CN115237352B - Hidden storage method, device, storage medium and electronic equipment - Google Patents

Hidden storage method, device, storage medium and electronic equipment Download PDF

Info

Publication number
CN115237352B
CN115237352B CN202210925658.8A CN202210925658A CN115237352B CN 115237352 B CN115237352 B CN 115237352B CN 202210925658 A CN202210925658 A CN 202210925658A CN 115237352 B CN115237352 B CN 115237352B
Authority
CN
China
Prior art keywords
storage space
shard
file
fragment
space
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210925658.8A
Other languages
Chinese (zh)
Other versions
CN115237352A (en
Inventor
方赴洋
徐桂忠
张淯舒
林倩如
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC Information Science Research Institute
Original Assignee
CETC Information Science Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC Information Science Research Institute filed Critical CETC Information Science Research Institute
Priority to CN202210925658.8A priority Critical patent/CN115237352B/en
Publication of CN115237352A publication Critical patent/CN115237352A/en
Application granted granted Critical
Publication of CN115237352B publication Critical patent/CN115237352B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0608Saving storage space on storage systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/061Improving I/O performance
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638Organizing or formatting or addressing of data
    • G06F3/0643Management of files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638Organizing or formatting or addressing of data
    • G06F3/0644Management of space entities, e.g. partitions, extents, pools
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671In-line storage system
    • G06F3/0673Single storage device
    • G06F3/0674Disk device
    • G06F3/0676Magnetic disk device

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure relates to a method, an apparatus, a storage medium and an electronic device for latent storage, wherein the method comprises: acquiring a preset file to be stored; determining a target fragment storage space on a disk; and writing the preset file into the target fragment storage space. The scheme of the disclosure can write the files needing to be hidden into the fragment storage space on the disk, namely, the fragment storage space is utilized to store the files needing to be hidden, so as to improve the concealment of storing the attack program files in the system disk.

Description

Hidden storage method, device, storage medium and electronic equipment
Technical Field
Embodiments of the present disclosure relate to the field of computer technology, and in particular, to a hidden storage method, a hidden storage device, a computer readable storage medium, and an electronic apparatus.
Background
At present, the method for realizing the hiding of the program in the target system, such as NTFS (New TechnologyFile System) file system commonly used in Windows operating system, mainly includes the ways of attribute hiding, modifying file name, using Hook technology, replacing system DLL file, etc. to hide the program file, but these ways have low hiding property and are easy to be detected by disk detection tools, so a hidden storage scheme with high hiding property is needed.
Disclosure of Invention
To solve or at least partially solve the above technical problems, embodiments of the present disclosure provide a hidden storage method, a hidden storage device, a computer-readable storage medium, and an electronic apparatus.
In a first aspect, an embodiment of the present disclosure provides a method for hidden storage, including:
acquiring a preset file to be stored;
determining a target fragment storage space on a disk;
and writing the preset file into the target fragment storage space.
In one embodiment, the target shard storage space includes one or more of a first shard storage space, a second shard storage space, and a third shard storage space;
wherein the first shard memory space comprises spare memory space in one or more clusters on the disk, the second shard memory space comprises reserved memory space of a master file table (Master File Table, MFT) on the disk, and the third shard memory space comprises reserved memory space of the master file table on the disk.
In one embodiment, the one or more clusters are clusters for storing specified system files; wherein the specified system file is a system file with a very resident file record attribute in the NTFS file system.
In one embodiment, the first shard storage space, the second shard storage space, and the third shard storage space have different priorities, and the writing the preset file to the target shard storage space includes:
acquiring respective priorities of the first fragment storage space, the second fragment storage space and the third fragment storage space;
writing the preset file into a first designated fragment storage space; wherein the first designated shard storage space is a highest priority shard storage space of the first shard storage space, the second shard storage space, and the third shard storage space.
In one embodiment, the method further comprises:
when the file size of the preset file is determined to exceed the size of the first specified fragment storage space, writing the preset file into a second specified fragment storage space; wherein the second designated shard storage space is a priority-centered shard space of the first shard storage space, the second shard storage space, and the third shard storage space.
In one embodiment, the first shard memory space has a highest priority, the second shard memory space has a centered priority, and the third shard memory space has a lowest priority.
