i、發明説明() 本發明傜有關於電腦病毒防止控制方法及裝置: 1 9 8 7年,在値人電腦中出現病毒之第一例“ B R A IN ” ,而在這數年以來,亦有各種電腦病毒大量産生,且偏佈 廣範c_ 雖然這些病毒之數量之正確统計並不清楚,然而至今 為止,全世界所介绍岀來之電.腦病毒數量已高逹2800種; 因此,因該病毒所引起之經濟性損失傜相當重大的,便期 望有一對於相關各種電腦病毒之有效預防或防止技衔。 [習知技術] 至今為止,都是..利用病毒掃毒(疫苗)軟·體或單纯之保 護軟體等,來對電腦病毒之侵害採取預防及防止之葑策, 然而,在所述之掃毒軟體或單纯之保護軟饅等中,節有如 下所述之種種問題: (1) 在除去病毒以前,必須知道病毒之“待戡值”:亦 即,病毒亦為一種電腦軟體,每種病毒具有固有之規則性 ;因此,在預防及防止病毒時,即有必要知道該“持歡值 ”之規則性。 經濟部中央標準局員工消費合作杜印製 (2) 當病毒已經發病時,即使啓動病毒掃毒軟體,擋案 或資料等有可能已經被破壞,要對其加以防止實相當困難 C. (3) 若使用病毒疫苗(掃毒軟體),疫苗之副作用有可能 出現在正常資料中。 (4 ) ¥使用單纯之保護軟體時,有可能在起動該軟體保 衛資料以前,對DOS (磁碟操作糸统)具有攻擊性之病毒, 本纸伕尺度適用中國國家揉準(CNS ) A4規格(2丨〇X297公釐) 4 83. 3. !〇,〇〇〇 經濟部中央標準局員工消費合作社印製 A7 —~__ 五、發明説明() 或是開機型病毒,己绖進入記憶體,而且發作(改變記億 體區之大小,或是變更資料本葑等)C. (5 )進一步,有可能保諶軟體本葑受到病毒之侵害,而 成為病m之寄生體_ [本發明所要解決之問題] 因此,本發明之目的即在於提供一種用以解決如上所 記,因使用習知病毒掃毒軟體或保護軟體等所産生之數種 間題之電腦病毒的防止控制方法以及裝置,:.i. Description of the invention () The present invention relates to a method and device for preventing and controlling computer viruses: In 1987, the first case of "BRA IN" appeared in a human computer, and in the past few years, there have been Various computer viruses are produced in large numbers, and they are widely distributed. Although the correct statistics of the number of these viruses are not clear, but so far, the world ’s introduction of electricity. The number of brain viruses has been higher than 2,800 species; therefore, due to this If the economic loss caused by the virus is quite significant, it is expected that there will be an effective prevention or prevention skill for various computer viruses. [Knowledge Technology] So far, it has been using virus scanning (vaccine) software or simple protection software to prevent and prevent computer virus attacks. However, the In anti-virus software or simple protection software buns, etc., there are various problems as follows: (1) Before removing the virus, you must know the "waiting value" of the virus: that is, the virus is also a computer software, Each virus has inherent regularity; therefore, when preventing and preventing viruses, it is necessary to know the regularity of the "holding value". Du printed by the Ministry of Economic Affairs, Central Bureau of Standards and Staff Consumer Cooperation (2) When the virus has become ill, even if the virus scanning software is activated, the file or data may have been destroyed, it is very difficult to prevent it C. (3 ) If you use a virus vaccine (virus scanning software), the side effects of the vaccine may appear in normal data. (4) ¥ When using simple protection software, it is possible to attack viruses that are aggressive to DOS (disk operation system) before starting the software to protect data. This paper is applicable to China National Standard (CNS) A4 Specification (2 x 297 mm) 4 83. 3. A! A7 printed by the employee consumer cooperative of the Central Standards Bureau of the Ministry of Economic Affairs-~ __ 5. Description of the invention () or a boot-type virus that has entered memory C. (5) Further, it is possible to protect the software from the virus and become a parasite of disease m_ [this [Problems to be Solved by the Invention] Therefore, the object of the present invention is to provide a method for preventing and controlling computer viruses caused by using conventional virus scanning software or protection software, etc. as noted above, and Device,
[用以解決課題之手段][Means to solve the problem]
申請專利範圍第〗項所述之發明傜一種·將B IOS (基本 輸出人糸统)、DOS (磁碟操作条統)、以及儲存於僅讀記億 體中之病毒防止用程式(VP)連接至条统記億體之位址空間 的電腦病毒防止控制方法。其在起動該B 10 S後,立即起動 該程式(VP),而使其常駐於糸統擴充甩r〇h空間中藉此, 即可確立一種經常監視B I0S ,且在必要時會進行保護之 擴充B I0S 在確立擴充B I0S之後,檢査應起動之磁碟片的起動磁 區.同時,亦將起動磁區内之閟鍵資料儲存於一在条统記 億體位址空間中之被連接至条统用擴充ROM位址之主記億 •體以外的RAM中,然後,再藉由該擴充B I0S ,來監視DOS在 起動中的不正常操作: 並且,加入該用以在必要之情況進行保護之程式(V P ) 而確立擴充DOS,再藉由該擴充DOS,將IV了(中斷常式向量 表)儲存於該主記憶體以外之R AM中: J — I - . 訂 * 一 - (請先閱讀背面之注意事項再填寫本頁) 本紙張尺度適用中國國家標準(CNS ) A4規格(210X29*7公釐) 5 83. 3. 10,000 311204 A7 B7 五、發明説明() 申請專利範圍第2項所述之發明,偽指在申謓專利範 圍第]項所界定之發明中,該擴充B IOS監視磁碟Η之初始 化操作,並在對起動磁區進行寫入當中,當被寫入之起動 磁區所特有之資料與要寫入之資料不同時,發出警告: 同時,對於所有的寫入操作,進行DDP(装置驅動程式 )之EP (结束點)是否有被修正之檢査,並在有被修正時, 發出警告·: 前述擴充DOS绖常將IVT與該儲存於前述RAH中之IVT作 —比較.並在结果不同時,判斷檔案之修正是否以常駐中 斷常式來進行修正,·若不是利用常駐中斷器來進行修正的 話,則發出聱告。 當檔案之修正被進行時,判斷是否為COMMAND. COM,若 是的話,則發出警報然後中斷修正命令,反之若不是的話 ,則判斷目前所打開之檔案分段與要進行修正之檔案分段 是否儲存在同一常駐記億體分段中。 若不是同駐的話,則視為正常操作而允許修正,若同 駐的話,則再次將被打開之檔案(儲存於R AM3中)之擋案名 與將被修正之檔案名作一比較,當兩者並非相同時,發出 經濟.砰中央榡準局員工消費合作社印袈 (請先閱讀背面之注意事項再填寫本頁) 進一步,對配有.COM或.ΕΧΕ副檔名之檔案進行檢索, 並在要對帶有該副檔名之檔案進行修正時,發出警告 申請專利範圍第3項所述之發明傜一:搭載有上述固 定性儲存記億韹(唯讀記億體)以及RAM ,並在該唯讀記憶 體中記憶有申請專利範圍第1項所述之病毒防止用控制程 本纸铁尺渡適用中國國家標準(CNS ) A4規格(210X297公嫠) 6 83.3. !〇,〇〇〇 經濟部中央標隼局員工消費合作社印製 A7 B7 i、發明説明() 式(V P ),且將各各連接至該条统記憶體位址空間中之擴充 用R Ο Μ位址上者 進一步,設置一些分別對憋於該唯讀記億韹以及RAM 之恝存器,並葙由來自暫存器之附加信號以及來自相對m 唯讓記億體之K料,對電腦之糸统位址空間中之糸統用擴 充ROM用空間位址加以特定。 