CN109271763B - Method and system for granting cross-process network sharing access authority - Google Patents


Info

Publication number: CN109271763B
Authority: CN (China)
Prior art keywords: file, network, windows, driver, network sharing
Legal status: Active
Application number: CN201810932625.XA
Other languages: Chinese (zh)
Other versions: CN109271763A (en)
Inventors: 张京 (Zhang Jing), 黄疆 (Huang Jiang)
Current assignee: Beijing Mars High Tech Digital Technology Co., Ltd.
Original assignee: Individual
Priority date: 2018-08-16
Filing date: 2018-08-16
Publication dates: 2019-01-25 (CN109271763A), 2022-06-24 (CN109271763B, grant)

Classifications

    • G: PHYSICS > G06: COMPUTING; CALCULATING OR COUNTING > G06F: ELECTRIC DIGITAL DATA PROCESSING > G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31: User authentication
    • G: PHYSICS > G06: COMPUTING; CALCULATING OR COUNTING > G06F: ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements > G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a method and system for granting cross-process network share access rights. The method comprises the following steps: a file filter driver handles a driver control command in its Windows driver dispatch routine to obtain a process name and a network path; the file filter driver handles file create/open requests in its dispatch routine, filters them by process name and network path, decides whether the thread issuing the current request needs network share access, and if so impersonates the logged-on user on the thread issuing the file I/O request; and the file filter driver handles file close requests in its dispatch routine, checks whether impersonation was performed, and if so ends the impersonation. The beneficial effect of the invention is that, through a file filter driver mechanism, cross-process network share access is granted by a single command-line invocation, which is simple and convenient to use.

Description

Method and system for granting cross-process network sharing access authority
Technical Field
The invention relates to the technical field of computer communication, and in particular to a method and system for granting cross-process network share access rights.
Background
Since Microsoft introduced Session 0 isolation in Windows Vista and later versions, system processes and service programs running in Session 0 no longer work as they did before; in particular, they cannot obtain the network share access of the user who is logged on at the desktop. (The share credentials established by the desktop user belong to that user's logon session and security token; a service running under a different account in Session 0 does not share them.)
A program whose source can be modified can log a user on in its own code and impersonate that user to obtain a desktop user's rights. A program that cannot be modified, such as an already running process or installed software, generally cannot obtain another desktop user's rights, and most inter-process communication mechanisms require the target to be developed and compiled with them, so inter-process communication cannot be used to grant network share access either.
At present only one technique addresses this problem: all threads of the specified process are enumerated, a handle to each is obtained, and user impersonation (Impersonate) is performed on them. Because the target's threads come and go, the enumeration has to be repeated continuously in a loop, which occupies a large amount of CPU time and degrades system performance; it also cannot respond in time to newly created threads, so the result is poor.
No effective solution to these problems in the related art has yet been proposed.
Disclosure of Invention
To address these problems in the related art, the invention provides a method and system for granting cross-process network share access rights, which solve the problem that a process cannot obtain the desktop logon user's network share access when Session 0 isolation is in effect and the program cannot be modified.
To achieve this, the technical solution of the invention is as follows:
A method for granting cross-process network share access rights comprises the following steps:
S1, a Windows executable program parses its command-line parameters to obtain the name of the specified process, the network path, and the network user name and password;
S2, the Windows executable program authenticates to the network share with that user name and password in the context of the currently logged-on user;
S3, the Windows executable program calls the Windows API to execute the driver control function, sends the control command, and passes the parameters to a file filter driver: process name and network path;
S4, the file filter driver handles the control command in its Windows driver dispatch routine to obtain the process name and the network path;
S5, the file filter driver handles file create/open requests in its Windows driver dispatch routine, filters them by process name and network path, and decides whether the thread issuing the current request needs network share access; if so, it impersonates the logged-on user on the thread issuing the file I/O request;
S6, the file filter driver handles file close requests in its Windows driver dispatch routine, checks whether impersonation was performed, and if so ends the impersonation.
Further, immediately after step S3 the file filter driver automatically obtains and records the context of the currently logged-on user (in practice, that user's access token).
In another aspect of the invention, a system for granting cross-process network share access rights is provided, comprising
a file filter driver; and
a Windows executable program that sets the parameters of the file filter driver: it specifies the process name and the network path, performs network user authentication, and passes on the context of the currently logged-on user;
the file filter driver analyses thread actions and grants network share access rights: it first stores the context of the currently logged-on user, which holds the network share access rights, then filters the specified process by process name, analyses the file access behaviour of the threads in that process, and decides whether a thread meets the trigger condition.
Further, when a thread needs to be granted network share access, user impersonation is performed on it.
Further, the Windows executable program is written in C and takes command-line parameters as input. It parses them to extract the system process name, the network path of the share, and the share's user name and password; calls the network connection part of the Windows API to obtain access to the share with the network path, user name and password; and calls the driver-related part of the Windows API to pass the process name and network path to the file filter driver.
Further, the file filter driver is written in C. Its inputs are passed by the Windows executable program through the driver-related part of the Windows API; on receiving them, the driver automatically obtains the context of the currently logged-on user, which carries the network share access obtained by the Windows executable.
Further, the file filter driver contains handling for the driver dispatch routine so that it can process all file I/O operations in the Windows file filtering system.
The beneficial effects of the invention are:
1. Through the file filter driver mechanism, cross-process network share access is granted, which solves the problem that a process cannot obtain network share access because of Session 0 isolation or because the program cannot be modified.
2. The method takes no process snapshots and enumerates no threads; it is triggered entirely by the target process's own file requests, so performance is good and the response is immediate.
3. Only one file filter driver and one executable program need to be installed, and the goal is achieved by a single command-line invocation, which is simple and convenient to use.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings show only some embodiments of the invention; those skilled in the art can derive further drawings from them without inventive effort.
FIG. 1 is a flowchart of a method for granting cross-process network share access rights according to an embodiment of the invention;
FIG. 2 is a schematic structural diagram of a system for granting cross-process network share access rights according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person of ordinary skill in the art can derive from them without inventive effort fall within the scope of the invention.
As shown in FIG. 1, a method for granting cross-process network share access rights according to an embodiment of the invention comprises the following steps:
the Windows executable program parses its command-line parameters to obtain a process name, a network path, a network share user name and a password;
the Windows executable program authenticates with the network path, user name and password in the context of the currently logged-on user and obtains access to the network share;
the Windows executable program calls the driver-related part of the Windows API to execute the driver control function, sends the control command, and passes the parameters (process name and network path) to the file filter driver;
the file filter driver records the process name and network path received from the Windows executable, and automatically obtains and records the context of the currently logged-on user;
the file filter driver intercepts file create/open requests in its driver dispatch routine;
the file filter driver filters them by process name and network path and decides whether the current file I/O request needs network share access;
when it does, the driver performs user impersonation (Impersonate): it analyses the intercepted create/open request, obtains the process and thread information of the request, calls the impersonation (Impersonate) function of the Windows API, and passes it the thread handle and the logged-on user's context, so that the process obtains network share access;
the file filter driver intercepts file close requests in its driver dispatch routine;
the file filter driver checks whether impersonation was performed;
if it was, the impersonation is ended.
In a specific embodiment of the invention, after the Windows executable passes its parameters to the file filter driver for execution, the file filter driver automatically obtains and records the context of the currently logged-on user; this context carries the network share access obtained by the Windows executable.
In a specific embodiment of the invention, the method further comprises: the file filter driver handles file close requests in its Windows driver dispatch routine, checks whether impersonation was performed, and if so ends the impersonation.
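The steps above (S1 to S6 in the disclosure and the same sequence in this description) leave the driver's decision logic implicit: which requests trigger impersonation, what state the driver has to keep, and when the impersonation is undone. The following C program is an added example, not code from the patent or its assignee; it models that logic in user mode so that it can be run anywhere. The kernel routines a real filter would call (PsImpersonateClient in the pre-create callback for IRP_MJ_CREATE, PsRevertToSelf on IRP_MJ_CLOSE) are replaced by stand-ins that only record their effect on a per-thread token table; the function names, token values, process name, share path and requests are all constructed for the example.

```c
/* Added example (not the patent's driver code): a user-mode model of the filter's
 * decision logic in steps S4 to S6. Kernel calls are replaced by stand-ins that only
 * record their effect on a per-thread token table:
 *   PsImpersonateClient(thread, user_token, ...)  ->  effective[thread] = user_token
 *   PsRevertToSelf()                               ->  effective[thread] = SYSTEM_TOKEN
 * All names, token values, paths and requests below are constructed for the example. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_THREADS  8
#define MAX_OPEN     16
#define SYSTEM_TOKEN 0x0001UL   /* the Session 0 service's own token */

enum close_result { CLOSE_NOT_IMPERSONATED, CLOSE_REVERTED, CLOSE_THREAD_MISMATCH };

struct filter_state {
    bool armed;
    char process_name[64];       /* S4: target process name from the control command */
    char share_path[260];        /* S4: share prefix, e.g. \\server\share */
    unsigned long user_token;    /* S4: captured context of the desktop logon user */
    unsigned long effective[MAX_THREADS];          /* token each thread currently runs with */
    struct { unsigned long file_object, thread; bool used; } opens[MAX_OPEN];
};

static bool eq_ci(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Case-insensitive prefix match followed by a separator or the end of the string,
 * so a grant for \\srv\data does not also cover \\srv\database. */
static bool under_share(const char *share, const char *path) {
    size_t n = strlen(share);
    return strlen(path) >= n && eq_ci(path, share, n) && (path[n] == '\\' || path[n] == '\0');
}

void filter_init(struct filter_state *s) {
    memset(s, 0, sizeof *s);
    for (int t = 0; t < MAX_THREADS; t++) s->effective[t] = SYSTEM_TOKEN;
}

/* S4: control command dispatch. Stores the parameters and the caller's token and arms the filter. */
bool filter_configure(struct filter_state *s, const char *process, const char *share,
                      unsigned long token) {
    if (strlen(process) >= sizeof s->process_name || strlen(share) >= sizeof s->share_path)
        return false;
    strcpy(s->process_name, process);
    strcpy(s->share_path, share);
    s->user_token = token;
    s->armed = true;
    return true;
}

/* S5: pre-create (IRP_MJ_CREATE). Returns true when the requesting thread was put under
 * the user's token; the file object is remembered so the close can be matched to it. */
bool filter_on_create(struct filter_state *s, const char *process, unsigned long thread,
                      unsigned long file_object, const char *path) {
    if (!s->armed || thread >= MAX_THREADS) return false;
    if (strlen(process) != strlen(s->process_name) ||
        !eq_ci(process, s->process_name, strlen(process))) return false;
    if (!under_share(s->share_path, path)) return false;
    if (s->effective[thread] != SYSTEM_TOKEN) return false;    /* already impersonating: do not stack */
    for (int i = 0; i < MAX_OPEN; i++) {
        if (s->opens[i].used) continue;
        s->opens[i].file_object = file_object;
        s->opens[i].thread = thread;
        s->opens[i].used = true;
        s->effective[thread] = s->user_token;                  /* stand-in for PsImpersonateClient */
        return true;
    }
    return false;                                              /* table full: fail closed */
}

/* S6: close (IRP_MJ_CLOSE). Reverts only for a file object this filter impersonated for, and only
 * when the closing thread is the impersonated one, because PsRevertToSelf acts on the current thread. */
enum close_result filter_on_close(struct filter_state *s, unsigned long thread,
                                  unsigned long file_object) {
    for (int i = 0; i < MAX_OPEN; i++) {
        if (!s->opens[i].used || s->opens[i].file_object != file_object) continue;
        if (s->opens[i].thread != thread) return CLOSE_THREAD_MISMATCH;   /* impersonation would leak */
        s->opens[i].used = false;
        s->effective[thread] = SYSTEM_TOKEN;                   /* stand-in for PsRevertToSelf */
        return CLOSE_REVERTED;
    }
    return CLOSE_NOT_IMPERSONATED;
}

unsigned long filter_effective_token(const struct filter_state *s, unsigned long thread) {
    return thread < MAX_THREADS ? s->effective[thread] : 0;
}

int main(void) {
    struct filter_state s;
    filter_init(&s);
    filter_configure(&s, "svc.exe", "\\\\fileserver\\data", 0x1234UL);  /* constructed values */
    printf("share file, thread 1:  impersonated=%d\n",
           filter_on_create(&s, "SVC.EXE", 1, 100, "\\\\FILESERVER\\data\\report.xlsx"));
    printf("local file, thread 2:  impersonated=%d\n",
           filter_on_create(&s, "svc.exe", 2, 101, "C:\\Windows\\Temp\\x.log"));
    printf("other share, thread 3: impersonated=%d\n",
           filter_on_create(&s, "svc.exe", 3, 102, "\\\\fileserver\\database\\y.txt"));
    printf("close on thread 1: result=%d token=%lx\n",
           filter_on_close(&s, 1, 100), filter_effective_token(&s, 1));
    return 0;
}
```

Two properties of the design show up directly in the model. The match is a case-insensitive prefix match followed by a separator, so a grant for \\fileserver\data does not also cover \\fileserver\database (on the kernel side the name arrives as \Device\Mup\fileserver\data\..., so a real driver normalises before comparing). And because the impersonation is set on the thread at open and only reverted at close, everything that thread does in between runs as the desktop user, and a close arriving on a different thread of the process leaves the original thread impersonating (the CLOSE_THREAD_MISMATCH case); the usual way to narrow that window is to revert in the post-create callback, since the redirector selects the credentials when the file is opened.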
In another aspect of the invention, a system for granting cross-process network share access rights is provided. The system 200 comprises
a file filter driver 22; and
a Windows executable program 21 that sets the parameters of the file filter driver: it specifies the process name and the network path, performs network user authentication, and passes on the context of the currently logged-on user.
The file filter driver 22 analyses thread actions and grants network share access rights. Specifically, it first stores the context of the currently logged-on user, which holds the network share access rights; it then filters the designated process by process name, analyses the file access behaviour of the threads in that process, and decides whether a thread meets the trigger condition; when a thread needs to be granted network share access, user impersonation (Impersonate) is performed on it.
The file filter driver 22 also receives and records the parameter settings, including the process name and the network path, analyses file I/O requests from the system process 23, evaluates them against the process name and network path, and performs user impersonation (Impersonate) on the system process 23 when the trigger condition is met.
In this embodiment the operating system is Windows 7; the system process 23 runs in Session 0 and the desktop logon user in Session 1, and the two cannot communicate with each other. After the user in Session 1 has authenticated to the network, the system process 23 in Session 0 does not itself hold that network identity and therefore cannot access the network share 24.
In this embodiment the network share 24 uses the SMB protocol, and access to it is obtained with a network path, user name and password by calling the network connection part of the Windows API.
In a specific embodiment of the invention, the Windows executable program 21 is written in C and takes command-line parameters as input. It parses them to extract the process name of the system process 23, the network path of the network share 24, and the user name and password for the network share 24; it calls the network connection part of the Windows API to obtain access to the network share 24 with the network path, user name and password; and it calls the driver-related part of the Windows API to pass the process name, the network path and related parameters to the file filter driver 22.
In one embodiment of the invention, the file filter driver 22 is written in C, and its inputs are passed by the Windows executable program 21 through the driver-related part of the Windows API. On receiving them, the driver automatically obtains the context of the currently logged-on user, which carries the network share access obtained by the Windows executable. The driver contains handling for the driver dispatch routine and can process all file I/O operations in the Windows file filtering system: it filters file I/O operations by the process name of the system process 23 and obtains the process and thread information of each request; when the file name in a request from the system process 23 matches the network path of the network share 24, it calls the user impersonation (Impersonate) part of the Windows API in the current context (the system process 23 and its thread), passing the thread handle and the logged-on user's context, so that the system process 23 finally obtains access to the network share 24.
In a specific embodiment of the invention, the file filter driver contains handling for the driver dispatch routine so that it can process all file I/O operations in the Windows file filtering system.
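The driver receives the process name and network path from user mode (the "Furthermore" paragraphs of the disclosure and the embodiment paragraphs above), so the dispatch routine for that control command is a trust boundary: it has to validate the buffer before using any of it, and it has to take the logon context from the calling process rather than accept one from the buffer. The following C program is an added example, not the patent's driver; the wire format (a small header with two length fields followed by two NUL-terminated strings), the magic value, the status codes and the function names are assumptions made for this example, and the request buffers it builds are constructed samples.

```c
/* Added example (not the patent's driver code): validating the control request that the
 * Windows executable sends in step S3 and the driver's dispatch routine handles in step S4.
 * The wire format (header with two length fields, then two NUL-terminated strings), the magic
 * value, the status codes and the function names are assumptions for this example; a kernel
 * driver would apply the same checks to the METHOD_BUFFERED input buffer before using it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANT_MAGIC   0x47524E54u   /* "GRNT" */
#define GRANT_VERSION 1u
#define MAX_PROCESS   64u
#define MAX_SHARE     260u

struct grant_header {
    uint32_t magic;
    uint32_t version;
    uint16_t process_name_len;   /* bytes, including the terminating NUL */
    uint16_t share_path_len;     /* bytes, including the terminating NUL */
};

struct grant_config {
    char process_name[MAX_PROCESS];
    char share_path[MAX_SHARE];
    unsigned long user_token;    /* taken from the calling process, never from the buffer */
};

enum grant_status { GRANT_OK, GRANT_TOO_SHORT, GRANT_BAD_HEADER, GRANT_BAD_LENGTH,
                    GRANT_BAD_STRING, GRANT_BAD_PROCESS, GRANT_BAD_PATH };

/* A string field is valid only if it is non-empty, ends in NUL and has no earlier NUL. */
static bool nul_terminated_once(const uint8_t *p, size_t len) {
    return len >= 2 && p[len - 1] == '\0' && memchr(p, '\0', len - 1) == NULL;
}

/* The target is matched by image name, so directory separators and drive letters are rejected. */
static bool valid_process_name(const char *name) {
    return strpbrk(name, "\\/:") == NULL;
}

/* Share path must be \\server\share[\...] with non-empty server and share components. */
static bool valid_share_path(const char *path) {
    if (strncmp(path, "\\\\", 2) != 0 || path[2] == '\\' || path[2] == '\0') return false;
    const char *sep = strchr(path + 2, '\\');
    return sep != NULL && sep[1] != '\0' && sep[1] != '\\';
}

enum grant_status parse_grant_request(const uint8_t *buf, size_t buf_len,
                                      unsigned long caller_token, struct grant_config *out) {
    struct grant_header h;
    if (buf_len < sizeof h) return GRANT_TOO_SHORT;
    memcpy(&h, buf, sizeof h);                       /* copy out: the buffer may be unaligned */
    if (h.magic != GRANT_MAGIC || h.version != GRANT_VERSION) return GRANT_BAD_HEADER;
    /* Length arithmetic in size_t, and the total must equal the buffer exactly. */
    size_t need = sizeof h + (size_t)h.process_name_len + (size_t)h.share_path_len;
    if (h.process_name_len > MAX_PROCESS || h.share_path_len > MAX_SHARE || need != buf_len)
        return GRANT_BAD_LENGTH;
    const uint8_t *p = buf + sizeof h;
    const uint8_t *q = p + h.process_name_len;
    if (!nul_terminated_once(p, h.process_name_len) || !nul_terminated_once(q, h.share_path_len))
        return GRANT_BAD_STRING;
    memset(out, 0, sizeof *out);
    memcpy(out->process_name, p, h.process_name_len);
    memcpy(out->share_path, q, h.share_path_len);
    if (!valid_process_name(out->process_name)) return GRANT_BAD_PROCESS;
    if (!valid_share_path(out->share_path)) return GRANT_BAD_PATH;
    out->user_token = caller_token;                  /* S4: context comes from the requester */
    return GRANT_OK;
}

/* Builds a request the way the user-mode tool would under the same assumed format;
 * returns the byte count, or 0 if it does not fit. */
size_t build_grant_request(uint8_t *buf, size_t cap, const char *process, const char *share) {
    struct grant_header h = { GRANT_MAGIC, GRANT_VERSION,
                              (uint16_t)(strlen(process) + 1), (uint16_t)(strlen(share) + 1) };
    size_t need = sizeof h + h.process_name_len + h.share_path_len;
    if (need > cap) return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, process, h.process_name_len);
    memcpy(buf + sizeof h + h.process_name_len, share, h.share_path_len);
    return need;
}

int main(void) {
    uint8_t buf[512];                                /* constructed sample requests */
    struct grant_config cfg;
    size_t n = build_grant_request(buf, sizeof buf, "svc.exe", "\\\\fileserver\\data");
    printf("well-formed: status=%d\n", parse_grant_request(buf, n, 0x1234UL, &cfg));
    printf("truncated:   status=%d\n", parse_grant_request(buf, n - 1, 0x1234UL, &cfg));
    n = build_grant_request(buf, sizeof buf, "svc.exe", "C:\\data");
    printf("not a share: status=%d\n", parse_grant_request(buf, n, 0x1234UL, &cfg));
    return 0;
}
```

Two points a deployment should take from this. The password never reaches the driver: the tool authenticates in the user's own session (S2) and the driver records the caller's context when the control request arrives, which is why the parser takes caller_token as a parameter and not as a field of the buffer. And because whoever can send this request decides which process's threads run under which token, the driver's control device must carry an access control list that lets only the intended administrative tool open it; passing the share password on the command line also exposes it to anything that can read process command lines, so a prompt or the Windows Credential Manager is the better source.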
In summary, the technical solution of the invention not only grants cross-process network share access through a file filter driver mechanism, but does so with only one file filter driver and one executable program installed and a single command-line invocation, which is simple and convenient to use.
The above describes only preferred embodiments of the invention and is not intended to limit it; any modifications, equivalents, improvements and the like that fall within the spirit and principle of the invention are intended to be included in its scope.

Claims (2)

1. A method for granting cross-process network share access rights, characterised by comprising the following steps:
S1, a Windows executable program parses its command-line parameters to obtain the name of the specified process, the network path, and the network user name and password;
S2, the Windows executable program authenticates with the network user name and password in the context of the currently logged-on user;
S3, the Windows executable program calls the Windows API to execute the driver control function, sends the control command, and passes the parameters to a file filter driver: process name and network path;
S4, the file filter driver handles the control command in its Windows driver dispatch routine to obtain the process name and the network path;
S5, the file filter driver handles file create/open requests in its Windows driver dispatch routine, filters them by process name and network path, and decides whether the current file I/O request needs network share access; when it does, the driver performs user impersonation: it analyses the intercepted create/open request, obtains the process and thread information of the request, calls the user impersonation function of the Windows API, and passes it the thread handle and the logged-on user's context, so that the process obtains network share access;
S6, the file filter driver handles file close requests in its Windows driver dispatch routine and checks whether impersonation was performed; if it was, the impersonation is ended.
2. The method for granting cross-process network share access rights according to claim 1, characterised in that the file filter driver automatically obtains and records the context of the currently logged-on user immediately after step S3.
Priority application

Application number  Priority date  Filing date  Title
CN201810932625.XA   2018-08-16     2018-08-16   Method and system for granting cross-process network sharing access authority (Active; granted as CN109271763B (en))

Publications (2)

Publication number  Publication date
CN109271763A (en)   2019-01-25
CN109271763B (en)   2022-06-24

Family ID: 65153815
Country status: CN (1), CN109271763B (en)
Cited by (2)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN110519329B *  2019-07-23  2022-06-07  苏州浪潮智能科技有限公司 (Suzhou Inspur Intelligent Technology Co., Ltd.)  Method, device and readable medium for concurrently processing samba protocol request
CN111274008B *  2020-01-08  2023-07-18  百度在线网络技术(北京)有限公司 (Baidu Online Network Technology (Beijing) Co., Ltd.)  Process control method, server and electronic equipment

Patent citations (3)

Publication number  Priority date  Publication date  Assignee  Title
CN102262559A *  2010-05-24  2011-11-30  腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.)  Resource sharing method and system
CN102202062A *  2011-06-03  2011-09-28  苏州九州安华信息安全技术有限公司 (Suzhou Jiuzhou Anhua Information Security Technology Co., Ltd.)  Method and apparatus for realizing access control
CN105787355A *  2016-03-18  2016-07-20  山东华软金盾软件股份有限公司 (Shandong Huaruan Jindun Software Co., Ltd.)  Security software process permission management method and device

Family cites (1)

Publication number  Priority date  Publication date  Assignee  Title
WO2008109106A1 *  2007-03-05  2008-09-12  Andrea Robinson Fahmy  Method and system for preventing unauthorized access and distribution of digital data


Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant
TR01  Transfer of patent right

Effective date of registration: 20220803
Patentee before: Huang Jiang, No. 1401, 23/F, No. 105, North West Third Ring Road, Haidian District, Beijing 100048
Patentee after: Beijing Mars High Tech Digital Technology Co., Ltd., Room 301, floor 3, building 5, yard 16, Meiliyuan Middle Road, Haidian District, Beijing 100097