CN110909354A - Method for cleaning malicious codes in firmware area of Western digital hard disk - Google Patents

Publication number: CN110909354A
Authority: CN (China)
Prior art keywords: module, firmware, address, area, reading
Legal status: Pending
Application number: CN201911196194.6A
Other languages: Chinese (zh)
Inventors: 梁效宁, 许超明, 董超, 彭炼
Current Assignee: Xly Salvationdata Technology Inc
Original Assignee: Xly Salvationdata Technology Inc
Application filed by: Xly Salvationdata Technology Inc
Priority: CN201911196194.6A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568: Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00: Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06: Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601: Interfaces specially adapted for storage systems
    • G06F3/0628: Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0646: Horizontal data movement in storage systems, i.e. moving data in between storage devices or systems
    • G06F3/0652: Erasing, e.g. deleting, data cleaning, moving of data to a wastebasket

Abstract

The invention discloses a method for cleaning malicious code from the firmware area of a Western Digital hard disk, comprising the following steps. S100: read the map module of the Western Digital hard disk using a virtual-disk-based method for accessing the hard disk firmware area. S200: parse the map module to obtain the ID number of each module on the current hard disk and to determine the byte length of the firmware area. S300: compare the obtained module ID numbers against the module list shown in Table 1 and identify the cleaning areas, where the module list contains the ID numbers of the modules of a Western Digital hard disk that do not affect the operation of the disk. S400: clean each cleaning area identified in step S300 by filling the data in each cleaning area with zeros, thereby cleaning malicious code from the Western Digital hard disk firmware area.

Description

Method for cleaning malicious codes in firmware area of Western Digital hard disk
Technical Field
The invention belongs to the technical field of data recovery and hard disk firmware security, and relates to a method for cleaning malicious code from the firmware area of a Western Digital hard disk.
Background
In the field of information security, as hard disk capacity and hard disk usage keep growing, users' information security and data security are seriously threatened. In response to these threats, many security software products have appeared at home and abroad, and they protect users' information well. However, this software offers no protection for hard disk firmware, whether in cleaning the firmware after it has been infected, detecting a firmware infection, or intercepting and isolating known firmware infections. The prior art contains no technical solution for hard disk firmware security.
Although no hard disk firmware security product exists on the market, there are some technical approaches to cleaning malicious code from the hard disk firmware area, such as integrity checking and overwriting with the original firmware upgrade package. That approach checks and overwrites the firmware in the firmware area, but it is severely limited and incomplete: first, a firmware upgrade package is not available for every hard disk model; second, the overwrite covers only a small part of the firmware area, which makes the approach inapplicable. The invention provides a more practical and reliable technical solution for cleaning malicious code from the hard disk firmware area.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention provides a method for cleaning malicious code from the firmware area of a Western Digital hard disk. The invention comprises the following steps:
S100: Read the map module of the Western Digital hard disk using a virtual-disk-based method for accessing the hard disk firmware area;
S200: Parse the map module, obtain the ID number of each module on the current hard disk, and determine the byte length of the firmware area;
S300: Compare the obtained ID number of each module on the current hard disk against the module list shown in Table 1 and identify the cleaning areas, where the module list contains the ID numbers of the modules of a Western Digital hard disk that do not affect the operation of the disk.
Table 1: Module list
[Table 1 is provided as an image in the original publication and is not reproduced here.]
Step S300 comprises the following steps:
S301: Identify the first cleaning area: compare the obtained ID number of each module on the current hard disk with the module ID numbers in the module list shown in Table 1, and record each area whose module ID number also appears in the module list as the first cleaning area;
S302: Identify the firmware reserved area as the second cleaning area, where the firmware reserved area is the area occupied by one or more module ID numbers that are not contained in the module list;
S303: Identify the cleaning area in the 01 firmware module;
S304: Identify the cleaning area in the 02 firmware module;
S305: Identify the cleaning area in the 31 firmware module;
S306: Identify the cleaning area in the 33 firmware module;
S307: Identify the cleaning area in the 40 firmware module;
S400: Clean each cleaning area identified in step S300: fill the data in each cleaning area with zeros to clean malicious code from the Western Digital hard disk firmware area.
Preferably, step S200 comprises the following steps:
S201: Taking the first address of the map module as the starting address, read the content of bytes 0x30 and 0x31 as the number of firmware modules on the current Western Digital hard disk;
S202: Taking the first address of the map module as the starting address, read the description information of each module in sequence, one module description at a time, where the byte length of the module description information of the current Western Digital hard disk is 0x14 bytes;
S203: Read the content of the 1st byte of the current module description information as the module header mark;
S204: Read the content of the 3rd and 4th bytes of the current module description information as the ID number of the firmware module;
S205: Read the content of the 5th and 6th bytes of the current module description information as the size of the firmware module, in sectors;
S206: Read the content of the 13th to 16th bytes of the current module description information as the start address of the current firmware module in the firmware area;
S207: Find the firmware module with the largest address in the map module, and take the sum of that module's address and the byte length of the module description information as the byte length of the firmware area.
Preferably, step S303 comprises the following steps:
S3031: Taking the first address of the 01 firmware module as the starting address, read the content of the 10th and 11th bytes as the size of the 01 firmware module, in sectors;
S3032: Taking the first address of the 01 firmware module as the starting address, read the content of the 48th and 49th bytes as a first factor, and read the content of the 50th byte as a second factor;
S3033: Take the product of the first factor and the second factor, plus 50, as the first address of the cleaning area of the 01 firmware module; the area from this first address to the last address of the 01 firmware module is the cleaning area in the 01 firmware module.
Preferably, step S304 comprises the following steps:
S3041: Taking the first address of the 02 firmware module as the starting address, read the content of bytes 0x0A and 0x0B as the size of the 02 firmware module, in sectors;
S3042: Taking the first address of the 02 firmware module as the starting address, read the content of bytes 0x30 and 0x31 as a third factor; the product of the third factor and 4, plus 0x2E, is the first offset address;
S3043: Taking the first address of the 02 firmware module as the starting address, go to the first offset address and read the next 4 bytes as a fourth factor;
S3044: Read the high 2 bytes and the low 2 bytes of the fourth factor; the sum of the high 2 bytes and the low 2 bytes is the first address of the cleaning area of the 02 firmware module, and the area from this first address to the last address of the 02 firmware module is the cleaning area in the 02 firmware module.
Preferably, step S305 comprises the following steps:
S3051: Taking the first address of the 31 firmware module as the starting address, read the content of bytes 0x0A and 0x0B as the size of the 31 firmware module, in sectors;
S3052: Taking the first address of the 31 firmware module as the starting address, read the content of bytes 0x34 to 0x37 as a fifth factor, and read the content of bytes 0x38 to 0x3B as a sixth factor;
S3053: Take the product of the sixth factor and 3, plus the fifth factor, plus 0x08, as the first address of the cleaning area of the 31 firmware module; the area from this first address to the last address of the 31 firmware module is the cleaning area in the 31 firmware module.
Preferably, step S306 comprises the following steps:
S3061: Taking the first address of the 33 firmware module as the starting address, read the content of bytes 0x0A and 0x0B as the size of the 33 firmware module, in sectors;
S3062: Taking the first address of the 33 firmware module as the starting address, read the content of bytes 0x30 to 0x33 as a seventh factor;
S3063: Take the product of the seventh factor and 0x08, plus 0x34, as the first address of the cleaning area of the 33 firmware module; the area from this first address to the last address of the 33 firmware module is the cleaning area in the 33 firmware module.
Preferably, step S307 comprises the following steps:
S3071: Taking the first address of the 40 firmware module as the starting address, read the content of bytes 0x0A and 0x0B as the size of the 40 firmware module, in sectors;
S3072: Taking the first address of the 40 firmware module as the starting address, read the content of bytes 0x58 to 0x5B as a second offset address;
S3073: Go to the second offset address and, from the currently addressed address, look forward for the first group whose content is not all zero; read that group as an eighth factor, where a group is two bytes or four bytes;
S3074: Read the content of the first four bytes of the eighth factor as a ninth factor; the sum of the eighth factor and the ninth factor is the first address of the cleaning area of the 40 firmware module, and the area from this first address to the last address of the 40 firmware module is the cleaning area in the 40 firmware module.
Preferably, the byte length of the module description information may also be 0x12 or 0x1A bytes.
Preferably, the start address of the current firmware module in the firmware area can also be obtained by reading the 17 th to 20 th bytes of the description information of the current module.
The invention has the following beneficial effects: the cleaning range is larger, the cleaning is more flexible, and the limitation is small.
Drawings
FIG. 1 is a general flow diagram of a method provided by the present invention;
FIG. 2 is a flowchart illustrating the details of obtaining the ID number of the module and the byte length of the firmware area according to an embodiment of the present invention;
FIG. 3 is a detailed flow chart of counting each cleaning region according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a data structure of a 01 firmware module in one embodiment of the invention;
FIG. 5 is a diagram illustrating a data structure of a 02 firmware module in one embodiment of the invention;
FIG. 6 is a diagram illustrating a data structure of a 31 firmware module in one embodiment of the invention;
FIG. 7 is a diagram illustrating a data structure of a 33 firmware module in one embodiment of the invention;
FIG. 8 is a diagram illustrating a data structure of a firmware module 40 according to an embodiment of the present invention.
Detailed Description
FIG. 1 shows the general flow chart of the method provided by the invention. As shown in FIG. 1, the method comprises the following steps:
S100: Read the map module of the Western Digital hard disk using a virtual-disk-based method for accessing the hard disk firmware area. This access method is prior art and is not described here.
S200: Parse the map module, obtain the ID number of each module on the current hard disk, and determine the byte length of the firmware area.
FIG. 2 is a flowchart showing the details of obtaining the module ID numbers and the byte length of the firmware area according to one embodiment of the invention. As shown in FIG. 2, the method comprises the following steps:
S201: Taking the first address of the map module as the starting address, read the content of bytes 0x30 and 0x31 as the number of firmware modules on the current Western Digital hard disk;
FIG. 3 shows the data structure of a map module in one embodiment of the invention. As shown in FIG. 3, the content 0x01D9 of bytes 0x30 and 0x31 is the number of firmware modules on the current Western Digital hard disk. Note that the content D901 shown in the small rectangular box in FIG. 3 is the number of firmware modules stored in little-endian format, so the actual value is 0x01D9; the same applies below.
S202: Taking the first address of the map module as the starting address, read the description information of each module in sequence, one module description at a time, where the byte length of the module description information of the current Western Digital hard disk is 0x14 bytes; the content shown in the 0x14-byte rectangular box in FIG. 3 is the description information of the first module.
S203: As shown in FIG. 3, read the content 0x14 of the 1st byte of the current module description information as the module header mark;
S204: As shown in FIG. 3, read the content 0x0001 of the 3rd and 4th bytes of the current module description information as the ID number of the firmware module, that is, the ID number is 1;
S205: As shown in FIG. 3, read the content 0x0020 of the 5th and 6th bytes of the current module description information as the size of the firmware module, in sectors;
S206: As shown in FIG. 3, read the content 0x0002EDAC of the 13th to 16th bytes of the current module description information as the start address of the current firmware module in the firmware area; it can also be obtained by reading the content of the 17th to 20th bytes of the current module description information, whose value is also 0x0002EDAC;
S207: Find the firmware module with the largest address in the map module, and take the sum of that module's address and the byte length of the module description information as the byte length of the firmware area.
In addition, the byte length of the module description information may also be 0x12 or 0x1A bytes, depending on the specific model or series of the Western Digital hard disk.
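The descriptor layout of S201 to S206 can be read from an in-memory copy of the map module as follows. This is an added Python example, not code from the patent; `TABLE_OFFSET`, the reuse of the same field positions for other descriptor lengths, the `copies_agree` check and the second and third sample rows are assumptions made for illustration.

```python
import struct
from typing import List, NamedTuple

COUNT_OFFSET = 0x30   # S201: module count, two bytes, little-endian
ENTRY_LEN = 0x14      # S202: descriptor length (0x12 or 0x1A on other models)
TABLE_OFFSET = 0x32   # ASSUMPTION: descriptors start right after the count field


class ModuleEntry(NamedTuple):
    header_mark: int    # 1st byte (S203)
    module_id: int      # 3rd-4th bytes (S204)
    size_sectors: int   # 5th-6th bytes (S205)
    start: int          # 13th-16th bytes (S206)
    copies_agree: bool  # 17th-20th bytes repeat the start value (added check)


def parse_map(blob: bytes, entry_len: int = ENTRY_LEN,
              table_offset: int = TABLE_OFFSET) -> List[ModuleEntry]:
    """Parse the module descriptors of a map module held in memory."""
    if entry_len not in (0x12, 0x14, 0x1A):
        raise ValueError("unsupported descriptor length")
    if len(blob) < COUNT_OFFSET + 2:
        raise ValueError("map module too short to hold the module count")
    (count,) = struct.unpack_from("<H", blob, COUNT_OFFSET)
    if table_offset + count * entry_len > len(blob):
        raise ValueError("module count points past the end of the map module")
    entries = []
    for index in range(count):
        base = table_offset + index * entry_len
        # ASSUMPTION: field positions are the same for every descriptor length.
        module_id, size = struct.unpack_from("<HH", blob, base + 2)
        (start,) = struct.unpack_from("<I", blob, base + 12)
        agree = True
        if entry_len >= 20:  # the second copy only fits in 0x14 / 0x1A descriptors
            (second,) = struct.unpack_from("<I", blob, base + 16)
            agree = second == start
        entries.append(ModuleEntry(blob[base], module_id, size, start, agree))
    return entries


def build_sample_map() -> bytes:
    """Constructed sample: row 1 uses the page's values, rows 2-3 are made up."""
    rows = [(0x0001, 0x0020, 0x0002EDAC, 0x0002EDAC),
            (0x0002, 0x0006, 0x0002EDCC, 0x0002EDCC),
            (0x0033, 0x095C, 0x0002EE00, 0x00000000)]  # copies deliberately differ
    blob = bytearray(TABLE_OFFSET + len(rows) * ENTRY_LEN)
    struct.pack_into("<H", blob, COUNT_OFFSET, len(rows))
    for index, (mod_id, size, start, second) in enumerate(rows):
        base = TABLE_OFFSET + index * ENTRY_LEN
        blob[base] = 0x14
        struct.pack_into("<HH", blob, base + 2, mod_id, size)
        struct.pack_into("<I", blob, base + 12, start)
        struct.pack_into("<I", blob, base + 16, second)
    return bytes(blob)


if __name__ == "__main__":
    for entry in parse_map(build_sample_map()):
        print(entry)
```

A descriptor whose two start-address copies disagree is worth reviewing before any area derived from it is written to.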
S300: Compare the obtained ID number of each module on the current hard disk against the module list shown in Table 1 and identify the cleaning areas, where the module list contains the ID numbers of the modules of a Western Digital hard disk that do not affect the operation of the disk.
Table 1: Module list
[Table 1 is provided as an image in the original publication and is not reproduced here.]
Step S300 comprises the following steps:
S301: Identify the first cleaning area: compare the obtained ID number of each module on the current hard disk with the module ID numbers in the module list shown in Table 1, and record each area whose module ID number also appears in the module list as the first cleaning area;
S302: Identify the firmware reserved area as the second cleaning area, where the firmware reserved area is the area occupied by one or more module ID numbers that are not contained in the module list;
For example, if the size of the entire firmware area is 10 sectors and the firmware modules recorded in the module list occupy the 1st to 5th and 7th to 8th sectors, then the 6th, 9th and 10th sectors are the firmware reserved area and are used as the second cleaning area.
S303: Identify the cleaning area in the 01 firmware module;
FIG. 4 shows the data structure of a 01 firmware module according to an embodiment of the invention.
Step S303 comprises the following steps:
S3031: Taking the first address of the 01 firmware module as the starting address, read the content 0x0020 of the 10th and 11th bytes as the size of the 01 firmware module, in sectors;
S3032: Taking the first address of the 01 firmware module as the starting address, read the content 0x01ED of the 48th and 49th bytes as a first factor, and read the content 0x1A of the 50th byte as a second factor;
S3033: The product of the first factor and the second factor, plus 50, i.e., 0x1ED × 0x1A + 50 = 12868, is taken as the first address of the cleaning area of the 01 firmware module; the area from this first address to the last address of the 01 firmware module is the cleaning area in the 01 firmware module.
S304: Identify the cleaning area in the 02 firmware module;
FIG. 5 shows the data structure of a 02 firmware module according to an embodiment of the invention.
Step S304 comprises the following steps:
S3041: Taking the first address of the 02 firmware module as the starting address, read the content 0x0006 of bytes 0x0A and 0x0B, as shown in FIG. 5, as the size of the 02 firmware module, in sectors;
S3042: Taking the first address of the 02 firmware module as the starting address, read the content 0x0032 of bytes 0x30 and 0x31 as a third factor; the product of the third factor and 4, plus 0x2E, i.e., 0x0032 × 4 + 0x2E = 0xF6, is taken as the first offset address;
S3043: Taking the first address of the 02 firmware module as the starting address, go to the first offset address 0xF6 and read the next 4 bytes, 0x002B0B16 as shown in FIG. 5, as a fourth factor;
S3044: Read the high 2 bytes 0x0B16 and the low 2 bytes 0x002B of the fourth factor; the sum of the high 2 bytes and the low 2 bytes, i.e., 0xB16 + 0x2B = 0x0B41, is the first address of the cleaning area of the 02 firmware module, and the area from the first address 0x0B41 to the last address of the 02 firmware module is the cleaning area in the 02 firmware module.
S305: Identify the cleaning area in the 31 firmware module;
FIG. 6 shows the data structure of a 31 firmware module according to an embodiment of the invention.
Step S305 comprises the following steps:
S3051: Taking the first address of the 31 firmware module as the starting address, read the content 0x05A5 of bytes 0x0A and 0x0B, as shown in FIG. 6, as the size of the 31 firmware module, in sectors;
S3052: Taking the first address of the 31 firmware module as the starting address, read the content 0x00016931 of bytes 0x34 to 0x37 as a fifth factor and the content 0x00000242 of bytes 0x38 to 0x3B as a sixth factor, as shown in FIG. 6;
S3053: The product of the sixth factor and 3, plus the fifth factor, plus 0x08, i.e., 0x00000242 × 3 + 0x000169935 + 0x08 = 0x17003, is taken as the first address of the cleaning area of the 31 firmware module; the area from the first address 0x17003 to the last address of the 31 firmware module is the cleaning area in the 31 firmware module.
S306: Identify the cleaning area in the 33 firmware module;
FIG. 7 shows the data structure of a 33 firmware module according to an embodiment of the invention.
Step S306 comprises the following steps:
S3061: Taking the first address of the 33 firmware module as the starting address, read the content 0x95C of bytes 0x0A and 0x0B, as shown in FIG. 7, as the size of the 33 firmware module, in sectors;
S3062: Taking the first address of the 33 firmware module as the starting address, read the content 0x00000A88 of bytes 0x30 to 0x33, as shown in FIG. 7, as a seventh factor;
S3063: The product of the seventh factor and 0x08, plus 0x34, i.e., 0x00000A88 × 0x8 + 0x34 = 0x5474, is taken as the first address of the cleaning area of the 33 firmware module; the area from the first address 0x5474 to the last address of the 33 firmware module is the cleaning area in the 33 firmware module.
S307: Identify the cleaning area in the 40 firmware module;
FIG. 8 shows the data structure of a 40 firmware module according to an embodiment of the invention.
Step S307 comprises the following steps:
S3071: Taking the first address of the 40 firmware module as the starting address, read the content of bytes 0x0A and 0x0B shown in FIG. 8 as the size of the 40 firmware module, in sectors;
S3072: Taking the first address of the 40 firmware module as the starting address, read the content 0x1FF of bytes 0x58 to 0x5B, as shown in FIG. 8, as a second offset address;
S3073: Go to the second offset address 0x1FF and, from the currently addressed address 0x1FF, look forward for the first group whose content is not all zero, 0x0000002A as shown in FIG. 8; read 0x0000002A as the eighth factor, where a group is two bytes or four bytes;
S3074: Read the content 0x00025A42 of the first four bytes of the eighth factor 0x0000002A as a ninth factor; the sum of the eighth factor 0x0000002A and the ninth factor 0x00025A42, i.e., 0x0000002A + 0x00025A42 = 0x25A6C, is taken as the first address of the cleaning area of the 40 firmware module, and the area from the first address 0x25A6C to the last address of the 40 firmware module is the cleaning area in the 40 firmware module.
S400: Clean each cleaning area identified in step S300: fill the data in each cleaning area with zeros to clean malicious code from the Western Digital hard disk firmware area.
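The reserved-area rule of S302, the cleaning-area arithmetic for the 01, 02 and 33 modules and the zero fill of S400 are worked through below on in-memory module images. This is an added Python example, not code from the patent; the 512-byte sector size, the bounds checks, the 0xAA filler and all function names are assumptions, and the 31 and 40 modules are not covered.

```python
import struct

SECTOR = 512  # ASSUMPTION: 512-byte sectors; the page gives module sizes in sectors


def reserved_ranges(extents, total_sectors):
    """S302: sectors of the firmware area not covered by any listed module.

    extents are (first_sector, sector_count) pairs, numbered from 1 as in the
    page's 10-sector illustration; returns inclusive (first, last) ranges.
    """
    gaps, cursor = [], 1
    for first, count in sorted(extents):
        last = first + count - 1
        if first < 1 or count < 1 or last > total_sectors:
            raise ValueError("module extent lies outside the firmware area")
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def _start_01(mod):  # S3032-S3033
    (first,) = struct.unpack_from("<H", mod, 48)
    return first * mod[50] + 50


def _start_02(mod):  # S3042-S3044
    (third,) = struct.unpack_from("<H", mod, 0x30)
    offset = third * 4 + 0x2E
    if offset + 4 > len(mod):
        raise ValueError("module 02: first offset address outside the module")
    half_a, half_b = struct.unpack_from("<HH", mod, offset)
    return half_a + half_b  # sum of the two 16-bit halves of the fourth factor


def _start_33(mod):  # S3062-S3063
    (seventh,) = struct.unpack_from("<I", mod, 0x30)
    return seventh * 0x08 + 0x34


_START = {"01": _start_01, "02": _start_02, "33": _start_33}


def cleaning_range(mod, module_name):
    """Return (start, end) byte offsets of the cleaning area inside one module."""
    if module_name not in _START:
        raise ValueError("no cleaning rule implemented for this module")
    if len(mod) < 0x34:
        raise ValueError("module too short to hold its header fields")
    (sectors,) = struct.unpack_from("<H", mod, 0x0A)  # size field, in sectors
    end = sectors * SECTOR
    if end == 0 or end > len(mod):
        raise ValueError("declared module size does not fit the buffer")
    start = _START[module_name](mod)
    if start >= end:  # a corrupt header must not move the wipe outside the module
        raise ValueError("cleaning area starts beyond the end of the module")
    return start, end


def zero_fill(mod, module_name):
    """S400 on an in-memory copy: zero the cleaning area, return bytes wiped."""
    start, end = cleaning_range(mod, module_name)
    mod[start:end] = bytes(end - start)
    return end - start


def make_sample(size_sectors, fields):
    """Constructed module image: 0xAA filler plus the header fields given."""
    buf = bytearray(b"\xAA" * (size_sectors * SECTOR))
    struct.pack_into("<H", buf, 0x0A, size_sectors)
    for offset, fmt, value in fields:
        struct.pack_into(fmt, buf, offset, value)
    return buf


# Field values are the worked values the page quotes for FIG. 4, 5 and 7.
SAMPLE_01 = make_sample(0x0020, [(48, "<H", 0x01ED), (50, "<B", 0x1A)])
SAMPLE_02 = make_sample(0x0006, [(0x30, "<H", 0x0032), (0xF6, "<I", 0x002B0B16)])
SAMPLE_33 = make_sample(0x095C, [(0x30, "<I", 0x00000A88)])

if __name__ == "__main__":
    print(reserved_ranges([(1, 5), (7, 2)], 10))
    for name, image in (("01", SAMPLE_01), ("02", SAMPLE_02), ("33", SAMPLE_33)):
        print(name, [hex(v) for v in cleaning_range(image, name)])
```

With 512-byte sectors, each computed start address falls inside the module size that the page quotes for that module, which is the property the bounds check enforces before anything is zeroed.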
The method solves the technical problem that no method for cleaning malicious codes in the firmware area of the Western digital hard disk exists in the prior art.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations are possible to those skilled in the art in light of the above teachings, and that all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (9)

1. A method for cleaning malicious code from the firmware area of a Western Digital hard disk, characterized by comprising the following steps:
S100: Read the map module of the Western Digital hard disk using a virtual-disk-based method for accessing the hard disk firmware area;
S200: Parse the map module, obtain the ID number of each module on the current hard disk, and determine the byte length of the firmware area;
S300: Compare the obtained ID number of each module on the current hard disk against the module list shown in Table 1 and identify the cleaning areas, where the module list contains the ID numbers of the modules of a Western Digital hard disk that do not affect the operation of the disk.
Table 1: Module list
[Table 1 is provided as an image in the original publication and is not reproduced here.]
Step S300 comprises the following steps:
S301: Identify the first cleaning area: compare the obtained ID number of each module on the current hard disk with the module ID numbers in the module list shown in Table 1, and record each area whose module ID number also appears in the module list as the first cleaning area;
S302: Identify the firmware reserved area as the second cleaning area, where the firmware reserved area is the area occupied by one or more module ID numbers that are not contained in the module list;
S303: Identify the cleaning area in the 01 firmware module;
S304: Identify the cleaning area in the 02 firmware module;
S305: Identify the cleaning area in the 31 firmware module;
S306: Identify the cleaning area in the 33 firmware module;
S307: Identify the cleaning area in the 40 firmware module;
S400: Clean each cleaning area identified in step S300: fill the data in each cleaning area with zeros to clean malicious code from the Western Digital hard disk firmware area.
2. The method of claim 1, wherein the step S200 comprises the steps of:
s201: taking the initial address of the map module as an initial address, and reading the content of 0x30 and 0x31 bytes as the number of firmware modules of the current Western digital hard disk;
s202: sequentially reading the description information of each module by taking the initial address of the map module as a starting address and taking the byte length of the module description information of the current Western digital hard disk as a unit, wherein the byte length of the module description information is 0x14 bytes;
s203: reading the 1 st byte content of the current module description information as a module header mark;
s204: reading the 3 rd and 4 th byte contents of the current module description information as the ID number of the firmware module;
s205: reading the 5 th and 6 th byte content of the current module description information as the size of the firmware module, wherein the unit of the firmware module is a sector;
s206: reading the 13 th to 16 th byte contents of the current module description information as the initial address of the current firmware module in the firmware area;
s207: and searching the firmware module with the largest address in the map module, acquiring the address of the firmware module with the largest address and adding the sum of the byte lengths of the module description information as the byte length of the firmware area.
3. The method of claim 1, wherein the step S303 comprises the steps of:
s3031: taking the first address of the 01 firmware module as a starting address, reading the content of the 10 th byte and the 11 th byte as the size of the 01 firmware module, wherein the unit of the size is a sector;
s3032: taking the first address of the 01 firmware module as a starting address, reading the contents of the 48 th byte and the 49 th byte as a first factor, and reading the content of the 50 th byte as a second factor;
s3033: the sum of the product of the first factor multiplied by the second factor and 50 is used as the first address of the cleaning area of the 01 firmware module, and the area from the first address of the cleaning area of the 01 firmware module to the last address of the 01 firmware module is used as the cleaning area in the 01 firmware module.
4. The method of claim 1, wherein the step S304 comprises the steps of:
s3041: taking the first address of the 02 firmware module as a starting address, reading the content of 0x0A and 0x0B bytes as the size of the 02 firmware module, wherein the unit of the size is a sector;
s3042: reading the content of 0x30 and 0x31 bytes as a third factor by taking the first address of the 02 firmware module as a starting address, wherein the sum of the product of the third factor multiplied by 4 and 0x2E is taken as a first offset address;
s3043: addressing the first offset address and continuously reading the content of 4 bytes as a fourth factor by taking the first address of the 02 firmware module as a starting address;
s3044: reading the high 2 byte and the low 2 byte of the fourth factor, wherein the sum of the high 2 byte and the low 2 byte is used as the first address of the cleaning area of the 02 firmware module, and the area from the first address of the cleaning area of the 02 firmware module to the last address of the 02 firmware module is used as the cleaning area in the 02 firmware module.
5. The method of claim 1, wherein the step S305 comprises the steps of:
S3051: taking the first address of the 31 firmware module as the starting address, reading the contents of bytes 0x0A and 0x0B as the size of the 31 firmware module, wherein the unit of the size is a sector;
S3052: taking the first address of the 31 firmware module as the starting address, reading the contents of bytes 0x34 to 0x37 as a fifth factor, and reading the contents of bytes 0x38 to 0x3B as a sixth factor;
S3053: the product of the sixth factor and 3, plus the fifth factor, plus 0x08, is used as the first address of the cleaning area of the 31 firmware module, and the area from that first address to the last address of the 31 firmware module is used as the cleaning area in the 31 firmware module.
6. The method of claim 1, wherein the step S306 comprises the steps of:
S3061: taking the first address of the 33 firmware module as the starting address, reading the contents of bytes 0x0A and 0x0B as the size of the 33 firmware module, wherein the unit of the size is a sector;
S3062: taking the first address of the 33 firmware module as the starting address, reading the contents of bytes 0x30 to 0x33 as a seventh factor;
S3063: the product of the seventh factor and 0x08, plus 0x34, is used as the first address of the cleaning area of the 33 firmware module, and the area from that first address to the last address of the 33 firmware module is used as the cleaning area in the 33 firmware module.
7. The method of claim 1, wherein the step S307 comprises the steps of:
S3071: taking the first address of the 40 firmware module as the starting address, reading the contents of bytes 0x0A and 0x0B as the size of the 40 firmware module, wherein the unit of the size is a sector;
S3072: taking the first address of the 40 firmware module as the starting address, reading the contents of bytes 0x58 to 0x5B as a second offset address;
S3073: addressing the second offset address and, from the currently addressed address, looking forward for the first group whose contents are not all zero, and reading that group as an eighth factor, wherein one group is two bytes or four bytes;
S3074: reading the content of the first four bytes of the eighth factor as a ninth factor, wherein the sum of the eighth factor and the ninth factor is used as the first address of the cleaning area of the 40 firmware module, and the area from that first address to the last address of the 40 firmware module is used as the cleaning area in the 40 firmware module.
8. The method of claim 2, wherein the module description information may be 0x12 or 0x1A bytes long.
9. The method of claim 2, wherein the start address of the current firmware module in the firmware area is further obtained by reading the contents of bytes 17 to 20 of the description information of the current module.
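The address arithmetic of claims 3 to 6 (modules 01, 02, 31 and 33), as an added example that is not part of the patent text. It assumes little-endian fields, 0-based byte numbers, 512-byte sectors and, for module 01, the same size field at bytes 0x0A and 0x0B as the other modules; `cleaning_region` and `sample_module` are hypothetical names, and the module buffers are constructed.

```python
import struct

SECTOR = 512  # assumption: the claims say "sector" without giving its size

def u16(buf, off):  # assumption: multi-byte fields are little-endian
    return struct.unpack_from("<H", buf, off)[0]

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def cleaning_start(module_id, buf):
    """Cleaning-area start, relative to the module's first address."""
    if module_id == "01":   # S3032-S3033 (byte numbers taken as 0-based)
        return u16(buf, 48) * buf[50] + 50
    if module_id == "02":   # S3042-S3044: follow the first offset address
        fourth = u32(buf, u16(buf, 0x30) * 4 + 0x2E)
        return (fourth >> 16) + (fourth & 0xFFFF)
    if module_id == "31":   # S3052-S3053
        return u32(buf, 0x38) * 3 + u32(buf, 0x34) + 0x08
    if module_id == "33":   # S3062-S3063
        return u32(buf, 0x30) * 0x08 + 0x34
    raise ValueError(f"no rule for module {module_id}")

def cleaning_region(module_id, buf):
    """Return (start, end) offsets; reject headers that point outside the module."""
    try:
        end = u16(buf, 0x0A) * SECTOR   # size field, in sectors
        start = cleaning_start(module_id, buf)
    except (struct.error, IndexError) as exc:
        raise ValueError("header field points outside the data read") from exc
    if end == 0 or end > len(buf):
        raise ValueError("size field does not match the data read")
    if start > end:
        raise ValueError("computed cleaning start lies past the module end")
    return start, end

def sample_module(fields, sectors=2):
    """Constructed module: zero-filled, with (format, offset, value) fields set."""
    buf = bytearray(sectors * SECTOR)
    struct.pack_into("<H", buf, 0x0A, sectors)
    for fmt, off, value in fields:
        struct.pack_into(fmt, buf, off, value)
    return bytes(buf)

if __name__ == "__main__":
    m02 = sample_module([("<H", 0x30, 3), ("<I", 0x3A, 0x00010200)])
    print(cleaning_region("02", m02))
```

Because every start address is derived from header fields inside the module being cleaned, a tampered or damaged header can yield an address outside the module; the bounds checks stop the computation before any write is attempted.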
CN201911196194.6A 2019-11-29 2019-11-29 Method for cleaning malicious codes in firmware area of Western digital hard disk Pending CN110909354A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911196194.6A CN110909354A (en) 2019-11-29 2019-11-29 Method for cleaning malicious codes in firmware area of Western digital hard disk

Publications (1)

Publication Number Publication Date
CN110909354A (en) 2020-03-24

Family

ID=69820609

Country Status (1)

Country Link
CN (1) CN110909354A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102902487A (en) * 2011-07-25 2013-01-30 鸿富锦精密工业(深圳)有限公司 Hard disk drive data access method and system
CN104714869A (en) * 2015-03-31 2015-06-17 四川效率源信息安全技术有限责任公司 Method for repairing Western Digital hard disk unable to access data
US20190121519A1 (en) * 2013-10-18 2019-04-25 Samsung Electronics Co., Ltd. Operating method for multiple windows and electronic device supporting the same
CN109684124A (en) * 2018-12-25 2019-04-26 四川效率源信息安全技术股份有限公司 A method of repairing Western Digital hard disk firmware read fault
CN109710192A (en) * 2018-12-27 2019-05-03 公安部物证鉴定中心 A data erasure method for the used firmware area of a Western Digital hard disk

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CONNOR BOLTON: "Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems", 《IEEE》 *
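Zhang Jingsheng et al.: "Principle and practicability analysis of virtualization technology for the hard disk firmware area", Computer Engineering and Design (《计算机工程与设计》) *
Zhang Fan: "Analysis of data theft techniques based on hard disk firmware and research on countermeasures", Secrecy Science and Technology (《保密科学技术》) *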

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113885882A (en) * 2021-10-29 2022-01-04 四川效率源信息安全技术股份有限公司 Method for restoring iOS type character string
CN113885882B (en) * 2021-10-29 2023-03-07 四川效率源信息安全技术股份有限公司 Method for restoring iOS type character string

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200324