申請專利範圍第4項所述之發明係構設成搭載有申請 專利範圍第3項所述之擴充記憶體板,並將該擴充記億體 板之位址設定成H:該条统記憶體空間之条統擴充用ROM空 間之位址還上位。. - [作用] 藉由本發明,病毒防止用控制程式(V P )傜以韌體之形 態被儲存於供讀取專用之唯讀記億體中,因此,任何病毒 都無法進入該病毒防止用控制程式(VP)。 起動磁區中之關鍵資料以及IVT係被儲存·於条统記億 體以外之記億體(R AM)中,因此,任何病毒都無法攻擊儲 存於該RAM中之資料: 進一步,在碟片之初始化中,若寫入起動磁區中之起 動磁區所持有的資料和要寫入之資料不同時,會發出警告 .。藉此,卽可對開機型病毒達到防禦功能。 另外,經常將IVT與儲存於RAM中之IVT加以比較,當 兩者不同,且未利用常駐中斷常式修正檔案時,即發出警 告。藉Itt,卽可對未進入常駐中斷常式且以非法手段常駐 之檔案型病毒達到防禦之功能。 .I I!— 1—.....- - —^1 - - - I - -........ I -I ,1""^ • - (请先閱讀背面之注意事項再填寫本頁) 本紙乐尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 7 83. 3. !〇,〇〇〇 經濟部中央標準局員工消費合作社印製 A7 B7 五、發明説明() 又,在檔菜彼咚it:時,會判斷是否為COMMAND . COM,若 足-COMMAND . D:)M的,¾ , El]使异報發作;倘非 COMMAND . COM的 a,則在s的打開之檔萊分段與要終正之檔菜分段偽同駐 於記憶體,且波打開之檔菜與要終正之檔案的檔菜名稱不 相同時,發出警報:褚此,即可對利用中斷常式之檔案型 病毒達到防梁之功能 進一步.當有檔菜被檢索時,若所要修正之檔案的畐a 檔名傜.COM或.ΕΧΕ的話,則發出警報:藉此,Ε卩可對不利 用中斷常式亦不利用記億韹之檔案型病毒達到防禦之功能 [實施例] 第1圖為一甬以儲存一作為本發明之電腦病毒防止控 制方法之程式(V Ρ )的擴充記憶證板之構成實施例。第2圖 顯示電腦糸统記億疆之一架構實施例。進一步,第3與第 4圖為本Μ明之電腦病毒防止控制方法之實施例動作流程 圖: 第1圖之擴充記億體板1雖然可以是一單獨之外部裝 置,然而最好是被連接至未顯示於圖中之電腦主機本體之 記億饋擴充槽上:在該擴充記憶證板1中,2為包含有兩 .屆晶片(CS 1,CS2 )之讀取專用記億il (以下稱之為ROM 2 ) ,而在實施例中,偽使用EPROM :在該ROM 2中,儲存有 該供電腦病毒防止控制用之程式(V P )。 3為寫入/讀取記億體,以兩_ RAM構成:4、5為暫存 器,6為晶Η選擇用之控制器。進一步,7、S分別為資料 (請先閱讀背面之注意事項再填寫本頁) 装· 本紙張尺度適用中國國家標準(CNS ) Α4規格(210Χ297公釐) 8 S3. 3. 10,000 經濟部中央標準局負工消費合作社印装 3批〇4 Α7 Β7 i、發明説明() 匯流排與位址匯流排.其連接至范腦之擴充用擴充槽匯流 排上:.晶片遛擇用控制器(5根裤一透過位址匯流排送過來 之位址信號來jl擇晶片CS 1至CS4 ,並將選擇信號送绐相對 應;之晶片 第2圔為一未顯示於圖中之電腦的糸统記億體空間之 構成實施例640K位元組之記億體區域20為作為標準記億 體之主記億體區:在第2圖中,比640K位元組還上位處有 V R AM區2 1 ,而比此區還上位處則還有糸統甩擴充ROM之位 址空間22、BIOS、BASIC用ROM位址空間23等,至於更上位 則有擴充R A Μ用位址空間2 4 · 在本發明之實施例中,第1圖之擴充記憶體板1上之 ROM 2與RAM 3連接至条统用擴充ROM之位址空間22,更具 體而言,偽連接於該糸統用擴充ROM之位址空間中,比其它 条统用擴充ROM還上泣之位址: 儲存於ROM 2之供電腦病毒防止控制用之程式(VP)由 多數値程式所構成,此等多數程式偽藉由來自R0M2之資料 ,而被連接至糸統記憶體内之糸統用擴充R0H之位址空間 22中之同位位址上: . 第1圖之暫存器4、5偽搆設成會對那些被連接至糸統 .用擴充ROM之位址空間中之同位位址上之多數程式,將附 加之資料加至該來自ROM 2之資料,並轉移各各所連接之 位址。 藉此,在条统用擴充ROM所闬之位址空間中,即有可 能將第1圖之擴充記億體板上之ROM所佔有之位址空間抑 (請先閲讀背面之注意事項再填寫本頁) 裝· 訂 本紙張尺度適用中國國家標準(CNS ) Α4規格(210Χ297公釐) 9 83. 3.10,000 經濟部中央標準局負工消費合作社印製 A7 _B7__ 五、發明説明() 制得較小_ -· 進一步,在存取R Ο Μ 2内之程式時,由於必需要有來 自暫存器4、5之附加资料,若僅取得ROM 2即解析被記存 於其中之供電腦病谨防止控制用之程式(VP )將相當困難。 因此,將可以防止第三者易於知道程式(V P )之資料 在本發明之莨施例中,如上所述般,傜將ROM 2連接 至条統用擴充ROM所用位址空間中之比其它擴充用ROM還上 位之位址中,Μ此,ROM 2中之程式(VP)將優先被執行。 為此,電腦將可以在B I0S之起動中或是起動DOS之前 即執行病毒防止控制.程式,而作成具有抗病、毒能力之擴充 BIOS、擴充DOS等。 第3與第4圖為依據本發明所成病毒防止控制方法之 一賁施例的動作流程圔(之1 ,之2 ):該流程圖之一連串動 作傜藉由該被記存於R 0 Μ 2中之程式(V P )而被控制執行的 以下,就第3與第4圖作一說明,其中,*亦就上述擴 充B I0S與擴充DOS之意義加以詋明。 藉由對電腦之電源切入,即起動該連接至第2圖所説 明之電腦之糸统記憶體空間位址23的ROM中所記憶之糸統 .3 I 0S。然後,取入第1圖所示本發明擴充記億體板之ROM 2所記億之程式(V P ),使其發展成具有抗病毒能力之擴充 BIOS : 進一步,藉由已確立之擴充BIOS,同樣地亦對DOS加 V第1圖之ROM 2所記億之程式(VP),而使其發展成擴充 本纸張尺度適用中國國家標準(CNS)A4规格( 210X297公釐) 83.3.10,000 (請先閏讀背面之注意事項再填寫本頁) 装. 訂 A7 B7 S11204 五、發明説明() DOS(步驟S1),俾對DOS進行DOS之非正常操作監視,並在 必要的情況下,進行保諶: 在此,所諧擴充之B 10S傜指:在電腦執行擴充記億體 板(第1圖)之ROM 2内之程式(VP )時,會將安全檢査之程 式(V P )加至磁碟中斷常式中,Μ由經常監視,而在糸統 Β 10S上發展成具有抗病毒能力者的東西。 其次,藉由擴充之Β 10S ,將應起動磁碟片之起動磁區 、IVT等之關鍵資料儲存於與条統記億體分開之擴充記億 體板的R A Μ 3 (第1圖)中(步驟2)。 進一步,作為步,2之接缙處理的是,·在糸統起動之 後,擴充B I0S會監視所有的磁碟片初始化,並在將資料寫 入起動磁區時,當被寫入之起動磁區所特有之資料與要寫 入之資料不同時,發出警告: 又,對於所有的寫入操作而言,會追尋DPB(裝置參數 集)之鐽路、檢査DDP (裝置驅動程式)之ΕΡ (结束點)是否有 被修正。 萬一有披修正的話,卽發出警告,並依使用者之選擇 ,根據目前保存於R AM 3内之先前資料來修正資料。 其次,磁碟HE卩被起動,而在DOS之下,執行檔案(步 驟 S 3 )。 有可能因檔案之執行而使病毒被誘導,而在檔案被執 行以前即存在有病毒:而且,在執行程式時,有必要使執 行檔案之程式資料與磁碟中斷常式常駐於RAM空間20上, 並透過被常駐之中斷常式來執行程式: -----------A裝------訂 -- ' (請先閱讀背面之注意事項再填寫本頁) 經濟部中央標準局員工消費合作社印製 本紙張尺度適用中國國家標準(CNS ) A4規格(2丨0X297公釐) 11 83. 3. !0,〇〇〇 經濟部中央標準局員工消費合作杜印製 A7 B7 五、發明説明() 因此,病茁之R入迚迠感染的可能性一般而言都是括 山如下所述之態极迤ίί 亦[1卩,第],病沿不侵入常駐中 Κ常式屮,犯非沾地常5丨:於S恺§2内之诘況;第2 .利用 常駐中_常式之沾況;以及,笫3 ,不利用中斷常式亦不 利用記恺體之诘況 在第一種情況下.所發生之現象是記億體大小改變了 第二種倩況則為中旣常式被爱更了,第三種倩況則為帶 有副檔名為.COM或.ΕΧΕ之檔案被檢索,且被改寫 因此,應捉注相関現象,來進行起動磁區之查核(步 聲S4 ,第3 _ )、記镡體大小有無變更之判定(步罱S5 ,第 3圖)、中斷常式有無改寫之判定(步認S 6,第4圖)、以及 在檔案檢索之同時其它檔案(帶有.COM或.ΕΧΕ之檔案;是否 有改寫之判定(步認S7,第4圖): 以下,就每膣步驟之處理倩形作説明·· [起動磁區之查核:步認S4,第3圖]· 起動磁區為用以儲存磁碟片之關键資料的一部份,其 在被初始化後,在一般狀態下,通常不行變更··因此,起 動磁區如果有變更的話,即大略可推定有因病毒而起之侵 害: 因此,與先前保存於R AM 3之起動磁區相比較,以進 行起動磁區是否有差異之查核。 當有差異存在時,ε卩視為病毒有侵入,而發出警告( 步驟sh):對此警告,依使用者之選擇,看是要進行中止 U i、再起動(R )、全更新(Μ )、或是病毒刪除(Ε ί等之處理 本纸張尺及適用中國國家標準(CNS ) Α4規格(210X297公釐) -12 - 83.3. 10.000 1, 1 裝-- t - (請先閲讀背面之注意事項再填寫本頁) 訂 經濟部中央標準局貝工消費合作社印製 3112Ό4 Α7 Β7 五、發明説明() (步琛 S4 2) : 若為全更新(Μ )之怙況,ΕΠ有可能允許病毒進入 病芾刪除刖偽各判定步驟中所含之共通處理(步驟S10 ),其内容説明於浚… ί記憶體大小的查核:步驟S5 :第3圖] 當起動磁區沒有變更時,依使用者之選擇,在認同全 部之變更(Μ ),或是後面所說步驟S 1 0之處理完了時,其次 即查核記億體大小有無變更(步驟S 5 ): 擴充DOS只承認条統内之正常檔案的修正:亦即,若 檔案之中斷常式之修正偽常駐於糸统記億il ‘内之中斷常式 的話,擴充DOS即予以認可;若以除此以外之手段修正資 料之中断常式的話,即懷疑是否為病毒所為: 亦即,在因病毒而改寫中斷常式之後,由於無法與正 常之程式同時常駐於記億體内,將以所謂改寫記億體空間 ,或改寫MC B (記億體控制器集)之資料乏類的不合法,亦 即不合法地使用常駐中斷常式之方法,侵入記億體。 因此,查核記億IS大小是否有變更(步驟S5),並在有 變更時,即暫且視為有病毒之疑慮,而再判定糸統記億體 内之IV T (中斷常式向量表)是否有變更(步驟S 5 1 ): 亦即,擴充DOS會經常地將糸統記億體内之ιντ (中斷 常式向量表)與擴充DOS起動時所備存於擴充記億體板之 R A Μ 3中的IV T相比較。 