TW448402B - Virus detecting method for IDE hard disk device set in PIO access mode - Google Patents


Info

Publication number: TW448402B
Authority: TW (Taiwan)
Prior art keywords: hard disk, register, address, data, debug
Application number: TW88116039A
Other languages: Chinese (zh)
Inventor: Jiun-Nan Tsai
Original Assignee: Mitac Int Corp
Application filed by Mitac Int Corp
Priority to TW88116039A
Application granted
Publication of TW448402B

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

A virus detecting method for an IDE hard disk device set in PIO access mode first determines whether the breakpoint condition in the debug status register corresponding to the instruction register of the IDE hard disk is set. If it is, the method determines whether the instruction currently executing is a data-transfer output instruction and whether the write of data to the hard disk device is in PIO access mode, and sets a flag if so. Then, when the breakpoint condition in the debug status register corresponding to the data register of the IDE hard disk is determined to be set and the flag is found to be set, the 16-bit data in general register AX or at memory address DS:SI is written into the designated memory buffer. After the data of an entire disk sector or block has been written into the memory buffer, the buffer is scanned and compared against pre-stored known virus codes, and a warning message is sent when a matching known virus code is found.

Description

1. Field of the invention

The present invention relates to a method for detecting computer viruses, and in particular to a virus detection method for an IDE hard disk device set in PIO access mode, which detects a possible virus in real time whenever a write to an IDE hard disk device set in PIO access mode is detected.

2. Background

With the rapid development of computer technology, personal computers have become ever more powerful, and the document handling, accounting and scheduling work of modern business relies heavily on computers, so the security of computer data has become increasingly important. Computer systems and computer data are, however, frequently damaged by computer viruses; in particular, since the Internet came into widespread use, files are exchanged and transmitted far more often, and the chance of infection by a computer virus has risen accordingly.

Each type of computer virus has its own characteristic form and propagation path, and each can damage a computer system to a different degree. Computer viruses are generally classified as file viruses, boot-sector viruses, multipartite viruses, macro viruses and so on. Some kinds of virus write their characteristic virus code into the hard disk device of the computer system and use those areas as the medium of propagation, in order to damage the system's data files, executable files or boot sector.

To protect a computer system effectively against virus code, therefore, the virus code should be detected and a warning issued before it is written to the hard disk drive. Furthermore, because different computer systems use different interface specifications and operating modes, an effective virus detection method must be designed for the configuration of the particular computer system and for the specific interface specification and operating mode it uses.

The hard disk drives used in current personal computer systems are still mainly IDE drives. Earlier IDE interfaces transferred data over the 16-bit ISA bus; more recent IDE interfaces have gradually moved to transferring data over the 32-bit PCI bus.

IDE devices attached to an IDE interface are divided, by transfer mode and maximum transfer rate, into PIO access mode devices and DMA access mode devices. The Pentium-class personal computer systems in wide use today can generally have four IDE devices attached at once, and these devices are distinguished by their data transfer mode into PIO access mode (PIO Access Mode) and DMA access mode (DMA Access Mode). PIO access mode is further divided by maximum transfer rate into four modes, PIO Mode 0 to PIO Mode 3, and DMA access mode is likewise divided into several modes by maximum transfer rate. The difference between DMA access mode and PIO access mode is that the former completes the data transfer by direct memory access, whereas the latter completes it under the control of the central processing unit.

Therefore, to protect a computer system effectively against the intrusion of computer viruses, the virus detection method must be designed around the particular execution behaviour of the system in its specific configuration and operating mode. For example, if the data transfer mode of a hard disk device on an IDE interface is set to PIO access mode, the virus detection method must be designed for the characteristics of that configuration if it is really to achieve its purpose of virus prevention.

Summary of the invention

The main object of the present invention is therefore to provide a method for detecting computer viruses that can detect a virus program's attempt to write to a hard disk device and issue a warning, so as to warn the user in time.

Another object of the present invention is to provide a virus detection method for an IDE hard disk device set in PIO access mode, which can detect a possible virus code immediately when a virus program attempts to write any data.

A further object of the present invention is to provide a method for detecting viruses in PIO access mode in real time, which uses the control registers, debug address registers, debug control register and debug status register inside the central processing unit to carry out the detection.

To achieve the above objects, the method of the present invention proceeds as follows. When a debug exception raised by the central processing unit is detected, it is first determined whether the breakpoint conditions in the debug status register of the central processing unit corresponding to I/O ports 1F7h and 177h are set. If so, it is determined whether the current instruction is OUT or OUTS; if so, it is determined whether the write to the hard disk device is in PIO access mode, by checking whether the data in general register AL, or at address DS:SI, is 30h, 31h or C5h, where 30h and 31h denote writing data to one sector and C5h denotes writing data to several sectors. The purpose of this step is to determine whether the write of data to the hard disk device is in PIO access mode. If so, a flag is set. Then the other two debug address registers of the central processing unit are set to 1F0h and 170h, the value 10 is set in the corresponding R/W bits of the debug control register of the central processing unit, and the monitoring of debug exceptions continues. When it is determined that the breakpoint conditions for I/O ports 1F0h and 170h in the debug status register are set, and then that the flag is set, the 16-bit data in general register AX or at memory address DS:SI is written into the designated memory buffer. After the data of an entire sector or block has been written into the memory buffer, the buffer is scanned and compared against pre-stored known virus codes, and a warning is issued if a matching known virus code is found.

The other objects of the present invention and the detailed virus detection steps are further explained in the following description of the preferred embodiment and the accompanying drawings, in which:

(1) Brief description of the drawings:

Figure 1 is a simplified diagram of the connections among the central processing unit, the I/O interface, the hard disk device and the memory in a typical personal computer system;

Figure 2 is a diagram of the relevant internal registers of a Pentium-class central processing unit;

Figure 3 is a flow chart of the virus detection method of the present invention;

Figure 4 continues the control flow of the present invention from Figure 3.

(2) Reference numerals:

1 central processing unit
21 address bus
22 data bus
23 control bus
3 I/O interface
4 hard disk device
5 memory
10 general registers
11 segment registers
12 status and instruction registers
13 control register group
14 debug register group
CR0-CR4 control registers
DR0-DR3 debug address registers
DR6 debug status register
DR7 debug control register

Description of the preferred embodiment

Figure 1 shows, in simplified form, the connections among the central processing unit 1, the I/O interface 3, the hard disk device 4 and the memory 5 in a typical personal computer system. The central processing unit 1 is connected to the hard disk device 4 through the system bus and the I/O interface 3, and to a memory 5 through the system bus. The system bus comprises an address bus 21, a data bus 22 and a control bus 23.

In the following embodiment an Intel Pentium-class central processing unit is taken as the preferred example, and the hard disk device 4 is connected to the central processing unit 1 through an IDE interface.

Referring to Figure 2, the registers inside a typical Pentium-class central processing unit can be divided by function roughly into general registers 10 (General Purpose Registers), segment registers 11 (Segment Registers), and status and instruction registers 12 (Status and Instruction Registers). The general registers include AX, BX, CX, DX, BP, SP, SI and DI and are generally used to handle data. The segment registers 11 include SS, DS, ES, FS and GS and determine the base address of a memory segment. The status and instruction registers 12 include IP and FLAGS, which designate the instruction to be executed and indicate the result status after an instruction has executed.

The Pentium-class central processing unit also contains other system registers. Among these, the ones relevant to the virus detection method of the present invention are the control register group 13 and the debug register group 14.

The control register group 13 comprises several control registers CR0 to CR4. In the bit definition of control register CR4, bits 0 to 6 are defined, and bit 3 is the debug extensions bit: when it is set to 1, the I/O breakpoint debug extension is enabled; when it is set to 0, the I/O breakpoint debug extension is disabled.

The debug register group 14 comprises eight registers DR0 to DR7. DR0 to DR3 serve as debug address registers (Debug Address Registers), each holding a 32-bit breakpoint linear address (Breakpoint Linear Address). DR6 serves as the debug status register (Debug Status Register), which reports the condition that caused a debug exception when one occurs. DR7 serves as the debug control register (Debug Control Register), which is used to enable or disable the breakpoint function and to set the breakpoint conditions.

Each debug address register DR0 to DR3 has its own control bits in the debug control register DR7. For example, the LEN bits in DR7 determine the access length of the breakpoint address: when LEN = 00 the length is one byte; when LEN = 01 it is two bytes; when LEN = 11 it is four bytes. The value of R/W determines the cause of a breakpoint at the breakpoint address: R/W = 00 denotes instruction execution, R/W = 01 denotes a data write, R/W = 10 denotes an I/O read or write, and R/W = 11 denotes a data read or write.

The virus detection method of the present invention is now described in detail with reference to the register architecture inside the central processing unit shown in Figure 2 and the control flow charts of Figures 3 and 4.

As shown in Figure 3, after the system has started, the present invention first designates a buffer in the memory of the computer system (step 100). Then, in step 101, the debug extension bit (Debug Extension) is set in the control register CR4 of the central processing unit. The purpose of this step is to set bit 3 of CR4 to 1, which enables the I/O breakpoint debug extension.

Next, the hexadecimal values 1F7h and 177h are set in two of the debug address registers (DR0 to DR3) of the central processing unit (step 102). The value 1F7h is the address of the status/command register (IDE Command Register) of the first IDE hard disk attached to the computer system, and the value 177h is the address of the status/command register of the second hard disk.

In step 103, the value 10 is set in the corresponding R/W bits (read/write control bits) of the debug control register DR7 of the central processing unit, which means that the central processing unit will raise an interrupt when it performs I/O. In the same step the value 00 is set in the corresponding LEN bits (length bits) of the debug control register DR7, which denotes a length of one byte.

After the register settings above have been completed, it is determined whether a debug exception (Debug Exception) has occurred (step 104); if not, the check is repeated. When a debug exception is detected, step 105 is executed (that is, the central processing unit executes the INT 1 interrupt service routine) to examine the state of the debug status register DR6 of the central processing unit, which records the state of the debug address registers DR0 to DR3. In step 105 it is determined whether the breakpoint conditions (Breakpoint Conditions) corresponding to I/O port addresses 1F7h and 177h are set in the debug status register DR6. If not, control jumps to step 111 in Figure 4 (described later); if so, the next step 106 is performed.

In step 106 it is determined whether the instruction currently being executed by the central processing unit is an assembly-language output instruction that performs a data transfer (OUT or OUTS). If not, control returns to step 104; if so, the next step 107 is performed. The output instruction OUT is the simple I/O output instruction of the assembly language: it performs a simple data transfer whose destination is an I/O port, and the data pass through a general register of the central processing unit (register AL in the 8-bit case). The instruction OUTS is the string I/O output instruction: it outputs the byte data at the memory location designated by the segment register DS and the index register SI of the central processing unit to the I/O port designated by register DX.

In step 107 it is determined whether the data in register AL of the general registers 10, or at memory address DS:SI (the indirectly addressed operand of the output instruction), is 30h, 31h or C5h. If it is not one of these predetermined values, control returns to step 104; if it is, the next step 108 is performed. The values 30h and 31h denote the operation of writing data to one sector of the hard disk (Write Sector), and C5h denotes the operation of writing data to several sectors (Write Multiple Sectors). The purpose of this step is to determine whether the write of data to the hard disk device is in PIO access mode.

If, after the preceding determinations, the data in register AL of the general registers 10 or at address DS:SI is 30h, 31h or C5h, a flag representing a write to a sector of the hard disk device (WRITE_SECTOR FLAG) is set in step 108; it serves as an identifying mark.

Figure 4 continues the control flow of Figure 3. In step 109, the hexadecimal values 1F0h and 170h are set in the other two debug address registers (DR0 to DR3) of the central processing unit. The value 1F0h is the address of the data register (IDE Data Register) of the first IDE hard disk attached to the computer system, and the value 170h is the address of the data register of the second hard disk.

In step 110, the value 10 is set in the corresponding R/W bits (read/write control bits) of the debug control register DR7 of the central processing unit, meaning that the central processing unit will raise an interrupt when it performs I/O. In the same step the value 00 is set in the corresponding LEN bits (length bits) of DR7, denoting a length of one byte. Control then returns to step 104 and the monitoring of debug exceptions continues.

If in step 105 it is determined that the breakpoint conditions (Breakpoint Conditions) corresponding to I/O ports 1F7h and 177h are not set in the debug status register DR6, it is further determined in step 111 whether the breakpoint conditions corresponding to I/O ports 1F0h and 170h are set in DR6. If not, control returns to step 104; if so, the next step 112 is performed.

In step 112 it is determined whether the WRITE_SECTOR flag mentioned above has been set. The purpose of this step is to distinguish a normal PIO access mode (PIO Access Mode) write from a mere access to the IDE data register. If the WRITE_SECTOR flag is found not to be set, control returns to step 104.

If the WRITE_SECTOR flag representing a write to a hard disk sector has been set (that is, the transfer is in PIO access mode), step 113 is executed, in which the 16-bit data in the general register AX of the central processing unit, or at memory address DS:SI, is written into the memory buffer designated in memory in step 100. Then, in step 114, it is determined whether an entire sector (Sector) or block (Block) has been written. When the write has been completed, the WRITE_SECTOR flag is cleared in step 115.

After the WRITE_SECTOR flag has been cleared, the buffer is scanned and compared against the pre-stored known virus codes in step 116. If a matching known virus code is found (step 117), the computer system issues a warning (step 118) to alert the user in time.

By means of the computer virus detection method of the present invention described above, together with the related control registers, debug address registers, debug control register and debug status register of the central processing unit, the present invention can effectively detect any possible virus that attempts to write to an IDE hard disk device set in PIO access mode in a computer system.

In summary, the computer virus detection method provided by the present invention has a high industrial utility value and achieves the expected effect, and no identical or similar technique was disclosed before this patent application; it therefore satisfies the requirements for an invention patent, and an application for an invention patent is filed in accordance with the law.
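The procedure of steps 100 to 118 and the DR7 field layout described above, as an added C model that is not part of the patent: dr7_add_io_breakpoint encodes the R/W = 10, LEN = 00 settings of steps 103 and 110, and pio_monitor_event replays constructed OUT events through the flag, buffer and scan logic in user space instead of programming real debug registers. The IDE port numbers and ATA command codes are those the text gives; the signature bytes, the sector contents and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IDE command/status and data register ports (primary, secondary) and the ATA
 * command codes the patent treats as PIO sector writes. */
#define IDE_PRI_CMD  0x1F7u
#define IDE_SEC_CMD  0x177u
#define IDE_PRI_DATA 0x1F0u
#define IDE_SEC_DATA 0x170u
#define ATA_WRITE_SECTORS    0x30u
#define ATA_WRITE_SECTORS_NR 0x31u
#define ATA_WRITE_MULTIPLE   0xC5u
#define SECTOR_BYTES 512u   /* one sector = 256 16-bit PIO transfers */
/* DR7 encoding (Intel layout): R/W = 10b is an I/O breakpoint, valid only while
 * CR4.DE (bit 3) is set; LEN = 00b covers one byte. Breakpoint n keeps R/W at
 * bits 16+4n, LEN at bits 18+4n and its local enable bit at bit 2n. */
#define DR7_RW_IO     0x2u
#define DR7_LEN_1BYTE 0x0u

/* Returns dr7 with breakpoint n configured as steps 103 and 110 describe. */
uint32_t dr7_add_io_breakpoint(uint32_t dr7, unsigned n)
{
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= (DR7_RW_IO | (DR7_LEN_1BYTE << 2)) << (16 + 4 * n);
    return dr7 | (1u << (2 * n));
}

/* Constructed sample signature standing in for the pre-stored virus codes. */
static const uint8_t SAMPLE_SIG[] = { 0xEB, 0x3C, 0x90, 0x56, 0x49, 0x52, 0x55, 0x53 };

struct pio_monitor {
    int     write_flag;          /* WRITE_SECTOR flag of step 108 */
    uint8_t buf[SECTOR_BYTES];   /* buffer designated in step 100 */
    size_t  nbytes;
};

/* Step 116: search the captured sector for the signature; returns the byte
 * offset of the first match, or -1. */
long scan_sector(const uint8_t *bytes, size_t nbytes)
{
    size_t i;
    for (i = 0; i + sizeof SAMPLE_SIG <= nbytes; i++)
        if (memcmp(bytes + i, SAMPLE_SIG, sizeof SAMPLE_SIG) == 0)
            return (long)i;
    return -1;
}

/* One I/O breakpoint event as the INT 1 handler sees it: the port that hit and
 * the value OUT/OUTS is writing (AL or the byte at DS:SI on the command port,
 * AX or the word at DS:SI on the data port). Returns 1 when a completed sector
 * matches the signature, 0 otherwise. */
int pio_monitor_event(struct pio_monitor *m, uint16_t port, uint16_t value)
{
    if (port == IDE_PRI_CMD || port == IDE_SEC_CMD) {
        uint8_t cmd = (uint8_t)value;
        /* Steps 107-108: only sector-write commands arm the flag. */
        if (cmd == ATA_WRITE_SECTORS || cmd == ATA_WRITE_SECTORS_NR ||
            cmd == ATA_WRITE_MULTIPLE) {
            m->write_flag = 1;
            m->nbytes = 0;
        }
        return 0;
    }
    if (port != IDE_PRI_DATA && port != IDE_SEC_DATA)
        return 0;
    if (!m->write_flag)                 /* step 112: plain data-register access */
        return 0;
    m->buf[m->nbytes++] = (uint8_t)value;          /* step 113: PIO word, */
    m->buf[m->nbytes++] = (uint8_t)(value >> 8);   /* low byte first */
    if (m->nbytes < SECTOR_BYTES)       /* step 114: sector not yet complete */
        return 0;
    m->write_flag = 0;                  /* step 115 */
    m->nbytes = 0;
    return scan_sector(m->buf, SECTOR_BYTES) >= 0;   /* steps 116-117 */
}

/* Streams a constructed sector (signature at byte 100) through the monitor as
 * 256 writes to the primary data port; returns 1 if any of them alerted. */
static int replay_sample_sector(struct pio_monitor *m)
{
    uint8_t sector[SECTOR_BYTES] = { 0 };
    size_t i;
    int hit = 0;
    memcpy(sector + 100, SAMPLE_SIG, sizeof SAMPLE_SIG);
    for (i = 0; i < SECTOR_BYTES; i += 2)
        hit |= pio_monitor_event(m, IDE_PRI_DATA,
                                 (uint16_t)(sector[i] | (sector[i + 1] << 8)));
    return hit;
}

/* Constructed scenario: IDENTIFY DEVICE (ECh) must not arm the flag, so a sector
 * streamed after it is ignored; WRITE SECTORS (30h) arms it, the next sector is
 * captured and matched, and the flag is cleared again. Returns 1 if all hold. */
int run_constructed_scenario(void)
{
    struct pio_monitor m;
    memset(&m, 0, sizeof m);
    pio_monitor_event(&m, IDE_PRI_CMD, 0xEC);
    if (m.write_flag || replay_sample_sector(&m) != 0 || m.nbytes != 0)
        return 0;
    pio_monitor_event(&m, IDE_PRI_CMD, ATA_WRITE_SECTORS);
    if (!m.write_flag || replay_sample_sector(&m) != 1)
        return 0;
    return m.write_flag == 0;
}
```

The model clears the flag after one sector exactly as step 115 does, so for a WRITE MULTIPLE (C5h) transfer only the first block is captured unless the caller re-arms it per block.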

Claims (1)

^ ^ 8 4 ϋ . —_S£l_15_(L3 六 申請專利範® .一種IDE硬碟裝置設定在!^^傳輪模式 法,用以偵測病毒碼是否寫入至—電之病^貞測方 模式之IDE硬碟裝置中,該中央處理器内部統配中Ρί0:輪 存器、除錯控制暫存器、除錯狀制態 暫存器’#亥病毒偵測方法包括下列步驟‘ 想 a. 在該電腦系統之記憶體中指定—緩衝區 b. 啟始該中央處理器之輸出入斷點除錯擴展功能. c·在中央處理器之除錯位址暫存器中之其中兩:暫 中設定電腦系統中所連接之IDE硬碟狀態/命令暫^ 之位址; " d. 設定該中央處理器在執行輸出入之動作時產生中斷功 能; e. 刼斷是否發生除錯狀況; f. 判斷中央處理器之除錯狀態暫存器尹,對應於該⑽ 硬樓裝置之硬碟狀態/命令暫存器之彳立址的斷點條件 是否被設定; g. 判斷中央處理器目前所執行之指令是否為執行資料轉 移之輸出指令; h. 判斷該寫入資料至硬碟裳置之動作是否為ρι〇傳輸模 式; i. 在邊中央處理器之另兩個除錯位址暫存器中設定該電 腦系統所連接IDE硬碟裝置之硬碟資料暫存器之位址; j. 在中央處埋器之除錯控制暫存器中,設定該中央處理 器於執行輸出入時產生中斷功能,然後回到前述步驟 第15頁 448402^ ^ 8 4 ϋ. —_S £ l_15_ (L3 Six application patents ®. An IDE hard disk device is set in the! ^^ pass mode method to detect whether the virus code is written to the disease of electricity ^ In the IDE hard disk device in square mode, the central processor is internally allocated with P0: carousel register, debug control register, and debug state register '# 海 virus detection method includes the following steps' a. Specify in the computer system's memory—buffer b. Start the CPU's I / O breakpoint debug extension function. c. Two of the CPU's debug address registers: Temporarily set the address of the IDE hard disk status / command temporary ^ connected to the computer system; " d. Set the CPU to generate an interrupt function when it executes input / output operations; e. Determine whether a debugging condition has occurred F. Determine whether the CPU's debug status register Yin corresponds to the breakpoint condition of the hard disk status / command register address of the ⑽ hard building device; g. Determine the CPU Whether the currently executed instruction is an output instruction to perform data transfer; h. Determine whether the action of writing data to the hard disk is in ρι〇 transmission mode; i. Set the IDE hard disk device connected to the computer system in the other two debug address registers of the edge CPU. The address of the hard disk data register; j. 
VI. Claims

... in the debug control register of the central processor, so that the central processor generates an interrupt when it executes input/output, and then return to the aforesaid step;
e. ... to determine whether a debug condition has occurred;
f. if it is determined that the breakpoint condition in the debug status register of the central processor corresponding to the address of the hard disk status/command register of the IDE hard disk device has not been set, continue to determine whether the breakpoint condition in the debug status register corresponding to the address of the hard disk data register of the IDE hard disk device has been set, and if not, return to the aforesaid step;
l. write the 16-bit data in the general register AX of the central processor, or at memory address DS:SI, into the memory buffer designated in the aforesaid memory;
m. after the data of the entire sector or block has been completely written, scan and compare it against the pre-stored known virus codes, and issue a warning when a matching known virus code is found.

2. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein step b sets the third bit of the control register CR4 of the central processor to 1, to enable the I/O breakpoint debug extension function.

3. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein step c sets the hexadecimal values 1F7h and 177h in two of the debug address registers of the central processor, where the value 1F7h is the address of the status/command register of the first IDE hard disk connected to the computer system and the value 177h is the address of the status/command register of the second hard disk.

4. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein step d comprises:
d1. setting the value 10 in the read/write control bits of the debug control register of the central processor corresponding to that breakpoint, so that the central processor generates an interrupt when it executes input/output;
d2. setting the value 00 in the corresponding length bits of the debug control register, which value indicates that the bit-length value is 1.

5. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein the data transfer output instruction in step g is OUT/OUTS.

6. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein step h determines whether the data in the general register AL of the central processor, or at memory address DS:SI, is the value for writing data to one sector of the hard disk or the value for writing data to several sectors.

7. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 6, wherein the values for writing data to one sector of the hard disk are 30h and 31h, and the value for writing data to several sectors is C5h.

8. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 6, wherein:
in step h, if it is determined that the action of writing data to the hard disk device is in PIO transfer mode, the step further comprises setting a flag representing that data is being written to a hard disk sector;
in step k, if it is determined that the breakpoint condition in the debug status register of the central processor corresponding to the address of the hard disk data register of the IDE hard disk device has been set, the method further comprises a step of checking whether the flag has been set;
after step l, the method further comprises a step of clearing the flag.

9. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein step i sets the hexadecimal values 1F0h and 170h in the debug address registers of the central processor, where the value 1F0h is the address of the data register of the first IDE hard disk connected to the computer system and the value 170h is the address of the data register of the second IDE hard disk.

10. The virus detection method for an IDE hard disk device set in PIO transfer mode as described in claim 1, wherein after step l the method further comprises a step of determining whether the data has been completely written to the entire designated sector or block.
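The breakpoint configuration and the trapping logic of claims 1 to 10, as an added example written for this page and not the patent's own code: it computes the CR4 and DR7 values the claims describe and replays a constructed trace of trapped OUT instructions through the command-flag, sector-buffer and signature-scan steps. The trace, the 4-byte signature and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define CR4_DE       (1u << 3)  /* claim 2: CR4 bit 3 enables the I/O breakpoint extension */
#define SECTOR_WORDS 256        /* a 512-byte sector as 16-bit PIO data words */
/* claims 3 and 9: addresses that go into DR0-DR3 (command ports, then data ports) */
static const uint16_t dr_ports[4] = { 0x1F7, 0x177, 0x1F0, 0x170 };
/* claim 4: DR7 with DR0-DR3 locally enabled, R/W=10b (break on I/O), LEN=00b */
uint32_t dr7_io_breakpoints(void) {
    uint32_t dr7 = 0;
    for (int i = 0; i < 4; i++)
        dr7 |= (1u << (2 * i)) | (2u << (16 + 4 * i)); /* Li=1, R/Wi=10b, LENi=00b */
    return dr7;                                        /* 0x22220055 */
}
struct io_event { uint16_t port, value; };  /* one trapped OUT/OUTS: port and AL or AX */
static int contains(const uint8_t *h, size_t hl, const uint8_t *n, size_t nl) {
    for (size_t i = 0; i + nl <= hl; i++)
        if (memcmp(h + i, n, nl) == 0) return 1;
    return 0;
}
/* Replay trapped port writes with the flag/buffer logic of claims 1, 6-8 and 10;
 * returns how many completed sectors contained the signature. */
int scan_io_trace(const struct io_event *ev, size_t n, const uint8_t *sig, size_t siglen) {
    uint8_t buf[SECTOR_WORDS * 2];
    size_t words = 0; int flag = 0, hits = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t p = ev[i].port, v = ev[i].value;
        if (p == dr_ports[0] || p == dr_ports[1]) {     /* status/command register hit */
            uint8_t cmd = v & 0xFF;                     /* the command byte in AL */
            flag = (cmd == 0x30 || cmd == 0x31 || cmd == 0xC5); /* claim 7: sector writes */
            words = 0;
        } else if ((p == dr_ports[2] || p == dr_ports[3]) && flag) { /* data register hit */
            buf[2 * words] = v & 0xFF;                  /* AX stored little-endian */
            buf[2 * words + 1] = v >> 8;
            if (++words == SECTOR_WORDS) {              /* claim 10: whole sector buffered */
                hits += contains(buf, sizeof buf, sig, siglen); /* step m: signature scan */
                words = 0; flag = 0;   /* claim 8: clear the flag (C5h would need it kept) */
            }
        }
    }
    return hits;
}
/* Constructed trace: WRITE SECTORS (30h), one sector carrying the constructed
 * signature DE AD BE EF at words 100-101, then a stray data word that must be ignored. */
int demo(void) {
    static const uint8_t sig[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    struct io_event ev[SECTOR_WORDS + 2] = { { 0x1F7, 0x30 } };
    for (int i = 1; i <= SECTOR_WORDS + 1; i++) { ev[i].port = 0x1F0; ev[i].value = 0; }
    ev[101].value = 0xADDE; ev[102].value = 0xEFBE;  /* words 100-101 = DE AD BE EF */
    return scan_io_trace(ev, SECTOR_WORDS + 2, sig, sizeof sig);  /* 1 */
}
```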
TW88116039A 1999-09-17 1999-09-17 Virus detecting method for IDE hard disk device set in PIO access mode TW448402B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW88116039A TW448402B (en) 1999-09-17 1999-09-17 Virus detecting method for IDE hard disk device set in PIO access mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW88116039A TW448402B (en) 1999-09-17 1999-09-17 Virus detecting method for IDE hard disk device set in PIO access mode

Publications (1)

Publication Number Publication Date
TW448402B true TW448402B (en) 2001-08-01

Family

ID=21642323

Family Applications (1)

Application Number Title Priority Date Filing Date
TW88116039A TW448402B (en) 1999-09-17 1999-09-17 Virus detecting method for IDE hard disk device set in PIO access mode

Country Status (1)

Country Link
TW (1) TW448402B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI623850B (en) * 2016-08-29 2018-05-11 趨勢科技股份有限公司 Computer-implemented method, system and non-transitory computer-readable medium of evaluating files for malicious code

Similar Documents

Publication Publication Date Title
TWI342492B (en) Method of providing extended memory protection
US20170293754A1 (en) Sensitive data tracking using dynamic taint analysis
TWI406131B (en) Memory controller and method for handling dma operations during a page copy
JP2005317023A (en) Breakpoint logic unit, debug logic, and breakpoint method for data processing apparatus
JP4898155B2 (en) How to allow a user mode process to operate in privileged execution mode
TW200403586A (en) Control register access virtualization performance improvement in the virtual-machine architecture
US8612708B2 (en) Hardware data protection device
CN102207913B (en) The control method and device of write-protect in embedded system
US7426644B1 (en) System and method for handling device accesses to a memory providing increased memory access security
JP5536191B2 (en) Method for protecting sensitive data on a storage device with wear leveling
TWI334082B (en) Apparatus, processor, system and method for control registers accessed via private operations,and computer-readable media
JPH04229322A (en) Method for performing boolean operation between tow arbitrary bits of two arbitrary registers
US7383584B2 (en) System and method for controlling device-to-device accesses within a computer system
TW448402B (en) Virus detecting method for IDE hard disk device set in PIO access mode
CN117331741A (en) Data verification method, processor and electronic equipment
TW451125B (en) Tracking and inspecting method for files infected with computer virus
CN1121012C (en) Method for preventing BIOS from virus damage
CN1173266C (en) Starting-up type virus detection method
JP3130798B2 (en) Bus transfer device
TW446872B (en) Detection method of boot-up virus
JPS6095658A (en) Virtual storage controlling method
JPH02239351A (en) Micro processor
JPS5864688A (en) Data processor
JPS60124747A (en) Debug control system of computer
JPH10289128A (en) Program evaluation device, program evaluation method and mechanically readable recording medium recording program evaluation program

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees