close), BX=handle
                xchg    ax,bx
                int     21h                     ; close the handle that was just opened
dont_add:
                mov     ah, 09                  ; print the result message
                int     21h
                pop     dx                      ; restore pointer to the device name
                add     dx,9                    ; advance to the next entry's display name
                loop    detect_loop
                int     20h                     ; terminate the .COM program

startmsg        db      'Thunderbyte Residency Test by Rhincewind [Vlad]'
                db      0dh,0ah,0dh,0ah,'$'

; Table of six 18-byte entries: a '$'-terminated display name padded with
; zeros to 9 bytes, followed by the 9-byte ASCIIZ device name to open.
tbdrvxxx        db      'TbDriver$'
                db      'TBDRVXXX',0
tbfilxxx        db      'TbFile$',0,0
                db      'TBFILXXX',0
tbdskxxx        db      'TbDisk$',0,0
                db      'TBDSKXXX',0
tbmemxxx        db      'TbMem$',0,0,0
                db      'TBMEMXXX',0
tbchkxxx        db      'TbCheck$',0
                db      'TBCHKXXX',0
tblogxxx        db      'TbLog$',0,0,0
                db      'TBLOGXXX',0

not_resident    db      ' - Not Resident',0dh,0ah,'$'
resident        db      ' - Resident',0dh,0ah,'$'

                end     start