當有所不同時,即判斷是否為常駐中斷常式所修正的 ,若不是使用常駐中斷常式來進行修正的話.即發出聱告 I- -I . ml 1 -1 .......... In n m^— 一-▼ (請先閱讀背面之注意事項再填寫本頁) 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 13 83.3.10,000 經濟部中央樣準局員工消費合作.社印裝 A7 B7 五、發明説明() (步薛S 5 2 ) U大,!fi试山被P正.以m之1 V T (保存於R A Μ 3中),來 π m系統S位K;内之丨VT (步!S S] 0-1 ): 進-步,追Θ中既常式偽以何種命今被改窝的,並消 除病毐:亦即,追縱MCB (記憶體控制器集)鐽路,由糸统 記铠Si内刪除想要改窝之步驟(PROCESS )(步驟S1 0之2 ), 使正常之實行過程正常的實行(步認S10之3): 藉由以上之處理,即有可能作到對不侵入常駐中劻常 式且以非法手段常5£之檔案型病毒的防禦:進一步,藉由 步驟S ] 0之]至3除去病毒,而且,作成即使為病毒所侵害 之程式亦可安全地執行: [中斷常式之改寫查核:步認S6,第4圖] 擴充D 0 S取出常駐程式之P S Ρ ί程式分段標頭(p r e fi X i ) 的S A (分段位址(s e β m e n t a d d r e s s )),並將其儲存於R A Μ 3 (第1圖)中:同時,擴充DOS經常監視檔案操i作,並在打 開檔案時,将要打開之檔粟的檔案句柄(f i 1 e h a n d 1 e )與 檔案名連同SA儲存於RAM 3中;這些檔案句柄、檔案名以及 SA為丨票定檔案之三基本要_ : 藉由中睛常式之愛更,來查核(步驟S6)檔案是否有修 .正之可能性:其次,判斷被修正之檔案是否為COMMAND . C0 Μ檔;COMMAND. CGM為DOS之固定式指令,由於其在通常狀 態不會被修正,因而被修正之檔案若為COMMAND. COM的話, 即發出替告,中止昨正命令(步驟S 6 1、6 3 ): 又,若非COMMAHD.COM的話.刖判斷目前所打開之檔 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 83. 3. 10,000 (請先閱讀背面之注意事項再填寫本頁) 裝· 訂 311204 經濟部中央標準局員工消費合作社印— Α7 Β7 i、發明説明() 案分段與要修正之檔菜分段是否儲存於同一常駐記億體分 段内,若不是同駐的話,即允許正常之修正: 若同駐的話,再-.·次地比較目前所打開之檔案(儲存 於R AM 3中)的檔菜名與被修正之檔案名;若不同,亦即, 所要修正者為常駐記億體内之程式以外之檔案時,發出警 告(步驟 S 6 2、6 3 ) _: 對於是項警告,依使用者之選擇,看要進行:允許修 正(M >、處理中止(A )、再起動(R )、或是與先前所述一樣 之步驟S10之1至3等處理。 籍由如上所述之.處理,將可以對於利用'常駐中斷常式 之檔案型病毒加以防梁:進一步,藉由步驟S10之1至3除 去病毒,而且,作成即使偽已為病毒所S入之程式亦可以 安全地執行。 [檔案之檢索以及其它檔案之修正S7 :第4圖] 另一方面,在步驟S6中,中斷常式若沒t變更的話, .其次即查核一些帶有.COM或· ΕΧΕ之副檔名之檔案的檢索 是否舆帶有這些副檔名之執行檔案的修正同時(步驟S7)。 未常駐於記憶體,而旦亦不利用中斷常式之病毒會檢 - 索一些帶有.COM或.ΕΧΕ副檔名的檔案,並感染至其後之正 常的執行檔案,或是破壞之。而檢索之有無係籍由磁碟中 斷常式之檢索程式來進行。 壙充DOS監視像這樣之檔案操作,若有進行槽案之檢 索操作,則在想要修正一與目前所打開之搶案不同之其它 檔案時,亦即,帶有.COM或.ΕΧΕ副檔名之檔案時,表示出 (請先閱讀背面之注意事項再填寫本頁) 裝. 訂 本紙張尺度適用中國國家標準(CNS ) Α4規格(210X297公釐) 15 83.3. 10,000 經濟部中央榡準局員工消費合作社印裝 A7 B7 i、發明説明() 要被修正之檔菜名以及一些餐告文,俾詧告之(步驟S7 1 ) 對此.依使用者之筵擇,替要進行:允許修正(Μ)、 處理中止(A )、再起動(R ) '或是與先前所述一樣之步驟S 1 0之3等處理:又,由於此處之病毒不使用中斷常式亦不使 甩記億體,所以不進行步驟S 1 0之1與之2之處理。 藉由如上所述之處理,將可以對於不利用中斷常式亦 不利用記憶體之檔案型病毒作到防禦。 雖然已經如上所述般,就實施例說明本發明,然而本 發明並不限定於所述.之實施例。與本發明之 '主旨—致者當 然在本發明之保護範圍内。 [發明之效果] 如同以上已説明者,在本發明中,為了防止電腦病毒 所設定之資料即使受到病毒之浸害,亦不會成為寄生體。 又,藉由本發明,由於具有病毒防止能力之擴充B IOS 在DOS起動前即被完成,在任何一種病毒發作以前,都可 以保護条统:同時,對於DOS亦給與安全的外殼,因而在 DOS下之檔案操作與進行中,對於來自病毒之攻擊與侵害, 都可予以保護與防止。 [圖示之簡單説明] 第1圖為瞜用本發明之擴充記億體板之一構成例的方 塊圖。 弟2圖為電腦之糸統記億疆的一構成例。 第3圖為本發明之控制方法的動作流程圖(其1 > c. I = i -- - - - - -- - - ....... 1- « 1-1--^I ...... ! - ...... - -- -. (請先閲磧背面之注意事項再填寫本頁) 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 83. 3.10,000 A7 B7 五、發明説明() 第4 _為本發明之控制方法的動作流程圖(其2)。 ί符號説明] 1 擴充記億體板 2 讚取專用記憶體(ROM)The invention mentioned in item § 1 of the patent application scope · B IOS (Basic Output System), DOS (Disk Operation System), and a virus prevention program (VP) stored in a read-only memory A method for preventing and controlling computer viruses connected to the address space of all accounts. After the B 10 S is started, the program (VP) is started immediately, so that it is resident in the system expansion space, and a regular monitoring B I0S can be established, and protection will be performed when necessary. Expansion B I0S After establishing the expansion B I0S, check the starting magnetic area of the disk that should be started. At the same time, the key data in the starting magnetic area is also stored in a connected address space in the system memory Go to the main memory of the expansion ROM address of the system, and then use the expansion B I0S to monitor the abnormal operation of DOS during startup: And, add this to be used when necessary The protected program (VP) is used to establish the extended DOS, and the extended DOS is used to store the IV (interrupt routine vector table) in the R AM outside the main memory: J — I-. Order * 1- (Please read the precautions on the back before filling in this page) This paper size is applicable to the Chinese National Standard (CNS) A4 specification (210X29 * 7mm) 5 83. 3. 10,000 311204 A7 B7 V. Description of invention () Patent scope The invention mentioned in item 2 is falsely referred to as item in the scope of the patent application] In the defined invention, the extended B IOS monitors the initialization operation of the magnetic disk Η, and when writing to the starting magnetic area, when the data unique to the written starting magnetic area is different from the data to be written, Warning: At the same time, for all write operations, check whether the EP (end point) of the DDP (device driver) is corrected, and issue a warning when it is corrected .: The aforementioned extended DOS tool often uses IVT and The IVT stored in the aforementioned RAH is used for comparison. When the results are different, it is judged whether the file correction is modified by the resident interrupt routine. If it is not rectified by the resident interrupter, a notice is issued. When the correction of the file is carried out, it is judged whether it is COMMAND. COM, if yes, an alarm is issued and the correction command is interrupted, otherwise if not, it is judged whether the currently opened file segment and the file segment to be modified are stored In the same resident record billion body segment. If it is not co-located, it is regarded as normal operation and correction is allowed. If co-located, the file name of the opened file (stored in R AM3) is compared with the file name to be corrected. If they are not the same, issue the economy. Bang Bang Central Bureau of Precinct Employee Consumer Cooperative Seal (please read the precautions on the back before filling out this page). Further, search for files with .COM or .ΕΧΕ file extensions, and When the file with the file extension is to be amended, a warning is issued to apply for the invention described in item 3 of the patent scope: First: equipped with the above-mentioned fixed storage memory (only read memory) and RAM, and In the read-only memory, there is the virus control control program described in item 1 of the patent application scope. The paper ruler is applicable to the Chinese National Standard (CNS) A4 specification (210X297 public daughter) 6 83.3.! 〇, 〇. 〇 The A7 B7 i, the invention description () type (VP) printed by the Employee Consumer Cooperative of the Central Standard Falcon Bureau of the Ministry of Economic Affairs, and each connected to the expansion memory address space in the system memory R Ο Μ address is further , Set some separate The read-only memory and RAM memory, and the additional signal from the temporary memory and the K data from the relative m memory, are used to expand the system in the computer's system address space. The ROM is specified by the space address. The invention described in item 4 of the patent application scope is configured to carry the expansion memory board described in item 3 of the patent application scope, and the address of the expansion memory board is set to H: the general memory The address of the ROM space for space system expansion is still higher. -[Function] With the present invention, the virus prevention control program (VP) is stored in the form of firmware in a read-only memory for reading only. Therefore, no virus can enter the virus prevention control. Program (VP). The key data in the boot sector and the IVT system are stored in the memory system (R AM) other than the system memory system. Therefore, no virus can attack the data stored in the RAM: Further, on the disc During the initialization, if the data held in the starting magnetic zone written in the starting magnetic zone is different from the data to be written, a warning will be issued. In this way, it can achieve a defense function against boot-up viruses. In addition, IVT is often compared with the IVT stored in RAM. When the two are different and the resident interrupt routine is not used to modify the file, a warning is issued. With Itt, it is possible to prevent file viruses that have not entered the resident interrupt routine and are resident by illegal means. .II! — 1 —.....--— ^ 1---I--........ I -I, 1 " " ^ •-(Please read the notes on the back first (Fill in this page) This paper music standard is applicable to China National Standard (CNS) A4 specification (210X297 mm) 7 83. 3. 〇, 〇〇〇 A7 B7 printed by the Employee Consumer Cooperative of the Central Standards Bureau of the Ministry of Economy V. Description of invention () In addition, when it is filed, it will determine whether it is COMMAND. COM, if it is -COMMAND. D:) M's, ¾, El] will cause the abnormal report; if it is not COMMAND. COM a, it will be in s When the opened file segment of the file and the file segment to be finalized are pseudo-resident in the memory, and the file name of the file opened by the wave is different from the file title of the file to be finalized, an alarm is issued: Using the file-type virus that interrupts the routine to achieve the function of anti-beam. When a file is retrieved, if the file name to be amended is a file name 傜 .COM or .