TW446872B - Detection method of boot-up virus - Google Patents

Detection method of boot-up virus

Info

Publication number
TW446872B
Authority
TW
Taiwan
Prior art keywords
address
register
hard disk
boot
debug
Prior art date
Application number
TW88114587A
Other languages
Chinese (zh)
Inventor
Jiun-Nan Tsai
Original Assignee
Mitac Int Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mitac Int Corp
Priority to TW88114587A
Application granted
Publication of TW446872B

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

A method of detecting boot-type viruses is provided. First, predefined parameters are set in the relevant registers of the computer system: the debugging extension bit is set, the address of the hard disk's status/command register is loaded into a breakpoint register, and the debug control register is set so that the CPU raises an interrupt when it executes an I/O operation, together with the bit-length setting. When a debug condition occurs, it is first determined whether the corresponding breakpoint condition in the debug status register is set. Next, it is determined whether the instruction currently executing is an output instruction that performs a data transfer. Then, it is determined whether the address data (the directly addressed I/O port or the indirectly addressed register) is an address for writing data to the hard disk. Finally, it is determined whether the I/O port address is exactly the address of the hard disk's boot sector. If so, a warning is immediately issued to alert the user that the computer may be infected with a boot-type virus.

Description

V. Description of the Invention

1. Field of the invention:
The present invention relates to a method of detecting computer viruses, and in particular to a method of detecting boot-type computer viruses.

2. Background:
Each type of computer virus has its own form and propagation path, and each causes a different degree of damage to a computer system. A typical boot-type virus infects the boot sector of a hard disk in a computer system and uses that area as its medium of propagation.

Many methods of detecting computer viruses have been proposed. For example, when a program is about to be executed in the computer, a self-test is first performed to determine whether the program has been modified; if its code has been modified, the program may have been infected by a computer virus. Another method uses a checksum: before the program is executed, its checksum is verified to determine whether the program has been modified.

Although the above detection methods are effective to some degree, they presuppose that the computer system has completed its normal start-up sequence before the detection function can run at all. These detection methods are therefore not applicable to some boot-type viruses.

In the case of a boot-type virus, the virus program resides in the boot sector of a bootable data storage device (for example a hard disk). When the computer system is started from a hard disk infected with a boot-type virus, the virus program is loaded into system memory and performs its virus function.

Most boot-type viruses, once loaded ahead of the normal start-up program, intercept the disk-access interrupt (INT 13h) by changing its interrupt vector to point to the virus program, so that the virus is reactivated every time the computer is started and continues to infect and spread through the system. [The remainder of this passage is illegible in the source scan.] Such a virus poses a great threat to the security of the computer system.

Summary of the invention:
Accordingly, the main object of the present invention is to provide a method of detecting boot-type viruses which, whenever it detects an attempt to write to the boot sector of the computer system's hard disk, issues a warning so that the user is alerted in time that the computer may be infected with a boot-type virus.

Another object of the present invention is to provide a method of early detection of boot-type viruses which performs the detection directly with the relevant control register, breakpoint registers, debug control register and debug status register of the central processing unit.

To achieve the above objects, first the debug extension bit is set in a control register of the central processor; the address of the hard disk status/command register of the hard disk connected to the computer system is set in a breakpoint register of the central processor; in the debug control register, the central processor is set to generate an interrupt when it executes an I/O interface operation, and the bit-length value is set; it is determined whether a debug condition has occurred; it is determined whether the corresponding breakpoint condition in the debug status register of the central processor is set; it is determined whether the instruction currently executed by the central processor is an output instruction performing a data transfer; it is determined whether the address data in the central processor (I/O port address directly addressed, or register indirectly addressed) is an address for writing data to the hard disk; it is determined whether the I/O port address is exactly the address of the hard disk's boot sector, and if so a warning is issued to alert the user that the computer may be infected with a boot-type virus.

Other objects of the present invention and further details of its virus detection method are explained by the following preferred embodiment and the accompanying drawings, in which:

(1) Brief description of the drawings:
Figure 1 is a simplified diagram of the connections among the central processing unit, the I/O interface, the hard disk and the memory in a typical personal computer system;
Figure 2 is a diagram of the relevant internal registers of a Pentium-class central processor;
Figure 3 is a flow chart of the virus detection method of the present invention.

(2) Reference numerals:
1 central processing unit
21 address bus

22 data bus
23 control bus
3 I/O interface
4 hard disk
5 memory
10 general-purpose registers
11 segment registers
12 status and instruction registers
13 control register group
14 debug register group
CR0-CR4 control registers
DR0-DR3 breakpoint registers
DR6 debug status register
DR7 debug control register

Description of the preferred embodiment:

Figure 1 is a simplified connection diagram of the central processing unit 1, the I/O interface 3, the hard disk 4 and the memory 5 in a typical personal computer system. The central processing unit 1 is connected to the hard disk 4 through the system bus and the I/O interface 3, and to the memory 5 through the system bus. The system bus comprises the address bus 21, the data bus 22 and the control bus 23.

In the following embodiment, an Intel Pentium-class central processor is used as the preferred embodiment, and the hard disk 4 is connected to the central processor 1 through an IDE interface.

Referring to Figure 2, the registers inside a typical Pentium-class central processor can be roughly divided by function into the general-purpose registers 10 (General Purpose Registers), the segment registers 11 (Segment Registers) and the status and instruction registers 12 (Status and Instruction Registers). The general-purpose registers 10 are generally used to process byte data; the segment registers 11 determine the base address of a memory address segment; and the status and instruction registers 12 specify the instruction to be executed and indicate the result state after the instruction has executed.

In addition, the Pentium-class central processor contains other system registers. Among these, the registers relevant to the virus detection method of the present invention are the control register group 13 and the debug register group 14.

The control register group 13 comprises several control registers CR0 to CR4. In the bit definition of control register CR4 there are bits 0 through 6, of which bit 3 is the enable bit for the debugging extension function: when this bit is set to 1, the I/O breakpoint debugging extension is enabled; when it is set to 0, the I/O breakpoint debugging extension is disabled.

The debug register group 14 comprises several registers DR0 to DR7. DR0 to DR3 serve as breakpoint registers, each holding a linear breakpoint address. DR6 serves as the debug status register and holds the status of the breakpoint registers DR0 to DR3. DR7 is the debug control register (Debug Control Register) and controls the operation of the breakpoint registers DR0 to DR3.

Each of the breakpoint registers DR0 to DR3 has its own control bits in the debug control register DR7.

For example, the value of LEN determines the access length at the breakpoint address: LEN = 00, byte; LEN = 01, word; LEN = 11, doubleword. The value of R/W determines the cause of a breakpoint at the breakpoint address: R/W = 00, instruction execution; R/W = 01, data write; R/W = 11, data read or write.

The virus detection method of the present invention is described in detail below with reference to the internal register architecture of the central processor shown in Figure 2 and the control flow chart shown in Figure 3.

After the system has started, the present invention first, in step 101, sets the debug extension bit (Debug Extension) in the control register CR4 of the central processor. In this step, bit 3 of control register CR4 is set to 1 to enable the I/O breakpoint debugging extension.

Then the hexadecimal values 1F7h and 177h are set in any two of the breakpoint registers DR0-DR3 of the central processor (step 102). The value 1F7h is the address of the status/command register of the first hard disk connected to the computer system, and the value 177h is the address of the status/command register of the second hard disk.

In step 103, the value 10 is set in the corresponding R/W bits (read/write control bits) of the debug control register DR7 of the central processor, which means that the central processor will raise an interrupt when it executes an I/O operation. Also in this step, the value 00 is set in the corresponding LEN bits (length bits) of the debug control register DR7, representing a length of one byte.

After the above register settings are complete, step 104 is executed, which determines whether a debug exception (Debug Exception) has occurred. If not, the test loops; if so, the next step 105 is executed to examine the state of the debug status register DR6 of the central processor, which holds the status of the breakpoint registers DR0-DR3.

In step 105, it is determined whether the corresponding breakpoint condition (Breakpoint Condition) in the debug status register DR6 of the central processor is set. If not, return to step 104; if so, proceed to step 106.

In step 106, it is determined whether the instruction currently executed by the central processor is an assembly-language output instruction that performs a data transfer (OUT or OUTS). If not, return to step 104; if so, proceed to step 107. The output instruction OUT is a simple I/O interface instruction in assembly language that performs a simple data transfer to an I/O port; the data passes through a general-purpose register of the central processor (for 8-bit data, register AL). The output instruction OUTS is a string I/O instruction that outputs the memory byte data specified by the segment register DS and the index register SI of the central processor to the I/O port specified by register DX.

In step 107, it is further determined whether the data in register AL of the general-purpose registers 10, or at the address DS:SI (I/O port address directly addressed or register indirectly addressed), is CAh, CBh, 30h, 31h or C5h. If the value is not one of these predetermined values, return to step 104; if it is one of them, proceed to step 108.

The values CAh and CBh denote writing data to a DMA channel, 30h and 31h denote writing data to a sector, and C5h denotes writing data to several sectors.

If the preceding steps show that data is being written to DMA or to a sector, a virus program may be in the act of writing its virus code. At this point, in step 108, it is finally determined whether the sector address held in I/O ports 1F3h-1F6h (or 173h-176h) is exactly the boot sector of the hard disk. If so, a virus program may be writing virus code to the hard disk's boot sector, and the computer system issues a warning (step 109) to alert the user.

Through the above virus detection method, using the control register, breakpoint registers, debug control register and debug status register of the central processing unit, the present invention can detect at an early stage any virus that attempts to write to the boot sector of the computer system's hard disk. Once such a boot-type virus is detected, a warning is issued to alert the user in time that the computer may be infected with a boot-type virus. In practice, the method of the present invention may perform its virus detection in the computer system as control software, or it may be stored in the system firmware (Firmware) of a personal computer to provide a real-time virus detection function.

In summary, the boot-type virus detection method provided by the present invention has high industrial value and achieves the expected effect, and no identical or similar technique has previously been disclosed; it therefore meets the requirements for a patent, and an application for an invention patent is filed accordingly.
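The decision procedure of steps 101 to 109, modelled as an added C example (not code from the patent). It encodes the DR7 and CR4 values the description gives and evaluates steps 105 to 108 over a constructed snapshot of the state a debug-exception handler would see; the OUT/OUTS opcode bytes, the DR7 field positions, and the reading of ports 1F3h to 1F6h as sector number, cylinder low/high and drive/head (boot sector = CHS 0/0/1 or LBA 0) are taken from the Intel and ATA register definitions, not from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the patent's boot-sector write check (steps 101-109), run in user
 * space on constructed snapshots. A real implementation would execute inside
 * the debug-exception (INT 1) handler with access to the live registers. */

#define CR4_DE        (1u << 3)  /* CR4 bit 3: debugging extensions (I/O breakpoints) */
#define ATA_PRI_CMD   0x1F7u     /* status/command register, first disk (1F7h) */
#define ATA_SEC_CMD   0x177u     /* status/command register, second disk (177h) */

/* DR7 field values used by the method (Intel SDM encoding). */
#define DR7_RW_IO     0x2u       /* R/W = 10b: break on I/O read or write */
#define DR7_LEN_BYTE  0x0u       /* LEN = 00b: one byte */

/* Step 103: program breakpoint n (0-3) in DR7 as a one-byte I/O breakpoint.
 * Ln is bit 2n; R/Wn is bits 16+4n..17+4n; LENn is bits 18+4n..19+4n. */
static uint32_t dr7_io_breakpoint(uint32_t dr7, unsigned n)
{
    dr7 |= 1u << (2 * n);                        /* local enable */
    dr7 &= ~(0xFu << (16 + 4 * n));              /* clear R/Wn and LENn */
    dr7 |= (DR7_RW_IO | (DR7_LEN_BYTE << 2)) << (16 + 4 * n);
    return dr7;
}

/* State visible when the breakpoint fires (constructed for this example). */
struct db_snapshot {
    uint32_t dr6;        /* B0..B3 (bits 0-3) identify the breakpoint that hit */
    uint8_t  opcode;     /* first opcode byte of the faulting instruction */
    uint16_t port;       /* I/O port addressed by the instruction */
    uint8_t  data;       /* byte written: AL for OUT, DS:[SI] for OUTS */
    uint8_t  sector;     /* latched 1F3h / 173h: sector number */
    uint8_t  cyl_lo;     /* latched 1F4h / 174h: cylinder low */
    uint8_t  cyl_hi;     /* latched 1F5h / 175h: cylinder high */
    uint8_t  drive_head; /* latched 1F6h / 176h: drive/head, bit 6 = LBA mode */
};

/* Step 106: OUT imm8,AL (E6h), OUT DX,AL (EEh) or OUTSB (6Eh). */
static bool is_out_instruction(uint8_t opcode)
{
    return opcode == 0xE6 || opcode == 0xEE || opcode == 0x6E;
}

/* Step 107: command bytes the patent treats as writes to the disk. */
static bool is_disk_write_command(uint8_t cmd)
{
    return cmd == 0xCA || cmd == 0xCB ||  /* write via DMA */
           cmd == 0x30 || cmd == 0x31 ||  /* write sector(s) */
           cmd == 0xC5;                   /* write multiple sectors */
}

/* Step 108: do the latched address registers name the boot sector?
 * CHS cylinder 0 / head 0 / sector 1, or LBA block 0 (ATA layout, assumed). */
static bool addresses_boot_sector(const struct db_snapshot *s)
{
    if (s->drive_head & 0x40) {
        uint32_t lba = ((uint32_t)(s->drive_head & 0x0F) << 24) |
                       ((uint32_t)s->cyl_hi << 16) |
                       ((uint32_t)s->cyl_lo << 8) | s->sector;
        return lba == 0;
    }
    return s->cyl_hi == 0 && s->cyl_lo == 0 &&
           (s->drive_head & 0x0F) == 0 && s->sector == 1;
}

/* Steps 105-108 in order; true means step 109 (warn the user) applies. */
static bool boot_sector_write_suspected(const struct db_snapshot *s)
{
    if ((s->dr6 & 0xFu) == 0)                             return false; /* 105 */
    if (!is_out_instruction(s->opcode))                   return false; /* 106 */
    if (s->port != ATA_PRI_CMD && s->port != ATA_SEC_CMD) return false;
    if (!is_disk_write_command(s->data))                  return false; /* 107 */
    return addresses_boot_sector(s);                                     /* 108 */
}

int main(void)
{
    /* Constructed: OUT DX,AL of WRITE SECTORS (30h) aimed at C/H/S 0/0/1. */
    struct db_snapshot hit = { 0x1, 0xEE, ATA_PRI_CMD, 0x30, 1, 0, 0, 0xA0 };
    struct db_snapshot miss = hit;   /* same command, ordinary sector 2 */
    miss.sector = 2;
    printf("DR7 for breakpoint 0 on 1F7h: 0x%08X (CR4 |= 0x%X)\n",
           (unsigned)dr7_io_breakpoint(0, 0), (unsigned)CR4_DE);
    printf("warn: %s / %s\n", boot_sector_write_suspected(&hit) ? "yes" : "no",
           boot_sector_write_suspected(&miss) ? "yes" : "no");
    return 0;
}
```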

Claims (1)

VI. Scope of patent claims

1. A boot-type virus detection method for detecting whether a boot-type virus code is written to the boot sector of a hard disk of a computer system, the computer system comprising a central processor connected to the hard disk through an I/O interface, the central processor being provided internally with control registers, breakpoint registers, a debug control register and a debug status register, the detection method comprising the following steps:
a. setting the debug extension bit in a control register of the central processor to enable the I/O breakpoint debugging extension;
b. setting, in a breakpoint register of the central processor, the address of the hard disk status/command register of the hard disk connected to the computer system;
c. setting, in the debug control register, the central processor to generate an interrupt when it executes an I/O interface operation, and setting the bit-length value;
d. determining whether a debug condition has occurred;
e. determining whether the corresponding breakpoint condition in the debug status register of the central processor is set;
f. determining whether the instruction currently executed by the central processor is an output instruction performing a data transfer;
g. determining whether the address data in the central processor (I/O port address directly addressed or register indirectly addressed) is an address for writing data to the hard disk;
h. determining whether the I/O port address is exactly the address of the boot sector of the hard disk;
i. issuing a warning.

2. The boot-type virus detection method of claim 1, wherein step b comprises the following steps:
b1. setting the address value of the status/command register of a first hard disk; and
b2. setting the address value of the status/command register of a second hard disk.

3. The boot-type virus detection method of claim 2, wherein the address value of the status/command register of the first hard disk is 01F7h and the address value of the status/command register of the second hard disk is 0177h.

4. The boot-type virus detection method of claim 1, wherein step c comprises the following steps:
c1. setting a predetermined value in the read/write control bits of the debug control register of the central processor; and
c2. setting the numerical bit length in the length setting bits of the debug control register.

5. The boot-type virus detection method of claim 1, wherein the data transfer output instruction of step f is OUT/OUTS.

6. The boot-type virus detection method of claim 1, wherein in step g the address value for writing data to the hard disk comprises an address for writing data to a DMA channel.

7. The boot-type virus detection method of claim 1, wherein in step g the address value for writing data to the hard disk comprises an address for writing data to a sector.

8. The boot-type virus detection method of claim 1, wherein in step g the address value for writing data to the hard disk comprises an address for writing data to several sectors.

9. The boot-type virus detection method of claim 1, wherein in step h the I/O port addresses are 1F3h to 1F6h.

10. The boot-type virus detection method of claim 1, wherein in step h the I/O port addresses are 173h to 176h.
TW88114587A 1999-08-26 1999-08-26 Detection method of boot-up virus TW446872B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW88114587A TW446872B (en) 1999-08-26 1999-08-26 Detection method of boot-up virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW88114587A TW446872B (en) 1999-08-26 1999-08-26 Detection method of boot-up virus

Publications (1)

Publication Number Publication Date
TW446872B true TW446872B (en) 2001-07-21

Family

ID=21642054

Family Applications (1)

Application Number Title Priority Date Filing Date
TW88114587A TW446872B (en) 1999-08-26 1999-08-26 Detection method of boot-up virus

Country Status (1)

Country Link
TW (1) TW446872B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI494751B (en) * 2009-07-29 2015-08-01 Reversinglabs Corp Automated unpacking of portable executable files

Similar Documents

Publication Publication Date Title
JP6404283B2 (en) System and method for executing instructions to initialize a secure environment
JP5363187B2 (en) Computer system, method for initializing computer system, and computer program
TWI612439B (en) Computing device, method and machine readable storage media for detecting unauthorized memory access
JPH04233624A (en) Apparatus for protecting system utility in personal computer system
CN114222975A (en) Data preservation using memory aperture flush sequence
TWI275940B (en) Secure system firmware by disabling read access to firmware ROM
JP5392263B2 (en) Information processing apparatus and memory protection method thereof
US20060047858A1 (en) ROM scan memory expander
TW446872B (en) Detection method of boot-up virus
US11163644B2 (en) Storage boost
JP2004326751A (en) Logical partitioning
JP2005149503A (en) System and method for testing memory using dma
US8165847B2 (en) Implementing a programmable DMA master with write inconsistency determination
TW571187B (en) Hardware information capturing and monitoring method for a computer system
US7107375B2 (en) Method for improving selection performance by using an arbitration elimination scheme in a SCSI topology
US20050108605A1 (en) Pseudo random test pattern generation using Markov chains
JP2003150458A (en) Fault detector, fault detecting method, program and program recording medium
JP2008305398A (en) Dynamic linking and loading of post-processing kernel
JP6919399B2 (en) Judgment program, information processing device, and judgment method
US20090040232A1 (en) Method to record bus data in a graphics subsystem that uses dma transfers
TWI225593B (en) Auxiliary pressurizing method during PC pressure test
CN112148201A (en) Data writing method, device and storage medium
WO2019019800A1 (en) Hard disk data access method and device
JPS59121455A (en) Prefixing system
JPH04160655A (en) Execution detecting system

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees