CN1173266C - Starting-up type virus detection method - Google Patents


Info

Publication number
CN1173266C
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CNB001010468A
Other languages
Chinese (zh)
Other versions
CN1304093A (en)
Inventor
蔡俊男
Current Assignee
Mitac International Corp
Original Assignee
Mitac International Corp
Priority date
2000-01-11
Filing date
2000-01-11
Publication date
2004-10-27

Abstract

The present invention relates to a method for detecting a start-up type (boot-sector) virus. Predetermined values are written into the relevant registers of the computer system's central processing unit: the debug extension bit is set, the address of the hard disk status/command register of the hard disk device is loaded into a breakpoint register, the debug control register is set so that an interrupt is generated when the central processing unit performs an I/O port access, and the bit-length value is set. The method then proceeds as follows: when a debug exception occurs, it is determined whether the corresponding breakpoint condition in the debug status register of the central processing unit is set; whether the instruction currently being executed by the central processing unit is an output instruction that performs a data transfer; whether the data sent to the I/O port, by direct addressing or register indirect addressing, is a command that writes data to the hard disk device; and whether the address sent to the I/O port is the address of the boot sector of the hard disk device. If all of these hold, an alarm is raised.

Description

Starting-up type virus detection method
Technical field
The present invention relates to a method for detecting computer viruses, and in particular to a method for detecting start-up type (boot-sector) computer viruses.
Background art
Each of the many types of computer virus has its own form and its own route of transmission, and all of them can cause damage of varying degree to a computer system. A typical start-up type computer virus infects the boot sector (Boot Sector) of a hard disk device in the computer system and uses that region as the medium through which it spreads.
Many detection methods have been proposed for finding computer viruses. For example, when a program is about to be executed, the computer first performs a self-test to determine whether the program has been modified; if its code has been modified, the program may have been infected by a computer virus. Another method is the checksum (Check Sum): before the program is executed, its checksum is verified in order to determine whether the program has been modified.
Although the above virus detection methods are effective to a certain degree, their prerequisite is that the computer system must first complete its normal start-up procedure before the detection function can run at all. These detection methods therefore cannot be applied to the detection of certain start-up type viruses.
In the case of a start-up type virus, the virus program resides in the boot sector of a data storage device from which the system can be started (a hard disk device, for example). When the computer system is started from a hard disk infected with a start-up type virus, the virus program is loaded into the computer system's memory and performs its viral function.
In most start-up type computer viruses, once the virus program has taken the place of the normal start-up procedure, it first intercepts interrupt vector INT 13h, whose function is to control access to the hard disk and floppy disk devices. When it intercepts INT 13h, the virus program changes the vector address of this interrupt and replaces the function of the interrupt with a new subroutine, and that subroutine is the route by which the virus spreads. In general, such a start-up type virus remains in the computer system for as long as the computer is powered on, and each time the computer is restarted the infection described above is repeated. Therefore, if the start-up type virus cannot be detected promptly and effectively in the initial stage of computer system start-up, it poses a great threat to the use of the computer and the safety of its data.
Summary of the invention
The main object of the present invention is to provide a method for detecting start-up type viruses which, when it detects any attempt to write to the boot sector of the computer system's hard disk, issues a warning to alert the user in good time that the computer may be infected with a start-up type virus.
Another object of the present invention is to provide a method for the early detection of start-up type viruses which performs the detection directly by means of the relevant control register, breakpoint registers, debug control register and debug status register in the central processing unit (CPU).
To achieve the above objects of the present invention, the debug extension bit is first set in a control register of the central processing unit; the address of the disk status/command register of the hard disk device connected to the computer system is set in a breakpoint register of the central processing unit; the debug control register is set so that the central processing unit generates an interrupt when it performs an I/O port operation, and the bit-length value is set; it is then determined whether a debug exception has occurred; whether the corresponding breakpoint condition in the debug status register of the central processing unit is set; whether the instruction currently being executed by the central processing unit is an output instruction performing a data transfer; whether the data sent to the I/O port by the central processing unit, by direct addressing or register indirect addressing, is a command that writes data to the hard disk device; and whether the address sent to the I/O port is the address of the boot sector of the hard disk device. If so, a warning is issued to alert the user that the computer may be infected with a start-up type virus.
Description of drawings
The other objects of the present invention and its virus detection method are further described by the following preferred embodiment together with the accompanying drawings, in which:
Fig. 1 is a simplified connection diagram of the central processing unit (CPU), I/O interface, hard disk device and memory in a typical personal computer system;
Fig. 2 is a schematic diagram of the relevant internal registers of a Pentium-class central processing unit;
Fig. 3 is a flow chart of the virus detection method of the present invention.
Embodiment
Fig. 1 is a simplified connection diagram of a typical personal computer system, showing a central processing unit (CPU) 1, an I/O interface 3, a hard disk device 4 and a memory 5. The central processing unit 1 is connected to the hard disk device 4 via the system bus and the I/O interface 3, and the central processing unit 1 is also connected to the memory 5 via this system bus. The system bus comprises an address bus 21, a data bus 22 and a control bus 23.
In the following embodiment, an Intel Pentium-class central processing unit is used for the description of the preferred embodiment, and the hard disk device 4 is connected to the central processing unit 1 through an IDE interface.
Referring to Fig. 2, the internal registers of a typical Pentium-class central processing unit can be roughly divided by function into the general purpose registers 10 (General Purpose Register), the segment registers 11 (Segment Register), and the status and instruction registers 12 (Status and Instruction Register). The general purpose registers 10 are generally used for processing byte data, the segment registers 11 determine the base address of a memory segment, and the status and instruction registers 12 specify the instruction to be executed and indicate the resulting status after execution.
In addition, a Pentium-class central processing unit contains other system registers; among these, the registers relevant to the virus detection method of the present invention are the control register group 13 and the debug register group 14.
The control register group 13 comprises several control registers CR0 to CR4. In the bit definition of control register CR4, bits 0 to 6 are defined, and bit 3 is the setting bit for the debug extension function: when this bit is set to 1, the I/O breakpoint debug extension function is enabled; when it is set to 0, the I/O breakpoint debug extension function is disabled.
The debug register group 14 comprises several registers DR0 to DR7. DR0 to DR3 serve as breakpoint registers, each holding a 32-bit breakpoint linear address. DR6 is the debug status register, which temporarily holds the status of the breakpoint registers DR0 to DR3. DR7 is the debug control register (Debug Control Register), which controls the operation of the breakpoint registers DR0 to DR3.
Each breakpoint register DR0 to DR3 has its own control bits (in debug control register DR7). For example, the value of LEN determines the access length at the breakpoint address: LEN=00, byte; LEN=01, word; LEN=11, double word. The value of R/W determines the condition that triggers the breakpoint at the breakpoint address: R/W=00, instruction execution; R/W=01, data write; R/W=11, data read or write.
The virus detection method of the present invention will now be described in detail with reference to the central processing unit's internal register structure shown in Fig. 2 and the control flow chart shown in Fig. 3.
After the system is powered on, the present invention first, in step 101, sets the debug extension bit (Debug Extension) in control register CR4 of the central processing unit. That is, in this step bit 3 of control register CR4 of the central processing unit is set to 1 in order to enable the I/O breakpoint debug extension function.
Then, in step 102, the hexadecimal values 1F7h and 177h are set in any two of the breakpoint registers (DR0 to DR3) of the central processing unit. The value 1F7h is the address of the first disk status/command register connected in the computer system, and the value 177h is the address of the second disk status/command register.
In step 103, the value 10 is set in the R/W bits (read/write control bits) of the central processing unit's debug control register DR7 corresponding to these breakpoints, which means that an interrupt is generated when the central processing unit performs an I/O access. In addition, in this step the value 00 is set in the corresponding LEN bits (length bits) of the debug control register DR7 (this value represents a length value of 1, i.e. one byte).
After the above register settings are complete, step 104 is executed, which determines whether a debug exception (Debug Exception) has occurred. If not, the test is repeated; if so, the next step 105 is executed, which further examines the state of the debug status register DR6 in the central processing unit; this debug status register DR6 temporarily holds the status of the breakpoint registers DR0 to DR3.
In step 105, it is determined whether the corresponding breakpoint condition (Breakpoint Condition) in the debug status register DR6 of the central processing unit is set. If not, the method returns to step 104; if so, the next step 106 is executed.
In step 106, it is determined whether the instruction currently being executed by the central processing unit is an assembly-language output instruction (OUT or OUTS) that performs a data transfer. If not, the method returns to step 104; if so, the next step 107 is executed. The output instruction OUT is the simple I/O port instruction: it performs a simple data transfer in which the data is sent to a single I/O port, and the transfer is carried out through a general purpose register in the central processing unit (for 8-bit transfers, register AL). The output instruction OUTS is the string I/O port instruction: it outputs the byte of memory data specified by the segment register DS and index register SI of the central processing unit to the I/O port specified by register DX.
In step 107, it is further determined whether the data in register AL of the general purpose registers 10 of the central processing unit, or at the address DS:SI (direct addressing or register indirect addressing of the I/O port data), is CAh, CBh, 30h, 31h or C5h. If it is not one of these predetermined values, the method returns to step 104; if it is one of these predetermined values, the next step 108 is executed. The values CAh and CBh denote writing data through a DMA channel, 30h and 31h denote writing data to a sector, and C5h denotes writing data to several sectors.
After the above determinations, if data is indeed being written by DMA or to a sector, this indicates that a virus program may be writing virus code. At this point, step 108 further determines whether the sector address last output to the ports 1F3h to 1F6h (or 173h to 176h) is the boot sector (boot sector) of the hard disk. If the result is yes, this indicates that a virus program is writing virus code to the boot sector of the hard disk, and the computer system issues a warning in step 109 to alert the user.
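The flow of steps 101 to 109 as an added C model; this is not the patent's code and does not touch the real DR0-DR7 or CR4, but it shows the DR7 encoding for an I/O breakpoint, the OUT/OUTS and command-byte filters, and the boot-sector test on a shadowed ATA task file. The mapping of ports 1F3h-1F6h to sector number, cylinder low/high and drive/head, the LBA form of the boot-sector test and the OUT/OUTS opcode bytes are standard x86/ATA facts the patent does not state, and the three I/O traces are constructed.

```c
/* Added model of the patent's detection flow, not the patent's own code. DR7/CR4 bit positions
 * follow the documented x86 layout, port meanings the standard ATA task file; traces are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#define CR4_DE       0x8u     /* CR4 bit 3, debug extensions: enables I/O breakpoints (step 101) */
#define ATA_PRI_BASE 0x1F0u   /* primary IDE channel, command/status register at 1F7h (step 102) */
#define ATA_SEC_BASE 0x170u   /* secondary IDE channel, command/status register at 177h */

/* DR7: bit 2i = Li enable; bits 16+4i..17+4i = R/Wi; bits 18+4i..19+4i = LENi.
 * R/W = 10b breaks on I/O read or write (needs CR4.DE), LEN = 00b is one byte (step 103). */
static uint32_t dr7_io_breakpoint(uint32_t dr7, unsigned i) {
    dr7 = (dr7 | (1u << (2 * i))) & ~(0xFu << (16 + 4 * i));   /* Li = 1; clear R/Wi, LENi */
    return dr7 | (0x2u << (16 + 4 * i));                        /* R/Wi = 10b; LENi stays 00b */
}
/* Step 106: the opcode at the faulting EIP must be OUT imm8/DX or OUTSB/OUTSW, not IN. */
static bool is_out_opcode(uint8_t op) {
    return op == 0xE6 || op == 0xE7 || op == 0xEE || op == 0xEF || op == 0x6E || op == 0x6F;
}
/* Step 107: WRITE DMA (CAh/CBh), WRITE SECTOR(S) (30h/31h), WRITE MULTIPLE (C5h). */
static bool is_write_command(uint8_t cmd) {
    return cmd == 0xCA || cmd == 0xCB || cmd == 0x30 || cmd == 0x31 || cmd == 0xC5;
}
/* Shadow of the last byte OUT to base+0..+7 of one channel; in the ATA task file +3 is the sector
 * number, +4/+5 cylinder low/high, +6 drive/head (the patent's 1F3h-1F6h / 173h-176h). */
typedef struct { uint8_t reg[8]; } taskfile_t;
typedef struct { uint16_t port; uint8_t value; uint8_t opcode; } io_event_t;

/* Step 108: the boot sector is CHS 0/0/1, or LBA 0 when drive/head bit 6 is set. */
static bool targets_boot_sector(const taskfile_t *t) {
    uint8_t dh = t->reg[6];
    if (t->reg[4] != 0 || t->reg[5] != 0 || (dh & 0x0F) != 0) return false;
    return (dh & 0x40) ? t->reg[3] == 0 : t->reg[3] == 1;
}
/* Feed one port access; returns true when the patent's alarm (step 109) would fire. */
static bool process_event(taskfile_t tf[2], const io_event_t *ev) {
    uint16_t base = ev->port & ~0x7u, idx = ev->port & 7;
    if (base != ATA_PRI_BASE && base != ATA_SEC_BASE) return false;
    taskfile_t *t = &tf[base == ATA_PRI_BASE ? 0 : 1];
    /* ports other than 1F7h/177h raise no #DB: just shadow what was written */
    if (idx != 7) { if (is_out_opcode(ev->opcode)) t->reg[idx] = ev->value; return false; }
    /* #DB on the command/status port (steps 104-105): apply the three filters */
    return is_out_opcode(ev->opcode) && is_write_command(ev->value) && targets_boot_sector(t);
}

/* Replay a trace; returns the index of the first alarming event, or -1. */
static int scan_trace(const io_event_t *trace, int n) {
    taskfile_t tf[2] = {{{0}}, {{0}}};
    for (int i = 0; i < n; i++)
        if (process_event(tf, &trace[i])) return i;
    return -1;
}

/* Constructed traces (opcode 0xEE = OUT DX,AL; 0xEC = IN AL,DX). */
static const io_event_t trace_read_boot[] = {   /* READ SECTORS (20h) of CHS 0/0/1, then a status IN */
    {0x1F2, 1, 0xEE}, {0x1F3, 1, 0xEE}, {0x1F4, 0, 0xEE}, {0x1F5, 0, 0xEE},
    {0x1F6, 0xA0, 0xEE}, {0x1F7, 0x20, 0xEE}, {0x1F7, 0x58, 0xEC} };
static const io_event_t trace_write_data[] = {  /* WRITE SECTORS (30h) of CHS 0/0/9: ordinary data */
    {0x1F2, 1, 0xEE}, {0x1F3, 9, 0xEE}, {0x1F4, 0, 0xEE}, {0x1F5, 0, 0xEE},
    {0x1F6, 0xA0, 0xEE}, {0x1F7, 0x30, 0xEE} };
static const io_event_t trace_write_boot[] = {  /* WRITE DMA (CAh) of LBA 0 on the secondary channel */
    {0x172, 1, 0xEE}, {0x173, 0, 0xEE}, {0x174, 0, 0xEE}, {0x175, 0, 0xEE},
    {0x176, 0xE0, 0xEE}, {0x177, 0xCA, 0xEE} };
#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))
int example_read_boot(void)  { return scan_trace(trace_read_boot, N(trace_read_boot)); }
int example_write_data(void) { return scan_trace(trace_write_data, N(trace_write_data)); }
int example_write_boot(void) { return scan_trace(trace_write_boot, N(trace_write_boot)); }

int main(void) {
    uint32_t dr7 = dr7_io_breakpoint(dr7_io_breakpoint(0, 0), 1);   /* DR0 = 1F7h, DR1 = 177h */
    printf("CR4 |= %#x, DR7 = %#010x\nread boot: %d  write data: %d  write boot: %d\n",
           CR4_DE, dr7, example_read_boot(), example_write_data(), example_write_boot());
    return 0;
}
```

Only the last trace alarms: the read of the boot sector fails the OUT and command filters, and the write to sector 9 fails the boot-sector test.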
By the above virus detection method, using the relevant control register, breakpoint registers, debug control register and debug status register in the central processing unit (CPU), the present invention can effectively detect at an early stage any attempt to write a virus to the boot sector of the computer system's hard disk; once such a start-up type virus is detected, a warning is issued to alert the user in good time that the computer may be infected with a start-up type virus. In practical application, the method of the present invention can perform its virus detection function in the computer system in the form of control software, or it can be stored in the system firmware (Firmware) of a personal computer to provide the computer system with real-time virus detection.
In summary, the start-up type virus detection method provided by the present invention has a high degree of industrial applicability and achieves the expected effect.

Claims (10)

1. A start-up type virus detection method for detecting whether a start-up type virus code is written to the boot sector of a hard disk device of a computer system, the computer system including a central processing unit connected to the hard disk device through an I/O interface, the central processing unit being internally provided with a control register, breakpoint registers, a debug control register and a debug status register, the detection method comprising the following steps:
a. setting the debug extension bit in a control register of the central processing unit in order to enable the I/O breakpoint debug extension function;
b. setting, in a breakpoint register of the central processing unit, the address of the disk status/command register of the hard disk device connected to the computer system;
c. setting, in the debug control register, that the central processing unit generates an interrupt when performing an I/O port operation, and setting the bit-length value;
d. determining whether a debug exception has occurred;
e. determining whether the corresponding breakpoint condition in the debug status register of the central processing unit is set;
f. determining whether the instruction currently being executed by the central processing unit is an output instruction performing a data transfer;
g. determining whether the address data sent to the I/O port in the central processing unit, by direct addressing or register indirect addressing, is an address for writing data to the hard disk device;
h. determining whether the address sent to the I/O port is the address of the boot sector of the hard disk device;
i. issuing a warning.
2. The start-up type virus detection method as claimed in claim 1, wherein step b comprises the following steps:
b1. setting the address value of a first disk status/command register; and
b2. setting the address value of a second disk status/command register.
3. The start-up type virus detection method as claimed in claim 2, wherein the address value of the first disk status/command register is 01F7h and the address value of the second disk status/command register is 0177h.
4. The start-up type virus detection method as claimed in claim 1, wherein step c comprises the following steps:
c1. setting a predetermined value in the read/write control bits of the debug control register of the central processing unit; and
c2. setting the bit-length value in the length setting bits of the debug control register.
5. The start-up type virus detection method as claimed in claim 1, wherein the data transfer output instruction of step f is OUT/OUTS.
6. The start-up type virus detection method as claimed in claim 1, wherein in step g the address value for writing data to the hard disk device includes an address for writing data through a DMA channel.
7. The start-up type virus detection method as claimed in claim 1, wherein in step g the address value for writing data to the hard disk device includes an address for writing data to a sector.
8. The start-up type virus detection method as claimed in claim 1, wherein in step g the address value for writing data to the hard disk device includes an address for writing data to several sectors.
9. The start-up type virus detection method as claimed in claim 1, wherein the I/O port address in step h is 1F3h to 1F6h.
10. The start-up type virus detection method as claimed in claim 1, wherein the I/O port address in step h is 173h to 176h.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB001010468A CN1173266C (en) 2000-01-11 2000-01-11 Starting-up type virus detection method


Publications (2)

Publication Number Publication Date
CN1304093A CN1304093A (en) 2001-07-18
CN1173266C (en) 2004-10-27 (grant)



Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100374969C (en) * 2004-11-18 2008-03-12 联想(北京)有限公司 Method for searching and killing virus and computer therefor


Also Published As

Publication number Publication date
CN1304093A (en) 2001-07-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20041027

Termination date: 20130111