ΕΧΕ, an alarm is issued: With this, Ε 卩The file-type virus that does not use the interrupt routine or the billion-dollar virus can be used for defense. [Embodiment] Figure 1 is an example of a computer virus prevention method of the present invention. The method of the program configuration system (V Ρ) memory card expansion board of the embodiment. Figure 2 shows an example of the architecture of the computer history of Yijiang. Further, FIGS. 3 and 4 are flowcharts of an embodiment of the computer virus prevention and control method described in FIG. 1. Although the expansion memory board 1 in FIG. 1 may be a separate external device, it is preferably connected to Not shown on the computer's main body of the computer's main body Yiji feed expansion slot: In the expansion memory card 1, 2 is containing two. The chip (CS 1, CS2) read special memory il (hereinafter referred to as It is ROM 2), and in the embodiment, EPROM is used pseudo: in ROM 2, the program (VP) for computer virus prevention control is stored. 3 is a write / read memory, composed of two RAMs: 4, 5 are temporary registers, and 6 is a controller for crystal H selection. Further, 7 and S are data (please read the precautions on the back before filling in this page). The paper size is applicable to China National Standard (CNS) Α4 specification (210Χ297mm) 8 S3. 3. 10,000 Central Standard of the Ministry of Economic Affairs 3 batches of printed and printed by the Bureau ’s Consumer Cooperative Society 〇4 Α7 Β7 i. Description of the invention () bus and address bus. It is connected to the expansion expansion bus of Fannao :. Chip optional controller (5 Root pants 1 selects the chips CS 1 to CS4 through the address signals sent from the address bus, and sends the selection signals to the corresponding ones; the second chip of the chip is a computer record not shown in the figure. Example of the composition of the 100 million body space The 100 million body area of 640K bytes is the main body area of the 100 million body as the standard 100 million body: in the second figure, there is a VR AM area 2 1 above the 640K byte , And higher than this area, there is the address space 22 of the ROM expansion ROM, BIOS, BASIC ROM address space 23, etc., as for the upper level, there is the extension RA Μ address space 2 4 · In this In an embodiment of the invention, the ROM 2 and RAM 3 on the expansion memory board 1 of FIG. 1 are connected to the system The address space 22 of the expansion ROM, more specifically, is pseudo-connected to the address space of the expansion ROM for the system, and it is more than the address of the expansion ROM for other systems: stored in ROM 2 for computer viruses The program for preventing control (VP) is composed of a majority of programs, and most of these programs are connected to the parity in the address space 22 of the R0H extension of the system memory by the data from R0M2. On the address:. The temporary registers 4 and 5 of Figure 1 are pseudo-configured to add the additional data to most programs on the co-located addresses in the address space of the expansion ROM. To the data from ROM 2, and transfer each connected address. In this way, in the address space of the conventional expansion ROM, it is possible to remember the expansion of the first image of the ROM on the body board Occupied address space (please read the precautions on the back before filling out this page) The size of the paper for binding and binding is applicable to China National Standard (CNS) Α4 specification (210Χ297mm) 9 83. 3.10,000 Central Standard of the Ministry of Economic Affairs A7 _B7__ printed by the Bureau ’s Consumer Cooperatives V. Description of invention () _-· Further, when accessing the program in R Ο Μ 2, because additional data from the registers 4, 5 is necessary, if only the ROM 2 is obtained, the analysis is stored in it for the computer to prevent it. The control program (VP) will be quite difficult. Therefore, it will prevent the third party from easily knowing the data of the program (VP). In the embodiment of the present invention, as described above, ROM 2 is connected to all In the address space used by the expansion ROM, which is higher than other expansion ROMs, the program (VP) in ROM 2 will be executed first. For this reason, the computer will be able to execute the virus prevention control program during the startup of the B I0S or before starting the DOS, and create an expanded BIOS, expanded DOS, etc. with disease resistance and poison capabilities. Figures 3 and 4 are the operation flow of the embodiment of one of the virus prevention and control methods according to the present invention (No. 1, No. 2): a series of actions in the flow chart are recorded in R 0 M The program (VP) in 2 is controlled and executed as follows, and an explanation will be made on the third and fourth figures. Among them, * also clarifies the meaning of the above-mentioned expansion B I0S and expansion DOS. By switching on the power of the computer, the system stored in the ROM connected to the computer's system memory space address 23 described in Figure 2 is started. The system is .3 I 0S. Then, take