Learn about computer viruses, their types, and how to protect against them. This tutorial provides an introduction to famous malware and descriptions of viruses in the wild.
The Attack and Defense of Computers Dr.許 富 皓
Virus Tutorial • Computer Virus Resources • Introduction of Famous Malware • Virus descriptions of viruses in the wild
Virus • A sequence of code that is inserted into other programs. • A virus can create a copy of itself to be inserted into one or more other programs. • Viruses cannot run on their own; they need a host program. • e.g. Melissa virus, ILOVEYOU virus.
Virus • Boot sector viruses • Master boot record viruses • File infector viruses • Multi-partite viruses • Macro viruses (infect data files)
Disk Structures • Units used in Floppy Disks and Hard Disks: • Sectors • E.g. A 3 ½ inch high-density disk • 512 bytes/sector • 18 sectors/track • 80 tracks/side, 2 sides (512 × 18 × 80 × 2 = 1,474,560 bytes, i.e. 1.44 MB) • Cluster • Disk space allocation unit • Each cluster contains one or more sectors. • Tracks • Heads • Cylinder (for HDs)
Disk Sectors (figure: a magnetic disk sector)
Areas of a Disk [1][2] • Under DOS, A disk is divided into the following four areas: • The boot record. • The file allocation table (FAT). • The root directory. • The data area. • A hard drive has a fifth area: • The partition table.
Boot Record • Boot Record: • Location: • sector 1, track 0, head 0. • Contents: • the bootstrap routine(a machine language program designed to load the operating system from other part of the disk.) • the BIOS Parameter Block (BPB), which identifies the floppy disk’s operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk. • The BPB allows an operating system to understand the format of a disk.
The Bootstrap Program • In a PC, when the machine is turned on, a routine called “The Power-On Self Test (POST)” verifies that all hardware components are working properly. • After everything is confirmed working, the BIOS bootstrap loader reads the boot record from the disk and checks for two signature bytes inside it (55h AAh, the last two bytes of the sector). • If the boot record signature is present, execution control is transferred to the bootstrap program inside the boot record. • Under DOS, the bootstrap program in turn loads the OS into RAM from the disk and eventually transfers control to COMMAND.COM, the command interpreter.
Hard Disk Partition and Master Boot Record • A single physical hard drive can be divided into several different partitions. • The user can specify one of the partitions as the active partition (the one from which the user wants to boot). • The Master Boot Record (MBR) is a structure stored in the first sector of the hard drive (cylinder 0, head 0, sector 1). • The MBR contains a partition table, which records where each partition starts, how many sectors it occupies, and which partition is active. • Programs require the partition table on the hard disk to understand the disk’s layout.
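The boot record, BPB and MBR partition table described above, as an added example that is not part of the original slides: a small C parser that checks the 55h AAh boot signature, reads the BPB fields at their standard DOS offsets, and walks the four 16-byte partition entries at offset 1BEh of an MBR. Both sectors are constructed in the code for the demo (the BPB values describe a 1.44 MB floppy; the partition values are invented), nothing is read from a real disk.

```c
/* Added example (not from the original slides): parse a constructed 512-byte
 * DOS boot sector and a constructed MBR. Field offsets follow the standard
 * DOS BPB and MBR layouts; the byte values are made up for the demo. */
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The two signature bytes the BIOS checks before jumping to the boot code. */
int has_boot_signature(const uint8_t sec[SECTOR_SIZE]) {
    return sec[510] == 0x55 && sec[511] == 0xAA;
}

struct bpb {
    uint16_t bytes_per_sector; uint8_t sectors_per_cluster; uint16_t reserved_sectors;
    uint8_t fats; uint16_t root_entries; uint16_t total_sectors;
    uint16_t sectors_per_track; uint16_t heads;
};

/* The BPB starts at offset 0Bh of a DOS boot record. Returns 0 on success. */
int parse_bpb(const uint8_t sec[SECTOR_SIZE], struct bpb *out) {
    if (!has_boot_signature(sec)) return -1;
    out->bytes_per_sector    = rd16(sec + 0x0B);
    out->sectors_per_cluster = sec[0x0D];
    out->reserved_sectors    = rd16(sec + 0x0E);
    out->fats                = sec[0x10];
    out->root_entries        = rd16(sec + 0x11);
    out->total_sectors       = rd16(sec + 0x13);
    out->sectors_per_track   = rd16(sec + 0x18);
    out->heads               = rd16(sec + 0x1A);
    return 0;
}

struct part { uint8_t active; uint8_t type; uint32_t lba_start; uint32_t sectors; };

/* MBR partition table: four 16-byte entries at offset 1BEh.
 * Returns the index of the active partition, -1 if none, -2 if no signature. */
int parse_partition_table(const uint8_t mbr[SECTOR_SIZE], struct part out[4]) {
    int active = -1;
    if (!has_boot_signature(mbr)) return -2;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + 0x1BE + 16 * i;
        out[i].active    = e[0];          /* 80h marks the bootable partition */
        out[i].type      = e[4];          /* partition type byte */
        out[i].lba_start = rd32(e + 8);   /* first sector (LBA) */
        out[i].sectors   = rd32(e + 12);  /* length in sectors */
        if (e[0] == 0x80 && active < 0) active = i;
    }
    return active;
}

/* Constructed 1.44 MB floppy boot sector (values only, no real boot code). */
void make_demo_boot_sector(uint8_t sec[SECTOR_SIZE]) {
    memset(sec, 0, SECTOR_SIZE);
    sec[0] = 0xEB; sec[1] = 0x3C; sec[2] = 0x90;   /* jmp short over the BPB, as real boot code does */
    memcpy(sec + 3, "MSDOS5.0", 8);                 /* OEM name */
    sec[0x0B] = 0x00; sec[0x0C] = 0x02;              /* 512 bytes/sector */
    sec[0x0D] = 1;                                   /* 1 sector/cluster */
    sec[0x0E] = 1;  sec[0x0F] = 0;                   /* 1 reserved sector (the boot record) */
    sec[0x10] = 2;                                   /* 2 FATs */
    sec[0x11] = 0xE0; sec[0x12] = 0x00;              /* 224 root directory entries */
    sec[0x13] = 0x40; sec[0x14] = 0x0B;              /* 2880 total sectors = 0B40h */
    sec[0x18] = 18; sec[0x19] = 0;                   /* 18 sectors/track */
    sec[0x1A] = 2;  sec[0x1B] = 0;                   /* 2 heads */
    sec[510] = 0x55; sec[511] = 0xAA;                /* boot signature */
}

/* Constructed MBR with one active FAT16 partition starting at LBA 63. */
void make_demo_mbr(uint8_t mbr[SECTOR_SIZE]) {
    memset(mbr, 0, SECTOR_SIZE);
    uint8_t *e = mbr + 0x1BE;
    e[0] = 0x80; e[4] = 0x06;                        /* active, type 06h (FAT16) */
    e[8] = 63;                                       /* lba_start = 63 */
    e[12] = 0x00; e[13] = 0x20; e[14] = 0x03; e[15] = 0x00;  /* 0x32000 sectors (100 MB) */
    mbr[510] = 0x55; mbr[511] = 0xAA;
}
```

A boot-sector virus keeps these structures intact (it must, or the disk stops working) and replaces only the code between the BPB and the signature, so an integrity check for that class of malware hashes the code region rather than the whole sector.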
Interrupt [Gerhard Roehrl] • The 8086/88 microprocessors allow normal program execution to be interrupted by external events or by special instructions embedded in the program code. • When the microprocessor is interrupted, it stops executing the current program and calls a procedure which services the interrupt. • At the end of the interrupt service routine, execution returns to the original, interrupted program.
Interrupt Sources • An interrupt can be generated by one of three sources: • Internal interrupts • Hardware interrupt • Software interrupt
Internal Interrupts • An interrupt can be generated as a result of a processor state violation, called an exception. • An example would be a divide-by-zero interrupt produced when the div instruction is interpreted to have a zero divisor. • Program execution is automatically interrupted and control transferred to an interrupt handler. • Conditional interrupts such as this are referred to as internal interrupts.
Hardware Interrupt • An interrupt can also be generated by an external device requesting service. This happens when a device signals its request on either the non-maskable interrupt (NMI) or the INTR interrupt input line of the processor. • The NMI interrupt is generally used to signal the occurrence of a catastrophic event, such as the imminent loss of power. • The INTR interrupt is used by all other devices. • An interrupt caused by a signal applied to either the NMI or INTR input pin of a CPU is referred to as a hardware interrupt.
Software Interrupt • Interrupts may be generated as a result of executing the int instruction. This is referred to as a software interrupt.
Functions of Software Interrupts (Only Apply to Real Mode) • Software interrupts produced by the INT assembler instruction have many uses. For example, • test various interrupt service routines • You could use an INT 2 instruction to start the execution of the NMI interrupt service procedure. This would allow you to test the NMI procedure without needing to apply an external signal to the processor's NMI input line. • call commonly used procedures from many different programs • The Basic Input/Output System (BIOS) procedures of an IBM computer or compatible are a good example of this use of the INT instruction.
BIOS Procedures • One part of the BIOS is actually a collection of procedures which provides the fundamental I/O services that are needed for the operation of the computer. • Each procedure performs a specific function such as • reading a character from the keyboard • writing characters to the screen • reading information from disk.
Using BIOS Procedures • System I/O procedures are called with the INT instruction. • There are 12 BIOS procedures in all, falling into 5 groups. • For example, with INT 10h you can access the video display services. • This interrupt includes 20 subroutines. • One of the INT 10h parameters is therefore a data value indicating which of the twenty subroutines is required: • the AH register is loaded with the number of the subroutine. • the AL, BX, CX, and DX registers are used to provide the parameters for that subroutine.
The 12 BIOS Service Routines Supported by the IBM PC (and Compatibles)

Dec  Hex  Use
Peripheral device services:
 16  10   Video-display services
 19  13   Diskette services
 20  14   Communications services
 21  15   Cassette-tape services
 22  16   Standard keyboard services
 23  17   Printer services
Equipment status services:
 17  11   Equipment-list service
 18  12   Memory-size service
Time/date service:
 26  1A   Time and date services
Print-screen service:
  5  05   Print-screen service
Special services:
 24  18   Activate ROM-BASIC language
 25  19   Activate bootstrap start-up routine
Files Constituting DOS • When you turn on your PC there are several jobs to do. One is to load the operating system from the system disk. • Under DOS three system files are loaded (the names below are the IBM PC-DOS ones; MS-DOS calls the first and third IO.SYS and MSDOS.SYS): • IBMBIO.COM • COMMAND.COM • IBMDOS.COM
Comparing DOS and BIOS Services • The file IBMDOS.COM contains the DOS service routines. • The DOS services, like the BIOS services, can be called by programs through a set of interrupts whose vectors are placed in the interrupt vector table. • The ROM-BIOS routines can be thought of as the lowest-level system software available, performing the most fundamental and primitive input and output operations. • The DOS service routines provide more sophisticated and efficient control over the I/O operations than the BIOS routines do, particularly for disk file operations.
Using DOS Interrupts (a.k.a. DOS Calls) • There are nine DOS interrupt services. • Five of them, interrupts 20h, 25h, 26h, 27h, and 2Fh, are "true" DOS interrupt services, each one having a specifically-defined task associated with it. • 22h, 23h, and 24h: these three interrupts are not called; their vector slots are used to hold segmented addresses (the terminate, break and critical-error handler addresses). • INT 21h provides under one "umbrella" a set of universal functions we can use in our programs. • All of the DOS function calls are invoked by INT 21h. • Individual functions are selected in the same way as BIOS functions, by placing the function number in the AH register.
The Nine DOS Interrupts

Dec  Hex  Description
 32  20   Program terminate: come to normal ending
 33  21   Function-call umbrella interrupt
 34  22   Terminate address
 35  23   Break address
 36  24   Critical error-handler address
 37  25   Absolute disk read
 38  26   Absolute disk write
 39  27   Terminate-but-stay-resident
 47  2F   Print spool control (DOS-3 versions only)
Interrupt Vectoring • Two 16-bit data words are used to specify the location of an interrupt service routine. • One word is used to load the CS register and points to the base address of the code segment containing the service routine. • The second word is used to load the IP with the offset value for the desired routine within the specified code segment. • The base and offset words for all interrupt types are grouped together in an interrupt vector table, which in real mode starts at address 0000:0000; the entry for interrupt n occupies the four bytes at n × 4 (offset word first, then segment word).
BIOS[wikipedia] • BIOS, in computing, stands for Basic Input/Output System or Basic Integrated Operating System. • BIOS refers to the firmware code run by an IBM compatible PC when first powered on. • The primary function of the BIOS is to prepare the machine so other software programs stored on various media (such as hard drives, floppies, and CDs) can load, execute, and assume control of the PC. This process is known as booting up. • Boot is short for bootstrapping. • BIOS can also be said to be a coded program embedded on a chip that recognizes and controls various devices that make up the PC.
BIOS Firmware Chips • A computer system can contain several BIOSfirmware chips. • The motherboard BIOS typically contains code to access fundamental hardware components such as • the keyboard • floppy drives • ATA (IDE) hard disk controllers • USB human interface devices • storage devices. • Plug-in adapter cards such as SCSI, RAID, Network interface cards, and video boards often include their own BIOS, complementing or replacing the system BIOS code for the given component.
BIOS Procedures in ROM Chips • ROM chips accompany most hardware add-ons, such as hard drives, video boards, and so forth. • These chips contain machine language programs (routines) that handle most of the common requests that operating systems and applications make. • ROM-based software adheres to a well-known, published standard. • If a program wants to write data to the hard drive, for example, it can call upon the routines on the hard drive ROM chips to perform the operation. Although the circuitry in each brand of hard drive might differ, this well-defined software interface allows programs to efficiently request services from hard drives and other peripherals without having to understand their internals. • ROM-based software is referred to as BIOS procedures. If a program needs to request a service from a peripheral, such as reading data from the hard drive, it can call upon the BIOS procedure in the ROM chip to communicate with the specific device and service the request (similar to a device driver in Unix).
DOS Calls • The DOS operating system also offers system services to its applications. • DOS installs its own system service provider software in memory to service common requests, such as opening a file or writing data to a file. • The above DOS software works on top of the various BIOS Procedures and simplifies certain basic operations.
DOS Call Example • Assume an application requests a system service, such as opening a file. • The application makes this request with a simple DOS call. • DOS may make one or more low-level requests to the ROM service provider. • Finally, the ROM service provider may interact with the hardware to service some requests. • Because the typical program doesn’t care about how data actually is stored on the hard drive, as long as it can access it, DOS abstracts this for the program and offers a simple way to open files (similar to a system call in Unix).
An Example of System Layering [Raymond Wisman]
C++ program: cout << "Hello world";
Machine code: call DOS print-string function 09h (via INT 21h) to output the string "Hello world"
DOS: call the BIOS video service via INT 10h
BIOS: "Hello world" placed in hardware video memory
Video hardware: "Hello world" displayed from video memory
Invoking a BIOS Procedure or DOS Call • Both BIOS procedures and DOS calls are invoked through the int instruction, • e.g. int 20h (DOS) or int 10h (BIOS)
The Rise and Fall of the BIOS • Older operating systems such as DOS relied on the BIOS to carry out most input-output tasks within the PC. • A variety of technical reasons eventually made it inefficient, especially for more recent operating systems written for the Intel 80386 such as Linux and Microsoft Windows, to invoke the BIOS directly. • Such operating systems instead used their own better-performing native drivers, which were also much easier to extend to support new hardware. As such, the BIOS was mostly relegated to bootstrapping to the point where the operating system's own drivers could take control of the hardware.
Hook TSRs into DOS System Services • Memory-resident programs, called TSRs, can hook into the system service provider software (DOS calls) already resident in the computer’s memory and augment the services offered by the original system service provider software. • The “hooking” program can service all requests on its own or pass on some or all requests to the original service provider. It also can opt to modify information before passing it to a subservient service provider (one installed before the current service provider).
How Resident File Viruses Hook into the Operating System • Most programs that hook into DOS or ROM services do so for legitimate reasons. Unfortunately, memory-resident viruses also can hook into these system services to damage data or spread to floppy disks and files.
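The vector table layout from the Interrupt Vectoring slide and the TSR hooking described in the last two slides, as an added example that is not part of the original slides: a simulated real-mode IVT in a byte array, the save-old-vector-and-redirect step a TSR (or a resident virus) performs, and the baseline comparison a resident-virus monitor can run against the table. All vector values are constructed for the demo; nothing touches real memory.

```c
/* Added example (not from the original slides): a simulated real-mode
 * interrupt vector table, how a TSR hooks a vector, and the integrity check
 * an anti-virus monitor can run against the table. All addresses are
 * constructed for the demo. */
#include <stdint.h>
#include <string.h>

#define IVT_ENTRIES 256

struct farptr { uint16_t seg; uint16_t off; };

/* The IVT lives at 0000:0000; entry n occupies bytes n*4 .. n*4+3,
 * offset word first, then segment word (little-endian). */
static uint8_t ivt[IVT_ENTRIES * 4];

struct farptr ivt_get(uint8_t n) {
    const uint8_t *p = ivt + n * 4;
    struct farptr v;
    v.off = (uint16_t)(p[0] | (p[1] << 8));
    v.seg = (uint16_t)(p[2] | (p[3] << 8));
    return v;
}

void ivt_set(uint8_t n, struct farptr v) {
    uint8_t *p = ivt + n * 4;
    p[0] = v.off & 0xFF; p[1] = v.off >> 8;
    p[2] = v.seg & 0xFF; p[3] = v.seg >> 8;
}

/* Linear (physical) address of a real-mode far pointer: seg * 16 + off. */
uint32_t linear(struct farptr v) { return (uint32_t)v.seg * 16 + v.off; }

/* What a TSR does when it hooks a service: remember the old handler so it
 * can chain to it, then point the vector at its own code. Returns the old
 * vector; a resident virus stores it the same way. */
struct farptr hook_vector(uint8_t n, struct farptr handler) {
    struct farptr old = ivt_get(n);
    ivt_set(n, handler);
    return old;
}

/* Baseline snapshot comparison, the simplest resident-virus detector.
 * Returns the number of vectors that differ from the baseline and records
 * the first changed interrupt number (or -1). */
uint32_t ivt_diff(const uint8_t *baseline, int *first_changed) {
    uint32_t changed = 0;
    *first_changed = -1;
    for (int n = 0; n < IVT_ENTRIES; n++) {
        if (memcmp(baseline + n * 4, ivt + n * 4, 4) != 0) {
            if (*first_changed < 0) *first_changed = n;
            changed++;
        }
    }
    return changed;
}

/* Heuristic: the system ROM BIOS occupies the F000h segment (linear
 * F0000h-FFFFFh) on a PC. A BIOS service vector such as INT 13h that now
 * points into conventional RAM has been hooked by something. */
int points_into_rom(struct farptr v) { return linear(v) >= 0xF0000; }

/* Scenario: clean table, snapshot, then a resident virus hooks INT 13h
 * (diskette services) and INT 21h (DOS functions). Returns the number of
 * vectors the monitor flags (expected: 2). */
uint32_t demo_scenario(void) {
    static uint8_t baseline[IVT_ENTRIES * 4];
    struct farptr bios_disk = { 0xF000, 0xEC59 }; /* constructed BIOS INT 13h vector */
    struct farptr dos_api   = { 0x0116, 0x10A2 }; /* constructed DOS INT 21h vector */
    struct farptr virus     = { 0x9F00, 0x0100 }; /* constructed: virus body near the top of conventional memory */
    int first;

    memset(ivt, 0, sizeof ivt);
    ivt_set(0x13, bios_disk);
    ivt_set(0x21, dos_api);
    memcpy(baseline, ivt, sizeof ivt);   /* snapshot taken on a clean boot */

    hook_vector(0x13, virus);            /* virus goes resident on both services */
    hook_vector(0x21, virus);

    return ivt_diff(baseline, &first);   /* first == 0x13 */
}
```

The baseline check catches any vector change, legitimate TSRs included, which is why real monitors combine it with the segment heuristic (a BIOS vector that no longer points into ROM) and with a check that the vector's target lies inside a known-loaded program.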
The Most Common Executable File Formats under Windows • The Portable Executable file format (PE) is the format of the binary programs (exe, dll, sys, scr) for • MS Windows NT • Windows 95 • Win32s
Struct IMAGE_FILE_HEADER (20 bytes)

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
An Example of Structure IMAGE_FILE_HEADER [Danehkar] (figure: a header dump of 24 bytes = 18h; the 24 bytes are the 4-byte "PE\0\0" signature followed by the 20-byte IMAGE_FILE_HEADER)
Struct IMAGE_OPTIONAL_HEADER (the 32-bit form, IMAGE_OPTIONAL_HEADER32)

typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
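The two header structures above, as an added example that is not part of the original slides: a minimal C parser that follows e_lfanew from the DOS header to the "PE\0\0" signature, reads the IMAGE_FILE_HEADER and the PE32 IMAGE_OPTIONAL_HEADER fields a file-infector cares about, and applies the check a scanner makes for the classic appending infector: an AddressOfEntryPoint that no longer falls inside [BaseOfCode, BaseOfCode + SizeOfCode). The image buffer is hand-built in the code for the demo and is not a loadable executable.

```c
/* Added example (not from the original slides): parse the PE headers of a
 * constructed image and flag an entry point outside the code section.
 * Offsets are those of the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32
 * structures; the image contents are made up for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

struct pe_info {
    uint16_t machine, number_of_sections, size_of_optional_header, characteristics;
    uint32_t entry_point, base_of_code, size_of_code, image_base, section_alignment;
};

/* Returns 0 on success, a negative code for a malformed or non-PE32 image. */
int parse_pe(const uint8_t *img, size_t len, struct pe_info *out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;   /* IMAGE_DOS_HEADER.e_magic */
    uint32_t e_lfanew = rd32(img + 0x3C);                            /* file offset of "PE\0\0" */
    if (e_lfanew > len - 24) return -2;                              /* signature + file header must fit */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -3;
    const uint8_t *fh = img + e_lfanew + 4;                          /* IMAGE_FILE_HEADER, 20 bytes */
    out->machine                 = rd16(fh + 0);
    out->number_of_sections      = rd16(fh + 2);
    out->size_of_optional_header = rd16(fh + 16);
    out->characteristics         = rd16(fh + 18);
    if (out->size_of_optional_header < 96 || e_lfanew + 24 + 96 > len) return -4;
    const uint8_t *oh = fh + 20;                                     /* IMAGE_OPTIONAL_HEADER32 */
    if (rd16(oh + 0) != 0x10B) return -5;                            /* Magic: PE32 only */
    out->size_of_code      = rd32(oh + 4);
    out->entry_point       = rd32(oh + 16);                          /* AddressOfEntryPoint (RVA) */
    out->base_of_code      = rd32(oh + 20);
    out->image_base        = rd32(oh + 28);
    out->section_alignment = rd32(oh + 32);
    return 0;
}

/* Infection heuristic: an appending infector adds its body at the end of the
 * file and redirects AddressOfEntryPoint there, outside the original code. */
int entry_point_in_code(const struct pe_info *pi) {
    return pi->entry_point >= pi->base_of_code &&
           pi->entry_point <  pi->base_of_code + pi->size_of_code;
}

/* Constructed minimal image: DOS header, "PE\0\0", file header, PE32 optional
 * header (224 bytes). Returns the number of bytes written, 0 if cap is too small. */
size_t make_demo_image(uint8_t *buf, size_t cap, uint32_t entry_rva) {
    const uint32_t e_lfanew = 0x80;
    size_t total = e_lfanew + 4 + 20 + 224;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    uint8_t *fh = buf + e_lfanew + 4;
    wr16(fh + 0, 0x014C);        /* Machine: IMAGE_FILE_MACHINE_I386 */
    wr16(fh + 2, 3);             /* NumberOfSections */
    wr16(fh + 16, 224);          /* SizeOfOptionalHeader for PE32 with 16 data directories */
    wr16(fh + 18, 0x0102);       /* Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE */
    uint8_t *oh = fh + 20;
    wr16(oh + 0, 0x10B);         /* Magic: PE32 */
    wr32(oh + 4, 0x1000);        /* SizeOfCode */
    wr32(oh + 16, entry_rva);    /* AddressOfEntryPoint */
    wr32(oh + 20, 0x1000);       /* BaseOfCode */
    wr32(oh + 28, 0x00400000);   /* ImageBase */
    wr32(oh + 32, 0x1000);       /* SectionAlignment */
    return total;
}
```

With entry_rva = 0x1200 the entry point sits inside the code section and the heuristic passes; with entry_rva = 0x5000 (past BaseOfCode + SizeOfCode, as after an appending infection) it is flagged. Real scanners add the section table walk, so they can name the section the entry point lands in and check its characteristics.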