In one embodiment, the preset file is a file to which the attack program belongs; the obtaining the preset file to be stored includes:
acquiring one or more files to which the attack program belongs;
the writing the preset file into the target fragment storage space comprises the following steps:
and writing the one or more files to which the attack program belongs into corresponding storage units in the target fragment storage space, wherein each storage unit comprises one or more sectors.
In one embodiment, further comprising:
recording program file information and sector information of the attack program, wherein the program file information comprises attribute information of the attack program, and the sector information is used for identifying a sector corresponding to a storage unit corresponding to one or more files to which the attack program belongs in the target fragment storage space;
reading the one or more files to which the attack program belongs from the sector corresponding to the corresponding storage unit in the target fragment storage space based on the sector information;
and recovering the attack program based on the read one or more files to which the attack program belongs and the attribute information of the attack program.
In a second aspect, embodiments of the present disclosure provide a suppressed storage device, comprising:
the acquisition module is used for acquiring a preset file to be stored;
the determining module is used for determining a target fragment storage space on the disk;
and the writing module is used for writing the preset file into the target fragment storage space.
In a third aspect, embodiments of the present disclosure provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the concealment storage method of any of the embodiments described above.
In a fourth aspect, an embodiment of the present disclosure provides an electronic device, including:
a processor; and
a memory for storing a computer program;
wherein the processor is configured to perform the steps of the concealment storage method of any of the embodiments described above via execution of the computer program.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
the embodiment of the disclosure provides a hidden storage method, a device, a storage medium and electronic equipment, which are used for acquiring a preset file to be stored, determining a target fragment storage space on a disk and writing the preset file into the target fragment storage space. Therefore, the scheme of the embodiment can write the files needing to be hidden into the fragment storage space on the disk, namely, the fragment storage space is utilized to store the files needing to be hidden, so that the stored files are not easy to detect, and the concealment of the files stored in the system disk is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flow chart of a method of latent storing according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method of latent storing according to another embodiment of the present disclosure;
FIG. 3 is a flow chart of a method of latent storing according to yet another embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a hidden memory device according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of an electronic device implementing a hidden storage method according to an embodiment of the disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
It should be understood that, hereinafter, "at least one (item)" means one or more, and "a plurality" means two or more. "and/or" is used to describe association relationships of associated objects, meaning that there may be three relationships, e.g., "a and/or B" may mean: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
Fig. 1 is a flowchart of a method for latent storing according to an embodiment of the present disclosure, the method including the steps of:
step S101: and obtaining a preset file to be stored.
The preset file may be, for example, a file to which a target program, such as an attack program for network security, which needs to be duly hidden in a system of the target computer device, belongs.
Step S102: a target fragment storage space on the disk is determined.
By way of example, the target shard storage space may be, but is not limited to, free storage space in the storage space allocated for the stored files by the NTFS file system on the target computer device.
Step S103: and writing the preset file into the target fragment storage space.
Illustratively, after determining the target shard storage space, a file, such as an attacker, may be written to the target shard storage space.
According to the scheme, the files needing to be hidden and stored can be written into the fragment storage space on the disk, namely the fragment storage space is utilized to store the files needing to be hidden, so that the stored files are not easy to detect, and the concealment of the files stored in the system disk is improved.
In one embodiment, the target shard storage space may include, but is not limited to, one or more of a first shard storage space, a second shard storage space, and a third shard storage space. Wherein the first shard memory space comprises spare memory space, i.e., slot space, in one or more clusters on the disk, the second shard memory space comprises reserved memory space of a master file table (Master File Table, MFT) on the disk, and the third shard memory space comprises reserved memory space of the master file table on the disk.
Specifically, as an example, to implement the hidden storage of the attack program in the target computer device system, it is necessary to search, based on analyzing the NTFS file system of the target computer device system, for a space that can be used to store the attack program in the NTFS file system, and some of the chip storage spaces such as the slot space, the reserved storage space of the MFT, and the like that are commonly found in the NTFS are listed below.
In order to improve the concealment of the storage of the attack program in the target system, the file shape is not directly created in the file system in the embodiment, because once the file is created in the system, a corresponding record is left in the MFT, and the slot space, the reserved storage space of the MFT file and the reserved storage space of the MFT file are selected as "fragment" storage spaces of the attack program file in the target system.
