Martin 开发的ROMOS(http://rayer.ic.cz/romos/romos.htm)是一个非常优秀的BIOS项目,它能在BIOS中以ISA模块形式嵌入数据并完成从BIOS启动FreeDOS的功能。并且这个项目是开源的(感谢作者)。我们将在这个基础上设计我们的IVT Hook检测程序。
程序使用NASM编写,采用标准ISA模块格式,显示IVT程序如下:
;----------------------------- 打印16进制(字节)------------------
;   whexb - print the byte in DL as two hex digits (INT 10h teletype, AH=0Eh)
;   In:    dl = byte to print
;   Out:   two characters written at the cursor
;   Preserves ax, dx and flags; @whb1 below does the per-nibble work
whexb:
        push    ax
        push    dx
        pushf
        mov     dh,dl
        shr     dh,4                    ; dh = high nibble (0..15)
        call    @whb1
        mov     dh,dl
        and     dh,0fh                  ; dh = low nibble (0..15)
        call    @whb1
        popf
        pop     dx
        pop     ax
        ret

;   @whb1 - print the nibble in DH (0..15) as one digit '0'..'9' / 'A'..'F'
;   Clobbers ax and dh (restored by whexb's epilogue)
@whb1:
        cmp     dh,0ah
        jb      @whb2                   ; 0..9 -> plain digit
        add     dh,'A'-'0'-10           ; 10..15 -> skip the gap between '9' and 'A'
@whb2:
        add     dh,'0'
        mov     ah,0eh                  ; BIOS teletype output
        mov     al,dh
        int     10h
        ret
;----------------------------- 打印字符串 ------------------------
;   write - print the NUL-terminated string at CS:SI (INT 10h, AH=09h),
;   then optionally print CR/LF.
;   In:    cs:si = string, NUL terminated
;          bl    = character attribute (passed unchanged to INT 10h/09h)
;          bh    = bits 0-6: repeat count handed to INT 10h/09h in CX
;                  bit 7:    set -> CR/LF is printed after the string
;                            (decided by 'cmp bh,80h / js @wri3' below)
;   Out:   all general registers and flags preserved
;   Notes: AH=09h does not move the cursor, so the column is advanced by hand
;          (inc dl + gotoxy); there is no wrap at the end of a row.
;          write falls through into wcrlf and both share the @wri3 exit, so
;          the two routines must stay together in this order.
write:
pusha
pushf
push bx                         ; keep the caller's BH so the CR/LF flag can be tested after the loop
call wherexy                    ; dh,dl = current cursor row/column
mov ah,9                        ; INT 10h: write char + attribute at the cursor
xor cx,cx
xchg cl,bh                      ; cl = caller's bh, bh = 0 (display page 0)
and cl,7fh                      ; cx = repeat count; bit 7 is the CR/LF flag, not part of the count
@wri1:
mov al,[cs:si]
cmp al,0
je @wri2                        ; NUL -> end of string
int 10h
inc si
inc dl                          ; next column (no wrap at the end of the row)
call gotoxy
jmp short @wri1
@wri2:
pop bx                          ; restore the caller's bx, including the flag in bh
cmp bh,80h
js @wri3                        ; bh < 80h (bit 7 clear): no CR/LF, leave via @wri3
popf
popa
; bh bit 7 set: fall through into wcrlf to print CR/LF
;   wcrlf - print carriage return + line feed (INT 10h teletype, AH=0Eh).
;   Also a stand-alone entry point. Preserves all general registers and flags.
wcrlf:
pusha
pushf
mov ax,0e0dh                    ; AH=0Eh teletype, AL=CR
xor bl,bl                       ; bl = 0 (foreground colour, only used in graphics modes)
int 10h
mov al,0ah                      ; LF
int 10h
@wri3:                          ; shared exit: write (no CR/LF path) and wcrlf
popf
popa
ret
;----------------------------- 读取光标位置-----------------------
;   wherexy - read the current cursor position on display page 0
;   Out:   dh = row, dl = column (INT 10h, AH=03h)
;   Preserves ax, bx, cx (the cursor-shape result in cx is discarded)
wherexy:
        push    cx
        push    bx
        push    ax
        mov     ah,3                    ; BIOS: read cursor position and shape
        mov     bh,0                    ; display page 0
        int     10h                     ; returns dh/dl = position, ch/cl = shape
        pop     ax
        pop     bx
        pop     cx
        ret
;----------------------------- 调整光标位置-----------------------
;   gotoxy - move the cursor on display page 0
;   In:    dh = row, dl = column
;   Preserves ax, bx
gotoxy:
        push    bx
        push    ax
        mov     bh,0                    ; display page 0
        mov     ah,2                    ; BIOS: set cursor position
        int     10h
        pop     ax
        pop     bx
        ret
;----------------------------- 延迟函数 -----------------------
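;   delay - busy-wait for AH BIOS timer ticks (~18.2 Hz, roughly 55 ms each)
;   In:    ah = number of ticks to wait, modulo 256 (ah = 0 returns almost at once)
;   Out:   nothing; ax, es and the caller's flags are restored
;   Notes: interrupts are enabled (sti) while waiting so the timer IRQ can
;          advance the BIOS tick counter at 0040:006Ch. The caller's flags are
;          saved BEFORE sti, so popf puts IF back the way the caller had it
;          (the previous order left interrupts enabled on return regardless).
;          Only the low byte of the tick count is compared.
BDA_TICKS_LO equ 046ch                  ; linear 0000:046Ch = BIOS data area tick count, low byte
delay:
        push    ax
        push    es
        pushf                           ; save caller's flags, including IF, before sti
        sti                             ; the timer IRQ must run for the tick count to change
        push    byte 0
        pop     es                      ; es = 0 -> address the BIOS data area
        mov     al,[es:BDA_TICKS_LO]
        add     ah,al                   ; ah = target tick value (wraps mod 256)
@dly1:
        mov     al,[es:BDA_TICKS_LO]
        cmp     ah,al
        jne     @dly1
        popf                            ; restores the caller's IF state
        pop     es
        pop     ax
        ret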
; --- tail of the IVT display loop. Its head (the @wmem1 label, the 'push dx'
; --- paired with the 'pop dx' below, and the setup of ah, cx, si and di) is
; --- above this excerpt. Per iteration: print "<seg>:<off> " for the vector at
; --- ds:di, step to the next vector and the next memstr label, and start a new
; --- row after every 5 entries.
mov dx,[ds:(di+2)] ; dx = vector segment (word at ds:di+2)
call whexw ; print dx as 4 hex digits (whexw not shown; assumed to preserve ax like whexb)
mov al,':'
INT 10h ; assumes ah still holds 0eh (teletype) from earlier in the routine -- confirm
mov dx,[ds:di] ; dx = vector offset (word at ds:di)
call whexw ; show info segment:offset
mov al,' '
INT 10h ; show space
add di,4 ; next IVT entry (4 bytes: offset, segment)
add si,8 ; next 'INT xxh',0 label in memstr (8 bytes per entry)
pop dx ; dx = entries already printed on this row (pushed near the loop head, not shown)
inc dx
cmp dx,4
jz @prINTenter
jmp @go
@prINTenter:
call wcrlf
xor dx,dx ; return to another line if print 5 'INT' strings
@go:
loop @wmem1 ; cx = entries left to print (set above this excerpt)
call wcrlf
popf
popa
ret
; memstr - 26 NUL-terminated labels 'INT 00h'..'INT 19h', one per displayed
; vector. Every entry is exactly 8 bytes (7 characters + NUL), which the display
; loop's 'add si,8' relies on; keep entries the same length if the table grows.
; Only vectors 00h-19h are covered, so a hook placed on a higher vector would not
; appear in the listing. (Bare label without a colon; NASM accepts it.)
memstr
db 'INT 00h',0
db 'INT 01h',0
db 'INT 02h',0
db 'INT 03h',0
db 'INT 04h',0
db 'INT 05h',0
db 'INT 06h',0
db 'INT 07h',0
db 'INT 08h',0
db 'INT 09h',0
db 'INT 0ah',0
db 'INT 0bh',0
db 'INT 0ch',0
db 'INT 0dh',0
db 'INT 0eh',0
db 'INT 0fh',0
db 'INT 10h',0
db 'INT 11h',0
db 'INT 12h',0
db 'INT 13h',0
db 'INT 14h',0
db 'INT 15h',0
db 'INT 16h',0
db 'INT 17h',0
db 'INT 18h',0
db 'INT 19h',0
;----------------------------------------------------------------
#-------------------------------------------------------------------
加载IceLord后的Bochs配置信息
#-------------------------------------------------------------------
# filename of ROM images
romimage: file=../BIOS-bochs-latest
optromimage1: file=leaving.bin, address=0xd0000
optromimage2: file=showivt.bin, address=0xd8000
vgaromimage: file=../VGABIOS-lgpl-latest
#-------------------------------------------------------------------
这里使用两个optromimage选项,加载两个ISA模块。leaving.bin为IceLord的ISA模块,showivt.bin为我们的检测模块。在3.3.2节,我们分析过leaving.bin。它控制CPU流程的核心技术就是Hook IVT。leaving.bin通过hook int 19h来取得系统的控制权。程序运行后,BIOS会首先加载leaving.bin运行,然后加载检测程序showivt.bin。这样,在我们的检测结果中就能体现出被leaving.bin修改过的IVT的情况。Bochs运行后的情况如下:
这时的int 13h和int 19h的中断向量值为:
-------------------------------------------------------------------
加载IceLord后的结果显示
-------------------------------------------------------------------
INT 19H = 97C0:00A2
-------------------------------------------------------------------
综合比较加载BIOS Rootkit核心文件leaving.bin前后的结果如下:
-------------------------------------------------------------------
结果比较
-------------------------------------------------------------------
加载leaving.bin之前 INT 19H = F000:E6F2
加载leaving.bin之后 INT 19H = 97C0:00A2
-------------------------------------------------------------------