CN102855436A - File unlocking method and file unlocking device - Google Patents

File unlocking method and file unlocking device Download PDF

Info

Publication number
CN102855436A
CN102855436A CN2011101754144A CN201110175414A CN102855436A CN 102855436 A CN102855436 A CN 102855436A CN 2011101754144 A CN2011101754144 A CN 2011101754144A CN 201110175414 A CN201110175414 A CN 201110175414A CN 102855436 A CN102855436 A CN 102855436A
Authority
CN
China
Prior art keywords
file
routine
attribute
file destination
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011101754144A
Other languages
Chinese (zh)
Other versions
CN102855436B (en
Inventor
王宇
潘剑锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qizhi Software Beijing Co Ltd filed Critical Qizhi Software Beijing Co Ltd
Priority to CN201110175414.4A priority Critical patent/CN102855436B/en
Priority to CN201510145493.2A priority patent/CN104732142B/en
Publication of CN102855436A publication Critical patent/CN102855436A/en
Application granted granted Critical
Publication of CN102855436B publication Critical patent/CN102855436B/en
Active - Reinstated legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a file unlocking method and a file unlocking device. The method includes: attempting to execute a delete operation or a write operation aiming at a target file; if the delete or write operation cannot be executed for the target file, obtaining the attribute of the target file; and if the attribute of the target file is read-only, invoking a user-defined application program interface for file attribute change to remove the read-only attribute of the target file. A file unlocking and shredding mechanism is safe, reliable and high in success rate and is capable of recognizing and confronting file self-protection behaviors of malicious programs in the complex client-side environment, and accordingly the capability of the mechanism in confronting attack and defense of the drive-level malicious programs is enhanced.

