1.22k likes | 1.43k Vues
電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓. Virus [ Internet Security Professional Reference ]. Virus. A sequence of code that is inserted into other programs . A virus can create a copy of itself to inserted in one or more other programs.
E N D
電腦攻擊與防禦 The Attack and Defense of Computers Dr.許 富 皓
Virus • A sequence of code that is inserted into other programs. • A virus can create a copy of itself to inserted in one or more other programs. • Virus cannot run on their own, and need to have some host program. • e.g. Melissa virus, ILOVEYOU virus.
Virus • Boot sector viruses • Master boot record viruses • File infector viruses • Multi-partite viruses • Macro viruses (infect data files)
Disk Structures • Units used in Floppy Disks and Hard Disks: • Sectors • E.g. A 3 ½ inch high-density disk • 512 bytes/sector • 18 sectors/track • 40 tracks/side • Cluster • Disk space allocation unit • Each cluster contains one or more sectors. • Tracks • Heads • Cylinder (for HDs)
Disk Sectors Magnetic Disk Sector
Areas of a Disk • Under DOS, A disk is divided into the following four areas: • The boot record. • The file allocation table (FAT). • The root directory. • The data area. • A hard drive has a fifth area: • The partition table.
Boot Record • Boot Record: • Location: • sector 1, track 0, head 0. • Contents: • the bootstrap routine(a machine language program designed to load the operating system from other part of the disk.) • the BIOS Parameter Block (BPB), which identifies the floppy disk’s operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk. • The BPB allows an operating system to understand the format of a disk.
The Bootstrap Program • In a PC, when a machine is turned on, a routine called “The Power-On Self Test (POST)” verifies all hardware components are working properly. • After everything is confirmed working well, POST loads up the boot record from the disk and checks for two signature bytes inside it. • If the boot record signature is present, the execution control is transferred to the bootstrap program inside the boot record. • Under DOS, the bootstrap program in turn loads the OS into the RAM from the disk and eventually transfers control toCOMMAND.COM, the command interpreter. On board On disk
Hard Disk Partition and Master Boot Record • A single physical hard drive can be divided into several differentpartitions. • The user can specify one of the partitions as the active partition (the one from which the user wants to boot.) • The Master Boot Record (MBR) is a structure stored on the first track, sector and head of the hard drive. • The MBR contains a partition table, which denotes the allocation of all sectors and their respective partitions. • Programs require the partition table on the hard disk to understand the disk’s characteristics.
Interrupt [Gerhard Roehrl] • The 8086/88 microprocessors allow normal program execution to be interrupted by external events or by special instructions embedded in the program code. • When the microprocessor is interrupted, it stops executing the current program and callsa procedure which services the interrupt. • At the end of the interrupt service routine, the code execution sequence is returned to the original, interrupted program.
Interrupt Sources • An interrupt can be generated by one of three sources: • Internal interrupts • Hardware interrupt • Software interrupt
Internal Interrupts • An interrupt can be generated as a result of a processor state violation, called an exception. • An example would be a divide-by-zero interrupt produced when the div instruction is interpreted to have a zero divisor. • Program execution is automatically interrupted and control transferred to an interrupt handler. • Conditional interrupts such as this are referred to as internal interrupts.
Hardware Interrupt • An interrupt can also be generated by an external device requesting service. This happens when a device signals its request on either the non-maskable interrupt (NMI) or on the INTR interrupt input lines of the processor. • The NMI interrupt is generally used to signal the occurrence of a catastrophic event, such as the immanent loss of power. • The INTR interrupt is used by all other devices. • An interrupt caused by a signal applied to either the NMI or INTR input pin of a CPU is referred to as a hardware interrupt.
Software Interrupt • Interrupts may be generated as a result of executing the int instruction. This is referred to as a software interrupt.
Interrupt Vectoring • Two 16 bit data words are used to specify the location of a interrupt service routine. • One word is used to load the CS register and points to the base addressof the code segment containing the service routine. • The second word is used to load the IP with the offset valuefor the desired routine within the specified code segment. • The base and offset words for all interrupt types are grouped together in an interrupt vector table.
BIOS[wikipedia] • BIOS, in computing, stands for Basic Input/Output System or Basic Integrated Operating System. • BIOS refers to the software code run by a computer when first powered on. The primary function of BIOS is to prepare the machine so other software programs stored on various media (such as hard drives, floppies, and CDs) can load, execute, and assume control of the computer. This process is known as booting up. • BIOS can also be said to be a coded program embedded on a chip that recognizes and controls various devices that make up the computer. The term BIOS is specific to personal computer vendors. Among other classes of computers, the generic terms boot monitor, boot loader or boot ROM are commonly used.
