WO2014048367A1 - Method and apparatus for processing malicious program in master boot record - Google Patents

Method and apparatus for processing malicious program in master boot record

Info

Publication number
WO2014048367A1
Also cited as: WO 2014048367 A1; application PCT/CN2013/084467 (CN2013084467W)
Authority
WO
WIPO (PCT)
Prior art keywords
malicious
boot record
disk
driver
master boot
Prior art date
Application number
PCT/CN2013/084467
Other languages
French (fr)
Chinese (zh)
Inventor
邵坚磊
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201210380353.XA external-priority patent/CN102867141B/en
Priority claimed from CN201210375717.5A external-priority patent/CN102930201B/en
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Publication of WO2014048367A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to the field of computer security technologies, and in particular to a method and apparatus for processing a malicious program in the master boot record.
  • the master boot record (MBR) of a disk is a fixed-size storage area located at head 0, track 0, sector 1 of the disk, and is the first area read from the disk after the computer is powered on.
  • the master boot record typically consists of three parts: the master boot code, the disk partition table, and the end signature word (the bytes 0x55 0xAA). The master boot code checks whether the partition table is valid when the computer starts and, after the system hardware has completed its self-test, hands control to the system boot program on the disk.
  • the master boot code in the MBR is independent of the operating system.
  • a typical boot proceeds as follows: the computer performs a self-test after power-on; once the disk is chosen as the boot source, the Basic Input/Output System reads the MBR into memory and passes control to the master boot code it contains.
  • the master boot code checks the partition table, finds the active partition and passes control to that partition's system boot program, which in turn loads the operating system.
  • loading the master boot code and loading the operating system are two relatively independent processes, so the master boot code in the MBR is independent of the operating system: it is loaded before the operating system, and it neither depends on nor belongs to the operating system.
  • the MBR area has therefore become a target for some malicious programs, of which the "Ghost" (鬼影) virus is representative.
  • the virus resides in the disk's master boot record, runs before the operating system after the computer is powered on, and makes the infected computer load another carefully hidden malicious driver B at system startup.
  • once malicious driver B has loaded, it disables anti-virus software, downloads other malicious programs, and so on, in order to steal the user's information and damage the user's computer.
  • the present invention has been made in order to provide a method for processing a master boot record malicious program that overcomes the above problems or at least partially solves the above problems, and a corresponding apparatus for processing a master boot record malicious program.
  • a method for processing a master boot record malicious program, including: loading a security driver during kernel initialization while the operating system starts; invoking the security driver after hard disk initialization has finished; monitoring disk read operations through the security driver; and, when a disk read/write operation is observed, inspecting the data read/written and, if it contains malicious code, returning a disk read failure so as to sever the link between the malicious program in the master boot record and the malicious driver in a disk partition.
  • loading the security driver includes:
  • registering the security driver in the operating system's registry as a system-reserved type, so that the operating system loads it during kernel initialization at startup (on Windows this corresponds to a driver service entry with Start = 0, SERVICE_BOOT_START, whose image the boot loader itself brings into memory before the kernel runs).
  • invoking the security driver after hard disk initialization has finished includes: when the security driver is loaded, registering a callback function with the system, so that the operating system invokes the security driver once hard disk initialization has finished.
  • the method may further include clearing the malicious program in the master boot record, which can be done by rebuilding the master boot record.
  • the method may further include deleting the malicious driver in the disk partition.
  • an apparatus for processing a master boot record malicious program, including: a loading unit, configured to load a security driver during kernel initialization while the operating system starts;
  • a calling unit, configured to invoke the security driver after hard disk initialization has finished;
  • a monitoring unit, configured to monitor disk read operations through the security driver;
  • a detecting unit, configured to inspect the data read/written when a disk read/write operation is observed and, if the data contains malicious code, return a disk read failure so as to sever the link between the malicious program in the master boot record and the malicious driver in the disk partition.
  • the loading unit includes:
  • a registry writing unit, which registers the security driver in the operating system's registry as a system-reserved type so that the operating system loads it during kernel initialization at startup.
  • the calling unit includes:
  • a callback registration unit, configured to register a callback function with the system when the security driver is loaded, so that the operating system invokes the security driver once hard disk initialization has finished.
  • the apparatus may further include:
  • a clearing unit, configured to clear the malicious program in the master boot record.
  • the clearing unit includes:
  • a rebuilding sub-unit, for rebuilding the master boot record.
  • the apparatus may further include:
  • a deleting unit, for deleting the malicious driver in the disk partition.
  • a device for processing a master boot record malicious program, comprising any of the apparatuses for processing a master boot record malicious program described above.
  • the method and apparatus for processing a master boot record malicious program according to the present invention can, at an early stage of system startup, after the MBR, BOOTLOADER, BOOTMGR and so on have been initialized, load the security driver while the system initializes the kernel, and then hook the system's disk read/write operations; when a sector being read contains malicious code, the read is failed, so that the malicious driver cannot be loaded. This completely cuts the link between the MBR and the malicious driver and renders the MBR malicious program ineffective, after which the residual MBR virus body can be handled easily, effectively preventing such malicious programs from damaging the computer system.
  • FIG. 1 shows a flow chart of a method in accordance with one embodiment of the present invention
  • FIG. 2 shows a schematic diagram of an apparatus in accordance with one embodiment of the present invention.
  • a method for processing a master boot record malicious program includes the following steps:
  • the kernel space consists of four major parts: process management (allocating CPU time), file access (presenting devices as a file system and providing a consistent interface for upper-level programs), security control (enforcing each process's permissions and its separate memory range so that processes do not interfere with one another), and memory management (allocating, using, releasing and reclaiming memory while processes run).
  • the kernel maintains these as data structures; rootkit technology hides a program's processes, files, network communications and other traces (including traces such as registry entries and system logs that its modifications would generate) by modifying those kernel data structures.
  • a bootkit is a more advanced rootkit: it bypasses kernel integrity checks and hides itself by infecting the MBR (Master Boot Record), so a bootkit is an MBR-based rootkit. More generally, any technique that loads and hijacks the kernel earlier than the Windows kernel at startup can be called a bootkit, including the later BIOS rootkits, VBootkit, SMM rootkits and so on. Because an MBR virus (MBR bootkit) resides in the MBR, the driver it releases can disable most security tools and system utilities, and every time the system restarts the virus program loads before the operating system kernel.
  • MBR Master Boot Record
  • the security driver can be loaded before the hard disk drive is initialized.
  • the system initializes the NT KERNEL.
  • the security driver is loaded so that it executes before the malicious driver associated with the MBR-area malicious program is loaded.
  • BOOTLOADER is the system boot program that runs before the operating system kernel; it initializes the hardware devices and sets up the memory map, bringing the hardware and software environment to a suitable state so that the operating system kernel is finally invoked in a correct environment.
  • BIOS Basic Input Output System
  • BOOTMGR (Boot Manager) is the boot manager used by Windows Vista and Windows 7; NTLDR plays the same role in Windows XP.
  • NT KERNEL is the system kernel.
  • the boot process of the computer system is as follows: 1. power-on self-test.
  • 2. the motherboard BIOS boots from the floppy disk, hard disk or CD-ROM drive according to the boot order set by the user.
  • 3. the system BIOS reads the master boot record (MBR).
  • 4. the master boot code checks the status of the partition table and looks for the active partition.
  • 5. the master boot code passes control to the boot record of the active partition, which loads the system startup files.
  • the MBR is the first location read after the computer is powered on and the motherboard self-test has completed; it sits at head 0 (track 0, sector 1) of the hard disk, is 512 bytes in size, belongs to no operating system, and is not reachable through the file-level disk commands an operating system provides (only through raw sector access).
  • DPT disk Partition Table
  • PBR Partition Boot Record
  • to ensure that the security driver is loaded when the kernel is initialized during operating system startup, the security driver can be registered in the operating system's registry as a system-reserved type (that is, registered as system reserved), which makes the system load it as early as possible.
  • the simple file reader built into the boot loader has already read such driver files into memory through INT 13h in real mode before they are accessed in protected mode, so the system automatically loads drivers registered in the registry with boot type 0 (Start = 0, SERVICE_BOOT_START) without going through the disk driver or the file system driver.
  • after the security driver is loaded it still has to be called by the operating system before it can do any real work; for this reason, when the security driver is loaded it can register a callback function with the system, so that the operating system calls the security driver immediately after hard disk initialization has finished and the security driver runs at once (on Windows, a boot-driver reinitialization callback registered through IoRegisterBootDriverReinitialization is one such mechanism; the page does not name the API it uses).
  • the callback is registered because the security driver needs to hook the hard disk driver's operations, which can only be done after the hard disk driver has been initialized; the callback lets the security driver get control promptly as soon as that initialization is complete.
  • the security driver can then monitor disk read operations: for the malicious program in the MBR area to reach the malicious driver in the disk partition, it must read the malicious driver's code from the disk partition into memory in order to load it, and reading it into memory requires a disk read.
  • the security driver in this embodiment is loaded earlier than the malicious driver, so the malicious program's disk reads and writes can be monitored by the security driver.
  • disk read/write operations can be monitored by hooking the disk driver's read/write routines.
  • the security driver can intercept the data read and run a security check on it; if the data read contains malicious code, that indicates the malicious program in the MBR area may be reading the malicious driver's code from the disk, so the security driver can simply return a disk read failure, the malicious driver's code never reaches memory and cannot run, and the link between the malicious program in the MBR and the malicious driver in the disk partition is broken.
  • once that link is broken, the malicious program in the MBR and the malicious driver do no harm to the user's computer even though they still exist; for example, Ghost 5 verifies a certain feature code when it reads a disk sector, and only if it matches does it treat the data as the malicious driver's code and execute it.
  • the malicious program in the MBR can also be removed, and the malicious driver in the disk partition can be deleted; since the malicious driver is stored as an ordinary file on the disk, it can be deleted directly with the disk operation commands.
  • the malicious program in the MBR resides in the MBR itself, which is located at head 0, track 0, sector 1 of the hard disk and is 512 bytes in size.
  • the malicious program in the MBR can be cleared by rebuilding the MBR or similar means.
  • an existing MBR reconstruction utility can be called.
  • the program in the embodiment of the present invention can write the system's default MBR into the MBR area, or the system command FDISK /MBR can be used, to restore the MBR area (a correct rebuild replaces only the boot-code bytes and must preserve the partition table, which is what FDISK /MBR does).
  • the malicious program in the MBR executes right after the MBR code; it hooks INT 13h, hooks again when BOOTMGR is loaded and when the NT KERNEL is loaded, and then loads its own malicious driver code to complete its self-protection.
  • a malicious program in the MBR hooks the low-level driver ATAPI.SYS and the file system driver NTFS.SYS, so that security software cannot obtain the real contents of disk files or of the original MBR but only the redirected, false information; that is, once the malicious driver is loaded it is difficult for security software to detect and remove it.
  • the system loads the security driver when the NT KERNEL is initialized, and the security driver then hooks the system's disk read/write operations.
  • when a sector being read contains malicious code, the read is failed so that the malicious driver cannot be loaded; this completely cuts the link between the MBR and the malicious driver, renders the MBR malicious program ineffective, and the residual MBR virus body can then be handled easily.
  • an embodiment of the present invention further provides an apparatus for processing a malicious program in the master boot record.
  • the apparatus may specifically include:
  • a loading unit 201, configured to load a security driver when the kernel is initialized during operating system startup;
  • a calling unit 202, configured to invoke the security driver after hard disk initialization has finished; and a monitoring unit 203, configured to monitor disk read/write operations through the security driver after it has been invoked;
  • a detecting unit 204, configured to inspect the data read/written when a disk read/write operation is observed and, if the data contains malicious code, return a disk read failure so as to sever the link between the malicious program in the master boot record and the malicious driver in the disk partition.
  • the loading unit 201 may include:
  • a registry writing unit, which registers the security driver in the operating system's registry as a system-reserved type so that the operating system loads it during kernel initialization at startup.
  • the calling unit 202 may include:
  • a callback registration unit, configured to register a callback function with the system when the security driver is loaded, so that the operating system invokes the security driver once hard disk initialization has finished.
  • the apparatus may further include:
  • a clearing unit, configured to clear the malicious program in the master boot record.
  • the clearing unit includes:
  • a rebuilding sub-unit, for rebuilding the master boot record.
  • the apparatus may further include: a deleting unit, configured to delete the malicious driver in the disk partition.
  • the malicious driver code in the disk partition can be deleted with the disk operation commands.
  • the system loads the security driver when the kernel is initialized and then hooks the system's disk read/write operations; when a sector being read contains malicious code, the read is failed, so that the malicious driver cannot be loaded; this completely cuts the link between the MBR and the malicious driver, renders the MBR malicious program ineffective, and the residual MBR virus body can then be handled easily.
  • an embodiment of the present invention further provides a device for processing a malicious program in the master boot record.
  • it should be noted that the device, through its CPU, memory, hard disk, BIOS and other related parts, can effectively block malicious programs in the MBR area from damaging the computer system.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • any combination of all the features disclosed in this specification (including the accompanying claims, abstract and drawings), and of all the processes or units of any method or device so disclosed, may be used.
  • each feature disclosed in the specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose, unless stated otherwise.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • in practice, a microprocessor or digital signal processor (DSP) may be used to implement some or all of the functions of some or all of the components of the apparatus for processing a master boot record malicious program according to embodiments of the present invention.
  • the invention can also be implemented as a device or apparatus program (e.g. a computer program and a computer program product) for performing part or all of the methods described herein.
  • Such a program implementing the present invention may be stored on a computer readable medium or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

Abstract

Disclosed are a method and an apparatus for processing a malicious program in a master boot record. The method comprises: during startup of the operating system, while the kernel is initialized, loading a security driver; invoking the security driver after hard disk initialization has completed; after the security driver is invoked, monitoring read operations on the disk through it; and when a read/write operation on the disk is observed, inspecting the data read/written and, if it is found to contain malicious code, returning a disk read failure, so as to sever the link between the malicious program in the master boot record and a malicious driver in a disk partition. The present invention can effectively prevent the malicious program in the master boot record from damaging the computer.

Description

Method and apparatus for processing a malicious program in the master boot record
Technical Field
The present invention relates to the field of computer security technologies, and in particular to a method and apparatus for processing a malicious program in the master boot record.
Background Art
The master boot record (MBR) of a disk is a fixed-size storage area located at head 0, track 0, sector 1 of the disk, and is the first area read from the disk after the computer is powered on. The master boot record generally consists of three parts: the master boot code, the disk partition table, and the end signature word (the bytes 0x55 0xAA). The master boot code checks whether the partition table is valid when the computer starts and, after the system hardware has completed its self-test, hands control to the system boot program on the disk. The master boot code in the MBR is independent of the operating system, and this independence shows in the boot process: in a typical boot, the computer performs a self-test after power-on; once the disk is chosen as the boot source, the Basic Input/Output System (BIOS) reads the MBR into memory and passes control to the master boot code it contains; the master boot code checks the partition table, finds the active partition and passes control to that partition's system boot program, which loads the operating system. Loading the master boot code and loading the operating system are two relatively independent processes, so the master boot code in the MBR is independent of the operating system: it is loaded before the operating system, and it neither depends on nor belongs to the operating system.
It is precisely because of this independence of the master boot code from the operating system that the MBR area has become a target for some malicious programs, of which the "Ghost" (鬼影) virus is representative. The virus resides in the disk's master boot record, runs before the operating system after the computer is powered on, and makes the infected computer load another carefully hidden malicious driver B at system startup. Once malicious driver B has loaded successfully, it disables anti-virus software, downloads other malicious programs, and so on, in order to steal the user's information, damage the user's computer and commit other illegal acts. Because the virus resides in the disk's master boot record, no abnormality is usually found in the operating system once it is running; and because the master boot record is usually not rewritten by a reinstallation, the virus can survive even after the user reinstalls the operating system and still take effect after the computer boots, which shows how persistent it is. Therefore, the technical problem urgently to be solved by those skilled in the art is how to effectively prevent such malicious programs from damaging the computer system.
Summary of the Invention
In view of the above problems, the present invention is proposed in order to provide a method for processing a malicious program in the master boot record, and a corresponding apparatus for processing a malicious program in the master boot record, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for processing a malicious program in the master boot record is provided, including:
during startup of the operating system, when kernel initialization is performed, loading a security driver;
invoking the security driver after hard disk initialization has finished;
monitoring read operations on the disk through the security driver;
when a read/write operation on the disk is observed, inspecting the data read/written, and if the data is found to contain malicious code, returning a disk read failure, so as to sever the link between the malicious program in the master boot record and the malicious driver in the disk partition.
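The read-interception step just described (the security driver inspects each disk read and fails the read when the returned data contains malicious code), as an added example in C that is not part of the patent or of any Qihoo product: it models the lower disk driver, the filtering read routine the security driver installs over it, and a Ghost-style loader that, as the description says, only treats data as its hidden driver after finding a feature code in the sectors it reads. The in-memory disk image, the MALICIOUS_SIG bytes, the sector numbers and all function names are constructed for this example; the real product's signatures and the Windows filter-driver plumbing (IRPs, completion routines) are not shown. The example also exercises one failure mode a per-transfer scan has: a signature split across two sectors escapes a single-sector read, which is why a real filter must either carry the tail of the previous transfer or scan the whole request.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define SECTOR_SIZE  512
#define DISK_SECTORS 128
#define MAX_XFER     4        /* sectors per request in this model */

/* Status codes as the caller of the read path sees them. */
#define READ_OK          0
#define READ_ERR_RANGE   1    /* request runs past the end of the disk or is too large */
#define READ_ERR_BLOCKED 2    /* the security driver failed the read on purpose */

/* Constructed feature code (assumption): the bytes the MBR-resident loader looks for before it
 * treats a sector as its hidden driver. A real product carries its own detection signatures. */
static const uint8_t MALICIOUS_SIG[8] = { 'G', 'H', 'O', 'S', 'T', 'D', 'R', 'V' };

typedef struct { uint8_t sector[DISK_SECTORS][SECTOR_SIZE]; } fake_disk;
typedef int (*read_fn)(const fake_disk *d, uint32_t lba, uint32_t count, uint8_t *buf);

/* The unfiltered lower disk driver: copies sectors [lba, lba + count) into buf. */
int lower_read(const fake_disk *d, uint32_t lba, uint32_t count, uint8_t *buf)
{
    if (count > MAX_XFER || lba + count > DISK_SECTORS) return READ_ERR_RANGE;
    memcpy(buf, d->sector[lba], (size_t)count * SECTOR_SIZE);
    return READ_OK;
}

/* Byte-wise scan of one transfer. A signature split across two sectors is only found when
 * both halves arrive in the same transfer, which is the edge case exercised below. */
bool contains_signature(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + sizeof MALICIOUS_SIG <= len; i++)
        if (memcmp(buf + i, MALICIOUS_SIG, sizeof MALICIOUS_SIG) == 0) return true;
    return false;
}

/* The hooked read path the security driver installs: let the real read complete, inspect what
 * came back, and if it carries malicious code wipe the buffer and fail the request, so the
 * caller never receives the driver bytes. */
int filtered_read(const fake_disk *d, uint32_t lba, uint32_t count, uint8_t *buf)
{
    int st = lower_read(d, lba, count, buf);
    if (st != READ_OK) return st;
    if (contains_signature(buf, (size_t)count * SECTOR_SIZE)) {
        memset(buf, 0, (size_t)count * SECTOR_SIZE);
        return READ_ERR_BLOCKED;
    }
    return READ_OK;
}

/* Model of the MBR-resident loader: it reads the sectors holding its driver and "executes"
 * them only if the feature code is present, as the description says Ghost does. Returns true
 * when the driver would have been loaded. */
bool bootkit_try_load(const fake_disk *d, uint32_t lba, uint32_t count, read_fn read)
{
    uint8_t buf[MAX_XFER * SECTOR_SIZE];
    if (read(d, lba, count, buf) != READ_OK) return false;   /* lower_read bounds count */
    return contains_signature(buf, (size_t)count * SECTOR_SIZE);
}

/* Constructed disk image: sector 0 is a stand-in MBR; the driver's feature code straddles
 * sectors 99 and 100 (4 bytes at the end of 99, 4 at the start of 100). */
static fake_disk g_disk;

const fake_disk *build_sample_disk(void)
{
    memset(&g_disk, 0, sizeof g_disk);
    g_disk.sector[0][510] = 0x55; g_disk.sector[0][511] = 0xAA;
    memcpy(&g_disk.sector[99][SECTOR_SIZE - 4], MALICIOUS_SIG, 4);
    memcpy(&g_disk.sector[100][0], MALICIOUS_SIG + 4, 4);
    return &g_disk;
}

/* Issue one request against the sample disk through the chosen read path. */
int sample_read_status(read_fn read, uint32_t lba, uint32_t count)
{
    uint8_t buf[MAX_XFER * SECTOR_SIZE];
    if (count > MAX_XFER) return READ_ERR_RANGE;
    return read(build_sample_disk(), lba, count, buf);
}

/* A blocked read must not leak any of the driver bytes to the caller. */
bool blocked_read_is_wiped(void)
{
    uint8_t buf[2 * SECTOR_SIZE];
    if (filtered_read(build_sample_disk(), 99, 2, buf) != READ_ERR_BLOCKED) return false;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0) return false;
    return true;
}
```

With the unfiltered path the loader reads sectors 99 and 100, finds its feature code and would run the driver; through `filtered_read` the same request comes back as a failure with a zeroed buffer, so the code in the MBR has nothing to execute. Reading sector 99 or 100 on its own passes the filter because neither half is a complete signature on its own.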
Optionally, loading the security driver during startup of the operating system, when kernel initialization is performed, includes:
registering the security driver in the operating system's registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization while starting up.
Optionally, invoking the security driver after hard disk initialization has finished includes: when the security driver is loaded, registering a callback function with the system, so that the security driver is invoked by the operating system after hard disk initialization has finished.
Optionally, the method further includes:
clearing the malicious program in the master boot record.
Optionally, clearing the malicious program in the master boot record includes: rebuilding the master boot record.
Optionally, the method further includes:
deleting the malicious driver in the disk partition.
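The 512-byte MBR layout described in the background (boot code, partition table, end signature word) and the "rebuilding the master boot record" step above, as an added example in C that is not part of the patent: it parses an MBR the way the master boot code does (end-signature check, partition-table validity rules, active-partition lookup) and then rebuilds it by replacing only the boot-code bytes while keeping the disk signature and partition table, which is what an FDISK /MBR-style repair has to do. The sample MBR, its "infected" boot code and the CLEAN_BOOT_CODE stub are constructed placeholders (the stub is a self-jump, not a real boot loader), and all names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define MBR_SIZE        512
#define MBR_CODE_SIZE   440   /* boot code occupies bytes 0..439 (the part a bootkit overwrites) */
#define MBR_DISKSIG_OFF 440   /* 4-byte Windows disk signature, then 2 reserved bytes */
#define MBR_PT_OFF      446   /* partition table: 4 entries of 16 bytes */
#define MBR_ENDSIG_OFF  510   /* end signature word 0x55 0xAA */

typedef struct {
    uint8_t  status;     /* 0x80 = active (bootable), 0x00 = inactive; anything else is invalid */
    uint8_t  type;       /* partition type, e.g. 0x07 for NTFS */
    uint32_t lba_first;  /* first sector (stored little-endian on disk) */
    uint32_t sectors;    /* length in sectors */
} mbr_partition;

/* Placeholder "known-good" boot code (assumption): a 2-byte self-jump padded with zeros.
 * A real rebuild writes the operating system's standard MBR code here. */
static const uint8_t CLEAN_BOOT_CODE[MBR_CODE_SIZE] = { 0xEB, 0xFE };

static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* The end signature is the first thing checked before the sector is trusted as an MBR at all. */
bool mbr_has_signature(const uint8_t *mbr) { return mbr[MBR_ENDSIG_OFF] == 0x55 && mbr[MBR_ENDSIG_OFF + 1] == 0xAA; }

uint32_t mbr_disk_signature(const uint8_t *mbr) { return rd_le32(mbr + MBR_DISKSIG_OFF); }

mbr_partition mbr_partition_at(const uint8_t *mbr, int idx)
{
    const uint8_t *e = mbr + MBR_PT_OFF + 16 * idx;
    mbr_partition p = { e[0], e[4], rd_le32(e + 8), rd_le32(e + 12) };
    return p;
}

/* Table rules the master boot code enforces: end signature present, every status byte
 * 0x00 or 0x80, and at most one active entry. */
bool mbr_table_is_valid(const uint8_t *mbr)
{
    int active = 0;
    if (!mbr_has_signature(mbr)) return false;
    for (int i = 0; i < 4; i++) {
        uint8_t status = mbr_partition_at(mbr, i).status;
        if (status != 0x00 && status != 0x80) return false;
        if (status == 0x80) active++;
    }
    return active <= 1;
}

/* Index of the active partition the boot code would hand control to, or -1 if none/invalid. */
int mbr_find_active(const uint8_t *mbr)
{
    if (!mbr_table_is_valid(mbr)) return -1;
    for (int i = 0; i < 4; i++)
        if (mbr_partition_at(mbr, i).status == 0x80) return i;
    return -1;
}

bool mbr_boot_code_matches(const uint8_t *mbr, const uint8_t *code, size_t len)
{
    return len <= MBR_CODE_SIZE && memcmp(mbr, code, len) == 0;
}

/* Rebuild: overwrite only the boot-code bytes with known-good code and leave the disk
 * signature and partition table untouched (the FDISK /MBR behaviour). Refuses an MBR whose
 * end signature or table is invalid, because rewriting such a sector blindly can lose the partitions. */
bool mbr_rebuild(uint8_t *mbr, const uint8_t *code, size_t len)
{
    if (len > MBR_CODE_SIZE || !mbr_table_is_valid(mbr)) return false;
    memcpy(mbr, code, len);
    memset(mbr + len, 0, MBR_CODE_SIZE - len);
    return true;
}

/* Constructed sample MBR: boot code replaced by a NOP-sled placeholder standing in for an
 * infection, disk signature 0x12345678, one active NTFS-typed partition at LBA 2048. */
static uint8_t g_mbr[MBR_SIZE];

uint8_t *current_mbr(void) { return g_mbr; }

uint8_t *load_infected_sample(void)
{
    memset(g_mbr, 0x90, MBR_CODE_SIZE);
    memset(g_mbr + MBR_CODE_SIZE, 0, MBR_SIZE - MBR_CODE_SIZE);
    wr_le32(g_mbr + MBR_DISKSIG_OFF, 0x12345678u);
    uint8_t *e = g_mbr + MBR_PT_OFF;      /* partition entry 0 */
    e[0] = 0x80; e[4] = 0x07;
    wr_le32(e + 8, 2048u); wr_le32(e + 12, 204800u);
    g_mbr[MBR_ENDSIG_OFF] = 0x55; g_mbr[MBR_ENDSIG_OFF + 1] = 0xAA;
    return g_mbr;
}

/* Same sample with the end signature destroyed: a rebuild must refuse it rather than guess. */
uint8_t *load_unsigned_sample(void)
{
    load_infected_sample();
    g_mbr[MBR_ENDSIG_OFF] = 0x00;
    return g_mbr;
}
```

On a real system the 512 bytes come from raw sector access to the physical drive rather than from a static buffer; everything else, including the refusal to rewrite a sector whose table does not validate, is what a safe MBR repair does before it writes.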
According to another aspect of the present invention, an apparatus for processing a malicious program in the master boot record is provided, including: a loading unit, configured to load a security driver during startup of the operating system, when kernel initialization is performed;
a calling unit, configured to invoke the security driver after hard disk initialization has finished; a monitoring unit, configured to monitor read operations on the disk through the security driver;
a detecting unit, configured to inspect the data read/written when a read/write operation on the disk is observed and, if the data is found to contain malicious code, return a disk read failure, so as to sever the link between the malicious program in the master boot record and the malicious driver in the disk partition.
Optionally, the loading unit includes:
a registry writing unit, configured to register the security driver in the operating system's registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization while starting up.
Optionally, the calling unit includes:
a callback registration unit, configured to register a callback function with the system when the security driver is loaded, so that the security driver is invoked by the operating system after hard disk initialization has finished.
Optionally, the apparatus further includes:
a clearing unit, configured to clear the malicious program in the master boot record.
Optionally, the clearing unit includes:
a rebuilding sub-unit, configured to rebuild the master boot record.
Optionally, the apparatus further includes:
a deleting unit, configured to delete the malicious driver in the disk partition.
According to another aspect of the present invention, a device for processing a malicious program in the master boot record is provided, which includes any of the apparatuses for processing a malicious program in the master boot record described above.
根据本发明提供的具体实施例, 本发明公开了以下技术效果: 根据本发明的对主引导记录恶意程序进行处理的方法及装置, 可 以能够在系统启动的早期阶段, MBR、 B00TL0ADER、 B00TMGR等初始化 好后, 系统在初始化内核的时候, 加载安全驱动程序, 然后 H00K系统 读写磁盘的操作, 当读取的扇区内包含恶意代码的时候, 返回失败, 从而让恶意驱动无法被加载, 完全切断了 MBR和与恶意驱动之间的联 系, 使 MBR恶意程序完全失效, 进而可以轻易的处理残留的 MBR病毒 体, 有效的阻止此类恶意程序对计算机系统的破坏。 According to a specific embodiment provided by the present invention, the present invention discloses the following technical effects: The method and apparatus for processing a master boot record malicious program according to the present invention may be capable of initializing MBR, B00TL0ADER, B00TMGR, etc. in an early stage of system startup After that, when the system initializes the kernel, the security driver is loaded, and then the H00K system reads and writes the disk. When the read sector contains malicious code, the return fails, so that the malicious driver cannot be loaded, completely cut off. MBR and the connection with the malicious driver System, the MBR malicious program is completely invalid, and then the residual MBR virion can be easily handled, effectively preventing the damage of such malicious programs to the computer system.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the contents of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set forth below.

Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 shows a flow chart of a method according to one embodiment of the present invention; and FIG. 2 shows a schematic diagram of an apparatus according to one embodiment of the present invention.

Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope can be conveyed fully to those skilled in the art.
Referring to FIG. 1, the method for processing a master boot record malicious program provided by an embodiment of the present invention includes the following steps:
S101: during startup of the operating system, load the security driver while the kernel is being initialized.
In a modern operating system, applications cannot access the hardware directly; they use the hardware by calling interfaces provided by the operating system, and the operating system relies on kernel space to manage and schedule these applications. Kernel space consists of four major parts: process management (allocating CPU time), file access (presenting devices as a file system and providing a consistent interface for upper-layer programs to call), security control (enforcing the specific privileges and separate memory ranges of each process so that processes do not interfere with one another) and memory management (allocating, using, releasing and reclaiming memory resources while a process runs). The kernel is built on data structures, and rootkit techniques hide the processes, files, network communications and other related information of other programs (such as registry entries and the system log entries that a modification might generate) by modifying those kernel data structures.
A bootkit is a more advanced rootkit. By infecting the MBR (Master Boot Record), a bootkit bypasses kernel checks and achieves stealth from the moment of boot; that is, a bootkit is an MBR-based rootkit. Any technique that is loaded earlier than the Windows kernel at power-on and hijacks the kernel can be regarded as a bootkit, including the later BIOS rootkits, VBootkit, SMM rootkits and so on. Because an MBR virus (MBR bootkit) lives in the MBR, the driver it releases can disable most security tools and system utilities, and whenever the system is restarted the virus is loaded before the operating system kernel.
To counter such an MBR virus, the security driver must be loaded before the MBR virus loads its malicious driver. To that end, in the embodiment of the present invention the security driver is loaded before the hard-disk driver is initialized. Concretely, after the MBR, BOOTLOADER, BOOTMGR and so on have been initialized, the security driver is loaded while the system initializes the NT KERNEL, with the aim of gaining execution before the malicious driver belonging to the MBR area is loaded.
Here, BOOTLOADER is the system boot program that runs before the operating system kernel. It initializes the hardware devices and sets up the memory map, bringing the system's hardware and software environment into a suitable state so that the correct environment is ready for the final hand-off to the operating system kernel. Embedded systems usually have no firmware such as a BIOS (Basic Input Output System) (some embedded CPUs do embed a short startup program), so the entire task of loading and starting the system is carried out by the bootloader. BOOTMGR is short for Boot Manager, the boot manager used in Windows Vista and Windows 7; Windows XP has a similarly functioning boot manager, NTLDR. NT KERNEL is the system kernel.
Taking Windows as an example, the normal power-on sequence of a computer system is: power-on self-test -> the motherboard BIOS boots from the floppy disk, hard disk or optical drive according to the user-specified boot order -> the system BIOS reads the master boot record (MBR) into memory -> control passes to the master boot code -> the master boot code checks the state of the partition table and looks for the active partition -> the master boot code hands control to the boot record of the active partition, which loads the operating system startup files.
As can be seen from the above, the MBR is the first location read after the computer is powered on and the motherboard self-test completes. It lies at cylinder 0, head 0, sector 1 of the hard disk (LBA 0) and is 512 bytes in size. It is not part of any operating system or file system and cannot be read with the ordinary file-level disk commands the operating system provides; it is reached only through raw sector access.
When the computer is powered on, the BIOS runs first. After the BIOS self-test completes, it locates the master boot record (MBR) on the hard disk. The MBR code reads the DPT (Disk Partition Table), finds the active primary partition in it, and then reads the PBR (Partition Boot Record) of that active primary partition. The PBR in turn searches the partition for the boot manager file BOOTMGR and, once BOOTMGR is found, hands control to it. BOOTMGR reads the \BOOT\BCD file (BCD = Boot Configuration Data). If several operating systems are present and the timeout for choosing one is not 0, the operating system selection menu is shown on the display. If Windows 7 is chosen, BOOTMGR looks for WINDOWS\system32\winload.exe on the boot volume, and winload.exe loads the Windows 7 kernel, which starts the whole Windows 7 system. In short, under Windows 7 the process can be summarized as: BIOS -> MBR -> DPT -> PBR -> BOOTMGR -> BCD -> winload.exe -> kernel load -> the whole Windows 7 system. After the kernel has been loaded, starting the whole Windows 7 system requires first initializing the kernel and then initializing the hard disk; in the embodiment of the present invention, the security driver is loaded during that kernel-initialization phase.
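As an added example (this is not code from the patent or from its applicant), the following C program parses the 512-byte MBR layout that the boot chain above depends on: it checks the 0x55 0xAA boot signature, decodes the four 16-byte partition-table entries (the DPT), locates the active partition that the MBR code hands off to, compares the 446-byte boot-code region against a known-good copy, and rebuilds the boot code while preserving the partition table, which is the safe form of the MBR rebuild described later in this document. The sample MBR, the reference boot-code pattern and the overwritten bytes are all constructed here for illustration; no real bootkit bytes are used.

```c
/* Added example, not part of the patent: parse and repair a 512-byte MBR
 * image. The sample MBR and the "known-good" reference boot code are
 * constructed below for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE        512
#define MBR_CODE_SIZE   446   /* boot code occupies bytes 0..445 */
#define MBR_TABLE_OFF   446   /* four 16-byte partition entries follow */
#define MBR_SIG_OFF     510   /* 0x55 0xAA */

typedef struct {
    uint8_t  boot_indicator;   /* 0x80 = active (bootable) */
    uint8_t  chs_start[3];
    uint8_t  type;             /* e.g. 0x07 NTFS, 0xEE GPT protective */
    uint8_t  chs_end[3];
    uint32_t lba_start;        /* stored little-endian on disk */
    uint32_t sectors;
} mbr_entry_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode partition-table entry i (0..3) from the raw sector. */
void mbr_get_entry(const uint8_t *mbr, int i, mbr_entry_t *e) {
    const uint8_t *p = mbr + MBR_TABLE_OFF + 16 * i;
    e->boot_indicator = p[0];
    memcpy(e->chs_start, p + 1, 3);
    e->type = p[4];
    memcpy(e->chs_end, p + 5, 3);
    e->lba_start = le32(p + 8);
    e->sectors = le32(p + 12);
}

/* 1 if the sector ends with the 0x55 0xAA boot signature. */
int mbr_has_signature(const uint8_t *mbr) {
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

/* Index of the single active entry; -1 if none, -2 if more than one
 * (standard MBR boot code treats the latter as an invalid table). */
int mbr_active_partition(const uint8_t *mbr) {
    int found = -1;
    for (int i = 0; i < 4; i++) {
        if (mbr[MBR_TABLE_OFF + 16 * i] == 0x80) {
            if (found != -1) return -2;
            found = i;
        }
    }
    return found;
}

/* 1 if the boot-code region differs from the reference image. */
int mbr_bootcode_tampered(const uint8_t *mbr, const uint8_t *ref_code) {
    return memcmp(mbr, ref_code, MBR_CODE_SIZE) != 0;
}

/* Rebuild: restore the reference boot code but keep the partition table
 * and signature, so the repaired disk still boots the same partitions. */
void mbr_rebuild_bootcode(uint8_t *mbr, const uint8_t *ref_code) {
    memcpy(mbr, ref_code, MBR_CODE_SIZE);
    mbr[MBR_SIG_OFF] = 0x55;
    mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Constructed sample: the reference boot code is a byte pattern (a
 * hypothetical stand-in for the OS default MBR); the "infected" copy has
 * its first bytes overwritten, as a bootkit would do, and one NTFS
 * partition marked active at LBA 2048. */
void build_sample(uint8_t ref_code[MBR_CODE_SIZE], uint8_t mbr[MBR_SIZE]) {
    for (int i = 0; i < MBR_CODE_SIZE; i++) ref_code[i] = (uint8_t)(0x90 + (i & 7));
    memset(mbr, 0, MBR_SIZE);
    memcpy(mbr, ref_code, MBR_CODE_SIZE);
    const uint8_t patch[] = { 0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xE9 };  /* constructed overwrite */
    memcpy(mbr, patch, sizeof patch);
    uint8_t *e = mbr + MBR_TABLE_OFF;
    e[0] = 0x80; e[4] = 0x07;                                /* active, NTFS */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;     /* LBA 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x20; e[15] = 0x00;   /* 0x200000 sectors */
    mbr[MBR_SIG_OFF] = 0x55; mbr[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void) {
    uint8_t ref[MBR_CODE_SIZE], mbr[MBR_SIZE];
    build_sample(ref, mbr);
    int act = mbr_active_partition(mbr);
    printf("signature ok=%d active=%d tampered=%d\n",
           mbr_has_signature(mbr), act, mbr_bootcode_tampered(mbr, ref));
    if (act >= 0) {
        mbr_entry_t e;
        mbr_get_entry(mbr, act, &e);
        printf("active entry: type=0x%02x lba=%u sectors=%u\n",
               e.type, (unsigned)e.lba_start, (unsigned)e.sectors);
    }
    mbr_rebuild_bootcode(mbr, ref);
    printf("after rebuild: tampered=%d active=%d\n",
           mbr_bootcode_tampered(mbr, ref), mbr_active_partition(mbr));
    return 0;
}
```

The rebuild deliberately touches only bytes 0..445 and the signature. Overwriting the whole sector with a default image would also wipe the partition table, after which the disk no longer boots even though the bootkit code is gone.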
In a concrete implementation, to ensure that the security driver is loaded during kernel initialization in the operating-system startup process, the security driver can be registered in the operating system's registry as a system-reserved type (that is, as "system reserved"; in Windows terms, a service entry with Start value 0, a boot-start driver, placed in the earliest load-order group), which lets the system load the security driver as early as possible. In addition, the system's own simple file-reading mechanism has already read such files into memory via INT 13h in real mode, after which they are accessed in protected mode, so the system automatically loads drivers whose boot type in the registry is 0 into memory without going through the disk driver or the file-system driver.
S102: call the security driver after hard-disk initialization has finished.
After the security driver has been loaded, it still has to be called by the operating system before it can perform its work and have any real effect. Therefore, in a concrete implementation, a callback function is registered with the system when the security driver is loaded, so that as soon as the hard-disk driver has finished initializing the operating system calls the security driver and it begins running immediately.
The callback is registered with the system because the security driver needs to hook the hard-disk driver's operations, and that can only be done once the hard-disk driver has been initialized; registering a callback with the system ensures that the security driver gets to execute promptly after the hard-disk driver is initialized.
S103: after the security driver has been called, monitor disk read/write operations through the security driver.
Once the security driver is executing, it can monitor disk read operations. For the malicious program in the MBR area to connect with the malicious driver in the disk partition, it must read the malicious driver code from the disk partition into memory in order to load and run it, and reading that code into memory requires reading the disk. Because the security driver of this embodiment is loaded earlier than the malicious driver, the malicious program's disk reads and writes can be observed by the security driver. Concretely, disk read/write operations are monitored by hooking the read and write routines of the disk driver.
S104: when a disk read/write operation is observed, inspect the data being read/written; if the data is found to contain malicious code, return a disk read failure, so as to break the link between the malicious program in the master boot record and the malicious driver in the disk partition.
Once it observes a disk read, the security driver can intercept the data that was read and check it. If the data contains malicious code, this indicates that the malicious program in the MBR area is probably reading the malicious driver code from the disk, so the driver can simply return a disk read failure. The malicious driver code then never reaches memory and cannot run, which breaks the link between the malicious program in the MBR and the malicious driver in the disk partition. Once that link is broken, the malicious program in the MBR and the malicious driver can remain on the disk without doing any harm to the user's computer. For example, the Ghost Shadow 5 (鬼影 5) bootkit checks each sector it reads for a particular signature; if the signature matches, it treats the data as its malicious driver code and executes it. Altering that data so that the bootkit believes nothing was read makes it skip that step and avoids running the malicious code. Existing techniques can be used to detect whether read data contains malicious code, and they are not described further here.

Of course, to further secure the user's computer, after the link between the malicious program in the MBR and the malicious driver on the disk has been broken, the malicious program in the MBR can also be cleared, and the malicious driver in the disk partition can be deleted. The malicious driver is stored on the disk, so it can be deleted directly with ordinary disk operation commands. The malicious program in the MBR, however, is located in the MBR at cylinder 0, head 0, sector 1 of the hard disk, 512 bytes in size; it belongs to no operating system and cannot be read with the disk operation commands the operating system provides, so it is cleared by rebuilding the MBR or similar means. An existing application for rebuilding the MBR can be invoked for this purpose; concretely, the program of this embodiment can write the system's default MBR into the MBR area, or the system command FDISK /MBR can be used to restore the MBR area. The rebuild should replace only the boot-code portion of the sector and leave the partition table intact, which is what FDISK /MBR does.
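As an added example (this is not code from the patent or from its applicant), the following user-mode C model shows the mechanism of steps S102 to S104 above: a boot-start driver registers a callback at load time, the callback runs only after the disk stack has initialized and installs a hook on the read path, and the hook inspects each completed read, wiping the buffer and returning a read failure when the data matches a malicious-code signature. The in-memory disk, the signature bytes, the callback mechanism and the status codes are all constructed for illustration; a real implementation is a kernel-mode driver hooking the storage driver's dispatch routines, and the signature match stands in for the existing detection technology the text refers to.

```c
/* Added example, not part of the patent: model of the security driver's
 * load-time callback and disk-read hook. Everything here (the disk, the
 * signature, the registration mechanism, the status codes) is constructed
 * for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR 512
#define NSECT  8
enum { IO_OK = 0, IO_READ_FAILED = -1, IO_BAD_RANGE = -2 };

typedef int  (*read_fn_t)(uint32_t lba, uint32_t count, uint8_t *buf);
typedef void (*reinit_cb_t)(void);

/* Constructed 8-sector disk; sector 5 carries the "malicious driver". */
static uint8_t g_disk[NSECT * SECTOR];
/* Hypothetical signature of the malicious driver body (constructed). */
static const uint8_t MAL_SIG[] = { 0x4D, 0x5A, 0x90, 0x00, 'e','v','i','l','d','r','v' };

static read_fn_t   g_read_fn;       /* current entry of the disk read path */
static read_fn_t   g_orig_read;     /* saved original, called by the hook */
static reinit_cb_t g_reinit_cb;     /* callback to run after disk init */
static int         g_blocked_reads;

/* Lower-level read routine that the hook wraps. */
static int disk_read_raw(uint32_t lba, uint32_t count, uint8_t *buf) {
    if (count == 0 || lba >= NSECT || lba + count > NSECT) return IO_BAD_RANGE;
    memcpy(buf, g_disk + (size_t)lba * SECTOR, (size_t)count * SECTOR);
    return IO_OK;
}

/* Detection: scan the whole completed buffer, so a signature inside any
 * sector of a multi-sector read is still found. */
int buffer_contains_malicious_code(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + sizeof MAL_SIG <= len; i++)
        if (memcmp(buf + i, MAL_SIG, sizeof MAL_SIG) == 0) return 1;
    return 0;
}

/* The hook: let the original read complete, inspect the data, and on a
 * hit wipe the buffer and report failure, so the MBR code that issued the
 * read gets neither the driver image nor a success status. */
static int disk_read_hooked(uint32_t lba, uint32_t count, uint8_t *buf) {
    int rc = g_orig_read(lba, count, buf);
    if (rc != IO_OK) return rc;
    size_t len = (size_t)count * SECTOR;
    if (buffer_contains_malicious_code(buf, len)) {
        memset(buf, 0, len);
        g_blocked_reads++;
        return IO_READ_FAILED;
    }
    return IO_OK;
}

/* Callback registered at driver load; it runs only once the disk stack
 * exists, which is when there is a read routine to hook. */
static void security_driver_reinit(void) {
    g_orig_read = g_read_fn;
    g_read_fn   = disk_read_hooked;
}

/* Model of the boot-start driver's entry point (steps S101/S102). */
void security_driver_entry(void) { g_reinit_cb = security_driver_reinit; }

/* Model of disk initialization: the read path comes up, then registered
 * callbacks run. Also resets the model so each run starts clean. */
void disk_stack_init(void) {
    for (size_t i = 0; i < sizeof g_disk; i++) g_disk[i] = (uint8_t)(i * 7 + 3);
    memcpy(g_disk + 5 * SECTOR + 100, MAL_SIG, sizeof MAL_SIG);  /* buried mid-sector */
    g_read_fn = disk_read_raw;
    g_blocked_reads = 0;
    if (g_reinit_cb) g_reinit_cb();
}

/* What every consumer (including MBR-resident code) calls to read. */
int disk_read(uint32_t lba, uint32_t count, uint8_t *buf) { return g_read_fn(lba, count, buf); }
int blocked_read_count(void) { return g_blocked_reads; }
int hook_installed(void) { return g_read_fn == disk_read_hooked; }

int main(void) {
    uint8_t buf[2 * SECTOR];
    g_reinit_cb = NULL;
    disk_stack_init();                        /* unprotected boot: no driver */
    int rc = disk_read(5, 1, buf);
    printf("no driver:  sector 5 rc=%d (driver image delivered)\n", rc);
    security_driver_entry();                  /* driver loaded before disk init */
    disk_stack_init();
    rc = disk_read(5, 1, buf);
    printf("with hook:  sector 5 rc=%d buf[0]=0x%02x\n", rc, buf[0]);
    rc = disk_read(4, 2, buf);
    printf("with hook:  sectors 4-5 rc=%d blocked=%d\n", rc, blocked_read_count());
    return 0;
}
```

The ordering is the whole point: if `security_driver_entry()` is not called before `disk_stack_init()`, the read of sector 5 succeeds and the caller receives the driver image, which is exactly the situation the early load in S101 is meant to prevent.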
In summary, once the malicious program in the MBR gains execution from the MBR, it hooks INT 13h, hooks again while BOOTMGR is loading and again while the NT KERNEL is loading, and then loads its own malicious driver code, achieving complete self-protection. For example, the malicious program in the MBR hooks the low-level system driver ATAPI.SYS and the file-system driver NTFS.SYS, so that a security program can obtain neither the real contents of the disk files nor the original MBR; everything it sees is redirected, false information. In other words, once the malicious driver is loaded, it is very difficult for a security program to detect and remove it.
Therefore, what the embodiment of the present invention does is, at an early stage of system startup, after the MBR, BOOTLOADER, BOOTMGR and so on have been initialized, load the security driver while the system initializes the NT KERNEL and then hook the system's disk read and write operations. When a sector that is read contains malicious code, failure is returned, so the malicious driver cannot be loaded. This completely cuts the link between the MBR and the malicious driver, renders the MBR malicious program ineffective and makes it easy to deal with the residual MBR virus body.
Corresponding to the method for processing a master boot record malicious program provided by the embodiment of the present invention, an embodiment of the present invention also provides an apparatus for processing a master boot record malicious program. Referring to FIG. 2, the apparatus may include:
a loading unit 201, configured to load the security driver while the kernel is being initialized during startup of the operating system;
a calling unit 202, configured to call the security driver after hard-disk initialization has finished; a monitoring unit 203, configured to monitor disk read/write operations through the security driver after the security driver has been called; and a detection unit 204, configured to inspect the data being read/written when a disk read/write operation is observed and, if the data is found to contain malicious code, return a disk read failure so as to break the link between the malicious program in the master boot record and the malicious driver in the disk partition.
In a concrete implementation, the loading unit 201 may include:
a registry writing unit, configured to register the security driver in the operating system's registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization in the startup process.
The calling unit 202 may include:
a callback-function registration unit, configured to register a callback function with the system when the security driver is loaded, so that the security driver is called by the operating system after hard-disk initialization has completed.
To further secure the user's computer, after the link between the malicious program in the MBR and the malicious driver on the disk has been broken, the malicious program in the MBR can also be cleared; in that case the apparatus may further include:
a clearing unit, configured to clear the malicious program from the master boot record.
Because the MBR is located at cylinder 0, head 0, sector 1 of the hard disk, is 512 bytes in size, belongs to no operating system and cannot be read with the disk operation commands the operating system provides, the malicious program in the MBR is cleared by rebuilding the MBR or similar means. Accordingly, the clearing unit includes:
a rebuilding sub-unit, configured to rebuild the master boot record.
In addition, to further secure the user's computer, the apparatus may further include: a deleting unit, configured to delete the malicious driver from the disk partition.
Because the malicious driver is stored in the disk partition, the malicious driver code can be deleted from the disk partition with disk operation commands.
In summary, the apparatus provided by the embodiment of the present invention can, at an early stage of system startup, after the MBR, BOOTLOADER, BOOTMGR and so on have been initialized, load the security driver while the system initializes the kernel and then hook the system's disk read and write operations. When a sector that is read contains malicious code, failure is returned, so the malicious driver cannot be loaded. This completely cuts the link between the MBR and the malicious driver, renders the MBR malicious program ineffective and makes it easy to deal with the residual MBR virus body.
In addition, an embodiment of the present invention provides a device for processing a master boot record malicious program. It should be noted that, in a concrete implementation, the device that processes the master boot record malicious program can, by means of its CPU, memory, hard disk, BIOS and other related components, effectively prevent malicious programs appearing in the MBR area from damaging the computer system.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the above description. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein can be implemented in a variety of programming languages, and the description above of a particular language is given in order to disclose the best mode of the present invention.
Numerous specific details are set forth in the description provided herein. It will be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and aid in understanding one or more of the various inventive aspects, various features of the present invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the present invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment can be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and they can moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for processing a master boot record malicious program according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims

1. A method for processing a master boot record malicious program, comprising:
during startup of the operating system, loading a security driver while the kernel is being initialized;
calling the security driver after hard-disk initialization has finished;
monitoring disk read operations through the security driver; and
when a disk read/write operation is observed, inspecting the data being read/written and, if the data is found to contain malicious code, returning a disk read failure, so as to break the link between the malicious program in the master boot record and the malicious driver in the disk partition.
2. The method according to claim 1, wherein loading the security driver while the kernel is being initialized during startup of the operating system comprises:
registering the security driver in the operating system's registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization in the startup process.
3. The method according to claim 1 or 2, wherein calling the security driver after hard-disk initialization has finished comprises:
when the security driver is loaded, registering a callback function with the system, so that the security driver is called by the operating system after hard-disk initialization has finished.
4. The method according to claim 1 or 2, further comprising:
对所述主引导记录中的恶意程序进行清除。 Remove malicious programs from the master boot record.
5、 根据权利要求 4所述的方法, 所述对所述主引导记录中的恶意 程序进行清除包括: 5. The method of claim 4, wherein removing malicious programs in the master boot record includes:
重建主引导记录。 Rebuild the master boot record.
6、 根据权利要求 1或 2所述的方法, 还包括: 6. The method according to claim 1 or 2, further comprising:
对所述磁盘分区中的恶意驱动程序进行删除。 Delete malicious drivers from the disk partition.
7、 一种对主引导记录恶意程序进行处理的装置, 包括: 7. A device for processing master boot record malicious programs, including:
加载单元, 用于在启动操作系统的过程中, 进行内核初始化时, 加载安全驱动程序; The loading unit is used to load the security driver during kernel initialization during the startup of the operating system;
调用单元, 用于在硬盘初始化结束后调用所述安全驱动程序; 监控单元, 用于通过所述安全驱动程序对磁盘的读取操作进行监 控; 检测单元, 用于当监控到磁盘的读取 /写入操作发生时, 对读取 / 写入的数据进行检测, 如果检测出所述读取 /写入的数据中包含恶意代 码, 返回磁盘读取失败, 以阻断主引导记录中的恶意程序与磁盘分区 中的恶意驱动程序之间的联系。 The calling unit is used to call the security driver after the hard disk initialization is completed; the monitoring unit is used to monitor the reading operation of the disk through the security driver; The detection unit is used to detect the read/write data when the read/write operation of the disk is monitored. If it is detected that the read/written data contains malicious code, return to the disk read operation. to block the connection between a malicious program in the master boot record and a malicious driver in a disk partition.
8、 根据权利要求 7所述的装置, 所述加载单元包括: 8. The device according to claim 7, the loading unit includes:
注册表写入单元, 用于在操作系统的注册表中将安全驱动程序注 册为系统预留类型, 以便操作系统在启动过程中, 进行内核初始化时, 加载安全驱动程序。 The registry writing unit is used to register the security driver as a system reserved type in the operating system's registry, so that the operating system can load the security driver during kernel initialization during startup.
9、 根据权利要求 7或 8所述的装置, 所述调用单元包括: 回调函数注册单元, 用于在所述安全驱动程序被加载时, 向系统 注册回调函数, 以便在硬盘初始化结束之后所述安全驱动程序被操作 系统调用。 9. The device according to claim 7 or 8, the calling unit includes: a callback function registration unit, configured to register a callback function with the system when the security driver is loaded, so that after the hard disk initialization is completed, the The security driver is called by the operating system.
10、 根据权利要求 7或 8所述的装置, 还包括: 10. The device according to claim 7 or 8, further comprising:
清除单元, 用于对所述主引导记录中的恶意程序进行清除。 A cleaning unit, configured to clear malicious programs in the master boot record.
11、 根据权利要求 10所述的装置, 所述清除单元包括: 11. The device according to claim 10, the cleaning unit includes:
重建子单元, 用于重建主引导记录。 Rebuild subunit, used to rebuild the master boot record.
12、 根据权利要求 7或 8所述的装置, 还包括: 12. The device according to claim 7 or 8, further comprising:
删除单元, 用于对所述磁盘分区中的恶意驱动程序进行删除。 The deletion unit is used to delete malicious drivers in the disk partition.
13、 一种对主引导记录恶意程序进行处理的设备, 包括权利要求 7 至 12任一项所述的对主引导记录恶意程序进行处理的装置。 13. A device for processing a master boot record malicious program, including the device for processing a master boot record malicious program according to any one of claims 7 to 12.
14、 一种计算机程序, 包括计算机可读代码, 当所述计算机可读 代码在服务器上运行时, 导致所述服务器执行根据权利要求 1-6 中的 任一个所述的对主引导记录恶意程序进行处理的方法。 14. A computer program, comprising computer readable code, when the computer readable code is run on a server, causing the server to execute the master boot record malicious program according to any one of claims 1-6 The method of processing.
15、 一种计算机可读介质, 其中存储了如权利要求 1-6 中任一项 所述的对主引导记录恶意程序进行处理的方法。 15. A computer-readable medium in which the method for processing a master boot record malicious program as described in any one of claims 1-6 is stored.
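The following is an added illustration of the two mechanisms the claims describe, written as a user-mode C model; it is not code from the patent or from its applicant. Claim 1 amounts to a disk filter that inspects the data a read returns and fails the read on a hit, so the MBR-resident loader never obtains the driver it expects to find in the partition; claim 5 amounts to rewriting the boot-code area of sector 0 while keeping the partition table and the 0x55AA signature. The kernel plumbing the claims leave unspecified (a boot-start driver and a callback invoked once disks are initialized, which on Windows would normally be the driver's registry Start value and IoRegisterBootDriverReinitialization) is assumed and not modelled. The 8-byte "malicious" signature, the partition entry and the clean boot stub are constructed for the demo and are not signatures or code from the page.

```c
/* Added example, not code from the patent or its applicant: a user-mode C model
 * of the read-filtering and MBR-rebuild steps in the claims. Kernel plumbing
 * (boot-start registration, post-disk-init callback, IRP completion) is assumed.
 * The signature, partition entry and clean boot stub are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE     512
#define MBR_CODE_SIZE   446   /* bytes 0..445: boot code, the part a bootkit overwrites */
#define MBR_PTABLE_OFF  446   /* bytes 446..509: four 16-byte partition entries */
#define MBR_SIG_OFF     510   /* bytes 510..511: 0x55 0xAA boot signature */

/* Constructed stand-in for the detector's malicious-code pattern (assumption). */
static const uint8_t MALICIOUS_SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xBA, 0xAD, 0xF0, 0x0D };

enum { READ_OK = 0, READ_FAILED = -1 };   /* status the filter hands back to the caller */

/* Detection unit: does the buffer returned by a read contain the pattern? */
int contains_malicious_code(const uint8_t *buf, size_t len)
{
    if (len < sizeof MALICIOUS_SIG) return 0;
    for (size_t i = 0; i + sizeof MALICIOUS_SIG <= len; i++)
        if (memcmp(buf + i, MALICIOUS_SIG, sizeof MALICIOUS_SIG) == 0) return 1;
    return 0;
}

/* Read-completion hook (claim 1): on a hit, scrub the buffer and report the read
 * as failed, so the MBR-resident loader never obtains its driver payload. */
int filter_read_completion(uint8_t *buf, size_t len)
{
    if (!contains_malicious_code(buf, len)) return READ_OK;
    memset(buf, 0, len);
    return READ_FAILED;
}

int mbr_has_valid_signature(const uint8_t mbr[SECTOR_SIZE])
{
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

/* Cleanup unit (claim 5): rebuild the MBR by replacing only the boot-code area.
 * The partition table is left untouched and the signature is rewritten, so the
 * disk layout survives the repair. Returns 0 on success, -1 if the code does not fit. */
int rebuild_mbr(uint8_t mbr[SECTOR_SIZE], const uint8_t *clean_code, size_t clean_len)
{
    if (clean_len > MBR_CODE_SIZE) return -1;
    memcpy(mbr, clean_code, clean_len);
    memset(mbr + clean_len, 0, MBR_CODE_SIZE - clean_len);
    mbr[MBR_SIG_OFF] = 0x55;
    mbr[MBR_SIG_OFF + 1] = 0xAA;
    return 0;
}

/* Constructed partition entry: bootable, type 0x07, start LBA 2048, 1000000 sectors. */
static const uint8_t DEMO_ENTRY[16] = { 0x80, 0, 0, 0, 0x07, 0, 0, 0,
                                        0x00, 0x08, 0x00, 0x00, 0x40, 0x42, 0x0F, 0x00 };
/* Constructed clean boot stub (cli; xor ax,ax; mov ss,ax); a placeholder, not real boot code. */
static const uint8_t DEMO_CLEAN_CODE[] = { 0xFA, 0x33, 0xC0, 0x8E, 0xD0 };

/* Build an "infected" sector: valid partition table and signature, pattern inside boot code. */
static void make_infected_mbr(uint8_t mbr[SECTOR_SIZE])
{
    memset(mbr, 0, SECTOR_SIZE);
    memcpy(mbr + 100, MALICIOUS_SIG, sizeof MALICIOUS_SIG);
    memcpy(mbr + MBR_PTABLE_OFF, DEMO_ENTRY, sizeof DEMO_ENTRY);
    mbr[MBR_SIG_OFF] = 0x55;
    mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Scenario 1: a read of the infected sector is reported failed and the data scrubbed. */
int demo_read_is_blocked(void)
{
    uint8_t buf[SECTOR_SIZE];
    make_infected_mbr(buf);
    return filter_read_completion(buf, SECTOR_SIZE) == READ_FAILED
        && !contains_malicious_code(buf, SECTOR_SIZE);
}

/* Scenario 2: after rebuild the pattern is gone; partition table and signature are intact. */
int demo_rebuild_keeps_layout(void)
{
    uint8_t mbr[SECTOR_SIZE];
    make_infected_mbr(mbr);
    if (rebuild_mbr(mbr, DEMO_CLEAN_CODE, sizeof DEMO_CLEAN_CODE) != 0) return 0;
    return !contains_malicious_code(mbr, SECTOR_SIZE)
        && memcmp(mbr + MBR_PTABLE_OFF, DEMO_ENTRY, sizeof DEMO_ENTRY) == 0
        && memcmp(mbr, DEMO_CLEAN_CODE, sizeof DEMO_CLEAN_CODE) == 0
        && mbr_has_valid_signature(mbr);
}

int main(void)
{
    printf("infected read blocked: %s\n", demo_read_is_blocked() ? "yes" : "no");
    printf("rebuild keeps layout:  %s\n", demo_rebuild_keeps_layout() ? "yes" : "no");
    return 0;
}
```

Two practical points the claims leave open. First, the rebuild here touches only bytes 0..445 and the signature; a bootkit that has altered the partition table, or that keeps its body in the unpartitioned sectors between the MBR and the first partition, is not repaired by this step alone, which is why claim 6 (deleting the driver from the partition) is listed separately. Second, failing the read in the filter must happen before the requestor sees the data, which is why the model scrubs the buffer as well as returning the failure status.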
PCT/CN2013/084467 2012-09-29 2013-09-27 Method and apparatus for processing malicious program in master boot record WO2014048367A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201210380353.XA CN102867141B (en) 2012-09-29 2012-09-29 Method and device for processing master boot record malicious programs
CN201210375717.5A CN102930201B (en) 2012-09-29 2012-09-29 Method and device for processing master boot record malicious programs

Publications (1)

Publication Number Publication Date
WO2014048367A1 (en) 2014-04-03

Family

ID=50387012

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/084467 WO2014048367A1 (en) 2012-09-29 2013-09-27 Method and apparatus for processing malicious program in master boot record

Country Status (1)

Country Link
WO (1) WO2014048367A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101477600A (en) * 2009-01-20 2009-07-08 中国人民解放军保密委员会技术安全研究所 Software automatic protection system and security card based on firmware
CN102332070A (en) * 2011-09-30 2012-01-25 中国人民解放军海军计算技术研究所 Trust chain transfer method for trusted computing platform
CN102867141A (en) * 2012-09-29 2013-01-09 北京奇虎科技有限公司 Method and device for processing master boot record malicious programs
CN102930201A (en) * 2012-09-29 2013-02-13 北京奇虎科技有限公司 Method and device for processing rogue program of master boot record


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LUO, XIAOYONG ET AL.: "Analysis of the Worm Virus", GANSU SCIENCE AND TECHNOLOGY, vol. 24, no. 16, August 2008 (2008-08-01), pages 48 - 51 *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 13840349; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 13840349; Country of ref document: EP; Kind code of ref document: A1