Description

A kind of method of file unlock and device
Technical field
The present invention relates to the technical field of computer security, particularly relate to a kind of method of file unlock and a kind of device of file unlock.
Background technology
Computer virus refers to that " the destruction computer function that the organizer inserts or destroy data affect computing machine use and one group of computer instruction or program code that can self-replacation in computer program.In a single day computing machine catches virus, computing machine is usually expressed as its file and is increased, deletes out, changes title or attribute, moves under other catalogue, virus is to these operations of computer documents, may cause that normal program can't be moved, computer operating system collapse, computing machine be by a series of problems such as Long-distance Control, user profile are stolen.
In order to guarantee the safe operation of computing machine, need to carry out checking and killing virus to the file that infects virus in the computing machine, to prevent and to remove the destruction of virus.In the fail-safe software field, be one of eternal theme of resisting of fail-safe software and rogue program (computer virus) for " deletion " and " anti-deletion " of contamination computer documents.
Virus of the prior art has often added encryption lock for the contamination file by means such as file read only attribute restrictions, adopts conventional means can't crack encryption lock and namely can't delete the contamination file, and these means stop antivirus software killing contamination file.Fail-safe software is looked into viricidal process, can be understood as the contamination file is carried out release and pulverizing.Existing fail-safe software, single to release and the pulverizing means of contamination file, can't abolish the layer by layer protection that the contamination file arranges, antagonism is not strong.Conventional security software vendor has only solved part " anti-deletion " problem, often embodies certain anergy in the attacking and defending of operating system nucleus attitude, and driving stage rogue program (Rootkit) antagonism is on the weak side.
Therefore; need at present the urgent technical matters that solves of those skilled in the art to be exactly: the treatment mechanism that proposes a kind of file unlock; file self-shield behavior in order to identification rogue program in the client environment of complexity is also resisted the antagonism of enhancing and the attacking and defending of driving stage rogue program.
Summary of the invention
Technical matters to be solved by this invention provides a kind of method of file unlock, with the antagonism of enhancing and the attacking and defending of driving stage rogue program.
The present invention also provides a kind of device of file unlock, in order to guarantee said method application and realization in practice.
In order to address the above problem, the embodiment of the invention discloses a kind of method of file unlock, comprising:
Trial is carried out deletion action or write operation for file destination;
If described file destination can't be carried out deletion or write operation, then obtain the attribute of described file destination;
If the attribute of described file destination is read-only, then call the read only attribute that self-defining application programming interfaces for the file attribute change are removed described file destination.
Preferably, describedly call the step that self-defining application programming interfaces for file attribute change remove the file destination read only attribute and comprise:
Obtain the attribute changes request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
The described caller input parameter of verification if verification is passed through, is then searched corresponding file object according to described file destination path and is resolved routine in Object Manager;
Resolve routine if find corresponding file object, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the target file attributes change operation information that generates according to described attribute changes request in the described I/O request bag;
By the described target file attributes change of described file system lower floor's equipment foundation operation information, remove the read only attribute of file destination.
Preferably, the described step of obtaining the attribute of file destination comprises:
Call the attribute that self-defining application programming interfaces be used to obtaining file attribute obtain described file destination, specifically comprise:
Obtain the attribute query request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
The described caller input parameter of verification if verification is passed through, is then searched corresponding file object according to described file destination path and is resolved routine in Object Manager;
Resolve routine if find corresponding file object, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the target file attributes query manipulation information that generates according to described attribute query request in the described I/O request bag;
By the described target file attributes query manipulation information of described file system lower floor's equipment foundation, the attribute of query aim file.
Preferably, the described step of obtaining the attribute of file destination comprises:
The application programming interfaces API of call operation system obtains the attribute of described file destination, specifically comprises:
Call the operating system application programming interfaces API:GetFileAttributes of the file attribute acquisition routine that is positioned at user's attitude;
Be positioned at the operating system native applications routine interface Native API:ZwQueryInformationFile of the fileinfo inquiry routine of user's attitude by described GetFileAttributes routine call;
ZwQueryInformationFile routine call by described user's attitude is positioned at the fileinfo inquiry routine ZwQueryInformationFile of kernel state, by the attribute of the ZwQueryInformationFile routine query aim file of described kernel state.
Preferably, behind the read only attribute of removing described file destination, also comprise:
Call operation system application interface API deletes described file destination, specifically comprises:
Call the operating system application programming interfaces API:DeleteFile of the file deletion routine that is positioned at user's attitude;
Be positioned at the operating system native applications routine interface Native API:ZwDeleteFile of the file deletion routine of user's attitude by described DeleteFile routine call;
ZwDeleteFile routine call by described user's attitude is positioned at the file deletion routine ZwDeleteFile of kernel state, by the ZwDeleteFile routine deletion file destination of described kernel state.
Preferably, behind the read only attribute of removing described file destination, also comprise:
Call self-defining application programming interfaces for deleted file and delete described file destination, specifically comprise:
Obtain the removal request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
The described caller input parameter of verification if verification is passed through, is then searched corresponding file object according to described file destination path and is resolved routine in Object Manager;
Resolve routine if find corresponding file object, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the file destination deletion action information that generates according to described removal request in the described I/O request bag;
By the described file destination deletion action information of described file system lower floor's equipment foundation, delete described file destination.
Preferably, describedly in Object Manager, search corresponding file object according to file path and resolve the step of routine and specifically comprise following substep;
Substep S1, judge that whether file path has been disassembled completely, if not, then carries out substep S2; If then carry out substep S4;
