CN112506424A - Kernel-based method for preventing hard disk partition from being deleted under window operating system - Google Patents


Info

Publication number
CN112506424A
Authority
CN
China
Prior art keywords
hard disk
operating system
file
kernel
windows operating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011249952.9A
Other languages
Chinese (zh)
Inventor
赵天耳
赵树升
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dawancheng Information Technology Co ltd
Original Assignee
Hangzhou Dawancheng Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dawancheng Information Technology Co ltd
Priority to CN202011249952.9A
Publication of CN112506424A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0614 Improving the reliability of storage systems
    • G06F3/0619 Improving the reliability of storage systems in relation to data integrity, e.g. data losses, bit errors
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Human Computer Interaction (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system. The method is executed at ring0 level of the Windows operating system and comprises the following steps: creating and configuring a minifilter file filter driver to monitor the IRP_MJ_VOLUME_MOUNT message in the system process and its modules; and, on receiving the IRP_MJ_VOLUME_MOUNT message, calling the function FltGetVolumeProperties to obtain the device attributes, evaluating the device attributes, and intercepting the system process and its modules so that the user cannot delete the hard disk partition, if and only if the device attributes indicate a file device and a physical hard disk. The method lives in the ring0 layer, has no process or DLL, and is therefore hard to unload, which makes it safer and more reliable.

Description

Kernel-based method for preventing hard disk partition from being deleted under window operating system
Technical Field
The invention belongs to the field of software and particularly relates to a kernel-based method for preventing a hard disk partition from being deleted under a Windows operating system.
Background
Deleting a hard disk partition, like formatting it, is a primary means of wiping data from a computer and does the greatest harm to the data. Once a disk has been repartitioned, recovering even part of the data is often difficult, slow and expensive. The threshold for deleting a hard disk partition is very low: an ordinary user can do it in a few simple operations. It is therefore increasingly important today to prevent data loss caused by the deletion of hard disk partitions, whether by employees acting maliciously when leaving their jobs or by attackers who have gained access to the machine.
Disclosure of Invention
To overcome these problems, the invention provides a safe and reliable kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system.
The technical scheme of the invention is a kernel-based method for preventing a hard disk partition from being deleted under a Windows operating system, executed at ring0 level of the Windows operating system and comprising the following steps:
creating and configuring a minifilter file filter driver to monitor the IRP_MJ_VOLUME_MOUNT message in the system process and its modules;
and, on receiving the IRP_MJ_VOLUME_MOUNT message, calling the function FltGetVolumeProperties to obtain the device attributes, evaluating the device attributes, and intercepting the system process and its modules to prevent the user from deleting the hard disk partition, if and only if the device attributes indicate a file device and a physical hard disk.
Preferably, the device attributes obtained by calling the function FltGetVolumeProperties are judged to describe a file device as follows: it is checked whether the member DeviceType of the device attributes equals FILE_DEVICE_DISK_FILE_SYSTEM, the system constant that denotes a disk file system device in the Windows operating system.
Preferably, the device attributes obtained by calling the function FltGetVolumeProperties are judged to describe a physical hard disk as follows: it is checked whether the member RealDeviceName of the device attributes contains the string "\HarddiskVolume".
Preferably, the system process and its modules are intercepted by returning STATUS_ACCESS_DENIED to them, which prevents them from continuing to run.
Preferably, the minifilter file filter driver is created and configured to monitor the IRP_MJ_VOLUME_MOUNT message in the system process and its modules as follows: a minifilter is registered with the filter manager via the function FltRegisterFilter, and the IRP_MJ_VOLUME_MOUNT message is filtered once filtering is started with the function FltStartFiltering of the minifilter.
Preferably, the method starts when the Windows operating system starts.
Because the kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system is implemented in the kernel, in the ring0 layer, it has no process or DLL and is harder to unload than an implementation in the application layer (ring3); it is therefore safer and more reliable.
Drawings
Fig. 1 is a schematic diagram of the principle of the present invention.
Detailed Description
The following describes in further detail embodiments of the present invention.
1. Technical foundation
Taking Windows 10 as an example, a hard disk drive letter is deleted as follows: right-click Computer and choose Properties, then Control Panel, Administrative Tools, Computer Management and Disk Management; right-click the drive letter and choose Delete Volume. The partition is then deleted, and the data on it is lost even if the partition is recovered later.
In an information security product this function needs to be controlled. In the system kernel many behaviours are implemented by sending messages and letting the system execute the corresponding message-handling functions. By reverse-analysing the system kernel it was found that both loading a new drive and deleting an existing drive are handled by sending an IRP_MJ_VOLUME_MOUNT message. The handling of this message can be taken over through the minifilter file filter driver provided by the system. In the handler it is analysed whether the drive letter is being deleted and whether it belongs to a hard disk; if so, the operation is rejected.
Current operating systems are divided, by privilege, into ring3 and ring0. The former is the application layer with low privilege; the latter is the kernel layer with high privilege, which can freely use the resources of the whole system. Implementing the protection in the kernel layer therefore yields a higher level of protection. There are many ways to get a program executing in ring0; the most common is to write a driver that runs in ring0. Another is to read and write the physical memory of the GDT and place a call gate of one's own in the GDT so as to freely enter and leave ring0. The present invention uses the first method, writing a driver. The implementation details are widely documented and are not the focus of the invention.
2. Technical implementation (see Figure 1)
In the interception handler, the system function FltGetVolumeProperties is first called to obtain the device attributes, and it is judged whether the device is a file device; if not, the operation is released. Next it is analysed whether the device is a hard disk device; if not, the operation is released, since deletion should be allowed for devices such as removable disks or USB disks. By analysis, only devices whose device name contains "\HarddiskVolume" are intercepted, so deleting the drive letter of a removable disk or USB disk is not affected.
3. Minifilter file filter driver
The minifilter file filter driver is a file management facility provided by Microsoft. It is extensively documented, and its implementation can be found in information published on the Internet or on Microsoft's official website. In essence it is a set of callback functions, i.e. filters: FltRegisterFilter is called to register a minifilter, and filtering is then started with the function FltStartFiltering, after which the messages, including IRP_MJ_VOLUME_MOUNT, are received.
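The decision rule of sections 2 and 3, as an added example that is not code from the patent: it models the two FLT_VOLUME_PROPERTIES members the description inspects in plain C so the rule can be exercised outside the kernel. The UNICODE_STRING16 and VOLUME_PROPS structs and the c16len, unicode_contains and decide helpers are stand-ins assumed here; the constants and the "\HarddiskVolume" test are the page's, and a real minifilter callback would obtain the values from FltGetVolumeProperties. Because RealDeviceName is a counted string, the search is bounded by Length rather than by a terminator.

```c
/* Added example, not the patent's own code: the allow/deny rule the description
 * applies to FltGetVolumeProperties output, in plain C so it builds without the
 * WDK. Structs are stand-ins for the kernel types; constants are the real values. */
#include <stddef.h>
#include <stdint.h>
#include <uchar.h>
#define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008u   /* ntddk.h */
#define STATUS_SUCCESS       ((int32_t)0x00000000)  /* ntstatus.h */
#define STATUS_ACCESS_DENIED ((int32_t)0xC0000022)

/* Stand-in for UNICODE_STRING: counted UTF-16, Length in bytes; the buffer
 * is not guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t        Length;
    uint16_t        MaximumLength;
    const char16_t *Buffer;
} UNICODE_STRING16;

typedef struct {                 /* the two FLT_VOLUME_PROPERTIES members inspected */
    uint32_t         DeviceType;
    UNICODE_STRING16 RealDeviceName;
} VOLUME_PROPS;

static size_t c16len(const char16_t *s)
{ size_t n = 0; while (s[n] != 0) n++; return n; }

/* Substring search bounded by Length, not by a terminator: a wcsstr()-style
 * scan could run past the end of the property buffer. */
static int unicode_contains(const UNICODE_STRING16 *s, const char16_t *needle)
{
    size_t n = s->Length / sizeof(char16_t), m = c16len(needle);
    if (m > n) return 0;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && s->Buffer[i + j] == needle[j]) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* The patent's rule: intercept only when the volume is a disk file-system
 * device AND its real device name contains "\HarddiskVolume"; else release. */
int32_t volume_mount_decision(const VOLUME_PROPS *p)
{
    if (p->DeviceType != FILE_DEVICE_DISK_FILE_SYSTEM)
        return STATUS_SUCCESS;                   /* not a file device: release */
    if (!unicode_contains(&p->RealDeviceName, u"\\HarddiskVolume"))
        return STATUS_SUCCESS;                   /* not a hard-disk volume: release */
    return STATUS_ACCESS_DENIED;                 /* intercept */
}

/* Builds the properties from a constructed device name whose counted Length
 * covers only its first nchars characters, then applies the rule. */
int32_t decide(uint32_t device_type, const char16_t *name, size_t nchars)
{
    uint16_t bytes = (uint16_t)(nchars * sizeof(char16_t));
    UNICODE_STRING16 rdn = { bytes, bytes, name };
    VOLUME_PROPS p = { device_type, rdn };
    return volume_mount_decision(&p);
}
```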
The above embodiment is only one embodiment of the present invention; although its description is specific and detailed, it is not to be construed as limiting the scope of the invention. A person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the invention. The protection scope of this patent is therefore defined by the appended claims.

Claims (6)

1. A kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system, the method being executed at ring0 level of the Windows operating system and characterised by comprising the following steps:
creating and configuring a minifilter file filter driver to monitor the IRP_MJ_VOLUME_MOUNT message in the system process and its modules;
and, on receiving the IRP_MJ_VOLUME_MOUNT message, calling the function FltGetVolumeProperties to obtain the device attributes, evaluating the device attributes, and intercepting the system process and its modules to prevent the user from deleting the hard disk partition, if and only if the device attributes indicate a file device and a physical hard disk.
2. The kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system according to claim 1, wherein the device attributes obtained by calling the function FltGetVolumeProperties are judged to describe a file device as follows: it is checked whether the member DeviceType of the device attributes equals FILE_DEVICE_DISK_FILE_SYSTEM, the system constant that denotes a disk file system device in the Windows operating system.
3. The kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system according to claim 1, wherein the device attributes obtained by calling the function FltGetVolumeProperties are judged to describe a physical hard disk as follows: it is checked whether the member RealDeviceName of the device attributes contains the string "\HarddiskVolume".
4. The kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system according to claim 1, wherein the system process and its modules are intercepted by returning STATUS_ACCESS_DENIED to them, which prevents them from continuing to run.
5. The kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system according to claim 1, wherein the minifilter file filter driver is created and configured to monitor the IRP_MJ_VOLUME_MOUNT message in the system process and its modules as follows: a minifilter is registered with the filter manager via the function FltRegisterFilter, and the IRP_MJ_VOLUME_MOUNT message is filtered once filtering is started with the function FltStartFiltering of the minifilter.
6. The kernel-based method for preventing hard disk partitions from being deleted under a Windows operating system according to claim 1, wherein the method begins execution when the Windows operating system boots.
CN202011249952.9A 2020-11-11 2020-11-11 Kernel-based method for preventing hard disk partition from being deleted under window operating system Pending CN112506424A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011249952.9A CN112506424A (en) 2020-11-11 2020-11-11 Kernel-based method for preventing hard disk partition from being deleted under window operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011249952.9A CN112506424A (en) 2020-11-11 2020-11-11 Kernel-based method for preventing hard disk partition from being deleted under window operating system

Publications (1)

Publication Number Publication Date
CN112506424A true CN112506424A (en) 2021-03-16

Family

ID=74957654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011249952.9A Pending CN112506424A (en) 2020-11-11 2020-11-11 Kernel-based method for preventing hard disk partition from being deleted under window operating system

Country Status (1)

Country Link
CN (1) CN112506424A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110443033A (en) * 2018-05-04 2019-11-12 陕西思科锐迪网络安全技术有限责任公司 A kind of file backup method based on Minifilter frame
CN113448644A (en) * 2021-06-22 2021-09-28 苏州浪潮智能科技有限公司 OC hard disk configuration method, device, terminal and storage medium in ring3 mode of operating system
CN113448644B (en) * 2021-06-22 2023-07-18 苏州浪潮智能科技有限公司 Operating system ring3 mode OC hard disk configuration method, device, terminal and storage medium

Similar Documents

Publication Publication Date Title
US10169585B1 (en) System and methods for advanced malware detection through placement of transition events
US9282112B2 (en) System and method for determining category of trust of applications performing interface overlay
EP1434135B1 (en) Method for backing up and recovering data in the hard disk of a computer
US8484327B2 (en) Method and system for generic real time management of devices on computers connected to a network
US20160378988A1 (en) Anti-ransomware
WO2018196559A1 (en) Method and apparatus for dealing with abnormality of application program, and storage medium
US20150074405A1 (en) Securing data using integrated host-based data loss agent with encryption detection
US20110239306A1 (en) Data leak protection application
EP2216714A1 (en) Automatic analysis of an application's run-time settings
EP3885951B1 (en) Method of remediating operations performed by a program and system thereof
US10783041B2 (en) Backup and recovery of data files using hard links
EP2797021B1 (en) A method for neutralizing pc blocking malware using a separate device for an antimalware procedure activated by user
US6907524B1 (en) Extensible firmware interface virus scan
CN112506424A (en) Kernel-based method for preventing hard disk partition from being deleted under window operating system
US10977364B2 (en) System and method for monitoring effective control of a machine
CN109800576B (en) Monitoring method and device for unknown program exception request and electronic device
CN109800571B (en) Event processing method and device, storage medium and electronic device
WO2021126747A1 (en) Method for detecting and defeating ransomware
US11113391B2 (en) Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium
CN112257037B (en) Process watermarking method, system and electronic equipment
CN109784041B (en) Event processing method and device, storage medium and electronic device
KR101716690B1 (en) Unauthorized data access blocking method and computing apparatus having Unauthorized data access blocking function
US20230315855A1 (en) Exact restoration of a computing system to the state prior to infection
CN112507339A (en) Kernel-based hard disk formatting prevention method under window operating system
WO2021144978A1 (en) Attack estimation device, attack estimation method, and attack estimation program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination