CN101388033A - File protection technology based on Windows system file altering event - Google Patents

File protection technology based on Windows system file altering event

Info

Publication number: CN101388033A
Authority: CN (China)
Application number: CNA2008101584724A
Other languages: Chinese (zh)
Inventors: 景新海, 程建平, 刘江宁, 刘靖, 刘宗福, 赵绍祥, 刘春�, 王进
Current assignee: CVIC Software Engineering Co Ltd
Original assignee: CVIC Software Engineering Co Ltd
Priority and filing date: 2008-11-05
Publication date: 2009-03-18
Legal status: Pending

Abstract

The invention relates to a file protection technique based on Windows system file change events, namely the file change monitoring mechanism of the InforGuard web page tamper-resistance middleware, which is built on event-trigger technology. The technique is characterized in that (1) the protected files are backed up; (2) monitoring of file change events in the protected directory is started by calling a Windows system API function; (3) file change events are processed: when a file change event is detected, the file is handled according to the file change type; and (4) dynamic file maintenance is carried out, that is, normal file maintenance operations are still allowed while the files are protected through file change events. The technique solves the real-time and flexibility problems of file protection.

Description

File protection technique based on Windows system file change events
Technical field
The present invention relates to a file protection technique based on Windows system file change events, namely the file change monitoring mechanism of the InforGuard web page tamper-resistance middleware, which is built on event-trigger technology.
Background technology
In Windows systems there is a need to protect specified files, especially resource files that are made accessible over the network. Protection here means preventing a file from being modified by an unauthorized visitor, which includes modifying file content, renaming files, deleting files, and creating new files under the protected directory.
The file protection techniques currently available on Windows are briefly analysed as follows:
1. Polling check mechanism
This method traverses the disk files and performs a content check on each protected file one by one; when a file's content is found to have been illegally modified, the content is restored. Its shortcomings are: poor real-time behaviour (the polling cycle depends on the number of protected files and their size in bytes), poor security (there is an unprotected window within each polling cycle), and high system load.
2. Disk protection card
This method uses a hardware product to prevent disk files from being illegally modified. Its characteristic is that it completely prevents files from being illegally modified, but it also blocks the modification operations that applications legitimately need, making the applications extremely inflexible.
3. Windows-based system file protection (WFP for short)
WFP is designed to protect the content of Windows files. It protects specific file types, such as SYS, EXE, DLL, OCX, FON and TTF, rather than preventing every modification of all files. WFP determines whether a file's content is correct by generating a digital digest of the protected file; if the content is incorrect, the protected file is replaced from a backup copy, thereby protecting the file. At present this protection mode is limited to protecting Windows system files.
Summary of the invention
The purpose of the present invention is to address the deficiencies above by providing a mechanism that makes full use of Windows system file change events to protect files, mainly solving the real-time and flexibility problems of file protection.
This scheme is realized by the following technical measures:
The file protection technique based on Windows system file change events comprises the following steps:
(1) back up the protected files;
(2) start a file change event listener on the protected directory by calling Windows system API functions;
(3) process file change events: when a file change event is detected, handle it according to the file change type;
(4) dynamic file maintenance, that is, allow normal file maintenance operations while the files are protected through file change events.
For step (1): to protect a file it must be possible to restore it after it has been damaged, so all protected files need to be backed up.
In step (2), the relevant API functions are:
FindFirstChangeNotification
FindCloseChangeNotification
FindNextChangeNotification
ReadDirectoryChangesW
Step (3) is realized as follows:
read the raw file change event and add it to the event queue;
analyse the file change event, determine the file change type, and add it to the file change event queue;
decide whether the event is legitimate, and handle it if it is illegal;
raise a file protection alarm.
Handling an illegal event comprises:
for a file modification event, overwrite the file with the backup file;
for a file deletion event, restore the file from the backup file;
for a file rename event, change the file name back;
for a file creation event, delete the new file directly.
Step (4) is realized as follows:
copy the file to be updated onto the same logical disk partition as the target file;
then check whether the target file exists, and if so register a file move-out event;
after registering the move-out event, move the target file out and delete it after moving it out;
register a file move-in event;
move the source file into the target file's position.
The file protection technique based on Windows system file change events provided by this scheme solves the real-time and flexibility problems of file protection.
1. Real-time
Because file protection is based on file change events, protection handling is triggered immediately when a file changes, which solves the real-time problem of file protection.
2. Flexibility
This protection method introduces the notion of a protection policy: the set of protected files can be specified flexibly, and the types of events to monitor can also be configured, which improves application flexibility.
Furthermore, the scheme's code executes efficiently: file protection handling is tied to system events, each file change is handled directly, and there is no redundant processing. It is widely applicable: every version of the Windows platform provides the corresponding file change events, and this protection technique can protect disk files of any type from unauthorized damage, so it has fairly wide practical value.
Description of drawings
Fig. 1 is the flow chart of the embodiment of the invention;
Fig. 2 is the flow chart of file change event handling in the embodiment of the invention;
Fig. 3 is the flow chart of dynamic file maintenance in the embodiment of the invention;
Fig. 4 is the flow chart of the handling applied to the file of an illegal event in Fig. 2.
Embodiment
The embodiment of the present invention is described in detail below.
A file protection technique based on Windows system file change events, as shown in Fig. 1, is realized as follows:
first, step 101: back up the protected files;
then step 102: start the file change event listener on the protected directory by calling Windows system API functions;
step 103: process file change events: when a file change event is detected, handle it according to the file change type;
step 104: dynamic file maintenance, that is, allow normal file maintenance operations while the files are protected through file change events.
Step 101 comes first: to protect a file it must be possible to restore it after it has been damaged, so all protected files need to be backed up.
Then step 102 is entered: the file change event listener on the protected directory is started by calling Windows system API functions. When a file under the protected directory changes (including creation, deletion, modification and renaming), the API functions return the name of the changed file and the change type. The relevant API functions are:
FindFirstChangeNotification
FindCloseChangeNotification
FindNextChangeNotification
ReadDirectoryChangesW
Once monitoring is established by step 102, step 103 is entered, as shown in Fig. 2:
first step 201: read the raw file change event and add it to the event queue;
then step 202: analyse the file change event, determine the file change type, and add it to the file change event queue;
then step 203: decide whether the event is legitimate, and handle it if it is illegal;
finally step 204: raise a file protection alarm.
Handling the illegal event, as shown in Fig. 4, comprises:
step 401: for a file modification event, overwrite the file with the backup file;
step 402: for a file deletion event, restore the file from the backup file;
step 403: for a file rename event, change the file name back;
step 404: for a file creation event, delete the new file directly.
That is, when a file change event is detected a file has changed, and what must be done at this point is to restore the changed file according to the event information. Different change events call for different handling: for a file creation, the new file must be deleted (or archived as evidence of the illegal operation); for a deletion event, the corresponding backup file must be copied to the deleted file's position; for a modification event, the modified file must first be deleted (or archived as evidence of the illegal operation) and the corresponding backup file then copied to the deleted file's position; for a rename event, the file must be renamed back to its original name.
While files are protected through file change events, normal file maintenance operations must still be allowed. The problem is that maintenance operations cause the same four classes of events, namely creation, deletion, modification and renaming, so the file change events raised by legitimate maintenance must be distinguished from those caused by illegal operations. This is solved by establishing and maintaining a list of legitimate events. When performing legitimate maintenance on files under the protected directory, the expected operation events are first registered in the legitimate event list, and the corresponding operations are then carried out. These operations likewise trigger file change events; the event handling flow looks up each event in the legitimate event list, and if a corresponding entry exists the change is deemed legitimate; otherwise it is treated as an illegal change and the restoration process is carried out immediately. As shown in Fig. 3, step 104 proceeds as follows:
first step 301: copy the source file to be updated onto the same logical disk partition as the target file;
then step 302: check whether the target file exists, and if so register a file move-out event;
then step 303: after registering the move-out event, move the target file out and delete it after moving it out;
then step 304: register a file move-in event;
finally step 305: move the source file into the target file's position.
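As an added example (not code from the patent or from InforGuard), the following Python simulates steps 101 to 104 and the Fig. 2 to 4 flows: the backup, the event queue, the legitimate-event list that separates maintenance from tampering, and the restore action for each change type. The real watcher (ReadDirectoryChangesW) is replaced by calling on_event directly, the class and function names are ours, and refreshing the backup after a legitimate update is an assumption the patent does not state.

```python
import shutil
import tempfile
from pathlib import Path

CREATE, DELETE, MODIFY, RENAME = "create", "delete", "modify", "rename"

class Protector:
    def __init__(self, protected_dir, backup_dir):
        self.protected, self.backup = Path(protected_dir), Path(backup_dir)
        self.queue = []            # step 201: change events from the watcher
        self.legal_events = set()  # step 104: registered expected events
        self.alerts = []           # step 204: protection alarms raised
        for f in self.protected.iterdir():  # step 101: back up protected files
            shutil.copy2(f, self.backup / f.name)

    def on_event(self, change_type, name, new_name=None):  # watcher callback
        self.queue.append((change_type, name, new_name))  # step 201
        while self.queue:                                  # steps 202-204
            ev = self.queue.pop(0)
            if ev in self.legal_events:  # step 203: registered beforehand -> legal
                self.legal_events.discard(ev)
            else:                        # otherwise undo it and raise an alarm
                self._restore(*ev)
                self.alerts.append(ev)

    def _restore(self, change_type, name, new_name):  # Fig. 4, steps 401-404
        path = self.protected / name
        if change_type == CREATE:              # 404: delete the unexpected file
            path.unlink()
        elif change_type in (MODIFY, DELETE):  # 401/402: overwrite/recover from backup
            shutil.copy2(self.backup / name, path)
        elif change_type == RENAME:            # 403: rename back to the original name
            (self.protected / new_name).replace(path)

    def legitimate_update(self, name, staged):  # Fig. 3, steps 301-305
        # `staged` is already on the target's partition (301), so 305 is a rename.
        target = self.protected / name
        if target.exists():                    # 302/303: register move-out, remove
            self.legal_events.add((DELETE, name, None))
            target.unlink()
            self.on_event(DELETE, name)
        self.legal_events.add((CREATE, name, None))  # 304: register move-in
        Path(staged).replace(target)                 # 305: move the new file in
        self.on_event(CREATE, name)
        # Assumption (not stated in the patent): refresh the backup after an update.
        shutil.copy2(target, self.backup / name)

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed scenario, not real data
        prot, bak, stage = (Path(tmp) / d for d in ("www", "backup", "stage"))
        for d in (prot, bak, stage): d.mkdir()
        page = prot / "index.html"
        page.write_bytes(b"original")
        p = Protector(prot, bak)
        page.write_bytes(b"defaced")                 # illegal modification
        p.on_event(MODIFY, "index.html")
        (prot / "dropped.txt").write_bytes(b"x")     # illegal new file
        p.on_event(CREATE, "dropped.txt")
        page.replace(prot / "index.old")             # illegal rename
        p.on_event(RENAME, "index.html", "index.old")
        after_attack = (page.read_bytes(), sorted(f.name for f in prot.iterdir()), len(p.alerts))
        (stage / "index.html").write_bytes(b"updated")
        p.legitimate_update("index.html", stage / "index.html")  # legal update
        return after_attack, (page.read_bytes(), len(p.alerts))
```

demo() returns the page content, directory listing and alarm count after the three illegal changes, then the content and alarm count after the registered update, which raises no new alarm.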

Claims (4)

1. A file protection technique based on Windows system file change events, characterized in that:
(1) the protected files are backed up;
(2) a file change event listener on the protected directory is started by calling Windows system API functions;
(3) file change events are processed: when a file change event is detected, the file is handled according to the file change type;
(4) dynamic file maintenance is performed, that is, normal file maintenance operations are allowed while the files are protected through file change events.
2. The file protection technique based on Windows system file change events according to claim 1, characterized in that step (3) is realized as follows:
read the raw file change event and add it to the event queue;
analyse the file change event, determine the file change type, and add it to the file change event queue;
decide whether the event is legitimate, and handle it if it is illegal;
raise a file protection alarm.
3. The file protection technique based on Windows system file change events according to claim 1 or 2, characterized in that handling the illegal event comprises:
for a file modification event, overwrite the file with the backup file;
for a file deletion event, restore the file from the backup file;
for a file rename event, change the file name back;
for a file creation event, delete the new file directly.
4. The file protection technique based on Windows system file change events according to claim 1, characterized in that step (4) is realized as follows:
copy the source file to be updated onto the same logical disk partition as the target file;
then check whether the target file exists, and if so register a file move-out event;
after registering the move-out event, move the target file out and delete it after moving it out;
register a file move-in event;
move the source file into the target file's position.

Priority Applications (1)

Application number: CNA2008101584724A; priority date: 2008-11-05; filing date: 2008-11-05; title: File protection technology based on Windows system file altering event

Publications (1)

CN101388033A (en), published 2009-03-18

Family

ID=40477454

Country Status (1)

CN: CN101388033A (en), Pending


Cited By (14)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title:
CN102541986A (en) * 2011-10-27 2012-07-04 梁松 File operation monitoring and auditing method
CN102710652A (en) * 2012-06-12 2012-10-03 北京星网锐捷网络技术有限公司 Web application intrusion prevention method and device as well as network equipment and network system
CN102799426A (en) * 2012-06-21 2012-11-28 华为技术有限公司 Method, system and equipment for processing service components
CN102799426B (en) * 2012-06-21 2016-03-09 华为技术有限公司 Service component processing method, system and equipment
CN102929732A (en) * 2012-10-18 2013-02-13 北京奇虎科技有限公司 Method and device for calling file by application program and client-side equipment
CN104679638A (en) * 2013-12-02 2015-06-03 中国银联股份有限公司 Method and device for monitoring file based on file property matching degree
CN104932965A (en) * 2014-03-18 2015-09-23 北京奇虎科技有限公司 Object real-time monitoring method and device
CN104932965B (en) * 2014-03-18 2019-05-28 北京奇虎科技有限公司 Object real-time monitoring method and device
CN104239478A (en) * 2014-09-04 2014-12-24 上海帝联信息科技股份有限公司 File monitoring method and device
CN104239478B (en) * 2014-09-04 2018-07-27 上海帝联信息科技股份有限公司 File monitoring method and device
CN106446718A (en) * 2016-09-13 2017-02-22 郑州云海信息技术有限公司 File protection method and system based on event-driven mechanism
CN109598118A (en) * 2018-11-30 2019-04-09 山东中创软件商用中间件股份有限公司 Subdirectory access control method and related apparatus
CN110674530A (en) * 2019-09-29 2020-01-10 北京神州绿盟信息安全科技股份有限公司 File access control method, equipment and device based on user mode
CN110674530B (en) * 2019-09-29 2021-06-18 绿盟科技集团股份有限公司 File access control method, equipment and device based on user mode

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090318