BIOS Procedures in ROM Chips • ROM chips accompany most hardware add-ons, such as hard drives, video boards, and so forth. These chips contain machine language programs (routines) that handle most of the common requests that operating systems and applications make. • ROM-based software adheres to a well-known, published standard. • If a program wants to write data to the hard drive, for example, it can call upon the routines on the hard drive ROM chips to perform the operation. Although the circuitry in each brand of hard drive might differ, this well-defined software interface allows programs to efficiently request services from hard drives and other peripherals without having to understand their internals. • ROM-based software is referred to as a BIOSprocedures. If a program needs to request a service from a peripheral, such as reading data from the hard drive, it can call upon the BIOS procedure in the ROM chip to communicate with the specific device and service the request. similar to a device driver in Unix
Physical Memory Layout of a PC 640K 1M
DOS calls • The DOS operating system also offers system services to its applications. DOS installs its own service provider software in memory to service common requests, such as opening a file or writing data to a file. This DOS software works on top of the various BIOS Procedures and simplifies certain basic operations. • The application requests a system service, such as opening a file. The application makes this request with a simple DOS call. DOS may make one or more low-level requests to the ROM service provider. Finally, the ROM service provider may interact with the hardware to service some requests. Because the typical program doesn’t care about how data actually is stored on the hard drive, as long as it can access it, DOS abstracts this for the program and offers a simple way to open files. Similar to a system call in Unix
An Example of System Layering [Raymond Wisman] C++ program: cout << "Hello world"; Machine : Call DOS video function 9 to output Code string "Hello world" DOS: Call BIOS video function by int 10h BIOS: "Hello world" placed in hardware video memory Video hardware: "Hello world" display from video memory
Invoking a BIOS Procedure or DOS Call • Both BIOS procedures or DOS calls are invoked through the int instruction, • e.g. int 20h int 10h
Hook TSRs into DOS System Services • Memory-resident programs, called TSRs, can hook into the system service provider software already resident in the computer’s memory and augment the services offered by the original service provider. • The “hooking” program can service all requests on its own or pass on some or all requests to the original service provider. It also can opt to modify information before passing it to a subservient service provider (one installed before the current service provider).
How Resident File Viruses Hook into the Operating System • Most programs that hook into DOS or ROMservices do so for legitimate reasons. Unfortunately, memory-resident viruses also can hook into these system services to damage data or spread to floppy disks and files.
The Most Common Executable File Formats under Windows • The portable executable file format(PE) is the format of the binary programs (exe, dll, sys, scr) for MSwindowsNT, windows 95 and win32s.
The Most Common Executable File Formats under DOS • The most common executable file formats used under DOS are COM, EXE, and SYS. • COM and EXE files are used for standard DOS programs, and SYS files are used for system device drivers. • Although viruses have targeted each of these file formats, to date, reports of SYS file infections have been rare.
Entry Points of DOS Program Files • A program file consists of data and machine language instructions interpreted directly by the computer’s CPU. • DOS program files contain one or two entry points, which are the locations in the program of the first instruction for the CPU to execute. • You might compare a program to a notepad that contains a list of tasks. The entry point, then, would be the first task on the list. • All COM and EXE files have a single entry point, while SYS files have two entry points. • The CPU’s interpretation of a program’s instruction must always start with the instruction at the entry point. This makes the entry point an area that viruses can modify and thereby gain control of the computer. After the virus completes its dirty work, it can then transfer control to the original program.
COMFiles • The COM executable file has the simplest DOS program file format. The COM file’s simplicity makes it a major target for file infecting viruses. • The contents of the COM file are loaded directly into memory and executed without modification. The operating system transfers control to the first instruction in the memory image of the file. This first instruction is the COM file’s single entry point. • COM files have an upper size limit of approximately 64KB
EXE Files – Component Sections • The EXE executable file format is somewhat more complex than the COM file format. • The EXE file consists of two primary sections. • The first section is a header that tells DOS how to load the program. • The second section of the EXE file, known as the program load image, contains the actual memory image of the program and its data.
EXE Files – the Header Section • The header includes two fields that identify the location of the EXE file’s single entry point in the program: • the Code Segment (CS) and • the Instruction Pointer (IP). • The header also includes two size fields that specify the actual size of the executable program. • When a virus infects an EXE file, it must increase the value in the size fields to equal the total of the executable program file size and the virus program size. • For instance, when a virus that is 2 KB in size appends itself to a 10 KB file, it increases the value in these fields to 12 KB.
How an EXE File Is Loaded into RAM and Executed overlay data
SYSFiles • The SYS executable file format differs from both the COM and EXE file formats in that SYS files have two entry points. • SYS format files are used primarily for device drivers. • Like COM files, all SYS files must be 64 KB or less in size. • The SYS file is composed of three major sections. • The first portion of the SYS file contains the device header. Like the header of an EXE file, the device header contains entry point information and other fields. • The second and third sections of the SYS file contain the two device driver modules, which contain all the machine language code in the program.
Program Files and Viruses • Program files are often targeted by viruses for two primary reasons. • Because each of the executable file types has a simple format, file viruses can piggyback themselves to program files with relative ease. • Executable file types also are common targets for infection because of the frequency of their use. If a virus can infect an executable file, its capability to infect other programs increases.
Macro Facilities • Macro facilities enable a user to record a sequence of operations within the application. • The user then uses a key combination to associate these operations. • Later, pressing this key combination repeats the recorded steps. • A given macro activated using a key combination, for example, might open a file, renumber the items within it, then close the file.
Global Pool of Macros • Macro systems have evolved greatly over the years. • Most old programs that supported macros had a “global pool” of macros that always were available for use, regardless of what file the user happened to be editing. • Individual document or spreadsheet files could not contain their own, local, macros.
New Properties of Modern Macro System • Modern macro systems differ from their predecessors in several key ways. • First, users now can write entire complex programs in a macro language. These programs have access to all the host application’s features, as well as many of the operating system’s features. • Microsoft products, for example, enable users to write macros in a language that resembles Visual Basic. • These macros can perform various tasks for the user, including popping up dialog boxes, altering files on the system, or inserting the date and time in a document. They can also be used to write viruses! • Second, the user can tote specific macros around in a document or spreadsheet data file. A user can create a macro for a specific spreadsheet, for example, and attach it directly to the spreadsheet file. Any time the file is used on a new machine, the accompanying macro is available for use.
Security Concerns of Modern Macro System • An inherent threat exists with modern macro system: just as normal macros can be attached and carried along with a given document or data file, so can macro viruses!