Because the system takes the cluster as a unit when allocating disk storage space for a file, if the size of the file is not an integer multiple of the cluster, the system still allocates storage space for the file with the integer multiple of the cluster, and because the common file length is not an integer multiple of the cluster, the available slot space, namely the first fragment storage space, is generated, and the space is not reused by the system, so that the storage of the file of the attack program into the slot space is safer and more stable.
The reserved memory space of the MFT is variable, i.e., when the memory space of the MFT is insufficient, the system allocates the reserved memory space to the MFT, and when the memory space of the MFT is sufficient, the system reserves the reserved memory space again. Thus, storing the files of the attacker into the reserved memory space of the MFT file does not cause an abnormality, and since the space is not allocated in general, storing the files of the attacker into this location is safer and more stable.
The reserved storage space of the MFT is a file reserved space, so that the reserved storage space of the MFT file storing the file of the attack program into the target system NTFS file system is not covered, and therefore, the file storing the file of the attack program into the position is safer and more stable.
In one embodiment, the one or more clusters are clusters for storing specified system files; wherein the specified system file is a system file with a very resident file record attribute in the NTFS file system.
Specifically, the size of the metadata file of the system is generally fixed, so that the size of the space is also fixed, and the space is not reused by the system, so that the slot space for storing the attack program into the metadata file of the NTFS file system of the target system is safer and more stable.
In a specific example, after determining the target fragment storage space (hereinafter, simply referred to as fragments), the corresponding information of these fragment hosts may be recorded next, and in addition to recording the number of all fragments, the basic information of each fragment needs to be recorded, including specifically the fragment number, the start sector number of the fragment, the number of free sectors, and whether a flag has been allocated. The specific recording steps are as follows:
finding the MFT table location prepares to read the contents of the table. The content of the DBR is read (the DBR is located in the first sector of the NTFS partition, so that the first sector can be directly read), the position of the BPB is found, the initial logical cluster number of the MFT table is found in the BPB, and the content of the MFT table is read according to the initial logical cluster number.
The slot space of the system file is recorded first. The first 16 records of the MFT table hold the corresponding information of the 16 system metadata files, so the slot space in which the system files are to be recorded relies on reading the first 16 records of the MFT table in order to obtain the corresponding information.
The system file's slot space refers to the slot space in which data is run, with the slot space in which the system file's very resident 08H attribute (data attribute) is run as the target shard. When a system file is recorded in a slot space running with a very resident 08H attribute, firstly checking a resident attribute mark of the 08H attribute, if the resident attribute is the resident attribute, the system file cannot be used as a target fragment, continuing to transfer to the record of the next system file, if the resident attribute is the very resident attribute, calculating the expected initial sector number of the slot space of the system file and the sector number of the area according to key word information in the record, and setting whether the mark is allocated to an unallocated state. When the recording of the relevant information is completed, the recording of the next system metadata file slot space is started, and the recording method repeats the above steps until the slot space of 15 system files (excluding the MET system file) is recorded.
In one embodiment, for a reserved memory space of the MFT, a starting sector number of the reserved memory space and a number of sectors of the area may be recorded. When the storage space of the MFT is insufficient, the NTFS file system firstly divides the reserved storage space into two parts, namely a former storage space and a latter storage space when the reserved storage space of the MFT is allocated to the MFT, and the system starts to allocate from the second part, namely the latter storage space, so that the probability that the former storage space of the reserved storage space is used is smaller than that of the second part. Therefore, in this embodiment, 1/4 of the reserved storage space may be selected as the second fragment storage space, but is not limited thereto.
In one embodiment, the first, second and third shard memory spaces have different priorities, and illustratively, the first shard memory space, i.e., the slot space, has the highest priority, the second shard memory space, i.e., the reserved memory space of the MFT, has the centered priority, and the third shard memory space, i.e., the reserved memory space of the MFT, has the lowest priority, but is not limited thereto. As shown in fig. 2, the writing the preset file into the target fragment storage space includes the following steps:
step S201: and acquiring the respective priorities of the first fragment storage space, the second fragment storage space and the third fragment storage space.
Illustratively, the priority of a first shard memory space, i.e., the slot space, is obtained, a second shard memory space, i.e., the priority of the reserved memory space of the MFT, and a third shard memory space, i.e., the priority of the reserved memory space of the MFT.
