Thunderbyte Residency Test

Vlad [3]
February 1995

As you may or may not know, the Thunderbyte resident av utilities hook themselves to the device driver chain using the following device names: TBDRVXXX, TBFILXXX, TBDSKXXX, TBMEMXXX, TBCHKXXX and TBLOGXXX. Now, by doing trial handle opens you can detect if those devices do or do not exist et voila, you have a method for testing residency. TBAV itself scans the actual device driver chain for the TB???XXX devices which is unlike this method, pretty much impossible to confuse, but also undocumented and thus it's not guaranteed to work under future versions of DOS! Yes, Frans Veldman calls vile and unsafe functions in his battle against replicating codefragments.

Added note: Just recently I was looking at the EMM virus written by the author of the OneHalf family and found that it traces the device chain to detect thunderbyte residency. This means that this kind of detection isn't exactly new. Oh well, what the heck.

                .model tiny


                org 100h

                mov ah, 09
                mov dx, offset startmsg
                int 21h
                mov cx,6
                mov dx, offset tbdrvxxx
                mov ah,09
                int 21h
                mov ax, 3d00h
                add dx,9
                int 21h
                push dx
                mov dx, offset not_resident
                jc dont_add
                add dx, (resident-not_resident)
                mov bh,3eh
                xchg ax,bx
                int 21h
                mov ah, 09
                int 21h
                pop dx
                add dx,9
                loop detect_loop
                int 20h
startmsg        db 'Thunderbyte Residency Test by Rhincewind [Vlad]'
                db 0dh,0ah,0dh,0ah,'$'
tbdrvxxx        db 'TbDriver$'
                db 'TBDRVXXX',0
tbfilxxx        db 'TbFile$',0,0
                db 'TBFILXXX',0
tbdskxxx        db 'TbDisk$',0,0
                db 'TBDSKXXX',0
tbmemxxx        db 'TbMem$',0,0,0
                db 'TBMEMXXX',0
tbchkxxx        db 'TbCheck$',0
                db 'TBCHKXXX',0
tblogxxx        db 'TbLog$',0,0,0
                db 'TBLOGXXX',0
not_resident    db ' - Not Resident',0dh,0ah,'$'
resident        db ' - Resident',0dh,0ah,'$'

                end start