Substep S2, disassemble in the outfile path route segment next to be disassembled according to path separators;
Substep S3, the current route segment of disassembling out of employing are searched in Object Manager, judge whether to exist corresponding file object routine; If then return substep S1; If not, then carry out substep S5;
Substep S4, the file object that the described file path of acquisition is corresponding are resolved routine.
Substep S5, return the information that does not find respective file analysis of object routine.
The embodiment of the invention also discloses a kind of device of file unlock, comprising:
Operational module is used for attempting carrying out deletion action or write operation for file destination;
The attribute acquisition module is used for obtaining the attribute of described file destination when described file destination can't be carried out deletion or write operation;
Read only attribute is removed module, is used for when being read-only, calling the read only attribute that self-defining application programming interfaces for the file attribute change are removed described file destination at the attribute of described file destination.
Preferably, described read only attribute removal module comprises:
Attribute changes acquisition request submodule is used for obtaining the attribute changes request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The one IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the target file attributes change operation information that generates according to described attribute changes request in the described I/O request bag, and described I/O request bag is sent to the original address of the file system lower floor equipment that presets; By the described target file attributes change of described file system lower floor's equipment foundation operation information, remove the read only attribute of file destination.
Preferably, described attribute acquisition module comprises:
Attribute query acquisition request submodule is used for obtaining the attribute query request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The 2nd IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the target file attributes query manipulation information that generates according to described attribute query request in the described I/O request bag; And described I/O request bag is sent to the original address of the file system lower floor equipment that presets, by described file system lower floor equipment according to described target file attributes query manipulation information, the attribute of query aim file.
Preferably, described attribute acquisition module comprises:
User's attitude file attribute obtains the API Calls submodule, is used for calling the operating system application programming interfaces API:GetFileAttributes of the file attribute acquisition routine that is positioned at user's attitude;
User's attitude file attribute obtains Native API Calls submodule, is used for being positioned at by described GetFileAttributes routine call the operating system native applications routine interface Native API:ZwQueryInformationFile of the fileinfo inquiry routine of user's attitude;
The kernel state file attribute obtains Native API Calls submodule, be used for being positioned at by the ZwQueryInformationFile routine call of described user's attitude the fileinfo inquiry routine ZwQueryInformationFile of kernel state, by the attribute of the ZwQueryInformationFile routine query aim file of described kernel state.
Preferably, described device also comprises:
The first removing module is used for behind the read only attribute of removing described file destination, and call operation system application interface API deletes described file destination, specifically comprises:
User's attitude file deletion API Calls submodule is used for calling the file that is positioned at user's attitude and deletes the operating system application programming interfaces API:DeleteFile of routine;
User's attitude file deletion Native API Calls submodule is for the operating system native applications routine interface NativeAPI:ZwDeleteFile of the file deletion routine that is positioned at user's attitude by described DeleteFile routine call;
Kernel state file deletion Native API Calls submodule, the file that is positioned at kernel state for the ZwDeleteFile routine call by described user's attitude is deleted routine ZwDeleteFile, by the ZwDeleteFile routine deletion file destination of described kernel state.
Preferably, described device also comprises:
The second removing module is used for calling self-defining application programming interfaces for deleted file and deleting described file destination behind the read only attribute of removing described file destination, specifically comprises:
File deletion requests is obtained submodule, is used for obtaining the removal request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The 3rd IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the file destination deletion action information that generates according to described removal request in the described I/O request bag, and described I/O request bag is sent to the original address of the file system lower floor equipment that presets, by the described file destination deletion action information of described file system lower floor's equipment foundation, delete described file destination.
Compared with prior art, the present invention has the following advantages:
The present invention carries out deletion action or write operation by trial for file destination, and when described file destination can't be carried out deletion or write operation, then obtains the attribute of described file destination; If the attribute of described file destination is read-only, then call the read only attribute that self-defining application programming interfaces for the file attribute change are removed described file destination, then the file destination of removing read only attribute is carried out the operation of release and pulverizing.File unlock provided by the present invention, pulverizing mechanism not only safety, reliable, success ratio is high; and the file self-shield behavior that can identify rogue program in the client environment of complexity is also resisted, and has strengthened the antagonism with the attacking and defending of driving stage rogue program.
Description of drawings
Fig. 1 is the flow chart of steps of the embodiment of the method for a kind of file unlock of the present invention;
Fig. 2 is the structured flowchart of the device embodiment of a kind of file unlock of the present invention.
Embodiment
For above-mentioned purpose of the present invention, feature and advantage can be become apparent more, the present invention is further detailed explanation below in conjunction with the drawings and specific embodiments.
With reference to figure 1, show the flow chart of steps of the embodiment of the method for a kind of file unlock of the present invention, specifically can may further comprise the steps:
Step 101, trial are carried out deletion action or write operation for file destination;
In Windows operating system user attitude, can use function DeleteFile, ZwDeleteFile to attempt the deletion file destination; In Windows operating system nucleus attitude, can use function ZwDeleteFile to attempt the deletion file destination.Particularly, namely by calling the operating system application programming interfaces API:DeleteFile of the file deletion routine that is positioned at user's attitude; Then be positioned at the operating system native applications routine interface Native API:ZwDeleteFile of the file deletion routine of user's attitude by described DeleteFile routine call; Be positioned at again the file deletion routine ZwDeleteFile of kernel state by the ZwDeleteFile routine call of described user's attitude, attempt the deletion file destination by the ZwDeleteFile routine of described kernel state.More specifically, the ZwDeleteFile routine of the inner meeting of the DeleteFile routine of described user's attitude invoke user attitude, after the ZwDeleteFile routine of the ZwDeleteFile routine call kernel state of user's attitude, the operation of the inner meeting of the ZwDeleteFile routine of kernel state performance objective file deletion.
