CN1368679A - Monitor method for reverse mounting - Google Patents

Publication number
CN1368679A
Authority
CN
China
Prior art keywords
installation
record
file
supervising
new
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 01103346
Other languages
Chinese (zh)
Other versions
CN1173269C (en)
Inventor
陈玄同
林光信
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inventec Corp
Original Assignee
Inventec Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inventec Corp
Priority to CNB011033460A
Publication of CN1368679A
Application granted
Publication of CN1173269C
Anticipated expiration
Expired - Fee Related

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a monitoring method for uninstallation. The file record and registry record located at the Ring0 layer are converted into records at the Ring3 layer that can be operated on and called. Supported by four parts (task monitoring, file recording, registry recording and restart protection), the method detects and monitors executing installation programs and records the files and settings they modify. Because the restart protection part intercepts the system start-up function, the data recorded during installation is protected against loss. Because each installation program corresponds to its own file record and registry record at the Ring3 layer, the invention can monitor multiple installation programs at the same time without errors in the installation record.

Description

Monitoring method for uninstallation
The present invention relates to a monitoring method for uninstallation, and in particular to a monitoring method that can monitor multiple installation programs at the same time and is not affected by the user's other operations during monitoring.
In general, to use a piece of software on a computer system, an installation program (install.exe or setup.exe) must first be run from a disk or CD to place the software's data in the relevant directories on the hard disk; only then can the software run normally. This process is called installation (install or setup). Installing software does more than copy its files to the hard disk; it also modifies the relevant environment settings of the operating system. Conversely, to remove software from a computer system it is not enough to delete the directory where the software resides; some settings in the operating system (especially an integrated environment such as Windows) must also be removed, otherwise the software is not removed cleanly. Leaving the software's environment settings behind does not make the computer fail right away, but over time the computer keeps processing many unnecessary settings, which seriously wastes system resources and reduces the computer's operating efficiency, and eventually can even make the computer crash frequently.
To avoid the above problem and let the user completely remove installed software from the hard disk, programs that remove an installation, called uninstall programs, have appeared. Because an uninstall program, when removing an installation, must know which directories and environment settings related to the software are to be removed, the uninstall program has to be started before the software is installed so that it can monitor and record the settings. Current installation monitoring techniques are mostly based on "snapshot comparison": before the software is installed, the uninstall program scans and records the relevant directory paths, the registry and the settings that may be modified; after the software is installed, it scans and records the directory paths, registry and settings of the computer system again; by comparing the two, the uninstall program learns which environment and system settings the installation added or changed.
The characteristics of the above known method are: it can monitor only one installation program at a time, and it requires that the user make no modifications during monitoring, otherwise the monitoring record will be wrong and the installation process will fail. If the installation program has a restart function, the record made during monitoring is lost, so correct monitoring results cannot be obtained.
In view of this, the object of the present invention is to provide a monitoring method for uninstallation: an uninstall program that can monitor multiple software installations at the same time and whose record during monitoring is not affected by the user's other operations.
According to the above object, the monitoring method for uninstallation provided by the present invention is applied to monitoring the installation process of at least one installation program, as the basis for removing data at uninstallation (Uninstall). The file record (File Record) and registry record (Registry Record) that originally have Ring0 layer access rights are converted into a new file record and a new registry record that have Ring3 layer access rights and can be operated on and called. A task monitor module then checks whether any executing process is an installation program. Once an installation program is found to have started on the computer system, the file record module and the registry record module are notified to back up and record the content of the file system data and the registry data, respectively, before and after the change. Finally, a restart protection module intercepts the system start-up routine to avoid losing the installation record data when the computer restarts.
The specific steps comprise: intercepting the process identification code (Process ID) of a piece of software being executed, and confirming that the software is the installation program; converting a file record (File Record) and a registry record (Registry Record) located at the Ring0 layer access rights of the central processing unit (CPU) into a new file record and a new registry record that have Ring3 layer access rights and can be operated on and called; monitoring the input/output (I/O) operations of the installation program on the new file record and a file system, and backing up the content of the new file record and the file system; monitoring the input/output (I/O) operations of the installation program on the new registry record, and backing up the content of the new registry record; and using a jump (Jump) command in the installation program to intercept the system start-up function of the computer.
Because the present invention gives each installation program its own file record and registry record at the Ring3 layer, multiple installation programs can run at the same time without their installation records being confused.
To make the above and other objects, features and advantages of the present invention more apparent, a preferred embodiment is described in detail below with reference to the accompanying drawings.
Figure 1A is a high-level functional block diagram of the present invention;
Figure 1B is a schematic diagram of the conversion of the records from Ring0 layer access rights to Ring3 layer access rights;
Fig. 2 is a flow chart of task monitoring in the present invention;
Fig. 3 is a flow chart of the file record operation in the present invention;
Fig. 4 is a flow chart of the registry record operation in the present invention;
Fig. 5 is a flow chart of restart protection in the present invention; and
Fig. 6 is a flow chart of the data conversion from the Ring0 layer to the Ring3 layer in the present invention.
Explanation of reference numerals
100: Ring0 layer
101: file record
102: registry record
110: Ring3 layer
111: file record
112: registry record
120: Ring0 layer to Ring3 layer data conversion module
130: task monitor module
140: file record module
150: registry record module
160: restart protection module
Referring to Figure 1A, the installation monitoring function of the present invention is supported by four parts: the task monitor module 130, the file record module 140, the registry record module 150 and the restart protection module 160. In addition, referring to Figure 1B, the present invention must also use a data conversion module 120 to convert the file record (File Record) and registry record (Registry Record) of the Ring0 layer into a file record and a registry record of the Ring3 layer; after that, the four functional modules above (task monitor module 130, file record module 140, registry record module 150 and restart protection module 160) jointly perform the installation monitoring.
The operating flow of each of the four functional modules is detailed below:
Task monitor module 130:
Referring to Fig. 2, module 130 monitors system tasks (Task) by intercepting the Win32 API. First, the create-process function (CreateProcess) related to the process being handled is called (step 201). The identification code (Process ID) of the current process is then read (step 202), the identification code of the created process is taken from the return value of the original function, and this ID is sent to the main control program (step 203). The main control program judges whether the process is an installation program process (step 204). If so, the main control program is notified to create a new record for this task (step 205); if not, the module returns and waits for the next call (step 206).
File record module 140:
Referring to Fig. 3, the interception function is first called to intercept the I/O operations of the file system (step 301). It is then judged whether the currently executing program is monitored (step 302). If so, it is judged whether the current operation is an open-file (Open File) operation (step 303). If it is, the access (Access) rights of the operation are analyzed (step 309) and it is judged whether it is a destructive operation (step 310); if it is, the file content is backed up (step 306) and the program returns; if not, the program ends directly. If the current operation is not an open-file operation, it is judged whether it is a delete (Delete) operation (step 304); if so, the file content is backed up (step 308). If not, it is further judged whether the current operation is a rename (Rename) operation (step 305); if so, the file content is backed up (step 306); if not, the current operation is treated as invalid, the program returns and waits for the next operation (step 307).
Registry record module 150:
Referring to Fig. 4, the present invention records the modifications an installation program makes to the registry (Registry) by monitoring registry input/output (I/O). The interception function is first called and the entry addresses of the Ring0 layer and the Ring3 layer are replaced (step 401). Input/output (I/O) operations are then intercepted (step 402), and it is judged whether the current operation modifies the registry (step 403). If so, the result of the modification is recorded (step 404) and the original data is recorded (step 405); if the registry is not modified, the program returns (step 406) and waits for the next registry operation to intercept.
Restart protection module 160:
Referring to Fig. 5, this module prevents the installation record data from being lost when the installation program restarts the computer during installation. The original function address of the installation program is first found (step 501), the jump (JUMP) command under it is read (step 502), and the jump address in the jump command is pointed to the interception function (step 503). The system start-up function is then intercepted (step 504), waiting to be called by the outer installation program (step 505). If a call is received (step 506), it is judged whether the program running at that time is monitored (step 507). If so, the function call at that moment is not affected (step 509) and the program returns; if not, the computer is restarted (step 508).
In addition, for the data conversion module 120 from the Ring0 layer to the Ring3 layer, refer to Fig. 6. This module performs the data conversion from the Ring0 layer to the Ring3 layer so that the file record and registry record data of the Ring0 layer can be called by Ring3 layer operations. The function is first initialized (step 601), the first Ring3 layer process (Process) is read (step 602) and converted into a TDB address (step 603). The Ring0 layer ID is then read (step 604), and it is judged whether the two are equal (step 605). If so, this ID is returned (step 606). If not, the next ID is taken (step 607) and it is judged whether this ID exists (step 608). If it exists, it is again converted into a TDB address, repeating the operations from the conversion to a TDB address (step 603) through the return (step 609). If it does not exist, the program returns and indicates that the operation is empty (step 609).
The installation of the WinZip software is taken as an example below to illustrate the installation monitoring process of the present invention:
The installation program is started first. At this point the task monitor module provided by the present invention is called and intercepts the current process identification code (Process ID); the main control program is notified that the currently running process is an installation program and asks whether to record it. After confirmation, a new record is created for the current task. Next, file system monitoring and registry monitoring are started; the input/output (I/O) operations of the file system and the registry are intercepted respectively and backed up according to the case; the file record and registry record of the Ring0 layer are converted into the corresponding file record and registry record of the Ring3 layer; restart protection is started; and changes to processes are tracked. The changes to the file system and registry produced by the task are thereby recorded and the original files that are modified are backed up. After the installation, the record made is displayed for the user's reference.
Because the present invention converts the modifications to the file record and registry record, originally carried out at the Ring0 layer, to be carried out at the Ring3 layer, and each installation program corresponds to its own set of Ring3 layer file record and registry record, multiple installation programs can be monitored at the same time, and the user's other operations are not affected during monitoring.
Moreover, the present invention can automatically monitor the user's restart requests; when the user restarts during installation, the installation record is not corrupted or lost. DOS operations and 16-bit Windows program operations are also supported.
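The following sketch is an added example, not code from the patent: it models the Fig. 3 file record decisions and the Fig. 4 registry record with one record per installer process ID, so that two installers and an ordinary user program can run at once without mixing records. The in-memory `files` and `registry` dictionaries, the installer-name check, the access flags, the sample paths and keys, and the `uninstall` rollback are assumptions made for illustration.

```python
from dataclasses import dataclass, field

READ, WRITE = 1, 2  # constructed access flags for an open-file request

@dataclass
class InstallRecord:
    """File record plus registry record owned by one installer process."""
    file_backups: dict = field(default_factory=dict)      # path -> original content (None = absent)
    registry_changes: list = field(default_factory=list)  # (key, old value, new value)

class InstallMonitor:
    def __init__(self, files, registry):
        self.files, self.registry = files, registry  # in-memory stand-ins (assumption)
        self.records = {}                            # process ID -> InstallRecord

    def on_create_process(self, pid, image):
        # Fig. 2, steps 204-205; deciding by image name is an assumption of this example.
        if image.lower() in ("setup.exe", "install.exe"):
            self.records[pid] = InstallRecord()
        return pid in self.records

    def _verdict(self, pid, op, path, access, new_path):
        rec = self.records.get(pid)
        if rec is None:                          # step 302: caller not monitored
            return "unmonitored"
        if op == "open" and not access & WRITE:  # steps 303, 309-310: not destructive
            return "no-backup"
        if op not in ("open", "delete", "rename"):
            return "invalid"                     # step 307
        for p in ((path, new_path) if op == "rename" else (path,)):
            rec.file_backups.setdefault(p, self.files.get(p))  # steps 306/308: first content only
        return "backed-up"

    def file_io(self, pid, op, path, access=READ, data=None, new_path=None):
        """Intercepted file operation: decide on a backup, then pass it through."""
        verdict = self._verdict(pid, op, path, access, new_path)
        if op == "open" and access & WRITE:
            self.files[path] = data
        elif op == "delete":
            self.files.pop(path, None)
        elif op == "rename" and path in self.files:
            self.files[new_path] = self.files.pop(path)
        return verdict

    def registry_io(self, pid, key, value):
        rec, old = self.records.get(pid), self.registry.get(key)
        modified = rec is not None and old != value           # step 403
        if modified:
            rec.registry_changes.append((key, old, value))    # steps 404-405
        self.registry[key] = value
        return modified

    def uninstall(self, pid):
        """Roll back one installer from its own record (illustrative use of the record)."""
        rec = self.records.pop(pid)
        undo = [(self.files, p, o) for p, o in rec.file_backups.items()]
        undo += [(self.registry, k, o) for k, o, _ in reversed(rec.registry_changes)]
        for store, key, original in undo:
            if original is None:
                store.pop(key, None)      # did not exist before the install
            else:
                store[key] = original
        return sorted(rec.file_backups)

def demo():
    files = {"C:/app/readme.txt": "v1", "C:/notes.txt": "mine"}  # constructed sample state
    registry = {"HKLM/Software/Shared/Path": "C:/old"}           # constructed sample key
    mon = InstallMonitor(files, registry)
    for pid, image in ((100, "setup.exe"), (200, "INSTALL.EXE"), (300, "notepad.exe")):
        mon.on_create_process(pid, image)
    mon.file_io(100, "open", "C:/app/readme.txt", WRITE, "v2")       # installer A
    mon.file_io(100, "open", "C:/app/a.dll", WRITE, "dll")
    mon.file_io(200, "open", "C:/tool/tool.exe", WRITE, "bin")       # installer B
    mon.file_io(300, "open", "C:/notes.txt", WRITE, "mine, edited")  # user, unmonitored
    mon.registry_io(100, "HKLM/Software/Shared/Path", "C:/app")
    mon.registry_io(200, "HKLM/Software/Tool/Ver", "1.0")
    return mon.uninstall(100), files, registry
```

Rolling back installer A leaves installer B's file and key and the user's edit in place, which a before/after snapshot comparison taken around the same interval could not separate.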
Although the present invention has been illustrated and described with reference to a preferred embodiment, this is not intended to limit the invention. Those skilled in the art will appreciate that various changes and modifications can be made without departing from the spirit and scope defined by the appended claims. The scope of protection of the present invention is therefore defined by the appended claims.

Claims (12)

1. A monitoring method for uninstallation, applied to monitoring the installation process of at least one installation program, as the basis for removing data at uninstallation (Uninstall), comprising:
intercepting the process identification code (Process ID) of a piece of software being executed, and confirming that the software is the installation program;
converting a file record (File Record) and a registry record (Registry Record) located at the Ring0 layer access rights of the central processing unit (CPU) into a new file record and a new registry record that have Ring3 layer access rights and can be operated on and called;
monitoring the input/output (I/O) operations of the installation program on the new file record and a file system, and backing up the content of the new file record and the file system;
monitoring the input/output (I/O) operations of the installation program on the new registry record, and backing up the content of the new registry record; and
using a jump (Jump) command in the installation program to intercept the system start-up function of the computer.
2. The monitoring method for uninstallation as claimed in claim 1, wherein task monitoring of the installation program is achieved by intercepting an application program interface (Application Program Interface, API).
3. The monitoring method for uninstallation as claimed in claim 1, wherein the process identification code (Process ID) is obtained from a create-process (Create Process) function related to the software.
4. The monitoring method for uninstallation as claimed in claim 1, wherein the file system comprises the relevant directory structure, file names, number of files and file content.
5. The monitoring method for uninstallation as claimed in claim 1, wherein monitoring the input/output (I/O) operations of the installation program on the new file record and the file system further comprises the following steps:
intercepting the input/output (I/O) operations on the new file record and the file system; and
judging whether the program accessing the new file record and the file system is monitored.
6. The monitoring method for uninstallation as claimed in claim 5, wherein the input/output (I/O) operation comprises one of the group consisting of an open-file (Open File) operation, a delete-file (Delete File) operation and a rename (Rename) operation.
7. The monitoring method for uninstallation as claimed in claim 6, wherein if the input/output (I/O) operation is the open-file (Open File) operation, a step is added of analyzing whether an access right of the operation is a destructive operation.
8. The monitoring method for uninstallation as claimed in claim 7, wherein the destructive operation refers to an operation that makes any change to the content of the opened file.
9. The monitoring method for uninstallation as claimed in claim 1, wherein monitoring the input/output (I/O) operations of the installation program on the new registry record further comprises the following steps:
replacing the addresses of the registry record and the new registry record;
intercepting the input/output (I/O) operations on the new registry record; and
judging whether the input/output (I/O) operation modifies the new registry record.
10. The monitoring method for uninstallation as claimed in claim 1, wherein backing up the content of the new registry record comprises:
storing the original data of the new registry record; and
storing the content of the input/output (I/O) operation.
11. The monitoring method for uninstallation as claimed in claim 1, wherein intercepting the system start-up function of the computer further comprises the following steps:
reading the jump (Jump) command under the installation program; and
converting the jump address in the jump (Jump) command into the address of an interception function.
12. The monitoring method for uninstallation as claimed in claim 1, wherein converting data from Ring0 layer access rights to Ring3 layer access rights further comprises the following steps:
reading a process (Process) of the Ring3 layer, and converting it into a TDB address; and
reading the identification code (ID) of the Ring0 layer corresponding to the process, and judging whether it is the same as the identification code of the process.
CNB011033460A 2001-02-01 2001-02-01 Monitor method for reverse mounting Expired - Fee Related CN1173269C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011033460A CN1173269C (en) 2001-02-01 2001-02-01 Monitor method for reverse mounting

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB011033460A CN1173269C (en) 2001-02-01 2001-02-01 Monitor method for reverse mounting

Publications (2)

Publication Number Publication Date
CN1368679A (en) 2002-09-11
CN1173269C CN1173269C (en) 2004-10-27

Family

ID=4653224

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011033460A Expired - Fee Related CN1173269C (en) 2001-02-01 2001-02-01 Monitor method for reverse mounting

Country Status (1)

Country Link
CN (1) CN1173269C (en)

Also Published As

Publication number Publication date
CN1173269C (en) 2004-10-27

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20041027

Termination date: 20110201