CN102222185B - Method for preventing operating system starting file from being infected - Google Patents
- Publication number
- CN102222185B
- Authority
- CN
- China
- Prior art keywords
- file
- protection
- backup
- irp
- windows
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a method for preventing an operating system startup file from being infected, comprising the following steps: 1, initializing the protection environment: installing a protection driver in the system in boot-load mode, with the name of the protection driver entered by the user, setting up a backup folder for the system startup files, and setting up a driver configuration file in the system32 directory of the system; 2, when the system starts, the protection driver intercepts file operations and judges the type of the file: if the file is a system startup file in the backup folder, the operation is stopped; if the file is a system startup file, the next step is taken; if the file is any other file, the operation is allowed; and 3, judging the type of the file operation and the process performing it: if the process is a system process and the file is opened in Executive Image mode, the protection driver takes over the subsequent read operations and reads the corresponding file in the backup folder; in all other cases the operation is allowed. By this method, a virus cannot obtain control of the system by infecting a system startup file so that it runs automatically at system startup.
Description
Technical field
The present invention relates to a method for preventing operating system startup files from being infected; specifically, it relates to a method by which a virus, once it has infected the machine, cannot be started along with the system.
Background technology
Computer viruses are a major problem facing computer applications today: at best they degrade system performance and destroy system stability; at worst they delete files and steal confidential information, causing computer users inconvenience and even economic loss.
Traditionally two means have been used to solve the virus problem in computer use. The first is antivirus software, whose principle is that when the operating system is about to read a file, or when data is transmitted over the network, the antivirus module first examines the file or data content and judges whether it matches predefined virus signatures. If it matches, the content is considered malicious and the antivirus software stops the operating system's file operation. The main drawback of antivirus software is that executable code itself can be transformed: if the virus is compressed or packed, the antivirus signature database loses its effect completely. Newer antivirus software performs behavioural matching by running the code under virtual-machine emulation, but this approach has a very high false-positive rate and often reports normal software as a virus, confusing the user.
The second is disk restore technology, whose principle is to partition a reserved area on the disk, redirect all of the system's disk write operations into the reserved area, and maintain a mapping table between the redirected sectors and the actual sectors. After the system restarts, the reserved-area data and the mapping table of the previous session are discarded. Each boot therefore sees the same system, no trace of the previous session is left, and naturally no virus remains after the restart either. The drawback of disk restore is that it can only restore an entire disk volume, so the whole volume is affected and the granularity of protection is far too coarse; at the same time disk restore must intercept and analyse every disk operation of the system, which has a considerable impact on system performance. If the user has other useful data that must be retained, this can only be achieved by special means, which makes it inconvenient to use.
Summary of the invention
In view of the prior art above, the technical problem to be solved by the present invention is to provide a method for preventing operating system startup files from being infected, so that a virus cannot obtain control of the system by infecting system startup files and thereby running automatically at system boot.
To solve the above technical problem, the present invention adopts the following technical scheme: a method for preventing operating system startup files from being infected, comprising the following steps:
(1) Initialize the protection environment, comprising:
A. Install in the system a protection driver that uses file system filter driver technology, with the protection driver's name entered by the user; said protection driver uses the kernel-mode driver model and is installed in boot-load mode;
B. Create a backup folder, back up the system startup files into it, and create under the system's system32 directory a driver configuration file whose file name is identical to the protection driver's name; said configuration file contains the backup folder path and the unload password;
(2) When the system starts, load the protection driver; the protection driver intercepts file operations and judges the file type: if the file is a system startup file in the backup folder, the operation is forbidden; if it is a system startup file, go to the next step (3); if it is any other file, the operation is passed through;
(3) Judge the type of the file operation and the operating process: if the process is a system process and the file is opened in Executive Image mode, the protection driver takes over the subsequent read operations and reads the corresponding file in the backup folder; in all other cases, the operation is passed through.
Said system refers to the 32-bit operating systems Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista and Windows 7; said system startup files refer to the executable files corresponding to all processes started from system boot until the desktop is entered; said system process refers to the SYSTEM process, the smss.exe process and the processes corresponding to the system startup files that have already been started; said forbidding the operation consists of returning STATUS_ACCESS_DENIED in the IRP_MJ_CREATE handling routine of the file system filter driver; said passing the operation through consists of, in the IRP_MJ_CREATE handling routine of the file system filter driver, delivering the incoming IRP to the lower-level driver and marking the FileObject of this file as a pass-through operation, so that the other routines of the file system filter driver also deliver the IRP directly to the lower level; said taking over the subsequent read operations consists of, in the IRP_MJ_CREATE handling routine of the file system filter driver, having the filter driver open the designated backup file and write the file handle into the FsContext field of the FileObject in the IRP; then, in the subsequent read routine, the driver completes the actual read through a system call according to the handle information in the FsContext field and writes the result into the corresponding fields of the IRP; all subsequent write operations are ignored but reported to the upper layer as successful, guaranteeing that the backed-up file cannot be modified.
Compared with the prior art, the present invention has the following advantages: it protects the system startup files by backing them up, so that a virus cannot run in the system immediately after boot and thereby loses its ability to propagate and break out; because the driver configuration file name is specified by the user and is not fixed, and the kernel driver additionally forbids writes (a double safeguard), the backed-up system startup files are guaranteed to be correct. Because the number of system startup files is very small (relative to the capacity of the whole disk), the disk space required for the backup is far smaller than for disk restore, almost negligible; and because the system startup files are accessed frequently only while the system starts, the method runs very efficiently and hardly affects system performance at all; and while protecting the system startup files, the method does not affect the user's other files.
Accompanying drawing explanation
Fig. 1 is the flow chart of the initialization of the protection environment of the present invention;
Fig. 2 is the flow chart of the specific operation of the present invention.
Embodiment
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 shows the flow chart of the initialization of the protection environment. First, the initialization program renames the protection driver file to the name entered by the user and installs the protection driver in boot-load mode on the system that needs protection; this step is intended to prevent attacks against the protection scheme. Then, under the system's system32 directory, it creates a configuration file whose name is identical to that of the protection driver, whose content is the startup file backup folder path (the program prompts the user to enter it) and the unload password (the program prompts the user to enter it). Next, the startup file backup folder is created. There are three ways to initialize the system startup files: 1. if the system startup files that need protection are already determined (for example in a centralized computer environment where many computers have identical configurations), the system startup files can be placed directly into the backup folder: the program first opens the backup folder directory with a file manager and exits, and the user copies the content into the backup folder manually; 2. from the backup file list selected by the user: the initialization program lists the common system startup files and the current system's startup program list, the user ticks the ones to select, and the program copies the files that need backing up into the backup folder; 3. leave the folder empty: at the next system start, the protection driver automatically identifies and backs up the startup files according to all processes started before the winlogon process.
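The third initialization option above, in which the driver itself decides which images are system startup files, is illustrated by the following added example. It is not the patent's code and nothing in it is a kernel driver: a constructed boot trace (image paths in start order, not a real capture) stands in for the process-creation events the driver would observe, every image started before the first winlogon.exe is treated as a system startup file, and the result is a backup plan mapping each one into the backup folder. The names `plan_backup`, `BackupEntry` and `boot_trace` are mine.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

typedef struct {
    char src[260];   /* original startup file */
    char dst[260];   /* where its copy goes in the backup folder */
} BackupEntry;

/* Case-insensitive comparison; NTFS paths are case-insensitive. */
static bool same_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

static const char *base_name(const char *path)
{
    const char *b = strrchr(path, '\\');
    return b ? b + 1 : path;
}

/* trace: image paths of processes in start order, as the driver would see
 * them during boot. Every image started before the first winlogon.exe is a
 * system startup file; an image started more than once (csrss.exe once per
 * session, for instance) is recorded once. Returns the number of entries. */
size_t plan_backup(const char *const *trace, size_t n, const char *backup_dir,
                   BackupEntry *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (same_ci(base_name(trace[i]), "winlogon.exe"))
            break;                                /* end of the startup phase */
        bool seen = false;
        for (size_t j = 0; j < count && !seen; j++)
            seen = same_ci(out[j].src, trace[i]);
        if (seen)
            continue;
        if (count == max)
            break;
        snprintf(out[count].src, sizeof out[count].src, "%s", trace[i]);
        snprintf(out[count].dst, sizeof out[count].dst, "%s%s",
                 backup_dir, base_name(trace[i]));
        count++;
    }
    return count;
}

/* Constructed boot trace (not a real capture). */
static const char *const boot_trace[] = {
    "C:\\Windows\\system32\\smss.exe",
    "C:\\Windows\\system32\\csrss.exe",
    "C:\\Windows\\system32\\wininit.exe",
    "C:\\WINDOWS\\system32\\csrss.exe",   /* second session, same image */
    "C:\\Windows\\system32\\services.exe",
    "C:\\Windows\\system32\\lsass.exe",
    "C:\\Windows\\system32\\winlogon.exe",
    "C:\\Windows\\explorer.exe",
};
#define BOOT_TRACE_LEN (sizeof boot_trace / sizeof boot_trace[0])

int main(void)
{
    BackupEntry plan[16];
    size_t n = plan_backup(boot_trace, BOOT_TRACE_LEN, "C:\\bootbak\\", plan, 16);
    for (size_t i = 0; i < n; i++)
        printf("copy %s -> %s\n", plan[i].src, plan[i].dst);
    return 0;
}
```

With this trace the plan contains five files (smss, csrss, wininit, services, lsass); explorer.exe and winlogon.exe itself fall outside the window the patent defines, and the second csrss.exe start is collapsed into the first.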
Fig. 2 shows the specific working flow of this method. When the system starts, the protection driver, which consists of a file system filter driver, is loaded and intercepts all file operations. When a file-open operation is intercepted, the full path of the file being opened is obtained first. If it is a backed-up system startup file, the access-denied error code is returned and the file operation is forbidden. If it is not a system startup file, it is allowed through and the file is operated on normally, the IRP being passed directly to the lower-level device. If it is a system startup file, all subsequent operations on this FileObject are taken over: for example, it is determined from the call parameters and the calling process whether this is a normal read by a system process with the file opened in Executive Image mode; if so, the backup folder location is obtained from the configuration file and the backed-up startup file is read; if an attempt to write a backed-up system startup file is detected, the write is forbidden; and if there is a directory-listing operation on the backup folder or on a directory containing it, the backup folder is hidden. In other cases the file at its original location is read; the relevant correspondence information is recorded in the FsContext field of this FileObject, allowing the upper layer to read the content of the corresponding backed-up system startup file.
If the system needs to be upgraded, the driver must first be paused. Pausing the driver requires entering the unload password in the initialization program and selecting the pause function. The protection driver verifies the MD5 code of the program and the password, preventing malicious pausing and unloading. After the driver is paused, the system can be upgraded freely. To start protection again, the initialization program is opened once more; it first updates the backed-up copies of the system startup files that have changed, and then restarts the protection driver.
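The dispatch logic defined in the Summary (deny with STATUS_ACCESS_DENIED, pass through, or take over by parking a backup handle in FsContext) and the Fig. 2 flow just described can be modelled outside the kernel. The following is an added example, not the patent's driver and not kernel code: a user-mode model of the IRP_MJ_CREATE, IRP_MJ_READ and IRP_MJ_WRITE decisions, plus the directory-listing hide from the embodiment, over constructed paths. The backup folder, the startup-file list, the `FileCtx` struct (standing in for FsContext), the functions `on_create`, `on_read`, `on_write` and `hide_entry`, and the numeric status values are all mine; the patent does not name the directory-control IRP, so that mapping is an assumption too.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Constructed stand-ins for the NTSTATUS codes the patent names. */
#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED  1

/* Constructed environment: the backup folder path the driver would read
 * from its configuration file, and the protected startup files. */
static const char *backup_dir = "C:\\bootbak\\";
static const char *startup_files[] = {
    "C:\\Windows\\system32\\smss.exe",
    "C:\\Windows\\system32\\winlogon.exe",
    "C:\\Windows\\system32\\services.exe",
};
#define N_STARTUP (sizeof startup_files / sizeof startup_files[0])

/* Per-open state; stands in for the FsContext field of the FileObject,
 * where the patent stores the handle of the opened backup copy. */
typedef struct {
    enum { MODE_PASSTHROUGH, MODE_TAKEOVER } mode;
    char backup_path[260];   /* handle substitute: the backup file we serve */
} FileCtx;

/* Case-insensitive prefix and equality tests (NTFS paths are case-insensitive). */
static bool prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}
static bool equals_ci(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && prefix_ci(a, b);
}

/* Step (2): classify the path named in the create request. */
enum create_kind { KIND_BACKUP, KIND_STARTUP, KIND_OTHER };
static enum create_kind classify(const char *path)
{
    if (prefix_ci(path, backup_dir))
        return KIND_BACKUP;
    for (size_t i = 0; i < N_STARTUP; i++)
        if (equals_ci(path, startup_files[i]))
            return KIND_STARTUP;
    return KIND_OTHER;
}

/* IRP_MJ_CREATE model. is_system_process and executive_image stand for the
 * calling-process and open-mode checks of step (3). */
int on_create(const char *path, bool is_system_process, bool executive_image,
              FileCtx *ctx)
{
    enum create_kind kind = classify(path);
    ctx->mode = MODE_PASSTHROUGH;
    ctx->backup_path[0] = '\0';

    if (kind == KIND_BACKUP)
        return STATUS_ACCESS_DENIED;        /* the backup copy is never opened directly */

    if (kind == KIND_STARTUP && is_system_process && executive_image) {
        /* Take over: "open" the backup copy and record it in FsContext. */
        const char *base = strrchr(path, '\\');
        base = base ? base + 1 : path;
        snprintf(ctx->backup_path, sizeof ctx->backup_path, "%s%s", backup_dir, base);
        ctx->mode = MODE_TAKEOVER;
    }
    return STATUS_SUCCESS;                  /* pass-through or takeover: open succeeds */
}

/* IRP_MJ_READ model: under takeover the read is served from the backup. */
const char *on_read(const FileCtx *ctx, const char *original_path)
{
    return ctx->mode == MODE_TAKEOVER ? ctx->backup_path : original_path;
}

/* IRP_MJ_WRITE model: under takeover the data is dropped but the caller is
 * told the write succeeded, so the backup copy can never be altered. */
int on_write(const FileCtx *ctx, bool *reached_disk)
{
    *reached_disk = (ctx->mode == MODE_PASSTHROUGH);
    return STATUS_SUCCESS;
}

/* Directory-listing model (embodiment): the backup folder is hidden from
 * enumerations of its parent directory. */
bool hide_entry(const char *parent_dir, const char *entry_name)
{
    char full[260];
    snprintf(full, sizeof full, "%s%s\\", parent_dir, entry_name);
    return equals_ci(full, backup_dir);
}

int main(void)
{
    FileCtx ctx;
    const char *p = "c:\\windows\\system32\\SMSS.EXE";
    on_create(p, true, true, &ctx);
    printf("executive open of smss.exe reads from: %s\n", on_read(&ctx, p));
    printf("open of the backup copy -> status %d\n",
           on_create("C:\\bootbak\\smss.exe", true, true, &ctx));
    printf("bootbak hidden in C:\\ listing: %s\n",
           hide_entry("C:\\", "bootbak") ? "yes" : "no");
    return 0;
}
```

Two points of the patent's design are visible here: a startup file opened by a non-system process, or not as an executive image, is deliberately passed through rather than denied (only reads by the boot-time system processes are redirected), and a write under takeover returns success without touching the backup, which is what keeps an infected original from ever reaching the protected copy.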
Claims (1)
1. A method for preventing operating system startup files from being infected, characterized by comprising the following steps:
(1) Initialize the protection environment, comprising:
A. Install in the system a protection driver that uses file system filter driver technology, with the protection driver's name entered by the user; said protection driver uses the kernel-mode driver model and is installed in boot-load mode;
B. Create a backup folder, back up the system startup files into it, and create under the system's system32 directory a driver configuration file whose file name is identical to the protection driver's name; said configuration file contains the backup folder path and the unload password;
(2) When the system starts, load the protection driver; the protection driver intercepts file operations and judges the file type: if the file is a system startup file in the backup folder, the operation is forbidden; if it is a system startup file, go to the next step (3); if it is any other file, the operation is passed through;
(3) Judge the type of the file operation and the operating process: if the process is a system process and the file is opened in Executive Image mode, the protection driver takes over the subsequent read operations and reads the corresponding file in the backup folder; in all other cases, the operation is passed through;
Said system refers to the 32-bit operating systems Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista and Windows 7; said system startup files refer to the executable files corresponding to all processes started from system boot until the desktop is entered; said system process refers to the SYSTEM process, the smss.exe process and the processes corresponding to the system startup files that have already been started; said forbidding the operation consists of returning STATUS_ACCESS_DENIED in the IRP_MJ_CREATE handling routine of the file system filter driver; said passing the operation through consists of, in the IRP_MJ_CREATE handling routine of the file system filter driver, delivering the incoming IRP to the lower-level driver and marking the FileObject of this file as a pass-through operation, so that the other routines of the file system filter driver also deliver the IRP directly to the lower level; said taking over the subsequent read operations consists of, in the IRP_MJ_CREATE handling routine of the file system filter driver, having the filter driver open the designated backup file and write the file handle into the FsContext field of the FileObject in the IRP; then, in the subsequent read routine, the driver completes the actual read through a system call according to the handle information in the FsContext field and writes the result into the corresponding fields of the IRP; all subsequent write operations are ignored but reported to the upper layer as successful, guaranteeing that the backed-up file cannot be modified.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110136427.0A CN102222185B (en) | 2011-05-25 | 2011-05-25 | Method for preventing operating system starting file from being infected |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102222185A CN102222185A (en) | 2011-10-19 |
CN102222185B true CN102222185B (en) | 2014-02-26 |
Family
ID=44778736
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110136427.0A Expired - Fee Related CN102222185B (en) | 2011-05-25 | 2011-05-25 | Method for preventing operating system starting file from being infected |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102222185B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103778385A (en) * | 2014-02-24 | 2014-05-07 | 联想(北京)有限公司 | Data protection method and device as well as electronic device |
CN104036191B (en) * | 2014-06-11 | 2016-08-24 | 上海睿海信息技术有限公司 | A kind of based on filter Driver on FSD with the control method of file format condition code |
US11439911B2 (en) * | 2020-04-07 | 2022-09-13 | Riot Games, Inc. | Systems and methods for anti-cheat detection |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1373402A (en) * | 2001-02-28 | 2002-10-09 | 廖瑞民 | Hard disk data preserving and restoring device |
CN101231682A (en) * | 2007-01-26 | 2008-07-30 | 李贵林 | Computer information safe method |
CN102012982A (en) * | 2010-11-17 | 2011-04-13 | 许丽涛 | Method and device for protecting safe operation of intelligent device |
- 2011-05-25 CN CN201110136427.0A patent/CN102222185B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN102222185A (en) | 2011-10-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6915420B2 (en) | Method for creating and protecting a back-up operating system within existing storage that is not hidden during operation | |
US7519806B2 (en) | Virtual partition for recording and restoring computer data files | |
US6993649B2 (en) | Method of altering a computer operating system to boot and run from protected media | |
US7979690B1 (en) | System and method for booting a computer from backup | |
US7814554B1 (en) | Dynamic associative storage security for long-term memory storage devices | |
US7953948B1 (en) | System and method for data protection on a storage medium | |
US8856473B2 (en) | Computer system protection based on virtualization | |
US8381231B2 (en) | Deployment and management of virtual containers | |
KR101954623B1 (en) | Apparatus and method for updating software on the virtualized environment | |
CN100389408C (en) | Fixed disk data enciphering back-up and restoring method | |
EP1022655A2 (en) | Computer with bootable secure program | |
US20110265076A1 (en) | System and Method for Updating an Offline Virtual Machine | |
US20180357133A1 (en) | Anti-malware protection using volume filters | |
JP5335622B2 (en) | Computer program that manages the configuration information database | |
KR100766863B1 (en) | Software-installation system using movable data storage and method thereof | |
CN110622163A (en) | Auxiliary storage device with independent recovery area and equipment suitable for auxiliary storage device | |
CN101246458A (en) | Hard disk data protection method and system | |
KR100376435B1 (en) | Apparatus and method for protecting data on computer hard-disk and computer readable recording medium having computer readable programs stored therein for causing computer to perform the method | |
Chubachi et al. | Hypervisor-based prevention of persistent rootkits | |
CN102222185B (en) | Method for preventing operating system starting file from being infected | |
CN101373457A (en) | Hard disk write-protection lock based on USB equipment under Windows environment | |
CN100424652C (en) | Had disk self-recovery protecting method based on embedded operation system | |
TW200422834A (en) | Recovery method for master boot record of hard disk drive | |
CN117056965A (en) | File export management and control method and system for mobile storage equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20140226 Termination date: 20180525 |