Hi,

Here is an outline of Slayer's SWI Interface.  The interface does have holes,
for example not all of the SWIs have been implemented, and some have limited
functional value in more recent versions of Slayer.  If you want a SWI added,
or you want me to make use of Slayer's message block (it was planned to be
used so you could start multiple scans in different processes (or even in the
future threads, in the same way the Filer Action Window operates)) then ask;
it should be simple to add.

I've also included some BASIC programs that demonstrate how to use the SWI
interface, and how to call the various engines in their plug-in form.

Some general terms used in these documents;
  VDEngine; Virus Detection Engine.  The bit of code that actually identifies
            viruses.
            
  VREngine; Virus Removal Engine.  The bit of code that removes/deletes
            viruses from disc.
            
  FPEngine; Finger Print Engine.  The bit of code that generates values for
            files, to aid detection of modifications.
            
  Parasite; A virus that attaches itself onto another file, such as
            the 'Module' virus.
  
  Companion; A virus which exists in a separate file from the infected
             program.  The virus then tends to edit the !Boot file of the
             application to run the virus when the filer boots it.
             The 'Icon' virus is the most common example.
             
  SlayerScript; Slayer's scripting language which is interpreted by the
                front end.  It is simple by design, not because I can't
                be bothered to extend its functionality. :)
  
  Certification CRC; a value calculated when the plug-ins are assembled to
                     make sure that they are real plug-ins, not Trojans.
                     Slayer will not run if this is not correct.


-----------------------------------------------------------------------------
Slayer_Info                                                         (0x51c80)

 Returns various information about Slayer.
 
 <-  r0        Slayer version * 100 (for example, 52 = 0.52)
     r1        VDEngine version * 100
     r2        VREngine version * 100
     r3        Pointer to FPEngine description
     r4        Number of strains known to the VDEngine
     
     All other registers preserved.

-----------------------------------------------------------------------------
Slayer_VirusNumberToName                                            (0x51c81)

 Converts a VDEngine virus ID number to a virus name.
 
 ->  r0        Flags (0-31 reserved)
     r1        Virus ID
     
 <-  r0        Pointer to virus name.
               This is a pointer inside the VDEngine, which is present in the
               RMA for as long as Slayer is running.  You can write over this
               string (with one of either the same length, or less) and it will
               affect the naming for all applications using the SWI interface
               including Slayer itself.
               
     All other registers preserved.

-----------------------------------------------------------------------------
Slayer_StartScan                                                    (0x51c82)

  Adds a path to the todo list.  It will be scanned when all other scans in
  the queue have been completed.  You must call Wimp_Poll after each, so 
  Slayer can take notice, and update its todo list.  The scan is carried out
  by the front end itself, not the module; so you will have to multitask
  while the scan is carried out.
  
  You must also supply a codeword, so other tasks (and possibly viruses)
  cannot stop the scan, or remove the path from the todo list using other SWIs.
  
  ->  r0       Scan flags (see section at bottom for flag values)
      r1       Pointer to path to add to todo list.
      r2       Codeword to stop scan, or remove it from the todo list.
      
      All other registers preserved.
      
-----------------------------------------------------------------------------
Slayer_StopScan                                                     (0x51c83)

  Stops the scan if it is currently in progress, or removes one from the
  todo list.
  
  -> r0        Flags (0-31 reserved)
     r1        Pointer to path to stop or remove
     r2        Codeword specified in the call to Slayer_StartScan
     
     All other registers preserved.
     
     r1 is currently /not/ checked as Slayer only scans one location at a time
     
-----------------------------------------------------------------------------
Slayer_ScanFile                                                     (0x51c84)
     
  Scans a file for viruses, and returns a VDEngine virus ID (or 0 for none).
  You should note that this call scans /files/.  If it is used on an image
  file, it will treat it as a file, not a directory.  If you want to scan an
  image, use Slayer_StartScan, or use OS_GBPB to enumerate the contents of
  the image, and scan each one separately.
  
  -> r0        Flags (0-31 reserved)
     r1        Pointer to filename
     
  <- r0        Virus ID, or 0 for no infection
  
     All other registers preserved, including r1.
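
  The per-file approach described above, as an added example that is not one
  of the BASIC programs supplied with Slayer: it enumerates a directory or
  image with OS_GBPB 10, calls Slayer_ScanFile on each file, and looks up the
  name of any hit.  The path in dir$ is a constructed sample, and the
  zero-terminated name string is an assumption.

```bbcbasic
REM Added example, not one of the BASIC programs supplied with Slayer.
REM Walks one directory or image with OS_GBPB 10 and passes each file to
REM Slayer_ScanFile, as suggested above for images.
REM Assumptions: Slayer is running; dir$ is a constructed sample path;
REM the virus name string is zero-terminated.
xbit%     = &20000 : REM X form: errors are returned, not raised
swi_name% = &51C81 : REM Slayer_VirusNumberToName
swi_scan% = &51C84 : REM Slayer_ScanFile
dir$ = "ADFS::0.$.Suspect"
DIM buf% 255
found% = 0
next% = 0
REPEAT
  REM Read one catalogue entry: 5 words of file information, then the name
  SYS "OS_GBPB", 10, dir$, buf%, 1, next%, 256, 0 TO ,,, read%, next%
  IF read% = 1 THEN
    leaf$ = FNstring0(buf% + 20)
    IF buf%!16 = 1 THEN found% += FNscan(dir$ + "." + leaf$)
  ENDIF
UNTIL next% = -1
PRINT ;found%; " infected file(s) found"
END

DEF FNscan(file$)
LOCAL id%, flags%, name$
SYS xbit% + swi_scan%, 0, file$ TO id% ;flags%
IF flags% AND 1 THEN PRINT file$; ": scan failed" : =0
IF id% = 0 THEN =0
REM SYS copies the string into name$; the engine's own copy in the RMA
REM is shared by every client, so it is only ever read here.
SYS xbit% + swi_name%, 0, id% TO name$ ;flags%
IF flags% AND 1 THEN name$ = "(unknown ID)"
PRINT file$; ": "; name$; " (ID "; id%; ")"
=1

DEF FNstring0(ptr%)
LOCAL s$
WHILE ?ptr% <> 0
  s$ += CHR$(?ptr%)
  ptr% += 1
ENDWHILE
=s$
```

  Only objects of type 1 (files) are scanned; sub-directories and nested
  images are skipped rather than followed.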

-----------------------------------------------------------------------------
Slayer_CureFile                                                     (0x51c85)

  Removes the infection from a file, or deletes the file if it is not
  parasitic.  Please note that this SWI doesn't repair !Boot files.
  
  -> r0        Flags (0-31 reserved)
     r1        Pointer to filename
     r2        Virus ID as returned by Slayer_ScanFile	
     
     All other registers preserved.
     
     There is no actual reason why the Virus ID needs to be passed into this
     SWI per se, as if necessary it could be worked out again, but it is
     quicker if the ID is passed in, and for use in Slayer the ID is known
     anyway.  Let us know if you want it to calculate the Virus ID itself.
     
-----------------------------------------------------------------------------
Slayer_ExecuteScript                                                (0x51c86)
      
  This executes a SlayerScript.  You should note that scripts are interpreted
  by the frontend, not by the module; so you will have to poll for the
  script to be executed.  Slayer will only call Wimp_Poll while scanning or
  waiting for a response from the user when a script is executing.
  
  I think it is possible to execute multiple scripts while another is running.
  I can't see any reason why it wouldn't, but I haven't tried it, and I can't
  think of any reason why you should.
  
  One final note: if scripts are disabled in the options, the script will not
  be executed, and you will /not/ be informed.  If you would like this to be
  changed (so the SWI returns an error) please tell me.  (It shouldn't be
  difficult to do.)
  
  -> r0        Flags (0-31 reserved)
     r1        Pointer to filename of script to execute
     
     All other registers preserved.
     
-----------------------------------------------------------------------------
Slayer_CRCFile                                                      (0x51c87)

  Uses the currently installed FPEngine to obtain the CRC (or other value
  which the FPEngine creates) from the given filename.  You should be careful
  to check which FPEngine is installed (by using Slayer_Info, described
  above) because different FPEngines will return different values.  For
  example, one FPEngine generates a 32-bit CRC over the whole file, another
  only over the first and last 256 bytes (which is the default) and a final
  one returns only the size of the file.
  
  -> r0        Flags (0-31 reserved)
     r1        Pointer to filename
  
  <- r0        Value returned from FPEngine
  
     All other registers preserved.
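
  The FPEngine check described above, as an added example that is not one of
  the BASIC programs supplied with Slayer: a stored fingerprint is compared
  only when the installed FPEngine description matches the one recorded with
  it.  The path and both baseline values are constructed samples, and the
  zero-terminated description string is an assumption.

```bbcbasic
REM Added example, not one of the BASIC programs supplied with Slayer.
REM Compares a file against a stored fingerprint, but only when the
REM installed FPEngine is the one that produced the stored value.
REM Assumptions: Slayer is running; file$ and both base_ values are
REM constructed samples; the description string is zero-terminated.
xbit%     = &20000 : REM X form: errors are returned, not raised
swi_info% = &51C80 : REM Slayer_Info
swi_crc%  = &51C87 : REM Slayer_CRCFile
file$        = "ADFS::4.$.Apps.!Sample.!RunImage"
base_engine$ = "512-CRC v2"
base_value%  = &1234ABCD
CASE FNcheck(file$, base_engine$, base_value%) OF
  WHEN 0 : PRINT file$; ": unchanged"
  WHEN 1 : PRINT file$; ": MODIFIED since the baseline was taken"
  WHEN 2 : PRINT "Baseline was made by a different FPEngine; take a new one"
  OTHERWISE PRINT "Slayer did not answer; is it running?"
ENDCASE
END

REM Returns 0 = match, 1 = mismatch, 2 = not comparable, 3 = SWI error
DEF FNcheck(f$, engine$, value%)
LOCAL ver%, now$, now%, flags%
REM Probe with integer results only, so nothing is dereferenced on error
SYS xbit% + swi_info% TO ver% ;flags%
IF flags% AND 1 THEN =3
REM r3 is the pointer to the FPEngine description; SYS copies the string
SYS swi_info% TO ,,, now$
IF now$ <> engine$ THEN =2
SYS xbit% + swi_crc%, 0, f$ TO now% ;flags%
IF flags% AND 1 THEN =3
IF now% = value% THEN =0
=1
```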

-----------------------------------------------------------------------------
Slayer_ScanMemory                                                   (0x51c88)
     
  Scans the memory for viruses using the MSEngine, and returns non-zero if
  a virus is present.
  
  -> r0        Flags (0-31 reserved)
  
  <- r0        Non-zero if a virus is present in memory.
  
     All other registers preserved.
     
     Currently this is disabled as we have had problems with it.  I'm fairly
     sure I know how to fix it, but I can't think of any reason ATM for it to
     be used, so it has a low priority.

-----------------------------------------------------------------------------
Slayer_Authorise                                                    (0x51c89)

  This SWI is not currently implemented, and should not be called.
  It would be used for authorising (ADFS floppy) discs.
  
-----------------------------------------------------------------------------
Slayer_ProtectFile                                                  (0x51c8a)

  This SWI is not currently implemented, and should not be called.
  It would be used to protect a file from deletion etc.

-----------------------------------------------------------------------------
Slayer_UnprotectFile                                                (0x51c8b)

  This SWI is not currently implemented, and should not be called.

-----------------------------------------------------------------------------
Scanning Flags (for use with various SWI Calls)

  Bit    Meaning

   0     Faster (updates window less often)
   1     Confirm
   2     Dismount floppy discs after scan
   3     Heuristically scan !Boot and !Run files
   4     Scan ArcFS images
   5     Scan XFiles images
   6     Scan PC Partitions
   7     Auto-mount and scan raFS discs
   8     Remove viruses
   9     Single tasking scan

  10-31  Reserved (must be zero)
  
-----------------------------------------------------------------------------
Plug-in Formats

  All of Slayer's plug-ins follow a similar format.  They contain code, which
  starts at offset 0, so it can just be loaded and called simply.  Plug-in
  information is stored at the base of the plug-in.
  
  * VDEngine
  
    * 1 Word; pointer to copyright string
    * 1 Word; pointer to start of the virus ID/name table
    * 1 Word; VDEngine version * 100
    * 2 Words; Contains a 5 byte UTC timestamp, and reserved flags
    * 1 Word; Virus families known
    * 1 Word; Virus strains known
    * 1 Word; Reserved word
    * 1 Word; Certification CRC
    * 1 Word; 0x59414c53 'SLAY'
    
  * VREngine
    
    * 1 Word; pointer to copyright string
    * 1 Word; VREngine version * 100
    * 2 Words; Contains a 5 byte UTC timestamp, and reserved flags
    * 1 Word; Virus families known
    * 1 Word; Reserved word
    * 1 Word; Certification CRC
    * 1 Word; 0x59414c53 'SLAY'
    
  * MSEngine
    
    * 1 Word; pointer to copyright string
    * 2 Words; Contains a 5 byte UTC timestamp, and reserved flags
    * 1 Word; number of virus strains known
    * 1 Word; Reserved word
    * 1 Word; MSEngine version * 100
    * 1 Word; Certification CRC
    * 1 Word; 0x59414c53 'SLAY'
    
  * FPEngine
  
    * 1 Word; pointer to copyright string
    * 2 Words; Contains a 5 byte UTC timestamp, and reserved flags
    * 1 Word; pointer to type of finger print (eg '512-CRC v2')
    * 1 Word; Certification CRC
    * 1 Word; 0x59414c53 'SLAY'
    
-----------------------------------------------------------------------------
Virus IDs used to date

  0    No Virus
  1    EICAR (now deprecated)
  2    Extend
  3    Module
  4    Icon
  5    DataDQM
  6    DieHard
  7    IRQFix
  8    NetStatus
  9    BBCEconet
 10    Vandamme
 11    Breakfast
 12    MonitorDAT
 13    Thunder
 14    Jester
 15    Simple
 16    BigFoot
 17    Nitemare
 18    Link
 19    Archie
 20    HoneyMonster
 21    Millenium
 22    SatanI
 23    HTMLPrep
 24    SBrew
 25    HTMLJava
 26    HTMLWorm
 27    BRB
 28    SystemUtils (parasite)
 29    SystemUtils (companion)
 30    MyMod
 
More Virus IDs may be added as more virus families are discovered / added.
EICAR is a PC anti-virus utility test file. We have currently removed detection
for it, as it is not even executable under RISC OS, much less a virus.
