CN100428260C - Minimum invading data hidding method of computer network - Google Patents

Publication number
CN100428260C
Authority
CN
China
Prior art keywords
file
hidden
cluster
directory entry
directory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2006101163020A
Other languages
Chinese (zh)
Other versions
CN1940950A (en)
Inventor
邹恒明
陆毅明
黄兴华
史茜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University

Abstract

A minimally invasive data hiding method for computer networks. To hide a file, the file directory table (FDT) of the FAT32 file system is modified so that the file is invisible to the user and the operating system, and the control information required to restore the file is hidden in the directory table itself; the first-cluster address of the file in the file allocation table (FAT) is modified to cut the file's cluster chain in the FAT, guarding against attacks by viruses and malicious programs. To restore the file, the control information is located in the file directory table and the FDT and FAT are restored, which completes the file restoration.

Description

Minimally invasive data hiding method for computer networks
Technical field
The present invention relates to a method used in the field of network information technology, specifically a minimally invasive data hiding method for computer networks.
Background art
Data hiding technology hides some of a user's important data, thereby preventing, to a certain extent, damage by viruses and malicious programs and protecting the user's data.
A search of the prior-art literature found the following. The technique of Chinese application (patent) No. CN02115105.9 merges the file to be hidden into another file; for example, it uses the redundancy of an image file to embed the content of the file to be hidden in it, or appends the content after it. Although the result is hard to see, once the host file is changed or damaged the data of the hidden file may be unrecoverable, and an unauthorized user who obtains the host file can crack the information relatively easily, so the data security is not high. The technique of Chinese application (patent) No. CN03118544.4 changes the directory-entry attribute of the file to be hidden in the FAT32 file system: it finds the directory entry of the file to be hidden in the file directory table and changes its attribute to volume label. The operating system then does not display the file, because it reads only the first volume-label entry of each volume and ignores the volume-label entries after it. This method may cause some confusion in the operating system, and a malicious program can still obtain the first-cluster information of the hidden file by scanning the file directory table entry by entry, and thus obtain the content of the hidden file. The technique of Chinese application (patent) No. CN02155511.7 places the data to be hidden in hidden hard-disk sectors: under the Windows operating system it creates an HPA on the hard disk and saves the data to be hidden in the HPA, using the properties of the HPA to protect it. The size of the HPA created by this method cannot be changed, which limits the size of the hidden file, and the method has to maintain an extra file system outside the operating system, which is cumbersome.
Summary of the invention
In view of the deficiencies and defects of the prior art, the present invention provides a minimally invasive data hiding method for computer networks that hides files in the FAT32 file system while keeping both the damage to the original file and the stored control information very small, making the files inaccessible and invisible. The size of the hidden file is unrestricted, hiding is fast, and a very high level of security is achieved.
The present invention is achieved by the following technical solution. It comprises two parts: a method for hiding a file and a method for recovering a hidden file. To hide a file, the file directory table of the FAT32 file system is modified so that the file is invisible to the user and the operating system, and the control information required to recover the file is hidden in the directory table. Both the damage to the original file and the stored control information are very small, hence the name "minimally invasive data hiding technique". The first-cluster address of the file in the file allocation table is modified to cut the file's cluster chain in the file allocation table, which prevents attacks by most viruses and malicious programs. To recover a hidden file, only the full file name of the original file is needed: the control information is found in the file directory table, the file directory table and the file allocation table are restored, and the file recovery is complete.
The file hiding method is carried out in the following steps:
1) modify the name of the file to be hidden by appending the system's default 13 characters, such as "hidefileinfat", to its end; this adds one long-file-name directory entry to the file directory table;
2) from the full file name of the file to be hidden, separate out its path, the name of each directory level, and the file name;
3) read the BPB information of the volume on which the file resides and find the logical cluster position of the root directory;
4) in the file directory table of the file system, search the directory entries of each directory level in turn;
5) in the last directory level, find the directory entry of the file to be hidden;
6) read the first cluster number, attribute and length of the file to be hidden from its directory entry;
7) find the corresponding position in the file allocation table according to the first cluster number;
8) read from the file allocation table the content of the first cluster of the file to be hidden;
9) from the length of the file name, compute the number of characters placed in the long-file-name directory entry added in step 1);
10) in the long-file-name directory entry added in step 1), save the first cluster number read in step 6), the content of the first cluster in the file allocation table, the attribute, the length, and the number of characters placed in the long-file-name directory entry;
11) modify the file's directory entry: set the attribute to 0x0FH (long-file-name directory entry), the first cluster number to 0x00000000H, and the length to 0x00000000H;
12) find the position of the first cluster of the file to be hidden in the file allocation table;
13) change the content of the first cluster to 0xFFFFFFF7H (bad cluster);
14) record the full file name of the hidden file.
The hidden file recovery method is carried out in the following steps:
1) from the full file name of the hidden file, separate out its path, the name of each directory level, and the file name;
2) read the BPB information of the volume on which the file resides and find the logical cluster position of the root directory;
3) search the directory entries of each directory level in turn;
4) in the last directory level, find the directory entry of the hidden file;
5) from the long-file-name directory entry added during hiding, read the hidden file's first cluster number, the content of the first cluster in the file allocation table, the attribute and the length;
6) restore the attribute, first cluster number and length in the hidden file's directory entry;
7) find the position of the first cluster of the hidden file in the file allocation table;
8) restore the content of the first cluster to its value before hiding;
9) modify the hidden file's name by removing the 13 characters appended to the file name during hiding, so that the artificially added long-file-name directory entry is removed from the file directory table.
In the file directory table of the FAT32 file system, every file has a 32-byte directory entry that describes its name and its various attributes. Long file names are implemented in FAT32 as follows: when a file with a long file name is created, the system automatically adds a corresponding short file name, formed from the first 6 characters of the long file name plus "~1", with the extension unchanged. The attribute byte is at offset 0xB of the directory entry; when its value is 0FH, DOS and WIN32 regard the entry as invalid and ignore it. The present invention changes the attribute of the file's directory entry to 0x0FH, so the file is not displayed by the operating system.
The file allocation table records the storage chain of each file's data on disk and is essential for reading the data. The present invention changes the first cluster of the file to be hidden, cutting the file's cluster chain, so that scanning the file allocation table cannot yield the data of the hidden file.
When hiding a file, the present invention: appends the system's default 13 characters to the end of the name of the file to be hidden; splits the full file name of the file to be hidden into the name of each directory level and the file name; searches the directory entries of each directory level in turn; finally finds the directory entry of the file to be hidden; reads the first cluster number, attribute and length of the file to be hidden from the directory entry; reads the content of the first cluster of the file to be hidden; hides the control information in the file directory table; and modifies the value of the first cluster of the file to be hidden in the file allocation table.
When recovering a hidden file, the present invention: separates out the path, the name of each directory level and the file name from the full file name of the hidden file; searches the directory entries of each directory level in turn; finally finds the directory entry of the hidden file; reads the control information from it; restores the file's directory entry; restores the value of the file's first cluster in the file allocation table; and removes the last 13 characters of the hidden file's name.
The beneficial effects of the present invention are that important user files of any format can be hidden, the hiding speed is not affected by file size, the hidden file is invisible and inaccessible to the operating system, the user and malicious programs, and the hiding is persistent, which safeguards the user's data. The characteristics of the present invention with respect to data hiding are:
1) In most existing data hiding techniques the hiding process depends on the size of the file to be hidden, and hiding large files is very inefficient. In the present invention, hiding a file modifies only the file directory table and the file's first cluster in the file allocation table, which is independent of file size, makes no change to the operating system, and is fast;
2) The amount of information the present invention needs to recover a file is very small and is partly hidden in the file directory table; only the full file name of the hidden file needs to be kept in order to recover it, so maintenance is easy;
3) Besides modifying the directory entry of the file to be hidden, the content of the file's first cluster in the file allocation table is also modified, cutting the file's cluster chain at the first cluster; even if a malicious program scans the file directory table it cannot find the hidden file, which further secures the content of the file;
4) The hiding operation is persistent: even if the process using the present invention is closed, and even if the operating system is changed, the hiding does not fail.
Description of drawings
Fig. 1: flowchart of the file hiding process
Fig. 2: flowchart of the hidden file recovery process
Embodiment
An application example of the present invention is given below.
Hiding the file "d:\dir1\dir2\example.txt". The steps are as follows:
1) append the 13 characters "HIDEFILEINFAT" to the end of the file name example, so that the original full file name becomes "d:\dir1\dir2\exampleHIDEFILEINFAT.doc"; this adds one long-file-name directory entry to the file's original directory entries;
2) split the full file name into "d:\", "dir1", "dir2" and "exampleHIDEFILEINFAT.doc";
3) read the BPB information of the volume on which the file resides and find the logical cluster position of the root directory;
4) search the directory entries of each directory level in turn;
5) in the last directory level, find that the directory entry of the file to be hidden is at logical sector number 55307312, offset 160;
6) read the sector containing the directory entry: read the file attribute 0x20 at offset 160+11, the high four digits 0x0006 of the file's first cluster number at 160+20 and 160+21, the low four digits 0xBA60 of the file's first cluster number at 160+26 and 160+27, and the file length 0x0000FB7D at 160+28, 160+29, 160+30 and 160+31;
7) find the corresponding position in the file allocation table according to the first cluster number 0x0006BA60;
8) read the content of the first cluster, which is 0x0006BA61;
9) from the 20-character length of the file name "exampleHIDEFILEINFAT", obtain the length of the part of the file name placed in the long-file-name directory entry added in step 1), which is 0x07;
10) from the file name length, compute the offset of the long-file-name directory entry added in step 1), which is 160-64=96;
11) write the control information into this long-file-name directory entry: write the file length 0x0000FB7D at offsets 96+2, 96+3, 96+4 and 96+5, the first cluster number 0x0006BA60 at 96+6, 96+7, 96+8 and 96+9, the length 0x07 of the part of the file name placed in the long-file-name directory entry at 96+10, the file attribute 0x20 at 96+11, and the content 0x0006BA61 of the first cluster at 96+15, 96+16, 96+17 and 96+18;
12) modify the file's directory entry: write 0x0F (long-file-name directory entry) at offset 160+11, set the first cluster number at its position to 0x00000000, and set the length to 0x00000000;
13) find the corresponding position in the file allocation table according to the first cluster number 0x0006BA60;
14) change its content to 0xFFFFFFF7 (bad cluster);
15) record the full file name of the hidden file.
At this point the hiding of the file "d:\dir1\dir2\exampleHIDEFILEINFAT.doc" is complete. It is invisible to both the user and the system, and other programs that search the file directory table and the FAT cannot obtain the file's first-cluster information and therefore cannot obtain the file's content.
Recovering the hidden file "d:\dir1\dir2\example.txt". The steps are as follows:
1) split the full file name of the hidden file into "d:\", "dir1", "dir2" and "exampleHIDEFILEINFAT.doc";
2) read the BPB information of the volume on which the file resides and find the logical cluster position of the root directory;
3) search the directory entries of each directory level in turn;
4) in the last directory level, find that the directory entry of the hidden file is at logical sector number 55307312, offset 160;
5) read the sector containing the directory entry and, from the file name length, compute the offset of the last long-file-name directory entry, which is 160-64=96;
6) read the control information from this long-file-name directory entry: read the file length 0x0000FB7D at offsets 96+2, 96+3, 96+4 and 96+5, the first cluster number 0x0006BA60 at 96+6, 96+7, 96+8 and 96+9, the length 0x07 of the part of the file name placed in the long-file-name directory entry at 96+10, the file attribute 0x20 at 96+11, and the content 0x0006BA61 of the first cluster at 96+15, 96+16, 96+17 and 96+18;
7) restore the file attributes: write the file attribute 0x20 at offset 160+11, the high four digits 0x0006 of the file's first cluster number at 160+20 and 160+21, the low four digits 0xBA60 of the file's first cluster number at 160+26 and 160+27, and the file length 0x0000FB7D at 160+28, 160+29, 160+30 and 160+31;
8) find the corresponding position in the file allocation table according to the first cluster number 0x0006BA60;
9) write the content 0x0006BA61 into the first cluster;
10) according to the length 0x07 of the part of the file name placed in the long-file-name directory entry, write "LEINFAT" back;
11) delete the 13 characters "HIDEFILEINFAT" appended to the end of the file name example, so that the full file name is restored to "d:\dir1\dir2\example.doc" and the long-file-name directory entry added to the original directory during hiding is deleted.
At this point the hidden file "d:\dir1\dir2\example.doc" has been restored to its state before hiding.
The present invention can conveniently hide files in the FAT32 file system, making them invisible to the user and the operating system, and can prevent attacks by most viruses and malicious programs. The speed of hiding and unhiding is independent of the size of the hidden file, which guarantees very high hiding efficiency.
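
From an examiner's side, the on-disk state that the embodiment leaves behind can be recognised and decoded. The following Python code is an added example, not part of the patent: it builds a constructed directory sector matching the embodiment's offsets (96, 128, 160), flags a short entry disguised with attribute 0x0F, and reads back the control record. Little-endian field order, the short name EXAMPL~1DOC, the sample FAT values and all function names are assumptions.

```python
import struct

ENTRY = 32
ATTR_LFN = 0x0F
BAD_CLUSTER = 0x0FFFFFF7  # FAT32 uses the low 28 bits; the page writes 0xFFFFFFF7

def lfn_checksum(short_name: bytes) -> int:
    """Standard FAT checksum of the 11-byte 8.3 name (byte 13 of each LFN entry)."""
    s = 0
    for c in short_name:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s

def lfn_entry(seq: int, chars: str, csum: int) -> bytearray:
    """One LFN entry: 13 UTF-16LE units, 0x0000 terminator, 0xFFFF padding."""
    units = [ord(c) for c in chars]
    if len(units) < 13:
        units += [0x0000] + [0xFFFF] * (12 - len(units))
    raw = struct.pack("<13H", *units)
    e = bytearray(ENTRY)
    e[0], e[11], e[13] = seq, ATTR_LFN, csum
    e[1:11], e[14:26], e[28:32] = raw[0:10], raw[10:22], raw[22:26]
    return e

def build_sample_sector() -> bytearray:
    """Constructed sector in the hidden state described in the embodiment."""
    short = b"EXAMPL~1DOC"                      # assumed 8.3 alias
    csum = lfn_checksum(short)
    sec = bytearray(512)
    ctrl = lfn_entry(0x42, "LEINFAT", csum)     # last LFN entry, offset 96
    struct.pack_into("<II", ctrl, 2, 0x0000FB7D, 0x0006BA60)  # size, first cluster
    ctrl[10], ctrl[11] = 0x07, 0x20             # name-part length, original attribute
    struct.pack_into("<I", ctrl, 15, 0x0006BA61)  # saved FAT value of first cluster
    sec[96:128] = ctrl
    sec[128:160] = lfn_entry(0x01, "exampleHIDEFI", csum)
    sec[160:171] = short
    sec[171] = ATTR_LFN                         # short entry now claims to be LFN
    return sec                                  # cluster and size fields stay zero

def find_hidden(sector: bytes) -> list:
    """Return decoded control records for short entries disguised as LFN entries."""
    hits = []
    for off in range(ENTRY, len(sector), ENTRY):
        e, prev = sector[off:off + ENTRY], sector[off - ENTRY:off]
        if e[11] != ATTR_LFN or e[20:22] != bytes(2) or e[26:32] != bytes(6):
            continue
        # A slot directly after LFN sequence 1 must be the 8.3 entry; the
        # checksum stored in the LFN entry ties it to this slot's name bytes.
        if prev[0] & 0x3F != 1 or prev[13] != lfn_checksum(e[0:11]):
            continue
        k = off - ENTRY
        while k >= 0 and not sector[k] & 0x40:  # walk back to the last LFN entry
            k -= ENTRY
        if k < 0:
            continue
        c = sector[k:k + ENTRY]
        size, first = struct.unpack_from("<II", c, 2)
        (saved_next,) = struct.unpack_from("<I", c, 15)
        hits.append({"entry_offset": off, "control_offset": k, "size": size,
                     "first_cluster": first, "name_part_len": c[10],
                     "attribute": c[11], "saved_fat_value": saved_next})
    return hits

def fat_confirms(rec: dict, fat: dict) -> bool:
    """True when the FAT slot of the saved first cluster carries the bad-cluster mark."""
    return fat.get(rec["first_cluster"], 0) & 0x0FFFFFFF == BAD_CLUSTER

if __name__ == "__main__":
    sample_fat = {0x0006BA60: 0xFFFFFFF7, 0x0006BA61: 0x0006BA62}  # constructed
    for rec in find_hidden(build_sample_sector()):
        print(rec, "FAT marked bad:", fat_confirms(rec, sample_fat))
```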

Claims (2)

1, the method for the minimum intrusive mood data hidden of a kind of computer network, it is characterized in that: by the revised file bibliographic structure, and file attribute information is stored in the amended bibliographic structure, reach with little space and run out of into the purpose that file security is hidden.Performing step is as follows:
1) revise the filename for the treatment of hidden file, in the end add 13 characters of native system acquiescence, this will add a long filenames directory entry in File Directory Table;
2), isolate the title and the file name of its path, place each layer catalogue according to the full filename for the treatment of hidden file;
3) read the BPB information that roll up at the file place, find logic cluster position of root directory;
4) in the File Directory Table of file system, successively search for the directory entry of each layer catalogue;
5) in the end in one deck catalogue, find the directory entry for the treatment of hidden file;
6) read first bunch number that treats hidden file in the file directory item, attribute, length;
7) in file allocation table, find the relevant position according to first bunch number;
8) from file allocation table, read the content for the treatment of in first bunch of the hidden file;
9) the 1st) go on foot in the long filenames directory entry that adds and preserve the 6th) go on foot the first bunch of content that from file allocation table, reads, attribute, length first bunch number that is read;
10) revised file directory entry, attribute are composed and to be 0x0FH, are designated as 0x00000000H first bunch number, and length is 0x00000000H;
11) in file allocation table, find the position for the treatment of first bunch of hidden file;
12) change first bunch content into 0xFFFFFFF7H.
2, the method for the minimum intrusive mood data hidden of computer network according to claim 1, it is as follows that it recovers hidden file method performing step:
1), isolates the title and the file name of its path, place each layer catalogue according to the full filename of hidden file;
2) read the BPB information that roll up at the file place, find logic cluster position of root directory;
3) in the File Directory Table of file system, successively search for the directory entry of each layer catalogue;
4) in the end in one deck catalogue, find the directory entry of hidden file;
5) the long filenames directory entry that adds when hiding, read first bunch number, first bunch content, attribute, the length of hidden file, so that recover hidden file;
6) incite somebody to action the directory entry attribute of hidden file, first bunch number, length is recovered;
7) in file allocation table, find the position of first bunch of hidden file;
8) first bunch content recovery is the value before hiding;
9) revise cryptic filename, remove 13 characters that add at last at filename when hiding, make the destination file catalogue listing remove the long filenames directory entry of artificial increase.
CNB2006101163020A 2006-09-21 2006-09-21 Minimum invading data hidding method of computer network Expired - Fee Related CN100428260C (en)

Publications (2)

Publication Number Publication Date
CN1940950A CN1940950A (en) 2007-04-04
CN100428260C true CN100428260C (en) 2008-10-22

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1434450A (en) * 2003-01-25 2003-08-06 华中科技大学 Files hiding method based on FAT32 disk files system structure
WO2003083670A1 (en) * 2002-04-03 2003-10-09 Invisicom, Inc. Protection of data by hiding the data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
File hiding and encryption using the file directory table and the file allocation table. 冯伟, 颜峥嵘, 韩军. 微型机与应用, Vol. 1999, No. 5. 1999 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081022

Termination date: 20110921