CN102855433B - A method and device for file unlocking - Google Patents

A method and device for file unlocking

Info

Publication number: CN102855433B
Authority: CN (China)
Prior art keywords: file, destination, routine, path, described file
Legal status: Active - Reinstated
Application number: CN201110175399.3A
Other languages: Chinese (zh)
Other versions: CN102855433A (en)
Inventors: 王宇, 周鸿祎
Current assignee: 3600 Technology Group Co ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Filing date
Publication date
Events: application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201110175399.3A; publication of CN102855433A; application granted; publication of CN102855433B; legal status Active - Reinstated; anticipated expiration.

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a method and a device for file unlocking. The method comprises: calling the operating system's application programming interface (API) to open a target file; if the target file cannot be opened, judging whether the return value belongs to a preset kind; if so, calling a custom application programming interface for file opening to operate on the target file, which specifically comprises: obtaining a file operation request, the request containing the caller's input parameters, the input parameters including a file path; looking up the corresponding file object parse routine in the Object Manager according to the file path; and, if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the original address of a preset file system base device. The invention can identify and counter the file self-protection behaviour of malicious programs, so as to strengthen the ability to fight driver-level malicious programs in complex client environments.

Description

A method and device for file unlocking
Technical field
The present invention relates to the technical field of computer security, and in particular to a method for file unlocking and a device for file unlocking.
Background art
A computer virus is a set of computer instructions or program code that its author inserts into a computer program, which destroys computer functions or data, affects the use of the computer, and is able to replicate itself. Once a computer is infected, the infection usually shows itself as files being added, deleted, renamed, having their attributes changed, or being moved to other directories. These operations of the virus on computer files may cause a series of problems, such as normal programs failing to run, the operating system crashing, the computer being remotely controlled, and user information being stolen.
To ensure the safe operation of a computer, files infected by a virus need to be scanned and cleaned, so as to prevent and remove the damage done by the virus. In the field of security software, "deletion" versus "anti-deletion" of infected computer files is one of the perennial themes of the contest between security software and malicious programs (computer viruses).
Prior-art viruses often add locks to infected files by means such as file permissions, owner restrictions and exclusive file-sharing attributes; conventional means cannot break these locks, so the infected file cannot be deleted, and the lock stops antivirus software from cleaning it. The scanning and cleaning process of security software can be understood as unlocking the infected file and then shredding it. Existing security software has only a single means of unlocking and shredding infected files, cannot strip away the layers of protection set up around the infected file, and so its ability to fight back is weak. Conventional security software vendors solve only part of the "anti-deletion" problem; in the attack-and-defence contest at operating-system kernel level they are often somewhat powerless, and their ability to fight driver-level malicious programs (rootkits) is weak.
Therefore, a technical problem that those skilled in the art urgently need to solve is to propose a file-unlocking mechanism that provides not only attack and defence in operating-system user mode but also attack and defence in operating-system kernel mode, so that in complex client environments the file self-protection behaviour of malicious programs can be identified and countered, strengthening the ability to fight driver-level malicious programs.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for file unlocking, so as to strengthen the ability to fight driver-level malicious programs.
The present invention also provides a device for file unlocking, in order to guarantee the application and realization of the above method in practice.
To solve the above problem, an embodiment of the invention discloses a method for file unlocking, comprising:
calling the operating system application programming interface (API) to open a target file;
if the target file cannot be opened, judging whether its return value belongs to a preset kind;
if so, calling a custom application programming interface for file opening to operate on the target file, which specifically comprises:
obtaining a file operation request, the request containing the caller's input parameters, the input parameters including a file path;
looking up the corresponding file object parse routine in the Object Manager according to the file path;
if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the original address of a preset file system base device.
Preferably, the I/O request packet contains file operation information extracted from the file operation request, and after the I/O request packet has been sent to the original address of the preset file system base device, the step of calling the custom application programming interface for file opening to operate on the target file further comprises:
the file system base device executing the file operation corresponding to the file operation information.
Preferably, the file operation request comprises a target-file open request, the file operation information comprises a target-file open operation, and the file system base device executes the operation of opening the target file according to the file operation information.
Preferably, the file operation request further comprises a target-file delete request, the file operation information further comprises a target-file delete operation, and the file system base device, after opening the target file, executes the delete operation on the target file according to the file operation information.
Preferably, the preset kind comprises the exclusive file-sharing-attribute type.
Preferably, the preset kind further comprises the file-permission and owner-restriction type.
Preferably, the step of looking up the corresponding file object parse routine in the Object Manager according to the file path specifically comprises the following sub-steps:
Sub-step S1: judge whether the file path has been completely disassembled; if not, perform sub-step S2; if so, perform sub-step S4;
Sub-step S2: disassemble the next path segment to be processed out of the file path according to the path separator;
Sub-step S3: search the Object Manager with the currently disassembled path segment and judge whether a corresponding file object routine exists; if so, return to sub-step S1; if not, perform sub-step S5;
Sub-step S4: obtain the file object parse routine corresponding to the file path;
Sub-step S5: return the information that no corresponding file object parse routine was found.
An embodiment of the invention further discloses a device for file unlocking, comprising:
an API calling module, for calling the operating system application programming interface (API) to open a target file;
a return code judging module, for judging, when the target file cannot be opened, whether its return value belongs to a preset kind, and if so calling the file penetration operation module;
a file penetration operation module, for calling a custom application programming interface for file opening to operate on the target file, specifically comprising:
a kernel-mode request obtaining sub-module, for obtaining a file operation request, the request containing the caller's input parameters, the input parameters including a file path;
a kernel-mode object parsing sub-module, for looking up the corresponding file object parse routine in the Object Manager according to the file path, and, if the corresponding file object parse routine is found, calling the kernel-mode IRP generating and sending sub-module;
a kernel-mode IRP generating and sending sub-module, for generating an I/O request packet according to the file object parse routine and sending it to the original address of a preset file system base device.
Preferably, the I/O request packet contains file operation information extracted from the file operation request, and the file system base device is used for executing the file operation corresponding to the file operation information.
Preferably, the file operation request comprises a target-file open request, the file operation information comprises a target-file open operation, and the file system base device executes the operation of opening the target file according to the file operation information.
Preferably, the file operation request further comprises a target-file delete request, the file operation information further comprises a target-file delete operation, and the file system base device, after opening the target file, executes the delete operation on the target file according to the file operation information.
Preferably, the preset kind comprises the exclusive file-sharing-attribute type.
Preferably, the preset kind further comprises the file-permission and owner-restriction type.
Preferably, the kernel-mode object parsing sub-module specifically comprises the following units:
a file path disassembling unit, for disassembling the path segments out of the file path step by step according to the path separator;
an Object Manager searching unit, for searching the Object Manager with the currently disassembled path segment to find the corresponding file object routine.
Compared with the prior art, the present invention has the following advantages:
The present invention implements a complete file operation call library for the operating-system user-mode interface; when the operating system API cannot open the target file and its return value is the exclusive file-sharing-attribute type, or the file-permission and owner-restriction type, the custom application programming interface (BAPI) implemented by the present invention is called to perform the file unlocking and shredding operation on the target file. The present invention provides not only attack and defence in operating-system user mode but also attack and defence in operating-system kernel mode; in complex client environments it identifies and counters the file self-protection behaviour of malicious programs, strengthening the ability to fight driver-level malicious programs.
In the present invention, the caller process initiates a file operation request and calls the corresponding custom file operation interface routine; the operating-system kernel-mode driver obtains and verifies the request coming from user mode, builds a query data structure, parses the passed-in file path in a loop, and finally finds the object type maintained in the Object Manager. This process effectively counters the danger of hijacking inside kernel mode. After this, the kernel-mode driver builds and fills an IRP request packet and sends it to the original address of the predetermined file system base device; the third-party filter drivers on the file system call stack, including other security software and driver-level malicious programs, can thus be penetrated. This both effectively avoids the potential incompatibility that would arise from interfering with the file operations of other security software and strengthens the ability to fight driver-level malicious programs.
The file path parsing method adopted in embodiments of the present invention can also parse the target file path dynamically: for example, for dynamically mapped network drives and DOS-style file paths, the correspondence between the drive and the file system base device object is obtained dynamically by searching the Object Manager, so embodiments of the invention have the further advantage of wide applicability and many suitable scenarios.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of an embodiment of the file-unlocking method of the present invention;
Fig. 2 is a flow chart of the steps of looking up the corresponding file object parse routine in the Object Manager according to the file path, in a preferred embodiment of the present invention;
Fig. 3 is the first schematic diagram of a search in the Object Manager in a concrete example of the present invention;
Fig. 4 is the second schematic diagram of a search in the Object Manager in a concrete example of the present invention;
Fig. 5 is the third schematic diagram of a search in the Object Manager in a concrete example of the present invention;
Fig. 6 is the fourth schematic diagram of a search in the Object Manager in another concrete example of the present invention;
Fig. 7 is the fifth schematic diagram of a search in the Object Manager in another concrete example of the present invention;
Fig. 8 is the sixth schematic diagram of a search in the Object Manager in another concrete example of the present invention;
Fig. 9 is a flow chart of the steps of a second embodiment of the file-unlocking method of the present invention;
Fig. 10 is a schematic diagram of the operating system's file operation execution flow;
Fig. 11 is a schematic diagram of the file operation execution flow realized by applying an embodiment of the present invention;
Fig. 12 is a structural block diagram of an embodiment of the file-unlocking device of the present invention.
Detailed description of the embodiments
To make the above objects, features and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.
One of the core ideas of the embodiments of the present invention is to implement a complete file operation call library for the operating-system user-mode interface and, when the operating system API cannot open the target file and its return value is the exclusive file-sharing-attribute type or the file-permission and owner-restriction type, to call the custom application programming interface (BAPI) implemented by the present invention to perform the file unlocking and shredding operation on the target file.
Referring to Fig. 1, which shows a flow chart of the steps of an embodiment of the file-unlocking method of the present invention, the method may specifically comprise the following steps:
Step 101: call the operating system application programming interface (API) to open a target file;
For example, call the CreateFile function of the Microsoft operating system API to open the target file at the specified path and file name, such as C:\test.txt.
It should be noted that in embodiments of the present invention "opening a file" does not mean opening a file (such as an *.exe or *.doc file) by double-clicking it or pressing the Enter key; it means opening the file and obtaining a file handle through an operating system API such as the CreateFile() function or through the custom BAPI of the present invention (a complete file operation call library for the operating-system user-mode interface, realized by applying the present invention), because only after a file handle has been obtained can the file be operated on further.
From the point of view of the function call, "opening" a file in embodiments of the present invention mainly covers the following cases:
1. opening the target file with the Windows standard API CreateFile function;
2. opening the target file with the Windows native API ZwCreateFile/NtCreateFile function;
3. opening the target file with the Windows native API ZwOpenFile/NtOpenFile function.
The dwCreationDisposition parameter of CreateFile controls whether the function "creates a new file" or "opens an existing file".
In a specific implementation, every target file to be shredded must first be unlocked and opened. For example, the DeleteFile function of the Microsoft operating system API takes one input parameter, lpFileName, i.e. the path of the target file; this path must first be opened (by calling the CreateFile routine to obtain the corresponding file handle) before it can be deleted.
Step 102: if the target file cannot be opened, judge whether its return value belongs to a preset kind;
In a preferred embodiment of the invention, the preset kind comprises the exclusive file-sharing-attribute type.
Specifically, if the file has been hijacked by a driver-level malicious program, the file-open process may trigger a sharing conflict. In this case the operating system API returns the error value for an exclusive file-sharing attribute.
For example, if the target file C:\test.txt has been opened exclusively by process A (exclusive meaning that when CreateFile was called, the dwShareMode parameter was passed as zero: "The object cannot be shared"), then any other process that subsequently tries to open this file (by calling CreateFile) will get the error return value ERROR_SHARING_VIOLATION. ERROR_SHARING_VIOLATION is a numeric value, 32. It is defined in Microsoft's WINERROR.H header file as follows:
In a further preferred embodiment of the invention, the preset kind may also comprise the file-permission and owner-restriction type.
Specifically, if the file has been hijacked by a driver-level malicious program, the file-open process may trigger an insufficient-permission problem. In this case the operating system API returns the error value for a file-permission or owner restriction.
"Permission restriction" is a fine-grained access control mechanism designed into the Microsoft operating system: the Windows kernel has a dedicated functional module for it (abbreviated Se, full name Security), whose design principle is to meet the U.S. C2-level operating system security standard. In current Microsoft operating systems, the fine granularity of permission restriction is embodied in the following aspects:
(1) full control;
(2) traverse folder / execute file;
(3) list folder / read data;
(4) read attributes;
(5) read extended attributes;
(6) create files / write data;
(7) create folders / append data;
(8) write attributes;
(9) write extended attributes;
(10) delete;
(11) read permissions;
(12) change permissions;
(13) take ownership.
The Windows operating system exposes a group of APIs for permission-restriction operations, such as the GetNamedSecurityInfo function and the AccessCheck function. GetNamedSecurityInfo is mainly used to obtain the security descriptor (SecurityDescriptor, SD for short, the data structure relevant to operating-system permissions) of a target such as a specified file, and AccessCheck is mainly used to query the permission restrictions on the target based on the security descriptor. On success the caller obtains the return value ERROR_SUCCESS, a numeric value, 0, indicating success; on failure it obtains the error return value ERROR_ACCESS_DENIED, a numeric value, 5. It is defined in Microsoft's WINERROR.H header file as follows:
Step 103: if so, call the custom application programming interface for file opening to operate on the target file.
In a preferred embodiment of the invention, if the return value of the above operating system API call is the exclusive file-sharing-attribute type or the file-permission and owner-restriction type, the custom application programming interface for file opening of the present invention is called to operate on the target file.
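As an added illustration of steps 101 to 103 (example code written for this page, not code from the patent or from the assignee), the following Python models the user-mode decision: attempt the standard open, classify the failure code against the preset kinds named above (ERROR_SHARING_VIOLATION = 32, ERROR_ACCESS_DENIED = 5), and only then hand the path to the custom open routine, returning a record of which route was taken so the decision can be logged. The in-memory file table, the FakeFile structure and the demo_custom_open placeholder are constructed assumptions; ERROR_FILE_NOT_FOUND (2) is a real Windows code used here only as a counter-example that must not trigger the fallback.

```python
# Added example (not the patent's code): the user-mode decision of steps 101-103.
# The open attempt is simulated against a constructed in-memory file table so it
# runs offline; on Windows the same decision would wrap CreateFile/GetLastError.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Return values named on the page (WINERROR.H). ERROR_FILE_NOT_FOUND is a real
# Windows code added as a counter-example that must NOT trigger the fallback.
ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5
ERROR_SHARING_VIOLATION = 32

# The "preset kinds" of step 102: share-exclusive, and permission/owner restriction.
PRESET_KINDS = {ERROR_SHARING_VIOLATION, ERROR_ACCESS_DENIED}


@dataclass
class FakeFile:
    """Constructed stand-in for a file's lock state (assumption, not an OS structure)."""
    share_exclusive: bool = False   # held open by another process with dwShareMode == 0
    access_denied: bool = False     # ACL / owner restriction rejects the caller


# Constructed sample table: one normal file, one share-locked, one ACL-locked.
SAMPLE_FILES: Dict[str, FakeFile] = {
    r"C:\test.txt": FakeFile(),
    r"C:\locked\self_protect.dll": FakeFile(share_exclusive=True),
    r"C:\locked\owner_only.dat": FakeFile(access_denied=True),
}


def os_create_file(path: str, files: Dict[str, FakeFile] = SAMPLE_FILES) -> Tuple[Optional[str], int]:
    """Simulated CreateFile: returns (handle, last_error) in the Win32 pattern."""
    f = files.get(path)
    if f is None:
        return None, ERROR_FILE_NOT_FOUND
    if f.share_exclusive:
        return None, ERROR_SHARING_VIOLATION
    if f.access_denied:
        return None, ERROR_ACCESS_DENIED
    return f"handle:{path}", ERROR_SUCCESS


def is_self_protection_kind(last_error: int) -> bool:
    """Step 102: does the failure code belong to one of the preset kinds?"""
    return last_error in PRESET_KINDS


def open_with_fallback(path: str, custom_open: Callable[[str], Optional[str]]) -> dict:
    """Steps 101-103 as one audit-friendly decision.

    The returned record says which route was taken, so the caller can log it:
      route == "os"      the standard API opened the file
      route == "custom"  a preset-kind error triggered the custom open routine
      route == "error"   any other failure is reported, not worked around
    """
    handle, err = os_create_file(path)                       # step 101
    if handle is not None:
        return {"path": path, "route": "os", "error": ERROR_SUCCESS, "handle": handle}
    if not is_self_protection_kind(err):                     # step 102
        return {"path": path, "route": "error", "error": err, "handle": None}
    handle = custom_open(path)                               # step 103
    return {"path": path, "route": "custom", "error": err, "handle": handle}


def demo_custom_open(path: str) -> Optional[str]:
    """Placeholder for the patent's BAPI open (assumption: it simply hands back a handle)."""
    return f"bapi-handle:{path}"


if __name__ == "__main__":
    for p in SAMPLE_FILES:
        print(open_with_fallback(p, demo_custom_open))
    print(open_with_fallback(r"C:\missing.txt", demo_custom_open))
```

Running the block prints one record per sample file. A defender would keep the route field: a file that can only be reached through the custom route is itself a signal worth recording, and a code outside the preset kinds (a missing file, for instance) is reported rather than worked around.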
The step of calling the BAPI to operate on the target file may specifically comprise the following sub-steps:
Sub-step S11: obtain a file operation request, the request containing the caller's input parameters, the input parameters including a file path;
Sub-step S12: look up the corresponding file object parse routine in the Object Manager according to the file path;
Sub-step S13: if the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine and send it to the original address of the preset file system base device.
In embodiments of the present invention, the file includes files of any type supported by the Windows operating system, and the file operation refers to an atomic operation on the file or a combination of atomic operations, the atomic operations comprising: file creation, file read, file write, set file attributes, get file attributes, set file pointer, get file size, file delete, directory removal, handle close, find first file, find next file, find close, judge whether a path is a directory, judge whether the target file exists, get long path, get short path, path search, file copy, and file move. For example, the virus-cleaning operation on a file is a combination of atomic operations such as file read, find first file, find next file, find close and file move.
In a specific implementation, the I/O request packet may contain file operation information extracted from the file operation request, and after the I/O request packet has been sent to the original address of the preset file system base device, the step of calling the custom application programming interface for file opening to operate on the target file may further comprise the following sub-step:
Sub-step S14: the file system base device executes the file operation corresponding to the file operation information.
As an example of the file-unlocking application of the present invention, the file operation request may comprise a target-file open request; correspondingly, the file operation information may comprise a target-file open operation, in which case the file system base device executes the operation of opening the target file according to the file operation information.
As an example of the file-deletion application of the present invention, the file operation request may further comprise a target-file delete request; correspondingly, the file operation information may further comprise a target-file delete operation, in which case the file system base device, after opening the target file, executes the delete operation on the target file according to the file operation information.
In a specific implementation, the caller process initiates a file operation request by calling the BAPI, which calls the corresponding file operation interface routine; the kernel-mode driver obtains and verifies the request coming from user mode, builds a query data structure, parses the passed-in file path in a loop, and finally finds the object type maintained in the Object Manager. This process effectively counters the danger of hijacking inside kernel mode. After this, the kernel-mode driver builds and fills an IRP request packet and sends it to the original address of the predetermined file system base device; the third-party filter drivers (other security software, driver-level malicious programs) on the file system call stack are thereby penetrated (bypassed). In short, by establishing a new, trustworthy file operation execution route that can penetrate filter drivers, the present invention effectively avoids the risk that exists in the legacy operating-system file execution route.
In a specific implementation, the kernel-mode driver verifies the caller's input parameters according to the file operation request, and only if the verification passes does it look up the corresponding file object parse routine in the Object Manager according to the file path.
Referring to Fig. 2, in a preferred embodiment of the invention, the step of looking up the corresponding file object parse routine in the Object Manager according to the file path may further comprise the following sub-steps:
Sub-step S121: judge whether the file path has been completely disassembled; if not, perform sub-step S122; if so, perform sub-step S124;
Sub-step S122: disassemble the next path segment to be processed out of the file path according to the path separator;
Sub-step S123: search the Object Manager with the currently disassembled path segment and judge whether a corresponding file object routine exists; if so, return to sub-step S121; if not, perform sub-step S125;
Sub-step S124: obtain the file object parse routine corresponding to the file path;
Sub-step S125: return the information that no corresponding file object parse routine was found.
In a specific implementation, an OpenPacket structure for the Object Manager query can be built in advance, and the file path is disassembled in a loop on the path separator "\". For example, if the file path is c:\a\b.txt, the path segment disassembled out the first time is c:, the second time c:\a, and the third time c:\a\b.txt; that is, embodiments of the present invention disassemble the file path by way of recursive calls. The Object Manager is a basic module of the Windows NT kernel. When Windows NT was designed, the "object-oriented" design philosophy was widely promoted: the resources originally scattered throughout the operating system were abstracted and encapsulated, and a consistent access approach was then provided for the various internal services. The Object Manager is mainly used to realize the following functions: (1) provide a public, unified mechanism for using system resources; (2) isolate object protection in a uniform area of the operating system, so that the C2 security class can be achieved; (3) provide a mechanism for recording the number of objects used by a process, so that limits can be placed on the use of system resources; (4) establish a set of object naming schemes, so that existing objects can be merged more easily. The Object Manager maintains several dozen object types in total (27 object types in Windows 2000; 29 in Windows XP), common ones being symbolic links (SymbolicLink), processes (Process), threads (Thread), jobs (Job), files (File), events (Event), timers (Timer) and so on.
The Object Manager maintains a chained object hash table. It is searched with the path segment disassembled out each time; if the corresponding parse routine (ParseProcedure) can be found, the next disassembly of the file path continues, and the next search of the Object Manager uses the newly disassembled segment together with the segments disassembled before. When, after this loop of parsing, the current file path has been completely disassembled, the file object parse routine (ParseRoutine) found by searching the Object Manager is the file object parse routine corresponding to the current file path.
As is well known, a routine is the set of functional interfaces or services that a system provides externally; the APIs and services of an operating system, for example, are routines.
To help those skilled in the art understand the present invention better, the operation by which the present invention disassembles a file path and searches the Object Manager is described in detail below through a concrete example, with reference to the Object Manager search schematic diagrams shown in Figs. 3, 4, 5, 6, 7 and 8.
For example, suppose the file path is C:\test\test.txt. C: is itself a symbolic link (SymbolicLink), so the Object Manager search is in fact a query of symbolic links.
(1) referring to Fig. 3, search from the "root" of the Object Manager (i.e. "\");
(2) find the \GLOBAL?? directory under "\";
(3) following the \GLOBAL?? directory entry, open the \GLOBAL?? folder under "\"; after this, continue to look for C: inside \GLOBAL?? (note that in the drawing C: belongs to the SymbolicLink type);
(4) referring to Fig. 4, find C: in the \GLOBAL?? folder;
(5) according to the type (Type) corresponding to C:, SymbolicLink, and its additional information (AdditionalInformation), \Device\HarddiskVolume1, find the \Device folder; if necessary, the \Device\HarddiskVolume1 symbolic link and so on can be resolved further, until nothing more can be disassembled;
(6) referring to Fig. 5, find HarddiskVolume1 in the \Device folder.
As another example, suppose the file path is \SystemRoot\System32\Drivers\ntfs.sys; \SystemRoot is also a symbolic link:
(1) referring to Fig. 6, first find SystemRoot;
(2) according to the type (Type) corresponding to SystemRoot, SymbolicLink, and its additional information (AdditionalInformation), \Device\Harddisk0\Partition1\WINDOWS, find the \Device folder;
(3) referring to Fig. 7, find Harddisk0 under the \Device folder;
(4) find Partition1 under Harddisk0; according to the type (Type) corresponding to Partition1, SymbolicLink, and its additional information (AdditionalInformation), \Device\HarddiskVolume1, find the \Device folder;
(5) referring to Fig. 8, find HarddiskVolume1 under the \Device folder.
In this example the path is disassembled on the path separator "\": each time a separator is found, one "factor" (segment) is considered found and is used to search the Object Manager; if necessary the path is re-merged and the Object Manager searched again. In this embodiment the file object parse routine found is a function which was associated with a certain factor when it was registered, and which knows how to process that factor correctly.
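The loop of sub-steps S121 to S125 and the two symbolic-link walks of Figs. 3 to 8 can be reproduced offline against a small constructed copy of the Object Manager namespace. The Python below is an added example written for this page, not code from the patent; the NAMESPACE table, its SymbolicLink targets (\GLOBAL??\C: and \SystemRoot, as on the page) and the MAX_REPARSE guard are assumptions, and the kernel's own OpenPacket and ParseProcedure machinery is replaced by a dictionary lookup.

```python
# Added example (not the patent's code): the S121-S125 disassembly loop and the
# symbolic-link walk of Figs. 3-8 against a constructed Object Manager namespace.
from typing import Dict, List, Optional, Tuple

# Constructed namespace table (assumption): name -> (object type, symbolic-link target).
NAMESPACE: Dict[str, Tuple[str, Optional[str]]] = {
    "\\": ("Directory", None),
    r"\GLOBAL??": ("Directory", None),
    r"\GLOBAL??\C:": ("SymbolicLink", r"\Device\HarddiskVolume1"),
    r"\SystemRoot": ("SymbolicLink", r"\Device\Harddisk0\Partition1\WINDOWS"),
    r"\Device": ("Directory", None),
    r"\Device\Harddisk0": ("Directory", None),
    r"\Device\Harddisk0\Partition1": ("SymbolicLink", r"\Device\HarddiskVolume1"),
    r"\Device\HarddiskVolume1": ("Device", None),
}

MAX_REPARSE = 32  # assumption: guard against a symbolic-link cycle in the table


def disassemble(path: str) -> List[str]:
    """S122 applied repeatedly: every prefix of the path up to each separator.

    'c:\\a\\b.txt' -> ['c:', 'c:\\a', 'c:\\a\\b.txt'], as in the description.
    """
    rooted = path.startswith("\\")
    segments = [s for s in path.split("\\") if s]
    prefixes, current = [], ""
    for seg in segments:
        if current == "":
            current = ("\\" + seg) if rooted else seg
        else:
            current = current + "\\" + seg
        prefixes.append(current)
    return prefixes


def to_nt_name(path: str) -> str:
    """A DOS-style path such as C:\\x is looked up under \\GLOBAL?? (Fig. 3)."""
    if len(path) >= 2 and path[1] == ":":
        return r"\GLOBAL??" + "\\" + path
    return path


def resolve(path: str, ns: Dict[str, Tuple[str, Optional[str]]] = NAMESPACE) -> Tuple[str, str]:
    """Walk the namespace prefix by prefix (S121-S125).

    Returns (device_name, remaining_name): the Device object whose parse routine
    owns the rest of the name, and that remainder. Raises FileNotFoundError when
    a prefix does not exist (S125); RuntimeError if links form a cycle.
    """
    name = to_nt_name(path)
    for _ in range(MAX_REPARSE):
        reparsed = False
        for prefix in disassemble(name):          # S121/S122: next longer prefix
            node = ns.get(prefix)                  # S123: search the Object Manager
            if node is None:
                raise FileNotFoundError(prefix)    # S125: no such object
            kind, target = node
            remainder = name[len(prefix):]
            if kind == "SymbolicLink":             # substitute the link target, restart
                name = target + remainder
                reparsed = True
                break
            if kind == "Device":                   # S124: object with a parse routine
                return prefix, remainder
        if not reparsed:                           # walked to the end, only directories
            raise FileNotFoundError(name)
    raise RuntimeError("symbolic-link loop while resolving " + path)


if __name__ == "__main__":
    for p in (r"C:\test\test.txt", r"\SystemRoot\System32\Drivers\ntfs.sys"):
        print(p, "->", resolve(p))
```

disassemble() yields the same three prefixes for c:\a\b.txt that the text lists, and resolve() follows each SymbolicLink by substituting its target and restarting the walk, which is why both C:\test\test.txt and \SystemRoot\System32\Drivers\ntfs.sys end at \Device\HarddiskVolume1. The reparse counter is the one check the description does not mention: a namespace containing a link cycle would otherwise loop forever.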
The file path parsing method adopted in the embodiment of the present invention resolves the target file path dynamically. For example, for a dynamically mapped network drive with a DOS-style file path, the correspondence between the drive and the file system infrastructure device object is obtained dynamically by searching the Object Manager. The embodiment of the present invention therefore has the advantage of wide applicability and of suiting many scenarios.
In a specific implementation, the file object parse routine (ParseRoutine) is implemented in a way similar to Microsoft's IoParseDevice routine (a simulated implementation): internally it builds and fills an I/O request packet (IRP) and sends it to the original address of the file system infrastructure device. In Microsoft's Windows operating system family, all communication with drivers is carried out by sending IRPs. The data structure used to encapsulate an IRP is not only used to describe the content of the I/O request itself; it is also used to maintain the related status information while the request travels through a series of drivers. That is, an IRP can be defined as the place where the I/O system stores the information necessary to process an I/O request. When a thread calls an I/O service, the I/O manager constructs an IRP to represent that request while the I/O system processes it.
In a specific implementation, the original address of the file system infrastructure device can be set at system initialization. Through this step, the third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) can be penetrated, which effectively avoids the potential incompatibility with other security software that file operation interference would otherwise cause, and also strengthens the ability to confront driver-level malicious programs in attack-and-defense situations.
After the IRP is sent to the file system's device object, a series of complex processing steps still lie between it and the write to the hard disk. Generally speaking, the request also passes through volume shadow copy (Volsnap.sys), the volume manager (Ftdisk.sys), the partition manager (Partmgr.sys), the disk class driver (disk.sys), the disk port driver (atapi.sys for IDE systems) and the miniport driver (Aha154x.sys for the Adaptec 1540 SCSI adapter), and it is finally the miniport driver that determines the offset written on the disk or tape drive. Volume management (including snapshots) introduces the dynamic-disk concept, which allows Windows to create multi-partition volumes (such as mirrored volumes, striped volumes, RAID-5 and so on); this component maps the request to a particular offset on the target volume according to the actual configuration. The partition manager is responsible for notifying the plug-and-play manager of the current partitions and their state (creation, deletion, etc.). The disk class driver implements the functions common to all disks, while, for example, the SCSI (Small Computer System Interface) port driver handles the disk characteristics of the SCSI bus. Finally, the miniport driver handles the product-specific characteristics of a particular manufacturer, and this kind of driver is usually supplied by the manufacturer itself. In general, each layer receives the request passed down from the layer above, interprets it through its own interface and its own "view", finds a particular sector offset on the target device, and creates, writes or deletes the data.
With reference to figure 9, a flow chart of the steps of operating on the target file with the self-defined application programming interface of the present invention is shown; specifically it can comprise:
Step 401: load the file operation interface routines and initialize the original address of the file system infrastructure device;
As an example of a specific application, the file operation interface program comprises: the file creation routine FSCreateFile, the file read routine FSReadFile, the file write routine FSWriteFile, the file attribute setting routine FSSetFileAttributes, the file attribute acquisition routine FSGetFileAttributes, the file pointer setting routine FSSetFilePointer, the extended file pointer setting routine FSSetFilePointerEx, the file size acquisition routine FSGetFileSize, the file deletion routine FSDeleteFile, the directory removal routine FSRemoveDirectory, the handle closing routine FSCloseHandle, the first-file search routine FSFindFirstFile, the next-file search routine FSFindNextFile, the file search closing routine FSFindClose, the extended file attribute acquisition routine FSGetFileAttributesEx, the routine FSPathIsDirectory that judges whether a path is a directory, the routine FSPathFileExists that judges whether the target file exists, the long path acquisition routine FSGetLongPathName, the short path acquisition routine FSGetShortPathName, the path search routine FSSearchPath, the extended file size acquisition routine FSGetFileSizeEx, the file copy routine FSCopyFile, the file move routine FSMoveFile and/or the extended file move routine FSMoveFileEx. These file operation interface routines are set up so that their calling convention and call parameters are consistent with the corresponding standard WINDOWS API. Each of the above routines includes a narrow-character routine and a wide-character routine; for example, FSCreateFile comprises the narrow-character routine FSCreateFileA and the wide-character routine FSCreateFileW.
Step 402: the caller initiates a file operation request and calls the corresponding file operation interface program; the request comprises the caller input parameters, and the input parameters comprise the file path and a user-mode address;
For example, the caller process initiates a file creation request through FSCreateFileA.
Step 403: the user-mode part of the file operation interface program converts the ANSI-related parameters among the caller input parameters to the UNICODE type and calls the corresponding wide-character file operation interface routine;
It is well known that characters in ANSI occupy 8 bits while characters in UNICODE occupy 16 bits (ANSI stores an English character in one byte and characters such as Chinese in two bytes, whereas under Unicode both English and Chinese characters are stored in two bytes).
For the file creation process, to ensure platform applicability, FSCreateFileA can convert the ANSI-related parameters among the caller input parameters to the UNICODE type and call the corresponding wide-character file operation interface routine FSCreateFileW.
Of course, if the wide-character routine is called directly in practice, this step need not be performed.
Step 404: build the kernel-mode structure parameters according to the type of the system platform, generate the corresponding file operation control code, and send it, together with the kernel-mode structure parameters, to the operating system kernel mode;
The types of system platform comprise 32-bit, 64-bit and 32-bit compatibility mode. As an example of a specific application of the present invention, the control codes corresponding to the file operation interface program comprise: the file creation operation control code FILE_IO_CREATE_FILE, the file read operation control code FILE_IO_READ_FILE, the file write operation control code FILE_IO_WRITE_FILE, the file query operation control code FILE_IO_QUERY_FILE, the file setting operation control code FILE_IO_SET_FILE and/or the file close preparation operation control code FILE_IO_PREPARE_CLOSE. The control code defines a unified identifier used when the operating system's user mode communicates with the kernel-mode driver.
For the file creation process, FSCreateFileW builds the structure parameters by judging the system platform type (32-bit, 64-bit or 32-bit compatibility mode), sends the control code FILE_IO_CREATE_FILE and waits synchronously for the return.
In practice, FSCreateFileW can also handle malformed file names and file paths, and it is where the parameter conversion is actually completed. When the operating system's user mode communicates with the kernel-mode driver, the input and output buffers can be passed in METHOD_BUFFERED mode. In METHOD_BUFFERED mode a system buffer is allocated first, sized to the larger of the input buffer and the output buffer, and the data is copied through it: the input buffer is copied into the new buffer, and before returning the result is copied into that same buffer. The return status is placed in the IO_STATUS_BLOCK, and the I/O manager copies the data to the output buffer.
Step 405: the kernel-mode driver of the operating system obtains the file operation request, verifies the caller input parameters, and captures the user-mode address into kernel-mode memory space;
For the file creation process, this step is performed by the kernel part of the FSCreateFileW routine, which processes the corresponding caller input parameters in kernel-mode memory space.
Step 406: if the input parameters pass verification, search the Object Manager for the corresponding file object parse routine according to the file path;
Step 407: if the corresponding file object parse routine is found, generate an I/O request packet according to that file object parse routine and send it to the preset original address of the file system infrastructure device.
For the file creation process, the kernel part of FSCreateFileW verifies the parameters passed in from user mode, builds an OpenPacket structure, and parses the file path in a loop against the compressed object hash table maintained by the Object Manager. Specifically, the input file path can be disassembled at the path separator "\", each path segment so obtained is looked up in the compressed object hash table maintained by the Object Manager, and the corresponding ParseProcedure is found. When the loop has finished parsing, the ParseRoutine of the object is considered found. Inside ParseRoutine an IRP request packet is built, filled and sent to the original address of the file system infrastructure device, which completes the construction of the file penetration. At this point the third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) have been bypassed.
In a specific implementation, the newly created object can also be inserted into the Object Manager's hash structure with the ObInsertObject routine, and the returned file handle obtained. Further, the synchronous kernel call can also return the user-mode handle information and the call result. If allocation fails, the user-mode interface can set the corresponding error code, so that the caller thread can obtain detailed error information through the GetLastError routine.
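Steps 404 and 405 as an added Python simulation of both sides of the user-mode/kernel-mode hand-off. This is example code, not the patent's or its assignee's implementation, and it does not talk to any driver. Only the CTL_CODE bit layout and the METHOD_BUFFERED copy-in/copy-out semantics are Windows conventions; the function numbers, the request structure layout, the status names and the fake handle table are constructed for the example. It shows why the structure has to be packed for the platform type (32-bit, 64-bit, or a 32-bit process on a 64-bit kernel) and what the kernel side must verify before it trusts a caller-supplied length or user-mode address.

```python
import struct

METHOD_BUFFERED = 0
FILE_DEVICE_UNKNOWN = 0x22
FILE_ANY_ACCESS = 0


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Bit layout of the CTL_CODE macro; the METHOD_* value sits in the low two bits."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Function numbers 0x800.. are the vendor range; the values are constructed here,
# the patent names the control codes but gives no numbers.
FILE_IO_CREATE_FILE = ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

# Pointer width the *kernel* expects: a 32-bit process on a 64-bit kernel
# ("32-bit compatibility mode") must still send 64-bit wide addresses.
POINTER_WIDTH = {"x86": 4, "x64": 8, "wow64": 8}
MAX_PATH_BYTES = 32767 * 2          # NT path limit in UTF-16 code units, times two


def header_format(platform: str) -> str:
    """Constructed layout: desired_access, share_mode, disposition,
    path_len_bytes, then the user-mode address the handle is written back to."""
    return "<IIII" + ("I" if POINTER_WIDTH[platform] == 4 else "Q")


def build_create_request(platform: str, path: str, desired_access: int = 0x80000000,
                         share_mode: int = 1, disposition: int = 3,
                         out_handle_addr: int = 0x7FFE1000) -> bytes:
    """User-mode side of step 404: pack the structure for this platform.
    The path goes out as NUL-terminated UTF-16LE, as the W routine would send it."""
    wpath = path.encode("utf-16-le") + b"\x00\x00"
    hdr = struct.pack(header_format(platform), desired_access, share_mode,
                      disposition, len(wpath), out_handle_addr)
    return hdr + wpath


def highest_user_address(platform: str) -> int:
    # Documented defaults of MM_HIGHEST_USER_ADDRESS, simplified (ignores /3GB).
    return 0x7FFEFFFF if POINTER_WIDTH[platform] == 4 else 0x7FFFFFEFFFF


_handle_table = []   # constructed stand-in for the kernel's handle table


def kernel_handle_create(platform: str, control_code: int, in_buf: bytes, out_len: int):
    """Kernel side of step 405 for a METHOD_BUFFERED request.
    Returns (status name, bytes the I/O manager would copy to the output buffer)."""
    if control_code != FILE_IO_CREATE_FILE:
        return "STATUS_INVALID_DEVICE_REQUEST", b""
    # METHOD_BUFFERED: one system buffer of max(in, out); the input is copied in,
    # the reply is written over it and out_len bytes are copied back afterwards.
    sysbuf = bytearray(max(len(in_buf), out_len))
    sysbuf[:len(in_buf)] = in_buf
    fmt = header_format(platform)
    hdr_size = struct.calcsize(fmt)
    if len(in_buf) < hdr_size:
        return "STATUS_BUFFER_TOO_SMALL", b""
    access, share, disp, path_len, out_addr = struct.unpack_from(fmt, sysbuf)
    # Every length is caller-controlled: bound it against the bytes actually received.
    if (path_len < 2 or path_len % 2 or path_len > MAX_PATH_BYTES
            or hdr_size + path_len > len(in_buf)):
        return "STATUS_INVALID_PARAMETER", b""
    raw = bytes(sysbuf[hdr_size:hdr_size + path_len])
    if raw[-2:] != b"\x00\x00":
        return "STATUS_INVALID_PARAMETER", b""
    # Probe the user-mode address before anything is ever written through it.
    if out_addr == 0 or out_addr + POINTER_WIDTH[platform] > highest_user_address(platform):
        return "STATUS_ACCESS_VIOLATION", b""
    if out_len < 4:
        return "STATUS_BUFFER_TOO_SMALL", b""
    path = raw[:-2].decode("utf-16-le")          # captured copy, safe to use from here
    _handle_table.append((path, access, share, disp))
    handle = 4 * len(_handle_table)              # handle values are multiples of 4
    struct.pack_into("<I", sysbuf, 0, handle)    # the reply overwrites the shared buffer
    return "STATUS_SUCCESS", bytes(sysbuf[:out_len])


def user_create_file(platform: str, path: str, **kw):
    """End to end, FSCreateFileW-style: returns (status, handle or None)."""
    req = build_create_request(platform, path, **kw)
    status, out = kernel_handle_create(platform, FILE_IO_CREATE_FILE, req, 4)
    if status != "STATUS_SUCCESS":
        return status, None
    return status, struct.unpack("<I", out)[0]


if __name__ == "__main__":
    print(user_create_file("x64", r"\??\C:\test\test.txt"))
    # A structure packed for x86 but delivered to an x64 kernel fails the length check.
    print(kernel_handle_create("x64", FILE_IO_CREATE_FILE,
                               build_create_request("x86", r"\??\C:\a.txt"), 4))
```

The mismatched-platform case is the point of step 404: the same four leading fields line up, but the pointer field shifts by four bytes, so the declared path length no longer fits in the bytes received and the kernel side rejects the request rather than reading past the copied data.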
Below, the working principle of the present invention is further explained with reference to the schematic diagram of the prior-art operating system file operation execution flow shown in figure 10 and the file operation execution flow diagram realized by applying the embodiment of the present invention shown in figure 11.
In the prior art, as shown in the schematic diagram of the operating system file operation execution flow in figure 10, a file operation is executed with the following layered calling scheme:
The caller 101 calls the kernel interface layer 102; the kernel interface layer 102 calls the kernel execution layer 103; the kernel execution layer 103 calls the file object parse routine 104; the file object parse routine 104 calls the filter driver a 105; from the top-layer filter driver the call descends layer by layer until the bottom-layer filter driver N 106 is called; and the bottom-layer filter driver N 106 calls the file system infrastructure device 107. Here the caller 101 and the kernel interface layer 102 belong to the operating system's user mode, while the kernel execution layer 103, the file object parse routine 104, the top-layer filter driver a 105, the bottom-layer filter driver N 106 and the file system infrastructure device 107 belong to the operating system's kernel mode.
In the file operation execution flow diagram realized by applying the embodiment of the present invention, as shown in figure 11, the present invention executes a file operation with the following calling scheme:
The caller 111 calls the driver interface layer 112 realized in the present embodiment, rather than the prior-art kernel interface layer 113;
the driver interface layer 112 calls the simulated kernel execution layer, which verifies the caller input parameters 114;
after the caller input parameters pass verification, the Object Manager is searched to parse the file path in a loop 115 and obtain the object parse routine 116, and the operation of building an IRP and sending it to the original address of the file system infrastructure device 117 is carried out;
in this process, the prior-art file object parse routine 118, the top-layer filter driver a 119 and the bottom-layer filter driver N 120 are penetrated;
after the IRP has been sent to the file system infrastructure device 121, the file system infrastructure device 121 performs the operation requested by the IRP.
It can be seen that by applying the embodiment of the present invention, the third-party filter drivers on the file system call stack, including other security software and driver-level malicious programs, can be penetrated. This both effectively avoids the potential incompatibility with other security software that file operation interference would otherwise cause, and strengthens the ability to confront driver-level malicious programs in attack-and-defense situations.
It should be noted that, for the sake of simple description, the method embodiment is expressed as a series of combined actions. Those skilled in the art should know, however, that the present invention is not limited by the described sequence of actions, because according to the present invention some steps can be carried out in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
With reference to figure 12, the structural block diagram of a device embodiment for file unlocking of the present invention is shown; specifically it can comprise the following modules:
API call module 121, for calling the operating system application programming interface (API) to open the target file;
Return code judgment module 122, for judging, when the target file cannot be opened, whether its return value is of a preset kind; if so, the file penetration operation module 123 is called;
File penetration operation module 123, for calling the self-defined application programming interface to operate on the target file; specifically it comprises:
Kernel-mode request acquisition submodule 1231, for obtaining the file operation request; the request comprises the caller input parameters, and the input parameters comprise the file path;
Kernel-mode object parse submodule 1232, for searching the Object Manager for the corresponding file object parse routine according to the file path; if the corresponding file object parse routine is found, the kernel-mode IRP generation and sending submodule 1233 is called;
Kernel-mode IRP generation and sending submodule 1233, for generating an I/O request packet according to the file object parse routine and sending it to the preset original address of the file system infrastructure device.
In a specific implementation, the I/O request packet can include the file operation information extracted from the file operation request; in this case the file system infrastructure device is used to perform the file operation corresponding to that file operation information.
As an example of the file unlocking application of the present invention, the file operation request can comprise a target file open request; correspondingly, the file operation information can comprise a target file open operation, in which case the file system infrastructure device performs the operation of opening the target file according to the file operation information.
As an example of the file deletion application of the present invention, the file operation request can further comprise a target file deletion request; correspondingly, the file operation information can further comprise a target file deletion operation, in which case the file system infrastructure device, after opening the target file according to the file operation information, performs the deletion operation on the target file.
In a preferred embodiment of the present invention, the preset kind of return value can comprise the file sharing attribute exclusive type or the file permission or owner restriction type. That is, by applying the embodiment of the present invention, if the return value of the call to the operating system API is of the file sharing attribute exclusive type or of the file permission or owner restriction type, the self-defined application programming interface of the present invention is called to operate on the target file.
In a preferred embodiment of the present invention, the kernel-mode object parse submodule can specifically comprise the following units:
File path disassembly unit, for disassembling the path segments of the file path step by step according to the path separator;
Object Manager search unit, for searching the Object Manager with the currently disassembled path segment in order to find the corresponding file object routine.
In a specific implementation, the caller input parameters have a user-mode address, and the file penetration operation module can further comprise:
Kernel address capture submodule, for capturing the user-mode address into kernel-mode memory space.
In a preferred embodiment of the present invention, the file penetration operation module can further comprise:
User-mode request sending submodule, for initiating the file operation request from the caller and calling the corresponding file operation interface program; the request comprises the caller input parameters, and the input parameters comprise the file path;
User-mode control code sending submodule, for building the kernel-mode structure parameters according to the type of the system platform, generating the corresponding file operation control code, and sending it, together with the kernel-mode structure parameters, to the operating system kernel mode.
In a specific implementation, the file penetration operation module can further comprise:
Wide-character routine call submodule, for converting the ANSI-related parameters among the caller input parameters to the UNICODE type and calling the corresponding wide-character file operation interface routine.
As an example of a specific application of the embodiment of the present invention, the file operation interface program can comprise the file creation routine FSCreateFile, and the file penetration operation module can further comprise:
Handle acquisition submodule, for inserting the newly created file object into the Object Manager and obtaining the returned file handle.
Since the device embodiment substantially corresponds to the preceding method embodiment, it is described only briefly here; for the parts not detailed, see the related description in the preceding embodiment.
The present invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and so on.
The present invention can be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and so on that perform particular tasks or implement particular abstract data types. The present invention can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including memory storage devices.
The method of file unlocking and the device for file unlocking provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and embodiments of the present invention; the explanation of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art will, according to the idea of the present invention, make changes in the specific embodiments and the scope of application. In sum, the contents of this description should not be construed as limiting the present invention.

Claims (12)

1. A method of file unlocking, characterized in that it comprises:
calling the operating system application programming interface (API) to open the target file;
if the target file cannot be opened, judging whether its return value is of a preset kind;
if so, calling a self-defined application programming interface for file opening to operate on the target file, which specifically comprises:
obtaining a file operation request, the request comprising caller input parameters, and the input parameters comprising a file path;
searching the Object Manager for the corresponding file object parse routine according to the file path; if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the preset original address of the file system infrastructure device;
wherein the I/O request packet comprises file operation information extracted from the file operation request, and, after the I/O request packet has been sent to the preset original address of the file system infrastructure device, the step of calling the self-defined application programming interface for file opening to operate on the target file further comprises:
performing, by the file system infrastructure device, the file operation corresponding to the file operation information.
2. The method of claim 1, characterized in that the file operation request comprises a target file open request, the file operation information comprises a target file open operation, and the file system infrastructure device performs the operation of opening the target file according to the file operation information.
3. The method of claim 2, characterized in that the file operation request further comprises a target file deletion request, the file operation information further comprises a target file deletion operation, and the file system infrastructure device, after opening the target file, performs the deletion operation on the target file according to the file operation information.
4. The method of claim 1, 2 or 3, characterized in that the preset kind comprises the file sharing attribute exclusive type.
5. The method of claim 4, characterized in that the preset kind further comprises the file permission or owner restriction type.
6. The method of claim 1, 2 or 3, characterized in that the step of searching the Object Manager for the corresponding file object parse routine according to the file path specifically comprises the following sub-steps:
Sub-step S1: judge whether the file path has been completely disassembled; if not, perform sub-step S2; if so, perform sub-step S4;
Sub-step S2: disassemble the next path segment to be handled from the file path according to the path separator;
Sub-step S3: search the Object Manager with the currently disassembled path segment and judge whether a corresponding file object parse routine exists; if so, return to sub-step S1; if not, perform sub-step S5;
Sub-step S4: obtain the file object parse routine corresponding to the file path;
Sub-step S5: return the information that no corresponding file object parse routine was found.
7. A device for file unlocking, characterized in that it comprises:
an API call module, for calling the operating system application programming interface (API) to open the target file;
a return code judgment module, for judging, when the target file cannot be opened, whether its return value is of a preset kind; if so, the file penetration operation module is called;
a file penetration operation module, for calling a self-defined application programming interface for file opening to operate on the target file, which specifically comprises:
a kernel-mode request acquisition submodule, for obtaining a file operation request, the request comprising caller input parameters, and the input parameters comprising a file path;
a kernel-mode object parse submodule, for searching the Object Manager for the corresponding file object parse routine according to the file path; if the corresponding file object parse routine is found, the kernel-mode IRP generation and sending submodule is called;
a kernel-mode IRP generation and sending submodule, for generating an I/O request packet according to the file object parse routine and sending it to the preset original address of the file system infrastructure device;
wherein the I/O request packet comprises file operation information extracted from the file operation request, and the file system infrastructure device is used to perform the file operation corresponding to the file operation information.
8. The device of claim 7, characterized in that the file operation request comprises a target file open request, the file operation information comprises a target file open operation, and the file system infrastructure device performs the operation of opening the target file according to the file operation information.
9. The device of claim 8, characterized in that the file operation request further comprises a target file deletion request, the file operation information further comprises a target file deletion operation, and the file system infrastructure device, after opening the target file, performs the deletion operation on the target file according to the file operation information.
10. The device of claim 7, 8 or 9, characterized in that the preset kind comprises the file sharing attribute exclusive type.
11. The device of claim 10, characterized in that the preset kind further comprises the file permission or owner restriction type.
12. The device of claim 7, 8 or 9, characterized in that the kernel-mode object parse submodule specifically comprises the following units:
a file path disassembly unit, for disassembling the path segments of the file path step by step according to the path separator;
an Object Manager search unit, for searching the Object Manager with the currently disassembled path segment in order to find the corresponding file object parse routine.

Priority Applications (1)

Application number: CN201110175399.3A (publication CN102855433B), priority date 2011-06-27, filing date 2011-06-27, title: A kind of method of file unlock and device

Publications (2)

CN102855433A, published 2013-01-02
CN102855433B, published 2016-03-30

Family ID: 47402016

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C41 / TA01: Transfer of patent application right
    Effective date of registration: 20151104
    Address after: 100015, D, room 112, block 28, Xinjie Avenue, Xinjie street, Beijing, Xicheng District
    Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.
    Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C
    Applicant before: Qizhi software (Beijing) Co.,Ltd.
C14 / GR01: Grant of patent or utility model
CF01: Termination of patent right due to non-payment of annual fee
    Granted publication date: 20160330
    Termination date: 20190627
RR01: Reinstatement of patent right
    Former decision: Patent right to terminate
    Former decision publication date: 20200623
TR01: Transfer of patent right
    Effective date of registration: 20220830
    Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000
    Patentee after: 3600 Technology Group Co.,Ltd.
    Address before: Room 112, block D, No. 28, Xinjiekou Wai Street, Xicheng District, Beijing 100015 (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.