Principle analysis of hard drive protection card
Doskey Lee
The following is just a personal analysis result (imagination), if there is a situation that does not meet the fact, please don't ~ Baish ~ I ~! Since I have no hard drive protection card, I have used it several times in the Internet cafe, so ... :)
In a very simple sentence, the operating mechanism of hard drive protection is similar to guided viruses. It modifies the boot area, automatically loads your driver when boot, which may be placed in some hidden sectors or in the file (Driver under DOS, similar to the CD-ROM driver) . If it is placed in a hidden sector, you can effectively improve your secretory and security, and put it in the file to reduce complexity. You may doubt, is it safe to put it in a document? Will it be deleted by others? And slow, please listen to me slowly.
The load is very similar to the DOS virus. It takes over the INT13 interrupt and int18, saves the FAT, the boot area, the CMOS information, the interrupt vector table, and the like to the temporary storage unit in the card. In addition, additional FAT information is further stored in a temporary storage unit to cope with our modification of our data within the hard disk. The protection card may be part of the continuous empty disk space in the hard disk and then save the data we modified to it.
Whenever we write data to a hard drive, it is actually written to the hard disk, but does not really modify the FAT in the hard disk. Since the protective card takes over INT13, when the card is written, the original data destination address redirects the previous continuous empty disk space, and the modified relevant data in the second favorite data of the previous back is directed to this space. When we read data, the write operation is reversed, when a program accesses a file, the protection card looks for related files in the FAT of the second back, if it is modified after starting, the space is reorganized Read, otherwise look up and read the related files in the FAT of the first back. Deleting and write data is the same, that is, delete the FAT record of the file in the FAT of the second part.
When the hard disk protection card receives INT18, or receives the restart of the reset (Reset), the original FAT, boot area, CMOS, interrupt vector and other information are first restored from the cardinal temporary storage unit to the system. When you find that the last modified data is lost from the new start. The previous part is used to save the space for modifying the data, because there is no FAT of the hard disk, so it is empty disk space.
In addition, the user is impossible to format the true hard disk or because of the touched INT13. The function of INT13 is formatted in 05H and 06H. If the user is fast formatting (Format Drive / Q), the protection card must only empty the FAT of the associated drive into the method after formatting (of course, the second FAT saved in the card). If it is ordinary formatting (each sector is emptied), the protection card will also work to convert it to fast format, or only change the FAT.
For other disk access mechanisms, because I don't know (low? Low!), This is no longer elaborated, if you have any views on my Huè, you also have a study on the hard drive card, please email
Doskey_lee@hotmail.com. I will try to answer your questions. In addition, there is a feeling after reading this article, it seems that this hard disk protection card can be implemented with software methods? I think so, I am looking for relevant information, develop a hard disk protection software, everyone make money together ~!
This article is welcome to reprint, but do not delete any part of these and this information.