Step S202: writing the preset file into a first designated fragment storage space; wherein the first designated shard storage space is a highest priority shard storage space of the first shard storage space, the second shard storage space, and the third shard storage space.
Illustratively, since the first shard memory space, i.e., the slot space, has the highest priority, the first designated shard memory space is the slot space, and thus the file of the attacker is written to the slot space.
In this embodiment, according to the security of storing the file in the fragment storage space, a corresponding priority is defined for the file, and the higher the priority is, the higher the security of storing the file is. The higher level of shard storage space is preferentially selected when shards are selected based on their priority, which may provide security for the suppressed storage.
In one embodiment, the method further comprises the steps of:
step A: when the file size of the preset file is determined to exceed the size of the first specified fragment storage space, writing the preset file into a second specified fragment storage space; wherein the second designated shard storage space is a priority-centered shard space of the first shard storage space, the second shard storage space, and the third shard storage space.
For example, when it is determined that the file size of the attacker exceeds the slot space, the file of the attacker may be written into a second designated fragment memory space, i.e., the reserved memory space of the MFT, i.e., the fragment memory space of the second priority.
In one embodiment, the preset file is a file to which the attack program belongs, and correspondingly, the obtaining the preset file to be stored includes the following steps: acquiring one or more files to which the attack program belongs; the writing the preset file into the target fragment storage space comprises the following steps: and writing the one or more files to which the attack program belongs into corresponding storage units in the target fragment storage space, wherein each storage unit comprises one or more sectors.
By way of example, in this embodiment, the multiple files included in the attack program are stored in the target fragment storage space, such as the slot space, the reserved storage space of the MFT, and the like, so that the hidden storage of the attack program is realized, and the hidden storage is improved, so that the attack program is not easy to detect.
In one embodiment, as shown in fig. 3, the method further comprises the steps of:
step S301: program file information and sector information of the attack program are recorded, the program file information comprises attribute information of the attack program, and the sector information is used for identifying a sector corresponding to a storage unit corresponding to one or more files to which the attack program belongs in the target fragment storage space.
By way of example, attribute information may include, but is not limited to, the name of the attacker, the length of the data, whether a memory flag is present, etc. The sector information may be a unique number such as a sector identification, a sector number, etc. The sector information may be pre-recorded, i.e., when a file is written to the target fragment storage space, one or more sector numbers in which the file is located in the target fragment storage space are recorded.
Step S302: and based on the sector information, reading the one or more files to which the attack program belongs from the sector corresponding to the corresponding storage unit in the target fragment storage space.
Illustratively, when the hidden attack program needs to be recovered, a plurality of files to which the attack program belongs are read from the target fragment storage space based on the recorded sector information such as the sector number.
Step S303: and recovering the attack program based on the read one or more files to which the attack program belongs and the attribute information of the attack program.
Illustratively, the attack program is restored based on the plurality of files to which the read attack program belongs and attribute information of the attack program such as the name of the attack program, and the like.
In a specific example, when the attack program is stored in a hidden manner, some basic information of the attack program such as attribute information, such as a name, a data length, etc., of the attack program is required. Specifically, the basic information of the attack program can be recorded, including but not limited to the name of the attack program, the length of the attack program, the number of attack program files, the sector numbers of the attack program files in the corresponding fragment storage space, whether the attack program files are in the memory mark, etc. When the attack program is stored in the corresponding fragment storage space, based on the recorded serial numbers of the sectors storing the attack program file in the fragment storage space, the corresponding initial sector numbers and the corresponding sector numbers can be conveniently found in the fragment storage space according to the serial numbers when the attack program is recovered, and then the attack program file is read for recovery processing.
In a specific example, after determining and recording the information of the corresponding target fragment storage space, the file of the attack program may be stored in blocks. If an attacker is not loaded by the host process for a long period of time, the system may choose to store the attacker in disk with concealment. In the storing process, according to the determined priority of the fragment storage space, the sectors in the unallocated fragment storage space with high priority are preferentially selected for storing and corresponding information is recorded. The specific process is as follows:
the fragment storage space information is first read, for example, sequentially from the first entry of the recorded fragment storage space information table. The fragment storage space information table may record sector numbers of respective sectors in the target fragment storage space and allocation states such as sector allocated (i.e., written data) and sector unallocated (i.e., free unwritten data).