In Windows operating system user attitude, can use function WriteFile, ZwWriteFile to attempt writing content to file destination; In Windows operating system nucleus attitude, can use function ZwWriteFile to attempt writing content to file destination.Particularly, namely write the operating system application programming interfaces API:WriteFile of routine by calling the file that is positioned at user's attitude; Then the file that is positioned at user's attitude by described WriteFile routine call writes the operating system native applications routine interface Native API:ZwWriteFile of routine; ZwWriteFile routine call by the described user's attitude file that is positioned at kernel state writes routine ZwWriteFile again, attempts writing content to file destination by the ZwWriteFile routine of described kernel state.More specifically, the ZwWriteFile routine of the inner meeting of the WriteFile routine of described user's attitude invoke user attitude, after the ZwWriteFile routine of the ZwWriteFile routine call kernel state of user's attitude, the ZwWriteFile routine of kernel state is inner can carry out the operation that writes content to file destination.
Need to prove that above-mentioned deletion action and write operation all are to carry out in situation about opening file.In embodiments of the present invention, described file comprises the file of the type of supporting in the WINDOWS operating system, and described File Open does not refer to by double-clicking mouse or by the triggering modes such as enter key open file (such as the file of the types such as * .exe, * .doc); And refer to (use the present invention with operating system API or self-defining application programming interfaces BAPI of the present invention, can call the storehouse in the complete realization of operating system user attitude interface one cover file operation) CreateFile () function etc. open file, obtain the operation of file handle just can further operate this document because only obtain behind the file handle.
From the function calling method angle, the indication file " is opened " and is mainly comprised following several situation in the embodiment of the invention:
1, use Windows standard A PI CreateFile function to open file destination;
2, use Windows Native API ZwCreateFile/NtCreateFile function to open file destination;
3, use Windows Native API ZwOpenFile/NtOpenFile function to open file destination.
Wherein, the parameter d wCreationDisposition of CreateFile can the control function behavior be " creating new file " or " opening the file that has existed ".
If the described file destination of step 102 can't be carried out deletion or write operation, then obtain the attribute of described file destination;
In practice, if receive the call error code of above-mentioned file destination deletion or write operation, then obtain the attribute information of this file destination.For example, if file destination has read only attribute, then above-mentioned calling can be returned error code, with reference to being described as among the MSDN of Microsoft: " If the file is aread-only file; the function fails with ERROR_ACCESS_DENIED (if file is read-only file, then because the ERROR_ACCESS_DENIED malloc failure malloc) "; Wherein, ERROR_ACCESS_DENIED is a numerical value, and value is 5.Its definition is arranged in the WINERROR.H of Microsoft header file, and is as follows:
Figure BDA0000071554830000091
In Windows operating system user attitude, can use the attribute (this process is initiatively to initiate, and namely caller initiatively calls the GetFileAttributes function) of function G etFileAttributes, ZwQueryInformationFile query aim file; In Windows operating system nucleus attitude, can use function ZwQueryInformationFile inquiry file attribute.
Namely in a preferred embodiment of the present invention, the attribute of described file destination can obtain by the application programming interfaces API of call operation system, specifically can comprise following substep:
Substep S11, call the operating system application programming interfaces API:GetFileAttributes of the file attribute acquisition routine that is positioned at user's attitude;
Substep S 12, be positioned at the operating system native applications routine interface Native API:ZwQueryInformationFile of the fileinfo inquiry routine of user's attitude by described GetFileAttributes routine call;
Substep S 13, the ZwQueryInformationFile routine call by described user's attitude are positioned at the fileinfo inquiry routine ZwQueryInformationFile of kernel state, by the attribute of the ZwQueryInformationFile routine query aim file of described kernel state.
More specifically, the ZwQueryInformationFile routine of the inner meeting of the GetFileAttributes routine of described user's attitude invoke user attitude, after the ZwQueryInformationFile routine of the ZwQueryInformationFile routine call kernel state of user's attitude, the inner operation that can carry out the query aim file attribute of the ZwQueryInformationFile routine of kernel state.
In practice, the rreturn value of GetFileAttributes function is a numerical value (set), " positions " different in the numerical value (Bit) represent different implications, and wherein macro-variable FILE_ATTRIBUTE_READONLY (value is 0x01) expression is read-only.The principle of ZwQueryInformationFile and GetFileAttributes function is similar, it can be filled in file attribute information in the FileAttributes territory of return structure FILE_BASIC_INFORMATION, and wherein FILE_ATTRIBUTE_READONLY represents read-only.
In another kind of preferred embodiment of the present invention, the attribute of described file destination can obtain by calling self-defining application programming interfaces be used to obtaining file attribute, specifically can comprise following substep:
Substep S21, obtain the attribute query request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
Substep S22, the described caller input parameter of verification if verification is passed through, are then searched corresponding file object according to described file destination path and are resolved routine in Object Manager;
If substep S23 finds corresponding file object and resolves routine, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the target file attributes query manipulation information that generates according to described attribute query request in the described I/O request bag;
Substep S24, by described file system lower floor equipment according to described target file attributes query manipulation information, the attribute of query aim file.
In an embodiment of the present invention, searching corresponding file object according to file path in Object Manager among the described substep S22 resolves the step of routine and specifically comprises following substep;
Substep S221, judge that whether file path has been disassembled completely, if not, then carries out substep S222; If then carry out substep S224;
Substep S222, disassemble in the outfile path route segment next to be disassembled according to path separators;
Substep S223, the current route segment of disassembling out of employing are searched in Object Manager, judge whether to exist corresponding file object routine; If then return substep S221; If not, then carry out substep S225;
Substep S224, the file object that the described file path of acquisition is corresponding are resolved routine.
Substep S225, return the information that does not find respective file analysis of object routine.
In specific implementation, can make up in advance the OpenPacket structure of Object Manager inquiry, based on path separators " " circulation disassembles file path, for example, file path is: c: a b.txt, the route segment of then disassembling out for the first time is c:, the route segment of disassembling out for the second time is: c: a, the route segment of disassembling out for the third time is: c: a b.txt, namely in the embodiment of the invention, the mode that is based on recursive call is disassembled file path.
