Documentation for PPECHECK v1.0b written by Codeblaster.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Table of contents:

  1.0 - General info
  1.1 - Parameters
  1.2 - Design and layout
  1.3 - Commands added in PPECHK.EXE
  1.4 - Using PPECHK with an upload processor/Batch files
  1.5 - Logical backdoor (what is it?)
  1.6 - Possible bugs/false warnings
  1.7 - Contacting the author
  1.8 - Some last greetings

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.0 GENERAL INFO
~~~~~~~~~~~~~~~~

It is well known that many PPE authors put some extra commands in their
PPEs that will e.g. give them SYSOP ACCESS, USERS & PASSWORDS etc., and
PCBoards around the world are being hacked using backdoors in PPEs.

PPECHECK was written in Turbo Pascal 7.0 and is designed to find even the
most hidden backdoors, the ones you would almost not spot if you went
through the file line by line yourself. And if you run a board and get lots
of PPEs uploaded every day, you just can't check them all. PPECHECK can
therefore also be used with your upload processor (see 'Using PPECHK with
an upload processor' for more info).

This is just a BETA version, and I would appreciate some feedback if you
find a backdoor that it doesn't detect etc. Although this is a BETA, you're
pretty secure anyway; it has been tested for a while by a PCB hacker.

PPECHK is fast enough for everyone :), on a 486dx33 it checked 7000 lines
in approx. 3-4 secs.

1.1 PARAMETERS
~~~~~~~~~~~~~~

There are only 2 parameters in this beta version of PPECHK:

  -S : Silent mode; will not display anything on the screen.
  -L : Log; will write a log of what it finds (PPECHK.LOG).

1.2 DESIGN AND LAYOUT
~~~~~~~~~~~~~~~~~~~~~

When you run PPECHK.EXE on a PPE that contains commands like the ones
mentioned above, you will see lines popping up on your screen. The lines
have different colours, depending on how dangerous the command is. The line
in bright white (15) tells you which command PPECHK found and where.
The line in ordinary white (07) gives you some info about that command. The
flashing red line (20) will pop up if PPECHK found a backdoor.

So, if PPECHK finds lots of suspicious commands, that doesn't necessarily
mean that the PPE contains a backdoor. Many ordinary PPEs use the suspicious
commands in a useful way, but if they're misused, it could be a backdoor.

1.3 COMMANDS ADDED IN PPECHK.EXE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is a list of PPE commands I've told PPECHECK to search for in this
version of the program:

----------------- COMMANDS THAT WILL BE TAKEN AS BACKDOORS -----------------

  GETALTUSER 1  : To get the sysop's data (why should a PPE get his data?)
  U_SEC=        : Redefinition of the USER's security level.. Backdoor!!

------------- COMMANDS AND SUSPICIOUS ROUTINES THAT ARE NOTICED ------------

  SYSOPSEC()               : Why should a PPE know the SYSOP's security?
  GETALTUSER               : Get another user's stats.
  GETUSER                  : Get current user's stats.
  PUTALTUSER               : Save another user's stats.
  PUTUSER                  : Save current user's stats.
  U_PWD                    : User's password.
  COMMAND + FORMAT/DEL/*.* : > Could be execution of one of the commands,
  SHELL + FORMAT/DEL/*.*   : > but could also be just a sentence containing
                               the words.
  DOWNLOAD + USER*.*       : Can be downloading of USER.DAT or just a
                             sentence.

----------------------------------------------------------------------------

Note that the last commands will not be taken as a backdoor by themselves,
but the commands together, used in a special way (e.g. to list all users
with NAME+PWD+SEC.LVL), will be taken as a backdoor.

1.4 USING IT WITH AN UPLOAD PROCESSOR
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PPECHECK is perfect to use with an upload processor, and if you run PCBOARD
it is even more perfect :)... You can use PPECHK.EXE with e.g. BOOMLAB or
the PCBTEST.BAT that comes with PCBOARD 15.22. An updated version of
PCBTEST.BAT comes with this archive, and you can use that one if you want,
but it is mainly meant as an example to get you started.
PPECHK will automatically find out whether the file you specify is a PPE or
a decompiled PPE (PPD). If it's a PPE, PPECHK will use PPLD.EXE to decompile
it. PPLD.EXE must therefore be located in the current directory.

ERRORLEVELS (feedback from PPECHK.EXE):

-------------------- Clean / Suspicious / Backdoor -------------------------

  1 - No backdoor found.
  2 - Suspicious routine found.
  3 - Backdoor found!!

----------------------- Specific commands found ----------------------------

  4 - "U_SEC =" found (redefinition of the USER's sec.level)
  5 - "GETALTUSER 1" found (get the sysop's data - password etc.)

----------------------------------------------------------------------------

With these errorlevels as feedback from PPECHK you have many options for
what to do if a backdoor is found. You could e.g. do this:

  IF ERRORLEVEL==3 ECHO @USER@ >>C:\PCB\BLACKLST.TXT

This is a bit drastic :) ... heh... (what if it's not a backdoor after all?)
You can also do this:

  IF ERRORLEVEL==3 ECHO @X84PPE CONTAINS A BACKDOOR >>C:\TEMP\FILE_ID.DIZ

and then update the archive's FILE_ID.DIZ with PKZIP. See PCBTEST.BAT if you
want more details.

When you use the "specific commands found" errorlevels, you should know that
all the errorlevels below the errorlevel that is set ON will also be set ON
(IF ERRORLEVEL n is true for any errorlevel of n or higher). So if PPECHK
finds number 7, all errorlevels below will also be ON. That means that if
PPECHK finds number 7 (the execute routine), you can't know whether it also
found number 4 (U_SEC=) earlier in the file.

1.5 LOGICAL BACKDOOR
~~~~~~~~~~~~~~~~~~~~

Some commands, like GETALTUSER, U_PWD, PUTUSER etc., can be used in a
backdoor when they are used together in a specific way.
Since these commands are very commonly used in ordinary PPEs that have no
backdoors, I've just added them as suspicious commands (commands that COULD
be used in a backdoor). Take a look at this example:

  ;----------------------------
  INT X
  :BEGIN
  X = X + 1
  GETALTUSER X
  PRINTLN U_NAME()
  PRINTLN U_PWD
  PRINTLN U_SEC
  PRINTLN "-----NEW-USER-------"
  GOTO BEGIN
  ;----------------------------

This is a backdoor that will show you all users with password and
everything, but it does not contain any of those 100% sure backdoors like
"U_SEC = ", "GETALTUSER 1", "SYSOPSEC()" etc. So what to do?!

I couldn't add these commands as backdoors, since there would be too many
false warnings then, so I've made the 'LOGICAL BACKDOOR'. The logical
backdoor will notice every time a command like this is being used, and if
the commands are used together in a specific way, the logical backdoor will
most likely become 3, which means that there most likely is a backdoor in
the PPE. The logical backdoor can be from 1 - 3.

1.6 POSSIBLE BUGS/FALSE WARNINGS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are some commands that will be taken as a backdoor but that some
ordinary backdoor-free PPEs use. E.g. if a PPE shall blacklist a person and
set his security level to 0:

  U_SEC = VAR001      ;(VAR001 = 0)

This will be taken as a backdoor, as it is a redefinition of the USER's
security and VAR001 could just as well be SYSOPSEC(). There's only one way
to get rid of these bugs/false warnings, and that is by saving all
variables in a PPE into variables in the program. This will most likely be
done in a later version of PPECHECK.

1.7 CONTACTING THE AUTHOR
~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to contact me for any reason (feedback, error reports,
questions, suggestions etc.) you can either e-mail me at:

  BJORNBO@ASKOY.VGS.NO

or leave a message for me on some board in Norway, under Codeblaster.
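Worked example, added here and not part of PPECHECK or this archive: a small Python scanner that applies the rules of sections 1.3 to 1.6 to the decompiled listing from section 1.5, and maps the result onto the errorlevels of section 1.4. The regexes, the 1-3 logical-backdoor scoring and the SAMPLE_PPD text are my own assumptions about how the heuristic could work, not PPECHK's code.

```python
import re

# Constructed sample of decompiled PPE (PPD) source, modelled on the
# logical-backdoor listing in section 1.5.  Not a real PPE file.
SAMPLE_PPD = """INT X
:BEGIN
X = X + 1
GETALTUSER X
PRINTLN U_NAME()
PRINTLN U_PWD
PRINTLN U_SEC
PRINTLN "-----NEW-USER-------"
GOTO BEGIN
"""

# Section 1.3: the two "100% sure" backdoors with the errorlevel (1.4) each
# sets, and the commands that are only noticed (errorlevel 2 at most).
BACKDOOR_LEVELS = {r"\bU_SEC\s*=": 4, r"\bGETALTUSER\s+1\b": 5}
SUSPICIOUS = [r"\bSYSOPSEC\s*\(", r"\bGETALTUSER\b", r"\bGETUSER\b",
              r"\bPUTALTUSER\b", r"\bPUTUSER\b", r"\bU_PWD\b"]


def scan(ppd_text):
    """Return (errorlevel 1-5 as in section 1.4, logical score 1-3, findings)."""
    findings, level, logical = [], 1, 1
    labels, altuser_var_seen = set(), False
    for no, raw in enumerate(ppd_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip().upper()     # drop PPL comments
        for pat, lvl in BACKDOOR_LEVELS.items():
            if re.search(pat, line):
                findings.append((no, "BACKDOOR", line))
                level = max(level, lvl)
        for pat in SUSPICIOUS:
            if re.search(pat, line):
                findings.append((no, "SUSPICIOUS", line))
                level = max(level, 2)
        # Logical backdoor heuristic (assumed): GETALTUSER with a variable
        # argument, then U_PWD/U_SEC read back, inside a GOTO loop -> 3.
        if line.startswith(":"):
            labels.add(line[1:].strip())
        elif re.fullmatch(r"GETALTUSER\s+[A-Z_]\w*", line):
            altuser_var_seen = True
        elif altuser_var_seen and logical < 2 and re.search(r"\bU_(PWD|SEC)\b", line):
            logical = 2
        elif logical == 2 and re.fullmatch(r"GOTO\s+\w+", line):
            if line.split()[1] in labels:       # backward jump = loop over users
                logical = 3
    if logical == 3:
        level = max(level, 3)
    return level, logical, findings
```

Run scan() over the text of a PPD produced by PPLD.EXE; the first value is what a batch file would see as the errorlevel, and the 1.6 false-warning case (U_SEC = VAR001) still comes out as errorlevel 4, exactly as the text describes.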
1.8 SOME LAST GREETINGS
~~~~~~~~~~~~~~~~~~~~~~~

I would like to greet/thank the following persons:

  *TNSe        - For helping me out sometimes
  *DARKTROOPER - 4 being patient
  *RIPPERJACK  - Kewl dewde!
  *BRAINDEAD   - 4 being kewl!
  *PSYCH0      - Belgian scene rewle! :)
  *CYBERNETIC  - Hacking 800's!
  *POSEIDON    - For having such a dork name :)