A study of code vulnerabilities that can penetrate restore cards and restore software

Source: Internet
Author: User
Code that can penetrate restore cards and restore software
CVC/GB, the wind-like man
Restore cards and restore software are widely used in public places such as school computer rooms and internet cafes. These restore cards and restore software (hereinafter, virtual restore technology) record every write operation on the hard disk: whether you copy files onto the disk, move or delete them, or even format a partition, as soon as the machine reboots everything reverts to the state before those operations. Some virtual restore vendors have even added the phrase "can prevent all computer viruses" to their advertising. Most of the time this kind of virtual restore does protect the machines in a public computer room well, but is there really no way to get past this protection mechanism? No; there is, and I will go through it below, one step at a time.
First, the principle of virtual restore technology
This article describes the restore technology commonly used in restore cards and restore software. Of course, products from different manufacturers and brands are not all the same, but the principle is shared.
To begin with, the restore card or restore software takes control at boot: it saves the original head 0, cylinder 0, sector 1 (the master boot sector) to some other sector (which sector it is backed up to varies) and writes its own code into head 0, cylinder 0, sector 1, so that it runs before the operating system, much like a boot-sector virus. Let's look at what virtual restore technology does before the operating system starts:
1. Save the entry address of INT13h from the interrupt vector table;
2. Write its own replacement INT13h code into memory and remember its entry address. Of course, this "writing to memory" is not an ordinary write but what we call making the code "resident"; there is no space here to describe how a resident program is implemented, so if this is unfamiliar, look up the relevant material, or find the wind-like man at www.hackart.org or www.lsky.net to discuss it;
3. Change the INT13h entry in the interrupt vector table to the entry address of the resident program. In addition, after modifying the INT13h entry, a virtual restore program will often hook several other interrupt entries as well (again through the resident program); their job is to monitor the INT13h entry in the interrupt vector table and, as soon as it is found to have been modified, change it back. This is done to stop careful people from cracking it.
Well, as you can see, the code that replaces the BIOS-provided INT13h is the key to virtual restore technology. So what does this code do? The following is my humble understanding:
1. Intercept all INT13h operations on head 0, cylinder 0, sector 1
This covers both reads and writes: every operation on head 0, cylinder 0, sector 1 is redirected to the copy that the virtual restore program backed up, so that the virtual restore code can neither be corrupted nor read out and cracked. Even if you use a sector editor to view the master boot area, what you actually see is the backed-up copy of it.
2. Intercept all INT13h hard-disk write operations
This includes ordinary INT13h write operations that address the disk by head, track and sector, the extended INT13h write operations that address disks larger than 8G by sector address, and even the extended INT13h provided for some non-IDE interfaces.
What to do after intercepting a write is the key to implementing virtual restore technology. Under early DOS systems it could simply "do nothing", that is, when the user wrote to the hard disk nothing was actually done. Today's operating systems, however, must perform some necessary writes to the hard disk, such as writes to virtual memory; as we all know, virtual memory is really the hard disk, and if the operating system were forbidden to write to the disk the consequences are unthinkable. So the approach most virtual restore vendors take is to set aside some hard disk space, keep a record of the write operations there, and discard that record when the system restarts. How exactly the hard disk writes are recorded is a problem I have not figured out; the "science" here lies in the time taken and the amount of hard disk space occupied, in other words, in how to record hard disk writes using the least time and the least space. Friends who have ideas on this are welcome to discuss them with me;
3. Back up the contents of ports 70h and 71h, and at each run compare the current contents of ports 70h and 71h with the backup; if they differ, report that the BIOS has been modified, restore it, and verify the validity of the BIOS by password.
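As an added example that is not part of the original article, the following C model shows the two interception rules above and the "record writes, discard on reboot" behaviour in one small copy-on-write overlay. Sector 0 stands for head 0, cylinder 0, sector 1; the disk size, the sector contents and every function name are constructed for this example. The unfiltered read at the end is what a port-level read would see: a sector 0 that differs between the filtered and the unfiltered path is exactly the sign an integrity checker would use to notice that INT13h is hooked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR 512
#define NSECT  16   /* constructed toy disk: 16 sectors, LBA 0 = head 0/cyl 0/sector 1 */
/* Toy model of the filtered INT 13h described above (added example, not the
 * page's code): sector 0 reads are served from the backed-up MBR, every write
 * is recorded in a per-sector shadow, and a "reboot" discards the shadow. */
typedef struct {
    uint8_t  disk[NSECT][SECTOR];   /* real sectors; sector 0 holds the card's code */
    uint8_t  backup_mbr[SECTOR];    /* original MBR the card saved elsewhere */
    uint8_t *shadow[NSECT];         /* write log: NULL means sector untouched */
} vdisk;

static void vd_init(vdisk *vd, const uint8_t *orig_mbr, const uint8_t *card_code) {
    memset(vd, 0, sizeof *vd);
    memcpy(vd->backup_mbr, orig_mbr, SECTOR);   /* save the original sector 0 ... */
    memcpy(vd->disk[0], card_code, SECTOR);     /* ... and install the card's own code */
}

/* Filtered write: the real disk is never touched, only the shadow copy. */
static int vd_write(vdisk *vd, unsigned lba, const uint8_t *buf) {
    if (lba >= NSECT) return -1;
    if (!vd->shadow[lba] && !(vd->shadow[lba] = malloc(SECTOR))) return -1;
    memcpy(vd->shadow[lba], buf, SECTOR);
    return 0;
}

/* Filtered read: shadow first, then the MBR backup for sector 0, then the disk. */
static int vd_read(const vdisk *vd, unsigned lba, uint8_t *buf) {
    if (lba >= NSECT) return -1;
    const uint8_t *src = vd->shadow[lba] ? vd->shadow[lba]
                       : lba == 0        ? vd->backup_mbr
                       :                   vd->disk[lba];
    memcpy(buf, src, SECTOR);
    return 0;
}

/* Reboot: throw the write log away, so everything reverts to the saved state. */
static void vd_reboot(vdisk *vd) {
    for (unsigned i = 0; i < NSECT; i++) { free(vd->shadow[i]); vd->shadow[i] = NULL; }
}

/* Unfiltered access, as a port-level read would see it: ignores shadow and backup.
 * A mismatch between this and vd_read for sector 0 is the sign that INT 13h is hooked. */
static const uint8_t *vd_raw_sector(const vdisk *vd, unsigned lba) {
    return lba < NSECT ? vd->disk[lba] : NULL;
}
```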

Second, the PC interrupt mechanism
Interrupts provide the most basic hardware/software interface: a programmer does not need to understand the details of the hardware, and can complete a function simply by calling the interrupt service routine the system provides, which makes programming much more convenient. The mechanism works as follows. When an interrupt source raises an interrupt request, the CPU decides whether to respond (it may refuse while it is doing more important work). If it accepts, the CPU finishes the current instruction, pushes the breakpoint (the address of the next instruction), the contents of the registers and the state of the flag bits onto the stack to preserve them, and then jumps to the entry of the interrupt source's service routine. When the service routine finishes, the saved registers, flags and instruction pointer are restored, so the CPU returns to the breakpoint and continues with the next instruction.
To tell interrupts apart, the PC assigns each interrupt a number n: for example int 3H is the breakpoint interrupt, int 10H is the display interrupt, and today we are going to talk about int 13H, the disk read/write interrupt.
A full treatment of the PC interrupt mechanism would not fit in this space; what I give here is only an outline, so if it is unclear, consult other references or discuss it with me. What matters today is to take INT13h as an example and look at what an interrupt the BIOS provides actually does. A so-called BIOS interrupt is simply an interrupt whose service routine is supplied by your machine's BIOS; and what does that routine do? In the end, input and output operations on ports. Every port on a PC implements a particular function, so instead of calling the interrupt the BIOS provides, we can operate these ports directly with input and output instructions and achieve the same result as calling the BIOS interrupt, with one prerequisite: a detailed understanding of those ports. Conversely, one of the great benefits of the PC interrupt system is that it lets programmers write programs without knowing the hardware at the bottom of the system; from this point of view an interrupt is a bit like what we usually call "encapsulation". I am not sure the analogy is exact, but interrupts do "encapsulate" many details of the underlying system for us.

Third, the specific meaning of the hard disk read/write ports
The ports commonly used to operate the hard disk are 1F0h to 1F7h, with the following meanings:
Port   Access      Meaning
1F0H   read/write  Data register: holds the data being transferred (the program below moves it a word at a time with INSW)
1F1H   read        Error code of the last operation
1F2H   read/write  Number of sectors to read or write
1F3H   read/write  Sector number to read or write
1F4H   read/write  Low 8 bits of the cylinder number to read or write
1F5H   read/write  High 2 bits of the cylinder number (the other 6 bits are always 0)
1F6H   read/write  Drive number and head number to read or write:
                     bit 7     always 1
                     bit 6     always 0
                     bit 5     always 1
                     bit 4     0 for the first hard drive, 1 for the second hard drive
                     bits 3-0  head number to read or write
1F7H   read        Status after the last operation:
                     bit 7     controller busy
                     bit 6     disk drive ready
                     bit 5     write error
                     bit 4     seek complete
                     bit 3     1 when the sector buffer is ready
                     bit 2     disk data read and corrected
                     bit 1     set to 1 once per revolution of the disk
                     bit 0     the previous command ended with an error
       write       Command register: writing to this port issues the specified command:
                     50H  format track
                     20H  attempt to read a sector
                     21H  read a sector directly, without verifying that the sector is ready
                     22H  attempt to read a long sector (on earlier hard drives a sector was not necessarily 512 bytes but a value between 128 and 1024 bytes)
                     23H  read a long sector directly, without verifying that the sector is ready
                     30H  attempt to write a sector
                     31H  write a sector directly, without verifying that the sector is ready
                     32H  attempt to write a long sector
                     33H  write a long sector directly, without verifying that the sector is ready
Note: of course, after reading this table you will find that this method reads and writes the hard disk by head, cylinder and sector, but reading and writing hard disks larger than 8G is also done through ports 1F0h~1F7h ^_^
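As an added example (not part of the original article), the following C code turns the table above into two checkable pieces: an encoder that packs a CHS address into the 1F2h..1F6h register bytes with the range limits the bit layout implies, and a decision function for the status byte read from 1F7h. It generalises the polling loop of the program in the next section slightly, by also honouring bit 7 (busy) and bit 0 (error) instead of only bit 3. All names are constructed; sector count 0 (which on real drives means 256) is deliberately left out.

```c
#include <stdint.h>

/* Task-file port numbers and 1F7h status bits as listed in the page's table. */
enum { ATA_DATA = 0x1F0, ATA_ERROR = 0x1F1, ATA_SECCNT = 0x1F2, ATA_SECNUM = 0x1F3,
       ATA_CYL_LO = 0x1F4, ATA_CYL_HI = 0x1F5, ATA_DRVHD = 0x1F6, ATA_STATUS = 0x1F7 };
enum { ST_BSY = 0x80, ST_DRDY = 0x40, ST_WERR = 0x20, ST_SEEK = 0x10,
       ST_DRQ = 0x08, ST_CORR = 0x04, ST_INDEX = 0x02, ST_ERR = 0x01 };

/* Values to write to 1F2h..1F6h for one CHS transfer. */
typedef struct { uint8_t seccnt, secnum, cyl_lo, cyl_hi, drvhd; } ata_chs_regs;

/* Encode a CHS address into the register bytes; returns -1 when a field does
 * not fit: drive 0/1, head 0..15 (4 bits), cylinder 0..1023 (10 bits),
 * sector 1..255, count 1..255 (count 0 is left out of this example). */
static int ata_encode_chs(unsigned drive, unsigned cyl, unsigned head,
                          unsigned sector, unsigned count, ata_chs_regs *r) {
    if (drive > 1 || head > 15 || cyl > 1023 || sector < 1 || sector > 255 ||
        count < 1 || count > 255)
        return -1;
    r->seccnt = (uint8_t)count;
    r->secnum = (uint8_t)sector;
    r->cyl_lo = (uint8_t)(cyl & 0xFF);
    r->cyl_hi = (uint8_t)(cyl >> 8);                   /* only bits 1-0 ever set */
    r->drvhd  = (uint8_t)(0xA0 | (drive << 4) | head); /* bits 7,5 = 1, bit 6 = 0 */
    return 0;
}

/* The five OUTs of the page's program, in its order: 1F6h, 1F2h, 1F3h, 1F4h, 1F5h. */
static void ata_chs_out_sequence(const ata_chs_regs *r, uint16_t port[5], uint8_t val[5]) {
    port[0] = ATA_DRVHD;  val[0] = r->drvhd;
    port[1] = ATA_SECCNT; val[1] = r->seccnt;
    port[2] = ATA_SECNUM; val[2] = r->secnum;
    port[3] = ATA_CYL_LO; val[3] = r->cyl_lo;
    port[4] = ATA_CYL_HI; val[4] = r->cyl_hi;
}

/* What the polling loop should do after reading 1F7h:
 * 0 = keep polling, 1 = sector buffer ready, -1 = the command ended in error.
 * The other bits are only meaningful once bit 7 (busy) has cleared. */
static int ata_poll_decision(uint8_t status) {
    if (status & ST_BSY) return 0;
    if (status & ST_ERR) return -1;
    return (status & ST_DRQ) ? 1 : 0;
}
```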


Fourth, an example of operating the hard drive through the hard drive input/output ports
Let's look at an example program that reads the hard drive both with and without INT13h. The example describes in detail the ports used in a hard disk read operation, and it compares the master boot sector read through INT13h with the one read through port input/output, confirming that the two operations do the same thing.

.model small
.stack 100h
.data
buffer  db 512 dup(?)           ; sector read through the ports
buffer2 db 512 dup(?)           ; sector read through INT 13h
readmsg db 'The buffers match. Hard disk read using ports.$'
failmsg db 'The buffers do not match.$'   ; message added so that the program assembles
.code
start:
    mov ax,@data
    mov ds,ax
    mov es,ax                   ; INSW stores to ES:DI and INT 13h reads into ES:BX

    mov dx,1f6h                 ; drive number and head number to read
    mov al,0a0h                 ; drive 0, head 0 (bits 7 and 5 are always 1)
    out dx,al

    mov dx,1f2h                 ; number of sectors to read
    mov al,1                    ; read one sector
    out dx,al

    mov dx,1f3h                 ; sector number to read
    mov al,1                    ; sector number is 1
    out dx,al

    mov dx,1f4h                 ; low 8 bits of the cylinder to read
    mov al,0                    ; cylinder low 8 bits are 0
    out dx,al

    mov dx,1f5h                 ; high 2 bits of the cylinder
    mov al,0                    ; cylinder high 2 bits are 0 (through ports 1f4h and 1f5h
                                ; we have selected cylinder 0 for the read)
    out dx,al

    mov dx,1f7h                 ; command port
    mov al,20h                  ; attempt to read a sector
    out dx,al
still_going:
    in al,dx                    ; dx is still 1f7h, so this reads the status register
    test al,8                   ; bit 3: is the sector buffer ready?
    jz still_going              ; not ready: keep polling, continue once it is ready

    mov cx,512/2                ; loop count (512/2 words)
    mov di,offset buffer
    mov dx,1f0h                 ; data port
    rep insw                    ; transfer the data (INSW needs an 80186 or later)

; ------

    mov ax,201h                 ; the following reads head 0, cylinder 0, sector 1 with INT13h
    mov dx,80h                  ; first hard disk, head 0
    mov cx,1                    ; cylinder 0, sector 1
    mov bx,offset buffer2
    int 13h

    mov cx,512                  ; the following compares the data read out in the 2 ways
    mov si,offset buffer
    mov di,offset buffer2
    repe cmpsb
    jne failure
    mov ah,9
    mov dx,offset readmsg
    int 21h
    jmp good_exit
failure:
    mov ah,9
    mov dx,offset failmsg
    int 21h
good_exit:                      ; the following ends the program
    mov ax,4c00h                ; exit program
    int 21h
end start