Safeguard in the Object Manager zippered object Hash table is arranged, based on the route segment object search manager of disassembling out at every turn, if can find corresponding analysis of object routine ParseProcedure, the file path that then continues is next time disassembled, and based on the route segment of disassembling out and the route segment object search manager disassembled out before next time, if it is complete that current file path is disassembled fully through the circulation parsing, it is that file object corresponding to current file path resolved routine that the file object that then finds through the object search manager is resolved routine ParseRoutine.
In practice, the caller process can be obtained request by calling self-defining FSGetFileAttributes routine initiation file attribute in user's attitude, the operating system nucleus attitude drives to be obtained and the described request from user's attitude of verification, make up the circulation of data query structure and resolve the file path that imports into, finally find the object type of safeguarding in the Object Manager, this process has effectively been resisted the interior danger of abduction of kernel state.After this, the operating system nucleus attitude drives and makes up and fill the IRP request data package, be sent to the original address place of predetermined file system lower floor equipment, third party's filtration drive (other fail-safe softwares, driving stage rogue program) on this moment file system call stack penetrated (bypass, bypass).In brief, i.e. the present invention has effectively avoided the risk that exists on the file execution route of legacy operating system by setting up new, believable, as can to penetrate a filtration drive file operation execution route.
If the attribute of the described file destination of step 103 is read-only, then remove the read only attribute of described file destination.
If file has read only attribute, then file will not allow to be written into and to delete, and in this case, then can only could continue file operation by removing read only attribute.
In Windows operating system user attitude, can use function SetFileAttributes, ZwSetInformationFile that the attribute (this process also is initiatively to initiate) of a file is set; In Windows operating system nucleus attitude, can use function ZwSetInformationFile that file attribute is set.If the function such as SetFileAttributes, ZwSetInformationFile arranges the file attribute success, function can return " non-zero " (relatively " zero ", generally be 1), the failure function that sets a property returns " zero ", and this point has description in the MSDN document:
Return?Values:
Nonzero?indicates?success.Zero?indicates?failure.
Yet, in practice, calling above-mentioned API the risk that file attribute exists great data stream to be tampered is set, the layering method of calling of operating system has brought many chances for the rogue program of driving stage.
Thereby in a preferred embodiment of the present invention, the read only attribute of described file destination need to be removed by calling self-defining application programming interfaces for the file attribute change, specifically can comprise following substep:
Substep S31, obtain the attribute changes request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
Substep S32, the described caller input parameter of verification if verification is passed through, are then searched corresponding file object according to described file destination path and are resolved routine in Object Manager;
If substep S33 finds corresponding file object and resolves routine, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the target file attributes change operation information that generates according to described attribute changes request in the described I/O request bag;
Substep S34, by described file system lower floor equipment according to described target file attributes change operation information, remove the read only attribute of file destination.
More specifically, the caller process can be initiated in user's attitude the change request of file attribute by calling self-defining FSSetFileAttributes routine, wherein, comprise the caller input parameter in the described request, comprise file path and user's attitude address in the described input parameter; The FSSetFileAttributes routine of user's attitude can be converted to the UNICODE type with the ANSI correlation parameter in the caller input parameter, and calls corresponding file operation interface wide character FSSetFileAttributes routine; Then the type according to system platform makes up the kernel state structural parameters, generates corresponding file operation control code according to described kernel state structural parameters, and is sent to the operating system nucleus attitude; The operating system nucleus attitude drives the file attribute change request of obtaining, verification caller input parameter, and the described user's attitude of reconstruct (Captured) address is to the kernel state memory headroom; The kernel state of FSSetFileAttributes routine is partly understood the verified users attitude and is imported parameter into, makes up the OpenPacket structure, and the zip mode object Hash table of file path form and the maintenance of object search manager is resolved in circulation.Specifically can adopt path separators " " disassemble the file path of input, the zip mode object Hash table that the path part object search manager of disassembling out is safeguarded finds out corresponding ParseProcedure.Resolve when complete in circulation, just think the ParseRoutine routine that has found object.The inner original address place that can make up and fill the IRP request data package and be sent to file system lower floor equipment of Parse Routine finishes the constructive process that file penetrates.At this moment, the third party's filtration drive on the file system call stack (other fail-safe softwares, driving stage rogue program) is bypassed.Then carry out concrete file attribute change operation by file system lower floor equipment.
In specific implementation, described file attribute change operation comprises at least the operation of removing read only attribute can also comprise the operation of being arranged to other attribute according to actual conditions, as hiding attribute etc. is set, and the present invention is not restricted this.
For the application of file unlock and pulverizing, the embodiment of the invention can also comprise the steps:
Behind the read only attribute of removing described file destination, call operation system application interface API or self-defining application programming interfaces for deleted file are deleted described file destination.
If call operation system application interface API deletes described file destination, then specifically can comprise following substep:
Substep S41, call the operating system application programming interfaces API:DeleteFile of the file deletion routine that is positioned at user's attitude;
Substep S42, be positioned at the operating system native applications routine interface Native API:ZwDeleteFile of the file deletion routine of user's attitude by described DeleteFile routine call;
Substep S43, the ZwDeleteFile routine call by described user's attitude are positioned at the file deletion routine ZwDeleteFile of kernel state, by the ZwDeleteFile routine deletion file destination of described kernel state.
Delete described file destination if call self-defining application programming interfaces for deleted file, then specifically can comprise following substep:
Substep S51, obtain the removal request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
Substep S52, the described caller input parameter of verification if verification is passed through, are then searched corresponding file object according to described file destination path and are resolved routine in Object Manager;
If substep S53 finds corresponding file object and resolves routine, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the file destination deletion action information that generates according to described removal request in the described I/O request bag;