the program (VP) recorded in the ROM 2 of the expansion memory board of the present invention shown in Figure 1 to develop it into an expansion BIOS with anti-virus capabilities: Further, with the established expansion BIOS, In the same way, DOS adds the program (VP) recorded in the ROM 2 of Figure 1 of V V to expand it to expand the size of this paper to apply the Chinese National Standard (CNS) A4 specification (210X297 mm) 83.3.10,000 ( Please read the precautions on the back before filling in this page) Pack. Order A7 B7 S11204 V. Description of invention () DOS (step S1), to monitor the abnormal operation of DOS to DOS, and if necessary, carry out Bao Chen: Here, the harmonious expansion of B 10S means: when the computer executes the program (VP) in the ROM 2 of the expansion memory board (Picture 1), the security check program (VP) will be added to In the disk interruption routine, M is constantly monitored and developed into something with anti-virus capabilities on the system B 10S. Secondly, with the expanded B 10S, the key data such as the starting sector and IVT of the starting disk should be stored in the RA Μ 3 (Figure 1) of the expansion memory board that is separate from the system memory. (Step 2). Further, as a step, the connection of 2 is to deal with: After the system is started, the expansion B I0S will monitor all disk initializations, and when writing data to the starting magnetic area, when the written starting magnetic When the data unique to the area is different from the data to be written, a warning is issued: In addition, for all write operations, the DPB (device parameter set) path will be traced, and the DDP (device driver) EP (device driver) will be checked. End point) Has it been corrected. In case there is a correction, a warning will be issued and the data will be corrected according to the previous data currently stored in R AM 3 according to the user ’s choice. Next, the disk HE is activated, and under DOS, the file is executed (step S 3). It is possible that the virus is induced due to the execution of the file, and there is a virus before the file is executed: and, when executing the program, it is necessary to interrupt the program data and disk of the execution file. , And execute the program through the resident interrupt routine: ----------- A installed ------ order-'(please read the precautions on the back before filling this page) Economy The paper printed by the Ministry of Standards and Staff's Consumer Cooperative applies the Chinese National Standard (CNS) A4 specification (2 ~ 0X297mm) 11 83. 3.! A7 B7 Fifth, the description of the invention () Therefore, the possibility of the disease entering the paniculosis infection is generally Kuoshan's state as described below. It is also extremely [1 卩, 第], the disease edge does not invade the resident Κ 常式 屮, committing non-staining conditions 5 丨: In the § 2 of the situation; the second use of the resident in the _ regular conditions; and, 3, do not use the interrupt routine nor use the memory The condition of Kai is in the first case. The phenomenon that occurs is that the size of the body is changed. The second kind of condition is Zhong Zhong Chang Being loved and changed, the third kind of profile is that files with the extension .COM or .ΕΧΕ are retrieved and rewritten. Therefore, you should pay attention to related phenomena to check the starting magnetic zone (step sound S4 , No. 3 _), the judgment of whether the size of the body is changed (Step S5, Figure 3), the judgment of whether the interrupt routine is rewritten (Step S 6, Figure 4), and other files while the file is being retrieved (Files with .COM or .ΕΧΕ; whether there is a rewrite determination (step recognition S7, Figure 4): The following is an explanation of the processing of each step. [Initial magnetic zone check: step recognition S4 , Figure 3] · The starting sector is a part of the key data used to store the disk. After being initialized, it is usually not changed under normal conditions. Therefore, if the starting sector is changed, , That is, it can be presumed that there is an attack caused by a virus: Therefore, compared with the starting magnetic area previously stored in R AM 3, to check whether there is a difference in the starting magnetic area. When there is a difference, ε 卩 is regarded as Viruses are invaded and a warning is issued (step sh): This warning is based on the user's choice Select, see if it is necessary to suspend U i, restart (R), full update (Μ), or virus delete (Ε ί) processing of this paper ruler and apply China National Standard (CNS) Α4 specifications (210X297 mm ) -12-83.3. 10.000 1, 1 pack-t-(please read the precautions on the back before filling in this page) Order 3112Ό4 Α7 Β7 printed by the Beigong Consumer Cooperative of the Central Standards Bureau of the Ministry of Economy V. Description of invention () ( Buchen S4 2): If it is a failure of the full update (Μ), ΕΠ may allow the virus to enter the disease, delete, and fake the common processing included in each determination step (step S10), its content is explained in Jun ... ίMemory Body size check: Step S5: Figure 3] When the starting magnetic field has not been changed, according to the user ’s choice, after recognizing all the changes (Μ), or after the processing of step S 10 described later is completed, followed by That is, check whether there is any change in the size of the billion body (step S 5): Extended DOS only recognizes the modification of normal files within the system: that is, if the modification of the interruption routine of the file is falsely resident in the interruption of the Yiyiji If it is a routine, the expansion of DOS will be recognized; if it is otherwise If the interrupt routine of the segment correction data is suspected to be caused by a virus: That is, after the interrupt routine is rewritten due to a virus, since it cannot be resident in the memory of the billions at the same time as the normal program, the so-called rewriting of the billions will be used. The space, or rewriting the MC B (Embodiment Controller Set) data is not legal, that is, the method of using the resident interrupt routine illegally to invade the memory entity. Therefore, check whether there is a change in the size of the billion IS (step S5), and when there is a change, it is temporarily considered to be a virus, and then determine whether the IV T (interrupt routine vector table) in the body of Yitong Jiyi There is a change (step S 51): That is, the extended DOS will often store the ιντ (interrupt routine vector table) in the system and the extended DOS stored in the RA Μ of the extended memory board. Compare the IV T in 3. When it is different, it is judged whether it is corrected by the resident interrupt routine. If it is not corrected by the resident interrupt routine. I- -I. Ml 1 -1 ....... ... In nm ^ — 一-▼ (Please read the precautions on the back before filling in this page) This paper size is applicable to China National Standard (CNS) A4 specification (210X297mm) 13 83.3.10,000 Employee consumption cooperation. A7 B7 printed by the company. V. Description of the invention () (Bu Xue S 5 2) U big! fi test mountain was P positive. Take 1 of VT of m (stored in RA Μ 3), come to π m system S bit K; within 丨 VT (step! SS) 0-1): go forward, follow Θ What kind of routine is the fate of being changed to the nest, and eliminate the disease: that is, chase the MCB (memory controller set), and delete the steps you want to change the nest in the Si Si PROCESS) (Step S1 0 of 2), so that the normal execution process is carried out normally (Step S10 of 3): Through the above processing, it is possible to do not invade the resident routine and use illegal means to often 5. File file virus defense: further, remove the virus by step S] 0)] to 3, and, even if the program is compromised by the virus, it can be safely executed: [Rewrite check of interrupt routine: step recognition S6, Picture 4] Expand D 0 S Take out the SA (segment address (se β mentaddress)) of the PS PL program segmentation header (pre fi X i) of the resident program and store it in RA Μ 3 (Picture 1): At the same time, the extended DOS often monitors the file operations, and when opening the file, the file handle (fi 1 ehand 1 e) of the file to be opened is connected to the file name It is stored in RAM 3 with SA; these file handles, file names, and SA are the three basic requirements of the voted file _: Check whether the file has been repaired (step S6) with the love of the regular eye. Sex: Secondly, determine whether the modified file is COMMAND. C0 Μ file; COMMAND. CGM is a fixed command of DOS, because it will not be modified in the normal state, so if the modified file is COMMAND. COM, that is Issue a substitute notice to suspend yesterday's order (steps S 6 1, 6 3): And, if it is not COMMAHD.COM. It is judged that the current open paper size is applicable to the Chinese National Standard (CNS) A4 specification (210X297 mm) 83. 3. 