The disk storage structure of computer viruses

Source: Internet
Author: User

Different types of computer viruses are stored on disk in different ways, so it helps to first review how DOS lays out a disk.

1. Division of disk space

A formatted disk is divided into the master boot record area (hard disks only), the boot record area, the file allocation table (FAT), the directory area and the data area. The master boot record and the boot record hold the information used when the DOS system starts.

The file allocation table (FAT) records how the sectors of the current disk are used. Each DOS disk holds two identical copies, FAT1 and FAT2; FAT2 is a backup. The FAT and the directory together manage the data area: the directory area stores the directory entries of the files on the disk, and the data area stores the contents of the files those entries name.

(1) General division of floppy disk space

When a floppy disk is formatted with the DOS external command FORMAT, the disk is divided into tracks and each track into sectors; the sectors are in turn grouped into five areas: the boot record area, file allocation table 1, file allocation table 2, the root directory area and the data area.

A floppy disk has a single boot area, located at side 0, track 0, sector 1. At startup it loads the two hidden system files IO.SYS and MSDOS.SYS into memory, and it supplies the disk I/O parameter table that DOS needs to read and write the disk. The file allocation table (FAT) is a register of the sectors occupied by every file on the disk. This table is extremely important: once it is damaged, the contents of files can no longer be located, and even someone proficient in DOS will find it hard and costly to repair files whose FAT entries are gone. For this reason the system keeps two identical file allocation tables when it divides the disk. The root directory is a register of every file on the disk; it mainly records each file's name, extension, attributes, length, creation date, creation time and other essential information.

(2) General division of hard disk space

DOS partitions disks of different types and media differently. A hard disk has a large capacity, and to let several operating systems share it and to boot the system from it, the hard disk is divided into a master boot record area and several system partitions.

Hard disk space is laid out in two parts. The first part is the first sector of the whole disk, called the master boot sector. It in turn holds two things: the master bootstrap program and the partition table. The master bootstrap program is the first program executed when the machine boots from the hard disk; it loads the boot program of the active partition, which carries on booting the system. The partition table registers, for each partition, its boot indicator, its operating system indicator, and the location and length of the disk space the partition occupies. The second part consists of the system partitions. Each partition is assigned to one operating system and can hold only that one system; within it, that system has its own boot record, file allocation table area, file directory area and data area. If the whole hard disk belongs to DOS, the information on it consists of five sections: the master boot program with its partition table, the partition boot program, the file allocation table area, the file root directory area and the file data area.

The master boot sector of a hard disk is special: it lies outside DOS's jurisdiction, so the DOS commands FORMAT, FDISK and DEBUG cannot touch it through DOS services. When this sector is damaged the hard disk cannot boot, FORMAT and FDISK cannot repair it, and neither DEBUG's L command nor its W command can reach the master boot sector (both address logical DOS sectors). It can be repaired only by calling INT 13H directly from DEBUG or by low-level formatting.
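The two halves of the master boot sector described above, the 446-byte master bootstrap program and the 4 × 16-byte partition table followed by the 55 AA signature, can be checked from a baseline recorded while the disk was known clean. The following is an added example, not code from the original article: it parses a constructed sample sector (the boot program, partition values and hash baseline are all invented for the example) and reports a rewritten boot program, a missing signature, or an abnormal set of active partitions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # 446 bytes of master boot program come first
PARTITION_ENTRY = "<B3sB3sII"     # boot indicator, CHS start, type, CHS end, LBA start, sectors
MBR_SIGNATURE = 0xAA55            # bytes 55 AA at offset 510

# Constructed sample master boot sector (not taken from any real disk):
# a two-byte placeholder boot program padded with NOPs, one active DOS
# partition, three empty partition entries, and the 55 AA signature.
SAMPLE_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 444
SAMPLE_PARTITION = struct.pack(
    PARTITION_ENTRY,
    0x80,              # boot indicator: 0x80 marks the active partition
    b"\x01\x01\x00",   # CHS start (head, sector, cylinder), unused here
    0x06,              # operating system indicator: 0x06 = DOS FAT16
    b"\xFE\x3F\x0F",   # CHS end, unused here
    63,                # first logical sector of the partition
    32000,             # length of the partition in sectors
)
SAMPLE_MBR = SAMPLE_BOOT_CODE + SAMPLE_PARTITION + b"\x00" * 48 + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a master boot sector into its boot program, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a master boot sector is exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        boot_ind, _chs_start, sys_ind, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, sector, offset)
        if sys_ind == 0:
            continue                      # an all-zero type means an unused entry
        partitions.append({
            "index": index,
            "active": boot_ind == 0x80,
            "system_type": sys_ind,
            "first_sector": lba_start,
            "sector_count": sectors,
        })
    return {
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Compare a master boot sector against a recorded baseline; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("55AA signature missing")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("master boot program differs from recorded baseline")
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly one")
    for p in info["partitions"]:
        if p["first_sector"] == 0:
            findings.append(f"partition {p['index']} starts at sector 0, overlapping the master boot sector")
    return findings


if __name__ == "__main__":
    baseline = parse_mbr(SAMPLE_MBR)["boot_code_sha256"]   # recorded while the disk was known clean
    print("clean sector:", check_mbr(SAMPLE_MBR, baseline) or "no findings")
    altered = bytearray(SAMPLE_MBR)
    altered[0:2] = b"\x90\x90"                              # simulate a rewritten boot program
    print("altered sector:", check_mbr(bytes(altered), baseline))
```

Because the master boot program is not managed by DOS, it rarely changes on a healthy system, so a hash of the first 446 bytes taken once is a durable baseline; the partition table, by contrast, legitimately changes whenever partitions are created or deleted, which is why the check only looks at its consistency rather than hashing it.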

 

2. Disk storage structure of system viruses

System viruses are viruses that infect the boot sector of the operating system, that is, the master boot sector and the DOS boot sector of a hard disk. They are stored on disk as follows. The virus program is split into two parts: the first part is stored in the disk's boot sector, the second part in other sectors of the disk. When the virus infects a disk, it first uses the FAT to find a blank cluster (if the second part occupies several clusters, it needs a run of contiguous blank clusters), then writes the second part of the virus together with the contents of the disk's original boot sector into that blank cluster, and finally writes the first part of the virus into the disk's boot sector.

Because disks differ, the location of the blank cluster holding the second part differs from disk to disk. When the virus enters the system it must load all of its code into memory: at system start the virus code in the disk boot sector is loaded, and as it executes it has to load the second part into memory, so the first part must know the cluster number, or the logical sector number, of the second part. Therefore, when the virus infects a disk, it not only writes its first part to the boot sector but also records, at disk offset 01F9, the cluster number of the second part (or the logical sector number of the first sector of that cluster).

Moreover, when DOS allocates disk space, every cluster must belong to a file. The clusters occupied by the second part of a system virus have no corresponding file name; they are accessed by direct disk reads and writes, so DOS might allocate them to a new file and overwrite them. To prevent this, immediately after writing the second part into the blank clusters, the virus registers these clusters in the FAT by forcibly marking them as bad clusters (FF7H); after that, DOS will no longer allocate them to new files.
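The five-area floppy layout described in section 1 and the bad-cluster trick described just above can both be checked from the disk image itself. The following is an added example, not code from the original article: it derives the FAT, root directory and data area offsets from the BIOS parameter block in the boot sector, verifies that FAT1 and FAT2 still agree, and then reads every cluster the FAT marks as bad (FF7H) to see whether it is empty, holds data, or holds what looks like a saved boot sector. The 16-sector FAT12 image, its file and its "hidden second part" filler are all constructed for the example; the classification heuristic is mine, not the article's.

```python
import struct

BAD_CLUSTER = 0xFF7   # FAT12 mark for an unusable cluster; DOS never allocates it


def fat12_get(fat: bytes, n: int) -> int:
    """Read 12-bit FAT entry n; two entries share three bytes."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write 12-bit FAT entry n without disturbing the neighbouring entry."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def layout(image: bytes) -> dict:
    """Locate the FAT, root directory and data areas from the BPB in sector 0."""
    bps, spc, reserved, nfats, root_entries, total_sectors, _media, spf = struct.unpack_from(
        "<HBHBHHBH", image, 0x0B)
    fat_start, fat_size = reserved * bps, spf * bps
    root_start = fat_start + nfats * fat_size
    data_start = root_start + root_entries * 32
    cluster_size = spc * bps
    return {"nfats": nfats, "fat_start": fat_start, "fat_size": fat_size,
            "root_start": root_start, "data_start": data_start, "cluster_size": cluster_size,
            "cluster_count": (total_sectors * bps - data_start) // cluster_size}


def cluster_bytes(image: bytes, lay: dict, n: int) -> bytes:
    """Data clusters are numbered from 2, starting right after the root directory."""
    off = lay["data_start"] + (n - 2) * lay["cluster_size"]
    return image[off:off + lay["cluster_size"]]


def looks_like_boot_sector(data: bytes) -> bool:
    """A saved DOS boot sector begins with a JMP (EB or E9) and ends with 55 AA."""
    return len(data) >= 512 and data[0] in (0xEB, 0xE9) and data[510:512] == b"\x55\xAA"


def analyze_image(image: bytes) -> dict:
    """Compare the FAT copies and classify the contents of every cluster marked bad."""
    lay = layout(image)
    fats = [image[lay["fat_start"] + i * lay["fat_size"]:lay["fat_start"] + (i + 1) * lay["fat_size"]]
            for i in range(lay["nfats"])]
    bad = []
    for n in range(2, 2 + lay["cluster_count"]):
        if fat12_get(fats[0], n) != BAD_CLUSTER:
            continue
        data = cluster_bytes(image, lay, n)
        if looks_like_boot_sector(data):
            bad.append((n, "boot sector image"))
        elif any(data):
            bad.append((n, "non-zero data"))
        else:
            bad.append((n, "empty"))
    return {"fats_identical": all(f == fats[0] for f in fats[1:]),
            "bad_clusters": bad,
            "suspicious": [n for n, kind in bad if kind != "empty"]}


def build_sample_image() -> bytes:
    """Constructed 16-sector FAT12 image: boot sector, FAT1, FAT2, root directory, data area."""
    bps, spc, reserved, nfats, root_entries, total_sectors, spf = 512, 1, 1, 2, 16, 16, 1
    boot = bytearray(bps)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHBHHBH", boot, 0x0B, bps, spc, reserved, nfats, root_entries,
                     total_sectors, 0xF0, spf)
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(spf * bps)
    fat12_set(fat, 0, 0xFF0)                                 # reserved entries 0 and 1
    fat12_set(fat, 1, 0xFFF)
    fat12_set(fat, 2, 3)                                     # README.TXT occupies clusters 2-3
    fat12_set(fat, 3, 0xFFF)
    for n in (5, 6, 9):                                      # clusters marked bad (FF7H)
        fat12_set(fat, n, BAD_CLUSTER)
    root = bytearray(root_entries * 32)
    root[0:32] = b"README  TXT" + b"\x20" + b"\x00" * 14 + struct.pack("<HI", 2, 600)
    data = bytearray((total_sectors - reserved - nfats * spf) * bps - root_entries * 32)

    def put(n, payload):
        data[(n - 2) * bps:(n - 2) * bps + len(payload)] = payload

    put(2, b"ordinary file content\n")
    put(5, b"CONSTRUCTED PLACEHOLDER FOR A HIDDEN SECOND PART " * 10)   # filler, not code
    put(6, bytes(boot))                                      # saved copy of the original boot sector
    return bytes(boot) + bytes(fat) * nfats + bytes(root) + bytes(data)


if __name__ == "__main__":
    print(analyze_image(build_sample_image()))
```

A cluster marked bad by FORMAT may still hold stale data, so a non-zero bad cluster is a lead rather than proof; a bad cluster whose 512 bytes are a complete boot sector, however, is exactly the artifact the text describes, since the virus stores the original boot sector alongside its second part.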

3. Disk storage structure of file-type viruses

A file-type virus is one that specifically infects the executable files of the system, that is, files with the extensions .COM and .EXE.

In a file-type virus, the virus program is attached to the head, tail, middle or an "idle" part of the infected file; it does not occupy blank clusters of its own. In other words, the disk space taken by the virus depends on the disk space taken by the host program. Nevertheless, a virus intrusion will certainly increase the disk space the host program occupies.

Most file viruses are so-called shell viruses. What is a file shell? It is simply a layered structure of computer software. Suppose a software company has written an educational program. Once designed and debugged, the program is fully functional and could be delivered to users as an independent disk file. To make the product more marketable, however, the company decides to add an attractive cover screen. The designer therefore attaches a piece of program that displays the cover to the finished software. We usually call the original software the kernel and the attached cover-display program the shell; together they form a load-and-run relationship.

Although the shell is joined to the kernel structurally, the order of execution is to display the cover first and then jump to the kernel. The shell of an executable file generally has a relatively independent function and structure, and removing it does not affect the operation of the kernel. If the "cover shell" in this picture is replaced by a "virus shell", the basic mechanism of the file virus is illustrated. Computer viruses generally do not infect data files, because data files are not executed: a virus that infected a data file could not run and therefore could not spread further. Viruses therefore cannot live in data files, although they may modify or destroy them.
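Two consequences of the file-virus structure just described are observable from the outside: the host grows, and in the shell arrangement execution no longer begins where the original program began. The following is an added example, not code from the original article: it decodes the MZ header of a .EXE file to learn how large DOS believes the load module is and where its entry point lies, and compares both (plus size and hash) against a baseline recorded while the file was known clean. The sample executables, their header values and the appended filler bytes are constructed for the example.

```python
import hashlib
import struct
from typing import Optional

MZ_HEADER = "<2s13H"   # e_magic followed by 13 16-bit fields, 28 bytes in all
PAGE = 512             # DOS measures an EXE file in 512-byte pages


def parse_mz(data: bytes) -> dict:
    """Decode the MZ header and derive the size DOS believes the load module has."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (_magic, cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, ip, cs, _lfarlc, _ovno) = struct.unpack_from(MZ_HEADER, data, 0)
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the last page.
    declared_size = cp * PAGE if cblp == 0 else (cp - 1) * PAGE + cblp
    header_size = cparhdr * 16                     # header length is given in paragraphs
    entry_offset = header_size + cs * 16 + ip      # file offset of the first instruction
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "overlay": len(data) - declared_size,      # bytes beyond what the header accounts for
        "entry_offset": entry_offset,
        "entry_inside_load_module": header_size <= entry_offset < declared_size,
    }


def record_baseline(data: bytes) -> dict:
    """What to store for each .EXE while the system is known clean."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_executable(data: bytes, baseline: Optional[dict] = None) -> list:
    """Return findings about a .EXE image; an empty list means nothing stood out."""
    info = parse_mz(data)
    findings = []
    if info["overlay"] > 0:
        findings.append(f"{info['overlay']} bytes appended beyond the declared load module")
    if not info["entry_inside_load_module"]:
        findings.append(f"entry point at offset {info['entry_offset']} lies outside the load module")
    if baseline is not None:
        if len(data) != baseline["size"]:
            findings.append(f"size changed from {baseline['size']} to {len(data)} bytes")
        elif hashlib.sha256(data).hexdigest() != baseline["sha256"]:
            findings.append("contents changed although the size did not")
    return findings


def build_sample_exe(ip: int = 0, tail: bytes = b"") -> bytes:
    """Constructed MZ image: 32-byte header, a 736-byte load module of filler, optional tail."""
    header = bytearray(32)
    struct.pack_into(MZ_HEADER, header, 0, b"MZ",
                     0x100,   # e_cblp: 256 bytes used in the last page
                     2,       # e_cp: two pages, so the load module ends at byte 768
                     0,       # e_crlc: no relocations
                     2,       # e_cparhdr: header is 2 paragraphs = 32 bytes
                     0, 0xFFFF, 0, 0x100, 0,   # minalloc, maxalloc, ss, sp, checksum
                     ip, 0,   # e_ip, e_cs: entry point relative to the load module
                     0x1C, 0) # e_lfarlc, e_ovno
    module = b"\xCD\x20" + b"\x90" * 734       # INT 20h (terminate) then NOP filler
    return bytes(header) + module + tail


if __name__ == "__main__":
    clean = build_sample_exe()
    baseline = record_baseline(clean)
    print("clean:", check_executable(clean, baseline) or "no findings")
    # Constructed stand-in for the shell arrangement described above: placeholder bytes
    # follow the load module and the entry point has been moved to them.
    shelled = build_sample_exe(ip=736, tail=b"\x00" * 300)   # filler, not code
    print("modified:", check_executable(shelled, baseline))
```

Data stored after the declared load module (an overlay) is also used by perfectly legitimate programs, so the overlay finding alone is a cue to compare against the baseline rather than a verdict; an entry point that falls outside the load module, or a size that has grown since the baseline was taken, is the stronger signal and matches the "virus shell runs first, then jumps to the kernel" mechanism in the text.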