And judging whether the currently read fragment storage unit is allocated or not, if so, continuing to read the next item, and if not, recording the starting sector number and the sector number.
And then, calculating the byte number of the idle area according to the sector number, comparing the byte number with the byte number of the remaining attack program files in the current memory, and if the byte number of the remaining attack program files is smaller than or equal to the byte number of the idle area, writing all the attack program files in the memory into the idle area and ending storage. If the number of bytes of the rest of the attack program files is larger than the number of bytes of the idle area, the attack program files are blocked, the attack program files with the length being the number of bytes of the idle area are intercepted, the part of the files are stored in the idle area, and the previous steps are repeated for storage based on the rest of the attack program files in the current memory.
Each time a file of an attack program is stored in a fragment storage space, a corresponding sector sequence number recorded in a fragment storage space information table by a sector storing the file in the fragment storage space can be recorded in another table storing basic information of the attack program, so that the attack program can be recovered later.
It should be noted that although the steps of the methods of the present disclosure are illustrated in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in that particular order or that all of the illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc. In addition, it is also readily understood that these steps may be performed synchronously or asynchronously, for example, in a plurality of modules/processes/threads.
As shown in fig. 4, an embodiment of the present disclosure provides a hidden storage device, including:
an obtaining module 401, configured to obtain a preset file to be stored;
a determining module 402, configured to determine a target fragment storage space on a disk;
and a writing module 403, configured to write the preset file into the target fragment storage space.
According to the scheme, the files needing to be hidden and stored can be written into the fragment storage space on the disk, namely the fragment storage space is utilized to store the files needing to be hidden, so that the stored files are not easy to detect, and the concealment of the files stored in the system disk is improved.
In one embodiment, the target shard storage space includes one or more of a first shard storage space, a second shard storage space, and a third shard storage space; wherein the first shard memory space comprises spare memory space in one or more clusters on the disk, the second shard memory space comprises reserved memory space of a master file table (Master File Table, MFT) on the disk, and the third shard memory space comprises reserved memory space of the master file table on the disk.
In one embodiment, the one or more clusters are clusters for storing specified system files; wherein the specified system file is a system file with a very resident file record attribute in the NTFS file system.
In one embodiment, the first tile storage space, the second tile storage space, and the third tile storage space have different priorities, and the writing module 403 is configured to: acquiring respective priorities of the first fragment storage space, the second fragment storage space and the third fragment storage space; writing the preset file into a first designated fragment storage space; wherein the first designated shard storage space is a highest priority shard storage space of the first shard storage space, the second shard storage space, and the third shard storage space.
In one embodiment, the writing module 403 is further configured to: when the file size of the preset file is determined to exceed the size of the first specified fragment storage space, writing the preset file into a second specified fragment storage space; wherein the second designated shard storage space is a priority-centered shard space of the first shard storage space, the second shard storage space, and the third shard storage space.
In one embodiment, the first shard memory space has a highest priority, the second shard memory space has a centered priority, and the third shard memory space has a lowest priority.
In one embodiment, the preset file is a file to which the attack program belongs; the acquisition module is used for acquiring one or more files to which the attack program belongs. The writing module is configured to write the one or more files to which the attack program belongs into corresponding storage units in the target fragment storage space, where each storage unit includes one or more sectors.
In one embodiment, the apparatus further comprises a recording module for: recording program file information and sector information of the attack program, wherein the program file information comprises attribute information of the attack program, and the sector information is used for identifying a sector corresponding to a storage unit corresponding to one or more files to which the attack program belongs in the target fragment storage space; the reading module is used for reading the one or more files to which the attack program belongs from the sector corresponding to the corresponding storage unit in the target fragment storage space based on the sector information; and the recovery module is used for recovering the attack program based on the read one or more files to which the attack program belongs and the attribute information of the attack program.
The specific manner in which the respective modules perform the operations and the corresponding technical effects thereof have been described in corresponding detail in relation to the embodiments of the method in the above embodiments, and will not be described in detail herein.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied. The components shown as modules or units may or may not be physical units, may be located in one place, or may be distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the wood disclosure scheme. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The disclosed embodiments also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the concealment storage method of any of the embodiments described above.