10,000 (please read the precautions on the back before filling in this page) Binding · Order 311204 Printed by the Consumer Cooperative of the Central Bureau of Standards of the Ministry of Economic Affairs-Α7 Β7 i. Description of the invention () Section of the case and the file to be amended Whether the segment is stored in the same resident account segment, if it is not co-located, normal corrections are allowed: If it is co-located, then-. · Compare the currently opened files (stored in R AM 3) The name of the file and it is amended Case name; if it is different, that is, if the file to be modified is a file other than the program in the resident memory, a warning is issued (step S 6 2, 6 3) _: For this warning, according to the user ’s choice, see To do: Allow correction (M >, processing abort (A), restart (R), or the same processing as steps 1 to 3 of step S10 described earlier. By processing as described above, the file-type virus using the 'resident interrupt routine can be protected: further, the virus is removed by steps 1 to 3 of step S10, and it is made even if the virus is false The program can also be executed safely. [Retrieval of files and modification of other files S7: Figure 4] On the other hand, in step S6, if the interruption routine is not changed, the second is to check for some file extensions with .COM or ΕΧΕ Whether the retrieval of the file is accompanied by the modification of the execution file with these file extensions (step S7). Viruses that are not resident in memory, but do not use interrupt routines-retrieve some files with .COM or .EXX file extensions, and infect subsequent normal execution files, or destroy them. The retrieval is carried out by a disk interrupt routine search program. DOS monitors file operations like this. If there is a slot search operation, when you want to modify a file that is different from the currently opened robbery, that is, with .COM or .ΕΧΕ file extension When the file is named, please indicate it (please read the precautions on the back before filling out this page). The size of the paper is applicable to the Chinese National Standard (CNS) Α4 specification (210X297 mm) 15 83.3. 10,000 Central Bureau of Economic Affairs of the Ministry of Economic Affairs Employee consumer cooperatives print A7 B7 i. Invention description () The name of the file to be amended and some meal notices are given (step S7 1). According to the user ’s choice, the alternative is: Allow Correction (Μ), processing abortion (A), restart (R) 'or the same steps S 1 0 3 as the previous processing: also, because the virus here does not use the interrupt routine nor does it make The number of billions is recorded, so the processing of step 1 1 and 2 is not performed. By processing as described above, it is possible to defend against file-type viruses that do not use interrupt routines or memory. Although the present invention has been described in terms of embodiments as described above, the present invention is not limited to the described embodiments. The "subject" of the present invention is certainly within the protection scope of the present invention. [Effects of the invention] As described above, in the present invention, the data set for the purpose of preventing computer viruses from being invaded by viruses will not become parasites. In addition, with the present invention, since the extension B IOS with virus prevention capability is completed before the start of DOS, the system can be protected before any virus attacks: At the same time, a safe shell is also provided for DOS, so DOS The following file operations and ongoing operations can protect and prevent attacks and violations from viruses. [Brief description of the drawings] Fig. 1 is a block diagram illustrating an example of the configuration of the expansion memory board of the present invention. Picture 2 is an example of the composition of the computer history of Yijiang. Fig. 3 is an operation flowchart of the control method of the present invention (Part 1 > c. I = i--------....... 1- «1-1-^ I ......!-......---. (Please read the precautions on the back of the moraine before filling out this page) This paper size is applicable to the Chinese National Standard (CNS) A4 specification (210X297mm) 83. 3.10,000 A7 B7 5. Description of the invention () Article 4 _ is the operation flow chart of the control method of the invention (Part 2). Explanation of the symbol] 1 Expansion memory board 2 Praise dedicated memory (ROM)
3 RAM 4、5 暫存器 G 控制器 7 資料匯流排 S 位址匯流排 (請先閲讀背面之注意事項再填寫本頁) 装. 訂 經濟部中央標準局員工消費合作社印製 本紙法尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 17 83.3. 10,0003 RAM 4, 5 register G controller 7 data bus S address bus (please read the precautions on the back and then fill out this page). Installed. Printed by the Ministry of Economic Affairs Central Standards Bureau Employee Consumer Cooperative Printed paper standard applicable China National Standard (CNS) A4 Specification (210X297mm) 17 83.3. 10,000