CN103632086B - The method and apparatus for repairing basic input-output system BIOS rogue program - Google Patents


Publication number
CN103632086B
Authority
CN
China
Prior art keywords
bios
file
module
rogue program
information
Legal status
Active
Application number
CN201310574966.1A
Other languages
Chinese (zh)
Other versions
CN103632086A (en)
Inventor
邵坚磊
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201310574966.1A
Publication of CN103632086A
Application granted
Publication of CN103632086B


Abstract

The invention provides a method and a device for repairing a malicious program in the basic input/output system (BIOS). The method comprises: reading the current BIOS information under the operating system and combining the read BIOS information to generate a complete BIOS file; detecting whether a Trojan horse feature module exists in the BIOS file and, when one exists, removing it from the BIOS file; and overwriting the original BIOS file in the motherboard with the BIOS file from which the Trojan horse feature module has been removed. With the invention, a user can easily remove a Trojan horse program from the BIOS without having to find the original BIOS file and reflash the BIOS.

Description

Method and device for repairing a malicious program in the basic input/output system (BIOS)

Technical field

The invention relates to the field of computer technology, and in particular to a method and a device for repairing a malicious program in the basic input/output system (BIOS).

Background

As malicious programs have developed technically, they have settled at ever lower levels: from the application layer to the driver layer, and then to bootkits started from the MBR (Master Boot Record). Reinstalling the system does not remove a bootkit, but restoring the MBR under DOS or WinPE does, which pushed bootkits to evolve further into malicious programs that reside in the motherboard BIOS (Basic Input Output System). Unless the user reflashes the BIOS or replaces the motherboard, the virus cannot be removed. The best-known example is the BMW BIOS virus discovered in 2012.

This virus can infect the BIOS, the MBR and Windows system files in a chain, so that the victim computer cannot be fully cleaned by reinstalling the system, formatting the hard disk, or even replacing the hard disk.

The prior art offers two remedies: reflash the motherboard BIOS to remove the malicious program, or replace the motherboard. Ordinary users cannot reflash the BIOS themselves and must have a specific vendor do it; the variety of BIOS versions also makes it difficult to find the original BIOS data; and replacing the motherboard is costly.

Summary of the invention

In view of the above problems, the present invention is proposed to provide a method and a corresponding device for repairing a BIOS malicious program that overcome the above problems or at least partially solve them.

According to one aspect of the present invention, a method for repairing a BIOS malicious program is provided, comprising:

reading the current BIOS information under the operating system, and combining the read BIOS information to generate a complete BIOS file;

detecting whether a malicious program feature module exists in the BIOS file;

when a malicious program feature module exists, repairing the BIOS file as follows:

removing the malicious program feature module from the BIOS file;

overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed.

Optionally, reading the current BIOS information under the operating system and combining the read BIOS information to generate a complete BIOS file comprises:

reading the BIOS information at a preset address in memory through a function provided by the operating system for reading BIOS information;

combining all the BIOS information read into a complete BIOS file.

Optionally, the function for reading BIOS information is the MmMapIoSpace function, and the preset address is physical address 0xf0000.

Optionally, detecting whether a malicious program feature module exists in the BIOS file comprises:

obtaining the model of the BIOS;

according to the model of the BIOS, detecting whether the module information of a specified module in the BIOS file contains preset characters, wherein the correspondence between BIOS models and preset characters is stored locally;

if the preset characters are present, confirming that a malicious program feature module exists in the specified module;

if the preset characters are not present, confirming that no malicious program feature module exists in the specified module.

Optionally, removing the malicious program feature module from the BIOS file comprises:

deleting the malicious program feature module in the BIOS file through the delete instruction provided by the BIOS tool corresponding to the BIOS model.

Optionally, the delete instruction is the release instruction.

Optionally, before overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed, the method further comprises:

verifying the BIOS file from which the malicious program feature module has been removed;

and overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed comprises:

if the BIOS file from which the malicious program feature module has been removed passes verification, overwriting the original BIOS file in the motherboard with it.

Optionally, overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed comprises:

obtaining, from the BIOS file, the specified port used for writing the BIOS file, and writing the BIOS file from which the malicious program feature module has been removed into the motherboard through that port;

wherein the specified port is the SMI PORT.

According to one aspect of the present invention, a device for repairing a BIOS malicious program is also provided, comprising:

a file generation module, configured to read the current BIOS information under the operating system and combine the read BIOS information to generate a complete BIOS file;

a detection module, configured to detect whether a malicious program feature module exists in the BIOS file;

a deletion module, configured to remove the malicious program feature module from the BIOS file when the detection module detects that one exists;

a file writing module, configured to overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed.

Optionally, the file generation module comprises:

an information reading unit, configured to read the BIOS information at a preset address in memory through a function provided by the operating system for reading BIOS information;

a file combination unit, configured to combine all the BIOS information read into a complete BIOS file.

Optionally, the function used by the information reading unit to read BIOS information is the MmMapIoSpace function, and the preset address is physical address 0xf0000.

Optionally, the detection module comprises:

a model obtaining unit, configured to obtain the model of the BIOS;

a detection unit, configured to detect, according to the model of the BIOS, whether the module information of a specified module in the BIOS file contains preset characters, wherein the correspondence between BIOS models and preset characters is stored locally;

if the preset characters are present, it is confirmed that a malicious program feature module exists in the specified module;

if the preset characters are not present, it is confirmed that no malicious program feature module exists in the specified module.

Optionally, the deletion module is further configured to delete the malicious program feature module in the BIOS file through the delete instruction provided by the BIOS tool corresponding to the BIOS model.

Optionally, the delete instruction is the release instruction.

Optionally, the device further comprises:

a verification module, configured to verify the BIOS file from which the malicious program feature module has been removed;

correspondingly, the file writing module is further configured to overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed if the verification module's check passes.

Optionally, the file writing module is further configured to obtain, from the BIOS file, the specified port used for writing the BIOS file, and to write the BIOS file from which the malicious program feature module has been removed into the motherboard through that port;

wherein the specified port is the SMI PORT.

The present invention provides a method and a device for repairing a BIOS malicious program. With the invention, the current BIOS information can be read under the operating system and a complete BIOS file generated; the Trojan horse feature module in the BIOS file is detected and deleted; and the resulting BIOS file overwrites the original BIOS file. The user can thus easily remove a Trojan horse program from the BIOS without having to find the original BIOS file and reflash the BIOS.

The above description is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the contents of the description, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.

Description of drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference symbols designate the same parts. In the drawings:

Fig. 1 is a flowchart of a method for repairing a BIOS malicious program according to an embodiment of the present invention;

Fig. 2 is a flowchart of a specific method for repairing a BIOS malicious program according to an embodiment of the present invention;

Fig. 3 is a schematic diagram of an interface for finding a Trojan horse module according to an embodiment of the present invention;

Fig. 4 is a structural block diagram of a device for repairing a BIOS malicious program according to an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be thoroughly understood and its scope fully conveyed to those skilled in the art.

Embodiment one

This embodiment of the present invention provides a method for repairing a BIOS malicious program. The method improves the device for repairing BIOS malicious programs. For example, the device for repairing a BIOS malicious program in this embodiment may be a malicious program scanning and removal tool installed on a client, where the client may be a user terminal such as a PC (Personal Computer), a mobile phone, or a handheld computer.

Fig. 1 is a flowchart of a method for repairing a BIOS malicious program according to an embodiment of the present invention. The method includes steps S102 to S106.

S102: read the current BIOS information under the operating system, and combine the read BIOS information to generate a complete BIOS file.

S104: detect whether a malicious program feature module exists in the BIOS file and, when one exists, remove it from the BIOS file.

S106: overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed.

This embodiment of the present invention provides a method for repairing a BIOS malicious program. With this method, the current BIOS information can be read under the operating system and a complete BIOS file generated; the malicious program feature module in the BIOS file is detected and deleted; and the resulting BIOS file overwrites the original BIOS file. The user can thus easily remove a malicious program from the BIOS without having to find the original BIOS file and reflash the BIOS.

Embodiment two

This embodiment is a specific application scenario of embodiment one above; it sets out the method provided by the present invention more clearly and concretely.

Fig. 2 is a flowchart of a specific method for repairing a BIOS malicious program according to an embodiment of the present invention. The method includes steps S201 to S207. When implementing the method of this embodiment, a malicious program scanning and removal tool can be used to repair the malicious program in the BIOS.

Malicious programs are of many kinds, including infectious viruses, backdoor programs, keyloggers, password stealers, Word and Excel macro viruses, boot sector viruses, script viruses (batch, Windows shell, Java, etc.), Trojan horses, crimeware, adware, and so on. Trojan horses may include, for example, viruses, Trojans, worms, rootkits, the BMW BIOS Trojan, spyware and other types of malware.

In this embodiment, the case where the malicious program is a Trojan horse is used as the example. This embodiment is only illustrative and does not limit the scope of protection of the embodiments of the present invention.

First, the malicious program scanning and removal tool executes step S201 and reads the current BIOS information under the operating system.

It should be noted that when the user's machine is powered on, the BIOS information in the motherboard is first loaded into memory, and the operating system is started through the BIOS. Therefore, once the operating system has started, all the BIOS information can be read out through the memory read/write functions that the operating system provides.

To explain the embodiment better, the boot process of a computer is described here. It can generally be divided into two stages: initial boot and operating system boot.

Initial boot: after the computer is switched on, the power supply tests all the necessary voltage levels; if all voltage levels are normal, the motherboard receives the PowerGood signal. In the initial state, the processor's input receives the RESET signal, which holds the processor in reset. After the PowerGood signal is received from the power supply, the RESET signal is removed and the processor starts executing its first instruction. Thus, after the power test, the processor starts in the following state: the command register CS contains 0xFFFF, the command pointer (IP register) contains 0, and the data and stack segment registers contain 0. After RESET is removed, the processor executes the instruction located at address 0xFFFF0, which is where the ROM BIOS area is located in real mode. This area is 16 bytes in size and runs to the end of the largest address range accessible in real mode, 0xFFFFF. The instruction for switching to the real-mode executable BIOS code is located at this address. By executing the BIOS code, the computer goes through the POST (Power-On Self-Test) diagnostic phase, in which the processor, memory and input/output resources are tested.

Next comes the system boot process.

Taking Windows 7 as an example, the normal boot process of a computer system is:

Power-on self-test --> the motherboard BIOS boots from floppy disk, hard disk or optical drive according to the boot order specified by the user --> the system BIOS reads the master boot record (MBR) into memory --> control is handed to the master boot program --> the master boot program checks the state of the partition table and looks for the active partition --> the master boot program hands control to the boot record of the active partition, and the boot record loads the operating system startup files.

As this shows, the MBR is the first location read after the computer is powered on and the system self-test completes. It is located at head 0, track 0, sector 1 of the hard disk, is 512 bytes in size, does not belong to any operating system, and cannot be read with the disk operation commands provided by the operating system.

When the computer is powered on, the BIOS program starts first. After the BIOS self-test completes, it finds the master boot record (MBR) on the hard disk, reads the DPT (Disk Partition Table) through the MBR and finds the active primary partition in it, then reads the PBR (Partition Boot Record) of the active primary partition, and through the PBR searches the partition for the boot manager file BOOTMGR. Once BOOTMGR is found, control is handed to it. BOOTMGR reads the \BOOT\BCD file (BCD = Boot Configuration Data). If there are multiple operating systems and the wait time for choosing an operating system is not 0, the operating system selection screen is shown on the display.

If Windows 7 is chosen, BOOTMGR looks for WINDOWS\system32\winload.exe on the boot disk and then loads the Windows 7 kernel through winload.exe, thereby starting the whole Windows 7 system. In short, on Windows 7 the process can be summarized as: BIOS --> MBR --> DPT --> PBR --> BOOTMGR --> BCD --> Winload.exe --> kernel load --> the whole Windows 7 system. After the kernel is loaded, starting the whole Windows 7 system requires the kernel to be initialized first and then the hard disk. In this embodiment of the present invention, the security driver is loaded during that kernel initialization stage.

Once the security driver observes a disk read/write operation, it can intercept the data being read or written and check it for safety. If the data is found to contain malicious code, this indicates that, for example, a malicious program in the MBR area may be reading or writing malicious driver code on the disk. The driver can then directly return a disk read failure, so that the malicious driver code cannot be read or written into memory and therefore cannot run. This cuts the link between the malicious program in the MBR and the malicious driver in the disk partition; once that link is cut, even if the malicious program in the MBR and the malicious driver still exist, they cannot harm the user's computer.

Optionally, step S201 may be carried out as follows:

The BIOS information is read at a preset address in memory through a function provided by the operating system for reading BIOS information.

In this embodiment, taking the case where the operating system installed by the user is Windows, the function used to read the BIOS information is the MmMapIoSpace function. When the BIOS information in the motherboard is loaded into memory, the physical addresses it occupies start at 0xf0000, so the preset address for reading the BIOS mentioned above is physical address 0xf0000 in memory.

After the current BIOS information has been read, execution continues with S202. In step S202, the read BIOS information is combined to generate a complete BIOS file.

It should be noted that when a motherboard leaves the factory, its manufacturer writes a complete BIOS file into it so that the motherboard can work normally. When the motherboard is powered on, the BIOS file is first split into multiple pieces of BIOS information that are read into memory separately. Because this embodiment needs to scan the entire BIOS file for Trojan horses, all the BIOS information must be read out and combined into a complete BIOS file before the malicious program scanning and removal tool has the BIOS file of the current motherboard.

Once the complete BIOS file has been obtained, the malicious program scanning and removal tool performs Trojan detection through steps S203 and S204. It first executes step S203 to obtain the model of the BIOS.

It should be noted that because there are many motherboard manufacturers worldwide, there are many BIOS models, for example:

The more popular BIOSes on the market are mainly Award BIOS, AMI BIOS, Phoenix BIOS, Insyde BIOS and so on.

At present, the BIOSes used by motherboards on the market are not standardized. Different BIOS models have different BIOS files and, correspondingly, different BIOS editing commands. In addition, a Trojan found on the Internet today may be effective only against one particular BIOS model.

Therefore, once the BIOS model is known, the subsequent scan for Trojan features only needs to use the malicious program detection database corresponding to that model, which reduces the scanning workload and improves efficiency. Likewise, removing the Trojan requires the BIOS tool corresponding to the model.

在获取了BIOS的型号之后,触发步骤S204,即根据上述获取到的BIOS的型号,检测BIOS文件中指定模块的模块信息中是否包含预设字符,如果是,则说明存在木马特征模块,执行步骤S205,如果不是,则说明不存在木马特征模块,操作结束。After obtaining the model of the BIOS, step S204 is triggered, namely, according to the model of the above-mentioned obtained BIOS, whether the module information of the specified module in the detection BIOS file contains preset characters, if yes, it means that there is a Trojan horse feature module, and the steps are executed S205, if not, it means that there is no Trojan horse feature module, and the operation ends.

如步骤S203中所述,很多木马并不会针对所有BIOS都有效,因此,对于每种型号的BIOS的木马查杀时使用的方法并不一样,例如,BMW BIOS木马,其只会感染AWARD BIOS,且其会将木马文件置入ISA模块中。因此,我们根据BIOS的型号,只需要查杀其可能会感染的木马。As described in step S203, many Trojan horses are not all valid for all BIOS, therefore, the method used when killing the Trojan horse for each type of BIOS is not the same, for example, BMW BIOS Trojan horse, it can only infect AWARD BIOS , and it will put the Trojan file into the ISA module. Therefore, we only need to check and kill Trojan horses that may be infected according to the model of the BIOS.

本实施例中,以获取到的BIOS型号为AWARD BIOS,且查杀其是否包含BMW BIOS木马为例:In this embodiment, take the obtained BIOS model as AWARD BIOS, and check whether it contains a BMW BIOS trojan as an example:

这时,需要检测BIOS文件中的ISA模块信息中是否包含字符“HOOK.ROM”,如果存在,则说明当前的BIOS已感染BMW BIOS木马。At this time, it is necessary to detect whether the ISA module information in the BIOS file contains the character "HOOK.ROM". If it exists, it means that the current BIOS has been infected with the BMW BIOS Trojan.

本实施例还提供了图3,展示了一种查找木马模块的界面示意图。如图3所示,即为在ISA模块信息中查找字符为“HOOK.ROM”的木马模块。This embodiment also provides FIG. 3 , which shows a schematic interface diagram of a module for finding Trojan horses. As shown in Figure 3, it is to search for the Trojan horse module whose character is "HOOK.ROM" in the ISA module information.

需要说明的是,BMW BIOS木马通常将其伪装为HOOK.ROM模块,并置入到AWARDBIOS的ISA模块下。It should be noted that the BMW BIOS Trojan usually disguises it as the HOOK.ROM module and puts it under the ISA module of AWARDBIOS.

In this embodiment, to reduce the time spent scanning for Trojans, a correspondence between BIOS models and preset characters is stored locally in advance. Because Trojan names are fixed, the preset name mentioned above is usually the Trojan's name.

Further, besides the name of the Trojan module, the preset characters in this embodiment may also be other information, for example one or more of the following:

File attribute information of the program file, such as its digest, file size, signature information and version information; and contextual attributes of the program file, such as the directory in which the file is located, its startup location in the registry, and the attributes of other files in the same directory or in a specified directory.

Alternatively, they may be a feature value corresponding to the file name or the full content of the Trojan program, for example the MD5 (Message-Digest Algorithm 5) value computed over the full content or the signature of the file, or the SHA1 (Secure Hash Algorithm 1) value of the full content of the file.

Further, after a Trojan feature module is found by scanning, the features of the Trojan program may also be reported to a cloud server, or the latest malicious-program scanning database may be obtained in real time via the server, so that the user can scan for Trojans with the powerful malicious-program scanning database provided by the cloud server.

Furthermore, when the user's scan cannot find a Trojan feature module, the BIOS file may also be uploaded to the cloud server so that the BIOS is scanned for Trojans with the cloud server's powerful malicious-program scanning database, providing strong defensive support.

When malicious programs are scanned for and removed, at least part of the scanning module, and in some cases all of it, may execute on the processors of one or more computers that run the operating system, system programs and application programs; the module may also be implemented using multitasking, multithreading, distributed (for example, cloud) processing where appropriate, or other such techniques.

For example, after the cloud server obtains the reported scan result, it further analyzes and compares that result against the existing malicious-program scanning database and can determine from the comparison information whether the scanned file is a malicious program. It then sends down, as second information, the determination result (such as malicious, safe, unknown or suspicious) and/or the repair logic that matches the scan result, so that the local side determines from the second information whether there is an anomaly and then issues a virus report. Here, the cloud server determines whether the scanned file is a malicious program according to the comparison information and the cloud identification conditions it stores. The cloud identification conditions stored by the cloud server can be upgraded: when the upgrade condition is met, they take effect without any file upgrade on the client, so the whole network can be upgraded at once. The upgrade is fast and intercepts sudden outbreaks of malicious programs well, which avoids losses for client users. Specifically, an upgrade condition may be configured on the server, and the server periodically checks whether the cloud identification conditions meet the upgrade condition. When they do, the server directly obtains new identification conditions and replaces the original cloud identification conditions with them, thereby upgrading the original cloud identification conditions. The upgrade condition may be judged from the file version of the local identification conditions, for example upgrading when a newer version exists, or it may specify that the local version is upgraded to a designated version when it satisfies a certain condition; the embodiments of the present invention do not limit this.

In this embodiment, the cloud server may also first send down the comparison information as the second information; the local side makes a determination from the second information, further decides from the result whether there is an anomaly, and then issues a virus report.

The local side and the cloud server do not replace each other. In this embodiment, the determination result on the cloud server indicates whether the scanned file is malicious, safe, unknown or suspicious, so file security levels need to be preset; the levels include a safe level, an unknown level, a suspicious/highly suspicious level, and a malicious level. For example, levels 10-29 may be set as the safe level (files at this level are white files), levels 30-49 as the unknown level (files at this level are gray files), levels 50-69 as the suspicious/highly suspicious level (files at this level are suspicious files), and levels greater than or equal to 70 as the malicious level (files at this level are malicious files). The levels may of course be set in other ways, which the present invention does not limit. Specifically, EXE files and hijacked DLL files may be scanned by a cloud scanning engine for PE (Portable Execute, portable executable) type files or by QVM (Qihoo Virtual Machine, an artificial-intelligence engine). PE type files usually refer to program files on the Windows operating system; common PE type files include EXE, DLL, OCX, SYS and COM files.

After the Trojan module has been detected through steps S203 and S204, step S205 is executed to repair it. In step S205, the Trojan feature module in the BIOS file is deleted using the delete command provided by the BIOS tool that corresponds to the BIOS model.

Because many BIOS models currently exist, are produced by different manufacturers, and follow no unified standard, the BIOS file of each model can only be edited with the corresponding BIOS tool provided by its manufacturer.

In this embodiment, after the Trojan feature module is found, it is preferably deleted using the delete command provided by the corresponding BIOS tool.

For example, in this embodiment the delete command is release, and the command format is as follows:

CBROM.EXE (BIOS file name).BIN /AAA RELEASE

Here, AAA represents the file to be deleted.

After the Trojan module has been deleted, step S206 is executed: the BIOS file from which the Trojan feature module was removed is verified, and it is determined whether verification passes. If it passes, step S207 is executed; if it does not, the flow returns to step S204 and continues scanning for Trojans.

In this embodiment, the purpose of verifying the BIOS file after the Trojan feature module has been removed is to determine whether it has been restored to a normal BIOS file. To guard against modification of the BIOS by malicious programs, a motherboard carries a standard check value when it leaves the factory. Once the BIOS file has been modified, the recomputed check value differs from the standard check value, which indicates that the BIOS has been modified.

Optionally, the BIOS may be verified using a digital digest algorithm, for example the MD5 algorithm.

S207: obtain from the BIOS file the designated port used for writing the BIOS file, and write the BIOS file from which the Trojan feature module was removed to the motherboard through that designated port.

It should be noted that a BIOS file must be written through a designated port. Taking AWARD BIOS as an example, the designated port may be the SMI PORT port.

Once the designated port for BIOS write operations has been obtained, the BIOS file from which the Trojan feature module was removed is written to that port, which completes the repair of the BIOS file and restores it to its normal state.
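The flow from detection (S204) through removal, verification and the gated write (S205 to S207), together with the digest-based features listed earlier, sketched as an added Python example that is not code from the patent. The in-memory image model, the hash-only signature, the reference MD5 value and `max_rounds` are assumptions made for illustration; a real image is edited with the vendor's BIOS tool.

```python
import hashlib
import hmac
from typing import NamedTuple

class Module(NamedTuple):
    slot: str    # module slot in the image, e.g. "ISA"
    info: str    # module information text (what the scan searches)
    body: bytes  # module content

class Signature(NamedTuple):
    name: str
    slot: str         # the specified module to inspect
    preset: str = ""  # preset characters expected in the module information
    sha1: str = ""    # optional feature: SHA-1 of the full module content

class Decision(NamedTuple):
    status: str    # "clean", "write" or "blocked"
    modules: list  # image after any removals
    removed: list  # names of the signatures that matched

# Constructed payload standing in for a known-bad module body (not a real sample).
CONSTRUCTED_PAYLOAD = b"constructed-hook-rom-body"

# Locally stored mapping of BIOS model -> signatures relevant to that model.
SIGNATURES = {
    "AWARD": [
        Signature("BMW BIOS Trojan", slot="ISA", preset="HOOK.ROM"),
        Signature("constructed hash-only entry", slot="ISA",
                  sha1=hashlib.sha1(CONSTRUCTED_PAYLOAD).hexdigest()),
    ],
}

def scan(model, modules):
    """S204: return [(index, signature name)] using only this model's signatures."""
    hits = []
    for index, module in enumerate(modules):
        for sig in SIGNATURES.get(model.upper(), []):
            if module.slot != sig.slot:
                continue
            # Case-insensitive substring matching is an assumption of this example.
            by_text = bool(sig.preset) and sig.preset.lower() in module.info.lower()
            by_hash = bool(sig.sha1) and hashlib.sha1(module.body).hexdigest() == sig.sha1
            if by_text or by_hash:
                hits.append((index, sig.name))
                break
    return hits

def image_md5(modules):
    """S206 check value: MD5 over a length-prefixed serialization of the toy image."""
    digest = hashlib.md5()
    for module in modules:
        for field in (module.slot.encode(), module.info.encode(), module.body):
            digest.update(len(field).to_bytes(4, "little"))
            digest.update(field)
    return digest.hexdigest()

def repair(model, modules, reference_md5, max_rounds=3):
    """S204-S207: decide whether a cleaned image may be written back."""
    current, removed = list(modules), []
    for _ in range(max_rounds):
        hits = scan(model, current)
        if not hits:
            break  # nothing (more) to remove
        drop = {index for index, _ in hits}
        removed += [name for _, name in hits]
        current = [m for i, m in enumerate(current) if i not in drop]       # S205
        if hmac.compare_digest(image_md5(current), reference_md5.lower()):  # S206
            return Decision("write", current, removed)                      # S207 may proceed
    # Either nothing was found, or the cleaned image never matched the reference.
    # In the second case the image must not be written to the motherboard.
    return Decision("blocked" if removed else "clean", current, removed)

# Constructed sample images.
CLEAN = [Module("SYSTEM", "original.bin", b"sys"), Module("ACPI", "ACPITBL.BIN", b"acpi")]
REFERENCE_MD5 = image_md5(CLEAN)
INFECTED = [CLEAN[0], Module("ISA", "HOOK.ROM", b"x"), CLEAN[1]]
RENAMED = [CLEAN[0], Module("ISA", "ISA.ROM", CONSTRUCTED_PAYLOAD), CLEAN[1]]
TAMPERED = [Module("SYSTEM", "original.bin", b"sys-patched"), INFECTED[1], CLEAN[1]]

if __name__ == "__main__":
    for label, image in [("infected", INFECTED), ("renamed", RENAMED),
                         ("tampered", TAMPERED), ("clean", CLEAN)]:
        decision = repair("AWARD", image, REFERENCE_MD5)
        print(label, decision.status, decision.removed)
```

The `TAMPERED` case is the outcome the flow has to handle explicitly: removal succeeds, the check value still differs, the rescan finds nothing further, and the image is not written. The `RENAMED` case shows why the digest features matter when the module information no longer contains the preset characters.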

This embodiment of the present invention provides a method for repairing a BIOS malicious program. With this method, the current BIOS information can be read under the operating system and a complete BIOS file generated; the Trojan feature module in the BIOS file is detected and deleted, and the resulting BIOS file then overwrites the original BIOS file. This lets the user easily remove a Trojan program from the BIOS without having to locate the original BIOS file and re-flash the BIOS.

Embodiment Three

FIG. 4 is a structural block diagram of a device for repairing a BIOS malicious program provided by an embodiment of the present invention. The device 400 includes:

a file generation module 410, configured to read the current BIOS information under the operating system and combine the read BIOS information to generate a complete BIOS file;

a detection module 420, configured to detect whether a malicious program feature module exists in the BIOS file;

a deletion module 430, configured to remove the malicious program feature module from the BIOS file when the detection module 420 detects that a malicious program feature module exists;

a file writing module 440, configured to overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed.

Optionally, the file generation module 410 includes:

an information reading unit 411, configured to read the BIOS information at a preset address in memory through a function provided by the operating system for reading BIOS information;

a file combination unit 412, configured to combine all of the BIOS information that was read into a complete BIOS file.

Optionally, the function used in the information reading unit 411 to read the BIOS information is the MmMapIoSpace function, and the preset address is the physical address 0xf0000.

Optionally, the detection module 420 includes:

a model obtaining unit 421, configured to obtain the model of the BIOS;

a detection unit 422, configured to detect, according to the model of the BIOS, whether the module information of the specified module in the BIOS file contains preset characters, wherein a correspondence between BIOS models and preset characters is stored locally;

if the preset characters are contained, it is confirmed that a malicious program feature module exists in the specified module;

if the preset characters are not contained, it is confirmed that no malicious program feature module exists in the specified module.

Optionally, the deletion module 430 is further configured to delete the malicious program feature module in the BIOS file using the delete instruction provided by the BIOS tool that corresponds to the BIOS model.

Optionally, the delete instruction is the release instruction.

Optionally, the device further includes:

a verification module 450, configured to verify the BIOS file from which the malicious program feature module has been removed;

correspondingly, the file writing module 440 is further configured to overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed if verification by the verification module 450 passes.

Optionally, the file writing module 440 is further configured to obtain from the BIOS file the designated port used for writing the BIOS file, and to write the BIOS file from which the malicious program feature module has been removed to the motherboard through that designated port;

wherein the designated port is the SMI PORT port.

This embodiment of the present invention provides a device for repairing a BIOS malicious program. With this device, the current BIOS information can be read under the operating system and a complete BIOS file generated; the malicious program feature module in the BIOS file is detected and deleted, and the resulting BIOS file then overwrites the original BIOS file. This lets the user easily remove a malicious program from the BIOS without having to locate the original BIOS file and re-flash the BIOS.

The embodiments of the present invention also disclose A1. A method for repairing a basic input output system (BIOS) malicious program, comprising:

reading the current BIOS information under the operating system, and combining the read BIOS information to generate a complete BIOS file;

detecting whether a malicious program feature module exists in the BIOS file;

when the malicious program feature module exists, removing the malicious program feature module from the BIOS file;

overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed.

A2. The method according to A1, wherein reading the current BIOS information under the operating system and combining the read BIOS information to generate a complete BIOS file comprises:

reading the BIOS information at a preset address in memory through a function provided by the operating system for reading BIOS information;

combining all of the BIOS information that was read into a complete BIOS file.

A3. The method according to A2, wherein the function for reading BIOS information is the MmMapIoSpace function, and the preset address is the physical address 0xf0000.

A4. The method according to any one of A1 to A3, wherein detecting whether a malicious program feature module exists in the BIOS file comprises:

obtaining the model of the BIOS;

detecting, according to the model of the BIOS, whether the module information of the specified module in the BIOS file contains preset characters, wherein a correspondence between BIOS models and preset characters is stored locally;

if the preset characters are contained, confirming that a malicious program feature module exists in the specified module;

if the preset characters are not contained, confirming that no malicious program feature module exists in the specified module.

A5. The method according to A4, wherein removing the malicious program feature module from the BIOS file comprises:

deleting the malicious program feature module in the BIOS file using the delete instruction provided by the BIOS tool that corresponds to the model of the BIOS.

A6. The method according to A5, wherein the delete instruction is the release instruction.

A7. The method according to any one of A1 to A6, wherein, before overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed, the method further comprises:

verifying the BIOS file from which the malicious program feature module has been removed;

and overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed comprises:

if the BIOS file from which the malicious program feature module has been removed passes verification, overwriting the original BIOS file in the motherboard with that BIOS file.

A8. The method according to A7, wherein overwriting the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed comprises:

obtaining from the BIOS file the designated port used for writing the BIOS file, and writing the BIOS file from which the malicious program feature module has been removed to the motherboard through that designated port;

wherein the designated port is the SMI PORT port.

The embodiments of the present invention also disclose B9. A device for repairing a basic input output system (BIOS) malicious program, comprising:

a file generation module, configured to read the current BIOS information under the operating system and combine the read BIOS information to generate a complete BIOS file;

a detection module, configured to detect whether a malicious program feature module exists in the BIOS file;

a deletion module, configured to remove the malicious program feature module from the BIOS file when the detection module detects that the malicious program feature module exists;

a file writing module, configured to overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed.

B10. The device according to B9, wherein the file generation module comprises:

an information reading unit, configured to read the BIOS information at a preset address in memory through a function provided by the operating system for reading BIOS information;

a file combination unit, configured to combine all of the BIOS information that was read into a complete BIOS file.

B11. The device according to B10, wherein the function used in the information reading unit to read the BIOS information is the MmMapIoSpace function, and the preset address is the physical address 0xf0000.

B12. The device according to any one of B9 to B11, wherein the detection module comprises:

a model obtaining unit, configured to obtain the model of the BIOS;

a detection unit, configured to detect, according to the model of the BIOS, whether the module information of the specified module in the BIOS file contains preset characters, wherein a correspondence between BIOS models and preset characters is stored locally;

if the preset characters are contained, it is confirmed that a malicious program feature module exists in the specified module;

if the preset characters are not contained, it is confirmed that no malicious program feature module exists in the specified module.

B13. The device according to B12, wherein the deletion module is further configured to delete the malicious program feature module in the BIOS file using the delete instruction provided by the BIOS tool that corresponds to the model of the BIOS.

B14. The device according to B13, wherein the delete instruction is the release instruction.

B15. The device according to any one of B9 to B14, wherein the device further comprises:

a verification module, configured to verify the BIOS file from which the malicious program feature module has been removed;

correspondingly, the file writing module is further configured to overwrite the original BIOS file in the motherboard with the BIOS file from which the malicious program feature module has been removed if verification by the verification module passes.

B16. The device according to B15, wherein the file writing module is further configured to obtain from the BIOS file the designated port used for writing the BIOS file, and to write the BIOS file from which the malicious program feature module has been removed to the motherboard through that designated port;

wherein the designated port is the SMI PORT port.

Numerous specific details are set forth in the description provided here. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and they may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described here include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any one of the claimed embodiments can be used in any combination.

The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for repairing a BIOS malicious program according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described here. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

At this point, those skilled in the art should recognize that, although several exemplary embodiments of the invention have been shown and described in detail here, many other variations or modifications consistent with the principles of the invention can still be determined or derived directly from the disclosed content without departing from the spirit and scope of the invention. The scope of the invention should therefore be understood and deemed to cover all such other variations or modifications.

Claims (14)

CN201310574966.1A2013-11-152013-11-15The method and apparatus for repairing basic input-output system BIOS rogue programActiveCN103632086B (en)

Priority Applications (1)

Application NumberPriority DateFiling DateTitle
CN201310574966.1ACN103632086B (en)2013-11-152013-11-15The method and apparatus for repairing basic input-output system BIOS rogue program

Applications Claiming Priority (1)

Application NumberPriority DateFiling DateTitle
CN201310574966.1ACN103632086B (en)2013-11-152013-11-15The method and apparatus for repairing basic input-output system BIOS rogue program

Publications (2)

Publication NumberPublication Date
CN103632086A CN103632086A (en)2014-03-12
CN103632086Btrue CN103632086B (en)2017-04-05

Family

ID=50213124

Family Applications (1)

Application NumberTitlePriority DateFiling Date
CN201310574966.1AActiveCN103632086B (en)2013-11-152013-11-15The method and apparatus for repairing basic input-output system BIOS rogue program

Country Status (1)

Country | Link
CN (1) | CN103632086B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104102517B (en) * | 2014-07-22 | 2019-01-04 | 技嘉科技股份有限公司 | Circuit for writing program code of basic input output system and writing method
CN105701404B (en) * | 2016-01-04 | 2018-06-05 | 广东欧珀移动通信有限公司 | Virus method, device and the mobile terminal of mobile terminal

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101079003A (en) * | 2006-05-23 | 2007-11-28 | 北京金元龙脉信息科技有限公司 | System and method for carrying out safety risk check to computer BIOS firmware
CN101667236A (en) * | 2008-09-02 | 2010-03-10 | 北京瑞星国际软件有限公司 | Method and device for controlling driver installation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US9015455B2 (en) * | 2011-07-07 | 2015-04-21 | Intel Corporation | Processsor integral technologies for BIOS flash attack protection and notification

Also Published As

Publication number | Publication date
CN103632086A (en) | 2014-03-12

Similar Documents

Publication | Publication Date | Title
CN104008340B (en) | Virus scanning and killing method and device
CN103718165B (en) | BIOS flash memory attack protection and notice
JP5512610B2 (en) | Method, system, and machine-readable storage medium for permitting or blocking access to memory from non-firmware agent
JP6282305B2 (en) | System and method for safe execution of code in hypervisor mode
Heasman | Implementing and detecting a pci rootkit
Han et al. | A bad dream: Subverting trusted platform module while you are sleeping
CN103390130B (en) | Based on the method for the rogue program killing of cloud security, device and server
CN114817981B (en) | A file access method, computing device and readable storage medium
US20110107423A1 (en) | Providing authenticated anti-virus agents a direct access to scan memory
US8910283B1 (en) | Firmware-level security agent supporting operating system-level security in computer system
US9684518B2 (en) | Option read-only memory use
CN102999720B (en) | Program identification method and system
CN103745158A (en) | Method and device for repairing system bugs
US9245122B1 (en) | Anti-malware support for firmware
EP3029564B1 (en) | System and method for providing access to original routines of boot drivers
EP3731126B1 (en) | Firmware retrieval and analysis
WO2014071867A1 (en) | Program processing method and system, and client and server for program processing
US9330260B1 (en) | Detecting auto-start malware by checking its aggressive load point behaviors
US9448888B2 (en) | Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank
CN102999725B (en) | Malevolence code processing method and system
CN106687979A (en) | Cross View Malware Detection
CN102999721B (en) | A kind of program processing method and system
CN110363011B (en) | Method and apparatus for verifying security of UEFI-based BIOS
US9122872B1 (en) | System and method for treatment of malware using antivirus driver
CN103632086B (en) | The method and apparatus for repairing basic input-output system BIOS rogue program

Legal Events

Date | Code | Title | Description
PB01 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
GR01 | Patent grant
TR01 | Transfer of patent right

Effective date of registration:20220718

Address after:Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after:BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before:100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before:BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before:Qizhi software (Beijing) Co.,Ltd.

TR01 | Transfer of patent right
