(1) The DOS boot process
(2) Basic assembly language and the use of DEBUG
Disclaimer:
(1) I take no responsibility for any loss caused by improper operation!
(2) Don't use the machines in a public computer lab as your test subjects, heh!
(3) If you repost this, please do not make any changes!
Hard disk deadlock:
Everyone has heard of Wang Jiangmin's logic bomb; as a computer fan, I once captured and analyzed its source code. In the end, its core is simply a hard disk deadlock!
So what is a deadlock? It shows up like this: booting from the hard disk into either DOS or Windows hangs the machine, and booting DOS from a floppy hangs too; if the hard disk type is set to NONE in CMOS, you can boot from the floppy, but after booting there is no hard disk, and trying to repartition or format with FDISK from the floppy gets you nowhere.
Below I give a detailed analysis of how hard disk deadlock works:
===========================================================================
Hard disk deadlock usually works by tampering with the hard disk's partition table, so you first need to understand the partition table. The partition table is located at cylinder 0, head 0, sector 1. The first 200-odd bytes of this sector are the master boot program, and the 64 bytes starting at offset 01BEH are the partition table.
The partition table is 64 bytes in total, divided into 4 entries of 16 bytes each, each describing one partition.
The structure of one partition table entry and the meaning of each byte are as follows:
00H: active flag byte, 80H for the active DOS partition, 00H otherwise;
01H: starting head number of this partition;
02H: starting sector number of this partition;
03H: starting cylinder number of this partition;
04H: partition type flag;
05H: ending head number of this partition;
06H: ending sector number of this partition;
07H: ending cylinder number of this partition;
08H~0BH: total number of sectors on the hard disk before this partition, as a double word;
0CH~0FH: total number of sectors in this partition, counted from logical sector 0, not including hidden sectors, as a double word.
(Supplementary note: the sector number actually uses 6 bits and the cylinder number 10 bits; the top two bits of the byte holding the sector number are really the top two bits of the cylinder number.)
===========================================================================
About the partition table chain:
The partition table lies in cylinder 0, head 0, sector 1. The first partition table, starting at offset 1BEH, is the head of the chain. A link entry inside it gives the physical location of the next partition table (cylinder XX, head 0, sector 1); at the same offset 1BEH in that sector is the second partition table, and so on, until the physical location of the last partition table (cylinder YY, head 0, sector 1) is reached. Because that table contains no link entry, it serves as the tail of the chain.
Figure (1):
Figure (2):
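To make the entry layout and the chain walk above concrete, here is an added Python example (not part of the original article) that parses the four 16-byte entries at 01BEH, unpacks the packed 6-bit sector / 10-bit cylinder fields, and follows the link entries while remembering which tables it has already visited, so that a circular chain is reported instead of being walked forever. The sample sectors are constructed in the code; the addressing rule (MBR link absolute, later links relative to the first extended partition) and the type values 05H/0FH used to mark a link are assumptions not stated on the page.

```python
import struct
PART_TABLE_OFFSET = 0x1BE      # the 64-byte table starts at 01BEH in the sector
EXTENDED_TYPES = {0x05, 0x0F}  # type bytes that mark a link to the next table (assumed)

def decode_chs(head, sect_byte, cyl_byte):
    # 6-bit sector number; 10-bit cylinder whose top two bits sit in the sector byte
    return (((sect_byte & 0xC0) << 2) | cyl_byte, head, sect_byte & 0x3F)

def parse_table(sector):
    """Return the non-empty entries among the four 16-byte slots of a 512-byte sector."""
    entries = []
    for i in range(4):
        f = struct.unpack_from("<BBBBBBBBII", sector, PART_TABLE_OFFSET + 16 * i)
        if f[4] == 0:              # type byte 00H: unused slot
            continue
        entries.append({"active": f[0] == 0x80, "type": f[4], "start_lba": f[8],
                        "sectors": f[9], "start_chs": decode_chs(f[1], f[2], f[3]),
                        "end_chs": decode_chs(f[5], f[6], f[7])})
    return entries

def walk_chain(read_sector):
    """Follow the chain from LBA 0; returns (visited LBAs, looped). Assumed rule: the
    MBR link is absolute, later links are relative to the first extended partition."""
    visited, lba, ext_base = [], 0, None
    while lba not in visited:
        visited.append(lba)
        link = next((e for e in parse_table(read_sector(lba))
                     if e["type"] in EXTENDED_TYPES), None)
        if link is None:
            return visited, False  # chain tail: this table has no link entry
        if ext_base is None:
            ext_base = lba = link["start_lba"]
        else:
            lba = ext_base + link["start_lba"]
    return visited, True           # a table was reached twice: circular chain

def make_table(entries):
    """Constructed 512-byte test sector from (type, start_lba, sectors) tuples."""
    sec = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<BBBBBBBBII", sec, PART_TABLE_OFFSET + 16 * i,
                         0x80 if i == 0 else 0, 1, 1, 0, ptype, 15, 0x3F, 0xFF, start, count)
    return bytes(sec)

# Constructed sample disk: MBR -> table at LBA 1000 -> table at LBA 3000 (tail)
HEALTHY = {0: make_table([(0x06, 63, 900), (0x05, 1000, 4000)]),
           1000: make_table([(0x06, 63, 1900), (0x05, 2000, 2000)]),
           3000: make_table([(0x06, 63, 1900)])}
# Same disk, but the tail now links back to the first extended table (relative 0)
CIRCULAR = {**HEALTHY, 3000: make_table([(0x06, 63, 1900), (0x05, 0, 2000)])}
```

Pass `walk_chain` any callable that returns the 512-byte sector for a given LBA; on a real image that would be a seek-and-read, here it is a dictionary lookup.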
===========================================================================
DOS boot process:
When booting from the hard disk, the computer's very first contact with the disk is to read the contents of cylinder 0, head 0, sector 1 of the hard disk into memory at 0000:7C00 and jump to 0000:7C00 to execute it. When booting from a floppy, the computer's first contact with the disk is to read track 0, head 0, sector 1 of drive A into memory at 0000:7C00 and jump to 0000:7C00 to execute it.
The modules of IO.SYS are then read in and execution continues! (This is the key point; it is analyzed in detail below.)
===========================================================================
The crux of the hard disk lock-up:
The root cause lies in the DOS file IO.SYS, which contains four modules: LOADER, IO1, IO2 and IO3. IO1 contains a critical routine, SysInt_I, which is very stubborn during startup: it insists on reading the partition table and will not give up until it has read all of it. If it runs into a circular partition table, it hangs! That is the key to Wang Jiangmin's logic bomb.
So what is a circular partition table? From the earlier description of the partition table chain, the reader should be able to work it out. (Since it is a chain, if the tail pointer points back to the head, doesn't that make a circular chain?)
===========================================================================
How to undo the deadlock:
Once the crux of hard disk deadlock is understood, the solution is naturally much simpler. The specific measures are as follows: before DOS starts, intercept INT 13H first, stay resident in high memory and monitor INT 13H; check whether the call is a hard disk read and, if it is, return directly. This disables hard disk reads and so avoids the hang caused by DOS reading a circular partition table. At the same time, intercept floppy reads: if the call reads track 0, head 0, sector 1 of the floppy, change it to read the sector that holds the real boot program and disk parameter table, so that DOS does not hang during startup because it cannot find the floppy's disk parameter table. Alongside these tasks, the floppy's real boot program must also be read in and given control.
===========================================================================
Program and explanation:
Below is the source of KEY.COM, the program written to track 0, head 0, sector 1 of the floppy:
C:\>DEBUG
-A100
100 CLI
101 XOR AX,AX
103 MOV DS,AX
105 MOV ES,AX
107 MOV SS,AX
109 MOV AX,7C00
10C MOV SP,AX
10E STI
10F MOV SI,AX
111 MOV DI,7E00
114 CLD
115 MOV CX,0200
118 REPNZ
119 MOVSB ;initialize some settings and prepare to read in the "real" boot program (this sector is copied from 7C00 to 7E00)
11A JMP 0000:7E1F
11F MOV CX,0003
122 PUSH CX
123 MOV AX,0201 ;read the boot sector of the boot floppy (repeated 3 times to make sure it succeeds)
126 MOV BX,7C00
129 MOV CX,4F01
12C MOV DX,0100
12F INT 13
131 POP CX
132 DEC CX
133 JNZ 0122
135 MOV AX,[004C] ;capture the INT 13H vector first (and save it)
138 MOV [7E88],AX ;7E88/7E8A are the operand bytes of the far JMP at 187 in the copy at 7E00
13B MOV AX,[004E]
13E MOV [7E8A],AX
141 MOV AX,[0413]
144 DEC AX
145 MOV [0413],AX
148 MOV CL,06 ;reduce the memory size by 1K (for why it is subtracted, consult the DOS kernel references)
14A SHL AX,CL
14C MOV ES,AX ;compute the high memory segment address (in preparation for installing the new INT 13H)
14E XOR AX,AX
150 MOV DS,AX
152 MOV SI,7E6D ;copy the rewritten INT 13H to high memory
155 MOV DI,0000
158 MOV CX,0030
15B REPNZ
15C MOVSB
15D MOV AX,0000 ;write the location of the new INT 13H into the interrupt vector table
160 MOV [004C],AX
163 MOV AX,ES
165 MOV [004E],AX
168 JMP 0000:7C00 ;return to execute the normal boot program
16D PUSHF ;new INT 13H routine
16E CMP DX,0080 ;is it the hard disk?
172 JNZ 0176 ;not the hard disk, so continue
174 POPF
175 IRET ;it is the hard disk, so return directly (i.e. do nothing)
176 CMP DX,+00 ;is it a read of the floppy BOOT sector?
179 JNZ 0186
17B CMP CX,+01
17E JNZ 0186
180 MOV CX,4F01 ;if so, read track 79, head 1, sector 1 instead (the "real" boot program)
183 MOV DX,0100
186 POPF
187 JMP 0000:0000 ;jump to the old INT 13H; its address is filled in by the code above (enter a placeholder here yourself)
N key.com
RCX
200
W
Q
===========================================================================
Loading the program:
First format a floppy, then use DEBUG to enter and run the following loader.
C:\>DEBUG KEY.COM
-A400 ;key.com has now been loaded into memory at 100
400 MOV CX,0003 ;read drive A's boot program into memory at 1000H
403 PUSH CX ;repeated 3 times to make sure it succeeds
404 MOV AX,0201
407 MOV BX,1000
40A MOV CX,0001
40D MOV DX,0000
410 INT 13
412 POP CX
413 DEC CX
414 JNZ 0403
416 MOV AX,0301 ;write the boot program to the first sector of the floppy's last track
419 MOV BX,1000
41C MOV CX,4F01
41F MOV DX,0100
422 INT 13
424 MOV AX,0301 ;write the KEY.COM program to track 0, head 0, sector 1 of the floppy
427 MOV BX,0100
42A MOV CX,0001
42D MOV DX,0000
430 INT 13
432 INT 3 ;return to DEBUG
G=400 ;run the loader (missing from the original listing; without it nothing is written to the floppy)
Q
===========================================================================
Notes:
(1) Even when booting the machine from this floppy, the hard disk is still not recognized, because the new INT 13H handler is resident in high memory; so once the machine has booted, this handler must be modified first. Machines today all have 640 KB of base memory, so the handler sits at 9FC0:0000. In DEBUG, use U9FC0:0000 to display it; you can see that at 9FC0:001A there is a jump instruction, which transfers to the original INT 13H. Because BIOS versions differ, the target of the jump may differ; on the author's machine it is JMP F000:A5D4. Then enter the following in DEBUG:
A9FC0:0 JMP F000:A5D4
After this the blocking of hard disk writes and reads no longer takes effect. Finally, read the hard disk partition table with INT 13H subfunction 2, repair it, and write the data back to the partition table with subfunction 3. ==== All done!
(2) Under normal DOS, this floppy has no BOOT sector and no disk parameter table, so it cannot be used and returns the message: General failure reading drive A.
(3) Wang Jiangmin's logic bomb damages hard disks; use it with caution.
References:
(1) Xiao Huayong (418#, Northwestern Polytechnical University), "An Effective Method for Unlocking Hard Disk Logical Deadlock"
(2) DOS Kernel Analysis and Memory Management Technology, China Land Press
(3) Principles of Operating Systems: DOS, Tsinghua University Press
(Little Radish Studio)