Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!csus.edu!ucdavis!iris!lim
From: lim@iris.ucdavis.edu (Lloyd Lim)
Newsgroups: comp.sys.mac.programmer
Subject: Re: Question for THINK C gurus
Message-ID: <8743@ucdavis.ucdavis.edu>
Date: 9 Apr 91 00:07:35 GMT
References: <3142@murtoa.cs.mu.oz.au> <8695@ucdavis.ucdavis.edu>
Sender: usenet@ucdavis.ucdavis.edu
Reply-To: lim@iris.ucdavis.edu (Lloyd Lim)
Organization: U.C. Davis - Department of Electrical Engineering and Computer Science
Lines: 31

In article d88-jwa@byse.nada.kth.se (Jon W{tte) writes:
>In article <8695@ucdavis.ucdavis.edu> lim@iris.ucdavis.edu (Lloyd Lim) writes:
>
>   day. Sometimes it's useful to know when you are running from a project
>   or a built application. If Count1Resources('CODE') is 0, then you're
>   running from a project. I need to know this because my apps checksum
>   themselves after they are first built and then check themselves at
>   subsequent startups for viruses. Obviously, I don't want this to happen
>   when it's a project.
>
>So, of course, the virus just patches _Count1Resources to return 0 for
>CODE (and no, you can't check if it's patched, since there may be
>legitimate patches to it too...)

True, there are other easier ways too - but only if you know MY virus
checking scheme. The strength of such schemes lies not in some standard
but in all of the different ways programmers implement their own virus
checking schemes.

There are a couple very simple ways I could make the above mentioned patch
useless (and no I won't even check if it's patched or patch anything else),
but... I won't tell you what they are. :-)

I was not proposing that you adopt my method - it was only an example of
checking whether you are running from a project. Since we're on the
subject, I do suggest that each programmer implement their own minimal
detection scheme even if it is simple.

+++
Lloyd Lim     Internet: lim@iris.eecs.ucdavis.edu
              America Online: LimUnltd
              Compuserve: 72647,660
              US Mail: 215 Lysle Leach Hall, U.C. Davis, Davis, CA 95616
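
The startup logic described in the post above (skip when running from a project, record a checksum at the first launch of a built application, compare at later launches), as an added example that is not part of the original post and is not Lloyd Lim's code. It is portable C rather than Toolbox code: the `code_count` parameter stands in for the value of `Count1Resources('CODE')`, and the Adler-32 checksum, the `stored_checksum` holder and all function names are assumptions, since the post names no algorithm or storage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { CHECK_SKIPPED, CHECK_RECORDED, CHECK_OK, CHECK_MODIFIED } check_result;

/* Hypothetical holder for the checksum saved at first launch. It is kept
   outside the checksummed bytes so that saving it does not change them. */
typedef struct { int present; uint32_t sum; } stored_checksum;

/* Adler-32 (assumed algorithm; the post does not name one). */
static uint32_t image_checksum(const unsigned char *p, size_t n)
{
    uint32_t a = 1, b = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        a = (a + p[i]) % 65521u;
        b = (b + a) % 65521u;
    }
    return (b << 16) | a;
}

/* code_count models the value of Count1Resources('CODE'): 0 means the
   program runs from a project, so there is no built image to check. */
static check_result startup_self_check(const unsigned char *image, size_t len,
                                       int code_count, stored_checksum *st)
{
    uint32_t now;
    if (code_count == 0)
        return CHECK_SKIPPED;
    now = image_checksum(image, len);
    if (!st->present) {            /* first launch after a build */
        st->sum = now;
        st->present = 1;
        return CHECK_RECORDED;
    }
    return now == st->sum ? CHECK_OK : CHECK_MODIFIED;
}

int main(void)
{
    unsigned char image[] = "constructed sample bytes";   /* not real CODE data */
    stored_checksum st = { 0, 0 };
    printf("%d\n", startup_self_check(image, sizeof image, 2, &st)); /* recorded */
    image[3] ^= 0x20;                                     /* simulate a modified image */
    printf("%d\n", startup_self_check(image, sizeof image, 2, &st)); /* modified */
    printf("%d\n", startup_self_check(image, sizeof image, 0, &st)); /* skipped */
    return 0;
}
```

The last call returns `CHECK_SKIPPED` even though the image no longer matches, which is the dependence on the resource count that the quoted reply points at.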