CN109271763A - Method and system for granting cross-process network share access permissions - Google Patents

Info

Publication number: CN109271763A
Application number: CN201810932625.XA
Authority: CN (China)
Prior art keywords: network, access authority, windows, fsd, filter driver
Legal status: Granted; currently active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN109271763B (en)
Inventors: 张京, 黄疆
Current assignee: Beijing Mars High Tech Digital Technology Co., Ltd. (assignee list as given by Google Patents)
Original assignee: Individual (application filed by an individual)
Priority date and filing date: 2018-08-16
Publication date: 2019-01-25 (CN109271763A); granted and published as CN109271763B on 2022-06-24

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system for granting cross-process network share access permissions, comprising the following steps: a file system filter driver handles a driver command in its Windows driver dispatch function and obtains the process name and network path; the file system filter driver handles file create/open requests in the dispatch function, filters them by process name and network path, and judges whether the thread issuing the current request needs network share access permission; if so, it performs the user identity impersonation function on the thread that issued the file I/O request; the file system filter driver handles file close requests in the dispatch function, judges whether identity impersonation has been performed, and if so ends the user identity impersonation function. The advantages of the invention are that the file system filter driver's processing mechanism realises the cross-process granting of network share access permission, and that the goal is achieved by a command-line invocation, which is convenient to use.

Description

Method and system for granting cross-process network share access permissions
Technical field
The present invention relates to the field of computer communication technology, and in particular to a method and system for granting cross-process network share access permissions.
Background technique
Since Microsoft introduced Session 0 isolation in Windows Vista and later versions, system processes and service programs running in Session 0 can no longer work as they did before; in particular, they cannot obtain the network share access permissions held by a user who logged on at the desktop.
For a program that can still be maintained, code can be added that impersonates the logged-on user in order to obtain the permissions held by that desktop user. For a program that cannot be maintained, such as a running process or installed software, the permissions held by other desktop users usually cannot be obtained; and because most inter-process communication mechanisms require the software to be developed and compiled, network share access permission cannot be granted through inter-process communication either.
Only one technique currently addresses this problem: take a process snapshot, enumerate all threads of the specified process, obtain their handles, and then perform user identity impersonation (Impersonate) on them. That technique is passive, in that it cannot be triggered by the thread's own behaviour, so while it runs it must loop endlessly over thread enumeration. Its drawbacks are, first, that it consumes a large amount of CPU time and reduces system performance, and second, that it cannot respond in time, so the result is not ideal.
No effective solution to these problems in the related art has been proposed so far.
Summary of the invention
To address the above technical problem in the related art, the present invention proposes a method and system for granting cross-process network share access permissions, which solves the problem that a process cannot obtain the network share access permissions held by the desktop logon user because of Session 0 isolation and because the program cannot be maintained.
To achieve this technical purpose, the technical scheme of the present invention is realised as follows:
A method for granting cross-process network share access permissions, comprising the following steps:
S1. A Windows executable program parses its command-line parameters and obtains the specified process name, the network path, and the network user name and password;
S2. In the environment of the currently logged-on user, the Windows executable program performs identity authentication with the network user name and password;
S3. The Windows executable program calls the Windows API to execute the driver processing function, sends a driver command, and passes parameters to a file system filter driver: the process name and the network path;
S4. The file system filter driver handles the driver command in its Windows driver dispatch function and obtains the process name and network path;
S5. The file system filter driver handles file create/open requests in its Windows driver dispatch function, filters them by process name and network path, and judges whether the thread issuing the current request needs network share access permission; if so, it performs the user identity impersonation function on the thread that issued the file I/O request;
S6. The file system filter driver handles file close requests in its Windows driver dispatch function, judges whether identity impersonation has been performed, and if so ends the user identity impersonation function.
Further, immediately after step S3 is executed, the file system filter driver automatically obtains and records the environment context of the currently logged-on user.
Another aspect of the present invention provides a system for granting cross-process network share access permissions, comprising
a file system filter driver; and
a Windows executable program, used to set parameters on the file system filter driver, including the specified process name and the specified network path, to perform network user identity authentication, and to pass the environment context of the currently logged-on user,
wherein the file system filter driver is used to analyse thread activity and grant network share access permission: it first stores the environment context of the currently logged-on user, who holds network share access permission, then filters the specified process by process name and analyses the file access behaviour of the threads in that process to judge whether a thread meets the trigger condition.
Further, when a thread needs to be granted network share access permission, the user identity impersonation function is executed.
Further, the Windows executable program is written in C, and its input is the command-line parameters. The Windows executable program parses the command-line parameters and extracts the process name of the system process, the network path of the network share, and the user name and password for the network share; it calls the network connection part of the Windows API to obtain access permission to the network share using the network path, user name and password; and it calls the driver-related part of the Windows API to pass the process name and network path parameters to the file system filter driver.
Further, the file system filter driver is written in C, and its input is passed in by the Windows executable program through the driver-related part of the Windows API. After receiving the input, the file system filter driver automatically obtains the environment context of the currently logged-on user, which carries the network share access permission obtained by the Windows executable program.
Further, the file system filter driver contains a driver dispatch-function processing flow that handles all file I/O operations in the Windows file system filter driver.
Beneficial effects of the present invention:
1. Cross-process granting of network share access permission is realised through the file system filter driver's processing mechanism, which solves the problem that a process cannot obtain network share access permission because of Session 0 isolation and because the program cannot be maintained.
2. Triggering relies entirely on the target process's own file requests, with no process snapshot or thread enumeration, so the function is reliable and the response is timely.
3. Only one file system filter driver and one executable program need to be installed, and the goal is achieved by a command-line invocation, which is convenient to use.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for granting cross-process network share access permissions according to an embodiment of the invention;
Fig. 2 is a structural diagram of the system for granting cross-process network share access permissions according to an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention, without creative effort, fall within the protection scope of the invention.
As shown in Fig. 1, a method for granting cross-process network share access permissions according to an embodiment of the invention comprises the following steps:
the Windows executable program parses its command-line parameters and obtains the process name, the network path, and the user name and password for the network share;
in the environment of the currently logged-on user, the Windows executable program authenticates with the network path, user name and password, and obtains access permission to the network share;
the Windows executable program calls the driver-related part of the Windows API, executes the driver processing function, sends a driver command, and passes parameters to the file system filter driver: the process name and the network path;
the file system filter driver records the process name and network path parameters received from the Windows executable program, and automatically obtains and records the environment context of the currently logged-on user;
the file system filter driver filters file create/open requests in its driver dispatch function;
the file system filter driver filters by process name and network path and judges whether the current file I/O request needs network share access permission;
when network share access permission is needed, the user identity impersonation (Impersonate) function is executed: the captured file create/open request is parsed to obtain the process and thread to which the request belongs, and the user identity impersonation (Impersonate) function of the Windows API is called with the thread handle and the environment context of the logged-on user, so that the process obtains network share access permission;
the file system filter driver filters file close requests in its driver dispatch function;
the file system filter driver judges whether identity impersonation has been performed;
if identity impersonation has been performed, the user identity impersonation function is ended.
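The filter-side decisions of the flow above (and of steps S4 to S6 in the summary), written out as an added example in portable C. This is not the patent's code: the calls a real minifilter would make (FltGetFileNameInformation for the file name, FltGetRequestorProcess for the requesting process, PsImpersonateClient and PsRevertToSelf for the impersonation) are replaced by returned actions so that the decision logic compiles and runs on any host; the type and function names, the token value and the sample process names and paths are assumptions. Two details a practitioner would check are visible in it: network file names reach a filter rooted at \Device\Mup (or \??\UNC) rather than in the \\server\share form the command line supplies, so the share prefix has to be normalised before matching, and the prefix match must respect the path-component boundary. Note also that an image file name is not an authenticated identity, so the process-name filter restricts which process receives the token only as far as image names can be trusted on the host.

```c
/* Model of the filter driver's decisions in steps S4-S6. Added example, not the
 * patent's code. Windows-specific calls are modelled as returned actions so the
 * logic compiles and runs on any host; type/function names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64
#define MAX_PATH_LEN 260
#define MAX_TRACKED 64

/* Parameters carried by the driver command (S3/S4) plus the logged-on user's
 * token that the driver captures right after S3 (0 = not captured yet). */
typedef struct {
    char process_name[MAX_NAME];     /* image file name only, e.g. "svchost.exe" */
    char network_path[MAX_PATH_LEN]; /* share from the command line, e.g. "\\fileserver\share" */
    unsigned long user_token;
} filter_config_t;

typedef enum { ACTION_NONE = 0, ACTION_IMPERSONATE = 1, ACTION_REVERT = 2 } action_t;

/* Per-file-object record: the patent's "has impersonation been performed" state (S6). */
typedef struct { unsigned long file_object; unsigned long thread_id; } tracked_t;

typedef struct {
    filter_config_t cfg;
    tracked_t tracked[MAX_TRACKED];
    int count;
} filter_state_t;

static char lower_ascii(char c) { return (c >= 'A' && c <= 'Z') ? (char)(c + 32) : c; }

/* Case-insensitive prefix test (Windows names are case-insensitive); it stops at
 * the first mismatch, so it never reads past the terminator of a shorter string. */
static bool starts_with_ci(const char *s, const char *prefix) {
    for (size_t i = 0; prefix[i] != '\0'; i++)
        if (lower_ascii(s[i]) != lower_ascii(prefix[i])) return false;
    return true;
}

static bool equals_ci(const char *a, const char *b) {
    return starts_with_ci(a, b) && strlen(a) == strlen(b);
}

/* The filter sees network files rooted at "\Device\Mup\" or "\??\UNC\", while the
 * command line supplies "\\server\share". Return the "server\share\..." remainder,
 * or NULL for a name that is not a network path at all. */
static const char *strip_network_root(const char *name) {
    static const char *const roots[] = { "\\Device\\Mup\\", "\\??\\UNC\\", "\\\\" };
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++)
        if (starts_with_ci(name, roots[i])) return name + strlen(roots[i]);
    return NULL;
}

/* True when rel lies under share_rel on a path-component boundary, so that
 * "fileserver\share2\x" is not accepted for the share "fileserver\share". */
static bool under_share(const char *rel, const char *share_rel) {
    size_t n = strlen(share_rel);
    return starts_with_ci(rel, share_rel) && (rel[n] == '\0' || rel[n] == '\\');
}

/* S4: record the driver command's parameters. Returns false for an invalid command. */
bool filter_configure(filter_state_t *st, const char *process_name, const char *network_path) {
    size_t n = strlen(network_path);
    if (strlen(process_name) >= MAX_NAME || n >= MAX_PATH_LEN) return false;
    if (strip_network_root(network_path) == NULL) return false;   /* not a UNC path */
    memset(st, 0, sizeof *st);
    strcpy(st->cfg.process_name, process_name);
    strcpy(st->cfg.network_path, network_path);
    if (n > 0 && st->cfg.network_path[n - 1] == '\\') st->cfg.network_path[n - 1] = '\0';
    return true;
}

/* Captured immediately after S3: the helper runs as the logged-on user, so the
 * token of the process that sent the command is the one stored (assumption). */
void filter_capture_user_token(filter_state_t *st, unsigned long token) { st->cfg.user_token = token; }

/* S5: pre-create decision. requestor_image is the image file name of the process
 * issuing the create/open; kernel_name is the file name as the filter sees it. */
action_t on_pre_create(filter_state_t *st, const char *requestor_image, unsigned long thread_id,
                       unsigned long file_object, const char *kernel_name) {
    if (st->cfg.user_token == 0) return ACTION_NONE;                /* nothing to grant yet */
    if (!equals_ci(requestor_image, st->cfg.process_name)) return ACTION_NONE;
    const char *rel = strip_network_root(kernel_name);
    const char *share_rel = strip_network_root(st->cfg.network_path);
    if (rel == NULL || share_rel == NULL || !under_share(rel, share_rel)) return ACTION_NONE;
    if (st->count >= MAX_TRACKED) return ACTION_NONE;               /* fail closed */
    st->tracked[st->count].file_object = file_object;
    st->tracked[st->count].thread_id = thread_id;
    st->count++;
    return ACTION_IMPERSONATE;   /* real driver: PsImpersonateClient(thread, user_token, ...) */
}

/* S6: cleanup/close decision. Revert only for a file object that was impersonated. */
action_t on_cleanup(filter_state_t *st, unsigned long file_object) {
    for (int i = 0; i < st->count; i++) {
        if (st->tracked[i].file_object == file_object) {
            st->tracked[i] = st->tracked[st->count - 1];   /* drop the record */
            st->count--;
            return ACTION_REVERT;   /* real driver: PsRevertToSelf() on the recorded thread */
        }
    }
    return ACTION_NONE;
}

int main(void) {
    filter_state_t st;
    filter_configure(&st, "svchost.exe", "\\\\fileserver\\share");
    filter_capture_user_token(&st, 0xBEEF);   /* constructed token value */
    printf("svchost.exe opens a share file: action %d\n",
           on_pre_create(&st, "svchost.exe", 1, 100, "\\Device\\Mup\\fileserver\\share\\report.txt"));
    printf("close of that file object: action %d\n", on_cleanup(&st, 100));
    return 0;
}
```

The per-file-object record is what makes step S6 safe to implement: a close for a file that was never impersonated must not revert, and a second close for the same object must be a no-op, otherwise the thread could be reverted while another impersonated open on it is still in flight.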
In a particular embodiment of the invention, immediately after the parameters have been passed to the file system filter driver, the driver automatically obtains and records the environment context of the currently logged-on user; this context carries the network share access permission obtained by the Windows executable program.
In a particular embodiment of the invention, the method further comprises: the file system filter driver handles file close requests in its Windows driver dispatch function, judges whether identity impersonation has been performed, and if so ends the user identity impersonation function.
Another aspect of the invention provides a system for granting cross-process network share access permissions, comprising
a file system filter driver 22; and
a Windows executable program 21, used to set parameters on the file system filter driver, including the specified process name and the specified network path, to perform network user identity authentication, and to pass the environment context of the currently logged-on user,
wherein the file system filter driver 22 is used to analyse thread activity and grant network share access permission, specifically: first, it stores the environment context of the currently logged-on user, who holds network share access permission; second, it filters the specified process by process name and analyses the file access behaviour of the threads in that process to judge whether a thread meets the trigger condition; when a thread needs to be granted network share access permission, the user identity impersonation (Impersonate) function is executed.
The file system filter driver 22 receives and records the parameter settings, including the process name and network path, analyses the file I/O requests of system process 23, judges them against the process name and network path, and when the trigger condition is met performs the user identity impersonation (Impersonate) function on system process 23.
In this embodiment the operating system is Windows 7. System process 23 runs in session 0 while the desktop logon user is in session 1, so system process 23 and the desktop user cannot communicate directly. After the desktop logon user has performed network identity authentication in session 1, system process 23 in session 0 does not directly possess that user's network identity and therefore cannot access network share 24.
In this embodiment, network share 24 uses the SMB protocol; access permission to it is obtained with a network path, user name and password, which can be done by calling the network connection part of the Windows API.
In a particular embodiment of the invention, Windows executable program 21 is written in C and its input is the command-line parameters. Windows executable program 21 parses the command-line parameters and extracts the process name of system process 23, the network path of network share 24, and the user name and password for network share 24; it calls the network connection part of the Windows API to obtain access permission to network share 24 using the network path, user name and password; and it calls the driver-related part of the Windows API to pass the process name, network path and related parameters to file system filter driver 22.
In a particular embodiment of the invention, file system filter driver 22 is written in C and its input is passed in by Windows executable program 21 through the driver-related part of the Windows API. After receiving the input, the driver automatically obtains the environment context of the currently logged-on user, which carries the network share access permission obtained by the Windows executable program. The driver contains a driver dispatch-function processing flow and can handle all file I/O operations in the Windows file system filter driver. Using the process name of system process 23, it filters out that process's file I/O operations and obtains the process and thread to which each request belongs; when the file name matches the network path of network share 24, it calls, in the current context (system process 23 and its thread), the user identity impersonation (Impersonate) part of the Windows API, passing the thread handle and the environment context of the logged-on user, so that system process 23 finally obtains access permission to network share 24.
In a particular embodiment of the invention, the file system filter driver contains a driver dispatch-function processing flow that handles all file I/O operations in the Windows file system filter driver.
In summary, by means of the above technical solution of the invention, the file system filter driver's processing mechanism not only realises the cross-process granting of network share access permission, but also requires only one file system filter driver and one executable program to be installed; the goal is achieved by a command-line invocation, which is convenient to use.
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the protection scope of the invention.

Claims (7)

1. A method for granting cross-process network share access permissions, characterised by comprising the following steps:
S1. A Windows executable program parses its command-line parameters and obtains the specified process name, the network path, and the network user name and password;
S2. In the environment of the currently logged-on user, the Windows executable program performs identity authentication with the network user name and password;
S3. The Windows executable program calls the Windows API to execute the driver processing function, sends a driver command, and passes parameters to a file system filter driver: the process name and the network path;
S4. The file system filter driver handles the driver command in its Windows driver dispatch function and obtains the process name and network path;
S5. The file system filter driver handles file create/open requests in its Windows driver dispatch function, filters them by process name and network path, and judges whether the thread issuing the current request needs network share access permission; if so, it performs the user identity impersonation function on the thread that issued the file I/O request;
S6. The file system filter driver handles file close requests in its Windows driver dispatch function, judges whether identity impersonation has been performed, and if so ends the user identity impersonation function.
2. The method for granting cross-process network share access permissions according to claim 1, characterised in that immediately after step S3 is executed, the file system filter driver automatically obtains and records the environment context of the currently logged-on user.
3. A system for granting cross-process network share access permissions, characterised by comprising
a file system filter driver; and
a Windows executable program, used to set parameters on the file system filter driver, including the specified process name and the specified network path, to perform network user identity authentication, and to pass the environment context of the currently logged-on user,
wherein the file system filter driver is used to analyse thread activity and grant network share access permission: it first stores the environment context of the currently logged-on user, who holds network share access permission, then filters the specified process by process name and analyses the file access behaviour of the threads in that process to judge whether a thread meets the trigger condition.
4. The system for granting cross-process network share access permissions according to claim 3, characterised in that when a thread needs to be granted network share access permission, the user identity impersonation function is executed.
5. The system for granting cross-process network share access permissions according to claim 3, characterised in that the Windows executable program is written in C and its input is the command-line parameters; the Windows executable program parses the command-line parameters and extracts the process name of the system process, the network path of the network share, and the user name and password for the network share; it calls the network connection part of the Windows API to obtain access permission to the network share using the network path, user name and password; and it calls the driver-related part of the Windows API to pass the process name and network path parameters to the file system filter driver.
6. The system for granting cross-process network share access permissions according to claim 3, characterised in that the file system filter driver is written in C and its input is passed in by the Windows executable program through the driver-related part of the Windows API; after receiving the input, the file system filter driver automatically obtains the environment context of the currently logged-on user, which carries the network share access permission obtained by the Windows executable program.
7. The system for granting cross-process network share access permissions according to claim 6, characterised in that the file system filter driver contains a driver dispatch-function processing flow that handles all file I/O operations in the Windows file system filter driver.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810932625.XA CN109271763B (en) 2018-08-16 2018-08-16 Method and system for granting cross-process network sharing access authority

Publications (2)

Publication Number Publication Date
CN109271763A true CN109271763A (en) 2019-01-25
CN109271763B CN109271763B (en) 2022-06-24

Family

ID=65153815

Country Status (1)

Country Link
CN (1) CN109271763B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080295174A1 (en) * 2007-03-05 2008-11-27 Andrea Robinson Fahmy Method and System for Preventing Unauthorized Access and Distribution of Digital Data
CN102202062A (en) * 2011-06-03 2011-09-28 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102262559A (en) * 2010-05-24 2011-11-30 腾讯科技(深圳)有限公司 Resource sharing method and system
CN105787355A (en) * 2016-03-18 2016-07-20 山东华软金盾软件股份有限公司 Security software process permission management method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519329A (en) * 2019-07-23 2019-11-29 苏州浪潮智能科技有限公司 A kind of method, equipment and the readable medium of concurrent processing samba agreement request
CN110519329B (en) * 2019-07-23 2022-06-07 苏州浪潮智能科技有限公司 Method, device and readable medium for concurrently processing samba protocol request
CN111274008A (en) * 2020-01-08 2020-06-12 百度在线网络技术(北京)有限公司 Process control method, server and electronic equipment
CN111274008B (en) * 2020-01-08 2023-07-18 百度在线网络技术(北京)有限公司 Process control method, server and electronic equipment

Also Published As

Publication number Publication date
CN109271763B (en) 2022-06-24

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 2022-08-03

Address after: Room 301, floor 3, building 5, yard 16, Meiliyuan Middle Road, Haidian District, Beijing 100097

Patentee after: Beijing Mars High Tech Digital Technology Co., Ltd.

Address before: No. 1401, 23/F, No. 105, North West Third Ring Road, Haidian District, Beijing 100048

Patentee before: Huang Jiang