CN109271763A - Method and system for granting cross-process network share access rights - Google Patents
Method and system for granting cross-process network share access rights
- Publication number
- CN109271763A (application CN201810932625.XA)
- Authority
- CN
- China
- Prior art keywords
- network
- access authority
- windows
- fsd
- filter driver
- Prior art date
- Legal status (assumed by Google from the register; not a legal conclusion)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and system for granting cross-process network share access rights, comprising the following steps: a file system filter driver handles a driver control command in the dispatch routine of the Windows driver and obtains a process name and a network path; the filter driver handles file create/open requests in the dispatch routine, filters them by process name and network path, and judges whether the thread issuing the current request needs network share access rights; if so, it executes the user impersonation function on the thread issuing the file I/O request; the filter driver handles file close requests in the dispatch routine, judges whether impersonation has been performed, and if so, ends the user impersonation. The advantages of the invention are that cross-process granting of network share access rights is realized through the processing mechanism of a file system filter driver, the goal can be reached by invoking a command line, and it is easy to use.
Description
Technical field
The present invention relates to the field of computer communication technology, and in particular to a method and system for granting cross-process network share access rights.
Background technique
Since Microsoft introduced Session 0 isolation starting with Windows Vista, system processes and service programs running in Session 0 can no longer work as before; in particular, they cannot obtain the network share access rights held by a user logged on at the desktop.
For a program whose source can be modified, impersonation of the logged-on user can be added to the code so that the program obtains the rights of the desktop user. For a program that cannot be modified, such as an already running process or installed software, the rights of the desktop user usually cannot be obtained; and because most inter-process communication mechanisms require the software to be developed and compiled against them, network share access rights cannot be granted through inter-process communication either.
At present only one technique addresses this problem: take a process snapshot, enumerate all threads of the specified process, obtain their handles, and then perform user impersonation (Impersonate) on them. That technique is passive: it cannot be triggered by the behavior of the thread itself. Its implementation therefore has to loop through the thread enumeration continuously, which has two drawbacks: it consumes a large amount of CPU time and degrades system performance, and it cannot respond in time, so the effect is poor.
No effective solution to these problems in the related art has been proposed so far.
Summary of the invention
In view of the above technical problem in the related art, the present invention proposes a method and system for granting cross-process network share access rights, which solves the problem that a process cannot obtain the network share access rights held by the desktop logged-on user because of Session 0 isolation and because the program cannot be modified.
To achieve the above technical purpose, the technical scheme of the present invention is as follows:
A method for granting cross-process network share access rights, comprising the following steps:
S1: a Windows executable program parses command-line parameters and obtains the specified process name, network path, network username and password;
S2: in the environment of the currently logged-on user, the Windows executable program performs identity authentication using the network username and password;
S3: the Windows executable program calls the Windows API to execute a driver control function, sends a driver control command, and passes the parameters process name and network path to a file system filter driver;
S4: the file system filter driver handles the driver control command in the dispatch routine of the Windows driver and obtains the process name and network path;
S5: the file system filter driver handles file create/open requests in the dispatch routine of the Windows driver, filters them by process name and network path, and judges whether the thread issuing the current request needs network share access rights; if so, it executes the user impersonation function on the thread issuing the file I/O request;
S6: the file system filter driver handles file close requests in the dispatch routine of the Windows driver, judges whether impersonation has been performed, and if so, ends the user impersonation.
Further, immediately after step S3 has been executed, the file system filter driver automatically obtains the security context of the currently logged-on user and records it.
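The hand-off between the two components in steps S1, S3 and S4 and the "further" step above, as an added example that is not the patent's own code: a portable C model of the request the executable program sends and of the validation the filter driver performs before recording the rule and the caller's context. The struct layout, size limits, magic value and the logon-id stand-in for the user's security context are assumptions; the patent specifies none of them. On Windows the executable would establish the share connection with WNetAddConnection2 and deliver the buffer with DeviceIoControl, and the driver would read it in its IRP_MJ_DEVICE_CONTROL dispatch routine; the length and termination checks shown are what that routine must do, because a user-mode caller controls the buffer. Note also that whoever can open the control device chooses which process receives the desktop user's context, so the device object's security descriptor should admit administrators only.

```c
/* Added example (not the patent's code): the user-mode half packs the
 * process name and network path the driver must watch into one fixed-layout
 * request, and the driver half validates that request before trusting it.
 * Layout, limits and the logon-id stand-in are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROC_NAME 64      /* assumed limits; the patent gives none */
#define MAX_NET_PATH  260
#define GRANT_MAGIC   0x544E5247u   /* 'GRNT' little-endian */
#define GRANT_VERSION 1u

/* Wire format handed to the driver (METHOD_BUFFERED-style input buffer). */
typedef struct {
    uint32_t magic;
    uint32_t version;
    char     process_name[MAX_PROC_NAME]; /* e.g. "svchost.exe", NUL-terminated */
    char     network_path[MAX_NET_PATH];  /* e.g. "\\fileserver\share", NUL-terminated */
} grant_request_t;

/* What the driver keeps after a valid request (S4), plus the caller's
 * logon context captured at that moment (the "further" step). */
typedef struct {
    char     process_name[MAX_PROC_NAME];
    char     network_path[MAX_NET_PATH];
    uint32_t caller_logon_id;   /* stands in for the captured security context */
    int      armed;
} grant_rule_t;

/* User-mode side (S1/S3): build the request from parsed command-line
 * arguments. Returns 0 on success, -1 if an argument would not fit. */
int build_request(const char *proc, const char *path, grant_request_t *req)
{
    memset(req, 0, sizeof *req);
    if (strlen(proc) >= MAX_PROC_NAME || strlen(path) >= MAX_NET_PATH)
        return -1;                          /* refuse rather than truncate silently */
    req->magic = GRANT_MAGIC;
    req->version = GRANT_VERSION;
    memcpy(req->process_name, proc, strlen(proc));
    memcpy(req->network_path, path, strlen(path));
    return 0;
}

/* Driver side (S4): validate the input buffer before copying anything out of
 * it. The buffer length must cover the whole struct and each string must be
 * NUL-terminated inside its array, otherwise a malformed IOCTL from user mode
 * makes the driver read past the buffer. */
int driver_accept_request(const void *buf, size_t len, uint32_t caller_logon_id,
                          grant_rule_t *rule)
{
    const grant_request_t *req = buf;
    if (buf == NULL || len < sizeof *req)
        return -1;                          /* short buffer */
    if (req->magic != GRANT_MAGIC || req->version != GRANT_VERSION)
        return -1;
    if (memchr(req->process_name, '\0', MAX_PROC_NAME) == NULL ||
        memchr(req->network_path, '\0', MAX_NET_PATH) == NULL)
        return -1;                          /* unterminated string */
    if (req->process_name[0] == '\0' || req->network_path[0] == '\0')
        return -1;
    if (strncmp(req->network_path, "\\\\", 2) != 0)
        return -1;                          /* only UNC paths make sense here */
    memset(rule, 0, sizeof *rule);
    memcpy(rule->process_name, req->process_name, MAX_PROC_NAME);
    memcpy(rule->network_path, req->network_path, MAX_NET_PATH);
    rule->caller_logon_id = caller_logon_id; /* record the caller's context now */
    rule->armed = 1;
    return 0;
}

/* Exercise both halves on constructed input; returns how many checks held (5 when all do). */
int run_checks(void)
{
    grant_request_t req;
    grant_rule_t rule;
    char longname[MAX_PROC_NAME + 1];
    int ok = 0;
    if (build_request("svchost.exe", "\\\\fileserver\\share", &req) == 0 &&
        driver_accept_request(&req, sizeof req, 0x3e7, &rule) == 0 &&
        rule.armed && rule.caller_logon_id == 0x3e7 &&
        strcmp(rule.network_path, "\\\\fileserver\\share") == 0) ok++;
    if (driver_accept_request(&req, sizeof req - 1, 0x3e7, &rule) == -1) ok++; /* short buffer */
    memset(req.process_name, 'A', MAX_PROC_NAME);                               /* no terminator */
    if (driver_accept_request(&req, sizeof req, 0x3e7, &rule) == -1) ok++;
    build_request("svchost.exe", "C:\\notashare", &req);                        /* not UNC */
    if (driver_accept_request(&req, sizeof req, 0x3e7, &rule) == -1) ok++;
    memset(longname, 'x', sizeof longname - 1); longname[sizeof longname - 1] = '\0';
    if (build_request(longname, "\\\\fileserver\\share", &req) == -1) ok++;    /* too long */
    return ok;
}

int main(void)
{
    printf("checks passed: %d of 5\n", run_checks());
    return 0;
}
```

In a real driver the same checks sit in front of whatever records the rule; the caller's context would be captured from the requesting thread at that point rather than passed in as a number.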
Another aspect of the present invention provides a system for granting cross-process network share access rights, comprising:
a file system filter driver; and
a Windows executable program, which configures the parameters of the file system filter driver, including the specified process name and specified network path, performs network user identity authentication, and passes the security context of the currently logged-on user;
wherein the file system filter driver analyzes thread activity and grants network share access rights: it first stores the security context of the currently logged-on user who holds network share access rights, then filters the specified process by process name and analyzes the file access behavior of the threads in that process, judging whether a thread meets the trigger condition.
Further, when a thread needs to be granted network share access rights, the user impersonation function is executed.
Further, the Windows executable program is written in C and its input is command-line parameters. The Windows executable program parses the command-line parameters, extracts the process name of the system process, the network path of the network share, and the network share username and password; calls the network connection part of the Windows API to obtain access rights to the network share using the network path, username and password; and calls the driver-related part of the Windows API to pass the process name and network path parameters to the file system filter driver.
Further, the file system filter driver is written in C and its input is passed in by the Windows executable program through the driver-related part of the Windows API. After receiving the input, the file system filter driver automatically obtains the security context of the currently logged-on user, which carries the network share access rights obtained by the Windows executable program.
Further, the file system filter driver implements the processing of the driver dispatch routines so as to handle all file I/O operations in the Windows file system filter driver.
Beneficial effects of the present invention:
1. Cross-process granting of network share access rights is realized through the processing mechanism of a file system filter driver, solving the problem that a process cannot obtain network share access rights because of Session 0 isolation and because the program cannot be modified.
2. Triggering depends entirely on the file requests of the target process itself, without taking process snapshots or enumerating threads; the function is complete and the response is timely.
3. Only one file system filter driver and one executable program need to be installed, and the goal is reached by invoking a command line, which is easy to use.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings in the following description show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for granting cross-process network share access rights according to an embodiment of the invention;
Fig. 2 is a structural schematic diagram of the system for granting cross-process network share access rights according to an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention fall within the protection scope of the invention.
As shown in Fig. 1, a method for granting cross-process network share access rights according to an embodiment of the invention comprises the following steps:
the Windows executable program parses the command-line parameters and obtains the process name, the network path, and the username and password of the network share;
in the environment of the currently logged-on user, the Windows executable program performs identity authentication with the network path, username and password, and obtains access rights to the network share;
the Windows executable program calls the driver-related part of the Windows API, executes the driver control function, sends a driver control command, and passes the parameters process name and network path to the file system filter driver;
the file system filter driver records the process name and network path parameters received from the Windows executable program, automatically obtains the security context of the currently logged-on user, and records it;
the file system filter driver filters file create/open requests in the driver dispatch routine;
the file system filter driver filters by process name and network path and judges whether the current file I/O request needs network share access rights;
when network share access rights are needed, it executes the user impersonation (Impersonate) function: it parses the captured file create/open request, obtains the process and thread information to which the request belongs, calls the user impersonation (Impersonate) function of the Windows API, and passes in the thread handle and the security context of the logged-on user, so that the process obtains network share access rights;
the file system filter driver filters file close requests in the driver dispatch routine;
the file system filter driver judges whether impersonation has been performed;
if impersonation has been performed, the user impersonation is ended.
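The create/close decisions just listed (steps S5 and S6 of the method), as an added example that is not the patent's code: a portable C model in which the kernel calls are replaced by counters. In a real minifilter the pre-create callback would take the requesting process from FltGetRequestorProcess, the normalized file name (which for a UNC target begins with \Device\Mup\server\share) from FltGetFileNameInformation, impersonate with SeImpersonateClientEx and revert with PsRevertThreadToSelf; the rule values, thread and file identifiers below are constructed for the example. Two details the patent's description leaves implicit are handled here: the path match is case-insensitive and anchored at a path separator, so a rule for \...\share does not also cover \...\share2, and the close path reverts only for a file the create path actually impersonated for, and only once that thread's last such file is closed. Because impersonation stays in force on the thread between create and close, everything the thread does in that window runs as the desktop user, which is a reason to keep the process and path filters tight.

```c
/* Added example, not the patent's code: a portable model of the pre-create
 * (S5) and close (S6) decisions of the filter driver. Kernel calls are
 * replaced by counters; rule values and identifiers are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64

typedef struct {
    const char *process_name;   /* image name received over the IOCTL */
    const char *share_prefix;   /* normalized path as the filter sees it */
    unsigned    user_context;   /* stand-in for the captured user's token */
} grant_rule_t;

/* One entry per file object the driver impersonated for: the close path
 * must not revert a thread because some unrelated file was closed. */
typedef struct { unsigned thread_id, file_id; int used; } open_entry_t;
static open_entry_t g_opens[MAX_TRACKED];
static int g_impersonate_calls, g_revert_calls;

/* Stand-ins for SeImpersonateClientEx() / PsRevertThreadToSelf(). */
static void impersonate(unsigned tid, unsigned ctx) { (void)tid; (void)ctx; g_impersonate_calls++; }
static void revert(unsigned tid) { (void)tid; g_revert_calls++; }

int impersonate_calls(void) { return g_impersonate_calls; }
int revert_calls(void) { return g_revert_calls; }
void reset_state(void) { memset(g_opens, 0, sizeof g_opens); g_impersonate_calls = g_revert_calls = 0; }

/* Constructed rule: what the executable would have sent for this example. */
const grant_rule_t *example_rule(void)
{
    static const grant_rule_t rule = { "svchost.exe", "\\Device\\Mup\\fileserver\\share", 0x3e7 };
    return &rule;
}

static int ieq(const char *a, const char *b)          /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive prefix match anchored at a separator: "\Device\Mup\s\share"
 * matches "\Device\Mup\s\share\x" but not "\Device\Mup\s\share2\x". */
static int share_match(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++)
        if (path[i] == '\0' || tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return path[n] == '\0' || path[n] == '\\';
}

static int tracked_opens(unsigned tid)
{
    int c = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_opens[i].used && g_opens[i].thread_id == tid) c++;
    return c;
}

/* Pre-create callback (S5). Returns 1 if this open was granted the user's
 * context, 0 if the request was left alone. */
int on_create(const grant_rule_t *rule, const char *image_name,
              unsigned tid, unsigned file_id, const char *path)
{
    if (!ieq(image_name, rule->process_name) || !share_match(path, rule->share_prefix))
        return 0;                                   /* wrong process or wrong target */
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_opens[i].used) continue;
        if (tracked_opens(tid) == 0)                /* first granted open on this thread */
            impersonate(tid, rule->user_context);
        g_opens[i].thread_id = tid; g_opens[i].file_id = file_id; g_opens[i].used = 1;
        return 1;
    }
    return 0;                                       /* table full: fail closed, grant nothing */
}

/* Close callback (S6). Returns 1 if impersonation on the thread was ended,
 * 0 if the file was not one we impersonated for or other grants remain. */
int on_close(unsigned tid, unsigned file_id)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!g_opens[i].used || g_opens[i].thread_id != tid || g_opens[i].file_id != file_id)
            continue;
        g_opens[i].used = 0;
        if (tracked_opens(tid) == 0) { revert(tid); return 1; }
        return 0;                                   /* another granted file is still open */
    }
    return 0;                                       /* nothing to revert */
}

int main(void)
{
    const grant_rule_t *rule = example_rule();
    reset_state();
    printf("share file:  %d\n", on_create(rule, "svchost.exe", 100, 1, "\\Device\\Mup\\FileServer\\Share\\a.txt"));
    printf("share2 file: %d\n", on_create(rule, "svchost.exe", 100, 2, "\\Device\\Mup\\fileserver\\share2\\b.txt"));
    printf("local file:  %d\n", on_create(rule, "svchost.exe", 100, 3, "\\Device\\HarddiskVolume1\\Windows\\c.dll"));
    printf("close local: %d, close share: %d\n", on_close(100, 3), on_close(100, 1));
    return 0;
}
```

The per-file table is the part worth keeping when moving this into a real driver: a minifilter can attach the same information to the file object as a stream-handle context instead of a global array, which removes the fixed-size limit and the fail-closed branch.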
In one specific embodiment of the invention, immediately after the parameters have been passed to the file system filter driver, the filter driver automatically obtains the security context of the currently logged-on user and records it; this context carries the network share access rights obtained by the Windows executable program.
In one specific embodiment of the invention, the method further comprises: the file system filter driver handles the file close request in the dispatch routine of the Windows driver, judges whether impersonation has been performed, and if so, ends the user impersonation.
Another aspect of the invention provides a system for granting cross-process network share access rights, comprising:
a file system filter driver 22; and
a Windows executable program 21, which configures the parameters of the file system filter driver, including the specified process name and specified network path, performs network user identity authentication, and passes the security context of the currently logged-on user;
wherein the file system filter driver 22 analyzes thread activity and grants network share access rights, specifically: first, it stores the security context of the currently logged-on user who holds network share access rights; second, it filters the specified process by process name, analyzes the file access behavior of the threads in that process, and judges whether a thread meets the trigger condition; when a thread needs to be granted network share access rights, it executes the user impersonation (Impersonate) function.
The file system filter driver 22 receives and records the parameter settings, including the process name and network path, analyzes the file I/O requests of the system process 23, judges them according to the process name and network path, and, when the trigger condition is met, executes the user impersonation (Impersonate) function on the system process 23.
In this embodiment the operating system is Windows 7. The system process 23 runs in Session 0 and the desktop logged-on user is in Session 1; the system process 23 and the desktop user cannot communicate with each other. After the desktop logged-on user has performed network identity authentication in Session 1, the system process 23 in Session 0 cannot directly possess that network identity and therefore cannot access the network share 24.
In this embodiment the protocol used by the network share 24 is SMB. Access rights to the network share are obtained by means of a network path, username and password, which can be realized by calling the network connection part of the Windows API.
In one specific embodiment of the invention, the Windows executable program 21 is written in C and its input is command-line parameters. The Windows executable program 21 parses the command-line parameters and extracts the process name of the system process 23, the network path of the network share 24, and the username and password of the network share 24; calls the network connection part of the Windows API to obtain access rights to the network share 24 using the network path, username and password; and calls the driver-related part of the Windows API to pass parameters such as the process name and network path to the file system filter driver 22.
In one specific embodiment of the invention, the file system filter driver 22 is written in C, and its input is passed in by the Windows executable program 21 through the driver-related part of the Windows API. After receiving the input, the driver automatically obtains the security context of the currently logged-on user, which carries the network share access rights obtained by the Windows executable program. The driver implements the processing of the driver dispatch routines and can handle all file I/O operations in the Windows file system filter driver. For the process name of the system process 23, it filters out that process's file I/O operations and obtains the process and thread information to which each request belongs; when it judges that the file name matches the network path of the network share 24, then, in the current context (the system process 23 and its thread), it calls the user impersonation (Impersonate) part of the Windows API, passing in the thread handle and the security context of the logged-on user, so that the system process 23 finally obtains access rights to the network share 24.
In one specific embodiment of the invention, the file system filter driver implements the processing of the driver dispatch routines so as to handle all file I/O operations in the Windows file system filter driver.
In summary, by means of the above technical solution of the invention, cross-process granting of network share access rights is realized through the processing mechanism of a file system filter driver; moreover, only one file system filter driver and one executable program need to be installed, and the goal is reached by invoking a command line, which is easy to use.
The foregoing is merely a description of preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principle of the invention shall be included in the protection scope of the invention.
Claims (7)
1. A method for granting cross-process network share access rights, characterized by comprising the following steps:
S1: a Windows executable program parses command-line parameters and obtains the specified process name, network path, network username and password;
S2: in the environment of the currently logged-on user, the Windows executable program performs identity authentication using the network username and password;
S3: the Windows executable program calls the Windows API to execute a driver control function, sends a driver control command, and passes the parameters process name and network path to a file system filter driver;
S4: the file system filter driver handles the driver control command in the dispatch routine of the Windows driver and obtains the process name and network path;
S5: the file system filter driver handles file create/open requests in the dispatch routine of the Windows driver, filters them by process name and network path, and judges whether the thread issuing the current request needs network share access rights; if so, it executes the user impersonation function on the thread issuing the file I/O request;
S6: the file system filter driver handles file close requests in the dispatch routine of the Windows driver, judges whether impersonation has been performed, and if so, ends the user impersonation.
2. The method for granting cross-process network share access rights according to claim 1, characterized in that immediately after step S3 has been executed, the file system filter driver automatically obtains the security context of the currently logged-on user and records it.
3. A system for granting cross-process network share access rights, characterized by comprising:
a file system filter driver; and
a Windows executable program, which configures the parameters of the file system filter driver, including the specified process name and specified network path, performs network user identity authentication, and passes the security context of the currently logged-on user;
wherein the file system filter driver analyzes thread activity and grants network share access rights: it first stores the security context of the currently logged-on user who holds network share access rights, then filters the specified process by process name and analyzes the file access behavior of the threads in that process, judging whether a thread meets the trigger condition.
4. The system for granting cross-process network share access rights according to claim 3, characterized in that when a thread needs to be granted network share access rights, the user impersonation function is executed.
5. The system for granting cross-process network share access rights according to claim 3, characterized in that the Windows executable program is written in C and its input is command-line parameters; the Windows executable program parses the command-line parameters, extracts the process name of the system process, the network path of the network share, and the network share username and password, calls the network connection part of the Windows API to obtain access rights to the network share using the network path, username and password, and calls the driver-related part of the Windows API to pass the process name and network path parameters to the file system filter driver.
6. The system for granting cross-process network share access rights according to claim 3, characterized in that the file system filter driver is written in C and its input is passed in by the Windows executable program through the driver-related part of the Windows API; after receiving the input, the file system filter driver automatically obtains the security context of the currently logged-on user, which carries the network share access rights obtained by the Windows executable program.
7. The system for granting cross-process network share access rights according to claim 6, characterized in that the file system filter driver implements the processing of the driver dispatch routines so as to handle all file I/O operations in the Windows file system filter driver.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201810932625.XA (CN109271763B) | 2018-08-16 | 2018-08-16 | Method and system for granting cross-process network sharing access authority
Publications (2)
Publication Number | Publication Date
---|---
CN109271763A | 2019-01-25
CN109271763B | 2022-06-24
Family
ID=65153815
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201810932625.XA (CN109271763B, active) | Method and system for granting cross-process network sharing access authority | 2018-08-16 | 2018-08-16
Country Status (1)
Country | Link
---|---
CN | CN109271763B
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN110519329A / CN110519329B | 2019-07-23 | 2019-11-29 / 2022-06-07 | 苏州浪潮智能科技有限公司 | Method, device and readable medium for concurrently processing samba protocol requests
CN111274008A / CN111274008B | 2020-01-08 | 2020-06-12 / 2023-07-18 | 百度在线网络技术(北京)有限公司 | Process control method, server and electronic equipment
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080295174A1 (en) * | 2007-03-05 | 2008-11-27 | Andrea Robinson Fahmy | Method and System for Preventing Unauthorized Access and Distribution of Digital Data |
CN102202062A (en) * | 2011-06-03 | 2011-09-28 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
CN102262559A (en) * | 2010-05-24 | 2011-11-30 | 腾讯科技(深圳)有限公司 | Resource sharing method and system |
CN105787355A (en) * | 2016-03-18 | 2016-07-20 | 山东华软金盾软件股份有限公司 | Security software process permission management method and device |
Also Published As
Publication number | Publication date |
---|---|
CN109271763B (en) | 2022-06-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7516476B1 (en) | Methods and apparatus for automated creation of security policy | |
US7356836B2 (en) | User controls for a computer | |
CA2735600C (en) | System and method for detection of malware | |
US8214905B1 (en) | System and method for dynamically allocating computing resources for processing security information | |
CN101359355B (en) | Method for raising user's authority for limitation account under Windows system | |
CN103065088B (en) | Based on the system and method for the ruling detection computations machine security threat of computer user | |
WO2019052496A1 (en) | Account authentication method for cloud storage, and server | |
CN101098226B (en) | Virus online real-time processing system and method | |
US8209758B1 (en) | System and method for classifying users of antivirus software based on their level of expertise in the field of computer security | |
CN109687991A (en) | User behavior recognition method, apparatus, equipment and storage medium | |
CN103176817B (en) | A kind of Linux security policy configuration based on self study | |
US8214904B1 (en) | System and method for detecting computer security threats based on verdicts of computer users | |
Jahanshahi et al. | You shall not pass: Mitigating sql injection attacks on legacy web applications | |
MXPA06001211A (en) | End user data activation. | |
CN104572394B (en) | process monitoring method and device | |
CN109271763A (en) | Striding course network share access authority giving method and system | |
CN107360155A (en) | A kind of automatic source tracing method of network attack and system based on threat information and sandbox technology | |
Berger et al. | An android security case study with bauhaus | |
EP2584488B1 (en) | System and method for detecting computer security threats based on verdicts of computer users | |
CN103942493B (en) | Intelligent active defensive system and method under Window | |
CN105243328A (en) | Behavioral characteristic based Ferry horse defense method | |
CN106020923B (en) | SELinux strategy compiling method and system | |
KR20130075300A (en) | Open type system for analyzing and managing malicious code | |
CN101256531B (en) | Method for analysis of built-in equipment real-time property | |
CN101777002A (en) | Software running method based on virtualization |
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
2022-08-03 | TR01 | Transfer of patent right | Patentee before: Huang Jiang, No. 1401, 23/F, No. 105, North West Third Ring Road, Haidian District, Beijing 100048. Patentee after: Beijing Mars high tech digital technology Co.,Ltd., Room 301, floor 3, building 5, yard 16, Meiliyuan Middle Road, Haidian District, Beijing 100097.