CN113704179B - File monitoring method, device, computer system and storage medium - Google Patents
- Publication number
- CN113704179B, CN202010438627.0A
- Authority
- CN
- China
- Prior art keywords
- file
- monitoring
- parameter
- file system
- external operation
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/16—File or folder operations, e.g. details of user interfaces specifically adapted to file systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/17—Details of further file system functions
- G06F16/1734—Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Human Computer Interaction (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Technical field
The present disclosure relates to the field of computer technology, and more specifically to a file monitoring method, device, computer system and storage medium.
Background
In computer applications, some applications need to be aware of operations such as file creation and file closing in the file system, so that they can process the files on which these operations occurred.
In the course of realizing the concept of the present disclosure, the inventor found that if a directly usable file monitoring notification application is provided in user mode, a specified file or directory can be monitored by calling that application.
However, a user-mode file monitoring notification application generally requires the directories or files to be monitored to be set explicitly. If the current file system holds a very large number of files or directories, specifying the monitored directories and files one by one is very time-consuming and consumes a large amount of memory, which places a heavy load on the system.
Summary of the invention
In view of this, the present disclosure provides a file monitoring method, device, computer system and storage medium.
One aspect of the present disclosure provides a file monitoring method, including: setting operating parameters of a functional module in kernel mode that implements a file system notification mechanism, where the operating parameters include a processing function for responding to file events; monitoring, by calling a monitoring interface function of the functional module, whether the file system has responded to an external operation within a predetermined period; in response to detecting that the file system has responded to an external operation within the predetermined period, calling the processing function according to the file event triggered by the file system's response to the external operation, so as to obtain information about the file in the file system that responded to the external operation, where that information includes the path of the file and the type of the file event; and sending the information about the file that responded to the external operation to a user-mode application, so that the application processes that file.
According to an embodiment of the present disclosure, the monitoring interface function includes a first parameter and a second parameter. The first parameter identifies all files in the first directory corresponding to the first parameter and in the subdirectories at all levels under that first directory; the second parameter identifies the files in the second directory corresponding to the second parameter.
According to an embodiment of the present disclosure, the method further includes, after calling the monitoring interface function: setting the first parameter to the root directory of the file system and setting the second parameter to empty, so that, while the monitoring interface function is being called, all files in the subdirectories at all levels under the root directory of the file system are monitored for a response to an external operation.
According to an embodiment of the present disclosure, the method further includes, before calling the monitoring interface function of the functional module: calling a registration interface function of the functional module; registering with the functional module according to the operating parameters; and, after registration succeeds, calling the monitoring interface function of the functional module.
According to an embodiment of the present disclosure, sending the information about the file that responded to the external operation to the user-mode application includes: sending the information about the file on which the operation occurred to a communication port number agreed in advance with the application, so that the application obtains the information about the file that responded to the external operation by listening on that communication port number.
According to an embodiment of the present disclosure, the type of the file event includes at least one of the following: file creation, file opening, file writing, file closing, file deletion and file renaming.
Another aspect of the present disclosure provides a file monitoring device, including: a first setting module, configured to set operating parameters of a functional module in kernel mode that implements a file system notification mechanism, where the operating parameters include a processing function for responding to file events; a monitoring module, configured to monitor, by calling a monitoring interface function of the functional module, whether the file system has responded to an external operation within a predetermined period; a processing module, configured to, in response to detecting that the file system has responded to an external operation within the predetermined period, call the processing function according to the file event triggered by the file system's response to the external operation, so as to obtain information about the file in the file system that responded to the external operation, where that information includes the path of the file and the type of the file event; and a sending module, configured to send the information about the file that responded to the external operation to a user-mode application, so that the application processes that file.
According to an embodiment of the present disclosure, the monitoring interface function includes a first parameter and a second parameter. The first parameter identifies all files in the first directory corresponding to the first parameter and in the subdirectories at all levels under that first directory; the second parameter identifies the files in the second directory corresponding to the second parameter.
According to an embodiment of the present disclosure, the device further includes: a second setting module, configured to, after the monitoring interface function is called, set the first parameter to the root directory of the file system and set the second parameter to empty, so that, while the monitoring interface function is being called, all files in the subdirectories at all levels under the root directory of the file system are monitored for a response to an external operation.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method described above.
Another aspect of the present disclosure provides a computer program product including computer-executable instructions which, when executed, implement the method described above.
Another aspect of the present disclosure provides a computer system, including: one or more processors; and a storage device for storing one or more programs, where the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method described above.
According to embodiments of the present disclosure, the following technical means are adopted: setting operating parameters of a functional module in kernel mode that implements a file system notification mechanism, where the operating parameters include a processing function for responding to file events; monitoring, by calling a monitoring interface function of the functional module, whether the file system has responded to an external operation within a predetermined period; in response to detecting that the file system has responded to an external operation within the predetermined period, triggering a file event and calling the processing function to process the file event, obtaining information about the file in the file system that responded to the external operation, where that information includes the path of the file and the type of the file event; and sending the information about the file that responded to the external operation to a user-mode application, so that the application processes that file. Because the file system is monitored using the kernel-mode functional module that implements the file system notification mechanism, there is no need to specify the monitored directories and files one by one. This at least partially overcomes the technical problem in the related art of heavy system load caused by specifying monitored directories and files one by one, and achieves the technical effect of a small impact on system load.
Brief description of the drawings
The above and other objects, features and advantages of the present disclosure will become clearer from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
Figure 1 schematically shows an exemplary system architecture to which the file monitoring method and device of the present disclosure can be applied;
Figure 2 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure;
Figure 3 schematically shows a flowchart of a method by which the processing module registers with the monitoring module according to an embodiment of the present disclosure;
Figure 4 schematically shows a block diagram of a file monitoring device according to an embodiment of the present disclosure; and
Figure 5 schematically shows a block diagram of a computer system suitable for the file monitoring method and device according to an embodiment of the present disclosure.
Detailed description
Hereinafter, embodiments of the present disclosure are described with reference to the accompanying drawings. It should be understood, however, that these descriptions are exemplary only and are not intended to limit the scope of the present disclosure. In the following detailed description, for ease of explanation, numerous specific details are set forth to provide a thorough understanding of the embodiments of the present disclosure. It will be apparent, however, that one or more embodiments may be practiced without these specific details. In addition, descriptions of well-known structures and techniques are omitted below to avoid unnecessarily obscuring the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. The terms "including", "comprising" and the like, as used herein, indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
Unless otherwise defined, all terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art. It should be noted that the terms used herein should be interpreted as having meanings consistent with the context of this specification, and should not be interpreted in an idealized or overly rigid manner.
Where an expression such as "at least one of A, B and C, etc." is used, it should generally be interpreted in the sense in which those skilled in the art commonly understand it (for example, "a system having at least one of A, B and C" includes, but is not limited to, systems having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C). Where an expression such as "at least one of A, B or C, etc." is used, it should likewise be interpreted in the sense in which those skilled in the art commonly understand it (for example, "a system having at least one of A, B or C" includes, but is not limited to, systems having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C).
In the course of implementing the present disclosure, it was found that directly usable file monitoring notification schemes can be provided in user mode. The monitoring schemes that can be used directly in user mode include inotify (inode notify, inode monitoring notification) and dnotify (directory notify, directory monitoring notification).
Whether inotify or dnotify is used, running in user mode, the directories or files to be monitored must be set explicitly; otherwise nothing is monitored. This limits both schemes to monitoring changes only to the files or directories that have been explicitly specified.
At the same time, neither inotify nor dnotify can monitor the files in the subdirectories at all levels of a specified directory. When a directory and its subdirectories need to be monitored together, every subdirectory has to be specified level by level, which restricts both schemes to monitoring a small number of files or directories.
Furthermore, monitoring an entire file system with inotify or dnotify requires first scanning all files and directories on the current system and then specifying the monitored directories and files one by one, which is very cumbersome and hardly feasible. If the current file system holds a very large number of files or directories, scanning the whole file system is very time-consuming, and setting up monitoring for every directory and file consumes a large amount of memory and file descriptor resources, so the setup is very likely to fail because memory or file descriptors run out.
On this basis, embodiments of the present disclosure provide a file monitoring method. The method includes: setting operating parameters of a functional module in kernel mode that implements a file system notification mechanism, where the operating parameters include a processing function for responding to file events; monitoring, by calling a monitoring interface function of the functional module, whether the file system has responded to an external operation within a predetermined period; in response to detecting that the file system has responded to an external operation within the predetermined period, calling the processing function according to the file event triggered by the file system's response to the external operation, so as to obtain information about the file in the file system that responded to the external operation, where that information includes the path of the file and the type of the file event; and sending the information about the file that responded to the external operation to a user-mode application, so that the application processes that file.
Figure 1 schematically shows an exemplary system architecture 100 to which the file monitoring method and device of embodiments of the present disclosure can be applied. It should be noted that Figure 1 is only an example of a system architecture to which embodiments of the present disclosure can be applied, intended to help those skilled in the art understand the technical content of the present disclosure; it does not mean that embodiments of the present disclosure cannot be used in other devices, systems, environments or scenarios.
As shown in Figure 1, the system architecture 100 according to this embodiment may include a monitoring module 101, a processing module 102 and an application 103. The monitoring module 101 and the processing module 102 may be functional modules running in kernel mode of the operating system, and the application 103 may be a functional module running in user mode of the operating system.
The kernel of the Linux operating system provides a file system notification mechanism (file system notify, fsnotify for short). The monitoring module 101 may be the functional module that implements this file system notification mechanism.
The processing module 102 may be a functional module that calls the interface functions of the monitoring module to implement file system monitoring. The processing module 102 may also communicate between kernel mode and user mode with the application 103; for example, the processing module 102 may notify the application 103 of the monitoring results.
The application 103 may be software that needs to be aware of the file system's responses to external operations. For example, the application 103 may be anti-virus software that needs to be aware of file creation, writing, closing, renaming and so on across the entire file system.
Figure 2 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure.
As shown in Figure 2, the method includes operations S201 to S204.
In operation S201, operating parameters of the functional module in kernel mode that implements the file system notification mechanism are set, where the operating parameters include a processing function for responding to file events.
According to an embodiment of the present disclosure, the operating parameters for implementing the file system notification mechanism may be set in advance in the processing module 102, so that the interface functions of the monitoring module 101 can be called with these operating parameters. The operating parameters may be, for example, a structure, and the structure may include a processing function for handling file events. A file event may be an event triggered when the file system responds to an external operation; for example, when the file system, in response to an external operation, opens, writes or renames a file, the corresponding file open event, file write event or file rename event is triggered.
According to an embodiment of the present disclosure, the processing module 102 may call the processing function when a file event is triggered, in order to process that file event. Multiple kinds of file events may also be filtered; for example, if file deletion events do not need to be processed, the file events triggered by file deletion can be filtered out. The result of processing a file event may also be notified to the user-mode application, for example by sending information such as the path of the file corresponding to the file event to the application, so that the application can process the file.
In operation S202, by calling the monitoring interface function of the functional module, it is monitored whether the file system has responded to an external operation within a predetermined period.
According to an embodiment of the present disclosure, the processing module 102 may call the monitoring interface function of the monitoring module 101, so that the file system is monitored while the monitoring interface function runs. For example, it can be monitored whether any file in the file system is opened, written, closed and so on.
According to an embodiment of the present disclosure, the monitoring interface function may include a first parameter and a second parameter. The first parameter may identify all files in the first directory corresponding to the first parameter and in the subdirectories at all levels under that first directory; the second parameter may identify the files in the second directory corresponding to the second parameter.
After the monitoring interface function is called in operation S202, the embodiment of the present disclosure further includes:
Setting the first parameter to the root directory of the file system and setting the second parameter to empty, so that, while the monitoring interface function is being called, all files in the subdirectories at all levels under the root directory of the file system are monitored for a response to an external operation.
According to an embodiment of the present disclosure, the monitoring interface function may include a first parameter and a second parameter, where the first parameter may be the mnt parameter and the second parameter may be the inode parameter. The mnt parameter may be set to a mount point of the file system, and the inode parameter may be set to the corresponding file or directory.
According to an embodiment of the present disclosure, a mount point of the file system may be the directory corresponding to a partition of the operating system. Specifically, the operating system may include multiple partitions, such as the C drive, the D drive and so on, and each partition is mapped to a directory. That directory may be, for example, a root directory, and the root directory corresponding to each partition is that partition's "mount point". Since the operating system may include multiple partitions, it may correspondingly have multiple mount points, and each partition of the operating system may be an independent file system.
According to an embodiment of the present disclosure, an inode is a data structure in the Linux operating system. It is in essence a structure that contains important information about each file in the file system. When a file system is created in Linux, a large number of inodes are created at the same time. Every file has a corresponding inode, which holds information about that file.
According to an embodiment of the present disclosure, the mnt parameter may be set to the root directory and the inode parameter may be set to empty, so that all files in the subdirectories at all levels under the root directory can be monitored while the monitoring interface function is being called. Compared with the inotify or dnotify schemes, which can only monitor specified directories or files, the embodiment of the present disclosure can monitor every file on the disk without scanning the whole file system to specify the monitored directories and files one by one, and therefore has little impact on system load.
According to an embodiment of the present disclosure, when the operating system has several different mount points and all of those mount points are under the root directory, the above processing function needs to be called for every mount point to set the mnt parameter and the inode parameter.
In operation S203, in response to detecting that the file system has responded to an external operation within the predetermined period, the processing function is called according to the file event triggered by the file system's response to the external operation, so as to obtain information about the file in the file system that responded to the external operation, where that information includes the path of the file and the type of the file event.
According to an embodiment of the present disclosure, when the monitoring module 101 detects that a file in the file system has undergone an operation such as open, write, or close, a corresponding file event is triggered. In response to the file event, the processing module 102 may call the preset processing function; this process may be referred to as a callback of the processing function. During the callback, the file event can be processed, yielding the path of the file on which the open, write, close, or other operation occurred, together with the file event type.
According to embodiments of the present disclosure, the file event type may include at least one of the following: file creation, file opening, file writing, file closing, file deletion, and file renaming.
For example, the file event type for a file on which an open operation occurs may be file opening; for a create operation, file creation; for a write operation, file writing; for a close operation, file closing; for a delete operation, file deletion; and for a rename operation, file renaming.
In operation S204, the information about the file that responded to the external operation is sent to a user-mode application, so that the application can process that file.
According to an embodiment of the present disclosure, the path and file event type of the file on which the operation occurred may be sent to the user-mode application 103, so that the application 103 can process the file; for example, the application 103 may perform virus scanning and removal on the file.
According to an embodiment of the present disclosure, the interface function of the functional module that implements the file system notification mechanism is called in kernel mode to monitor whether files in the file system undergo operations such as open and close. When such an operation occurs, a file event is triggered. In response to the file event, the file event processing function set in advance in kernel mode is called to obtain the path and file event type of the file on which the operation occurred, and the file path and event type are reported to the user-mode application so that the application can process that file. This achieves precise monitoring of the file system in kernel mode, without specifying the monitored directories and files one by one, and with little impact on system load.
According to an embodiment of the present disclosure, the execution subject of the embodiments may be the processing module 102. The processing module 102 may be integrated directly with the operating system kernel and use the file system notification mechanism provided by the kernel to deliver notifications of file creation, closing, writing, deletion, and other operations flexibly and efficiently.
Figure 3 schematically shows a flowchart of a method by which the processing module registers with the monitoring module.
As shown in Figure 3, the method may include operations S301 to S303.
In operation S301, the registration interface function of the functional module is called.
According to an embodiment of the present disclosure, before calling the monitoring interface function of the monitoring module 101, the processing module 102 may call the registration interface function of the monitoring module 101 to register.
In operation S302, registration with the functional module is performed according to the operating parameters.
According to an embodiment of the present disclosure, the operating parameters preset in the processing module 102 for implementing the file system notification mechanism may be passed to the registration interface function, thereby registering the processing module 102 with the monitoring module 101.
In operation S303, after registration succeeds, the monitoring interface function of the functional module is called.
According to an embodiment of the present disclosure, after the processing module 102 has successfully registered with the monitoring module 101, it may call the monitoring interface function of the monitoring module 101.
According to an embodiment of the present disclosure, operation S204 may include: sending the information about the file on which the operation occurred to a communication port number agreed in advance with the application, so that the application obtains the information about the file that responded to the external operation by listening on that communication port number.
According to an embodiment of the present disclosure, the processing module 102 may also communicate with the application 103 across the kernel-mode/user-mode boundary, for example through a pre-agreed communication port number, where the communication port number may be, for example, a netlink port number.
According to an embodiment of the present disclosure, the processing module 102 may send the path and file event type of the file on which the operation occurred to the pre-agreed communication port number, and the user-mode application 103 may obtain them by listening on that port number. In this way the application 103 becomes aware of file creation, file closing, file renaming, and other operations in the file system.
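On the user-mode side of this netlink channel, the receiver should confirm that a message really came from the kernel and is well formed before acting on the path it carries. The following added example (not code from the patent) shows such a check; the payload layout, the numeric event values and every `fev_` name are assumptions, since the description only states that a path and an event type are sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Event types named in the description; the numeric values are assumptions. */
enum fev_type { FEV_CREATE = 1, FEV_OPEN, FEV_WRITE, FEV_CLOSE, FEV_DELETE, FEV_RENAME };
enum fev_status { FEV_OK = 0, FEV_NOT_KERNEL, FEV_TRUNCATED, FEV_BAD_TYPE, FEV_BAD_PATH };

/* Hypothetical payload placed after the netlink header. */
struct fev_payload {
    uint32_t type;      /* enum fev_type */
    uint32_t path_len;  /* bytes in path[], excluding the terminating NUL */
    char     path[];    /* absolute path, NUL-terminated */
};

#define HDR ((size_t)NLMSG_HDRLEN)

/* Validate one received datagram. src is the address filled in by recvmsg();
 * buf must be aligned for struct nlmsghdr. On FEV_OK, *type and *path are set. */
enum fev_status fev_parse(const struct sockaddr_nl *src, const void *buf, size_t len,
                          uint32_t *type, const char **path)
{
    /* Kernel-originated netlink messages carry nl_pid == 0. */
    if (src->nl_family != AF_NETLINK || src->nl_pid != 0)
        return FEV_NOT_KERNEL;
    if (len < HDR)
        return FEV_TRUNCATED;
    const struct nlmsghdr *nlh = buf;
    if (nlh->nlmsg_len < HDR || nlh->nlmsg_len > len)
        return FEV_TRUNCATED;
    size_t plen = nlh->nlmsg_len - HDR;
    if (plen < sizeof(struct fev_payload))
        return FEV_TRUNCATED;
    const struct fev_payload *p = (const struct fev_payload *)((const char *)buf + HDR);
    if (p->type < FEV_CREATE || p->type > FEV_RENAME)
        return FEV_BAD_TYPE;
    size_t room = plen - sizeof(struct fev_payload);
    /* The declared length must leave room for the NUL and match the real string. */
    if (p->path_len == 0 || p->path_len >= room)
        return FEV_BAD_PATH;
    if (p->path[0] != '/' || p->path[p->path_len] != '\0' ||
        memchr(p->path, '\0', p->path_len) != NULL)
        return FEV_BAD_PATH;
    *type = p->type;
    *path = p->path;
    return FEV_OK;
}

/* Build a message in the assumed layout (stands in for the kernel side here). */
size_t fev_build(void *buf, size_t cap, uint32_t type, const char *path)
{
    size_t plen = strlen(path);
    size_t total = HDR + sizeof(struct fev_payload) + plen + 1;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    struct nlmsghdr *nlh = buf;
    nlh->nlmsg_len = (uint32_t)total;
    struct fev_payload *p = (struct fev_payload *)((char *)buf + HDR);
    p->type = type;
    p->path_len = (uint32_t)plen;
    memcpy(p->path, path, plen + 1);
    return total;
}

int main(void)
{
    union { struct nlmsghdr h; char raw[512]; } msg;   /* aligned receive buffer */
    struct sockaddr_nl src;
    uint32_t type = 0;
    const char *path = NULL;

    memset(&src, 0, sizeof src);
    src.nl_family = AF_NETLINK;                        /* nl_pid 0: from the kernel */
    size_t n = fev_build(msg.raw, sizeof msg.raw, FEV_CLOSE, "/tmp/sample.bin");
    if (fev_parse(&src, msg.raw, n, &type, &path) == FEV_OK)
        printf("accepted: type=%u path=%s\n", (unsigned)type, path);

    src.nl_pid = 4242;                                 /* constructed user-space sender */
    printf("user-space sender -> status %d\n",
           (int)fev_parse(&src, msg.raw, n, &type, &path));
    return 0;
}
```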
Figure 4 schematically shows a block diagram of a file monitoring device according to an embodiment of the present disclosure.
As shown in Figure 4, the file monitoring device 400 includes a first setting module 410, a monitoring module 420, a processing module 430, and a sending module 440.
The first setting module 410 is configured to set the operating parameters of the kernel-mode functional module that implements the file system notification mechanism, where the operating parameters include a processing function for responding to file events.
The monitoring module 420 is configured to monitor, by calling the monitoring interface function of the functional module, whether the file system has responded to an external operation within a predetermined period.
The processing module 430 is configured to, in response to detecting that the file system has responded to an external operation within the predetermined period, call the processing function according to the file event triggered by the file system's response to the external operation, so as to obtain information about the file in the file system that responded to the external operation, where that information includes the path of the file and the type of the file event; and
The sending module 440 is configured to send the information about the file that responded to the external operation to a user-mode application, so that the application can process that file.
According to an embodiment of the present disclosure, the monitoring interface function includes a first parameter and a second parameter. The first parameter identifies the first directory corresponding to the first parameter and all files in the subdirectories at every level under the first directory; the second parameter identifies the files in the second directory corresponding to the second parameter.
According to an embodiment of the present disclosure, the file monitoring device 400 further includes a second setting module.
The second setting module is configured to, after the monitoring interface function is called, set the first parameter to the root directory of the file system and set the second parameter to empty, so that, while the monitoring interface function is being called, all files in the subdirectories at every level under the root directory of the file system are monitored for responses to external operations.
According to an embodiment of the present disclosure, the monitoring module 420 includes a first calling unit and a registration unit.
The first calling unit is configured to call the registration interface function of the functional module.
The registration unit is configured to register with the functional module according to the operating parameters.
According to an embodiment of the present disclosure, the sending module 440 is specifically configured to send the information about the file that responded to the external operation to a user-mode application, so that the application can process that file.
Any number of the modules, sub-modules, units, and sub-units according to embodiments of the present disclosure, or at least part of the functions of any number of them, may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to embodiments of the present disclosure may be split into multiple modules for implementation. Any one or more of the modules, sub-modules, units, and sub-units according to embodiments of the present disclosure may be implemented at least partially as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on a chip, a system on a substrate, a system on a package, or an application-specific integrated circuit (ASIC); or may be implemented in hardware or firmware by any other reasonable way of integrating or packaging circuits; or may be implemented in any one of software, hardware, and firmware, or in an appropriate combination of any of them. Alternatively, one or more of the modules, sub-modules, units, and sub-units according to embodiments of the present disclosure may be implemented at least partially as a computer program module which, when run, performs the corresponding functions.
For example, any number of the first setting module 410, the monitoring module 420, the processing module 430, and the sending module 440 may be combined and implemented in one module/unit/sub-unit, or any one of these modules/units/sub-units may be split into multiple modules/units/sub-units. Alternatively, at least part of the functions of one or more of these modules/units/sub-units may be combined with at least part of the functions of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the first setting module 410, the monitoring module 420, the processing module 430, and the sending module 440 may be implemented at least partially as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on a chip, a system on a substrate, a system on a package, or an application-specific integrated circuit (ASIC); or may be implemented in hardware or firmware by any other reasonable way of integrating or packaging circuits; or may be implemented in any one of software, hardware, and firmware, or in an appropriate combination of any of them. Alternatively, at least one of the first setting module 410, the monitoring module 420, the processing module 430, and the sending module 440 may be implemented at least partially as a computer program module which, when run, performs the corresponding functions.
It should be noted that the file monitoring device part of the embodiments of the present disclosure corresponds to the file monitoring method part of the embodiments of the present disclosure. For a description of the file monitoring device part, refer to the file monitoring method part; it is not repeated here.
Figure 5 schematically shows a block diagram of a computer system suitable for implementing the method described above, according to an embodiment of the present disclosure. The computer system shown in Figure 5 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present disclosure.
As shown in Figure 5, a computer system 500 according to an embodiment of the present disclosure includes a processor 501, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 502 or a program loaded from a storage portion 508 into a random access memory (RAM) 503. The processor 501 may include, for example, a general-purpose microprocessor (for example, a CPU), an instruction set processor and/or an associated chipset, and/or a special-purpose microprocessor (for example, an application-specific integrated circuit (ASIC)), and so on. The processor 501 may also include on-board memory for caching purposes. The processor 501 may include a single processing unit or multiple processing units for performing the different actions of the method flow according to embodiments of the present disclosure.
The RAM 503 stores the various programs and data required for the operation of the system 500. The processor 501, the ROM 502, and the RAM 503 are connected to one another through a bus 504. The processor 501 performs the various operations of the method flow according to embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform the various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the system 500 may also include an input/output (I/O) interface 505, which is also connected to the bus 504. The system 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a cathode ray tube (CRT) or liquid crystal display (LCD), a speaker, and the like; a storage portion 508 including a hard disk and the like; and a communication portion 509 including a network interface card such as a LAN card or a modem. The communication portion 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 510 as needed, so that a computer program read from it can be installed into the storage portion 508 as needed.
According to an embodiment of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program carried on a computer-readable storage medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 509, and/or installed from the removable medium 511. When the computer program is executed by the processor 501, the above functions defined in the system of the embodiments of the present disclosure are performed. According to embodiments of the present disclosure, the systems, devices, apparatuses, modules, units, and so on described above may be implemented by computer program modules.
The present disclosure also provides a computer-readable storage medium. The computer-readable storage medium may be included in the device/apparatus/system described in the above embodiments, or it may exist separately without being assembled into that device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to embodiments of the present disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples include, but are not limited to: a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by, or in combination with, an instruction execution system, apparatus, or device.
For example, according to an embodiment of the present disclosure, the computer-readable storage medium may include the ROM 502 and/or the RAM 503 described above, and/or one or more memories other than the ROM 502 and the RAM 503.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a program segment, or a portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions. Those skilled in the art will understand that the features recited in the various embodiments and/or claims of the present disclosure may be combined and/or integrated in many ways, even if such combinations or integrations are not explicitly recited in the present disclosure. In particular, the features recited in the various embodiments and/or claims of the present disclosure may be combined and/or integrated in many ways without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these embodiments are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the various embodiments cannot be used together to advantage. The scope of the present disclosure is defined by the appended claims and their equivalents. Those skilled in the art may make various substitutions and modifications without departing from the scope of the present disclosure, and all such substitutions and modifications fall within the scope of the present disclosure.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010438627.0A CN113704179B (en) | 2020-05-21 | 2020-05-21 | File monitoring method, device, computer system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113704179A CN113704179A (en) | 2021-11-26 |
CN113704179B (en) | 2023-12-05 |
Family
ID=78645937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010438627.0A Active CN113704179B (en) | 2020-05-21 | 2020-05-21 | File monitoring method, device, computer system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113704179B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114328097A (en) * | 2021-12-23 | 2022-04-12 | 北京字跳网络技术有限公司 | A file monitoring method, device, electronic device and storage medium |
CN114661669A (en) * | 2022-04-06 | 2022-06-24 | 中信百信银行股份有限公司 | File processing method and device, electronic equipment and storage medium |
CN115840938B (en) * | 2023-02-21 | 2023-05-09 | 山东捷讯通信技术有限公司 | File monitoring method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103399812A (en) * | 2013-07-22 | 2013-11-20 | 西安电子科技大学 | Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization |
CN104866778A (en) * | 2015-01-30 | 2015-08-26 | 武汉华工安鼎信息技术有限责任公司 | A method and device for document security access control based on Linux kernel |
CN109388538A (en) * | 2018-09-13 | 2019-02-26 | 西安交通大学 | A kind of file operation behavior monitoring method and device based on kernel |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8201029B2 (en) * | 2008-01-31 | 2012-06-12 | International Business Machines Corporation | Method and apparatus for operating system event notification mechanism using file system interface |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing. Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.; QAX Technology Group Inc. Address before: 100097 No. 202, 203, 205, 206, 207, 208, 2nd floor, block D, No. 51, Kunming Hunan Road, Haidian District, Beijing. Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.; QAX Technology Group Inc. |
GR01 | Patent grant | ||