Substep S54, by described file system lower floor equipment according to described file destination deletion action information, delete described file destination.
Need to prove, for embodiment of the method, for simple description, so it all is expressed as a series of combination of actions, but those skilled in the art should know, the present invention is not subjected to the restriction of described sequence of movement, because according to the present invention, some step can adopt other orders or carry out simultaneously.Secondly, those skilled in the art also should know, the embodiment described in the instructions all belongs to preferred embodiment, and related action and module might not be that the present invention is necessary.In addition, identical similar part is mutually referring to getting final product in above-described embodiment, and the present invention does not repeat them here.
With reference to figure 2, show the structured flowchart of the device embodiment of a kind of file unlock of the present invention, specifically can comprise with lower module:
Operational module 21 is used for attempting carrying out deletion action or write operation for file destination;
Attribute acquisition module 22 is used for obtaining the attribute of described file destination when described file destination can't be carried out deletion or write operation;
Read only attribute is removed module 23, is used for when being read-only, calling the read only attribute that self-defining application programming interfaces for the file attribute change are removed described file destination at the attribute of described file destination.
In a preferred embodiment of the present invention, described read only attribute is removed module 23 can comprise following submodule:
Attribute changes acquisition request submodule is used for obtaining the attribute changes request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The one IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the target file attributes change operation information that generates according to described attribute changes request in the described I/O request bag, and described I/O request bag is sent to the original address of the file system lower floor equipment that presets; By the described target file attributes change of described file system lower floor's equipment foundation operation information, remove the read only attribute of file destination.
In a preferred embodiment of the present invention, described attribute acquisition module 22 can comprise following submodule:
Attribute query acquisition request submodule is used for obtaining the attribute query request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The 2nd IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the target file attributes query manipulation information that generates according to described attribute query request in the described I/O request bag; And described I/O request bag is sent to the original address of the file system lower floor equipment that presets, by described file system lower floor equipment according to described target file attributes query manipulation information, the attribute of query aim file.
In another kind of preferred embodiment of the present invention, described attribute acquisition module 22 specifically can comprise following submodule:
User's attitude file attribute obtains the API Calls submodule, is used for calling the operating system application programming interfaces API:GetFileAttributes of the file attribute acquisition routine that is positioned at user's attitude;
User's attitude file attribute obtains Native API Calls submodule, is used for being positioned at by described GetFileAttributes routine call the operating system native applications routine interface Native API:ZwQueryInformationFile of the fileinfo inquiry routine of user's attitude;
The kernel state file attribute obtains Native API Calls submodule, be used for being positioned at by the ZwQueryInformationFi1e routine call of described user's attitude the fileinfo inquiry routine ZwQueryInformationFi1e of kernel state, by the attribute of the ZwQueryInformationFi1e routine query aim file of described kernel state.
In the example of a kind of concrete application of file unlock and pulverizing, the embodiment of the invention can also comprise with lower module:
The first removing module is used for behind the read only attribute of removing described file destination, and call operation system application interface API deletes described file destination, specifically comprises:
User's attitude file deletion API Calls submodule is used for calling the file that is positioned at user's attitude and deletes the operating system application programming interfaces API:DeleteFile of routine;
User's attitude file deletion Native API Calls submodule is for the operating system native applications routine interface NativeAPI:ZwDeleteFile of the file deletion routine that is positioned at user's attitude by described DeleteFile routine call;
Kernel state file deletion Native API Calls submodule, the file that is positioned at kernel state for the ZwDeleteFile routine call by described user's attitude is deleted routine ZwDeleteFile, by the ZwDeleteFile routine deletion file destination of described kernel state.
In the another kind of concrete example of using of file unlock and pulverizing, the embodiment of the invention can also comprise with lower module:
The second removing module is used for calling self-defining application programming interfaces for deleted file and deleting described file destination behind the read only attribute of removing described file destination, specifically comprises:
File deletion requests is obtained submodule, is used for obtaining the removal request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The 3rd IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the file destination deletion action information that generates according to described removal request in the described I/O request bag, and described I/O request bag is sent to the original address of the file system lower floor equipment that presets, by the described file destination deletion action information of described file system lower floor's equipment foundation, delete described file destination.
Because described device embodiment is substantially corresponding to preceding method embodiment, so not detailed part in the description of present embodiment can referring to the related description in the previous embodiment, just not given unnecessary details at this.
The present invention can be used in numerous general or special purpose computingasystem environment or the configuration.For example: personal computer, server computer, handheld device or portable set, plate equipment, multicomputer system, the system based on microprocessor, set top box, programmable consumer-elcetronics devices, network PC, small-size computer, mainframe computer, comprise distributed computing environment of above any system or equipment etc.
The present invention can describe in the general context of the computer executable instructions of being carried out by computing machine, for example program module.Usually, program module comprises the routine carrying out particular task or realize particular abstract data type, program, object, assembly, data structure etc.Also can in distributed computing environment, put into practice the present invention, in these distributed computing environment, be executed the task by the teleprocessing equipment that is connected by communication network.In distributed computing environment, program module can be arranged in the local and remote computer-readable storage medium that comprises memory device.
More than the method for a kind of file unlock provided by the present invention and a kind of device of file unlock are described in detail, used specific case herein principle of the present invention and embodiment are set forth, the explanation of above embodiment just is used for helping to understand method of the present invention and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, all will change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.

