📄 k-cmos.asm
comment $
K-CMOS VIRUS for Crypt Newsletter 20
In my quest to bring the latest hi-tech computer virus
toys to you, faithful reader, I have researched one of the
relatively untouched-by-viruses parts of an AT computer:
the CMOS.
The CMOS (Complementary Metal Oxide Semiconductor) is a
low power consumption semiconductor where information such as
the current equipment settings, hard drive type, time and
date is stored and maintained using a NiCad battery that is
recharged every time you turn on the computer. (That is why
it's a good idea to turn on the computer every once in a while
if you are not using it for long periods. This prevents
battery discharge and loss of CMOS settings.)
The CMOS in your computer is changed and set every time
you run the Setup program that comes with your BIOS (AMI,
Phoenix), and can be accessed and changed by any program
running from DOS.
The AT CMOS RAM is divided into three areas:
1 - The clock/calendar bytes
2 - The control registers
3 - General purpose RAM.
The following table describes the CMOS RAM location and what
each byte is used for:
OFFSET byte   DESCRIPTION

Real Clock Data
  00          Current second in BCD
  01          Alarm second in BCD
  02          Current minute in BCD
  03          Alarm minute in BCD
  04          Current Hour in BCD
  05          Alarm Hour in BCD
  06          Current day of week in BCD
  07          Current day in BCD
  08          Current month in BCD
  09          Current year in BCD

Status Registers
  0A          Status Register A
  0B          Status Register B
  0C          Status Register C
  0D          Status Register D

Configuration Data
  0E          Diagnostic Status
                Bit 7 - Clock Lost Power
                Bit 6 - Bad CMOS checksum
                Bit 5 - invalid config info at POST
                Bit 4 - memory Size compare error at POST
                Bit 3 - Fixed disk or adapter failed initialization
                Bit 2 - Invalid CMOS time
                Bits 1-0 - Reserved
  0F          Reason for Shutdown
                00 - Power on or reset
                01 - Memory Size pass
                02 - Memory test pass
                03 - memory test fail
                04 - POST end: boot system
                05 - jmp doubleword pointer with EOI
                06 - Protected tests pass
                07 - Protected tests fail
                08 - Memory size fail
                09 - INT 15h Block move
                0A - JMP double word pointer without EOI
  10          Diskette Drive Types
                Bits 7-4 - Diskette drive 0 type
                Bits 3-0 - Diskette drive 1 type
                  0000b - no drive
                  0001b - 360K drive
                  0010b - 1.2MB drive
                  0011b - 720K drive
                  0100b - 1.44 MB drive
                  0101b - 2.88 MB drive
  11          Reserved
  12          Fixed Disk Drive Types
                Bits 7-4 - Fixed Disk drive 0 type
                Bits 3-0 - Fixed Disk drive 1 type
                  0000b - no drive
                (Note: These drives do not necessarily
                correspond with the values stored at
                locations 19h and 1Ah)
  13          Reserved
  14          Equipment Installed
                Bits 7-6 - # of Diskette drives
                  00b - 1 diskette drive
                  01b - 2 diskette drives
                Bits 5-4 - Primary Display
                  00b - reserved
                  01b - 40 X 25 color
                  10b - 80 X 25 color
                  11b - 80 X 25 monochrome
                Bits 3-0 - Reserved
  15          Base Memory in 1K low byte
  16          Base Memory in 1K high byte
  17          Expansion Memory size low byte
  18          Expansion Memory size high byte
  19          Fixed Disk Drive Type 0
  1A          Fixed Disk Drive Type 1
  1B-2D       Reserved
  2E          Configuration Data checksum high byte
  2F          Configuration Data checksum low byte
  30          Actual Expansion Memory size low byte
  31          Actual Expansion Memory size high byte
  32          Century in BCD
  33          Information Flag
                Bit 7 - 128 Kbyte expanded
                Bit 6 - Setup Flag
                Bits 5-0 - Reserved
  34-3F       Reserved
As you can see, there are a total of 63 (3F hex) bytes of
CMOS RAM, with 33 bytes used as 'reserved' memory in the
three areas; these locations are not currently defined by
the AT BIOS and might be used to store data that will be
restored after power is shut down.
The 4 status registers (A through D) located, appropriately, at
locations 0Ah through 0Dh define the chip's operating
parameters and provide information about interrupts and the
state of the real time clock chip (RTC).
With very few restrictions all CMOS RAM locations may be
directly accessed by an application.
Program locations 11h, 13h, and 1Bh through 2Dh are used
in calculating the CMOS checksum that the BIOS stores at
locations 2Eh and 2Fh.
Note: If a program changes ANY bytes at locations 10h
through 2Dh it must also recalculate the checksum and store
the new value. Changing these bytes (10h -> 2Dh) without
correcting the checksum results in a 'CMOS checksum error'
forcing you to run the BIOS setup and reenter all of the CMOS
information.
The reserved memory locations 34h through 3Fh are not used in
checksum calculations and may be changed with extreme caution
since different BIOS versions, manufacturers and hardware
configurations use these reserved CMOS RAM locations for
extended system setup information including BIOS passwords
and DMA settings.
To access and change a computer's CMOS RAM is very simple:
Access is done through ports 70 hex (CMOS control/address)
and port 71 hex (CMOS data).
The process is thus:
1 - We specify the CMOS RAM address of the byte we want to
    read or write using port 70h
    EXAMPLE:
        mov al,XX       ; where XX = byte specifying the address (00h->3Fh)
        out 70h,al
2 - We read or write a byte to the address specified in step
    1.
    READ EXAMPLE:
        in al,71h       ; byte at location XX goes into AL
    WRITE EXAMPLE:
        out 71h,al      ; byte in AL goes to location XX in the CMOS RAM
There is one little problem: if we are writing to any of the
locations that are checksummed (10h through 2Dh), we must
change the checksum value as well; so we follow steps 1 and 2
with the checksum values at locations 2Eh and 2Fh, combine
the bytes into one register and subtract the current byte
value from the register containing the checksum. Then we add
the value of the new byte to be put in the CMOS RAM to the
register that has the checksum, and we write the checksum,
and the new byte to the CMOS.
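The checksum bookkeeping described above, as an added example that is not part of the original file: it works on a saved 64-byte CMOS image in memory rather than on ports 70h/71h, and shows that a byte changed without the checksum update fails verification while a tracked change passes. It assumes the checksum is the 16-bit sum of bytes 10h through 2Dh; the function names and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMOS_SIZE 0x40   /* offsets 00h..3Fh */
#define SUM_FIRST 0x10   /* first checksummed byte (assumed range 10h..2Dh) */
#define SUM_LAST  0x2D   /* last checksummed byte */
#define SUM_HI    0x2E   /* checksum high byte */
#define SUM_LO    0x2F   /* checksum low byte */

/* 16-bit sum of the checksummed configuration bytes. */
uint16_t cmos_sum(const uint8_t *img) {
    uint16_t sum = 0;
    for (int i = SUM_FIRST; i <= SUM_LAST; i++) sum = (uint16_t)(sum + img[i]);
    return sum;
}
/* Checksum as stored in the image (2Eh = high byte, 2Fh = low byte). */
uint16_t cmos_stored(const uint8_t *img) { return (uint16_t)((img[SUM_HI] << 8) | img[SUM_LO]); }
/* 1 if data and stored checksum agree, 0 if the BIOS would report an error. */
int cmos_verify(const uint8_t *img) { return cmos_sum(img) == cmos_stored(img); }

/* Change one byte of the image. For a checksummed offset, subtract the old
   byte from the stored checksum and add the new one. Returns 0, or -1 for an
   out-of-range offset or the checksum bytes themselves. */
int cmos_set(uint8_t *img, unsigned off, uint8_t val) {
    if (off >= CMOS_SIZE || off == SUM_HI || off == SUM_LO) return -1;
    if (off >= SUM_FIRST && off <= SUM_LAST) {
        uint16_t sum = (uint16_t)(cmos_stored(img) - img[off] + val);
        img[SUM_HI] = (uint8_t)(sum >> 8);
        img[SUM_LO] = (uint8_t)(sum & 0xFF);
    }
    img[off] = val;
    return 0;
}
/* Constructed sample image, not a dump from a real machine. */
void cmos_sample(uint8_t *img) {
    memset(img, 0, CMOS_SIZE);
    img[0x10] = 0x40;                    /* diskette drive 0: 1.44 MB */
    img[0x14] = 0x20;                    /* 1 diskette drive, 80 X 25 color */
    img[0x15] = 0x80; img[0x16] = 0x02;  /* base memory 0280h = 640K */
    img[SUM_HI] = 0x00; img[SUM_LO] = 0xE2;
}
int main(void) {
    uint8_t img[CMOS_SIZE];
    cmos_sample(img);
    img[0x12] = 0xF0;                    /* changed with no checksum update */
    printf("untracked change verifies: %d\n", cmos_verify(img));
    cmos_sample(img);
    cmos_set(img, 0x12, 0xF0);           /* same change, checksum kept in step */
    printf("tracked change verifies: %d (%04Xh)\n", cmos_verify(img), (unsigned)cmos_stored(img));
    return 0;
}
```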
While all of this might seem too complicated, I have
written a mini-CMOS toolkit, a routine that takes the address
and the new value of the byte to be put in the CMOS, and does
the dirty work of putting the values and of changing the
checksum for you.
Read the code carefully. It will make everything become
clearer.
;==============================================================================