Date: Wed, 15 Mar 2000 11:04:21 +0200 (IST)
From: Eli Zaretskii <eliz AT is DOT elta DOT co DOT il>
X-Sender: eliz AT is
To: "nimrod a. abing" <synflood AT eudoramail DOT com>
cc: djgpp AT delorie DOT com
Subject: Re: self-mod code and DJGPP - writable code segment?
In-Reply-To: <INEPKJNPJEEIBAAA@shared1-mail.whowhere.com>
Message-ID: <Pine.SUN.3.91.1000315105955.17230V-100000@is>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: djgpp AT delorie DOT com
Errors-To: dj-admin AT delorie DOT com
X-Mailing-List: djgpp AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk


On Wed, 15 Mar 2000, nimrod a. abing wrote:

> I was just curious about this. If the code 
> segment is not writable, it seems to imply some 
> sort of immunity to viruses for DJGPP programs.

The viruses don't attach themselves to the protected-mode code produced 
by DJGPP, they attach themselves to the short DOS stub prepended to DJGPP 
programs.  And since the COFF header follows that short stub, the virus 
has good chances overwriting the COFF magic signature, which will cause 
the startup code refuse to run the infected program.

So the fact that CS is write-protected has no importance here.

> With so many viruses spreading around, does 
> this mean that DJGPP programs are safer from 
> viruses?

The above-mentioned features do allow an early detection of an 
infection.  But more importantly, the viruses have all but abandoned DOS 
programs as their target.  They now concentrate on Windows programs, so 
any DOS program is probably more safe.