Date: Wed, 15 Mar 2000 16:11:25 +0100
Message-Id: <200003151511.QAA21524@acp3bf.physik.rwth-aachen.de>
From: Hans-Bernhard Broeker
To: djgpp AT delorie DOT com
Subject: Re: self-mod code and DJGPP - writable code segment?
X-Newsgroups: comp.os.msdos.djgpp
In-Reply-To:
User-Agent: tin/1.4-19991113 ("No Labels") (UNIX) (Linux/2.0.0 (i586))
Reply-To: djgpp AT delorie DOT com
Errors-To: dj-admin AT delorie DOT com
X-Mailing-List: djgpp AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

In article you wrote:
> On Tue, 14 Mar 2000 09:53:35 Eli Zaretskii wrote:
>>
>>On 14 Mar 2000, Alistair_P SHILTON wrote:
>>
>>> I was wondering if it is possible to link self-modifying assembler
>>> code to DJGPP. When I try, I get an error message. So I checked
>>> the documentation, which says that the code segment is not writable.

> I was just curious about this. If the code
> segment is not writable, it seems to imply some
> sort of immunity to viruses for DJGPP programs.

Not really. The fact that CS=DS in DJGPP programs means that you can
still write into the code, by using the DS segment selector, as
detailed in other answers to that question.

> And I also read from somewhere in the FAQ that DJGPP programs have
> the ability to detect if their COFF image becomes corrupted.

Yes. But that test is not too hard to fool, either, if the virus
writer knows his art... but so far, no virus author has ever bothered
to create a virus hosted by DJGPP programs, yet. Not even as a 'proof
of concept' implementation.

The protection against viruses in DJGPP programs is mainly in the fact
that viruses don't understand anything about the structure of a DJGPP
program, and so instead of 'properly' infecting one, they tend to
break its structure. So far, this has allowed for early detection and
killing of at least two viruses. I should know: I collected the
samples from people reporting they had the 'Check for Viruses'
messages from DJGPP, but definitely *no* (known) virus on their
system, analyzed the viral DNA and reported it to the agencies.

> With so many viruses spreading around, does this mean that DJGPP
> programs are safer from viruses?

A little. But that's not really safety by immunity, but safety by
obscurity. DJGPP-compiled apps are (still) not suitably widely spread
to 'host' a virus population. The real basis of viruses is a *big*
market share of the hosting platform. That's why M$ Word and Excel
viruses are so widely spread, but there is little or no relevance to,
say, an AMIPro virus.

--
Hans-Bernhard Broeker (broeker AT physik DOT rwth-aachen DOT de)
Even if all the snow were burnt, ashes would remain.