CN1121012C - How to protect BIOS from being damaged by viruses - Google Patents

Info

Publication number
CN1121012C
Authority
CN
China
Prior art keywords
bios
virus
smi
flash memory
writes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 00103400
Other languages
Chinese (zh)
Other versions
CN1311478A (en
Inventor
李永富
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inventec Corp
Original Assignee
Inventec Corp

Landscapes

  • Techniques For Improving Reliability Of Storages (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for protecting the BIOS from being damaged by viruses. It uses the signal that is necessary when a flash memory is written to generate a system management interrupt (SMI), so that when a write is made to the BIOS stored in the flash memory, the BIOS's SMI handler routine can stop a virus. The method first routes this necessary signal from the flash memory to an SMI event source input pin of the computer's chipset, so that the chipset generates the corresponding SMI# to the computer's CPU. On receiving SMI#, the CPU uses the BIOS's SMI handler routine to check whether the BIOS stored in the flash memory is being written, and if the write is judged to be a virus intrusion, the write is prohibited.

Figure 00103400

Description

Method for protecting the BIOS from being damaged by viruses

The invention relates to a method for protecting computer firmware, and in particular to a method for preventing a computer's BIOS (basic input/output system) from being damaged by viruses.

One of the most critical components of a computer system is the firmware used for booting, namely the BIOS, which is generally stored in non-volatile memory. The BIOS is executable code that lets the CPU carry out tasks such as initialization, loading the operating system kernel from main memory, and routine I/O (input/output) functions.

When power is turned on, the CPU starts the computer by fetching the instruction code stored in the BIOS. The BIOS must satisfy two conflicting requirements at once: (1) the BIOS must be well protected, because if it is modified or destroyed the whole system cannot boot; (2) the BIOS must be easy to modify, so that new versions can add improved functions or apply bug-fix updates.

The BIOS can usually be written to an EPROM (erasable programmable read-only memory). An EPROM has the advantage that it cannot be modified electrically: to change its contents, it must first be removed from its socket and then exposed to ultraviolet light for a long time. A BIOS written to an EPROM is therefore safe from computer viruses. Conversely, a BIOS stored in an EPROM cannot be upgraded at will. Recently, as computer system architectures keep evolving, the ability to update the BIOS at any time has become quite important, so BIOS firmware now mostly uses flash memory. However, because it is easy to modify, BIOS flash memory is easily damaged by computer viruses, and an infection has quite serious consequences. In a typical virus intrusion, the virus code executes a code sequence to modify the BIOS contents; once the BIOS has been improperly modified, the infected executable code spreads further to other areas of the BIOS code or to the operating system kernel. Moreover, because the BIOS is the first program executed after the computer is powered on, before any system or network antivirus software starts, detecting and removing viruses that target the BIOS is more difficult. Such viruses can often evade antivirus scans, so that their presence cannot be determined.

Existing BIOS protection falls roughly into two approaches. (1) Hardware (H/W) protection uses a jumper or GPIO (general-purpose I/O) to control the flash memory's Vcc 12V input signal so that the flash memory cannot be written. This protects well but is inconvenient to operate, and its drawback is that its prevention of and response to viruses are rather passive. (2) Software (S/W) protection is the more common approach: for flash memories that do not support the H/W protection above, protection is applied directly by issuing a set of commands to the flash memory. The drawback is that this command set is part of the flash memory's published specification, so a virus can easily remove the protection in software; the CIH virus, for example, can defeat this kind of software protection.

The object of the invention is therefore to provide a method for protecting the BIOS from being damaged by viruses that uses the signal necessary when a flash memory is written to generate an SMI (system management interrupt), so that when a write is made to the BIOS stored in the flash memory, the BIOS's SMI handler routine can be used to stop a virus.

The method provided for this purpose protects the BIOS from being damaged by viruses by connecting the flash memory holding the BIOS to an SMI event source input pin of the chipset, thereby preventing a virus from writing to the flash memory. Its steps include at least: (a) performing the relevant BIOS settings to match the necessary signal WE# from the flash memory; (b) the computer's CPU receiving an SMI signal issued by the chipset; (c) going to the BIOS's SMI handler routine to check the SMI source; (d) determining that the SMI source is the flash memory being written by a virus; and (e) prohibiting the virus's write. Step (a) further includes: (a1) executing POST at BIOS startup; (a2) initializing the SMI handler routine; (a3) configuring the chipset so that it generates an SMI signal when the flash memory is written; (a4) setting the I/O trap SMI function to prevent a virus from disabling the SMI; and (a5) loading the operating system.

To make the above and other objects, features and advantages of the invention easier to understand, a preferred embodiment is described in detail below with reference to the accompanying drawings.

Fig. 1 is a schematic diagram of the hardware circuit structure of the computer system of the invention;

Fig. 2 is a schematic diagram of the hardware setup for the method of the invention for protecting the BIOS from being damaged by viruses;

Fig. 3 is a flowchart of the software setup for the method of the invention for protecting the BIOS from being damaged by viruses; and

Fig. 4 is a flowchart of the implementation of the method of the invention for protecting the BIOS from being damaged by viruses.

The computer virus referred to in this invention is a piece of executable program code. Taking one that infects the operating system at boot as an example, it writes to the flash memory holding the BIOS program code, so that the BIOS is modified and the computer cannot boot. If the intrusion is not detected in time, that is, if there is no infection warning to tell the user to deal with it early, the virus goes on to damage other devices such as disks or memory, and the data stored in these storage units is modified or deleted, causing serious loss.

The method of the invention therefore mainly protects the flash memory holding the BIOS from viruses: when a write to the BIOS flash memory occurs, it determines whether the write is abnormal. If the write is judged to be a virus, the computer issues an infection warning and then takes preventive measures to keep the computer system from being infected. The specific flow is described below.

Before that, refer to the computer hardware circuit diagram in Fig. 1 for the general structure of the computer system. In the computer systems widely used today, CPU 10 is connected to north bridge (NB) 30 through CPU bus 20. North bridge 30 is connected to memory 40 (which may be SDRAM, EDO RAM or similar memory) and also, through AGP bus 50, to AGP VGA card 60. North bridge 30 is further connected through PCI bus 70 to south bridge 80 for transferring data and information. South bridge 80 is connected to hard disk (HDD) 90, optical drive (CD-ROM or DVD-ROM) 100, USB (Universal Serial Bus) 110 and input devices (such as a mouse or keyboard) 120 for accessing or entering data, and is also connected through XD bus 130 and ISA bus 140 to BIOS 150 and audio device (such as a sound card) 160 respectively. North bridge 30 and south bridge 80 are both control chipsets on the motherboard: the north bridge chip 30 near CPU 10 is also called the system host chip, and the south bridge chip near the buses is the peripheral chip responsible for peripheral devices.

We first consider how the computer system learns that the BIOS flash memory is being written. The invention does so by using the fact that the signal necessary for writing a flash memory can generate an SMI, and thereby learns that a write to the BIOS flash memory is taking place. This involves two parts: the hardware setup and the BIOS setup. Fig. 2 is a schematic diagram of the hardware setup, showing the BIOS flash memory connected to an SMI event source input pin of the chipset. In this preferred embodiment, BIOS flash memory 16 is connected through adapter unit 14 to system chipset 12, for example the south bridge chip 30 mentioned above, and chipset 12 is connected to CPU 10. Adapter unit 14 can be implemented with a logic circuit or with an SIO (super I/O, input/output controller). The main reason for it is that chipset 12 must receive quite a few SMI sources while its SMI event source input pins are limited, so it is best to consolidate and control them through adapter unit 14 so that chipset 12 can learn of the SMI source from the BIOS flash memory. If chipset 12 has a spare pin, however, adapter unit 14 can be omitted and BIOS flash memory 16 connected directly to chipset 12. This hardware setup is done at motherboard layout time: the circuit is designed so that the necessary signal sent by BIOS flash memory 16, such as the WE# (write enable) output, is passed through adapter unit 14 (a logic circuit or SIO), or directly, to chipset 12, which thereby learns of the SMI source and issues SMI# to CPU 10.

After the hardware setup is complete, the BIOS setup must be combined with it. Fig. 3 shows the BIOS startup flow after the BIOS program code has been modified. In a typical computer system, the ability of the BIOS flash memory to generate an SMI signal is not turned on. That is, even with the hardware setup above complete, the BIOS program code must still be modified before the system can tell that the corresponding SMI# originates from a write to BIOS flash memory 16. First, in step 101, when the computer is powered on it starts the boot procedure (booting). During BIOS startup it first executes POST (Power-On Self-Test), which includes running various tests to confirm that the computer functions correctly and initializing registers in certain hardware devices; most POST runs also load the BIOS program code into memory. After POST begins, in step 102, the function by which the BIOS flash memory issues an SMI signal must be turned on, so the SMI handler is initialized. Next, in step 103, the BIOS configures chipset 12 to match the input signal from the BIOS flash memory, the logic circuit or the SIO. Then, as the precaution of step 104, the I/O trap SMI function is set to prevent a virus from disabling the SMI function. Finally, in step 105, after POST completes, the computer loads an operating system such as Microsoft's MS-DOS or Windows.

After the relevant hardware and software settings are complete, the flow in Fig. 4 illustrates how the invention handles a virus intrusion. In step 201, when CPU 10 receives an SMI#, it enters the BIOS's SMI handler to check the source of the SMI (step 202). In step 203, if the SMI# is determined to have been caused by a write to the BIOS flash memory, and the write was not made by the BIOS or a BIOS update utility, that is, the write is a virus improperly modifying the BIOS (step 204), the system issues an alarm signal (step 205), such as a beep or a sound with a distinctive pattern, to warn the user that a virus is attempting to damage the BIOS. Then, in step 207, the system takes measures to prohibit the virus's write. If step 203 determines that the SMI# was not caused by a write to the BIOS flash memory, the system continues with the rest of the SMI handler (step 208) and finally returns to the OS or AP (application program) (step 209). If step 204 determines that the write to the BIOS flash memory came from the BIOS, a BIOS update program, or another cause that is not an abnormal write, the flow likewise returns to the OS or AP in step 209. The handling in step 207 differs depending on which write-prohibition approach is used; see the description below for details.

First, how step 204 determines that the SMI# produced by a write to the BIOS flash memory was caused by a virus program. Three preferred embodiments are proposed:

(1) Before the BIOS or a BIOS update program writes to the BIOS flash memory, it first writes a specific value to a specific location in memory, that is, it sets a flash write flag, and clears the flag when the write is done. When the BIOS's SMI handler determines whether the SMI was caused by a write to the BIOS flash memory, it checks whether this flash write flag is present. If it is, the write was made by the BIOS or a BIOS update program; if the flag is absent, the write is judged to be a virus program damaging the BIOS flash memory.

(2) The BIOS or a BIOS update program always writes to the BIOS flash memory by calling a BIOS service routine, and the BIOS service routine always resides in the ROM address range 000E0000h to 000FFFFF of memory. When an SMI occurs and the CPU enters SMM (system management mode), the address of the program that was executing before the interrupt is saved in SMRAM, in registers such as CS (code segment) or EIP (extended instruction pointer). So when a write to the BIOS flash memory generates an SMI, the SMI handler checks whether the address of the program executing before the interrupt lies within memory addresses 000E0000h to 000FFFFF. If so, the write was made by the BIOS or a BIOS update program; if not, it is deemed the work of a virus.

(3) Before the BIOS or a BIOS update program writes to the BIOS flash memory, it first turns off the switch that makes a write to the BIOS flash memory generate SMI#, and turns it back on after the write is finished. No SMI# is therefore generated during the write. Because a virus program does not know about this SMI# switch or cannot turn it off, when the SMI handler finds that an SMI was generated by a write to the BIOS flash memory, the write is deemed the work of a virus program.

As for how step 207 prohibits the virus's write, that is, how the SMI handler deals with a virus attempting to damage the BIOS flash memory, two preferred embodiments are proposed:

(1) The system speaker continuously emits a distinctive sound to warn the user. The CPU keeps executing this sound routine and never leaves the SMI handler, so that the CPU does not return to the virus program to damage the BIOS flash memory or go on to damage other devices such as the hard disk. Because the system then appears hung, the user can look up the sound in the user manual or ask the computer vendor, and so learn that the computer has been infected.

(2) The SMI handler writes a specific value to a specific location in memory, that is, it sets a poison flag. Because a series of command codes must be written to specific addresses of the BIOS flash memory before its data can be written, the SMI handler can corrupt the virus's write command codes in the CPU register values saved in SMRAM, invalidating the write command so that it cannot damage the BIOS flash memory. This method therefore ends by carrying out step 208 above and returning to the OS. A corresponding program written to run under the OS periodically checks the poison flag in memory and, if it finds the flag set, immediately displays a message on screen to warn the user.
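The decision flow of Fig. 4 (steps 201 to 209), with the three legitimacy checks and response (2), can be modelled on a host as follows. This is an added example, not code from the patent: every structure and function name and the sample caller addresses are hypothetical, and a real handler would run in SMM and read chipset status and the SMRAM save state instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the Fig. 4 flow (steps 201-209). All names are
 * hypothetical; a real handler runs in SMM and reads chipset registers. */
#define BIOS_SVC_LO 0x000E0000u /* BIOS service routine range, method (2) */
#define BIOS_SVC_HI 0x000FFFFFu

enum smi_source { SMI_SRC_OTHER, SMI_SRC_FLASH_WE };
enum verdict { V_OTHER_SMI, V_AUTHORIZED_WRITE, V_VIRUS_WRITE };
enum method { M_WRITE_FLAG = 1, M_CALLER_ADDR = 2, M_SMI_SWITCH = 3 };

struct platform {
    enum method method;     /* legitimacy check this BIOS build uses */
    bool flash_smi_enabled; /* chipset raises SMI# on flash WE# (step 103) */
    bool flash_write_flag;  /* method (1): set by BIOS/updater around a write */
    bool poison_flag;       /* response (2): polled later by an OS-side program */
    unsigned alarms;        /* step 205: alarm signals raised */
};

struct write_req {
    uint32_t interrupted_addr; /* assumed: linear address from saved CS/EIP */
    bool cmd_valid;            /* flash write command sequence still intact */
};

/* Step 204: was the flash write made by the BIOS or its update program? */
static enum verdict classify_flash_write(const struct platform *p,
                                         const struct write_req *r)
{
    switch (p->method) {
    case M_WRITE_FLAG:
        return p->flash_write_flag ? V_AUTHORIZED_WRITE : V_VIRUS_WRITE;
    case M_CALLER_ADDR:
        return (r->interrupted_addr >= BIOS_SVC_LO &&
                r->interrupted_addr <= BIOS_SVC_HI) ? V_AUTHORIZED_WRITE
                                                    : V_VIRUS_WRITE;
    default:
        /* M_SMI_SWITCH: authorized writers switch the SMI off first, so a
         * flash-write SMI that still arrives is treated as a virus write. */
        return V_VIRUS_WRITE;
    }
}

/* Steps 201-209 with response (2): alarm, poison flag, cancel the command. */
static enum verdict smi_handler(struct platform *p, enum smi_source src,
                                struct write_req *r)
{
    if (src != SMI_SRC_FLASH_WE)
        return V_OTHER_SMI;    /* step 208: other SMI handling */
    enum verdict v = classify_flash_write(p, r);
    if (v == V_VIRUS_WRITE) {
        p->alarms++;           /* step 205 */
        p->poison_flag = true; /* response (2) */
        r->cmd_valid = false;  /* step 207: write command invalidated */
    }
    return v;                  /* step 209: resume OS or application */
}

/* Models Fig. 2: WE# raises SMI# when enabled; true if the write lands. */
static bool flash_write(struct platform *p, uint32_t caller)
{
    struct write_req r = { caller, true };
    if (p->flash_smi_enabled)
        smi_handler(p, SMI_SRC_FLASH_WE, &r);
    return r.cmd_valid;
}

/* BIOS or BIOS update program: brackets the write as its method requires. */
static bool authorized_update(struct platform *p)
{
    bool ok;
    switch (p->method) {
    case M_WRITE_FLAG:
        p->flash_write_flag = true;
        ok = flash_write(p, 0x00401000u); /* constructed caller address */
        p->flash_write_flag = false;
        return ok;
    case M_SMI_SWITCH:
        p->flash_smi_enabled = false;
        ok = flash_write(p, 0x00401000u);
        p->flash_smi_enabled = true;
        return ok;
    default: /* M_CALLER_ADDR: write issued from the BIOS service routine */
        return flash_write(p, 0x000F1234u);
    }
}

int main(void)
{
    for (int m = M_WRITE_FLAG; m <= M_SMI_SWITCH; m++) {
        struct platform p = { (enum method)m, true, false, false, 0 };
        bool upd = authorized_update(&p);
        bool other = flash_write(&p, 0x00401000u); /* unbracketed write */
        printf("method %d: update=%d other=%d poison=%d alarms=%u\n",
               m, upd, other, p.poison_flag, p.alarms);
    }
    return 0;
}
```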

Although the invention has been disclosed above by way of a preferred embodiment, this is not intended to limit the invention. Anyone skilled in the art may make appropriate changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is that defined by the claims.

Claims (7)

1. A method for protecting a BIOS from being damaged by viruses, in which a flash memory holding the BIOS is connected to an SMI event source input pin of a chipset so as to prevent a virus from writing to the flash memory, the steps comprising at least:
performing the relevant BIOS settings to match a write-enable signal WE# from the flash memory;
the computer's CPU receiving an SMI signal issued by the chipset;
going to the SMI handler of the BIOS to check the SMI source;
judging the SMI source and, if the flash memory is judged to be written by a virus, prohibiting the virus's write, and otherwise handling it in the normal way;
wherein the step of performing the relevant BIOS settings further comprises:
executing POST at BIOS startup;
initializing the SMI handler;
configuring the chipset so that the chipset generates an SMI signal when the flash memory is written;
setting the I/O trap SMI function to prevent a virus from turning off the SMI; and
loading the operating system.
2. The method for protecting a BIOS from being damaged by viruses as claimed in claim 1, wherein the step of judging that the flash memory is written by a virus further comprises:
providing that an authorized program, when writing to the flash memory, first writes a flash write flag to a memory; and
the SMI handler checking the memory and, if the flag does not exist, deeming the write to be virus behavior, and if the flag exists, deeming the write not to be virus behavior.
3. The method for protecting a BIOS from being damaged by viruses as claimed in claim 1, wherein the step of judging that the flash memory is written by a virus further comprises:
providing that an authorized program, when writing to the flash memory, calls a BIOS service routine; and
the SMI handler checking the address of the program being executed before the interrupt and, if it is not within memory addresses 000E0000h to 000FFFFF, deeming the write to be virus behavior, and if the address of the executing program is within memory addresses 000E0000h to 000FFFFF, deeming the write not to be virus behavior.
4. The method for protecting a BIOS from being damaged by viruses as claimed in claim 1, wherein the step of judging that the flash memory is written by a virus further comprises providing that an authorized program, when writing to the BIOS flash memory, turns off generation of the SMI signal, so that when the SMI handler finds that the SMI source is a write to the flash memory, the write is deemed to be virus behavior; otherwise, if the SMI signal is turned off when the write is requested, the write is deemed not to be virus behavior.
5. The method for protecting a BIOS from being damaged by viruses as claimed in any one of claims 2 to 4, wherein the authorized program comprises either the BIOS or a BIOS update program.
6. The method for protecting a BIOS from being damaged by viruses as claimed in claim 1, wherein the step of prohibiting the virus's write further comprises:
emitting a warning sound; and
keeping execution from leaving the SMI handler.
7. The method for protecting a BIOS from being damaged by viruses as claimed in claim 1, wherein the step of prohibiting the virus's write further comprises:
the SMI handler writing a poison flag to a memory;
the SMI handler corrupting the command sequence that the virus writes to an address, so that the write command is invalidated;
returning to the operating system; and
checking the memory for the poison flag and displaying a warning message if it is present, and not displaying the warning message if the check finds no poison flag.
CN 00103400 2000-03-03 2000-03-03 How to protect BIOS from being damaged by viruses Expired - Fee Related CN1121012C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 00103400 CN1121012C (en) 2000-03-03 2000-03-03 How to protect BIOS from being damaged by viruses

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 00103400 CN1121012C (en) 2000-03-03 2000-03-03 How to protect BIOS from being damaged by viruses

Publications (2)

Publication Number Publication Date
CN1311478A CN1311478A (en) 2001-09-05
CN1121012C true CN1121012C (en) 2003-09-10

Family

ID=4576956

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 00103400 Expired - Fee Related CN1121012C (en) 2000-03-03 2000-03-03 How to protect BIOS from being damaged by viruses

Country Status (1)

Country Link
CN (1) CN1121012C (en)


Also Published As

Publication number Publication date
CN1311478A (en) 2001-09-05

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20030910

Termination date: 20170303