Claims (13)

1. the method for a file unlock is characterized in that, comprising:
Trial is carried out deletion action or write operation for file destination;
If described file destination can't be carried out deletion or write operation, then obtain the attribute of described file destination;
If the attribute of described file destination is read-only, then call the read only attribute that self-defining application programming interfaces for the file attribute change are removed described file destination.
2. the method for claim 1 is characterized in that, describedly calls the step that self-defining application programming interfaces for file attribute change remove the file destination read only attribute and comprises:
Obtain the attribute changes request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
The described caller input parameter of verification if verification is passed through, is then searched corresponding file object according to described file destination path and is resolved routine in Object Manager;
Resolve routine if find corresponding file object, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the target file attributes change operation information that generates according to described attribute changes request in the described I/O request bag;
By the described target file attributes change of described file system lower floor's equipment foundation operation information, remove the read only attribute of file destination.
3. method as claimed in claim 2 is characterized in that, the described step of obtaining the attribute of file destination comprises:
Call the attribute that self-defining application programming interfaces be used to obtaining file attribute obtain described file destination, specifically comprise:
Obtain the attribute query request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
The described caller input parameter of verification if verification is passed through, is then searched corresponding file object according to described file destination path and is resolved routine in Object Manager;
Resolve routine if find corresponding file object, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the target file attributes query manipulation information that generates according to described attribute query request in the described I/O request bag;
By the described target file attributes query manipulation information of described file system lower floor's equipment foundation, the attribute of query aim file.
4. method as claimed in claim 1 or 2 is characterized in that, the described step of obtaining the attribute of file destination comprises:
The application programming interfaces API of call operation system obtains the attribute of described file destination, specifically comprises:
Call the operating system application programming interfaces API:GetFileAttribute s of the file attribute acquisition routine that is positioned at user's attitude;
Be positioned at the operating system native applications routine interface Native API:ZwQueryInformationFile of the fileinfo inquiry routine of user's attitude by described GetFileAttributes routine call;
ZwQueryInformationFile routine call by described user's attitude is positioned at the fileinfo inquiry routine ZwQueryInformationFile of kernel state, by the attribute of the ZwQueryInformationFile routine query aim file of described kernel state.
5. such as claim 1,2 or 3 described methods, it is characterized in that, behind the read only attribute of removing described file destination, also comprise:
Call operation system application interface API deletes described file destination, specifically comprises:
Call the operating system application programming interfaces API:DeleteFile of the file deletion routine that is positioned at user's attitude;
Be positioned at the operating system native applications routine interface Native API:ZwDeleteFile of the file deletion routine of user's attitude by described DeleteFile routine call;
ZwDeleteFile routine call by described user's attitude is positioned at the file deletion routine ZwDeleteFile of kernel state, by the ZwDeleteFile routine deletion file destination of described kernel state.
6. such as claim 1,2 or 3 described methods, it is characterized in that, behind the read only attribute of removing described file destination, also comprise:
Call self-defining application programming interfaces for deleted file and delete described file destination, specifically comprise:
Obtain the removal request for file destination, comprise the caller input parameter in the described request, comprise the path of file destination in the described input parameter;
The described caller input parameter of verification if verification is passed through, is then searched corresponding file object according to described file destination path and is resolved routine in Object Manager;
Resolve routine if find corresponding file object, then resolve routine according to described file object and generate I/O request bag, and be sent to the original address of the file system lower floor equipment that presets; Wherein, comprise the file destination deletion action information that generates according to described removal request in the described I/O request bag;
By the described file destination deletion action information of described file system lower floor's equipment foundation, delete described file destination.
7. such as claim 2,3 or 6 described methods, it is characterized in that, describedly in Object Manager, search corresponding file object according to file path and resolve the step of routine and specifically comprise following substep;
Substep S1, judge that whether file path has been disassembled completely, if not, then carries out substep S2; If then carry out substep S4;
Substep S2, disassemble in the outfile path route segment next to be disassembled according to path separators;
Substep S3, the current route segment of disassembling out of employing are searched in Object Manager, judge whether to exist corresponding file object routine; If then return substep S1; If not, then carry out substep S5;
Substep S4, the file object that the described file path of acquisition is corresponding are resolved routine.
Substep S5, return the information that does not find respective file analysis of object routine.
8. the device of a file unlock is characterized in that, comprising:
Operational module is used for attempting carrying out deletion action or write operation for file destination;
The attribute acquisition module is used for obtaining the attribute of described file destination when described file destination can't be carried out deletion or write operation;
Read only attribute is removed module, is used for when being read-only, calling the read only attribute that self-defining application programming interfaces for the file attribute change are removed described file destination at the attribute of described file destination.
9. device as claimed in claim 8 is characterized in that, described read only attribute is removed module and comprised:
Attribute changes acquisition request submodule is used for obtaining the attribute changes request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The one IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the target file attributes change operation information that generates according to described attribute changes request in the described I/O request bag, and described I/O request bag is sent to the original address of the file system lower floor equipment that presets; By the described target file attributes change of described file system lower floor's equipment foundation operation information, remove the read only attribute of file destination.
10. device as claimed in claim 9 is characterized in that, described attribute acquisition module comprises:
Attribute query acquisition request submodule is used for obtaining the attribute query request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The 2nd IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the target file attributes query manipulation information that generates according to described attribute query request in the described I/O request bag; And described I/O request bag is sent to the original address of the file system lower floor equipment that presets, by described file system lower floor equipment according to described target file attributes query manipulation information, the attribute of query aim file.
11. install as claimed in claim 8 or 9, it is characterized in that described attribute acquisition module comprises:
User's attitude file attribute obtains the API Calls submodule, is used for calling the operating system application programming interfaces API:GetFileAttributes of the file attribute acquisition routine that is positioned at user's attitude;
User's attitude file attribute obtains Native API Calls submodule, is used for being positioned at by described GetFileAttributes routine call the operating system native applications routine interface Native API:ZwQueryInformationFile of the fileinfo inquiry routine of user's attitude;
The kernel state file attribute obtains Native API Calls submodule, be used for being positioned at by the ZwQueryInformationFile routine call of described user's attitude the fileinfo inquiry routine ZwQueryInformationFile of kernel state, by the attribute of the ZwQueryInformationFile routine query aim file of described kernel state.
12. such as claim 8,9 or 10 described devices, it is characterized in that, also comprise:
The first removing module is used for behind the read only attribute of removing described file destination, and call operation system application interface API deletes described file destination, specifically comprises:
User's attitude file deletion API Calls submodule is used for calling the file that is positioned at user's attitude and deletes the operating system application programming interfaces API:DeleteFile of routine;
User's attitude file deletion Native API Calls submodule is for the operating system native applications routine interface NativeAPI:ZwDeleteFile of the file deletion routine that is positioned at user's attitude by described DeleteFile routine call;
Kernel state file deletion Native API Calls submodule, the file that is positioned at kernel state for the ZwDeleteFile routine call by described user's attitude is deleted routine ZwDeleteFile, by the ZwDeleteFile routine deletion file destination of described kernel state.
13. such as claim 8,9 or 10 described devices, it is characterized in that, also comprise:
The second removing module is used for calling self-defining application programming interfaces for deleted file and deleting described file destination behind the read only attribute of removing described file destination, specifically comprises:
File deletion requests is obtained submodule, is used for obtaining the removal request for file destination, comprises the caller input parameter in the described request, comprises the path of file destination in the described input parameter;
The parameter verification submodule is used for the described caller input parameter of verification, if verification is passed through, then triggers object and searches submodule;
Object is searched submodule, is used for searching corresponding file object according to described file destination path at Object Manager and resolves routine;
The 3rd IRP bag sends submodule, be used for when finding corresponding file object parsing routine, resolve routine according to described file object and generate I/O request bag, comprise the file destination deletion action information that generates according to described removal request in the described I/O request bag, and described I/O request bag is sent to the original address of the file system lower floor equipment that presets, by the described file destination deletion action information of described file system lower floor's equipment foundation, delete described file destination.
CN201110175414.4A 2011-06-27 2011-06-27 File unlocking method and file unlocking device Active - Reinstated CN102855436B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110175414.4A CN102855436B (en) 2011-06-27 2011-06-27 File unlocking method and file unlocking device
CN201510145493.2A CN104732142B (en) 2011-06-27 2011-06-27 A kind of method and device of file unblock

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110175414.4A CN102855436B (en) 2011-06-27 2011-06-27 File unlocking method and file unlocking device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201510145493.2A Division CN104732142B (en) 2011-06-27 2011-06-27 A kind of method and device of file unblock

Publications (2)

Publication Number Publication Date
CN102855436A true CN102855436A (en) 2013-01-02
CN102855436B CN102855436B (en) 2015-06-24

Family

ID=47402019

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110175414.4A Active - Reinstated CN102855436B (en) 2011-06-27 2011-06-27 File unlocking method and file unlocking device

Country Status (1)

Country Link
CN (1) CN102855436B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105205109A (en) * 2015-08-27 2015-12-30 浪潮(北京)电子信息产业有限公司 File management method, device and system
CN108038035A (en) * 2017-12-08 2018-05-15 郑州云海信息技术有限公司 A kind of detection method and relevant apparatus of flash reading and writing state
CN109121015A (en) * 2018-10-17 2019-01-01 武汉斗鱼网络科技有限公司 A kind of method and relevant apparatus for converting barrage format
CN111078647A (en) * 2019-11-22 2020-04-28 北京安兔兔科技有限公司 Method and device for creating uncompressed file, method and device for testing magnetic disk and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373505A (en) * 2008-06-17 2009-02-25 华为技术有限公司 Method and apparatus for releasing handle and file deleting system
CN101452454A (en) * 2007-11-30 2009-06-10 华为技术有限公司 File set sharing method and device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101452454A (en) * 2007-11-30 2009-06-10 华为技术有限公司 File set sharing method and device
CN101373505A (en) * 2008-06-17 2009-02-25 华为技术有限公司 Method and apparatus for releasing handle and file deleting system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
开采: ""另类方法赶走无法删除的病毒"", 《网络与信息》, vol. 2008, no. 4, 30 April 2008 (2008-04-30) *
无: ""清除电脑中‘无法删除的病毒’"", 《计算机与网络》, vol. 2007, no. 19, 15 October 2007 (2007-10-15) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105205109A (en) * 2015-08-27 2015-12-30 浪潮(北京)电子信息产业有限公司 File management method, device and system
CN108038035A (en) * 2017-12-08 2018-05-15 郑州云海信息技术有限公司 A kind of detection method and relevant apparatus of flash reading and writing state
CN109121015A (en) * 2018-10-17 2019-01-01 武汉斗鱼网络科技有限公司 A kind of method and relevant apparatus for converting barrage format
CN111078647A (en) * 2019-11-22 2020-04-28 北京安兔兔科技有限公司 Method and device for creating uncompressed file, method and device for testing magnetic disk and electronic equipment
CN111078647B (en) * 2019-11-22 2023-09-22 北京安兔兔科技有限公司 Method and device for creating uncompressed file and testing magnetic disk and electronic equipment

Also Published As

Publication number Publication date
CN102855436B (en) 2015-06-24

Similar Documents

Publication Publication Date Title
US11716349B2 (en) Machine learning detection of database injection attacks
CN103020524B (en) Computer virus supervisory system
US8397292B2 (en) Method and device for online secure logging-on
Lanzi et al. Accessminer: using system-centric models for malware protection
CN103049695B (en) A kind of method for supervising of computer virus and device
CN103473501B (en) A kind of Malware method for tracing based on cloud security
CN102855435B (en) A kind of method of file unlock, pulverizing and device
CN103294950A (en) High-power secret information stealing malicious code detection method and system based on backward tracing
CN103246849A (en) Safe running method based on ROST under Windows
CN102855436B (en) File unlocking method and file unlocking device
Dalai et al. Neutralizing SQL injection attack using server side code modification in web applications
Hannousse et al. Handling webshell attacks: A systematic mapping and survey
CN103218561A (en) Tamper-proof method and device for protecting browser
CN103473353B (en) Web safety-oriented database security protection method and system
CN102855437B (en) A kind of method of file unlock and device
CN104732142A (en) Method and device for unlocking file
Zhang et al. SQL injections through back-end of RFID system
CN113114609A (en) Webshell detection evidence obtaining method and system
CN102855431B (en) A kind of method of file unlock, pulverizing and device
CN103246734A (en) Browser homepage locking method
TW202240404A (en) Data processing system and method capable of separating application processes
CN102855438B (en) File unlocking method and device
CN102855433B (en) A kind of method of file unlock and device
CN102855434B (en) File unlocking method and device
CN104732143B (en) A kind of method and device of file unlock

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20151023

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150624

Termination date: 20190627

CF01 Termination of patent right due to non-payment of annual fee
RR01 Reinstatement of patent right

Former decision: Patent right to terminate

Former decision publication date: 20200623

RR01 Reinstatement of patent right
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220318

Address after: 1773, floor 17, floor 15, building 3, No. 10, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right