CN102194079B - File access filtering method - Google Patents

Info

Publication number: CN102194079B
Authority: CN (China)
Prior art keywords: file, path, function, layer, irp
Legal status: Active (the legal status is an assumption, not a legal conclusion)
Application number: CN2011100666875A
Other languages: Chinese (zh)
Other versions: CN102194079A (en)
Inventors: 于晓军, 万雪松, 赵辰清
Current Assignee: STRONG UNION TECHNOLOGY Co Ltd
Original Assignee: STRONG UNION TECHNOLOGY Co Ltd
Priority date and filing date: 2011-03-18
Publication date: 2013-09-11 (application publication CN102194079A: 2011-09-21)

Application filed by STRONG UNION TECHNOLOGY Co Ltd
Priority to CN2011100666875A
Publication of CN102194079A
Application granted
Publication of CN102194079B
Active legal status
Anticipated expiration

Abstract

The invention discloses a file access filtering method belonging to the technical field of network security. The method comprises the following steps: S1) processing the IRP (I/O request packet) request categories and the driver unload request, and installing the corresponding dispatch functions; S2) processing calls from the user layer and sending the call command to the kernel layer; S3) in the custom function, obtaining the Handle passed in as a parameter when the Windows kernel function is called, and querying, by calling a system kernel function, whether the path corresponding to the Handle is a folder path; if it is a folder path and does not contain a disk drive, performing no comparison; if it is a file path, comparing it with the white list; and S4) notifying the user-layer application, through a shared event created between the user layer and the kernel layer, to retrieve the unauthorised file-access information recorded in the BackList, the user-layer application writing this information to a log file. With this file access filtering method a user can conveniently take further measures to protect personal files.

Description

File access filtering method
Technical field
The present invention relates to the field of network security, and in particular to a file access filtering method.
Background technology
As computers and the Internet become an indispensable part of people's lives, the security of personal files receives more and more attention. Many malicious programs or Trojans secretly scan a user's files without the user's knowledge, and even upload the files to a designated server.
On the Windows platform the operating system is divided into two parts: the user layer (also called the Ring3 layer) and the kernel layer (also called the Ring0 layer). The API interfaces provided by Windows all implement their functions by calling Ring0 kernel functions from the Ring3 layer. It can therefore be said that, to protect the computer and protect files, taking measures at the Ring0 layer is indispensable.
One technique adopted by the file protection products currently on the market is to hook (HOOK) the Windows kernel function ZwCreateFile, so as to control file operations and protect files.
As is well known, under Windows access to a file first calls ZwCreateFile to obtain a handle to the file; the file is then operated on further through the handle, for example read, written or deleted. If interception code is added to the ZwCreateFile function, the actions of all file operations can be captured, together with parameters such as the file path, the access rights and the process. Implementation of the hook: the address of the ZwCreateFile function is looked up in the SSDT (System Services Descriptor Table) of the Windows kernel and replaced with the address of a custom MyCreateFile function; MyCreateFile itself calls the original system ZwCreateFile function, which completes the flow of hooking the Windows function. Implementation of the monitoring: in the custom function MyCreateFile, first obtain parameters such as the path of the file the user wants to operate on and the current process. Compare the process and file path against the white list of permitted processes, file paths and file types to see whether the request is allowed through. If the conditions are met and the entry exists in the white list, continue to call the system function ZwCreateFile. If the conditions are not met, or the entry does not exist in the white list, ZwCreateFile is never called and failure is returned directly. This achieves the purpose of monitoring file access.
The defects of the above implementation are: 1. Low efficiency: because access to files and folders alike passes through the ZwCreateFile function, many of the path comparisons are in fact comparisons of device and folder paths. Because the white list is long, the efficiency of a full comparison naturally drops considerably; these comparisons consume memory and CPU resources unnecessarily and increase the risk of system instability. 2. No record is kept of which files were illegally operated on: a user's file is illegally operated on and the product protects it, but the user still does not know which files were illegally operated on by which process, so that process still has the opportunity to operate on the file again.
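The hook and white-list check described in this background section, as an added example that is not the patent's or the product's code: a user-mode C model in which an array of function pointers stands in for the kernel's service table, so that the save-swap-chain mechanism, the unload path and the cost of comparing every path can be run and checked without a driver. All names (sim_ssdt, my_create_file, the white list entries, the process names) are this example's assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Model of an SSDT entry: a table of function pointers that every caller
   goes through, which is exactly the indirection a hook replaces. Index 0
   stands for the ZwCreateFile slot (assumption: the real index varies by
   Windows build). */
typedef long sim_status;
#define SIM_STATUS_SUCCESS        0L
#define SIM_STATUS_ACCESS_DENIED  (-1073741790L)   /* 0xC0000022 */

typedef sim_status (*create_file_fn)(const char *path, const char *process);

#define SIM_SSDT_CREATEFILE 0
static create_file_fn sim_ssdt[1];
static create_file_fn original_create_file;  /* saved pointer, used to chain */
static long comparisons;                     /* white-list lookups performed */

/* The "real" service: in this model every open succeeds. */
static sim_status sim_zw_create_file(const char *path, const char *process) {
    (void)path; (void)process;
    return SIM_STATUS_SUCCESS;
}

/* White list as in the background section: (process, path prefix) pairs.
   Constructed entries for the example. */
static const struct { const char *process; const char *prefix; } whitelist[] = {
    {"winword.exe",  "C:\\Users\\alice\\Documents\\"},
    {"explorer.exe", "C:\\"},
};

static int whitelisted(const char *process, const char *path) {
    size_t i;
    for (i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (strcmp(process, whitelist[i].process) == 0 &&
            strncmp(path, whitelist[i].prefix, strlen(whitelist[i].prefix)) == 0)
            return 1;
    return 0;
}

/* MyCreateFile of the background section: every path, folder or file,
   is compared; a miss never reaches the original function. */
static sim_status my_create_file(const char *path, const char *process) {
    comparisons++;
    if (!whitelisted(process, path))
        return SIM_STATUS_ACCESS_DENIED;
    return original_create_file(path, process);
}

/* The hook: save the slot, then overwrite it with our function. */
static void install_hook(void) {
    original_create_file = sim_ssdt[SIM_SSDT_CREATEFILE];
    sim_ssdt[SIM_SSDT_CREATEFILE] = my_create_file;
}

/* Unload path: restore the slot only if it still holds our pointer. If
   something else hooked after us, restoring would unhook it and leave its
   saved pointer dangling at our unloaded code. Returns 1 when restored. */
static int remove_hook(void) {
    if (sim_ssdt[SIM_SSDT_CREATEFILE] != my_create_file)
        return 0;
    sim_ssdt[SIM_SSDT_CREATEFILE] = original_create_file;
    return 1;
}

/* What a Ring3 API call resolves to: dispatch through the table. */
static sim_status sim_call_create_file(const char *path, const char *process) {
    return sim_ssdt[SIM_SSDT_CREATEFILE](path, process);
}

/* Reset the model to the unhooked state. */
static void sim_init(void) {
    sim_ssdt[SIM_SSDT_CREATEFILE] = sim_zw_create_file;
    original_create_file = NULL;
    comparisons = 0;
}
```

Two points the patent's step S1 (handling the driver unload request) depends on but does not spell out: the saved pointer is the only route back to the real service, and the slot must be restored on unload, after checking that it still holds your own pointer. On 64-bit Windows, Kernel Patch Protection treats a modified SSDT as a kernel patch, so production file-access control is built on a file system filter or minifilter driver (the mechanism of the cited US6993603B2 and CN101916349A) rather than on this hook.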
Summary of the invention
(1) Technical problem to be solved
The technical problem to be solved by the present invention is how to provide a file access filtering method that is highly efficient and makes it convenient for the user to take further measures to protect personal files.
(2) Technical solution
To solve the above technical problem, the present invention provides a file access filtering method comprising the following steps:
S1. Process the I/O request packet (IRP) request categories and the driver unload request, and install the corresponding dispatch functions;
S2. Process calls from the user layer and send the call command to the kernel layer;
S3. In the custom function, obtain the handle (Handle) passed in as a parameter when the Windows kernel function is called, and query, by calling a system kernel function, whether the path corresponding to this Handle is a folder path. If it is a folder path and does not contain a disk drive, do not compare. If it is a file path, compare it with the white list; if the file path falls within the range of protected file paths in the white list, which means the access is not within the permitted range, record the current unauthorised file-access information in the return list BackList;
S4. Through a shared event created between the user layer and the kernel layer, notify the user-layer application to fetch the unauthorised file-access information recorded in BackList; the user-layer application writes this information to a log file.
Step S2 is specifically: when the user layer sends the start command, the kernel layer looks up the address of a Windows kernel function in the system service descriptor table SSDT and converts this address into the address of a custom function, thereby completing the hook action.
In step S1, the IRP request categories comprise IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL.
The Windows kernel function is the ZwCreateFile function.
(3) Beneficial effects
By distinguishing file paths from folder paths while hooking the kernel function ZwCreateFile, the present invention keeps protected files from unauthorised access, speeds up the comparison of folder paths and raises comparison efficiency, and lays the foundation for further extended operations on files. By examining the log file the user can see the state of the protected files: when, by which process, which file was accessed or otherwise illegally operated on, which helps the user in the next step of scanning for and removing Trojans, viruses and other malicious programs.
Description of the drawings
Fig. 1 is the flow chart of the method of the present invention.
Embodiments
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the present invention but are not intended to limit its scope.
As shown in Fig. 1, the file access filtering method of the present invention comprises the following steps:
S1. Process the I/O request packet (IRP) request categories and the driver unload request DriverUnload, and install the corresponding dispatch functions;
S2. Process calls from the user layer and send the call command to the kernel layer. For example: when the user layer sends the start command, the kernel layer looks up the address of the Windows kernel function ZwCreateFile in the system service descriptor table SSDT and converts this address into the address of the custom function MyCreateFile, thereby completing the hook (HOOK) action;
S3. In the custom function, obtain the handle (Handle) passed in as a parameter when the Windows kernel function is called, and query, by calling a system kernel function, whether the path corresponding to this Handle is a folder path. If it is a folder path and does not contain a disk drive (example given: C:), do not compare, because this case is outside the range of the list that needs comparing, and return directly. If it is a file path, compare it with the white list; if the file path falls within the range of protected file paths in the white list, which means the access is not within the permitted range, record the current unauthorised file-access information in the return list BackList;
S4. Through the shared event (Event) created between the user layer and the kernel layer, notify the user-layer application to fetch the unauthorised file-access information recorded in BackList; the user-layer application writes this information to the log file.
In step S1, the IRP request categories comprise IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL.
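Steps S3 and S4 above, as an added example that is not the patent's code: a user-mode C model of the filtering decision and of the BackList-to-log path. The kernel query that resolves the passed-in Handle to a path and tells a folder from a file is replaced by a constructed handle table; BackList, the shared Event and the log file are in-memory stand-ins. The example reads the skip rule as "folder path, or path not rooted at a disk drive letter", which is this example's reading of the text; all names, handles and list entries are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Handle the hooked function receives. In the
   driver a system query on the handle yields the path and the directory
   flag; here a table does it. */
struct sim_handle { unsigned handle; const char *path; int is_folder; };
static const struct sim_handle sim_handles[] = {
    {0x10, "\\Device\\HarddiskVolume1", 1},            /* device path, no drive letter */
    {0x14, "C:\\", 1},                                  /* bare disk drive */
    {0x18, "C:\\Users\\alice\\Documents", 1},           /* folder */
    {0x1c, "C:\\Users\\alice\\Documents\\plan.docx", 0},
    {0x20, "C:\\Users\\alice\\Documents\\salary.xlsx", 0},
};

/* White list: protected file path prefixes and the process allowed on each. */
static const struct { const char *process; const char *prefix; } whitelist[] = {
    {"winword.exe", "C:\\Users\\alice\\Documents\\"},
    {"excel.exe",   "C:\\Users\\alice\\Documents\\"},
};

enum verdict { VERDICT_SKIPPED, VERDICT_ALLOWED, VERDICT_DENIED };

/* BackList: kernel-side record of unauthorised accesses (S3), drained by the
   user layer (S4). Fixed-size for the model. */
#define BACKLIST_MAX 16
struct backlist_entry { char process[32]; char path[128]; };
static struct backlist_entry backlist[BACKLIST_MAX];
static int backlist_count;
static int shared_event_signalled;    /* stands in for the shared Event */
static long whitelist_comparisons;    /* the cost the summary section targets */

static int has_drive_letter(const char *path) {
    return ((path[0] >= 'A' && path[0] <= 'Z') ||
            (path[0] >= 'a' && path[0] <= 'z')) && path[1] == ':';
}

/* S3 for one call of the hooked function. */
static enum verdict filter_create(unsigned handle, const char *process) {
    const struct sim_handle *h = NULL;
    size_t i;
    for (i = 0; i < sizeof sim_handles / sizeof sim_handles[0]; i++)
        if (sim_handles[i].handle == handle) { h = &sim_handles[i]; break; }
    if (h == NULL)
        return VERDICT_SKIPPED;            /* nothing to resolve, nothing to protect */

    /* Folder paths and paths without a disk drive are outside the list that
       needs comparing: return without touching the white list. */
    if (h->is_folder || !has_drive_letter(h->path))
        return VERDICT_SKIPPED;

    /* File path: compare with the white list. */
    for (i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++) {
        whitelist_comparisons++;
        if (strcmp(process, whitelist[i].process) == 0 &&
            strncmp(h->path, whitelist[i].prefix, strlen(whitelist[i].prefix)) == 0)
            return VERDICT_ALLOWED;
    }

    /* Not permitted: record in BackList and signal the user layer. */
    if (backlist_count < BACKLIST_MAX) {
        snprintf(backlist[backlist_count].process, sizeof backlist[0].process, "%s", process);
        snprintf(backlist[backlist_count].path, sizeof backlist[0].path, "%s", h->path);
        backlist_count++;
    }
    shared_event_signalled = 1;
    return VERDICT_DENIED;
}

/* S4, user layer: on the Event, fetch BackList and append one log line per
   entry. The buffer stands in for the log file; returns lines written. */
static int user_layer_write_log(char *log, size_t log_size) {
    int n = 0, i;
    size_t used = 0;
    if (!shared_event_signalled)
        return 0;
    for (i = 0; i < backlist_count; i++) {
        int w = snprintf(log + used, log_size - used, "DENIED process=%s path=%s\n",
                         backlist[i].process, backlist[i].path);
        if (w < 0 || (size_t)w >= log_size - used)
            break;                         /* log buffer full: stop, keep what fits */
        used += (size_t)w;
        n++;
    }
    backlist_count = 0;                    /* entries fetched */
    shared_event_signalled = 0;            /* event consumed */
    return n;
}
```

Before the comparison the path has to be in the same form as the white list entries: the background section itself notes that device paths reach the hook, and a \Device\HarddiskVolumeN\... or \\?\ spelling of a protected file will not match a C:\ prefix, so a string white list is only as strong as the path canonicalisation in front of it.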
The above embodiments serve only to illustrate the present invention and do not limit it; a person of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the present invention, so all equivalent technical solutions also fall within its scope, and the scope of patent protection of the present invention is defined by the claims.

Claims (2)

1. A file access filtering method, characterised in that it comprises the following steps:
S1. processing the IRP request categories and the driver unload request, and installing the corresponding dispatch functions;
S2. processing calls from the user layer and sending the call command to the kernel layer; when the user layer sends the start command, the kernel layer looks up the address of a Windows kernel function in the system service descriptor table SSDT and converts this address into the address of a custom function, thereby completing the hook action, the Windows kernel function being the ZwCreateFile function;
S3. in the custom function, obtaining the handle (Handle) passed in as a parameter when the Windows kernel function is called, and querying, by calling a system kernel function, whether the path corresponding to this Handle is a folder path; if it is a folder path and does not contain a disk drive, not comparing; if it is a file path, comparing it with the white list, and if the file path falls within the range of protected file paths in the white list, which means the access is not within the permitted range, recording the current unauthorised file-access information in the return list BackList;
S4. through a shared event created between the user layer and the kernel layer, notifying the user-layer application to fetch the unauthorised file-access information recorded in BackList, the user-layer application writing this information to a log file.
2. The file access filtering method of claim 1, characterised in that in step S1 the IRP request categories comprise IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL.
Priority Applications (1)

Application number CN2011100666875A (CN102194079B), priority date 2011-03-18, filing date 2011-03-18, title: File access filtering method

Publications (2)

CN102194079A (en), publication date 2011-09-21
CN102194079B (en), publication date 2013-09-11

Family ID: 44602137

Family Applications (1)

CN2011100666875A (CN102194079B, active), priority date 2011-03-18, filing date 2011-03-18, title: File access filtering method

Country Status (1)

CN (1): CN102194079B (en)
Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102609495B (en) * 2012-01-29 2014-06-25 北京奇虎科技有限公司 Method for deleting file and system
CN103077354B (en) * 2013-02-19 2015-03-25 成都索贝数码科技股份有限公司 Method for controlling Windows file system access permissions
CN104881291B (en) * 2015-06-03 2018-05-25 北京金山安全软件有限公司 Control method and device of default browser and terminal
CN107544811B (en) * 2017-09-08 2020-07-31 武汉斗鱼网络科技有限公司 Method, storage medium, electronic device and system for hiding dylib file in IOS platform
CN109271341B (en) * 2018-08-31 2021-10-26 黄疆 Mirror image disk file filtering method
CN109522274A (en) * 2019-01-22 2019-03-26 成都神州数码索贝科技有限公司 A kind of file access method
CN115859274B (en) * 2022-12-12 2023-11-21 安芯网盾(北京)科技有限公司 Method and system for monitoring event log behavior of Windows process emptying system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7278158B2 (en) * 2001-03-16 2007-10-02 Securewave S.A. Method and system for shadowing accesses to removable medium storage devices
US7444317B2 (en) * 2002-06-28 2008-10-28 Microsoft Corporation System and method for managing file names for file system filter drivers
US6993603B2 (en) * 2002-12-09 2006-01-31 Microsoft Corporation Managed file system filter model and architecture
EP1684151A1 (en) * 2005-01-20 2006-07-26 Grant Rothwell William Computer protection against malware affection
CN101916349A (en) * 2010-07-30 2010-12-15 中山大学 File access control method based on filter driving, system and filer manager


Legal Events

Code / Title / Description
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant
PE01: Entry into force of the registration of the contract for pledge of patent right
  Denomination of invention: File access filtering method
  Effective date of registration: 20131226
  Granted publication date: 20130911
  Pledgee: Bank of Communications Ltd Beijing Zhongguancun Park sub branch
  Pledgor: Strong Union Technology Co., Ltd.
  Registration number: 2013990001026
PLDC: Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01: Cancellation of the registration of the contract for pledge of patent right
  Date of cancellation: 20150203
  Granted publication date: 20130911
  Pledgee: Bank of Communications Ltd Beijing Zhongguancun Park sub branch
  Pledgor: Strong Union Technology Co., Ltd.
  Registration number: 2013990001026