CN102479147A - Method and system for intercepting and capturing port data in WinNT operation system - Google Patents


Info

Publication number
CN102479147A
Authority
CN
China
Prior art keywords
read
port
data
write
operation requests
Legal status
Granted
Application number
CN2010105696783A
Other languages
Chinese (zh)
Other versions
CN102479147B (en)
Inventor
陈懿
高志刚
廖峰
胡金辉
陈磊
程双全
张国喜
杨林
赵芯
Current Assignee
Aisino Corp
Original Assignee
Aisino Corp
Application filed by Aisino Corp
Priority to CN201010569678.3A
Publication of CN102479147A
Application granted
Publication of CN102479147B
Current legal status: Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method and a system for intercepting port data in a WinNT operating system. The method comprises the steps of: creating, in kernel mode, a log file corresponding to a port; intercepting each operation request aimed at the port and judging, according to the IO_STACK_LOCATION data structure associated with the I/O request packet (IRP) data structure of the operation request, whether the operation request is a read/write request; if so, saving the data to be read or written by the read/write request into the log file corresponding to the port and then executing the read/write request; otherwise, executing the operation request. With this method and system the cost of intercepting port data can be reduced.

Description

Method and system for intercepting port data in a WinNT operating system
Technical field
The present invention relates to the field of data interception, and in particular to a method and system for intercepting port data in a WinNT operating system.
Background art
Microsoft's WinNT operating systems are 32-bit operating systems based on NT technology and include Windows 2000, Windows 2003 and Windows XP. At present, WinNT operating systems have become the mainstream operating systems on most computers used for routine office work. Office computers usually hold important data, for example financial data, customer lists and statistics of various kinds; if such data leaks out, it can bring huge risk and loss to the organisation. The data that these computers input or output therefore needs to be strictly monitored so as to guarantee the safety of the important data. Because all data a computer inputs or outputs passes through a port, the data can be monitored by monitoring the computer's ports, which inevitably means intercepting the data read from and written to the ports.
Fig. 1 is a structural diagram of an existing system for intercepting port data in a WinNT operating system. As shown in Fig. 1, the prior art connects a dedicated hardware capture device 103 between the port 101 to be monitored and the port read/write device 102. When the port read/write device 102 sends a read request to port 101, the read request is intercepted by the hardware capture device 103; the hardware capture device 103 obtains the data requested by the read from port 101, first stores it in its own storage, and then delivers the data to the port read/write device 102, thereby intercepting the data read from port 101. When the port read/write device 102 sends a write request and the data to be written to port 101, the write request and the data are likewise intercepted by the hardware capture device 103, which first saves the data to be written in its own storage and then delivers the write request and the data to port 101, thereby intercepting the data written to port 101.
It can be seen that the prior art uses a hardware interception approach to capture both the data read from port 101 and the data written to port 101, and effectively guarantees the data security of the computer to which port 101 belongs. However, because the prior art uses hardware capture devices to intercept port data, the number of such devices cannot be less than the number of ports to be monitored; for any organisation that wants to monitor its computers' data, the number of computers to be monitored is usually large, and some computers have several I/O ports to monitor, which makes intercepting computer port data with the prior art very expensive.
Summary of the invention
The technical problem solved by the present invention is to provide a method and system for intercepting port data in a WinNT operating system that reduce the cost of intercepting port data.
The technical solution adopted by the present invention to solve the above problem is as follows: a method for intercepting port data in a WinNT operating system, comprising:
creating, in kernel mode, a log file corresponding to the port;
intercepting each operation request aimed at the port; judging, according to the IO_STACK_LOCATION data structure associated with the IRP data structure of the operation request, whether the operation request is a read/write request; if so, saving the data that the read/write request is to read or write into the log file corresponding to the port and then executing the read/write request; otherwise, executing the operation request.
The beneficial effects of the invention are as follows. In the present invention, because a log file corresponding to the port has been created in kernel mode, after each operation request aimed at the port is intercepted, the IO_STACK_LOCATION data structure associated with the request's IRP data structure is used to judge whether the request is a read/write request; for a read/write request, the data it is to read or write is saved into the log file corresponding to the port and the request is then executed, while operation requests other than read/write requests are executed directly without further handling. The invention can therefore intercept both the data read from a port and the data written to it, monitor the computer's input and output data effectively, and guarantee the safety of the data. At the same time, the port data interception method adopted by the invention is entirely a software method: it only needs to be loaded onto each computer to be monitored, with no dedicated hardware capture device, so the invention greatly reduces the cost of intercepting port data.
On the basis of the above technical solution, the present invention can be further improved as follows.
Further, after the operation request is judged to be a read/write request, the method further comprises: sequentially saving the data that the read/write request is to read or write into a buffer;
and saving the data that the read/write request is to read or write into the log file corresponding to the port is then:
determining the start address and data length at which the data the read/write request is to read or write is kept in the buffer;
according to that start address and data length, taking out of the buffer the data whose start address is that start address in the buffer and whose length is that data length, and saving it into the log file corresponding to the port.
Further, after the operation request is judged to be a read/write request, the method further comprises:
saving the data that the read/write request is to read or write, together with the time at which the read/write request performs the data read or write, into the log file corresponding to the port;
and/or,
saving the data that the read/write request is to read or write, together with a read/write flag, into the log file corresponding to the port.
Further, where the port is more than one port:
creating a log file corresponding to the port is: creating a log file corresponding to each port;
intercepting each operation request aimed at the port is: intercepting each operation request aimed at each port.
Further, the port is a serial interface and/or a parallel interface.
In addition, the present invention also provides a system for intercepting port data in a WinNT operating system, where the port has a port number and the system comprises a log creation and saving module, a filter module and an operation request execution module, wherein:
the log creation and saving module is used to create, in kernel mode, a log file corresponding to the port; to determine, from the port number of the port the read/write request is aimed at, which port the read/write request is aimed at; to save the data that the read/write request passed on by the filter module is to read or write into the log file corresponding to the port the read/write request is aimed at; and to pass the read/write request to the operation request execution module;
the filter module is used to intercept each operation request aimed at the port; to judge, according to the IO_STACK_LOCATION data structure associated with the request's IRP data structure, whether the operation request is a read/write request; to send the data a read/write request is to read or write, together with the port number of the port it is aimed at, to the log creation and saving module; and to send operation requests other than read/write requests to the operation request execution module;
the operation request execution module is used to execute the read/write requests passed on by the log creation and saving module, and to execute the operation requests other than read/write requests passed on by the filter module.
Further, the filter module is further used to sequentially save the data that the read/write request is to read or write into a buffer;
and the log creation and saving module is then used to determine the start address and data length at which the data the read/write request is to read or write is kept in the buffer, and, according to that start address and data length, to take out of the buffer the data whose start address is that start address in the buffer and whose length is that data length, and save it into the log file corresponding to the port the read/write request is aimed at.
Further, the log creation and saving module is further used to save the data that the read/write request is to read or write, together with the time at which the read/write request performs the data read or write, into the log file corresponding to the port; and/or to save the data that the read/write request is to read or write, together with a read/write flag, into the log file corresponding to the port.
Further, where the port is more than one port:
the log creation and saving module is used to create a log file corresponding to each port;
the filter module is used to intercept each operation request aimed at each port.
Further, the port is a serial interface and/or a parallel interface.
Brief description of the drawings
Fig. 1 is a structural diagram of an existing system for intercepting port data in a WinNT operating system;
Fig. 2 is a flow chart of the method for intercepting port data in a WinNT operating system provided by the invention;
Fig. 3 is a structural diagram of the system for intercepting port data in a WinNT operating system provided by the invention.
Detailed description of the embodiments
The principles and features of the present invention are described below with reference to the accompanying drawings; the examples given are only intended to explain the invention, not to limit its scope.
Fig. 2 is a flow chart of the method for intercepting port data in a WinNT operating system provided by the invention. As shown in Fig. 2, the method comprises:
Step 201: create, in kernel mode, a log file corresponding to the port.
Here, unlike other operating systems, WinNT operating systems are designed on a layered principle that divides the operating system into user mode and kernel mode. The core code of the operating system runs in kernel mode and can access physical ports, physical memory and so on directly; non-core code runs in user mode and, to access a physical port, must submit a request to the core code, which carries out the access to the physical port and returns the result to the non-core code when finished. This step therefore creates the log file corresponding to the port in kernel mode, and steps 202 to 205 are likewise carried out in kernel mode of the WinNT operating system, so that port data interception can be implemented in software quickly and conveniently.
In the present invention the number of ports to be monitored may be one or several. Each port has its own port number, and different ports have different port numbers. When an operation request accesses a port, it must be possible to tell which port the request is to operate on, so the operation request can carry the port number to indicate the port it is aimed at.
Where more than one port is to be monitored, the present invention creates one log file corresponding to each port, used to store the data read from or written to that port; data read from or written to different ports is stored in different log files.
Step 202: intercept each operation request aimed at the port.
Here, the operation requests aimed at a port are varied, and each relates to one kind of operation on the port: for example read requests, write requests, open requests and close requests, which respectively read data from the port, write data to the port, open the port and close the port. Only write requests and read requests involve input and output data, so the present invention intercepts all operation requests aimed at the port and then picks out from them the requests that perform a read or write operation on the port, thereby intercepting the data read from and written to the port.
Step 203: according to the IO_STACK_LOCATION data structure associated with the IRP data structure of the operation request, judge whether the operation request is a read/write request; if so, perform steps 204 and 205 in turn, otherwise perform step 205.
Here, when step 202 intercepts an operation request aimed at the port, this step judges whether the request is a read/write request. If it is a read request or a write request, step 204 (saving the data) and step 205 (executing the read/write request) are performed in turn; if it is an operation request other than a read or write request, step 205 is performed directly, executing the request. This way of passing an operation request straight to step 205 is called the pass-through mode.
The operation request can be judged to be a read/write request or not from the IO_STACK_LOCATION data structure associated with its IRP (I/O Request Packet) data structure. In WinNT operating systems an operation request corresponds to an IRP data structure, and every kind of IRP data structure is associated with a kind of IO_STACK_LOCATION data structure; different IRP data structures have different associated IO_STACK_LOCATION data structures, so the IRP data structures of different operation requests have different associated IO_STACK_LOCATION data structures. Therefore the IO_STACK_LOCATION data structure associated with the IRP data structure of an operation request can be used to judge whether the request is a read/write request.
The IO_STACK_LOCATION data structure has several parameters, one of which can be chosen as the basis for the judgement. This particular parameter has the following property: its value in the IO_STACK_LOCATION data structure associated with the IRP of a read request or a write request differs from its value in the IO_STACK_LOCATION data structures associated with the IRPs of other operation requests; furthermore, its value for a read request differs from its value for a write request. Thus, after an operation request aimed at the port is intercepted, this parameter of the IO_STACK_LOCATION data structure can be used to judge whether the request is a read request or a write request, and different handling can then be applied. For example, the MajorFunction parameter of the IO_STACK_LOCATION data structure can be chosen: this parameter indicates the major function code of the IRP data structure associated with the IO_STACK_LOCATION data structure, and its value differs for different IRP data structures, so it can serve as the basis for judging whether an operation request is a read request or a write request.
Specifically, read requests and write requests in WinNT operating systems correspond respectively to the IRP_MJ_READ and IRP_MJ_WRITE IRP data structures, and the MajorFunction parameter in the IO_STACK_LOCATION data structures associated with these two IRP data structures is different. This step can therefore judge from the IO_STACK_LOCATION data structure associated with the IRP data structure of the operation request whether the request is a read/write request, and so determine the subsequent step.
Of course, the present invention can also judge whether the operation request is a read/write request in other ways, for example according to whether the operation request contains a read/write data item.
Step 204: save the data that the read/write request is to read or write into the log file corresponding to the port.
Here, step 203 has judged that the operation request intercepted in step 202 is a read/write request, so, in order to monitor the port's input and output data, this step saves the data the read/write request is to read or write into the log file corresponding to the port that was created in step 201.
For a read request that reads data from the port, the present invention first delivers the data the read request asks for, in accordance with the read request, to a specific storage space, for example a buffer in memory, a specific file on the hard disk, or some other storage space; it then sends the data from that storage space to the log file corresponding to the port to be saved, thereby intercepting the data read from the port. Once the interception is complete, step 205 can be performed.
For a write request that writes data to the port, the present invention first intercepts the data the write request is to write to the port and saves it into the log file corresponding to the port, thereby intercepting the data to be written to the port; it then performs step 205, writing the data to the port in accordance with the write request.
After the data has been saved in the log file, an application program running in user mode can access the log file, learn what data has been read or written by the port corresponding to that log file, and so judge whether a leak has occurred.
Of course, a dedicated virtual filter device can also be created at the application layer to receive requests from application-layer programs and help them access the log file; at the same time, this virtual filter device acts in user mode as the virtual counterpart of the present invention's method, which implements steps 201 to 205 in kernel mode.
Step 205: execute the operation request.
Here, this step performs the corresponding operation on the port according to the operation request. That is, if it follows the interception of the read/write data described in step 204, this step completes the data read or write according to the read/write request; if step 203 judged the intercepted operation request to be an operation request other than a read/write request, this step is performed directly and carries out the corresponding operation according to the request: for example, if the operation request is an open request, this step opens the port.
It can be seen that in the present invention, because a log file corresponding to the port has been created in kernel mode, after each operation request aimed at the port is intercepted, the IO_STACK_LOCATION data structure associated with the request's IRP data structure is used to judge whether the request is a read/write request; for a read/write request, the data it is to read or write is saved into the log file corresponding to the port and the request is then executed, while operation requests other than read/write requests are executed directly without further handling. The invention can therefore intercept both the data read from a port and the data written to it, monitor the computer's input and output data effectively, and guarantee the safety of the data. At the same time, the port data interception method adopted by the invention is entirely a software method: it only needs to be loaded onto each computer to be monitored, with no dedicated hardware capture device, so the invention greatly reduces the cost of intercepting port data.
WinNT operating systems are an improvement over Win9x operating systems: their ports can be accessed without exclusive ownership. This means that on a computer running a WinNT operating system, a device or application program need not apply for the right to use a port before accessing it, nor release that right after the access is finished.
After step 203 judges that an operation request is a read/write request, the method further comprises: sequentially saving the data that the read/write request is to read or write into a buffer;
and the saving in step 204 of the data that the read/write request is to read or write into the log file corresponding to the port is then: determining the start address and data length at which the data is kept in the buffer;
and, according to that start address and data length, taking out of the buffer the data whose start address is that start address in the buffer and whose length is that data length, and saving it into the log file corresponding to the port.
Here, because the speed at which the port reads or writes data differs from the data transfer speed of the circuitry beyond the port, the present invention saves the data the read/write request is to read or write into a buffer, which matches the two speeds. It also means that after step 204 has saved the data into the log file, there is no need to fetch the data from the port again in order to read from the port, or to fetch it from the computer again in order to write it to the port, which saves read/write time.
The data to be read or written is saved into the buffer sequentially, so that once the start address and data length of the data in the buffer have been determined the data can be taken out easily. If the data were instead saved into the buffer non-sequentially, the start address and data length recorded for it would not be enough to take all of it out, which would make extraction harder; the present invention therefore saves the data into the buffer sequentially, greatly simplifying its retrieval from the buffer.
After step 203 judges that the operation request is a read/write request, the method further comprises:
saving the data that the read/write request is to read or write, together with the time at which the read/write request performs the data read or write, into the log file corresponding to the port;
saving the data that the read/write request is to read or write, together with a read/write flag, into the log file corresponding to the port.
Here, the read/write flag can be a read flag or a write flag: a read flag means that the data corresponding to it was read from the port, and a write flag means that the data corresponding to it was written to the port.
Saving the data that the read/write request is to read or write together with the time at which the read/write request performs the read or write into the log file corresponding to the port makes it possible to determine, in addition, when the data was read or written, so that the invention's monitoring of port input and output data is more effective and convenient.
Likewise, saving the data that the read/write request is to read or write together with the read/write flag into the log file corresponding to the port makes it possible to determine, in addition, whether the saved data was read from the port or written to the port, again making the invention's monitoring of port input and output data more effective and convenient.
In the present invention the port may be more than one port, in which case:
the method of creating a log file corresponding to the port in step 201 is: creating a log file corresponding to each port;
the method of intercepting each operation request aimed at the port in step 202 is: intercepting each operation request aimed at each port.
Here, the number of ports monitored with the present invention can be one, or two or more. If there are two or more ports, the invention can monitor them simultaneously in real time, or, of course, monitor them at different times.
For each port, the present invention creates a separate corresponding log file in step 201 and intercepts each operation request aimed at each port in step 202; in this way the invention can intercept and monitor data on one or more ports in real time, simultaneously or not.
The port in the present invention can be a serial interface or a parallel interface, and can of course be another kind of port, for example an infrared interface, a Bluetooth interface or a USB interface; as long as the port can input and output data, it falls within the protection scope of the invention.
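The following is an added example and is not code from the patent or from Aisino: a user-mode C model of the filter logic described in steps 203 to 205, together with the sequential buffer and start-address/length extraction, the time and read/write flag stored with each record, and one log per port. The IRP and IO_STACK_LOCATION structs, the simulated lower device, the in-memory logs and every function name are constructed stand-ins; only the IRP_MJ_* codes are the real WDM major function values. A real driver would run this decision in a WDM filter's dispatch and completion routines and write the records to a file; here the logs are kept in memory so the model runs anywhere.

```c
/* User-mode model of the patent's kernel-mode port filter (constructed example, not
 * Aisino's code). The structs are minimal stand-ins for the WDM IRP and
 * IO_STACK_LOCATION, not the ntddk.h definitions; the IRP_MJ_* codes are real. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

#define IRP_MJ_CREATE 0x00   /* open request  */
#define IRP_MJ_CLOSE  0x02   /* close request */
#define IRP_MJ_READ   0x03   /* read request  */
#define IRP_MJ_WRITE  0x04   /* write request */
#define MAX_PORTS 4          /* monitored ports, one log per port (step 201) */
#define LOG_CAP   16         /* records per in-memory "log file" */
#define BUF_CAP   256        /* sequential staging buffer */
#define DATA_CAP  64         /* payload kept per record */

typedef struct { uint8_t MajorFunction; } IoStackLocation;  /* stand-in */
typedef struct {             /* stand-in for an IRP aimed at one port */
    IoStackLocation stack;   /* what IoGetCurrentIrpStackLocation() would return */
    uint8_t port;            /* port number carried by the request */
    uint8_t *buffer;         /* data to write, or destination of a read */
    size_t length;
} Irp;
typedef struct {             /* one record in a port's log file */
    time_t when;             /* time the read/write was performed */
    char flag;               /* 'R' = read from port, 'W' = written to port */
    size_t length;
    uint8_t data[DATA_CAP];
} LogRecord;
typedef struct { LogRecord rec[LOG_CAP]; size_t count; } PortLog;

static PortLog g_logs[MAX_PORTS];   /* the per-port log files, kept in memory here */
static uint8_t g_buf[BUF_CAP];      /* staging buffer, filled in order */
static size_t g_buf_used;

/* Simulated lower device (the real port driver); a read returns a fixed pattern. */
static void lower_device_io(Irp *irp) {
    if (irp->stack.MajorFunction == IRP_MJ_READ)
        for (size_t i = 0; i < irp->length; i++) irp->buffer[i] = (uint8_t)('a' + i % 26);
}

/* Append bytes to the staging buffer in order and return their start address, so the
 * log step can lift exactly [first, first+len) out again. */
static size_t stage_in_buffer(const uint8_t *data, size_t len) {
    if (g_buf_used + len > BUF_CAP) g_buf_used = 0;   /* model only: restart at 0 */
    size_t first = g_buf_used;
    memcpy(g_buf + first, data, len);
    g_buf_used += len;
    return first;
}

/* Copy [first, first+len) from the buffer into the port's log with time and R/W flag. */
static int save_to_log(uint8_t port, char flag, size_t first, size_t len) {
    if (port >= MAX_PORTS || len > DATA_CAP || g_logs[port].count >= LOG_CAP) return -1;
    LogRecord *r = &g_logs[port].rec[g_logs[port].count++];
    r->when = time(NULL);
    r->flag = flag;
    r->length = len;
    memcpy(r->data, g_buf + first, len);
    return 0;
}

/* Steps 203-205: returns 1 if the request was logged, 0 if passed through. */
int filter_dispatch(Irp *irp) {
    uint8_t mj = irp->stack.MajorFunction;
    if (mj != IRP_MJ_READ && mj != IRP_MJ_WRITE) {
        lower_device_io(irp);           /* pass-through: hand the IRP straight down */
        return 0;
    }
    if (irp->length > DATA_CAP) return -1;   /* model limit; a driver would chunk */
    if (mj == IRP_MJ_WRITE) {           /* capture before the bytes reach the port */
        save_to_log(irp->port, 'W', stage_in_buffer(irp->buffer, irp->length), irp->length);
        lower_device_io(irp);
    } else {                            /* let the port fill the buffer first (a driver
                                           does this in the IRP completion routine) */
        lower_device_io(irp);
        save_to_log(irp->port, 'R', stage_in_buffer(irp->buffer, irp->length), irp->length);
    }
    return 1;
}

size_t log_count(uint8_t port) { return port < MAX_PORTS ? g_logs[port].count : 0; }
const LogRecord *log_record(uint8_t port, size_t i) {
    return i < log_count(port) ? &g_logs[port].rec[i] : NULL;
}

/* Constructed scenario: open port 1, write "hello" to port 1, read 4 bytes from port 2.
 * Returns how many of the three requests were logged. */
int run_sample(void) {
    memset(g_logs, 0, sizeof g_logs);
    g_buf_used = 0;
    uint8_t payload[] = "hello", readbuf[8];
    Irp reqs[] = { {{IRP_MJ_CREATE}, 1, NULL, 0},
                   {{IRP_MJ_WRITE},  1, payload, 5},
                   {{IRP_MJ_READ},   2, readbuf, 4} };
    int logged = 0;
    for (size_t i = 0; i < 3; i++) logged += filter_dispatch(&reqs[i]);
    return logged;
}

int main(void) {
    printf("%d of 3 requests logged\n", run_sample());
    for (uint8_t p = 0; p < MAX_PORTS; p++)
        for (size_t i = 0; i < log_count(p); i++) {
            const LogRecord *r = log_record(p, i);
            printf("port %u %c %zu bytes: %.*s\n", (unsigned)p, r->flag, r->length,
                   (int)r->length, (const char *)r->data);
        }
    return 0;
}
```

The open request takes the pass-through branch untouched, the write is captured before it reaches the port, and the read is captured only after the lower device has filled the caller's buffer, which is the ordering the description gives for the two cases. When reviewing a filter of this kind, the property worth checking is that the capture path never changes the request's buffer or result: the monitored application must see exactly what the port delivered, and the log must hold the same bytes.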
Each of the above methods is implemented in software, which can be developed with the DDK2006 driver development tool released by Microsoft and the DriverStudio toolkit developed by Compuware.
Because the port can be a serial interface, a parallel interface or another kind of interface, the drivers of these interfaces differ, which means that the read/write speed and read/write format of these ports differ, and there may also be more than one port of each kind. Therefore, before the log file corresponding to the port is created in step 201, the parameters of each port can be recorded first, forming a configuration file that records the parameters of every port; when the log file corresponding to a port is then created in step 201, the parameter information of that port can be obtained from this configuration file, so that different log files are created for different ports.
The interception of each operation request aimed at the port in step 202 can be carried out by the KLowerDevice class and the KFilterDevice class encapsulated by DriverStudio: the present invention uses the constructor of the KLowerDevice class together with the port parameters in the configuration file to specify the port to be monitored, and then uses the constructor of the KFilterDevice class to set up a virtual filter device at the application layer; once the virtual filter device has been set up, it can intercept each operation request at the application layer. The constructor of the KLowerDevice class has the form:
KLowerDevice(
    PUNICODE_STRING name,
    ACCESS_MASK access);
Here name is the name of the monitored port and access is the mode of access to the port; common access modes include reading the port, writing the port, and reading and writing the port.
The constructor of the KFilterDevice class has the form:
KFilterDevice(
    PCWSTR NameOfDeviceToFilter,
    ULONG DevType,
    ULONG DevFlags);
Here NameOfDeviceToFilter is the name of the virtual filter device; DevType is the type of the virtual filter device, which includes serial interface, parallel interface and so on; DevFlags is the flags of the virtual filter device, which include exclusive access, buffered access and so on.
Once the virtual filter device has been set up at the application layer, its name appears in the device management of the WinNT operating system, so that in user mode an application-layer program can view the data in the log file by operating this virtual filter device directly.
The port data interception scheme provided by the invention has been verified under the Windows XP operating system, which demonstrates the feasibility of this software for WinNT operating systems.
Fig. 3 is a structural diagram of the system for intercepting port data in the WinNT operating system provided by the present invention. Each port in this system has a port number. As shown in Fig. 3, the system comprises a log creation and saving module 301, a filtering module 302 and an operation request execution module 303, wherein:
The log creation and saving module 301 is used to create, in kernel mode, the log file corresponding to a port; to determine, from the port number of the port at which a read/write request is directed, the port at which the read/write request is directed; to save the data to be read or written by the read/write request sent by the filtering module 302 into the log file corresponding to the port at which the read/write request is directed; and to send the read/write request to the operation request execution module 303;
The filtering module 302 is used to intercept each operation request directed at a port; to determine, from the IO_STACK_LOCATION data structure associated with the IRP data structure of the operation request, whether the operation request is a read/write request; to send the data to be read or written by a read/write request, together with the port number of the port at which the read/write request is directed, to the log creation and saving module 301; and to send operation requests other than read/write requests to the operation request execution module 303;
The operation request execution module 303 is used to execute the read/write requests sent by the log creation and saving module 301, and to execute the operation requests other than read/write requests sent by the filtering module 302.
Here, each port has its own port number, which identifies the port; this makes it convenient for the log creation and saving module 301 to create the log file corresponding to each port, to determine the port at which the various operation requests, including read/write requests, are directed, and to read from and write to the port.
In this system, the filtering module 302 is used to determine, from the IO_STACK_LOCATION data structure associated with the IRP data structure of an operation request, whether the operation request is a read/write request.
In the WinNT operating system, each operation request corresponds to an IRP data structure, and each kind of IRP data structure is associated with an IO_STACK_LOCATION data structure; different IRP data structures are associated with different IO_STACK_LOCATION data structures. The IO_STACK_LOCATION data structures associated with the IRP data structures of different operation requests therefore also differ, which is reflected in specific parameters of the IO_STACK_LOCATION data structure, for example the MajorFunction parameter. For instance, an open request, a close request, a read request and a write request correspond to four different IRP data structures, and the MajorFunction parameter in the IO_STACK_LOCATION data structure associated with each of these IRP data structures is different. Thus an operation request can be identified as a read request when the MajorFunction parameter in the IO_STACK_LOCATION data structure associated with its IRP data structure is IRP_MJ_READ, and as a write request when that MajorFunction parameter is IRP_MJ_WRITE. What the present invention needs to do is intercept the raw data read from or written to the port; hence the filtering module 302 only needs to intercept the data related to read/write requests, while operation requests of other types can simply be handled in pass-through mode, that is, processed directly according to the corresponding operation request.
Because the ports of a computer are varied (a port may be a serial port, a parallel port, an infrared interface, a Bluetooth interface, a USB interface, etc.) and the data read/write format and speed differ from port to port, the port number makes it easy to perform the corresponding operations on different types of port. For example, if the port number Port=1 denotes a serial port, then the log creation and saving module 301 needs to create the log file corresponding to this serial port; on receiving from the filtering module 302 a read request with port number 1, it determines that the port at which this read request is directed is this serial port and saves the corresponding data into the log file corresponding to the serial port; finally the operation request execution module 303 executes the read request and the data are read.
The various port parameters, including the port number, can be recorded in a predefined configuration file; by reading this configuration file, the number and the other parameters of each port can easily be obtained, so that the corresponding operations, such as reading from or writing to the port, opening the port and closing the port, can be carried out.
In this system, because the log creation and saving module 301 has created the log file corresponding to the port in kernel mode, the filtering module 302, after intercepting each operation request directed at the port, can determine whether the intercepted operation request is a read/write request. For a read/write request, the log creation and saving module 301 saves the data to be read or written into the log file corresponding to the port and the operation request execution module 303 then executes the read/write request; operation requests other than read/write requests are not processed and are simply executed directly by the operation request execution module 303. The present invention can therefore intercept both the data read from a port and the data written to a port, effectively monitoring the input and output data of the computer and ensuring the security of the data. At the same time, every module in the port data interception system proposed by the present invention is a software module: the data interception function is realized merely by loading this software onto each computer to be monitored, without any special hardware capture device; the present invention therefore greatly reduces the cost of intercepting port data.
In this system, the filtering module 302 is further used to save the data to be read or written by a read/write request into a buffer sequentially;
and the log creation and saving module 301 is then used to determine the start address and data length at which the data to be read or written by the read/write request are stored in the buffer, and, according to that start address and data length, to take the data of that length starting at that start address out of the buffer and save them into the log file corresponding to the port at which the read/write request is directed.
Here, the buffer matches the port read/write speed to the line transmission speed and also serves as a data cache, saving data read/write time and improving the speed of computer data monitoring.
The buffer can be a buffer in memory or a particular storage area on the hard disk; no additional hardware storage device is needed, since the storage devices already present in the computer can be used.
The filtering module 302 saves the data into the buffer sequentially; in this way the log creation and saving module 301 can take the data out of the buffer from just the start address and length of the data in the buffer. Otherwise the log creation and saving module 301 could not read the data out of the buffer from the start address and data length alone and would have to use other, more complicated methods.
In this system, the log creation and saving module 301 is further used to save the data to be read or written by a read/write request into the log file corresponding to the port in association with the time at which the read/write request performs the data read/write, and/or in association with a read/write flag of the read/write request.
Here, saving in the log file the time of the data read/write and the read/write flag together with the data makes it possible to further determine whether the data were read from the port or written to the port and when they were read or written, which makes the present invention's monitoring of port input/output data more effective and convenient.
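The request classification by MajorFunction, the sequential buffer hand-off by start address and length, and the time and read/write flag in each log entry are modelled below in a user-mode C example added here; it is not the patent's code, which is a DriverStudio kernel driver. The IRP_MJ_* values are the real WinNT codes, while the Irp and IoStackLocation structs, the CaptureRecord, the "port<N>.log" naming and the port numbers are constructed stand-ins, not ntddk.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Major function codes the filter inspects; values are the real WinNT ones. */
enum { IRP_MJ_CREATE = 0x00, IRP_MJ_CLOSE = 0x02,
       IRP_MJ_READ = 0x03, IRP_MJ_WRITE = 0x04 };

/* Simplified stand-ins for IO_STACK_LOCATION and IRP (not ntddk.h). */
typedef struct { uint8_t MajorFunction; } IoStackLocation;
typedef struct {
    IoStackLocation stack;   /* what IoGetCurrentIrpStackLocation would yield */
    const uint8_t *buffer;   /* data the request reads or writes */
    size_t length;           /* number of bytes in that data */
    int port;                /* port number from the configuration file */
} Irp;
#define CAPTURE_BUF_SIZE 4096
typedef struct { uint8_t mem[CAPTURE_BUF_SIZE]; size_t used; } CaptureBuffer;
/* Record handed from filtering module 302 to log module 301: start address
 * and length inside the buffer, port number, read/write flag and time. */
typedef struct { int port; size_t start; size_t length; char rw; time_t when; } CaptureRecord;

/* Filtering module: returns 1 for a read/write request whose data were
 * appended to the buffer, 0 for any other request (pass-through), and
 * -1 when the buffer has no room and must be drained first. */
int filter_request(CaptureBuffer *buf, const Irp *irp, CaptureRecord *rec)
{
    uint8_t mj = irp->stack.MajorFunction;
    if (mj != IRP_MJ_READ && mj != IRP_MJ_WRITE)
        return 0;
    if (irp->length > CAPTURE_BUF_SIZE - buf->used)
        return -1;
    memcpy(buf->mem + buf->used, irp->buffer, irp->length);  /* sequential append */
    rec->port = irp->port;
    rec->start = buf->used;          /* start address inside the buffer */
    rec->length = irp->length;
    rec->rw = (mj == IRP_MJ_READ) ? 'R' : 'W';
    rec->when = time(NULL);
    buf->used += irp->length;
    return 1;
}

/* Log module: per-port log file name, one file per port number (constructed scheme). */
int port_log_name(int port, char *out, size_t outsz)
{
    return snprintf(out, outsz, "port%d.log", port);
}

/* Log module: take the bytes out of the buffer by start address and length
 * and format one entry as "<time> <R|W> <length> <hex data>". */
int log_format_entry(const CaptureBuffer *buf, const CaptureRecord *rec,
                     char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%ld %c %zu ", (long)rec->when, rec->rw, rec->length);
    for (size_t i = 0; i < rec->length && n >= 0 && (size_t)n + 3 <= outsz; i++)
        n += snprintf(out + n, outsz - n, "%02x", buf->mem[rec->start + i]);
    return n;
}

int main(void)
{
    const uint8_t sample[] = "hello";             /* constructed payload */
    CaptureBuffer buf = {{0}, 0};
    CaptureRecord rec;
    Irp read_req = {{IRP_MJ_READ}, sample, 5, 1};
    char name[32], line[128];
    if (filter_request(&buf, &read_req, &rec) == 1) {
        port_log_name(rec.port, name, sizeof name);
        log_format_entry(&buf, &rec, line, sizeof line);
        printf("%s: %s\n", name, line);
    }
    return 0;
}
```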
The system may have more than one port, in which case:
the log creation and saving module 301 is used to create the log file corresponding to each port;
the filtering module 302 is used to intercept each operation request directed at each port.
In addition, the port in the present invention may be a serial port, a parallel port, or another kind of port that provides an input/output function.
It can be seen that the present invention has the following advantages:
(1) In the present invention, because the log file corresponding to the port has been created in kernel mode, after each operation request directed at the port is intercepted, whether it is a read/write request is determined from the IO_STACK_LOCATION data structure associated with the IRP data structure of the operation request; for a read/write request, the data to be read or written are saved into the log file corresponding to the port and the read/write request is then executed, while operation requests other than read/write requests are not processed and are simply executed directly. The present invention can therefore intercept both the data read from a port and the data written to a port, effectively monitoring the input and output data of the computer and ensuring the security of the data. At the same time, the port data interception method adopted by the present invention is entirely a software method: the data interception function is realized merely by loading this software onto each computer to be monitored, without any special hardware capture device; the present invention therefore greatly reduces the cost of intercepting port data.
(2) In the present invention, the data to be read or written by a read/write request are saved into the buffer sequentially, which greatly simplifies taking the data out of the buffer.
(3) In the present invention, the data to be read or written by a read/write request are saved into the log file corresponding to the port together with the time of the data read/write and the read/write flag, so that the time at which the data were read or written can further be determined, which makes the present invention's monitoring of port input/output data more effective and convenient.
(4) The present invention only requires the corresponding monitoring software to be installed under the WinNT operating system in order to intercept port data; compared with the prior art, the present invention is therefore simple, secure and convenient to use.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for intercepting port data in a WinNT operating system, characterized in that the method comprises:
creating, in kernel mode, a log file corresponding to a port;
intercepting each operation request directed at the port; determining, from the IO_STACK_LOCATION data structure associated with the IRP data structure of said operation request, whether said operation request is a read/write request; if so, saving the data to be read or written by said read/write request into the log file corresponding to the port and then executing said read/write request; otherwise, executing said operation request.
2. The method according to claim 1, characterized in that, after determining that said operation request is a read/write request, the method further comprises: saving the data to be read or written by said read/write request into a buffer sequentially;
and said saving the data to be read or written by said read/write request into the log file corresponding to the port is:
determining the start address and data length at which the data to be read or written by said read/write request are stored in said buffer;
according to the start address and data length at which the data to be read or written by said read/write request are stored in said buffer, taking the data of said data length starting at said start address out of said buffer and saving them into the log file corresponding to the port.
3. The method according to claim 1 or 2, characterized in that, after determining that said operation request is a read/write request, the method further comprises:
saving the data to be read or written by said read/write request into the log file corresponding to the port in association with the time at which said read/write request performs the data read/write;
and/or,
saving the data to be read or written by said read/write request into the log file corresponding to the port in association with a read/write flag of said read/write request.
4. The method according to claim 1 or 2, characterized in that said port is more than one port, and:
said creating a log file corresponding to a port is: creating a log file corresponding to each port;
said intercepting each operation request directed at the port is: intercepting each operation request directed at each port.
5. The method according to claim 1 or 2, characterized in that said port is a serial port and/or said port is a parallel port.
6. A system for intercepting port data in a WinNT operating system, said port having a port number, characterized in that the system comprises a log creation and saving module, a filtering module and an operation request execution module, wherein:
said log creation and saving module is used to create, in kernel mode, a log file corresponding to a port; to determine, from the port number of the port at which said read/write request is directed, the port at which said read/write request is directed; to save the data to be read or written by the read/write request sent by said filtering module into the log file corresponding to the port at which said read/write request is directed; and to send said read/write request to said operation request execution module;
said filtering module is used to intercept each operation request directed at a port; to determine, from the IO_STACK_LOCATION data structure associated with the IRP data structure of said operation request, whether said operation request is a read/write request; to send the data to be read or written by a read/write request, together with the port number of the port at which said read/write request is directed, to said log creation and saving module; and to send operation requests other than read/write requests to said operation request execution module;
said operation request execution module is used to execute said read/write request sent by said log creation and saving module, and to execute the operation requests other than said read/write request sent by said filtering module.
7. The system according to claim 6, characterized in that
said filtering module is further used to save the data to be read or written by said read/write request into a buffer sequentially;
and said log creation and saving module is then used to determine the start address and data length at which the data to be read or written by said read/write request are stored in said buffer, and, according to that start address and data length, to take the data of said data length starting at said start address out of said buffer and save them into the log file corresponding to the port at which said read/write request is directed.
8. The system according to claim 6 or 7, characterized in that said log creation and saving module is further used to save the data to be read or written by said read/write request into the log file corresponding to the port in association with the time at which said read/write request performs the data read/write, and/or in association with a read/write flag of said read/write request.
9. The system according to claim 6 or 7, characterized in that said port is more than one port, and:
said log creation and saving module is used to create a log file corresponding to each port;
said filtering module is used to intercept each operation request directed at each port.
10. The system according to claim 6 or 7, characterized in that said port is a serial port and/or said port is a parallel port.
CN201010569678.3A 2010-11-26 2010-11-26 Method and system for intercepting and capturing port data in WinNT operation system Active CN102479147B (en)

Publications (2)

Publication Number Publication Date
CN102479147A true CN102479147A (en) 2012-05-30
CN102479147B CN102479147B (en) 2015-06-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant