CN102855437A - File unlocking method and device - Google Patents

Publication number: CN102855437A
Authority: CN (China)
Prior art keywords: handle, file, destination, file destination, file handle
Legal status: Granted
Application number: CN2011101755490A
Other languages: Chinese (zh)
Other versions: CN102855437B (en)
Inventors: 王宇, 郑文彬
Current Assignee: 3600 Technology Group Co ltd
Original Assignee: Qizhi Software Beijing Co Ltd
Application filed by Qizhi Software Beijing Co Ltd
Priority to CN201110175549.0A
Publication of CN102855437A
Application granted
Publication of CN102855437B
Status: Active - Reinstated

Abstract

The invention provides a file unlocking method and device. The method comprises the following steps: determining whether a target file is held by a handle; if so, traversing the handle table of the operating system to obtain the file handle corresponding to the target file and the process to which that file handle belongs; and switching to that process and initiating a close operation on the target file handle based on that process. The file unlocking and shredding mechanism provided by the invention is safe and reliable and has a high success rate, and it can also identify and counter the file self-protection behavior of malicious programs in complex client environments, which strengthens the ability to counter driver-level malicious programs.

Description

A file unlocking method and device
Technical field
The present invention relates to the technical field of computer security, and in particular to a file unlocking method and a file unlocking device.
Background art
A computer virus is "a set of computer instructions or program code that its author inserts into a computer program, that destroys computer functions or data and impairs the use of the computer, and that can replicate itself." Once a computer is infected, its files are typically added, deleted, renamed, given different attributes, or moved to other directories. These operations on the computer's files may cause a series of problems: normal programs can no longer run, the operating system crashes, the computer is remotely controlled, user information is stolen, and so on.
To ensure that a computer runs safely, the infected files on it must be scanned and disinfected so that damage by viruses is prevented and removed. In the security software field, "deletion" and "anti-deletion" of infected files is one of the perennial themes in the contest between security software and malicious programs (computer viruses).
Viruses in the prior art often put an encryption lock on an infected file by means such as holding its file handle. Conventional means cannot break the lock, so the infected file cannot be deleted, and this stops antivirus software from removing it. The process by which security software finds and kills a virus can be understood as unlocking and shredding the infected file. Existing security software has only a single means of unlocking and shredding infected files, cannot break through the layers of protection that an infected file sets up, and has little capacity to counter them. Conventional security software vendors have solved only part of the "anti-deletion" problem, often prove powerless in kernel-mode attack and defense, and are weak at countering driver-level malicious programs (rootkits).
Therefore, a technical problem that those skilled in the art urgently need to solve is to provide a file unlocking mechanism that identifies and counters the file self-protection behavior of malicious programs in complex client environments and strengthens the ability to counter driver-level malicious programs.
Summary of the invention
The technical problem to be solved by the present invention is to provide a file unlocking method that strengthens the ability to counter driver-level malicious programs.
The present invention also provides a file unlocking device, to ensure that the above method can be applied and implemented in practice.
To solve the above problem, an embodiment of the invention discloses a file unlocking method, comprising:
determining whether the target file is held by a handle;
if so, traversing the handle table of the operating system to obtain the file handle (File Handle) corresponding to the target file, and obtaining the process to which the file handle belongs;
switching to that process, and initiating a close operation on the target file handle based on that process.
Preferably, before determining whether the target file is held by a handle, the method further comprises:
attempting to open or delete the target file;
if the target file cannot be opened or deleted, reading the returned error code information;
whether the target file is held by a handle is determined from the error code information.
Preferably, if the error code information is STATUS_DELETE_PENDING, with value 0xC0000056L, or ERROR_ACCESS_DENIED, with value 5, the target file is determined to be held by a handle.
Preferably, the method further comprises:
after the close operation on the target file handle completes, the target file is removed.
Preferably, the target file has a corresponding full path; the handle table is located in the operating system kernel and maintains the handle information opened by all processes; the handle information includes file handle (File Handle) information, which includes the full path of the file corresponding to each file handle; and the step of traversing the handle table of the operating system to obtain the file handle corresponding to the target file comprises:
comparing the full path of the target file with the full path of the file corresponding to each file handle and, if a matching full path is found, taking the file handle corresponding to that full path as the file handle corresponding to the target file.
Preferably, the method further comprises:
determining whether the process to which the file handle belongs can be switched to and, if it can, performing the step of switching to the process.
Preferably, the switch to the process is performed by calling the stack attach process routine KeStackAttachProcess of the operating system application programming interface (API); the traversal of the handle table of the operating system is performed through the system handle information function SystemHandleInformation of the system information query routine ZwQuerySystemInformation of the operating system API.
Preferably, the step of initiating the close operation on the target file handle based on the process comprises:
initiating a file handle close request in the name of the process;
calling, according to the request, the Windows kernel-mode handle close routine ZwClose, which performs the file handle close operation.
An embodiment of the invention also discloses a file unlocking device, comprising:
a determination module, configured to determine whether the target file is held by a handle and, if so, to call the handle table traversal module;
a handle table traversal module, configured to traverse the handle table of the operating system and obtain the file handle (File Handle) corresponding to the target file;
a process acquisition module, configured to obtain the process to which the file handle belongs;
a process switching module, configured to switch to that process;
a handle close initiation module, configured to initiate the close operation on the target file handle based on that process.
Preferably, whether the target file is held by a handle is determined from error code information, and the device further comprises:
a file operation module, configured to attempt to open or delete the target file;
an error code reading module, configured to read the returned error code information when the target file cannot be opened or deleted.
Preferably, the target file has a corresponding full path; the handle table is located in the operating system kernel and maintains the handle information opened by all processes; the handle information includes file handle (File Handle) information, which includes the full path of the file corresponding to each file handle; and the file handle corresponding to the target file is obtained by comparing full paths.
Preferably, the device further comprises:
a switch determination module, configured to determine whether the process to which the file handle belongs can be switched to and, if it can, to call the process switching module.
Preferably, the handle close initiation module comprises:
a request initiation submodule, configured to initiate a file handle close request in the name of the process;
a routine calling submodule, configured to call, according to the request, the Windows kernel-mode handle close routine ZwClose, which performs the file handle close operation.
Compared with the prior art, the present invention has the following advantages:
When the target file is held by a handle, the embodiment of the invention traverses the handle table of the operating system to obtain the file handle (File Handle) corresponding to the target file and the process to which that file handle belongs; it then switches to that process and initiates the close operation on the target file handle in the name of that process, thereby unlocking and shredding the file. The file unlocking and shredding mechanism provided by the invention is safe and reliable and has a high success rate; it can also identify and counter the file self-protection behavior of malicious programs in complex client environments, which strengthens the ability to counter driver-level malicious programs.
Description of drawings
Fig. 1 is a flow chart of the steps of an embodiment of a file unlocking method of the present invention;
Fig. 2 is a structural block diagram of an embodiment of a file unlocking device of the present invention.
Embodiments
To make the above objects, features and advantages of the present invention easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 shows a flow chart of the steps of an embodiment of a file unlocking method of the present invention, which may specifically comprise the following steps:
Step 101: attempt to open or delete the target file;
It should be noted that, in embodiments of the invention, the files include files of the types supported by the Windows operating system. "Opening" a file here does not mean opening it (for example a *.exe or *.doc file) by double-clicking it or pressing the Enter key. It means opening the file with a function such as CreateFile() of the operating system API or of the invention's custom application programming interface BAPI (with the invention, a library that fully implements a set of file operations behind an operating system user-mode interface can be called), that is, obtaining a file handle, because the file can be operated on further only after a file handle has been obtained.
In terms of the functions called, "opening" a file in embodiments of the invention mainly covers the following cases:
1. opening the target file with the Windows standard API function CreateFile;
2. opening the target file with the Windows Native API function ZwCreateFile/NtCreateFile;
3. opening the target file with the Windows Native API function ZwOpenFile/NtOpenFile.
The dwCreationDisposition parameter of CreateFile controls whether the function "creates a new file" or "opens an existing file".
In embodiments of the invention, the operation of opening or deleting the target file may be performed by calling the file creation routine CreateFile or the file deletion routine DeleteFile of the Microsoft operating system application programming interface (API); it may also be performed by calling the file creation routine FSCreateFile or the file deletion routine FSDeleteFile of the custom application programming interface (BAPI); the invention places no restriction on this.
Step 102: if the target file cannot be opened or deleted, read the returned error code information and determine from it whether the target file is held by a handle;
For example, suppose the name (path) of the target file to be opened or deleted is C:\test.txt. If the file at this path cannot be opened or deleted, and the error code returned in operating system kernel mode is STATUS_DELETE_PENDING, with value 0xC0000056L, and/or the error code returned in operating system user mode is access denied, ERROR_ACCESS_DENIED, with value 5, then the target file can be determined to be held by a handle. More specifically, STATUS_DELETE_PENDING (delayed deletion) is a status (error code) defined by the Microsoft operating system kernel. It indicates that a file has been opened and has also been requested to be deleted, but that some process still holds a handle to it (holding means that a reference count remains). When the last holder of the file closes its handle, the file system driver automatically removes the file from disk. Until the last holder closes its handle, no process can open the file again, because the kernel considers that a file about to be deleted need not be opened again.
The "error code returned in kernel mode" and the "error code returned in user mode" belong to two error code mechanisms defined by the Microsoft operating system. A kernel-mode error code can be converted to a user-mode error code with the function RtlNtStatusToDosError. Microsoft designed it this way to "isolate" the kernel's output, and also for backward compatibility.
Step 103: if the target file is held by a handle, traverse the handle table of the operating system to obtain the file handle (File Handle) corresponding to the target file, and obtain the process to which the file handle belongs;
In a specific implementation, the target file has a corresponding full path. The handle table is located in the operating system kernel and maintains the handle information opened by all processes. The handle information includes file handle (File Handle) information, which includes the full path of the file corresponding to each file handle (that is, the disk path the file handle was created for). Thus, as one example of a concrete application of the embodiment, the step of traversing the handle table of the operating system to obtain the file handle corresponding to the target file may specifically be:
comparing the full path of the target file with the full path of the file corresponding to each file handle and, if a matching full path is found, taking the file handle corresponding to that full path as the file handle corresponding to the target file.
In practice, the Windows operating system maintains in its kernel the handle information opened by all processes, in a structure known as the "handle table". Handles are stored by type, and each handle belongs to one specific process. Common handle types include File, Process, Thread and Key (registry key). The embodiment of the invention is mainly concerned with file handles (File Handle). With this embodiment, the full path of the file corresponding to each file handle is enumerated and compared with the full path of the file to be deleted; if they are equal, the target is considered found. At that point the process to which the target handle belongs is also known (each handle belongs to one specific process), and it suffices to switch to that process and initiate the unlock request for the target file in its name (context).
As is well known, the structure of Microsoft's handle table is not public, and each major version of the Windows operating system changes the design of the handle table, so traversing the handle table safely and stably is a problem that those skilled in the art need to pay attention to; for example, cross-platform issues and traversal synchronization need to be considered during the traversal. As a preferred example of a concrete application of the embodiment, the traversal of the handle table of the operating system may be performed through the system handle information function SystemHandleInformation of the system information query routine ZwQuerySystemInformation of the operating system API.
Of course, the above method is only an example; those skilled in the art may traverse the handle table in any way that suits the actual situation, and the invention places no restriction on this.
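The checks of steps 102 and 103, as an added example that is not code from the patent: portable C that classifies the two error codes quoted above and matches a target full path against a constructed handle snapshot, collecting every holder because the file is removed only when the last holder closes its handle. The handle_entry layout, the sample entries and the ASCII-only, separator-folding path comparison are assumptions; on a real system the entries come from the handle table and each object name must first be resolved to a path.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error code values quoted in step 102 of the description. */
#define STATUS_DELETE_PENDING 0xC0000056u /* kernel-mode NTSTATUS */
#define ERROR_ACCESS_DENIED   5u          /* user-mode Win32 error */

/* Assumed, simplified view of one handle-table entry whose object
 * name has already been resolved to a full path. */
typedef enum { OBJ_FILE, OBJ_PROCESS, OBJ_THREAD, OBJ_KEY } obj_type;

typedef struct {
    uint32_t    pid;       /* process that owns the handle */
    uint32_t    handle;    /* handle value inside that process */
    obj_type    type;
    const char *full_path; /* NULL for unnamed objects */
} handle_entry;

typedef struct { uint32_t pid; uint32_t handle; } holder;

/* Constructed sample snapshot (not real system data). */
static const handle_entry SAMPLE[] = {
    {  412, 0x1c4, OBJ_FILE,    "C:\\test.txt" },
    {  412, 0x1c8, OBJ_KEY,     "\\REGISTRY\\MACHINE\\SOFTWARE" },
    {   88, 0x040, OBJ_PROCESS, NULL },
    { 1337, 0x2a0, OBJ_FILE,    "c:/TEST.TXT" },      /* same file, other spelling */
    { 1337, 0x2a4, OBJ_FILE,    "C:\\test.txt.bak" }, /* shared prefix only */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Step 102: does the returned code point to handle occupation?
 * from_kernel selects which of the two error code spaces applies. */
int indicates_handle_occupied(int from_kernel, uint32_t code)
{
    return from_kernel ? code == STATUS_DELETE_PENDING
                       : code == ERROR_ACCESS_DENIED;
}

/* Fold case and separators so equivalent spellings compare equal. */
static int path_char(unsigned char c)
{
    return c == '/' ? '\\' : toupper(c);
}

/* Whole-path comparison: a shared prefix is not a match. */
int path_equal(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    while (*a != '\0' && *b != '\0') {
        if (path_char((unsigned char)*a) != path_char((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b; /* true only when both strings ended together */
}

/* Step 103: record every File handle whose path equals target.
 * Returns the total number of holders; stores at most cap of them. */
size_t find_holders(const handle_entry *tab, size_t n, const char *target,
                    holder *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].type != OBJ_FILE)
            continue;
        if (!path_equal(tab[i].full_path, target))
            continue;
        if (found < cap) {
            out[found].pid = tab[i].pid;
            out[found].handle = tab[i].handle;
        }
        found++;
    }
    return found;
}

int main(void)
{
    holder h[8];
    size_t n;

    if (!indicates_handle_occupied(1, STATUS_DELETE_PENDING))
        return 1;
    n = find_holders(SAMPLE, SAMPLE_LEN, "C:\\test.txt", h, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("pid %u holds handle 0x%x\n",
               (unsigned)h[i].pid, (unsigned)h[i].handle);
    return 0;
}
```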
Step 104: switch to the process and initiate the close operation on the target file handle.
In a preferred embodiment of the invention, the switch to the process may be performed by calling the stack attach process routine KeStackAttachProcess of the operating system API. Switching to the process to which the file handle of the target file belongs can be understood as switching into the address space of the "handle holder" process and then initiating the unlock request for the target file in the name of that process (its process context).
In a specific implementation, before the process switch it must further be considered whether the target process can really be switched to; for example, a target process that is being terminated often cannot be switched to, so a synchronization mechanism (lock mechanism) or the like has to be introduced. Therefore, as one example of the embodiment in a specific implementation, it may also be determined whether the process to which the file handle belongs can be switched to, and the step of switching to the process is performed only if it can.
In a preferred embodiment of the invention, the step of initiating the close operation on the target file handle based on the process may specifically comprise the following substeps:
Substep S11: initiate a file handle close request in the name of the process;
Substep S12: according to the request, call the Windows kernel-mode handle close routine ZwClose, which performs the file handle close operation.
In a specific implementation, once the close operation on the target file handle completes, the target file is removed, which completes the unlocking and shredding of the file.
It should be noted that, for simplicity of description, the method embodiment is expressed as a series of combined actions, but those skilled in the art should understand that the invention is not limited by the order of actions described, because according to the invention some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the invention.
Fig. 2 shows a structural block diagram of an embodiment of a file unlocking device of the present invention, which may specifically comprise the following modules:
a determination module 21, configured to determine whether the target file is held by a handle and, if so, to call the handle table traversal module;
a handle table traversal module 22, configured to traverse the handle table of the operating system and obtain the file handle (File Handle) corresponding to the target file;
a process acquisition module 23, configured to obtain the process to which the file handle belongs;
a process switching module 24, configured to switch to that process;
a handle close initiation module 25, configured to initiate the close operation on the target file handle based on that process.
In a specific implementation, whether the target file is held by a handle may be determined from error code information, in which case the device may further comprise the following modules:
a file operation module, configured to attempt to open or delete the target file;
an error code reading module, configured to read the returned error code information when the target file cannot be opened or deleted.
For a concrete application in the Windows operating system, the target file has a corresponding full path; the handle table is located in the operating system kernel and maintains the handle information opened by all processes; the handle information includes file handle (File Handle) information, which includes the full path of the file corresponding to each file handle; and the file handle corresponding to the target file is obtained by comparing full paths.
In a specific implementation, the embodiment of the invention may further comprise the following module:
a switch determination module, configured to determine whether the process to which the file handle belongs can be switched to and, if it can, to call the process switching module.
In a preferred embodiment of the invention, the handle close initiation module may specifically comprise the following submodules:
a request initiation submodule, configured to initiate a file handle close request in the name of the process;
a routine calling submodule, configured to call, according to the request, the Windows kernel-mode handle close routine ZwClose, which performs the file handle close operation.
For the file unlocking and shredding application, once the close operation on the target file handle completes, the target file is removed.
Because the device embodiment essentially corresponds to the method embodiment above, parts not described in detail here can be found in the related description of the previous embodiment and are not repeated.
The invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so on.
The invention can be described in the general context of computer-executable instructions executed by a computer, such as program modules. In general, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
The file unlocking method and the file unlocking device provided by the invention have been described in detail above. Specific examples have been used here to explain the principle and embodiments of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. For those of ordinary skill in the art, the specific embodiments and the scope of application will vary according to the idea of the invention. In summary, this description should not be construed as limiting the invention.

Claims (13)

1. the method for a file unlock is characterized in that, comprising:
Judge the situation whether file destination exists handle to take;
If then the handle table of traversing operation system obtains file handle FileHandle corresponding to file destination, and obtain the process under the described file handle File Handle;
Switch to described process, initiate the shutoff operation of file destination handle based on described process.
2. the method for claim 1 is characterized in that, before judging whether file destination exists the situation that handle takies, also comprises:
File destination is opened or is deleted in trial;
If can't open or delete file destination, then read the error code information of returning;
The situation whether described file destination exists handle to take is judged according to described error code information.
3. method as claimed in claim 2 is characterized in that, if described error code information is STATUS_DELETE_PENDING, numerical value is 0xC0000056L; Or be that ERROR_ACCESS_DENIED, numerical value are 5, then judge the situation that described file destination exists handle to take.
4. method as claimed in claim 2 or claim 3 is characterized in that, also comprises:
After the shutoff operation of described file destination handle was finished, described file destination was eliminated.
5. such as claim 1,2 or 3 described methods, it is characterized in that, described file destination has corresponding complete trails; Described handle epi-position is in operating system nucleus, wherein safeguard the handle information that has all processes to open, the information that comprises file handle File Handle in the described handle information, the complete trails that comprises the file that each file handle File Handle is corresponding in the information of described file handle File Handle, the handle table of described traversing operation system, the step that obtains file handle File Handle corresponding to file destination comprises:
The complete trails of the file that the complete trails of file destination is corresponding with each file handle File Handle compares, if find consistent file complete trails, then extracting file handle File Handle corresponding to this document complete trails is file handle File Handle corresponding to described file destination.
6. method as claimed in claim 5 is characterized in that, also comprises:
Judge whether the process under the described file handle File Handle can be switched, if in the time switching, carry out the described step that switches to process.
7. The method as claimed in claim 6, characterized in that the operation of switching to the process is performed by calling the stack attach process routine KeStackAttachProcess of the operating system application programming interface (API); the operation of traversing the handle table of the operating system is performed by calling the system handle information function SystemHandleInformation of the system information query routine ZwQuerySystemInformation of the operating system API.
8. The method as claimed in claim 1, characterized in that the step of initiating the close operation on the target file handle based on the process comprises:
Initiating a file handle close request in the name of the process;
Calling, according to the request, the Windows kernel-mode handle close routine ZwClose, the ZwClose routine performing the file handle close operation.
9. A file unlocking device, characterized by comprising:
A judging module, configured to judge whether the target file is occupied by a handle and, if so, to call the handle table traversal module;
A handle table traversal module, configured to traverse the handle table of the operating system and obtain the file handle (File Handle) corresponding to the target file;
A process acquisition module, configured to obtain the process to which the file handle belongs;
A process switching module, configured to switch to the process;
A handle close operation initiation module, configured to initiate the close operation on the target file handle based on the process.
10. The device as claimed in claim 9, characterized in that whether the target file is occupied by a handle is judged according to error code information, and the device further comprises:
A file operation module, configured to attempt to open or delete the target file;
An error code reading module, configured to read the error code information returned when the target file cannot be opened or deleted.
11. The device as claimed in claim 9 or 10, characterized in that the target file has a corresponding full path; the handle table is located in the operating system kernel and maintains the handle information opened by all processes; the handle information includes information on file handles, the information on each file handle includes the full path of the file corresponding to that file handle, and the file handle corresponding to the target file is obtained by comparison against the full path.
12. The device as claimed in claim 11, characterized by further comprising:
A switching judging module, configured to judge whether the process to which the file handle belongs can be switched to, and to call the process switching module when it can.
13. The device as claimed in claim 10, characterized in that the handle close operation initiation module comprises:
A request initiation submodule, configured to initiate a file handle close request in the name of the process;
A routine calling submodule, configured to call, according to the request, the Windows kernel-mode handle close routine ZwClose, the ZwClose routine performing the file handle close operation.
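The module flow of claims 9 to 12, modeled as an added user-mode C example (not code from the patent): a constructed handle-table snapshot stands in for the kernel handle table, and `attach_and_close` is a hypothetical stand-in for the KeStackAttachProcess / ZwClose step of claims 7 and 8. The struct layout, the `can_attach` flag, the sample rows and the error code value 32 are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
/* Constructed model of one handle-table row as claim 11 describes it. */
typedef struct {
    unsigned pid;          /* process the handle belongs to */
    unsigned handle;       /* value is only meaningful inside that process */
    const char *full_path; /* full path recorded for the file handle */
    int can_attach;        /* assumption: outcome of the claim 12 check */
    int open;              /* 1 while the handle is still open */
} HandleEntry;

/* Windows paths compare case-insensitively; strcmp would miss rows. */
static int same_path(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Hypothetical stand-in for "switch to the process, then ZwClose". */
static void attach_and_close(HandleEntry *e) { e->open = 0; }
/* Judge -> traverse -> match by full path -> check switchable -> close.
   err: error code of the failed open/delete (0 = not occupied).
   Returns handles closed; *skipped counts matches left open. */
int unlock_file(HandleEntry *table, size_t n, const char *target,
                unsigned err, int *skipped) {
    int closed = 0;
    *skipped = 0;
    if (err == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        HandleEntry *e = &table[i];
        if (!e->open || !same_path(e->full_path, target)) continue;
        if (!e->can_attach) { (*skipped)++; continue; }
        attach_and_close(e);
        closed++;
    }
    return closed;
}

/* Constructed snapshot; pids, handle values and paths are made up. */
HandleEntry sample_table[] = {
    { 412, 0x54, "C:\\Temp\\locked.dll", 1, 1 },
    { 412, 0x58, "C:\\Temp\\other.log",  1, 1 },
    { 980, 0x54, "c:\\temp\\LOCKED.DLL", 1, 1 }, /* same value, other process */
    {   4, 0x1c, "C:\\Temp\\locked.dll", 0, 1 }, /* owner cannot be switched to */
};
int main(void) {
    int skipped, closed = unlock_file(sample_table, 4, "C:\\Temp\\locked.dll", 32, &skipped);
    printf("closed=%d skipped=%d\n", closed, skipped); /* 32: assumed sample error code */
    return 0;
}
```

Rows 0 and 2 carry the same handle value in different processes, which is why the close has to be issued in the owning process's context rather than by handle value alone.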
CN201110175549.0A 2011-06-27 2011-06-27 A kind of method of file unlock and device Active - Reinstated CN102855437B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110175549.0A CN102855437B (en) 2011-06-27 2011-06-27 A kind of method of file unlock and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110175549.0A CN102855437B (en) 2011-06-27 2011-06-27 A kind of method of file unlock and device

Publications (2)

Publication Number Publication Date
CN102855437A true CN102855437A (en) 2013-01-02
CN102855437B CN102855437B (en) 2015-08-05

Family

ID=47402020

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110175549.0A Active - Reinstated CN102855437B (en) 2011-06-27 2011-06-27 A kind of method of file unlock and device

Country Status (1)

Country Link
CN (1) CN102855437B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373505A (en) * 2008-06-17 2009-02-25 华为技术有限公司 Method and apparatus for releasing handle and file deleting system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨平等: ""基于句柄分析的Windows Rootkit检测技术研究"", 《通信技术》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104503704A (en) * 2014-12-19 2015-04-08 北京奇虎科技有限公司 Cleaning method and device for disk space
CN104503704B (en) * 2014-12-19 2018-05-04 北京奇虎科技有限公司 The method for cleaning and device of a kind of disk space
CN109976764A (en) * 2019-03-28 2019-07-05 深圳市创联时代科技有限公司 A kind of handle conversion method
CN112749142A (en) * 2019-10-31 2021-05-04 上海哔哩哔哩科技有限公司 Handle management method and system
CN112749142B (en) * 2019-10-31 2023-09-01 上海哔哩哔哩科技有限公司 Handle management method and system

Also Published As

Publication number Publication date
CN102855437B (en) 2015-08-05

Similar Documents

Publication Publication Date Title
CN102202062B (en) Method and apparatus for realizing access control
CN102855435B (en) A kind of method of file unlock, pulverizing and device
CN102567659B (en) File security active protection method based on double-drive linkage
EP2750067B1 (en) System and method for selecting synchronous or asynchronous file access method during antivirus analysis
CN103020524A (en) Computer virus monitoring system
CN103971067A (en) Operating system nucleus universal access control method supporting entities inside and outside nucleus
CN103246849A (en) Safe running method based on ROST under Windows
CN103473501B (en) A kind of Malware method for tracing based on cloud security
US9418232B1 (en) Providing data loss prevention for copying data to unauthorized media
CN103049695A (en) Computer virus monitoring method and device
CA2960214A1 (en) Secure document importation via portable media
RU2645265C2 (en) System and method of blocking elements of application interface
CN102855437B (en) A kind of method of file unlock and device
CN102855432B (en) A kind of file, file unblock and delet method and system
US9003533B1 (en) Systems and methods for detecting malware
CN102855436B (en) File unlocking method and file unlocking device
CN102222201A (en) File scanning method and device thereof
CN117009964A (en) Method and system for identifying malicious intention of malicious code and constructing attack chain based on custom semantic block
CN102902925A (en) Infected file processing method and system
CN108287986B (en) Method and device for instantly granting and withdrawing permission
CN102855431B (en) A kind of method of file unlock, pulverizing and device
CN103246734A (en) Browser homepage locking method
CN102855433B (en) A kind of method of file unlock and device
CN102855438B (en) File unlocking method and device
Tidswell et al. An approach to dynamic domain and type enforcement

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150902

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150902

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150902

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150805

Termination date: 20190627

RR01 Reinstatement of patent right

Former decision: Patent right to terminate

Former decision publication date: 20200623

TR01 Transfer of patent right

Effective date of registration: 20220824

Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.