By way of example, the readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
The embodiment of the disclosure also provides an electronic device comprising a processor and a memory, wherein the memory is used for storing a computer program. Wherein the processor is configured to perform the steps of the suppressed storage method of any of the embodiments above via execution of the computer program.
An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 5. The electronic device 600 shown in fig. 5 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 5, the electronic device 600 is embodied in the form of a general purpose computing device. Components of electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different system components (including the memory unit 620 and the processing unit 610), a display unit 640, etc.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs the steps according to various exemplary embodiments of the present invention described in the above-mentioned hidden storage method section of the present specification. For example, the processing unit 610 may perform the steps of the suppressed storage method as shown in FIG. 1.
The memory unit 620 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 6201 and/or cache memory unit 6202, and may further include Read Only Memory (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 630 may be a local bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 600, and/or any device (e.g., router, modem, etc.) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 650. Also, electronic device 600 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 600, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a usb disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-mentioned hidden storage method according to the embodiments of the present disclosure.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A method of concealing storage comprising:
acquiring a preset file to be stored, wherein the preset file is a file to which an attack program belongs;
determining a target fragment storage space on a disk;
writing the preset file into the target fragment storage space;
the target shard storage space includes one or more of a first shard storage space, a second shard storage space, and a third shard storage space;
wherein the first shard storage space comprises spare storage space in one or more clusters on the disk, the second shard storage space comprises reserved storage space of a master file table on the disk, and the third shard storage space comprises reserved storage space of the master file table on the disk;
the first fragment storage space, the second fragment storage space and the third fragment storage space have different priorities, and the writing the preset file into the target fragment storage space includes:
acquiring respective priorities of the first fragment storage space, the second fragment storage space and the third fragment storage space;
writing the preset file into a first designated fragment storage space; wherein the first designated shard storage space is a highest priority shard storage space of the first shard storage space, the second shard storage space, and the third shard storage space.
2. The method of claim 1, wherein the one or more clusters are clusters for storing specified system files; wherein the specified system file is a system file with a very resident file record attribute in the NTFS file system.
3. The method according to claim 1, wherein the method further comprises:
when the file size of the preset file is determined to exceed the size of the first specified fragment storage space, writing the preset file into a second specified fragment storage space; wherein the second designated shard storage space is a priority-centered shard space of the first shard storage space, the second shard storage space, and the third shard storage space.
4. A method according to claim 1 or 3, wherein the first shard memory space has the highest priority, the second shard memory space has the highest priority, and the third shard memory space has the lowest priority.
5. A method according to any one of claims 1 to 3, wherein the obtaining a preset file to be stored includes:
acquiring one or more files to which the attack program belongs;
the writing the preset file into the target fragment storage space comprises the following steps:
and writing the one or more files to which the attack program belongs into corresponding storage units in the target fragment storage space, wherein each storage unit comprises one or more sectors.
6. The method as recited in claim 4, further comprising:
recording program file information and sector information of the attack program, wherein the program file information comprises attribute information of the attack program, and the sector information is used for identifying a sector corresponding to a storage unit corresponding to one or more files to which the attack program belongs in the target fragment storage space;
reading the one or more files to which the attack program belongs from the sector corresponding to the corresponding storage unit in the target fragment storage space based on the sector information;
and recovering the attack program based on the read one or more files to which the attack program belongs and the attribute information of the attack program.
7. A hidden memory device, comprising:
the acquisition module is used for acquiring a preset file to be stored, wherein the preset file is a file to which an attack program belongs;
the determining module is used for determining a target fragment storage space on the disk;
the writing module is used for writing the preset file into the target fragment storage space;
the target shard storage space includes one or more of a first shard storage space, a second shard storage space, and a third shard storage space;
wherein the first shard storage space comprises spare storage space in one or more clusters on the disk, the second shard storage space comprises reserved storage space of a master file table on the disk, and the third shard storage space comprises reserved storage space of the master file table on the disk;
the first fragment storage space, the second fragment storage space and the third fragment storage space have different priorities, and the writing module is configured to write the preset file into the target fragment storage space, and includes:
the writing module is used for:
acquiring respective priorities of the first fragment storage space, the second fragment storage space and the third fragment storage space;
writing the preset file into a first designated fragment storage space; wherein the first designated shard storage space is a highest priority shard storage space of the first shard storage space, the second shard storage space, and the third shard storage space.
8. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the concealment storage method of any of claims 1-6.
9. An electronic device, comprising:
a processor; and
a memory for storing a computer program;
wherein the processor is configured to perform the steps of the concealment storage method of any of claims 1-6 via execution of the computer program.
CN202210925658.8A 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment Active CN115237352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210925658.8A CN115237352B (en) 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210925658.8A CN115237352B (en) 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN115237352A CN115237352A (en) 2022-10-25
CN115237352B true CN115237352B (en) 2023-08-15

Family

ID=83676972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210925658.8A Active CN115237352B (en) 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115237352B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1975935A (en) * 2006-12-15 2007-06-06 北京中星微电子有限公司 External storing performance testing method and apparatus
CN101770809A (en) * 2008-12-31 2010-07-07 J·埃金顿 Recovery for non-volatile memory after power loss
CN103176911A (en) * 2011-12-20 2013-06-26 陕西银河网电科技有限公司 Embedded type software security memory management method
CN104751076A (en) * 2015-04-15 2015-07-01 四川神琥科技有限公司 Method for recovering disk data
CN110908596A (en) * 2018-09-18 2020-03-24 爱思开海力士有限公司 Data storage device, method of operating the same, and storage system including the same
CN114328373A (en) * 2020-09-29 2022-04-12 伊姆西Ip控股有限责任公司 Method, electronic device and computer program product for managing a file system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9208335B2 (en) * 2013-09-17 2015-12-08 Auburn University Space-time separated and jointly evolving relationship-based network access and data protection system
CN110245119B (en) * 2018-11-02 2023-01-31 浙江大华技术股份有限公司 File sorting method and storage system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1975935A (en) * 2006-12-15 2007-06-06 北京中星微电子有限公司 External storing performance testing method and apparatus
CN101770809A (en) * 2008-12-31 2010-07-07 J·埃金顿 Recovery for non-volatile memory after power loss
CN103176911A (en) * 2011-12-20 2013-06-26 陕西银河网电科技有限公司 Embedded type software security memory management method
CN104751076A (en) * 2015-04-15 2015-07-01 四川神琥科技有限公司 Method for recovering disk data
CN110908596A (en) * 2018-09-18 2020-03-24 爱思开海力士有限公司 Data storage device, method of operating the same, and storage system including the same
CN114328373A (en) * 2020-09-29 2022-04-12 伊姆西Ip控股有限责任公司 Method, electronic device and computer program product for managing a file system

Also Published As

Publication number Publication date
CN115237352A (en) 2022-10-25

Similar Documents

Publication Publication Date Title
US11782632B2 (en) Selective erasure of data in a SSD
US8977812B1 (en) Iterating in parallel for deduplication
US8838875B2 (en) Systems, methods and computer program products for operating a data processing system in which a file delete command is sent to an external storage device for invalidating data thereon
JP5902323B2 (en) Method and apparatus for arranging content-derived data in memory
US8850105B2 (en) Method for controlling memory system, information processing apparatus, and storage medium
WO2017107414A1 (en) File operation method and device
US7441077B2 (en) Device for transmitting data and method for the same
CN103268201A (en) Data storing method, storing device and reading method
CN111104347B (en) Heap memory block searching method, device, equipment and storage medium
CN113419686A (en) RAID reconstruction method and device
CN104133640B (en) From the fast quick-recovery of dormancy
CN115237352B (en) Hidden storage method, device, storage medium and electronic equipment
CN111831589B (en) Method and device for improving IO command processing parallelism
CN111831224A (en) Method, system and equipment for erasing exFAT partition file residual space
CN112148220A (en) Method and device for realizing data processing, computer storage medium and terminal
US8949553B2 (en) System and method for retention of historical data in storage resources
CN111913915A (en) File hiding method and device
CN112416657A (en) System cloning method
CN114816542B (en) System starting method and device
CN117093160B (en) Data processing method and device of Cache, computer equipment and medium
US11803313B2 (en) Method of constructing a file system based on a hierarchy of nodes
CN112997137B (en) Method for managing performance of logic disk and storage array
CN111813327B (en) Memory system, memory controller and method for detecting half match
US10740015B2 (en) Optimized management of file system metadata within solid state storage devices (SSDs)
JP2009181567A (en) Memory card, its access method, and access system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant