echo: os2prog
to: Robert King
from: David Noon
date: 1994-12-30 00:00:02
subject: Sub-cellular life forms

On Wednesday, 12-28-1994  Robert King wrote to David Noon about
"Sub-cellular life forms" as follows:

RK> LINK386.EXE isn't designed to perform writes on an open file. 

It has nothing to do with "design". LINK386.EXE uses DosOpen(),
DosWrite(), etc., just like any other normal program attempting to
write to disk. It is locked out by the DosOpen() request that the OS/2
loader issues (the OPEN_SHARE_DENYWRITE flag); this request locks out
all attempts to write to the .EXE file being run. I simply cited
LINK386.EXE as an example of this locking mechanism in action.

An .EXE file is locked, by the file system, from all updates when it
is loaded; it is not released until the program terminates. Since OS/2
doesn't permit port I/O in ring 3, the file system cannot be bypassed
and so the program cannot modify itself, nor can any other program
modify it while it is running.

RK> DN> I suppose "page descriptor table" means nothing also. Such concepts do
RK> DN> tend to limit the memory access of ring 3 (normal program)
RK> DN> applications. Getting into ring 0 (operating system) privileges is
RK> DN> impossible without being booted as a device driver or the kernel and
RK> DN> having ring 0 privileges established at boot time. All ring 3 access
RK> DN> to ring 0 functions is done by API calls that have ring transitions
RK> DN> established when the system is booted, or inherited from such.
RK> 
RK>  You sure don't know much about programming device drivers..

Well, a freshly downloaded virus cannot just up and say "I'm a device
driver. Let me run in ring 0." Nor can any other program under OS/2,
especially a DOS program running in a VDM. Device drivers are only
established during bootstrap.

Your post, to which I replied, stated that viruses perform port I/O
from inside a VDM. Programs in a VDM run in ring 3 and so are not
capable of port I/O. Any driver in the DOS_DEVICE list for the VDM is
locked while the VDM is active, plus its code segment's area of memory
is usually read-only and is not addressable from within the VDM (i.e.
the "in-core" copy cannot be modified either). If the VDM is shut down
to release the driver, the virus dies with its host.

I will admit that my knowledge of programming device drivers is not
"of the same magnitude" as yours.

RK> DN> Actually, the hardware itself prevents this. There is a flag bit
RK> DN> called I/O Privilege Level that can only be set at ring 0 (when the
[Text deleted]

RK>  Toggling IOPL isn't exactly difficult...

Perhaps you'd like to tell us how you would go about that from inside
a VDM. Remember that the descriptor tables are not even addressable
from within the VDM, let alone modifiable.

RK> DN> virus scanner is no better than its signature file. Incidentally, the
RK> DN> plural of "virus" is "viruses".
RK> 
RK> Clearly you don't speak latin, virus, virusi....

Now the off-topic stuff:

1. Names of national languages (even extinct ones) are proper nouns
and as such should begin with a capital letter; thus, it is "Latin",
not "latin".

2. The rule-of-thumb for forming Latin plurals is to change the "us"
ending to "i", not to append an "i". Applying this r-o-t would make
"virus" into "viri".

3. We are discussing the real topic in English, so the r-o-t is not
applicable.

Regards

Dave

 * KWQ/2 1.2i * Pardon me, do you have any grey poop on?
--- Maximus/2 2.02
* Origin: OS/2 Shareware BBS, Fairfax, VA: 703-385-4325 (1:109/347)

SOURCE: echomail via fidonet.ozzmosis.com
