CN115994350A - Method and device for intercepting file opening mode changes, electronic equipment and storage medium


Publication number: CN115994350A
Application number: CN202111223612.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 付浩, 侯京
Current assignee: Beijing Kingsoft Office Software Inc; Zhuhai Kingsoft Office Software Co Ltd; Wuhan Kingsoft Office Software Co Ltd
Original assignee: Beijing Kingsoft Office Software Inc; Zhuhai Kingsoft Office Software Co Ltd; Wuhan Kingsoft Office Software Co Ltd
Prior art keywords: file, target process, path, opening mode, function

Abstract

The invention relates to a method, a device, electronic equipment and a storage medium for intercepting a file opening mode change, wherein the method comprises the following steps: hooking a first function of a target process; calling a second function to acquire the running information of the target process; intercepting the operation of changing the file opening mode of the target process based on the running information; the target process is a process for changing the opening mode of the original process associated with the file; the first function is a function for executing a file opening mode changing operation at an application layer. According to the method, the first function of the target process is hooked, so that the target process's operation of modifying the registry key value item is suspended. The second function is then called to obtain the running information of the target process, which carries information on the change of the file opening mode. Based on that information, it is judged whether the target process is about to change the opening mode of the original process associated with the file; if so, the changing operation is intercepted, and interception of file opening mode changes at the application layer is realized.

Description

Method and device for intercepting file opening mode changes, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for intercepting a file opening mode change, an electronic device, and a storage medium.
Background
In an implementation of the invention, the file is opened by the process (application) with which the file extension is associated. Association information, such as the process associated with the file extension, is stored in a sub-key of the registry, and the file opening mode can be changed by modifying that sub-key. Because of this, third-party processes frequently change the file opening mode without the user's permission, which seriously affects the user experience, so it is important to intercept such unauthorized changes of the file opening mode.
Currently, there are two common ways to intercept an unauthorized change of the file opening mode. The first is to register a registry operation interceptor in the kernel layer (driver layer) by using the registry event callback function (CmRegisterCallback function), and to intercept the unauthorized change with that interceptor. The second is to hook, at the kernel layer, a system service function in the system service descriptor table (SSDT), for example the kernel-mode function that modifies registry key value data (ZwSetValueKey function).
These methods work well in some security software or anti-rootkit tools (ARK tools). A process that works only at the application layer, however, cannot easily install a kernel module to access the kernel-mode address space and therefore cannot take part in kernel-layer operations, so it is very difficult for it to intercept file opening mode changes by intercepting registry operations at the application layer.
Disclosure of Invention
The invention provides a method, a device, electronic equipment and a storage medium for intercepting a file opening mode change, which are used for overcoming the defect in the prior art that it is difficult to prevent the file opening mode from being changed by intercepting registry operations at the application layer, and for realizing, at the application layer, the interception of file opening mode changes that the user has not permitted.
In a first aspect, an embodiment of the present invention provides a method for intercepting a file opening mode change, where the method includes:
hooking a first function of a target process;
calling a second function to acquire the running information of the target process;
intercepting the operation of changing the file opening mode of the target process based on the running information;
the target process is a process for changing the opening mode of the original process associated with the file;
the first function is a function for executing a file opening mode changing operation at an application layer.
Optionally, the intercepting the operation of changing the file opening mode by the target process based on the running information includes:
extracting the key handle parameter contained in the running information;
acquiring the path pointed to by the key handle parameter;
and comparing the path with a standard path, and under the condition that the path is the same as the standard path, determining that the target process executes the operation of changing the file opening mode, and sending an association change notification to the original process associated with the file.
Optionally, the method further comprises:
the path is composed of a first wildcard and one or more first path elements arranged and combined;
the standard path is composed of a second wildcard and one or more second path elements arranged and combined;
wherein the path element includes: the registry's root key-user information file, home key-application information file, Microsoft, operating system, current version, browser, file format name, and user selection;
the wildcard is a file extension character string or another character string.
Optionally, the comparing the path with the standard path, and determining that the target process performs the operation of changing the file opening mode if the path is the same as the standard path includes:
determining that the target process performs the operation of changing the file opening mode in the case that the first path element part preceding the first wildcard of the path is identical to the second path element part preceding the second wildcard of the standard path, and the first path element part following the first wildcard of the path is identical to the second path element part following the second wildcard of the standard path.
Optionally, after the sending the association change notification to the original process associated with the file, the method further includes:
in the case that the target process receives an allow change instruction, calling back the first function of the target process.
Optionally, the target process receives an allow change instruction, including:
the target process is updated and set as a default opening mode of the file;
alternatively, the target process receives a reply that allows the change.
Optionally, after the sending the association change notification to the original process associated with the file, the method further includes:
returning a response that the file opening mode was changed successfully to the target process in the case that the target process receives the change prohibition instruction.
Optionally, the method further comprises:
comparing the path with the standard path, and under the condition that the path is different from the standard path, determining that the target process does not execute the operation of changing the file opening mode, and calling back the first function of the target process.
In a second aspect, the present invention further provides an apparatus for intercepting a file opening mode change, where the apparatus includes:
the hooking module is used for hooking the first function of the target process;
the acquisition module is used for calling a second function and acquiring the running information of the target process;
the interception module is used for intercepting the operation of changing the file opening mode of the target process based on the running information;
the target process is a process for changing the opening mode of the original process associated with the file;
the first function is a function for executing a file opening mode changing operation at an application layer.
In a third aspect, the present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the steps of the method for intercepting a file opening change according to the first aspect are implemented when the processor executes the program.
In a fourth aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of intercepting a change in file opening according to the first aspect.
According to the method, the device, the electronic equipment and the storage medium for intercepting a file opening mode change, the first function of the target process is hooked, so that the target process's operation of modifying the registry key value item is suspended. The second function is then called to obtain the running information of the target process, and from it the information on the change of the file opening mode that it carries. Based on that information, it is judged whether the target process is about to change the opening mode of the original process associated with the file. When the change is about to occur, the changing operation can be intercepted, which prevents the target process from changing the file opening mode without authorization and realizes the interception of file opening mode changes at the application layer.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a method for intercepting file opening mode change provided by the invention;
FIG. 2 is a schematic diagram illustrating the method for intercepting file opening mode changes according to the present invention;
FIG. 3 is a schematic diagram of a device for intercepting file opening mode change according to the present invention;
FIG. 4 is a schematic structural diagram of an electronic device for implementing a method for intercepting file opening mode change according to the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
For ease of understanding, the terms appearing in the embodiments of the application are explained below.
File: an electronic or paper document that describes management content or business content in text or graphics, is signed and issued by an authorized person through a prescribed procedure, and requires the recipient to respond accordingly.
Interception: blocking midway and preventing passing.
Change: alteration or variation.
Application layer: the highest layer of an open system, which directly provides network application services for application processes. Its role is to complete the series of services required for business processing while multiple system application processes communicate with one another. A kernel module cannot easily be installed from within it to access the kernel-mode address space, so it cannot take part in kernel-layer operations.
Kernel layer: the layer in which the kernel resides; it is responsible for managing the processes, memory, device drivers, files and network system of the system, and determines the performance and stability of the system.
Refer to: concrete things are replaced by abstract concepts.
Elements: the necessary factors for the things.
Prefix: a word-formation component added in front of the root.
Suffix: a word-formation component added after the root.
Hook: can be understood as hooking. In computing, hooking a function means using a hook function (a piece of code) to change the code at the head of that function so that it jumps to a function set by the user. The function thereby leaves its original execution path, and the operation it was performing is paused.
Injection: in computing, injecting code into a process means causing the process to actively load that code.
Returning (calling back): can be understood as release, i.e. restoring the code of a function that was modified by the hook function, so that the function executes its original operation again.
Calling: in an implementation of the present invention, calling a predefined function gives applications and developers the ability to use that function on certain software or hardware without having to access its source code or understand the details of its internal working mechanism.
Hook function: a function that can change the code at the head of the target function so that the changed code jumps to a piece of code in a function that we set ourselves.
A first function: a key-value setting function that has the ability to create or replace registry key value items.
The key value setting function may be the user-mode function that modifies a registry key value (NtSetValueKey function), or may be a function that creates or replaces registry key value items by calling that user-mode function, for example: the function that sets the default (unnamed) value of a registry key (RegSetValue function), the first function that modifies a registry value (RegSetValueEx function), the second function that modifies a registry value (SHSetValue function), and the function that opens a registry value stream (SHOpenRegStream2 function), etc.
The second function: a function that has the capability of acquiring process running information. The running information mainly refers to the process name, the copyright of the process, all process information visible in the task manager, and information related to the registry. The information related to the registry comprises: the key handle parameter of the process, and information on all keys or values visible in the registry editor, such as the data content written into the registry by calling the user-mode function that modifies a registry key value, and the last write time.
A typical second function is a Detours function, which is described by way of example:
A Detours function can intercept any Application Programming Interface (API) call, with the interception code loaded dynamically at run time. It replaces the first few instructions of the target application programming interface with an unconditional jump to the user-provided interception function. The replaced instructions are saved into a trampoline function (a data structure in memory), which holds the first few instructions of the replaced target application programming interface followed by an unconditional branch to the remaining instructions of the target application programming interface. When program execution reaches the target application programming interface, it jumps directly to the user-provided interception function, which can then execute its own code. The interception function can either return directly or call the trampoline function; in the latter case, control returns to the interception function once the call to the intercepted target application programming interface has finished.
The following describes a method, a device, an electronic device and a storage medium for intercepting a file opening mode change with reference to FIG. 1 to FIG. 4.
In a first aspect, as shown in fig. 1, the method for intercepting a file opening mode change provided by the present invention includes:
S11, hooking a first function of a target process;
The file opening mode means that the file is opened by the application program associated with its file extension; the files mentioned here include: text files, spreadsheet files, presentation files, video files, and audio files, etc.
Because the file opening mode information, such as the application program associated with the file extension, is stored in the sub-keys of the file extension under the registry root key, the file opening mode can be changed by modifying those sub-keys; the first function provided by the invention is a function with the capability of modifying those sub-keys.
The target process specified by the invention is a process that may change the opening mode of the original process associated with a file. For example: the user originally opens PDF files with the PDF application whose process name is A, and the PDF application whose process name is B sets itself as the application for opening the user's PDF files; the PDF application with process name B is then the target process, and the PDF application with process name A is the other program, that is, the original process.
According to the method, the hook function is injected into the target process and is used to hook the function that has the capability of modifying the sub-keys, so that the task of creating or replacing the registry key value item executed by the first function is suspended. This provides the basic guarantee for intercepting file opening mode changes at the application layer.
S12, calling a second function to acquire the running information of the target process;
The running information of the invention mainly refers to the process name, the copyright of the process, all process information visible in the task manager, and information related to the registry. The information related to the registry comprises: the key handle parameter of the process, and information on all keys or values visible in the registry editor, such as the data content written into the registry by calling the user-mode function that modifies a registry key value, and the last write time. The running information reflects the operation that the target process is executing, so the activity of the target process can be tracked; this provides the direction for the subsequent interception of file opening mode changes.
S13, intercepting the operation of changing the file opening mode of the target process based on the running information;
According to the method and the device, whether the target process is changing the file opening mode can be determined by analyzing the running information. When the target process is changing the file opening mode, the change operation it executes can be intercepted according to the user's intention, so that the target process is prevented from changing the file opening mode without permission.
The target process is a process for changing the opening mode of the original process associated with the file;
the first function is a function for executing a file opening mode changing operation at an application layer.
It should be noted that the first function of the present invention can perform the file opening mode changing operation at the application layer, but this does not mean that every task performed by the first function changes the file opening mode; that is, the first function may also perform modifications of registry keys that are unrelated to the file opening mode.
According to the method, the first function of the target process is hooked, so that the target process's operation of modifying the registry key value item is suspended. The second function is then called to obtain the running information of the target process, and from it the information on the change of the file opening mode that it carries. Based on that information, it is judged whether the target process is about to change the opening mode of the original process associated with the file. When the change is about to occur, the changing operation can be intercepted, which prevents the target process from changing the file opening mode without authorization and realizes the interception of file opening mode changes at the application layer.
On the basis of the foregoing embodiments, as an optional embodiment, the operation of intercepting, based on the running information, the target process's change of the file opening mode includes:
extracting the key handle parameter contained in the running information;
In an implementation of the present invention, the key handle parameter may be regarded as a code name for the path.
Acquiring the path pointed to by the key handle parameter;
The key handle parameter adopted by the invention can be a first key handle parameter (KeyHandle). In addition, in the implementation of the invention, the path of the target process contains working directory information, which may contain information such as Microsoft, the operating system, the current version, the browser and the user selection; the task to be executed by the process can be extracted from the working directory information.
Comparing the path with the standard path, and under the condition that the path is the same as the standard path, determining that the target process executes the operation of changing the file opening mode, and sending an association change notification to the original process associated with the file.
The path format of the standard path provided by the invention can be regarded as the path format that is used when the file opening mode is changed. It was obtained by summarizing experience after a large amount of analysis of the flow for changing the default opening mode. When the path format of the target process is consistent with the path format of the standard path, this indicates that the target process is changing the file opening mode associated with the original process. At this time, an association change notification needs to be sent to the original process.
It should be noted that the association change notification is a notification, sent to the original process, that the file opening mode is about to be changed. To prevent the target process from changing the file opening mode associated with the original process without authorization, this notification is sent to the original process, the user's opinion is then solicited, and the user decides whether to change the file opening mode, so as to ensure the user's experience.
On the basis of the above embodiments, as an alternative embodiment, the method further includes:
the path is composed of a first wildcard and one or more first path elements arranged and combined;
the standard path is composed of a second wildcard and one or more second path elements arranged and combined;
wherein the path element comprises: the registry's root key-user information file, home key-application information file, Microsoft, operating system, current version, browser, file format name, and user selection;
the wildcard is a file extension string or another string.
After a large amount of analysis of the flow for changing the default opening mode, the invention concludes that the path used to change the file opening mode is formed by arranging and combining wildcards and path elements in a certain way, and that this arrangement is usually fixed. A standard path format is therefore summarized, for example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\UserChoice;
wherein * is a wildcard that refers to a file extension, such as ".doc", or another character string of any length; HKEY_CURRENT_USER is the root key-user information file of the registry, Software is the primary key-application information file, Microsoft is Microsoft, Windows is the operating system, CurrentVersion is the current version, Explorer is the browser, FileExts is the file format name, and UserChoice is the user selection.
Determining the standard path makes it possible to use the path of the target process to identify whether the target process is changing the file opening mode associated with the original process. It greatly helps to prevent, at the application layer, changes of the file opening mode that the user has not allowed, and is a key factor in making the invention practicable.
On the basis of the foregoing embodiments, as an optional embodiment, comparing the path with the standard path, and determining that the target process executes the operation of changing the file opening mode in the case that the path is the same as the standard path includes:
determining that the target process performs the operation of changing the file opening mode in the case that the first path element part preceding the first wildcard of the path is identical to the second path element part preceding the second wildcard of the standard path, and the first path element part following the first wildcard of the path is identical to the second path element part following the second wildcard of the standard path.
Both the path and the standard path are composed of a prefix, a wildcard and a suffix. The prefix and the suffix of the standard path are standard forms that staff summarized through a large amount of analysis of the flow for changing the default opening mode. Therefore, when the part before the wildcard and the part after the wildcard of the path are both consistent with those of the standard path, this indicates that the target process is executing the operation of changing the file opening mode.
This arrangement prevents, as far as possible, the file opening mode from being changed without the user's permission.
On the basis of the above embodiments, as an optional embodiment, after sending the association change notification to the original process associated with the file, the method further includes:
in the event that the target process receives an allow change instruction, calling back the first function of the target process.
It will be appreciated that "the target process receives the allow/prohibit change instruction" does not mean that such an instruction is actually sent to the target process; rather, the operating system deems by default that the target process has received the allow/prohibit change instruction.
In the technical field of the invention, calling back the first function of the target process means that the task of creating or replacing the registry key value item that the target process was about to execute is continued; when the user allows the file opening mode to be changed, the execution of the target process's task is not prevented. Whether to call back the first function is determined by obtaining the user's instruction, so that the change of the file opening mode is either resumed or terminated; when it is resumed, the target process's change of the file opening mode is not intercepted. The whole process prevents, at the application layer, changes of the file opening mode made without the user's permission, without calling on the resources of the kernel layer (i.e. without passing through the kernel layer).
The invention follows the user's choice to the greatest extent and takes the user's wishes as the basis for deciding whether to intercept.
Based on the above embodiments, as an optional embodiment, the target process receives an instruction for allowing a change, including:
the target process is updated and set as a default opening mode of the file;
alternatively, the target process receives a reply that allows the change.
The target process receiving the allow change instruction may further include:
if the original process meets any one of the setting requirements, the target process is determined to have received an allow change instruction; otherwise, the target process is determined to have received a change prohibition instruction;
wherein the setting requirements include: the original process is not set as the default opening mode of the file;
after the original process executes the popup operation, a reply allowing the change is received;
the original process does not receive a reply within a preset time period after executing the popup operation.
The default opening mode of the file is the opening mode that the user ticks in the interface for changing the file opening mode, and the preset time period can be set according to the user's needs, for example one minute or 30 seconds.
In the art, the setting requirements are not limited to the above 3 cases; other reasonable cases can also serve as setting requirements.
After the method sends the notification that the file opening mode is about to be changed to the original process, the original process can perform a popup operation to ask for the user's opinion. By fully considering the user's wishes, the user's satisfaction is ensured.
On the basis of the above embodiments, as an optional embodiment, after sending the association change notification to the original process associated with the file, the method further includes:
returning a response of successful change of the file opening mode to the target process when the target process receives the change prohibition instruction.
When the target process receives a change prohibition instruction, the file opening mode has not actually been changed. To keep the target process from falling into a dead loop of trying to change the file opening mode again after it detects that the change failed, the invention sends a response message of "file opening mode changed successfully" (in the computer program, returning 0 to the target process), thereby preventing the target process from changing the file opening mode again.
In one implementation of the present invention, the response message of "file opening mode changed successfully" may be a numerical identifier sent to the target process, and the target process recognizes the response as "file opening mode changed successfully" by reading the numerical identifier. The numerical value can be any natural number, such as 0 or 1.
On the basis of the above embodiments, as an alternative embodiment, the method further includes:
comparing the path with the standard path, determining that the target process does not execute the operation of changing the file opening mode under the condition that the path is different from the standard path, and calling back the first function of the target process.
In this technical field, when the target process's path does not match the part of the standard path before the wildcard and/or the part after the wildcard, the task of creating or replacing a registry key value item that the target process is executing is not a change of the original process's file opening mode. In this case there is no need to block the target process's task, so the first function of the target process is called back, the task of the target process executes successfully, and normal tasks are not prevented from completing by interference from the invention.
After the task carried out by the target process is completed, a success response is returned to the target process. It can be understood that a response of successfully changing the file opening mode is returned to the target process whether or not the change was actually completed. The difference is that when the change was really completed, the response only conveys the message; when the change was not really completed, the response serves to keep the target process from falling into a dead loop of trying to modify the file opening mode again after detecting that the change failed.
According to the method, execution of the target process's task is suspended by means of the first function of the target process, and the target process's path is extracted to determine whether the target process is changing the file opening mode associated with the original process. If so, other processes, on receiving the user's instruction "do not allow the change of the file opening mode", return a response of successfully changing the file opening mode, so that the target process receives a response that its task succeeded, namely a response that the file opening mode was changed successfully. In this way, the target process is prevented from repeating or reinitiating the request to change the file opening mode, and a change of the file opening mode that the user has not allowed is blocked at the application layer.
To further explain the present invention, a specific example is provided:
The invention is a technical scheme, implementable at the application layer, for preventing the file opening mode from being changed without the user's authorization. It was obtained through extensive analysis of how an operating system (for example, a Windows system) looks up and modifies the default opening mode. FIG. 2 illustrates an operation schematic of the method of the invention for intercepting a file opening mode change, and the specific process is as follows:
Step A: inject code for hooking the first function into the target process; the code mentioned here is the hook function. The first function is the user-mode function that modifies a registry key value (the NtSetValueKey function).
Step B: hook the first function, and use the second function to check the key handle parameter of the target function's operation to determine whether the path pointed to by the key handle parameter matches the following pattern:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\UserChoice
where * is a wildcard that stands for a file extension, such as ".doc", or another character string of any length; HKEY_CURRENT_USER is the root key-user information file of the registry, Software is the primary key-application information file, Microsoft is Microsoft, Windows is the operating system, CurrentVersion is the current version, Explorer is the browser, FileExts is the file format name, and UserChoice is the user selection.
The second function is an aspect function (Detours function), and the key handle parameter is the first key handle parameter (KeyHandle).
Step C: if the path pointed to by the key handle parameter matches the pattern, a notification that the file opening mode is about to be changed is sent to the external process (namely the original process), which gives the external process an opportunity to intercept the change of the file opening mode.
Step D: the first function is called back only when the external process decides to allow the change of the file opening mode; otherwise, 0 is returned directly. Here 0 indicates success.
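The decision logic of steps B to D, as an added example in portable C that is not code from the patent. It assumes the key path has already been resolved to the HKEY_CURRENT_USER form shown above; `wildcard_len`, `hooked_set`, the callback types and the demo stubs are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Standard path from step B, split at its wildcard into prefix and suffix. */
static const char PREFIX[] = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Explorer\\FileExts\\";
static const char SUFFIX[] = "\\UserChoice";
/* Constructed sample key path for the demo below. */
static const char DOC_KEY[] = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Explorer\\FileExts\\.doc\\UserChoice";

typedef enum { ALLOW_CHANGE, PROHIBIT_CHANGE } verdict_t;
/* Hypothetical stand-ins for the original first function and for the
 * notification sent to the original process (names are assumptions). */
typedef int (*first_fn)(const char *key_path, void *ctx);
typedef verdict_t (*notify_fn)(const char *key_path, void *ctx);

/* Registry key names compare case-insensitively. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Length of the wildcard part when path is PREFIX + wildcard + SUFFIX,
 * or 0 when path does not match the standard path. */
size_t wildcard_len(const char *path)
{
    size_t len = strlen(path), pre = sizeof PREFIX - 1, suf = sizeof SUFFIX - 1;
    /* Without this length check, prefix and suffix could overlap on a
     * path whose FileExts key is followed directly by UserChoice. */
    if (len <= pre + suf)
        return 0;
    if (!ieq(path, PREFIX, pre) || !ieq(path + len - suf, SUFFIX, suf))
        return 0;
    return len - pre - suf;
}

/* Steps C and D: what the hook does once it holds the resolved key path. */
int hooked_set(const char *path, first_fn original, notify_fn notify, void *ctx)
{
    /* Unrelated write, or change allowed: call back the first function. */
    if (wildcard_len(path) == 0 || notify(path, ctx) == ALLOW_CHANGE)
        return original(path, ctx);
    return 0; /* prohibited: report success (0) without writing */
}

/* Constructed demo state: the user's answer and a count of real writes. */
struct demo { verdict_t answer; int writes; };
static int demo_write(const char *path, void *ctx)
{
    (void)path;
    ((struct demo *)ctx)->writes++;
    return 0;
}
static verdict_t demo_notify(const char *path, void *ctx)
{
    (void)path;
    return ((struct demo *)ctx)->answer;
}

/* Runs one hooked call and returns how many writes reached demo_write. */
int demo_writes(const char *path, verdict_t answer)
{
    struct demo d = { answer, 0 };
    hooked_set(path, demo_write, demo_notify, &d);
    return d.writes;
}

int main(void)
{
    printf("prohibited: %d write(s)\n", demo_writes(DOC_KEY, PROHIBIT_CHANGE));
    printf("allowed:    %d write(s)\n", demo_writes(DOC_KEY, ALLOW_CHANGE));
    return 0;
}
```

A prohibited change and an allowed one both hand 0 back to the caller; only the write count shows which of them reached the registry stub.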
In a second aspect, a device for intercepting a file opening mode change provided by the present invention is described. The device described below and the method for intercepting a file opening mode change described above may be read with reference to each other. FIG. 3 illustrates a schematic structure of an apparatus for intercepting file opening mode changes, the apparatus comprising:
the hooking module is used for hooking the first function of the target process;
the acquisition module is used for calling a second function and acquiring the running information of the target process;
the interception module is used for intercepting the operation of changing the file opening mode of the target process based on the running information;
the target process is a process for changing the opening mode of the original process associated with the file;
the first function is a function for executing a file opening mode changing operation at an application layer.
According to the device for intercepting a file opening mode change, the first function of the target process is hooked so that the target process's operation of modifying the registry key value item is suspended; the second function is called to obtain the running information of the target process, and from it the change condition information of the file opening mode carried in the running information; whether the target process is about to change the opening mode of the original process associated with the file is judged from the change condition information; and if a change is about to occur, the change operation can be intercepted. This prevents the target process from changing the file opening mode without authorization and achieves interception of file opening mode changes at the application layer.
On the basis of the above embodiments, as an optional embodiment, the interception module includes:
an extracting unit, configured to extract the key handle parameter contained in the running information;
an obtaining unit, configured to obtain a path pointed by the key handle parameter;
and the notification unit is used for comparing the path with the standard path, determining that the target process executes the operation of changing the file opening mode under the condition that the path is the same as the standard path, and sending the associated change notification to the original process associated with the file.
On the basis of the above embodiments, as an alternative embodiment, the apparatus further includes:
the path is composed of a first wildcard and one or more first path elements arranged in combination;
the standard path is composed of a second wildcard and one or more second path elements arranged in combination;
wherein the path elements comprise: the registry's root key-user information file, home key-application information file, Microsoft, operating system, current version, browser, file format name, and user selection;
the wildcard is a file extension string or another character string.
On the basis of the above embodiments, as an alternative embodiment, the notification unit is specifically configured to:
determine that the target process performs an operation of changing the file opening mode in the case that the first path element part preceding the first wildcard of the path is identical to the second path element part preceding the second wildcard of the standard path, and the first path element part following the first wildcard of the path is identical to the second path element part following the second wildcard of the standard path.
On the basis of the foregoing embodiments, as an optional embodiment, the interception module further includes: a first callback unit for:
in the event that the target process receives an allow change instruction, the first function of the target process is called back.
Based on the above embodiments, as an optional embodiment, the target process receives an instruction for allowing a change, including:
the target process is updated and set as a default opening mode of the file;
alternatively, the target process receives a reply that allows the change.
On the basis of the above embodiments, as an optional embodiment, after sending the association change notification to the original process associated with the file, the method further includes:
and returning a response of successful change of the file opening mode to the target process when the target process receives the change prohibition instruction.
On the basis of the above embodiments, as an optional embodiment, the interception module further includes a second callback module, configured to:
comparing the path with the standard path, determining that the target process does not execute the operation of changing the file opening mode under the condition that the path is different from the standard path, and calling back the first function of the target process.
In a third aspect, FIG. 4 illustrates a physical schematic diagram of an electronic device. As shown in FIG. 4, the electronic device may include: processor 410, communication interface (Communications Interface) 420, memory 430, communication bus 440, and a computer program stored on memory 430 and executable on processor 410, wherein processor 410, communication interface 420 and memory 430 communicate with each other through communication bus 440. The processor 410 may invoke logic instructions in the memory 430 to perform a method of intercepting a file opening mode change, the method comprising: hooking a first function of a target process; calling a second function to acquire the running information of the target process; intercepting the operation of changing the file opening mode of the target process based on the running information; the target process is a process for changing the opening mode of the original process associated with the file; the first function is a function for executing a file opening mode changing operation at an application layer.
Further, the logic instructions in the memory 430 described above may be implemented in the form of software functional units and, when sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In a fourth aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the above-described method of intercepting a file opening mode change, the method comprising: hooking a first function of a target process; calling a second function to acquire the running information of the target process; intercepting the operation of changing the file opening mode of the target process based on the running information; the target process is a process for changing the opening mode of the original process associated with the file; the first function is a function for executing a file opening mode changing operation at an application layer.
The apparatus embodiments described above are merely illustrative, wherein elements illustrated as separate elements may or may not be physically separate, and elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the various embodiments or methods of some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A method of intercepting a file opening change, the method comprising:
hooking a first function of a target process;
calling a second function to acquire the running information of the target process;
intercepting the operation of changing the file opening mode of the target process based on the running information;
the target process is a process for changing the opening mode of the original process associated with the file;
the first function is a function for executing a file opening mode changing operation at an application layer.
2. The method for intercepting a file open mode change according to claim 1, wherein said intercepting said target process from changing said file open mode based on said running information comprises:
extracting the key handle parameter contained in the running information;
acquiring a path pointed by the key handle parameter;
and comparing the path with a standard path, and under the condition that the path is the same as the standard path, determining that the target process executes the operation of changing the file opening mode, and sending an association change notification to the original process associated with the file.
3. The method of intercepting a file open change according to claim 2, wherein said method further comprises:
the path is composed of a first wildcard and one or more first path elements in a permutation and combination form;
the standard path is composed of second wildcards and one or more second path elements in a permutation and combination form;
wherein the path element includes: the registry's root key-user information file, home key-application information file, microsoft, operating system, current version, browser, file format name, and user selection;
the wild card is a file extension character string or other character strings.
4. A method of intercepting a file open change according to claim 3, wherein said comparing said path with said standard path and, in the event that said path is the same as said standard path, determining that said target process is performing an operation of changing said file open change comprises:
determining that the target process performs an operation of changing the file opening mode in the case that the first path element part preceding the first wildcard of the path is identical to the second path element part preceding the second wildcard of the standard path, and the first path element part following the first wildcard of the path is identical to the second path element part following the second wildcard of the standard path.
5. The method for intercepting a file open change according to claim 2, wherein after said sending an association change notification to an original process associated with said file, further comprises:
and in the case that the target process receives an allowed change instruction, calling back the first function of the target process.
6. The method for intercepting a file open change according to claim 5, wherein said target process receives an allow change instruction comprising:
the target process is updated and set as a default opening mode of the file;
alternatively, the target process receives a reply that allows the change.
7. The method for intercepting a file open change according to claim 2, wherein after said sending an association change notification to an original process associated with said file, further comprises:
and returning a response of successful change of the file opening mode to the target process under the condition that the target process receives the change prohibition instruction.
8. The method of intercepting a file open change according to claim 2, wherein said method further comprises:
and comparing the path with a standard path, and under the condition that the path is different from the standard path, determining that the target process does not execute the operation of changing the file opening mode, and calling back the first function of the target process.
9. An apparatus for intercepting a change in a file opening manner, the apparatus comprising:
the hooking module is used for hooking the first function of the target process;
the acquisition module is used for calling a second function and acquiring the running information of the target process;
the interception module is used for intercepting the operation of changing the file opening mode of the target process based on the running information;
the target process is a process for changing the opening mode of the original process associated with the file;
the first function is a function for executing a file opening mode changing operation at an application layer.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of intercepting a file opening change according to any of claims 1 to 8 when the program is executed.
11. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of a method of intercepting a change of file opening according to any of claims 1 to 8.
CN202111223612.3A 2021-10-20 2021-10-20 Method and device for changing interception file opening mode, electronic equipment and storage medium Pending CN115994350A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111223612.3A CN115994350A (en) 2021-10-20 2021-10-20 Method and device for changing interception file opening mode, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115994350A true CN115994350A (en) 2023-04-21

Family

ID=85992998

Country Status (1)

Country Link
CN (1) CN115994350A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination