Summary of the invention
The technical problem to be solved by the present invention is to provide a file unlocking method that strengthens the ability to contend with driver-level malicious programs in attack and defense.
The present invention also provides a file unlocking device, to ensure that the above method can be applied and implemented in practice.
To solve the above problem, an embodiment of the invention discloses a file unlocking method, comprising:
attempting a delete operation or a write operation on a target file;
if the delete or write operation cannot be performed on the target file, obtaining the attributes of the target file;
if the attribute of the target file is read-only, calling a custom application programming interface for changing file attributes to remove the read-only attribute of the target file.
Preferably, the step of calling the custom application programming interface for changing file attributes to remove the read-only attribute of the target file comprises:
obtaining an attribute change request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
verifying the caller input parameters and, if the verification passes, looking up the corresponding file object parse routine in the Object Manager according to the target file path;
if the corresponding file object parse routine is found, generating an I/O request packet (IRP) according to the file object parse routine and sending it to the original address of the preset lower-layer device of the file system, wherein the I/O request packet contains target file attribute change operation information generated according to the attribute change request;
removing, by the lower-layer device of the file system, the read-only attribute of the target file according to the target file attribute change operation information.
Preferably, the step of obtaining the attributes of the target file comprises:
calling a custom application programming interface for obtaining file attributes to obtain the attributes of the target file, which specifically comprises:
obtaining an attribute query request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
verifying the caller input parameters and, if the verification passes, looking up the corresponding file object parse routine in the Object Manager according to the target file path;
if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the original address of the preset lower-layer device of the file system, wherein the I/O request packet contains target file attribute query operation information generated according to the attribute query request;
querying, by the lower-layer device of the file system, the attributes of the target file according to the target file attribute query operation information.
Preferably, the step of obtaining the attributes of the target file comprises:
calling an application programming interface (API) of the operating system to obtain the attributes of the target file, which specifically comprises:
calling GetFileAttributes, the operating system API of the user-mode file attribute acquisition routine;
calling, from the GetFileAttributes routine, ZwQueryInformationFile, the operating system Native API of the user-mode file information query routine;
calling, from the user-mode ZwQueryInformationFile routine, the kernel-mode file information query routine ZwQueryInformationFile, and querying the attributes of the target file by the kernel-mode ZwQueryInformationFile routine.
Preferably, after the read-only attribute of the target file is removed, the method further comprises:
calling an operating system API to delete the target file, which specifically comprises:
calling DeleteFile, the operating system API of the user-mode file deletion routine;
calling, from the DeleteFile routine, ZwDeleteFile, the operating system Native API of the user-mode file deletion routine;
calling, from the user-mode ZwDeleteFile routine, the kernel-mode file deletion routine ZwDeleteFile, and deleting the target file by the kernel-mode ZwDeleteFile routine.
Preferably, after the read-only attribute of the target file is removed, the method further comprises:
calling a custom application programming interface for deleting files to delete the target file, which specifically comprises:
obtaining a delete request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
verifying the caller input parameters and, if the verification passes, looking up the corresponding file object parse routine in the Object Manager according to the target file path;
if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the original address of the preset lower-layer device of the file system, wherein the I/O request packet contains target file delete operation information generated according to the delete request;
deleting, by the lower-layer device of the file system, the target file according to the target file delete operation information.
Preferably, the step of looking up the corresponding file object parse routine in the Object Manager according to the file path specifically comprises the following substeps:
Substep S1: determine whether the file path has been completely split; if not, perform substep S2; if so, perform substep S4;
Substep S2: split off the next path segment to be split from the file path according to the path separator;
Substep S3: search the Object Manager with the path segment just split off and determine whether a corresponding file object routine exists; if so, return to substep S1; if not, perform substep S5;
Substep S4: obtain the file object parse routine corresponding to the file path.
Substep S5: return information indicating that no corresponding file object parse routine was found.
An embodiment of the invention also discloses a file unlocking device, comprising:
an operation module, configured to attempt a delete operation or a write operation on a target file;
an attribute acquisition module, configured to obtain the attributes of the target file when the delete or write operation cannot be performed on the target file;
a read-only attribute removal module, configured to call, when the attribute of the target file is read-only, a custom application programming interface for changing file attributes to remove the read-only attribute of the target file.
Preferably, the read-only attribute removal module comprises:
an attribute change request acquisition submodule, configured to obtain an attribute change request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
a parameter verification submodule, configured to verify the caller input parameters and, if the verification passes, trigger the object lookup submodule;
an object lookup submodule, configured to look up the corresponding file object parse routine in the Object Manager according to the target file path;
a first IRP sending submodule, configured to, when the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine, the I/O request packet containing target file attribute change operation information generated according to the attribute change request, and send the I/O request packet to the original address of the preset lower-layer device of the file system; the lower-layer device of the file system removes the read-only attribute of the target file according to the target file attribute change operation information.
Preferably, the attribute acquisition module comprises:
an attribute query request acquisition submodule, configured to obtain an attribute query request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
a parameter verification submodule, configured to verify the caller input parameters and, if the verification passes, trigger the object lookup submodule;
an object lookup submodule, configured to look up the corresponding file object parse routine in the Object Manager according to the target file path;
a second IRP sending submodule, configured to, when the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine, the I/O request packet containing target file attribute query operation information generated according to the attribute query request, and send the I/O request packet to the original address of the preset lower-layer device of the file system; the lower-layer device of the file system queries the attributes of the target file according to the target file attribute query operation information.
Preferably, the attribute acquisition module comprises:
a user-mode file attribute acquisition API calling submodule, configured to call GetFileAttributes, the operating system API of the user-mode file attribute acquisition routine;
a user-mode file attribute acquisition Native API calling submodule, configured to call, from the GetFileAttributes routine, ZwQueryInformationFile, the operating system Native API of the user-mode file information query routine;
a kernel-mode file attribute acquisition Native API calling submodule, configured to call, from the user-mode ZwQueryInformationFile routine, the kernel-mode file information query routine ZwQueryInformationFile, the kernel-mode ZwQueryInformationFile routine querying the attributes of the target file.
Preferably, the device further comprises:
a first deletion module, configured to call an operating system API to delete the target file after the read-only attribute of the target file is removed, and specifically comprising:
a user-mode file deletion API calling submodule, configured to call DeleteFile, the operating system API of the user-mode file deletion routine;
a user-mode file deletion Native API calling submodule, configured to call, from the DeleteFile routine, ZwDeleteFile, the operating system Native API of the user-mode file deletion routine;
a kernel-mode file deletion Native API calling submodule, configured to call, from the user-mode ZwDeleteFile routine, the kernel-mode file deletion routine ZwDeleteFile, the kernel-mode ZwDeleteFile routine deleting the target file.
Preferably, the device further comprises:
a second deletion module, configured to call a custom application programming interface for deleting files to delete the target file after the read-only attribute of the target file is removed, and specifically comprising:
a file delete request acquisition submodule, configured to obtain a delete request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
a parameter verification submodule, configured to verify the caller input parameters and, if the verification passes, trigger the object lookup submodule;
an object lookup submodule, configured to look up the corresponding file object parse routine in the Object Manager according to the target file path;
a third IRP sending submodule, configured to, when the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine, the I/O request packet containing target file delete operation information generated according to the delete request, and send the I/O request packet to the original address of the preset lower-layer device of the file system; the lower-layer device of the file system deletes the target file according to the target file delete operation information.
Compared with the prior art, the present invention has the following advantages:
The present invention attempts a delete operation or a write operation on a target file and, when the delete or write operation cannot be performed on the target file, obtains the attributes of the target file; if the attribute of the target file is read-only, it calls a custom application programming interface for changing file attributes to remove the read-only attribute of the target file, and then performs the unlock and shred operations on the target file whose read-only attribute has been removed. The file unlocking and shredding mechanism provided by the invention is not only safe and reliable with a high success rate, but can also identify and counter the file self-protection behavior of malicious programs in complex client environments, strengthening the ability to contend with driver-level malicious programs in attack and defense.
Embodiment
To make the above objects, features and advantages of the present invention more apparent, the invention is described in further detail below with reference to the drawings and specific embodiments.
Referring to Figure 1, a flow chart of the steps of an embodiment of a file unlocking method of the present invention is shown, which may specifically comprise the following steps:
Step 101: attempt a delete operation or a write operation on the target file;
In Windows user mode, the functions DeleteFile and ZwDeleteFile can be used to attempt to delete the target file; in Windows kernel mode, the function ZwDeleteFile can be used to attempt to delete the target file. Specifically, DeleteFile, the operating system API of the user-mode file deletion routine, is called; the DeleteFile routine then calls ZwDeleteFile, the operating system Native API of the user-mode file deletion routine; the user-mode ZwDeleteFile routine in turn calls the kernel-mode file deletion routine ZwDeleteFile, and the kernel-mode ZwDeleteFile routine attempts to delete the target file. More specifically, the user-mode DeleteFile routine internally calls the user-mode ZwDeleteFile routine; after the user-mode ZwDeleteFile routine calls the kernel-mode ZwDeleteFile routine, the kernel-mode ZwDeleteFile routine internally performs the deletion of the target file.
In Windows user mode, the functions WriteFile and ZwWriteFile can be used to attempt to write content to the target file; in Windows kernel mode, the function ZwWriteFile can be used to attempt to write content to the target file. Specifically, WriteFile, the operating system API of the user-mode file write routine, is called; the WriteFile routine then calls ZwWriteFile, the operating system Native API of the user-mode file write routine; the user-mode ZwWriteFile routine in turn calls the kernel-mode file write routine ZwWriteFile, and the kernel-mode ZwWriteFile routine attempts to write content to the target file. More specifically, the user-mode WriteFile routine internally calls the user-mode ZwWriteFile routine; after the user-mode ZwWriteFile routine calls the kernel-mode ZwWriteFile routine, the kernel-mode ZwWriteFile routine internally performs the operation of writing content to the target file.
It should be noted that the above delete and write operations are both performed with the file opened. In the embodiments of the present invention, the file includes files of the types supported by the Windows operating system, and "opening" a file does not mean opening it by a trigger such as double-clicking the mouse or pressing the Enter key (as for files of types such as *.exe or *.doc). It means opening the file with a function such as CreateFile() of the operating system API or of BAPI, the custom application programming interface of the present invention (with the present invention, a complete set of file operation call libraries can be implemented at the operating system's user-mode interface), that is, the operation of obtaining a file handle, because the file can be operated on further only after its handle has been obtained.
From the point of view of the function calls used, file "opening" in the embodiments of the present invention mainly covers the following cases:
1. opening the target file with the Windows standard API function CreateFile;
2. opening the target file with the Windows Native API function ZwCreateFile/NtCreateFile;
3. opening the target file with the Windows Native API function ZwOpenFile/NtOpenFile.
Here, the dwCreationDisposition parameter of CreateFile controls whether the function's behavior is "create a new file" or "open a file that already exists".
Step 102: if the delete or write operation cannot be performed on the target file, obtain the attributes of the target file;
In practice, if an error code is returned by the above call to delete or write to the target file, the attribute information of the target file is obtained. For example, if the target file has the read-only attribute, the above call returns an error code, as described in Microsoft's MSDN: "If the file is a read-only file, the function fails with ERROR_ACCESS_DENIED" (that is, if the file is read-only, the function call fails with ERROR_ACCESS_DENIED). ERROR_ACCESS_DENIED is a numeric value, equal to 5. Its definition is in the Microsoft header file WINERROR.H, and is as follows:
In Windows user mode, the functions GetFileAttributes and ZwQueryInformationFile can be used to query the attributes of the target file (this process is initiated actively, that is, the caller actively calls the GetFileAttributes function); in Windows kernel mode, the function ZwQueryInformationFile can be used to query file attributes.
That is, in a preferred embodiment of the present invention, the attributes of the target file can be obtained by calling an operating system API, which may specifically comprise the following substeps:
Substep S11: call GetFileAttributes, the operating system API of the user-mode file attribute acquisition routine;
Substep S12: call, from the GetFileAttributes routine, ZwQueryInformationFile, the operating system Native API of the user-mode file information query routine;
Substep S13: call, from the user-mode ZwQueryInformationFile routine, the kernel-mode file information query routine ZwQueryInformationFile, and query the attributes of the target file by the kernel-mode ZwQueryInformationFile routine.
More specifically, the user-mode GetFileAttributes routine internally calls the user-mode ZwQueryInformationFile routine; after the user-mode ZwQueryInformationFile routine calls the kernel-mode ZwQueryInformationFile routine, the kernel-mode ZwQueryInformationFile routine internally performs the query of the target file's attributes.
In practice, the return value of the GetFileAttributes function is a numeric value (a set of flags) in which different bits carry different meanings; the macro FILE_ATTRIBUTE_READONLY (value 0x01) indicates read-only. ZwQueryInformationFile works on a similar principle to GetFileAttributes: it fills the file attribute information into the FileAttributes field of the returned FILE_BASIC_INFORMATION structure, where FILE_ATTRIBUTE_READONLY indicates read-only.
In another preferred embodiment of the present invention, the attributes of the target file can be obtained by calling a custom application programming interface for obtaining file attributes, which may specifically comprise the following substeps:
Substep S21: obtain an attribute query request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
Substep S22: verify the caller input parameters and, if the verification passes, look up the corresponding file object parse routine in the Object Manager according to the target file path;
Substep S23: if the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine and send it to the original address of the preset lower-layer device of the file system, wherein the I/O request packet contains target file attribute query operation information generated according to the attribute query request;
Substep S24: the lower-layer device of the file system queries the attributes of the target file according to the target file attribute query operation information.
In an embodiment of the present invention, the step in substep S22 of looking up the corresponding file object parse routine in the Object Manager according to the file path specifically comprises the following substeps:
Substep S221: determine whether the file path has been completely split; if not, perform substep S222; if so, perform substep S224;
Substep S222: split off the next path segment to be split from the file path according to the path separator;
Substep S223: search the Object Manager with the path segment just split off and determine whether a corresponding file object routine exists; if so, return to substep S221; if not, perform substep S225;
Substep S224: obtain the file object parse routine corresponding to the file path.
Substep S225: return information indicating that no corresponding file object parse routine was found.
In a specific implementation, an OpenPacket structure for querying the Object Manager can be built in advance, and the file path is split in a loop on the path separator "\". For example, for the file path c:\a\b.txt, the path segment obtained by the first split is c:, by the second split c:\a, and by the third split c:\a\b.txt; that is, in this embodiment of the invention the file path is split by means of recursive calls.
The Object Manager maintains a chained object hash table, which is searched with each path segment that is split off. If the corresponding object parse routine ParseProcedure is found, the next split of the file path is performed, and the Object Manager is searched with the newly split path segment together with the segments split off before it. Once the loop has split the current file path completely, the file object parse routine ParseRoutine found by searching the Object Manager is the file object parse routine corresponding to the current file path.
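The splitting loop of substeps S221 to S225, as an added example that is not code from the patent: a small constructed table (om_table) stands in for the Object Manager's hash table and is searched with the cumulative segments c:, c:\a and c:\a\b.txt. The names om_resolve, om_lookup and the parse_* stubs, and the rejection of empty path segments, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260
#define PATH_SEP '\\'

/* A parse routine, reduced to a function pointer for this example. */
typedef const char *(*parse_routine_t)(void);

static const char *parse_volume(void) { return "volume"; }
static const char *parse_dir(void)    { return "directory"; }
static const char *parse_file(void)   { return "file"; }

/* Constructed stand-in for the Object Manager's object table. */
static const struct { const char *prefix; parse_routine_t parse; } om_table[] = {
    { "c:",           parse_volume },
    { "c:\\a",        parse_dir    },
    { "c:\\a\\b.txt", parse_file   },
};

/* S223: look one cumulative path segment up in the table. */
static parse_routine_t om_lookup(const char *prefix)
{
    size_t i;
    for (i = 0; i < sizeof om_table / sizeof om_table[0]; i++)
        if (strcmp(om_table[i].prefix, prefix) == 0)
            return om_table[i].parse;
    return NULL;
}

/* Returns the parse routine for the whole path, or NULL if any segment is
   unknown or the path is malformed. *segments counts the lookups made. */
parse_routine_t om_resolve(const char *path, int *segments)
{
    char prefix[MAX_PATH_LEN];
    size_t len, pos = 0;
    parse_routine_t found = NULL;

    *segments = 0;
    /* Verify the caller's input before any lookup (assumed checks). */
    if (path == NULL)
        return NULL;
    len = strlen(path);
    if (len == 0 || len >= MAX_PATH_LEN || path[len - 1] == PATH_SEP)
        return NULL;

    while (pos < len) {                                  /* S221 */
        const char *sep = strchr(path + pos, PATH_SEP);  /* S222 */
        size_t end = sep ? (size_t)(sep - path) : len;

        if (end == pos)              /* empty segment, e.g. two separators */
            return NULL;
        memcpy(prefix, path, end);   /* segment = everything up to 'end' */
        prefix[end] = '\0';

        found = om_lookup(prefix);                       /* S223 */
        (*segments)++;
        if (found == NULL)
            return NULL;                                 /* S225 */
        pos = end + 1;
    }
    return found;                                        /* S224 */
}

int main(void)
{
    const char *paths[] = { "c:\\a\\b.txt", "c:\\x\\b.txt", "c:\\\\a" };
    size_t i;
    for (i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int n;
        parse_routine_t r = om_resolve(paths[i], &n);
        printf("%-12s -> %s after %d lookup(s)\n",
               paths[i], r ? r() : "not found", n);
    }
    return 0;
}
```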
In practice, the caller process can initiate a file attribute acquisition request in user mode by calling the custom FSGetFileAttributes routine. The operating system kernel-mode driver obtains and verifies this request from user mode, builds the query data structure, parses the passed-in file path in a loop, and finally finds the object type maintained in the Object Manager; this process effectively resists the risk of hijacking within kernel mode. After this, the kernel-mode driver builds and fills the IRP request packet and sends it to the original address of the predetermined lower-layer device of the file system; at this point the third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) are penetrated (bypassed). In short, by establishing a new, trusted file operation execution path that can penetrate filter drivers, the present invention effectively avoids the risks present on the file execution path of the conventional operating system.
Step 103: if the attribute of the target file is read-only, remove the read-only attribute of the target file.
If a file has the read-only attribute, it cannot be written to or deleted; in this case, file operations can continue only after the read-only attribute has been removed.
In Windows user mode, the functions SetFileAttributes and ZwSetInformationFile can be used to set the attributes of a file (this process is also initiated actively); in Windows kernel mode, the function ZwSetInformationFile can be used to set file attributes. If a function such as SetFileAttributes or ZwSetInformationFile sets the file attributes successfully, the function returns a non-zero value (as opposed to zero; generally 1); if setting the attributes fails, the function returns zero, as described in the MSDN documentation:
Return Values:
Nonzero indicates success. Zero indicates failure.
In practice, however, setting file attributes by calling the above APIs carries a serious risk that the data flow will be tampered with; the layered calling scheme of the operating system gives driver-level malicious programs many opportunities.
Therefore, in a preferred embodiment of the present invention, the read-only attribute of the target file is removed by calling a custom application programming interface for changing file attributes, which may specifically comprise the following substeps:
Substep S31: obtain an attribute change request for the target file, the request containing caller input parameters, and the input parameters containing the path of the target file;
Substep S32: verify the caller input parameters and, if the verification passes, look up the corresponding file object parse routine in the Object Manager according to the target file path;
Substep S33: if the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine and send it to the original address of the preset lower-layer device of the file system, wherein the I/O request packet contains target file attribute change operation information generated according to the attribute change request;
Substep S34: the lower-layer device of the file system removes the read-only attribute of the target file according to the target file attribute change operation information.
More specifically, the caller process can initiate a file attribute change request in user mode by calling the custom FSSetFileAttributes routine, where the request contains caller input parameters and the input parameters contain the file path and a user-mode address. The user-mode FSSetFileAttributes routine converts the ANSI parameters among the caller input parameters to the UNICODE type and calls the corresponding wide-character FSSetFileAttributes routine of the file operation interface; it then builds the kernel-mode structure parameters according to the type of system platform, generates the corresponding file operation control code from those kernel-mode structure parameters, and sends it to the operating system kernel mode. The kernel-mode driver obtains the file attribute change request, verifies the caller input parameters, and captures (reconstructs) the user-mode address into kernel-mode memory space. The kernel-mode part of the FSSetFileAttributes routine verifies the parameters passed in from user mode, builds the OpenPacket structure, parses the file path format in a loop and searches the chained object hash table maintained by the Object Manager. Specifically, the input file path can be split on the path separator "\", and the chained object hash table maintained by the Object Manager is searched with each path part split off to find the corresponding ParseProcedure. When the loop parsing is complete, the ParseRoutine routine of the object is considered to have been found. The ParseRoutine internally builds and fills the IRP request packet and sends it to the original address of the lower-layer device of the file system, completing the creation process of the file penetration. At this point, the third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) are bypassed. The specific file attribute change operation is then performed by the lower-layer device of the file system.
In specific implementation, described file attribute change operation comprises at least the operation of removing read only attribute can also comprise the operation of being arranged to other attribute according to actual conditions, as hiding attribute etc. is set, and the present invention is not restricted this.
For the application of file unlock and pulverizing, the embodiment of the invention can also comprise the steps:
Behind the read only attribute of removing described file destination, call operation system application interface API or self-defining application programming interfaces for deleted file are deleted described file destination.
If the operating system API is called to delete the target file, this may specifically include the following sub-steps:
Sub-step S41: call the operating system API of the file deletion routine located in user mode: DeleteFile;
Sub-step S42: the DeleteFile routine calls the operating system Native API of the file deletion routine located in user mode: ZwDeleteFile;
Sub-step S43: the user-mode ZwDeleteFile routine calls the file deletion routine ZwDeleteFile located in kernel mode, and the kernel-mode ZwDeleteFile routine deletes the target file.
If the self-defined application programming interface for deleting files is called to delete the target file, this may specifically include the following sub-steps:
Sub-step S51: obtain the deletion request for the target file, where the request contains the caller's input parameters and the input parameters contain the path of the target file;
Sub-step S52: verify the caller's input parameters and, if verification passes, search the Object Manager for the corresponding file object parse routine according to the target file path;
Sub-step S53: if the corresponding file object parse routine is found, generate an I/O request packet (IRP) according to the file object parse routine and send it to the original address of the preset file system lower-level device, where the I/O request packet contains the target file deletion operation information generated from the deletion request;
Sub-step S54: the file system lower-level device deletes the target file according to the target file deletion operation information.
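Sub-steps S51 to S54, modelled in portable C as an added example (not the patent's code and not a Windows driver): the input is verified, a request is built and handed either to the top of a device stack or to a saved lower device, and a bitmask records which devices observed it. Request, Device, send_request, the constructed filter that refuses deletes, and the 260-character path bound are assumptions of this model.

```c
#include <stddef.h>
#include <string.h>

enum { OP_SET_ATTR, OP_DELETE };
typedef struct {                  /* toy stand-in for an I/O request packet */
    int op;
    const char *path;
    unsigned seen;                /* bit i is set when device i handled the request */
} Request;

typedef struct Device {
    unsigned id;
    int (*dispatch)(struct Device *self, Request *r);   /* 0 means success */
    struct Device *lower;         /* next device down the stack */
} Device;

static int fs_dispatch(Device *d, Request *r) { r->seen |= 1u << d->id; return 0; }

static int filter_dispatch(Device *d, Request *r) {  /* constructed filter: blocks deletes */
    r->seen |= 1u << d->id;
    if (r->op == OP_DELETE) return -1;
    return d->lower->dispatch(d->lower, r);          /* otherwise pass the request down */
}

static Device fs_dev       = { 0, fs_dispatch, NULL };
static Device filter_dev   = { 1, filter_dispatch, &fs_dev };
static Device *stack_top   = &filter_dev;
static Device *saved_lower = &fs_dev;  /* models the preset "original address" */

/* S52: verify the caller's input before anything reaches a device. */
static int valid_path(const char *p) {
    return p != NULL && p[0] == '\\' && strlen(p) < 260;  /* assumed bound */
}

/* S51, S53, S54: build the request and send it to `target`.
 * Returns -2 for rejected input, otherwise the device's own result. */
static int send_request(Device *target, int op, const char *path, unsigned *seen) {
    Request r = { op, path, 0 };
    if (!valid_path(path)) return -2;
    int rc = target->dispatch(target, &r);
    *seen = r.seen;
    return rc;
}
```

When the request goes to saved_lower, the filter's bit is never set, which is why monitoring placed only at the filter layer has no record of such an operation.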
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention. In addition, identical or similar parts of the above embodiments may be cross-referenced, and the present invention does not repeat them here.
Referring to Fig. 2, a structural block diagram of an embodiment of a file unlocking device of the present invention is shown, which may specifically include the following modules:
Operation module 21, configured to attempt a delete operation or write operation on the target file;
Attribute acquisition module 22, configured to obtain the attributes of the target file when the delete or write operation cannot be performed on the target file;
Read-only attribute removal module 23, configured to call the self-defined application programming interface for file attribute changes to remove the read-only attribute of the target file when the attribute of the target file is read-only.
In a preferred embodiment of the present invention, the read-only attribute removal module 23 may include the following submodules:
Attribute change request acquisition submodule, configured to obtain the attribute change request for the target file, where the request contains the caller's input parameters and the input parameters contain the path of the target file;
Parameter verification submodule, configured to verify the caller's input parameters and, if verification passes, trigger the object lookup submodule;
Object lookup submodule, configured to search the Object Manager for the corresponding file object parse routine according to the target file path;
First IRP packet sending submodule, configured to, when the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine, where the I/O request packet contains the target file attribute change operation information generated from the attribute change request, and to send the I/O request packet to the original address of the preset file system lower-level device; the file system lower-level device removes the read-only attribute of the target file according to the target file attribute change operation information.
In a preferred embodiment of the present invention, the attribute acquisition module 22 may include the following submodules:
Attribute query request acquisition submodule, configured to obtain the attribute query request for the target file, where the request contains the caller's input parameters and the input parameters contain the path of the target file;
Parameter verification submodule, configured to verify the caller's input parameters and, if verification passes, trigger the object lookup submodule;
Object lookup submodule, configured to search the Object Manager for the corresponding file object parse routine according to the target file path;
Second IRP packet sending submodule, configured to, when the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine, where the I/O request packet contains the target file attribute query operation information generated from the attribute query request, and to send the I/O request packet to the original address of the preset file system lower-level device; the file system lower-level device queries the attributes of the target file according to the target file attribute query operation information.
In another preferred embodiment of the present invention, the attribute acquisition module 22 may specifically include the following submodules:
User-mode file attribute acquisition API calling submodule, configured to call the operating system API of the file attribute acquisition routine located in user mode: GetFileAttributes;
User-mode file attribute acquisition Native API calling submodule, configured to call, through the GetFileAttributes routine, the operating system Native API of the file information query routine located in user mode: ZwQueryInformationFile;
Kernel-mode file attribute acquisition Native API calling submodule, configured to call, through the user-mode ZwQueryInformationFile routine, the file information query routine ZwQueryInformationFile located in kernel mode, so that the kernel-mode ZwQueryInformationFile routine queries the attributes of the target file.
In one specific application example of file unlocking and shredding, this embodiment of the invention may further include the following module:
First deletion module, configured to call the operating system API to delete the target file after the read-only attribute of the target file has been removed, specifically including:
User-mode file deletion API calling submodule, configured to call the operating system API of the file deletion routine located in user mode: DeleteFile;
User-mode file deletion Native API calling submodule, configured to call, through the DeleteFile routine, the operating system Native API of the file deletion routine located in user mode: ZwDeleteFile;
Kernel-mode file deletion Native API calling submodule, configured to call, through the user-mode ZwDeleteFile routine, the file deletion routine ZwDeleteFile located in kernel mode, so that the kernel-mode ZwDeleteFile routine deletes the target file.
In another specific application example of file unlocking and shredding, this embodiment of the invention may further include the following module:
Second deletion module, configured to call the self-defined application programming interface for deleting files to delete the target file after the read-only attribute of the target file has been removed, specifically including:
File deletion request acquisition submodule, configured to obtain the deletion request for the target file, where the request contains the caller's input parameters and the input parameters contain the path of the target file;
Parameter verification submodule, configured to verify the caller's input parameters and, if verification passes, trigger the object lookup submodule;
Object lookup submodule, configured to search the Object Manager for the corresponding file object parse routine according to the target file path;
Third IRP packet sending submodule, configured to, when the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine, where the I/O request packet contains the target file deletion operation information generated from the deletion request, and to send the I/O request packet to the original address of the preset file system lower-level device; the file system lower-level device deletes the target file according to the target file deletion operation information.
Because the device embodiment corresponds substantially to the foregoing method embodiment, for parts not described in detail in this embodiment, reference may be made to the related description in the previous embodiment, which is not repeated here.
The present invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices.
The present invention can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.
The file unlocking method and the file unlocking device provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and embodiments of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, the specific embodiments and the scope of application will change according to the idea of the present invention. In summary, the content of this description should not be construed as limiting the present invention.