WO2012152210A1 - Method and device for executing file operation - Google Patents


Info

Publication number
WO2012152210A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
routine
path
request
kernel
Prior art date
Application number
PCT/CN2012/075145
Other languages
French (fr)
Chinese (zh)
Inventor
王宇
潘剑锋
Original Assignee
北京奇虎科技有限公司


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • the present application relates to the technical field of file penetration (performing file operations that pass through the filter driver stack), and in particular to a method of performing file operations and an apparatus for performing file operations.
  • Background technique
  • the caller 101 calls the kernel interface layer 102, the kernel interface layer 102 calls the kernel execution layer 103, the kernel execution layer 103 calls the file object parsing routine 104, the file object parsing routine 104 calls the top-level filter driver A 105, and the filter drivers call downward layer by layer until the bottom filter driver N 106 is reached; the bottom filter driver N 106 then calls the file system lower layer device 107.
  • the caller 101 and the kernel interface layer 102 belong to the operating system user mode;
  • the kernel execution layer 103, the file object parsing routine 104, the top-level filter driver A 105, the bottom filter driver N 106, and the file system lower layer device 107 belong to the operating system kernel mode.
  • the bottom filter driver N 106 is the lowest filter driver in the stack, directly above the file system lower layer device.
  • a processing mechanism for file penetration operations is proposed, which provides countermeasures not only in operating system user mode but also in operating system kernel mode, to enhance the ability to contend with driver-level malicious programs.
  • One of the purposes of the present application is to provide a method of performing file operations, to enhance the ability to contend with malicious programs and to avoid the potential incompatibility between security software products caused by interference with file operations.
  • the present application also provides an apparatus for performing file operations to ensure the practical application and implementation of the above method.
  • the embodiment of the present application discloses a method for executing a file operation, including: Obtaining a file operation request, where the request includes a caller input parameter, where the input parameter includes a file path;
  • the step of searching for a corresponding file object parsing routine in the object manager according to the file path specifically includes the following sub-steps:
  • Sub-step S1: determining whether the file path has been completely disassembled; if not, executing sub-step S2; if yes, performing sub-step S4;
  • Sub-step S2: disassembling the next path segment to be disassembled in the file path according to the path separator;
  • Sub-step S3: using the currently disassembled path segment to search in the object manager, to determine whether there is a corresponding file object routine; if yes, returning to sub-step S1; if not, performing sub-step S5;
  • Sub-step S4: obtaining the file object parsing routine corresponding to the file path;
  • Sub-step S5: returning information that the corresponding file object parsing routine is not found.
  • the caller input parameter has a user mode address; and before the file object parsing routine is searched, the method further includes:
  • the I/O request packet includes file operation information extracted from the file operation request, and after sending the I/O request packet to the original address of the preset file system lower device, the method further includes:
  • the corresponding file operation is continued by the lower layer device of the file system according to the file operation information.
  • before acquiring the file operation request, the method further includes:
  • the caller initiates a file operation request, and invokes a corresponding file operation interface routine; wherein the request includes a caller input parameter, and the input parameter includes a file path;
  • the kernel state structure parameter is constructed according to the type of the system platform, and a corresponding file operation control code is generated according to the kernel state structure parameter, and the file operation control code is sent to the operating system kernel state driver.
  • the method further includes:
  • the file operation interface routine converts the ANSI-related parameters in the caller input parameters to the UNICODE type and calls the corresponding file operation interface wide-character routine.
  • the file operation interface routine includes a file creation routine FSCreateFile, and before continuing to perform the requested file operation by the file system lower layer device, the method further includes:
  • the method further includes:
  • the caller input parameter is verified according to the file operation request, and if the check passes, the step of finding the file object parsing routine is performed.
  • the file operation interface routine is consistent with the WINDOWS standard API, and the file operation interface routine further comprises: a file read routine FSReadFile, a file write routine FSWriteFile, a file attribute setting routine FSSetFileAttributes, a file attribute get routine FSGetFileAttributes, file pointer setting routine FSSetFilePointer, enhanced file pointer setting routine FSSetFilePointerEx, file size get routine FSGetFileSize, file delete routine FSDeleteFile, directory removal routine FSRemoveDirectory, handle close routine FSCloseHandle, first file find routine FSFindFirstFile, next file find routine FSFindNextFile, file find close routine FSFindClose, extended file attribute get routine FSGetFileAttributesEx, routine FSPathIsDirectory to determine whether the path is a directory, routine FSPathFileExists to determine whether the target file exists, long path get routine FSGetL
  • the control code comprises: a file creation operation control code FILE_IO_CREATE_FILE, a file read operation control code FILE_IO_READ_FILE, a file write operation control code FILE_IO_WRITE_FILE, a file query operation control code FILE_IO_QUERY_FILE, a file setting operation control code FILE_IO_SET_FILE and/or a file close preparation operation control code FILE_IO_PREPARE_CLOSE.
  • the embodiment of the present application further discloses an apparatus for executing file operations, including:
  • a kernel mode request obtaining module configured to obtain a file operation request, where the request includes a caller input parameter, where the input parameter includes a file path;
  • the kernel-mode object parsing module is configured to search for a corresponding file object parsing routine in the object manager according to the file path; if the corresponding file object parsing routine is found, the kernel-mode IRP generating and sending module is invoked;
  • the kernel mode IRP generates a sending module, configured to generate an I/O request packet according to the file object parsing routine, and send the I/O request packet to a preset original address of a file system lower layer device.
  • the kernel object parsing module specifically includes the following modules;
  • the file path disassembly module is configured to disassemble the path segment in the file path step by step according to the path separator;
  • the object manager search module is set to search the object manager with the currently disassembled path segment to find the corresponding file object routine.
  • the caller input parameter has a user mode address; the device further includes: a kernel address reconstruction module, configured to reconstruct the user state address to a kernel state memory space.
  • the device further includes:
  • the user mode request sending module is configured to initiate a file operation request by the caller, and invoke the corresponding file operation interface routine; wherein the request includes a caller input parameter, and the input parameter includes a file path;
  • the user mode control code sending module is configured to construct a kernel state structure parameter according to the type of the system platform, generate a corresponding file operation control code according to the kernel state structure parameter, and send the file operation control code to the operating system kernel state driver.
  • the device further includes:
  • the wide-character routine calling module is configured to convert the ANSI-related parameters in the caller input parameters to the UNICODE type and call the corresponding file operation interface wide-character routine.
  • the file operation interface routine includes a file creation routine FSCreateFile, and the device further includes:
  • the handle acquisition module is set to insert the newly created file object into the object manager and get the returned file handle.
  • the device further includes:
  • the kernel state parameter verification module is configured to check the caller input parameter according to the file operation request, and if the verification passes, the kernel object parsing module is called.
  • the embodiment of the present application further discloses a computer readable recording medium on which a program for executing a file operation is recorded, wherein the method for executing the file operation includes:
  • a complete set of file operation calling library is implemented in the operating system user-mode interface; the caller initiates a file operation request and invokes the corresponding file operation interface routine, and the operating system kernel-mode driver obtains and verifies the request from user mode and constructs a query data structure.
  • the query data structure is used to loop through the incoming file path, finally finding the object type maintained in the object manager. This process effectively counters hijacking in kernel mode.
  • the operating system kernel mode driver builds and populates the IRP request packet and sends it to the original address of the pre-determined file system lower device.
  • the third-party filter drivers on the file system call stack include other security software and driver-level malicious programs;
  • these filter drivers can be penetrated (bypassed), which effectively avoids the potential incompatibility between security software products caused by interference with file operations, and also enhances the ability to contend with driver-level malicious programs.
  • the file path parsing method used in the embodiment of the present application can also dynamically parse the target file path.
  • the DOS-Style file path format, drive letter, and file can be dynamically obtained by searching the object manager.
  • FIG. 1 is a schematic diagram of the file operation execution flow of an operating system;
  • FIG. 2 is a flow chart of the steps of Embodiment 1 of a file operation execution method of the present application;
  • FIG. 3 is a flow chart of the steps of searching for a corresponding file object parsing routine in the object manager according to the file path in the present application;
  • FIG. 4 is a first schematic diagram of a search in the object manager in a specific example of the present application;
  • FIG. 5 is a second schematic diagram of a search in the object manager in a specific example of the present application;
  • FIG. 6 is a third schematic diagram of a search in the object manager in a specific example of the present application;
  • FIG. 7 is a fourth schematic diagram of a search in the object manager in another specific example of the present application;
  • FIG. 8 is a fifth schematic diagram of a search in the object manager in another specific example of the present application;
  • FIG. 9 is a sixth schematic diagram of a search in the object manager in another specific example of the present application;
  • FIG. 10 is a flow chart of the steps of Embodiment 2 of the file operation execution method of the present application;
  • FIG. 11 is a schematic diagram of a file operation execution flow implemented by applying the embodiment of the present application;
  • FIG. 12 is a structural block diagram of an embodiment of an apparatus for executing a file operation according to the present application.
  • Detailed description
  • One of the core concepts of the embodiment of the present application is that a complete set of file operation calling library is implemented in the operating system user-mode interface; the caller initiates a file operation request and invokes the corresponding file operation interface routine, and the operating system kernel-mode driver obtains and verifies the request.
  • after the request from user mode is verified, the query data structure is constructed to cyclically parse the incoming file path, and finally the object type maintained in the object manager is found. This process effectively counters the danger of hijacking in kernel mode.
  • the operating system kernel mode driver builds and populates the IRP request packet and sends it to the original address of the pre-determined file system lower device.
  • Embodiment 1 of a file operation method of the present application may specifically include the following steps:
  • Step 201 Acquire a file operation request, where the request includes a caller input parameter, where the input parameter includes a file path.
  • the file includes a file of any type supported by the WINDOWS operating system, and the file operation is an atomic operation on the file or a combination of atomic operations; the atomic operations include: file create, file read, file write, file attribute set, file attribute get, file pointer set, file size get, file delete, directory remove, handle close, first file find, next file find, file find close, determine whether the path is a directory, determine whether the target file exists, long path get, short path get, path search, file copy, file move, and so on.
  • for example, an anti-virus operation on a file is a combination of atomic operations such as file read, first file find, next file find, file find close, file move, and so on.
  • Step 202 verifying the caller input parameter according to the file operation request, and if the verification passes, searching for a corresponding file object parsing routine in the object manager according to the file path;
  • the step of searching for a corresponding file object parsing routine in the object manager according to the file path may specifically include the following sub-steps:
  • Sub-step S1: determining whether the file path has been completely disassembled; if not, executing sub-step S2; if yes, performing sub-step S4;
  • Sub-step S2: disassembling the next path segment to be disassembled in the file path according to the path separator;
  • Sub-step S3: using the currently disassembled path segment to search in the object manager, to determine whether there is a corresponding file object routine; if yes, returning to sub-step S1; if not, executing sub-step S5;
  • Sub-step S4: obtaining the file object parsing routine corresponding to the file path;
  • Sub-step S5: returning information that the corresponding file object parsing routine is not found.
  • the OpenPacket structure for the object manager query may be pre-built, and the file path is disassembled step by step based on the path separator "\".
  • for example, the file path is: c:\a\b.txt
  • the path segment produced by the first disassembly is: c:
  • the path segment produced by the second disassembly is: c:\a
  • the path segment produced by the third disassembly is: c:\a\b.txt; that is, in the embodiment of the present application, the file path is resolved by means of recursive calls.
  • the Object Manager is a basic component of the Windows NT kernel. When Windows NT was designed, "object-oriented" design ideas had become popular, so the resources scattered around the operating system were abstracted and encapsulated as objects, providing a consistent access path for the various internal services.
  • the Object Manager is mainly used to implement the following functions: (1) provide a common, unified mechanism for using system resources; (2) segregate object protection into one unified area of the operating system, to achieve the C2 security level; (3) provide a mechanism to record the number of objects used by a process, so that restrictions can be imposed on the use of system resources; (4) establish a set of object naming schemes that makes it easier to integrate existing objects. The object manager maintains dozens of object types (Windows 2000 has 27 object types; Windows XP has 29), such as symbolic link (SymbolicLink), process (Process), thread (Thread), job (Job), file (File), event (Event), timer (Timer), and many more.
  • the object manager maintains a chained (zipper-style) object hash table, which is searched with the path segment obtained by each disassembly. If the corresponding object parsing routine (ParseProcedure) is found, the next path segment is disassembled and the object manager is searched again with the newly split segment appended to the previously disassembled segments. When the file path has been completely disassembled by this loop, the parse routine found in the object manager by the last search is the file object parsing routine corresponding to the current file path.
  • routines are collections of functional interfaces or services provided by a system externally.
  • the operating system's API, services, etc. are routines.
  • the object manager search diagrams shown in FIG. 4, FIG. 5, FIG. 6, FIG. 7, FIG. 8 and FIG. 9 are used to describe the application in detail by way of a specific example:
  • the operation of searching the object manager for a file path.
  • the file path is: c:\test\test.txt, where c: is a symbolic link (SymbolicLink), so the object manager search is essentially a symbolic link query process.
  • in the file path SystemRoot\System32\Drivers\ntfs.sys, SystemRoot is also a symbolic link;
  • its type is SymbolicLink and its additional information (the link target) is \Device\Harddisk0\Partition1\WINDOWS; the search then continues from the Device folder;
  • the path is split on the path separator "\". Every time a separator is found, a "factor" (path segment) is obtained and searched for.
  • if necessary (for example when a factor resolves to a symbolic link, as above), the object manager is searched again with the result of the previous search.
  • the file object parsing routine found is a function; because this function was registered for a certain factor, it knows how to handle that factor correctly.
  • the file path parsing method used in the embodiment of the present application can dynamically parse the target file path.
  • the correspondence between the DOS-style file path format, the drive letter, and the file system lower device objects can be dynamically obtained by searching the object manager, and thus the embodiment of the present application has the advantages of a wide application range and many applicable scenarios.
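The path-walking loop of sub-steps S1 to S5, the c:\a\b.txt walkthrough and the symbolic-link lookups above (c: and SystemRoot), simulated in Python as an added example; this is not code from the patent or from the applicant. The namespace table is constructed (a hand-picked subset of the NT object namespace) and the parse routine name volume_parse_routine is a placeholder. The example goes one step beyond the text in one respect: once a segment resolves to an object that registered a parse routine, the rest of the path is handed to that routine as the remaining name rather than looked up further in the object manager, which is how the NT object manager delegates to device objects. The hop counter is the check a practitioner would want, since two symbolic links pointing at each other would otherwise loop forever.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

SEPARATOR = "\\"
MAX_LINK_HOPS = 8   # guard against symbolic links that point at each other


@dataclass
class ObjectEntry:
    """One entry of the (constructed) object-manager hash table."""
    type_name: str                          # "Directory", "SymbolicLink" or "Device"
    target: Optional[str] = None            # link target, for SymbolicLink entries
    parse_routine: Optional[str] = None     # registered parse routine, for Device entries


# Constructed namespace: a hand-picked subset of the NT object namespace.
# "volume_parse_routine" is a placeholder name, not a real kernel routine.
NAMESPACE: dict[str, ObjectEntry] = {
    "\\??": ObjectEntry("Directory"),
    "\\??\\c:": ObjectEntry("SymbolicLink", target="\\Device\\HarddiskVolume1"),
    "\\??\\l:": ObjectEntry("SymbolicLink", target="\\??\\l:"),      # deliberate loop
    "\\SystemRoot": ObjectEntry("SymbolicLink", target="\\Device\\Harddisk0\\Partition1\\WINDOWS"),
    "\\Device": ObjectEntry("Directory"),
    "\\Device\\Harddisk0": ObjectEntry("Directory"),
    "\\Device\\Harddisk0\\Partition1": ObjectEntry("SymbolicLink", target="\\Device\\HarddiskVolume1"),
    "\\Device\\HarddiskVolume1": ObjectEntry("Device", parse_routine="volume_parse_routine"),
}


@dataclass
class ParseResult:
    parse_routine: Optional[str]        # None means sub-step S5: not found
    device_path: Optional[str]          # object-manager path of the device that owns the file
    remaining_name: str                 # part of the path handed to the parse routine
    steps: list[str] = field(default_factory=list)   # prefixes looked up, in order


def dos_to_nt(path: str) -> str:
    """A DOS-style path such as c:\\a\\b.txt lives under the \\?? directory."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return "\\??" + SEPARATOR + path
    return path


def find_parse_routine(path: str) -> ParseResult:
    """Sub-steps S1-S5: grow the prefix one segment at a time and look each prefix up."""
    segments = [s for s in dos_to_nt(path).split(SEPARATOR) if s]
    prefix, steps, hops, i = "", [], 0, 0
    while i < len(segments):                        # S1: not yet fully disassembled
        prefix += SEPARATOR + segments[i]           # S2: disassemble the next segment
        steps.append(prefix)
        entry = NAMESPACE.get(prefix)               # S3: search the object manager
        if entry is None:
            return ParseResult(None, None, "", steps)   # S5: not found
        if entry.type_name == "SymbolicLink":
            # Re-search with the link target substituted for the prefix consumed so far.
            hops += 1
            if hops > MAX_LINK_HOPS:
                raise ValueError(f"symbolic link loop while resolving {path!r}")
            segments = [s for s in entry.target.split(SEPARATOR) if s] + segments[i + 1:]
            prefix, i = "", 0
            continue
        if entry.parse_routine is not None:
            # Delegation: the device's parse routine receives the remaining name.
            return ParseResult(entry.parse_routine, prefix,
                               SEPARATOR.join(segments[i + 1:]), steps)
        i += 1
    # S4: path fully disassembled, but the final object registered no parse routine.
    return ParseResult(None, None, "", steps)


if __name__ == "__main__":
    for p in ("c:\\a\\b.txt", "\\SystemRoot\\System32\\Drivers\\ntfs.sys", "z:\\x"):
        r = find_parse_routine(p)
        print(p, "->", r.parse_routine, r.device_path, repr(r.remaining_name), r.steps)
```

Running the block prints, for c:\a\b.txt, the four prefixes that were looked up (\??, \??\c:, \Device, \Device\HarddiskVolume1), the device that owns the file and the remaining name a\b.txt that its parse routine receives.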
  • Step 203: If a corresponding file object parsing routine is found, generating an I/O request packet according to the file object parsing routine, and sending it to the preset original address of the file system lower layer device.
  • the file object parsing routine (Parse Routine) is implemented similarly to the system's IoParseDevice routine (a simulated implementation of it): it internally builds and populates the I/O Request Packet (IRP) and sends it to the lower layer of the file system.
  • IRP: I/O Request Packet.
  • an IRP is sent to communicate with a driver.
  • the IRP data structure is used not only to describe the contents of an I/O request itself, but also to maintain state information about the request as it passes through a series of drivers. That is to say, an IRP can be defined as the place where the I/O system stores the information needed to process an I/O request.
  • the I/O Manager constructs an IRP to represent the request while the I/O system processes it.
  • the original address of the file system lower layer device may be set when the system is initialized.
  • third-party filter drivers (other security software, driver-level malicious programs) are bypassed, which avoids the potential incompatibility between security software products caused by interference with file operations, and also enhances the ability to contend with driver-level malicious programs.
  • the I/O request packet includes file operation information extracted from the file operation request, and after the I/O request packet (IRP) is sent to the original address of the preset file system lower device, the file system lower layer device continues to perform the corresponding file operation according to the file operation information. Specifically, from the time the IRP is sent to the device object of the file system until the data is written to the hard disk, it goes through a series of complicated processing. Generally, the request also passes through the volume snapshot driver (Volsnap.sys), the volume manager, the partition manager, the disk class driver and the port driver in turn, down to a miniport driver such as Aha154x.sys, and the miniport driver ultimately determines the corresponding offset to write on the disk or tape drive.
  • volume management introduces the concept of dynamic volumes, which allows Windows to create multi-partition volumes (such as mirrored volumes, striped volumes, RAID-5 volumes, etc.); the volume manager redirects each request to the appropriate offset on the target volume according to the actual configuration.
  • the Partition Manager is responsible for notifying the Plug and Play Manager which partitions are currently in place, as well as their status (create, delete, etc.).
  • the disk class driver implements the functions common to all disks, while the port driver handles bus-specific characteristics; for example, the SCSI (Small Computer System Interface) port driver handles the characteristics of disks on the SCSI bus.
  • the miniport driver is specific to a particular vendor's hardware, and such drivers are usually provided by the vendor itself. In general, each layer receives the request from the layer above it through its own interface, finds the corresponding sector offset on the target device, and creates, writes or deletes data according to the "view" that it sees.
  • Referring to FIG. 10, the steps of Embodiment 2 of a method for executing file operations of the present application are shown; the flow may specifically include:
  • Step 401 Load a file operation interface routine, and initialize an original address of a file system lower layer device;
  • the file operation interface routine includes: a file creation routine FSCreateFile, a file read routine FSReadFile, a file write routine FSWriteFile, a file attribute setting routine FSSetFileAttributes, a file attribute acquisition routine FSGetFileAttributes, file pointer setting routine FSSetFilePointer, enhanced file pointer setting routine FSSetFilePointerEx, file size get routine FSGetFileSize, file delete routine FSDeleteFile, directory removal routine FSRemoveDirectory, handle close routine FSCloseHandle, first file find routine FSFindFirstFile, next file find routine FSFindNextFile, file find close routine FSFindClose, extended file attribute get routine FSGetFileAttributesEx, routine FSPathIsDirectory to determine whether the path is a directory, routine FSPathFileExists to determine whether the target file exists, long path get routine FSGetL
  • Each of the above routines includes a narrow character routine and a wide character routine, such as FSCreateFile, including the narrow character routine FSCreateFileA and the wide character routine FSCreateFileW.
  • Step 402 The caller initiates a file operation request, and invokes a corresponding file operation interface routine.
  • the request includes a caller input parameter, where the input parameter includes a file path and a user state address.
  • the caller process initiates a file creation request for FSCreateFileA.
  • Step 403 The user mode part of the file operation interface routine converts the ANSI related parameter in the caller input parameter into a UNICODE type, and invokes a corresponding file operation interface wide character routine;
  • FSCreateFileA converts the ANSI related parameters in the caller input parameters to UNICODE type and calls the corresponding file operation interface wide character routine FSCreateFileW.
  • Step 404 Construct a kernel state structure parameter according to the type of the system platform, generate a corresponding file operation control code according to the kernel state structure parameter, and send the file operation control code to the kernel mode driver of the operating system;
  • the control codes corresponding to the file operation interface routines include: a file creation operation control code FILE_IO_CREATE_FILE, a file read operation control code FILE_IO_READ_FILE, a file write operation control code FILE_IO_WRITE_FILE, a file query operation control code FILE_IO_QUERY_FILE, a file setting operation control code FILE_IO_SET_FILE and/or a file close preparation operation control code FILE_IO_PREPARE_CLOSE.
  • a control code is a unified identifier agreed between the operating system user mode and the kernel-mode driver for their communication.
  • FSCreateFileW constructs the structure parameters according to the system platform type (32-bit, 64-bit, or 32-bit compatibility mode), sends the control code FILE_IO_CREATE_FILE and waits for the return.
  • FSCreateFileW can also handle malformed file names and file paths, and is where the parameter conversion operations are actually performed.
  • the input and output buffers can be transmitted in METHOD_BUFFERED mode when the operating system user mode and the kernel-mode driver communicate.
  • the METHOD_BUFFERED method works as follows: a system buffer is first allocated, with a size equal to the larger of the input buffer and the output buffer, and the input buffer is copied into it. The driver reads its input from this buffer and, before returning, copies the return data into the same buffer and places the returned length in the IO_STATUS_BLOCK; the I/O manager then copies the data to the caller's output buffer.
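The control-code construction and the METHOD_BUFFERED buffer handling described above, as an added Python example that is not code from the patent or from the applicant: it encodes and decodes control codes with the CTL_CODE field layout used by Windows drivers and simulates the copy-in/copy-out that METHOD_BUFFERED implies. The FILE_IO_* names are the ones the description uses, but their function numbers (0x800 and up, the range reserved for third-party drivers), the FILE_DEVICE_UNKNOWN device type and the upper-casing dispatch routine are choices made for this example; a real user-mode caller would hand the code to DeviceIoControl rather than to a Python function.

```python
from __future__ import annotations
from typing import Callable, Tuple

# Windows WDK constants (real values).
METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER = 0, 1, 2, 3
FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0, 1, 2
FILE_DEVICE_UNKNOWN = 0x22              # device type commonly used by software-only drivers
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same layout as the CTL_CODE macro: DeviceType<<16 | Access<<14 | Function<<2 | Method."""
    if not (0 <= function <= 0xFFF and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("control code field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code: int) -> dict:
    """Split a control code back into its fields (handy when reviewing a driver's dispatch table)."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


# Placeholder numbering for the control codes named in the description
# (function numbers chosen for this example, not taken from the patent).
FILE_IO_CREATE_FILE = ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
FILE_IO_READ_FILE = ctl_code(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
FILE_IO_WRITE_FILE = ctl_code(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)

# handler(system_buffer, input_length, output_length) -> (status, information)
Handler = Callable[[bytearray, int, int], Tuple[int, int]]


def buffered_ioctl(input_data: bytes, output_capacity: int, handler: Handler) -> Tuple[int, bytes]:
    """Simulate the I/O manager's METHOD_BUFFERED handling around a driver's dispatch routine."""
    # One system buffer, sized to the larger of the input and output buffers; input copied in.
    system_buffer = bytearray(max(len(input_data), output_capacity))
    system_buffer[:len(input_data)] = input_data
    # The driver reads its input from the system buffer and writes its output over it;
    # 'information' is the returned length it places in the IO_STATUS_BLOCK.
    status, information = handler(system_buffer, len(input_data), output_capacity)
    if information > output_capacity:
        # A driver must never report more bytes than the caller's output buffer can hold.
        raise ValueError("driver reported more output than the output buffer holds")
    # The I/O manager copies 'information' bytes back to the caller's output buffer.
    return status, bytes(system_buffer[:information])


def uppercase_handler(system_buffer: bytearray, in_len: int, out_len: int) -> Tuple[int, int]:
    """Constructed dispatch routine: echoes the input path upper-cased, truncated to the output size."""
    n = min(in_len, out_len)
    system_buffer[:n] = bytes(system_buffer[:n]).upper()
    return 0, n                                   # 0 = STATUS_SUCCESS


if __name__ == "__main__":
    print(hex(FILE_IO_CREATE_FILE), decode_ctl_code(FILE_IO_CREATE_FILE))
    print(buffered_ioctl(b"c:\\a\\b.txt", 64, uppercase_handler))
```

The truncation in uppercase_handler and the length check in buffered_ioctl are the two places where the driver's and the I/O manager's responsibilities meet: the dispatch routine must honour the caller's output length, and the returned Information value is what decides how many bytes reach user mode.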
  • Step 405: The operating system kernel-mode driver obtains the file operation request, verifies the caller input parameters, and captures (reconstructs) the user-mode address into the kernel-mode memory space;
  • the kernel part of the FSCreateFileW routine will execute the steps and process the corresponding caller input parameters in the kernel state memory space.
  • Step 406 If the input parameter verification is passed, searching for a corresponding file object parsing routine in the object manager according to the file path;
  • Step 407 If the corresponding file object parsing routine is found, the I/O request packet is generated according to the file object parsing routine, and sent to the original address of the preset file system lower layer device.
  • the kernel part of FSCreateFileW verifies the user-mode parameters, builds the OpenPacket structure, loops through the file path format, and searches the chained object hash table maintained by the object manager.
  • the path separator "\" is used to disassemble the input file path, and each detached path part is searched for in the chained object hash table maintained by the object manager to find the corresponding ParseProcedure, that is, the object's Parse Routine. The Parse Routine internally builds and populates the IRP request packet and sends it to the original address of the file system's underlying device to complete the file penetration creation process.
  • the filter drivers in between (other security software, driver-level malicious programs) are thereby bypassed.
  • the newly created object can also be inserted into the hash structure of the object manager through the ObInsertObject routine, and the returned file handle is obtained.
  • the kernel can also synchronously return the handle information and the call result to user mode. If the call fails, the user-mode interface can set the corresponding error code, so that the caller thread can obtain detailed error information through the GetLastError routine.
  • Referring to FIG. 11, the caller 111 invokes the driver interface layer 112 implemented in this embodiment instead of calling the kernel interface layer 113 of the prior art;
  • the driver interface layer 112 calls the simulated kernel execution layer to check the caller input parameters 114; after the caller input parameters pass verification, the object manager is searched to parse the file path in a loop 115, the object parsing routine is obtained 116, and the IRP is constructed and sent to the original address of the file system lower layer device 117;
  • after the IRP is sent to the file system lower layer device 121, the file system lower layer device 121 performs the operation requested by the IRP.
  • Referring to FIG. 12, a structural block diagram of an embodiment of a file operation execution apparatus of the present application is shown, which may specifically include the following modules:
  • the kernel state request obtaining module 121 is configured to obtain a file operation request, where the request includes a caller input parameter, where the input parameter includes a file path;
  • the kernel state parameter verification module 122 is configured to verify the caller input parameter according to the file operation request, and if the verification passes, call the kernel object parsing module 123;
  • the kernel state object parsing module 123 is configured to find a corresponding file object parsing routine in the object manager according to the file path; if the corresponding file object parsing routine is found, the kernel IRP generating sending module 124 is invoked;
  • the kernel state IRP generation sending module 124 is configured to generate an I/O request packet according to the file object parsing routine, and send the I/O request packet to a preset address of a preset file system lower layer device.
  • the kernel object parsing module 123 may specifically include the following modules;
  • the file path disassembly module is configured to disassemble the path segment in the file path step by step according to the path separator;
  • the object manager search module is set to search the object manager with the currently disassembled path segment to find the corresponding file object routine.
  • the caller input parameter has a user mode address; the device may further include:
  • the kernel address reconstruction module is configured to reconstruct the user state address to the kernel state memory space.
  • the following modules may also be included:
  • the user mode request sending module is configured to initiate a file operation request by the caller, and invoke the corresponding file operation interface routine; wherein the request includes a caller input parameter, and the input parameter includes a file path;
  • the user mode control code sending module is configured to construct a kernel state structure parameter according to the type of the system platform, generate a corresponding file operation control code according to the kernel state structure parameter, and send the file operation control code to the operating system kernel state driver.
  • the wide-character routine calls the module, which is set to convert the ANSI-related parameters in the caller's input parameters to the UNICODE type, and call the corresponding file operation interface wide-character routine.
  • the file operation interface routine may include a file creation routine FSCreateFile, and the device may further include the following module: a handle acquisition module, configured to insert a newly created file object to Object Manager, and get the returned file handle.
  • the device embodiment basically corresponds to the foregoing method embodiments shown in FIG. 1 , FIG. 2 and FIG. 3 , the description of the embodiment is not exhaustive, and reference may be made to the related description in the foregoing embodiment. I won't go into details.
  • the embodiment of the present application further discloses a computer readable recording medium on which a program for executing an execution method of a file operation is recorded, wherein the execution method of the file operation may include the following steps:
  • the computer readable recording medium includes any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer).
  • a machine-readable medium includes read-only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash storage media, and electrical, optical, acoustic or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.).
  • the application can be arranged in numerous general purpose or special purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics devices, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like.
  • the application can be described in the general context of computer-executable instructions executed by a computer, such as a program module.
  • program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular types of abstract data.
  • the present application can also be practiced in a distributed computing environment where tasks are performed by remote processing devices that are connected through a communication network.
  • program modules can be located in both local and remote computer storage media including storage devices.

Abstract

Provided in the present application is a method for executing a file operation, comprising: acquiring a file operation request, where the request comprises caller input parameters and the input parameters comprise a file path; searching the object manager for a file object parse routine on the basis of the file path; and, if a corresponding file object parse routine is found, generating an I/O request packet on the basis of the file object parse routine and transmitting it to the original address of a preconfigured file system lower-layer device. The present application strengthens the ability to counter driver-level malicious programs and avoids the potential incompatibility between security software products caused by interference with file operations.

Description

Method and device for executing file operation
Technical field
The present application relates to the technical field of file penetration, and in particular to a method for executing file operations and an apparatus for executing file operations.
Background art
When faced with complex problems, people often use a divide-and-conquer approach to partition and narrow the scope of the problem, and the same is true in operating system design. The Windows operating system solves complex problems through a layered design, an approach that brings advantages such as portability and extensibility. However, because the design theory has security deficiencies (for example, the lack of an integrity-checking mechanism), the other side of high extensibility is that the system offers many opportunities for tampering. Taking the design of the file system as an example, the layered structure of the file call stack means that there is a risk of the data flow being tampered with along the call chain. For this reason, ensuring that its own file operations are genuine and trustworthy has become an inescapable requirement for security software.
Referring to the schematic diagram of the operating system file operation execution flow shown in FIG. 1, a file operation is executed by way of the following layered calls:
The caller 101 calls the kernel interface layer 102, the kernel interface layer 102 calls the kernel execution layer 103, the kernel execution layer 103 calls the file object parse routine 104, the file object parse routine 104 calls the filter driver a 105, the top-level filter driver calls downward layer by layer until the bottom-level filter driver N 106 is reached, and the bottom-level filter driver N 106 calls the file system lower-layer device 107. The caller 101 and the kernel interface layer 102 belong to operating system user mode; the kernel execution layer 103, the file object parse routine 104, the top-level filter driver a 105, the bottom-level filter driver N 106 and the file system lower-layer device 107 belong to operating system kernel mode.
From the operating system's perspective, the file operation execution flow has the following potential tampering points:
1) user-mode IAT Hook (Import Address Table Hook) / EAT Hook (Export Address Table Hook) in the kernel interface layer; 2) user-mode Inline Hook in the kernel interface layer;
3) Int 2E (interrupt) / SysEnter Hook (hook of the user-mode to kernel-mode transition) when the kernel interface layer calls the kernel execution layer;
4) Native API SSDT Hook (System Service Dispatch Table Hook) in the kernel execution layer;
5) Native API Inline Hook in the kernel execution layer;
6) Object Parse Routine Hook of the file object parse routine;
7) acquisition of the top-level filter driver position at the top-level filter driver a;
8) acquisition of the bottom-level filter driver position at the bottom-level filter driver N.
Although traditional security software vendors are aware of the many ways in which file operation calls can be hijacked, most existing solutions consider only the hijacking risk in operating system user mode and often show a certain lack of capability in the kernel-mode contest, so their ability to counter driver-level malicious programs (rootkits) is relatively weak.
Therefore, a technical problem that urgently needs to be solved by those skilled in the art is to propose a processing mechanism for file penetration operations that provides not only user-mode but also kernel-mode protection, so as to strengthen the ability to counter driver-level malicious programs and to avoid the potential incompatibility between security software products caused by interference with file operations.
Summary of the invention
One object of the present application is to provide a method for executing file operations, so as to strengthen the ability to counter driver-level malicious programs and to avoid the potential incompatibility between security software products caused by interference with file operations.
The present application also provides an apparatus for executing file operations, to ensure the practical application and implementation of the above method.
In order to solve the above problem, an embodiment of the present application discloses a method for executing a file operation, including: obtaining a file operation request, where the request includes caller input parameters and the input parameters include a file path;
searching the object manager for the corresponding file object parse routine according to the file path; and, if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending the I/O request packet to the original address of a preset file system lower-layer device.
Preferably, the step of searching the object manager for the corresponding file object parse routine according to the file path specifically includes the following sub-steps:
Sub-step S1: determine whether the file path has been completely disassembled; if not, execute sub-step S2; if so, execute sub-step S4;
Sub-step S2: disassemble the next path segment to be disassembled from the file path according to the path separator;
Sub-step S3: search the object manager using the currently disassembled path segment and determine whether a corresponding file object routine exists; if so, return to sub-step S1; if not, execute sub-step S5;
Sub-step S4: obtain the file object parse routine corresponding to the file path;
Sub-step S5: return information that no corresponding file object parse routine was found.
Preferably, the caller input parameters have a user-mode address, and before searching for the file object parse routine the method further includes:
reconstructing the user-mode address into kernel-mode memory space.
Preferably, the I/O request packet includes file operation information extracted from the file operation request, and after sending the I/O request packet to the original address of the preset file system lower-layer device, the method further includes:
the file system lower-layer device continuing to execute the corresponding file operation according to the file operation information.
Preferably, before obtaining the file operation request, the method further includes:
the caller initiating a file operation request and calling the corresponding file operation interface routine, where the request includes caller input parameters and the input parameters include a file path; and constructing a kernel-mode structure parameter according to the type of the system platform, generating the corresponding file operation control code according to the kernel-mode structure parameter, and sending the file operation control code to the operating system kernel-mode driver.
Preferably, before constructing the kernel-mode structure parameter, the method further includes:
the file operation interface routine converting the ANSI-related parameters among the caller input parameters to the UNICODE type and calling the corresponding wide-character file operation interface routine.
Preferably, the file operation interface routine includes a file creation routine FSCreateFile, and before the file system lower-layer device continues to execute the requested file operation, the method further includes:
inserting the newly created file object into the object manager and obtaining the returned file handle. Preferably, the method further includes:
verifying the caller input parameters according to the file operation request and, if the verification passes, executing the step of searching for the file object parse routine.
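The address reconstruction and parameter verification described above (capturing the caller's user-mode path into kernel memory and checking it before the object manager lookup), as an added C example that is not code from the patent or its applicant. The request layout, the KPATH_MAX bound, the simulated user address range and the status codes are assumptions made for this example; a real Windows driver would probe the pointer with the kernel's own routines rather than the simulated range check. The order of operations is the point: copy the user data once, then validate only the kernel copy, so that nothing user mode changes after the check can affect what the driver parses:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KPATH_MAX 260   /* assumed bound for the kernel copy of the path */

/* Request as the user-mode library hands it to the kernel-mode driver.
 * Constructed layout for this example; the patent does not define one. */
struct file_request {
    uint32_t    operation;  /* file operation control code that was sent */
    const char *user_path;  /* user-mode address of the path string */
    uint32_t    user_len;   /* bytes at user_path, including the NUL */
};

/* The reconstructed, kernel-owned copy the rest of the driver works on. */
struct kernel_request {
    uint32_t operation;
    char     path[KPATH_MAX];
};

enum capture_status {
    CAPTURE_OK = 0,
    CAPTURE_BAD_POINTER,   /* address is not inside user space */
    CAPTURE_BAD_LENGTH,    /* zero, or larger than the kernel buffer */
    CAPTURE_BAD_STRING     /* not NUL-terminated, or a NUL in the middle */
};

/* Simulated user-mode address range (assumption for the example). A real
 * driver uses the kernel's own probe, e.g. ProbeForRead on Windows. */
static uintptr_t g_user_lo, g_user_hi;

static void set_user_range(const void *base, size_t size)
{
    g_user_lo = (uintptr_t)base;
    g_user_hi = g_user_lo + size;
}

static int user_range_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p;
    return g_user_hi != 0 && a >= g_user_lo && a <= g_user_hi && n <= g_user_hi - a;
}

/* Reconstruct the user-mode path into kernel memory and verify it. Every
 * check after the memcpy runs on out->path, never on req->user_path, so a
 * second thread in the caller cannot swap the bytes between check and use. */
static enum capture_status capture_request(const struct file_request *req,
                                           struct kernel_request *out)
{
    uint32_t len = req->user_len;                 /* read the length once */
    if (len == 0 || len > KPATH_MAX) return CAPTURE_BAD_LENGTH;
    if (req->user_path == NULL || !user_range_ok(req->user_path, len))
        return CAPTURE_BAD_POINTER;
    memcpy(out->path, req->user_path, len);       /* the single fetch */
    if (out->path[len - 1] != '\0') return CAPTURE_BAD_STRING;
    if (strlen(out->path) != len - 1) return CAPTURE_BAD_STRING;
    out->operation = req->operation;
    return CAPTURE_OK;
}

int main(void)
{
    char user_mem[64] = "c:\\a\\b.txt";           /* constructed "user" buffer */
    struct kernel_request k;
    struct file_request req = { 1u, user_mem, 11u };
    set_user_range(user_mem, sizeof user_mem);
    printf("capture -> %d, path=%s\n", (int)capture_request(&req, &k), k.path);
    req.user_len = 5;                             /* length cuts the string short */
    printf("short length -> %d\n", (int)capture_request(&req, &k));
    return 0;
}
```

The same pattern applies to every pointer-carrying field of the request; validating the user buffer in place and then copying it would leave a window in which the caller can rewrite the path after it passed the check.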
Preferably, the file operation interface routines are consistent with the standard WINDOWS API, and the file operation interface routines further include: a file read routine FSReadFile, a file write routine FSWriteFile, a file attribute setting routine FSSetFileAttributes, a file attribute retrieval routine FSGetFileAttributes, a file pointer setting routine FSSetFilePointer, an extended file pointer setting routine FSSetFilePointerEx, a file size retrieval routine FSGetFileSize, a file deletion routine FSDeleteFile, a directory removal routine FSRemoveDirectory, a handle close routine FSCloseHandle, a first file search routine FSFindFirstFile, a next file search routine FSFindNextFile, a file search close routine FSFindClose, an extended file attribute retrieval routine FSGetFileAttributesEx, a routine FSPathIsDirectory for determining whether a path is a directory, a routine FSPathFileExists for determining whether a target file exists, a long path retrieval routine FSGetLongPathName, a short path retrieval routine FSGetShortPathName, a path search routine FSSearchPath, an extended file size retrieval routine FSGetFileSizeEx, a file copy routine FSCopyFile, a file move routine FSMoveFile and/or an extended file move routine FSMoveFileEx.
Preferably, the control codes include: a file creation operation control code FILE_IO_CREATE_FILE, a file read operation control code FILE_IO_READ_FILE, a file write operation control code FILE_IO_WRITE_FILE, a file query operation control code FILE_IO_QUERY_FILE, a file setting operation control code FILE_IO_SET_FILE and/or a file close preparation operation control code FILE_IO_PREPARE_CLOSE. An embodiment of the present application further discloses an apparatus for executing a file operation, including:
a kernel-mode request obtaining module, configured to obtain a file operation request, where the request includes caller input parameters and the input parameters include a file path;
a kernel-mode object parsing module, configured to search the object manager for the corresponding file object parse routine according to the file path and, if the corresponding file object parse routine is found, to call the kernel IRP generating and sending module;
a kernel-mode IRP generating and sending module, configured to generate an I/O request packet according to the file object parse routine and send the I/O request packet to the original address of a preset file system lower-layer device.
Preferably, the kernel object parsing module specifically includes the following modules:
a file path disassembly module, configured to disassemble the path segments of the file path one level at a time according to the path separator;
an object manager search module, configured to search the object manager with the currently disassembled path segment in order to find the corresponding file object routine.
Preferably, the caller input parameters have a user-mode address, and the apparatus further includes: a kernel address reconstruction module, configured to reconstruct the user-mode address into kernel-mode memory space. Preferably, the apparatus further includes:
a user-mode request sending module, configured to initiate a file operation request by the caller and call the corresponding file operation interface routine, where the request includes caller input parameters and the input parameters include a file path;
a user-mode control code sending module, configured to construct a kernel-mode structure parameter according to the type of the system platform, generate the corresponding file operation control code according to the kernel-mode structure parameter, and send the file operation control code to the operating system kernel-mode driver.
Preferably, the apparatus further includes: a wide-character routine calling module, configured to convert the ANSI-related parameters among the caller input parameters to the UNICODE type and call the corresponding wide-character file operation interface routine.
Preferably, the file operation interface routine includes a file creation routine FSCreateFile, and the apparatus further includes:
a handle acquisition module, configured to insert the newly created file object into the object manager and obtain the returned file handle.
Preferably, the apparatus further includes:
a kernel-mode parameter verification module, configured to verify the caller input parameters according to the file operation request and, if the verification passes, to call the kernel object parsing module. An embodiment of the present application further discloses a computer readable recording medium on which a program for executing a method for executing a file operation is recorded, where the method for executing a file operation includes:
obtaining a file operation request, where the request includes caller input parameters and the input parameters include a file path;
searching the object manager for the corresponding file object parse routine according to the file path; and, if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the original address of a preset file system lower-layer device. Compared with the prior art, the present application has the following advantages:
A complete file operation call library is implemented at the operating system user-mode interface: the caller initiates a file operation request and calls the corresponding file operation interface routine; the operating system kernel-mode driver obtains and verifies the request from user mode, constructs a query data structure to parse the incoming file path in a loop, and finally finds the object type maintained in the object manager. This process effectively counters the risk of kernel-mode hijacking. Thereafter, the operating system kernel-mode driver constructs and fills an IRP request packet and sends it to the predetermined original address of the file system lower-layer device; at this point the third-party filter drivers on the file system call stack, including other security software and driver-level malicious programs, can be penetrated, which both effectively avoids the potential incompatibility with other security software caused by interference with file operations and strengthens the ability to counter driver-level malicious programs.
The file path parsing method adopted in the embodiments of the present application can also resolve the target file path dynamically; for example, for a dynamically mapped network disk drive, searching the object manager dynamically yields the correspondence between the DOS-style file path format, the drive letter and the file system lower-layer device object, so the embodiments of the present application also have the advantages of a wide range of application and many applicable scenarios.
Brief description of the drawings
FIG. 1 is a schematic diagram of an operating system file operation execution flow;
FIG. 2 is a flow chart of the steps of Embodiment 1 of a method for executing a file operation according to the present application; FIG. 3 is a flow chart of the steps of searching the object manager for the corresponding file object parse routine according to the file path in the present application;
FIG. 4 is a first schematic diagram of searching in the object manager in a specific example of the present application;
FIG. 5 is a second schematic diagram of searching in the object manager in a specific example of the present application;
FIG. 6 is a third schematic diagram of searching in the object manager in a specific example of the present application;
FIG. 7 is a fourth schematic diagram of searching in the object manager in another specific example of the present application;
FIG. 8 is a fifth schematic diagram of searching in the object manager in another specific example of the present application;
FIG. 9 is a sixth schematic diagram of searching in the object manager in another specific example of the present application;
FIG. 10 is a flow chart of the steps of Embodiment 2 of a method for executing a file operation according to the present application; FIG. 11 is a schematic diagram of a file operation execution flow implemented by applying an embodiment of the present application;
FIG. 12 is a structural block diagram of an embodiment of an apparatus for executing a file operation according to the present application.
Detailed description
To make the above objects, features and advantages of the present application clearer and easier to understand, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
One of the core concepts of the embodiments of the present application is that a complete file operation call library is implemented at the operating system user-mode interface: the caller initiates a file operation request and calls the corresponding file operation interface routine; the operating system kernel-mode driver obtains and verifies the request from user mode, constructs a query data structure to parse the incoming file path in a loop, and finally finds the object type maintained in the object manager. This process effectively counters the risk of kernel-mode hijacking. Thereafter, the operating system kernel-mode driver constructs and fills an IRP request packet and sends it to the predetermined original address of the file system lower-layer device; at this point the third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) are penetrated (bypassed). In short, the present application establishes a new, trusted file operation execution path that can pass through the filter drivers, thereby effectively avoiding the risks present on the file execution path of a traditional operating system.
Referring to FIG. 2, a flow chart of the steps of Embodiment 1 of a method for executing a file operation according to the present application is shown, which may specifically include the following steps:
Step 201: obtain a file operation request, where the request includes caller input parameters and the input parameters include a file path;
It should be noted that, in the embodiments of the present application, the file includes files of the types supported by the WINDOWS operating system, and the file operation refers to an atomic operation on a file or a combination of atomic operations, where the atomic operations include: file creation, file reading, file writing, file attribute setting, file attribute retrieval, file pointer setting, file size retrieval, file deletion, directory removal, handle closing, first file search, next file search, file search closing, determining whether a path is a directory, determining whether a target file exists, long path retrieval, short path retrieval, path search, file copying, file moving, and so on. For example, a virus-scanning operation on a file is a combination of atomic operations such as file reading, first file search, next file search, file search closing and file moving.
Step 202: verify the caller input parameters according to the file operation request and, if the verification passes, search the object manager for the corresponding file object parse routine according to the file path. Referring to FIG. 3, in a preferred embodiment of the present application, the step of searching the object manager for the corresponding file object parse routine according to the file path may specifically include the following sub-steps:
子步骤 Sl、 判断文件路径是否已经拆解完毕, 若否, 则执行子步骤 S2; 若是, 则执行子步骤 S4;  Sub-step Sl, determining whether the file path has been disassembled, if not, executing sub-step S2; if yes, performing sub-step S4;
子步骤 S2、 按照路径分隔符拆解出文件路径中下一个待拆解的路径 段;  Sub-step S2, disassembling the next path segment to be disassembled in the file path according to the path separator;
子步骤 S3、 采用当前拆解出的路径段在对象管理器中搜索, 判断是 否存在对应的文件对象例程; 若是, 则返回子步骤 S 1 ; 若否, 则执行子 步骤 S5;  Sub-step S3, using the currently disassembled path segment to search in the object manager, to determine whether there is a corresponding file object routine; if yes, return to sub-step S 1; if not, execute sub-step S5;
子步骤 S4、 获得所述文件路径对应的文件对象解析例程。  Sub-step S4: Obtain a file object parsing routine corresponding to the file path.
子步骤 S5、 返回未找到对应文件对象解析例程的信息。  Sub-step S5, returning information that the corresponding file object parsing routine is not found.
在具体实现中, 可以预先构建对象管理器查询的 OpenPacket结构, 基于路径分隔符 "\"循环拆解文件路径, 例如, 文件路径为: c:\a\b.txt, 则 第一次拆解出的路径段为 c:, 第二次拆解出的路径段为: c:\a, 第三次拆 解出的路径段为: c:\a\b.txt, 即在本申请实施例, 是基于递归调用的方式 拆解文件路径。  In the specific implementation, the OpenPacket structure of the object manager query may be pre-built, and the file path is re-disassembled based on the path separator "\". For example, the file path is: c:\a\b.txt, then the first disassembly The path segment that is generated is c:, and the path segment that is removed for the second time is: c:\a, and the path segment that is disassembled for the third time is: c:\a\b.txt, that is, in the embodiment of the present application , is to resolve the file path based on recursive calls.
对象管理器( Obj ect Manager )是 Windows NT 内核的一个基本组件。 Windows NT 在设计的时候, "面向对象,,的设计思想已大行其道, 即将原 本散落在操作系统各处的资源集中抽象、 封装起来, 进而为各种内部服 务提供一致的访问途径。 对象管理器主要用于实现以下功能: ( 1 ) 提供 一种公共的、 统一的机制来使用系统资源; (2 ) 将对象保护隔离到操作 系统的统一区域中, 从而可以做到 C2安全等级; (3 )提供一种机制来记 录进程使用对象的数量, 从而可以对系统资源的使用加上限制; (4 ) 建 立一套对象命名方案, 可以更方便地融合现有的对象。 对象管理器共维 护了几十种对象类型 (Windows 2000 是 27种对象类型; Windows XP是 29种对象类型), 常见的如: 符号链接 ( Symbolic Link )、 进程 ( Process )、 线程 ( Thread )、作业 ( Job )、 文件 ( File )、 事件 ( Event )、 定时器 ( Timer ) 等等。 The Object Manager (obj ect Manager) is a basic component of the Windows NT kernel. When designing Windows NT, "object-oriented, design ideas have become popular, and the resources scattered around the operating system are abstracted and encapsulated, thus providing a consistent access path for various internal services. Object Manager mainly Used to implement the following functions: (1) Provide a common, unified mechanism to use system resources; (2) Segregate object protection into a unified area of the operating system to achieve C2 security level; (3) Provide A mechanism to record the number of objects used by the process, which can impose restrictions on the use of system resources; (4) Establish a set of object naming schemes, which can more easily fuse existing objects. The object manager maintains dozens of objects. Object types (Windows 2000 is 27 object types; Windows XP is 29 object types), common such as: Symbolic Link, Process, Thread, Job, File ), event (Event), timer (Timer) and many more.
The Object Manager maintains a chained object hash table. The Object Manager is searched with each path segment split out; if the corresponding object parse routine (ParseProcedure) can be found, the next split of the file path proceeds, and the Object Manager is searched with the next split path segment together with the previously split segments. When the current file path has been completely decomposed through this iterative parsing, the file object parse routine found through the Object Manager search (the Parse Routine) is the file object parse routine corresponding to the current file path.
It is well known that a routine is a collection of functional interfaces or services that a system provides externally. For example, an operating system's APIs, services and so on are routines.
To help those skilled in the art better understand the present application, the operation of decomposing a file path and searching the Object Manager is described in detail below through a specific example, with reference to the Object Manager search diagrams shown in FIG. 4, FIG. 5, FIG. 6, FIG. 7, FIG. 8 and FIG. 9.
For example, with the file path c:\test\test.txt, c: is a symbolic link (SymbolicLink), and the Object Manager search is essentially a symbolic link lookup process.
(1) Referring to FIG. 4, the search starts from the "root" of the Object Manager (i.e. "\");
(2) Find the GLOBAL?? directory under "\";
(3) Find the GLOBAL?? folder under "\" according to the GLOBAL?? directory;
After that, continue to look for C: in GLOBAL?? (note that C: is a SymbolicLink in the figure);
(4) Referring to FIG. 5, find C: in the GLOBAL?? folder;
(5) According to the type (Type) corresponding to C:, SymbolicLink, and its additional information (Additional Information), \Device\HarddiskVolume1, find the Device folder; if necessary, continue to resolve the \Device\HarddiskVolume1 symbolic link and so on, until nothing can be decomposed further.
(6) Referring to FIG. 6, find HarddiskVolume1 under the Device folder.
As another example, for the file path "SystemRoot\System32\Drivers\ntfs.sys", SystemRoot is also a symbolic link; (2) According to the type (Type) corresponding to SystemRoot, SymbolicLink, and its additional information (Additional Information), \Device\Harddisk0\Partition1\WINDOWS, find the Device folder;
(3) Referring to FIG. 8, find \Harddisk0 under the Device folder;
(4) Find Partition1 under \Harddisk0; according to the type (Type) corresponding to Partition1, SymbolicLink, and its additional information (Additional Information), \Device\HarddiskVolume1, find the Device folder;
(5) Referring to FIG. 9, find HarddiskVolume1 under the Device folder. In this example, path decomposition is based on the path separator "\": each time a separator is found, one "factor" is considered found and the Object Manager is searched; if necessary the path segments are merged and the Object Manager is searched again. In this embodiment, the file object parse routine found is a function that was associated with a certain factor when it was registered, and that knows how to handle those factors correctly.
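The walk-through above, and the loop of sub-steps S1 to S5 in claim 2, as an added example in plain C that is not the application's own code: a constructed Object Manager namespace is searched one "factor" at a time, symbolic links are substituted and the lookup restarted from the root, and the device object's registered parse routine receives the unconsumed tail. The tree contents, the routine name "DeviceParseRoutine" and the reparse bound are assumptions made for the example.

```c
/* Added example, not the application's own code: a simulated Object Manager namespace
 * and the factor-by-factor lookup of the walk-through (sub-steps S1 to S5 of claim 2).
 * Tree contents, the routine name and the reparse bound are constructed assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
typedef enum { OBJ_DIRECTORY, OBJ_SYMLINK, OBJ_DEVICE } ObjType;
typedef struct Node {
    const char *name;                    /* one path "factor" */
    ObjType type;
    const char *target;                  /* SymbolicLink: its "Additional Information" */
    const char *parse;                   /* registered ParseProcedure, NULL if none */
    const struct Node *const *children;  /* directory entries */
    int nchildren;
} Node;
/* Constructed namespace mirroring the walk-through: \GLOBAL??\C: -> \Device\HarddiskVolume1,
 * \SystemRoot -> \Device\Harddisk0\Partition1\WINDOWS, Partition1 -> \Device\HarddiskVolume1,
 * HarddiskVolume1 is the device object with a parse routine, \Loop -> \Loop is a deliberate cycle. */
static const Node volume1 = {"HarddiskVolume1", OBJ_DEVICE, NULL, "DeviceParseRoutine", NULL, 0};
static const Node partition1 = {"Partition1", OBJ_SYMLINK, "\\Device\\HarddiskVolume1", NULL, NULL, 0};
static const Node *const harddisk0_kids[] = {&partition1};
static const Node harddisk0 = {"Harddisk0", OBJ_DIRECTORY, NULL, NULL, harddisk0_kids, 1};
static const Node *const device_kids[] = {&volume1, &harddisk0};
static const Node device_dir = {"Device", OBJ_DIRECTORY, NULL, NULL, device_kids, 2};
static const Node c_drive = {"C:", OBJ_SYMLINK, "\\Device\\HarddiskVolume1", NULL, NULL, 0};
static const Node *const global_kids[] = {&c_drive};
static const Node global_dir = {"GLOBAL??", OBJ_DIRECTORY, NULL, NULL, global_kids, 1};
static const Node systemroot = {"SystemRoot", OBJ_SYMLINK, "\\Device\\Harddisk0\\Partition1\\WINDOWS", NULL, NULL, 0};
static const Node loop_link = {"Loop", OBJ_SYMLINK, "\\Loop", NULL, NULL, 0};
static const Node *const root_kids[] = {&global_dir, &device_dir, &systemroot, &loop_link};
static const Node root = {"", OBJ_DIRECTORY, NULL, NULL, root_kids, 4};
#define MAX_PATH_LEN 256
#define MAX_REPARSE 8                 /* a symbolic-link cycle must not spin the lookup forever */
typedef struct {
    const char *parse;                /* routine found (sub-step S4), NULL on failure (S5) */
    char device[MAX_PATH_LEN];        /* object path consumed, e.g. \Device\HarddiskVolume1 */
    char remaining[MAX_PATH_LEN];     /* tail handed to that routine, e.g. \test\test.txt */
    int reparses;                     /* symbolic links followed */
} Resolved;
/* The Object Manager compares names case-insensitively. */
static int ci_equal(const char *a, size_t alen, const char *b)
{
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}
static const Node *find_child(const Node *dir, const char *seg, size_t len)
{
    for (int i = 0; i < dir->nchildren; i++)
        if (ci_equal(seg, len, dir->children[i]->name)) return dir->children[i];
    return NULL;
}
/* Returns 0 on success, -1 if some factor has no object (S5), -2 on a symbolic-link cycle. */
int om_resolve(const char *input, Resolved *out)
{
    char path[MAX_PATH_LEN];
    memset(out, 0, sizeof *out);
    /* A DOS-style path (c:\...) is looked up under \GLOBAL??, as in the walk-through. */
    if (input[0] != '\\') snprintf(path, sizeof path, "\\GLOBAL??\\%s", input);
    else snprintf(path, sizeof path, "%s", input);
    for (;;) {                                  /* one pass per (re)parse from the root */
        const Node *cur = &root;
        const char *p = path + 1;               /* skip the leading "\" */
        out->device[0] = '\0';
        for (;;) {                              /* S1/S2: split out the next factor */
            const char *end = strchr(p, '\\');
            size_t len = end ? (size_t)(end - p) : strlen(p);
            const Node *child = len ? find_child(cur, p, len) : NULL;   /* S3 */
            if (!child) return -1;
            size_t used = strlen(out->device);
            snprintf(out->device + used, sizeof out->device - used, "\\%.*s", (int)len, p);
            const char *rest = end ? end : p + len;
            if (child->type == OBJ_SYMLINK) {   /* substitute the target and start over */
                char next[MAX_PATH_LEN];
                if (++out->reparses > MAX_REPARSE) return -2;
                snprintf(next, sizeof next, "%s%s", child->target, rest);
                memcpy(path, next, sizeof path);
                break;
            }
            if (child->parse) {                 /* S4: this object's routine owns the tail */
                out->parse = child->parse;
                snprintf(out->remaining, sizeof out->remaining, "%s", rest);
                return 0;
            }
            if (!end) return -1;                /* a bare directory is not a file object */
            cur = child; p = end + 1;
        }
    }
}
```

Resolving "c:\test\test.txt" follows one link and hands "\test\test.txt" to the HarddiskVolume1 routine; "\SystemRoot\System32\Drivers\ntfs.sys" follows two, exactly as in the two figure sequences above.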
The file path resolution method adopted in the embodiments of the present application can resolve the target file path dynamically. For example, for a dynamically mapped network disk drive, searching the Object Manager dynamically obtains the corresponding processing relationship between the DOS-style file path format, the drive letter and the file system lower-layer device object; the embodiments therefore also have the advantages of a wide scope of application and many applicable scenarios.
Step 203: If a corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine and send it to the preset original address of the file system lower-layer device.
In a specific implementation, the file object Parse Routine is implemented similarly to Microsoft's IoParseDevice routine (a simulated implementation); internally it builds and fills an I/O Request Packet (IRP) and sends it to the original address of the file system lower-layer device. In Microsoft's Windows operating system family, communication with drivers is performed by sending IRPs. The data structure used to encapsulate an IRP not only describes the content of the I/O operation request itself, but also maintains the related state information of that request as it is passed through a series of drivers. That is, an IRP can be defined as the place where the I/O system stores the information necessary to process an I/O request. When a thread calls an I/O service, the I/O manager constructs an IRP to represent the request while the I/O system processes it.
In a specific implementation, the original address of the file system lower-layer device can be set at system initialization. After this step, third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) are penetrated, which effectively avoids the potential for incompatibility with other security software caused by interference with file operations, and also strengthens the ability to counter driver-level malicious programs in attack-and-defense situations.
In practice, the I/O request packet includes the file operation information extracted from the file operation request; after the I/O request packet (IRP) is sent to the preset original address of the file system lower-layer device, the file system lower-layer device continues to execute the corresponding file operation according to the file operation information. Specifically, after the IRP is sent to the file system's device object, it still goes through a series of complex processing steps before being written to the hard disk. In general the request passes through the volume snapshot driver (Volsnap.sys), the volume manager (Ftdisk.sys), the partition manager (Partmgr.sys), the disk class driver (disk.sys), the disk port driver (atapi.sys in the case of an IDE system) and the miniport driver (Aha154x.sys in the case of an Adaptec 1540 SCSI adapter), and the miniport driver finally determines the corresponding offset to be written on the disk or tape drive. Volume management (including snapshots) introduces the concept of dynamic disks, which allows Windows to create multi-partition volumes (such as mirrored volumes, striped volumes, RAID-5 and so on); this component locates the request to a certain offset of the target volume according to the actual situation. The partition manager is responsible for notifying the Plug and Play manager which partitions currently exist and what their status is (created, deleted and so on). The disk class driver implements the functions common to all disks; for example, the SCSI (Small Computer System Interface) port driver handles the characteristics of disks on a SCSI bus. Finally, the miniport driver targets the particular product features of certain vendors, and such drivers are usually supplied by the vendor itself. In general, each layer receives the request passed down from the layer above according to its own interface and, using the "view" it sees, finds a certain sector offset of the target device and creates, writes or deletes data. Referring to FIG. 10, a flowchart of the steps of Embodiment 2 of a method for executing a file operation according to the present application is shown, which may specifically include:
Step 401: Load the file operation interface routines and initialize the original address of the file system lower-layer device;
As an example of a specific application, the file operation interface routines include: the file creation routine FSCreateFile, the file read routine FSReadFile, the file write routine FSWriteFile, the file attribute setting routine FSSetFileAttributes, the file attribute retrieval routine FSGetFileAttributes, the file pointer setting routine FSSetFilePointer, the extended file pointer setting routine FSSetFilePointerEx, the file size retrieval routine FSGetFileSize, the file deletion routine FSDeleteFile, the directory removal routine FSRemoveDirectory, the handle closing routine FSCloseHandle, the first-file search routine FSFindFirstFile, the next-file search routine FSFindNextFile, the file search closing routine FSFindClose, the extended file attribute retrieval routine FSGetFileAttributesEx, the routine FSPathIsDirectory for determining whether a path is a directory, the routine FSPathFileExists for determining whether the target file exists, the long path retrieval routine FSGetLongPathName, the short path retrieval routine FSGetShortPathName, the path search routine FSSearchPath, the extended file size retrieval routine FSGetFileSizeEx, the file copy routine FSCopyFile, the file move routine FSMoveFile and/or the extended file move routine FSMoveFileEx. The settings of the file operation interface routines, such as the calling convention and the calling parameters, are consistent with the corresponding standard WINDOWS APIs. Each of the above routines includes a narrow-character routine and a wide-character routine; for example, FSCreateFile includes the narrow-character routine FSCreateFileA and the wide-character routine FSCreateFileW.
Step 402: The caller initiates a file operation request and calls the corresponding file operation interface routine; the request includes the caller's input parameters, which include a file path and a user-mode address;
For example, the caller process initiates a file creation request through FSCreateFileA.
Step 403: The user-mode part of the file operation interface routine converts the ANSI-related parameters among the caller's input parameters to the UNICODE type and calls the corresponding wide-character file operation interface routine;
It is well known that characters in ANSI use 8 bits while characters in UNICODE use 16 bits (ANSI stores English characters in a single byte and Chinese and similar characters in two bytes, whereas under Unicode both English and Chinese characters are stored in two bytes).
Taking the file creation process as an example, to ensure platform applicability FSCreateFileA converts the ANSI-related parameters among the caller's input parameters to the UNICODE type and calls the corresponding wide-character file operation interface routine FSCreateFileW.
Of course, if a wide-character routine is called directly in practice, this step need not be executed. Step 404: Construct kernel-mode structure parameters according to the type of the system platform, generate the corresponding file operation control code according to the kernel-mode structure parameters, and send the file operation control code to the operating system kernel-mode driver;
The types of system platform include 32-bit, 64-bit and 32-bit compatibility mode. As an example of a specific application of the present application, the control codes corresponding to the file operation interface routines include: the file creation operation control code FILE_IO_CREATE_FILE, the file read operation control code FILE_IO_READ_FILE, the file write operation control code FILE_IO_WRITE_FILE, the file query operation control code FILE_IO_QUERY_FILE, the file setting operation control code FILE_IO_SET_FILE and/or the file close preparation operation control code FILE_IO_PREPARE_CLOSE. The control codes define unified identifiers for communication between the operating system user mode and the kernel-mode driver.
Taking the file creation process as an example, FSCreateFileW constructs the structure parameters by determining the system platform type (32-bit, 64-bit or 32-bit compatibility mode), sends the control code FILE_IO_CREATE_FILE and waits synchronously for the return.
In practice, FSCreateFileW can also handle malformed file names and file paths, and actually performs the parameter conversion. The input and output buffers used for communication between the operating system user mode and the kernel-mode driver can be transferred in METHOD_BUFFERED mode. In METHOD_BUFFERED mode a buffer is allocated first and data is then copied through this buffer; the buffer size is the larger of the input buffer and the output buffer. The read buffer is copied into the new buffer. Before returning, the return value is simply copied into the same buffer. The return value is placed in the IO_STATUS_BLOCK, and the I/O manager copies the data to the output buffer.
Step 405: The operating system kernel-mode driver obtains the file operation request, verifies the caller's input parameters, and reconstructs (captures) the user-mode address into kernel-mode memory space;
Taking the file creation process as an example, the kernel part of the FSCreateFileW routine executes this step and processes the corresponding caller input parameters in kernel-mode memory space.
Step 406: If the input parameter verification passes, search the Object Manager for the corresponding file object parse routine according to the file path;
Step 407: If the corresponding file object parse routine is found, generate an I/O request packet according to the file object parse routine and send it to the preset original address of the file system lower-layer device.
Taking the file creation process as an example, the kernel part of FSCreateFileW verifies the parameters passed in from user mode, builds the OpenPacket structure, parses the file path format in a loop and searches the chained object hash table maintained by the Object Manager. Specifically, the input file path can be decomposed on the path separator "\", and each decomposed path part is used to search the chained object hash table maintained by the Object Manager to find the corresponding ParseProcedure. When the loop parsing is complete, the object's Parse Routine is considered found. The Parse Routine internally builds and fills an IRP request packet and sends it to the original address of the file system lower-layer device, completing the penetrating file creation process. At this point, the third-party filter drivers on the file system call stack (other security software, driver-level malicious programs) are bypassed.
In a specific implementation, a newly created object can also be inserted into the Object Manager's hash structure through the ObInsertObject routine, and the returned file handle is obtained. Moreover, the kernel can also synchronously return the user-mode handle information and the call result. If the call fails, the user-mode interface can set the corresponding error code, so that the caller thread can obtain detailed error information through the GetLastError routine. The working principle of the present application is further explained below with reference to the schematic diagram of the file operation execution flow implemented by applying the embodiments of the present application, shown in FIG. 11.
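The user-mode packing of steps 403 and 404 and the kernel-side capture-and-verify of step 405, as an added example in plain C that is not the application's own code. It assumes a function number of 0x800 for FILE_IO_CREATE_FILE and a constructed fixed-width request layout; CTL_CODE, METHOD_BUFFERED and the related constants are re-implemented here with the Windows bit layout so the block builds without the Windows headers.

```c
/* Added example, not the application's own code: the fixed-layout request of step 404 and the
 * kernel-side capture-and-verify of step 405, simulated in plain C. The function number 0x800
 * for FILE_IO_CREATE_FILE and the request layout are assumptions; CTL_CODE and the
 * METHOD_BUFFERED constants are re-implemented here with the Windows bit layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
#define CTL_CODE(dev, func, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(func) << 2) | (uint32_t)(method))
#define FILE_IO_CREATE_FILE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define MAX_PATH_CHARS 260
/* Fixed-width fields only, so a 32-bit, 32-bit-compatibility-mode or 64-bit caller and the kernel
 * agree on every offset. The UNICODE path travels inline in the buffered request, so the kernel
 * never has to read a user-mode pointer after the I/O manager's copy. */
typedef struct {
    uint32_t control_code;
    uint32_t path_chars;              /* UTF-16 code units in path[], excluding the terminator */
    uint32_t desired_access;
    uint32_t create_disposition;
    uint16_t path[MAX_PATH_CHARS];
} CreateFileRequest;
/* Steps 403/404, user mode: widen the ANSI path (ASCII subset only, an assumption of this
 * example) and pack the request. Returns 0, or -1 when the path would not fit. */
int build_create_request(const char *ansi_path, uint32_t access, uint32_t disposition,
                         CreateFileRequest *req)
{
    size_t n = strlen(ansi_path);
    if (n == 0 || n >= MAX_PATH_CHARS) return -1;
    memset(req, 0, sizeof *req);
    req->control_code = FILE_IO_CREATE_FILE;
    req->path_chars = (uint32_t)n;
    req->desired_access = access;
    req->create_disposition = disposition;
    for (size_t i = 0; i < n; i++) req->path[i] = (uint8_t)ansi_path[i];
    return 0;
}
enum { CAPTURE_OK = 0, CAPTURE_BAD_LENGTH = -1, CAPTURE_BAD_CODE = -2, CAPTURE_BAD_PATH = -3 };
/* Step 405, kernel mode: copy the caller's buffer into kernel-owned memory first, then verify
 * only the copy. Checking fields in the caller's memory and reading them again later would let
 * another thread change them between the check and the use. */
int kernel_capture_create_request(const void *user_buf, uint32_t in_len, CreateFileRequest *captured)
{
    const size_t header = offsetof(CreateFileRequest, path);
    if (in_len < header || in_len > sizeof *captured) return CAPTURE_BAD_LENGTH;
    memset(captured, 0, sizeof *captured);
    memcpy(captured, user_buf, in_len);                 /* single fetch of the request */
    if (captured->control_code != FILE_IO_CREATE_FILE) return CAPTURE_BAD_CODE;
    /* Bound the count before it enters any arithmetic, so it can neither overflow nor run past in_len. */
    if (captured->path_chars == 0 || captured->path_chars >= MAX_PATH_CHARS) return CAPTURE_BAD_PATH;
    if (header + (size_t)captured->path_chars * sizeof(uint16_t) > in_len) return CAPTURE_BAD_PATH;
    captured->path[captured->path_chars] = 0;           /* terminator placed by the kernel, not the caller */
    for (uint32_t i = 0; i < captured->path_chars; i++)
        if (captured->path[i] == 0) return CAPTURE_BAD_PATH;   /* embedded NUL would truncate the name later */
    return CAPTURE_OK;
}
int main(void)
{
    CreateFileRequest req, captured;
    if (build_create_request("c:\\test\\test.txt", 0x80000000u, 1, &req) != 0) return 1;
    uint32_t in_len = (uint32_t)(offsetof(CreateFileRequest, path) + (req.path_chars + 1) * sizeof(uint16_t));
    printf("control code 0x%08x, %u chars, capture status %d\n", req.control_code, req.path_chars,
           kernel_capture_create_request(&req, in_len, &captured));
    return 0;
}
```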
The caller 111 calls the driver interface layer 112 implemented in this embodiment, rather than the kernel interface layer 113 of the prior art;
The driver interface layer 112 calls the simulated kernel execution layer to verify the caller's input parameters 114; after the caller's input parameters pass verification, it searches the Object Manager to parse the file path in a loop 115 and obtains the object parse routine 116, and builds an IRP and sends it to the original address of the file system lower-layer device 117;
In this process, the file object parse routine 118, the top-level filter driver a 119 and the bottom-level filter driver N 120 of the prior art are penetrated.
After the IRP is sent to the file system lower-layer device 121, the file system lower-layer device 121 executes the operation requested by the IRP.
It should be noted that, for the sake of simple description, the method embodiments are each expressed as a series of combined actions; however, those skilled in the art should be aware that the present application is not limited by the described order of actions, since according to the present application certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application. Referring to FIG. 12, a structural block diagram of an embodiment of an apparatus for executing a file operation according to the present application is shown, which may specifically include the following modules:
a kernel-mode request acquisition module 121, configured to obtain a file operation request, the request including the caller's input parameters, which include a file path;
a kernel-mode parameter verification module 122, configured to verify the caller's input parameters according to the file operation request and, if the verification passes, call the kernel object parse module 123;
a kernel-mode object parse module 123, configured to search the Object Manager for the corresponding file object parse routine according to the file path and, if the corresponding file object parse routine is found, call the kernel IRP generation and sending module 124;
a kernel-mode IRP generation and sending module 124, configured to generate an I/O request packet according to the file object parse routine and send the I/O request packet to the preset original address of the file system lower-layer device.
In a preferred embodiment of the present application, the kernel object parse module 123 may specifically include the following modules: a file path decomposition module, configured to decompose the path segments of the file path step by step according to the path separator;
an Object Manager search module, configured to search the Object Manager with the currently decomposed path segment to find the corresponding file object routine.
In a specific implementation, the caller's input parameters have a user-mode address, and the apparatus may further include:
a kernel address reconstruction module, configured to reconstruct the user-mode address into kernel-mode memory space. In a preferred embodiment of the present application, the following modules may also be included:
a user-mode request sending module, configured for the caller to initiate a file operation request and call the corresponding file operation interface routine, the request including the caller's input parameters, which include a file path;
a user-mode control code sending module, configured to construct kernel-mode structure parameters according to the type of the system platform, generate the corresponding file operation control code according to the kernel-mode structure parameters, and send the file operation control code to the operating system kernel-mode driver.
In a specific implementation, the following module may also be included:
a wide-character routine calling module, configured to convert the ANSI-related parameters among the caller's input parameters to the UNICODE type and call the corresponding wide-character file operation interface routine.
As an example of a specific application of the embodiments of the present application, the file operation interface routines may include the file creation routine FSCreateFile, and the apparatus may further include the following module: a handle acquisition module, configured to insert the newly created file object into the Object Manager and obtain the returned file handle.
Since the apparatus embodiment basically corresponds to the method embodiments shown in FIG. 1, FIG. 2 and FIG. 3 above, points not described exhaustively in this embodiment may be found in the relevant description of the foregoing embodiments and are not repeated here.
The embodiments of the present application further disclose a computer-readable recording medium on which is recorded a program for executing a method of executing a file operation, where the method of executing a file operation may include the following steps:
obtaining a file operation request, the request including the caller's input parameters, which include a file path;
searching the Object Manager for the corresponding file object parse routine according to the file path; and, if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending it to the preset original address of the file system lower-layer device.
The computer-readable recording medium includes any mechanism for storing or transmitting information in a form readable by a computer (for example, a computer). For example, a machine-readable medium includes read-only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash storage media, and electrical, optical, acoustic or other forms of propagated signals (for example, carrier waves, infrared signals, digital signals and so on). The present application can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and so on.
The present application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and so on that perform particular tasks or implement particular abstract data types. The present application may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
A method of executing a file operation and an apparatus for executing a file operation provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present application, and the description of the above embodiments is only intended to help understand the method of the present application and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific embodiments and in the scope of application in accordance with the idea of the present application. In summary, the content of this specification should not be construed as limiting the present application.

Claims

1. A method of executing a file operation, characterized in that it comprises:
obtaining a file operation request, the request including the caller's input parameters, which include a file path;
searching the Object Manager for the corresponding file object parse routine according to the file path; and, if the corresponding file object parse routine is found, generating an I/O request packet according to the file object parse routine and sending the I/O request packet to the preset original address of the file system lower-layer device.
2. The method according to claim 1, characterized in that the step of searching the Object Manager for the corresponding file object parse routine according to the file path specifically comprises the following sub-steps: sub-step S1: determining whether the file path has been completely decomposed; if not, executing sub-step S2; if so, executing sub-step S4;
sub-step S2: decomposing the next path segment to be decomposed in the file path according to the path separator;
sub-step S3: searching the Object Manager with the currently decomposed path segment and determining whether a corresponding file object routine exists; if so, returning to sub-step S1; if not, executing sub-step S5;
子步骤 S4、 获得所述文件路径对应的文件对象解析例程。  Sub-step S4: Obtain a file object parsing routine corresponding to the file path.
子步骤 S5、 返回未找到对应文件对象解析例程的信息。  Sub-step S5, returning information that the corresponding file object parsing routine is not found.
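The sub-steps S1 to S5 of claim 2, as an added worked example in user-mode C that is not part of the patent or of its implementation. The object-manager namespace is a constructed in-memory table (the names Device, HarddiskVolume1 and GLOBAL?? and the stub parse_volume are illustrative assumptions), and the walk is generalized slightly: a segment that resolves to a directory object sends the loop back to S1, while the first segment that resolves to an object carrying a parse routine ends the walk (S4) and the unparsed tail of the path is handed to that routine, which is how the NT object manager dispatches a name to a device's parse procedure; an unresolvable segment yields the claim's "not found" result (S5). The absolute-path check before the walk stands in for the caller-parameter verification of claim 8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the claim-2 lookup: S4 is FOUND, S5 is NOT_FOUND; BAD_PATH is
 * the claim-8 style rejection of a malformed caller parameter. */
enum lookup_status { LOOKUP_FOUND = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_BAD_PATH = 2 };

typedef int (*parse_routine_t)(const char *remaining_path);

/* Stub standing in for the parse routine attached to a volume device object. */
static int parse_volume(const char *remaining_path) {
    return remaining_path != NULL && remaining_path[0] != '\0';
}

/* Constructed object-manager namespace (illustrative, not from the patent):
 * an object name and, for device objects, the parse routine attached to it. */
struct om_entry { const char *name; parse_routine_t parse; };
static const struct om_entry namespace_table[] = {
    { "Device",          NULL },          /* directory object: no parse routine */
    { "HarddiskVolume1", parse_volume },  /* device object with a parse routine */
    { "GLOBAL??",        NULL },          /* another directory object */
};
#define NS_COUNT (sizeof namespace_table / sizeof namespace_table[0])

/* Sub-step S3: search the object manager with a single path segment. */
static const struct om_entry *om_search(const char *seg, size_t len) {
    for (size_t i = 0; i < NS_COUNT; i++)
        if (strlen(namespace_table[i].name) == len &&
            memcmp(namespace_table[i].name, seg, len) == 0)
            return &namespace_table[i];
    return NULL;
}

/* Sub-steps S1..S5: walk the path one separator-delimited segment at a time.
 * On LOOKUP_FOUND, *routine receives the parse routine and *remaining the
 * unparsed tail of the path that the routine would be handed. */
enum lookup_status find_parse_routine(const char *path, parse_routine_t *routine,
                                      const char **remaining) {
    *routine = NULL;
    *remaining = NULL;
    /* Parameter check before the walk: only an absolute NT-style path is accepted. */
    if (path == NULL || path[0] != '\\' || path[1] == '\0')
        return LOOKUP_BAD_PATH;
    const char *p = path + 1;
    for (;;) {
        if (*p == '\0')                          /* S1: fully split, no device hit -> S5 */
            return LOOKUP_NOT_FOUND;
        const char *sep = strchr(p, '\\');       /* S2: next segment to split off */
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0)                            /* empty segment ("\\\\") is malformed */
            return LOOKUP_BAD_PATH;
        const struct om_entry *e = om_search(p, len);   /* S3 */
        if (e == NULL)
            return LOOKUP_NOT_FOUND;             /* S5 */
        p = sep ? sep + 1 : p + len;
        if (e->parse != NULL) {                  /* S4: routine obtained */
            *routine = e->parse;
            *remaining = p;
            return LOOKUP_FOUND;
        }
        /* directory object resolved: back to S1 with the next segment */
    }
}

/* Small wrappers so each outcome is available as a plain return value. */
int lookup_status_of(const char *path) {
    parse_routine_t r; const char *rest;
    return (int)find_parse_routine(path, &r, &rest);
}

int lookup_remaining_is(const char *path, const char *expected) {
    parse_routine_t r; const char *rest;
    if (find_parse_routine(path, &r, &rest) != LOOKUP_FOUND) return 0;
    return r == parse_volume && strcmp(rest, expected) == 0;
}

int main(void) {
    /* Constructed sample paths exercising S4, S5 and the parameter check. */
    const char *samples[] = { "\\Device\\HarddiskVolume1\\Users\\a.txt",
                              "\\Device\\NoSuchVolume\\a.txt", "C:\\a.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        parse_routine_t r; const char *rest;
        enum lookup_status s = find_parse_routine(samples[i], &r, &rest);
        printf("%-40s -> status %d, remaining: %s\n", samples[i], (int)s,
               rest ? rest : "(none)");
    }
    return 0;
}
```

The walk mirrors claim 2 in that every segment must resolve in the object manager before the next one is split off; what the example adds is the point at which the loop stops, namely the first object that owns a parse routine, so that everything after it (here "Users\a.txt") is the remainder that the I/O request packet of claim 1 is built around rather than a name the object manager itself would ever resolve.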
3. The method according to claim 1 or 2, characterized in that the caller input parameters have a user-mode address, and before searching for the file object parsing routine the method further comprises: reconstructing the user-mode address into kernel-mode memory space.
4. The method according to claim 1 or 2, characterized in that the I/O request packet includes file operation information extracted from the file operation request, and after sending the I/O request packet to the preset original address of the file system lower-layer device, the method further comprises:
continuing, by the file system lower-layer device, to perform the corresponding file operation according to the file operation information.
5. The method according to claim 3, characterized in that before obtaining the file operation request, the method further comprises:
the caller initiating a file operation request and invoking the corresponding file operation interface routine, wherein the request includes caller input parameters and the input parameters include a file path;
constructing kernel-mode structure parameters according to the type of the system platform, generating a corresponding file operation control code according to the kernel-mode structure parameters, and sending the file operation control code to the operating system kernel-mode driver.
6. The method according to claim 5, characterized in that before constructing the kernel-mode structure parameters, the method further comprises:
the file operation interface routine converting the ANSI-related parameters among the caller input parameters to the UNICODE type and invoking the corresponding file operation interface wide-character routine.
7. The method according to claim 6, characterized in that the file operation interface routine includes a file creation routine FSCreateFile, and before the file system lower-layer device continues to perform the requested file operation, the method further comprises:
inserting the newly created file object into the object manager and obtaining the returned file handle.
8. The method according to claim 1, characterized in that it further comprises:
verifying the caller input parameters according to the file operation request and, if the verification passes, performing the step of searching for the file object parsing routine.
9. The method according to claim 7, characterized in that the file operation interface routines are consistent with the WINDOWS standard API, and the file operation interface routines further include: a file read routine FSReadFile, a file write routine FSWriteFile, a file attribute setting routine FSSetFileAttributes, a file attribute getting routine FSGetFileAttributes, a file pointer setting routine FSSetFilePointer, an enhanced file pointer setting routine FSSetFilePointerEx, a file size getting routine FSGetFileSize, a file delete routine FSDeleteFile, a directory removal routine FSRemoveDirectory, a handle close routine FSCloseHandle, a first-file find routine FSFindFirstFile, a next-file find routine FSFindNextFile, a find close routine FSFindClose, an extended file attribute getting routine FSGetFileAttributesEx, a routine FSPathIsDirectory for determining whether a path is a directory, a routine FSPathFileExists for determining whether a target file exists, a long path getting routine FSGetLongPathName, a short path getting routine FSGetShortPathName, a path search routine FSSearchPath, an enhanced file size getting routine FSGetFileSizeEx, a file copy routine FSCopyFile, a file move routine FSMoveFile and/or an enhanced file move routine FSMoveFileEx.
10. The method according to claim 9, characterized in that the control codes include: a file creation operation control code FILE_IO_CREATE_FILE, a file read operation control code FILE_IO_READ_FILE, a file write operation control code FILE_IO_WRITE_FILE, a file query operation control code FILE_IO_QUERY_FILE, a file setting operation control code FILE_IO_SET_FILE and/or a file close preparation operation control code FILE_IO_PREPARE_CLOSE.
11. An apparatus for executing a file operation, characterized in that it comprises:
a kernel-mode request obtaining module configured to obtain a file operation request, the request including caller input parameters, the input parameters including a file path;
a kernel-mode object parsing module configured to search the object manager for a file object parsing routine corresponding to the file path and, if a corresponding file object parsing routine is found, to call a kernel-mode IRP generating and sending module;
the kernel-mode IRP generating and sending module configured to generate an I/O request packet according to the file object parsing routine and to send the I/O request packet to a preset original address of the file system lower-layer device.
12. The apparatus according to claim 11, characterized in that the kernel-mode object parsing module specifically comprises:
a file path splitting module configured to split the file path into its path segments one level at a time at the path separator;
an object manager search module configured to search the object manager using the currently split-off path segment in order to find the corresponding file object routine.
13. The apparatus according to claim 11 or 12, characterized in that the caller input parameters have a user-mode address, and the apparatus further comprises:
a kernel address reconstruction module configured to reconstruct the user-mode address into kernel-mode memory space.
14. The apparatus according to claim 13, characterized in that it further comprises: a user-mode request sending module configured to have the caller initiate a file operation request and invoke the corresponding file operation interface routine, wherein the request includes caller input parameters and the input parameters include a file path;
a user-mode control code sending module configured to construct kernel-mode structure parameters according to the type of the system platform, generate a corresponding file operation control code according to the kernel-mode structure parameters, and send the file operation control code to the operating system kernel-mode driver.
15. The apparatus according to claim 14, characterized in that it further comprises:
a wide-character routine calling module configured to convert the ANSI-related parameters among the caller input parameters to the UNICODE type and to invoke the corresponding file operation interface wide-character routine.
16. The apparatus according to claim 15, characterized in that the file operation interface routine includes a file creation routine FSCreateFile, and the apparatus further comprises:
a handle obtaining module configured to insert the newly created file object into the object manager and obtain the returned file handle.
17. The apparatus according to claim 11, characterized in that it further comprises:
a kernel-mode parameter verification module configured to verify the caller input parameters according to the file operation request and, if the verification passes, to call the kernel-mode object parsing module.
18. A computer-readable recording medium having recorded thereon a program for executing the method according to claim 1.
PCT/CN2012/075145 2011-05-11 2012-05-07 Method and device for executing file operation WO2012152210A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110121180.5 2011-05-11
CN201110121180.5A CN102779244B (en) 2011-05-11 2011-05-11 Method and device for carrying out file operation

Publications (1)

Publication Number Publication Date
WO2012152210A1 true WO2012152210A1 (en) 2012-11-15

Family

ID=47124154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/075145 WO2012152210A1 (en) 2011-05-11 2012-05-07 Method and device for executing file operation

Country Status (2)

Country Link
CN (1) CN102779244B (en)
WO (1) WO2012152210A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113542412A (en) * 2021-07-16 2021-10-22 中国电信股份有限公司 Data transmission method and device, electronic equipment and storage medium
US11663333B2 (en) 2020-08-11 2023-05-30 Beijing Didi Infinity Technology And Development Co., Ltd. Cloud-based systems and methods for detecting and removing rootkit
CN116708597A (en) * 2023-08-04 2023-09-05 新华三技术有限公司 Data processing method and device

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104516974B (en) * 2014-12-26 2018-03-13 华为技术有限公司 A kind of management method and device of file system directories item
CN105677794B (en) * 2015-12-31 2019-04-05 新浪网技术(中国)有限公司 The operation processing method and device of file in PaaS system
CN105912482B (en) * 2016-06-24 2019-05-28 飞天诚信科技股份有限公司 A kind of processing method and filtration drive of IRP
CN110334063A (en) * 2019-07-15 2019-10-15 深圳前海微众银行股份有限公司 Operating method, device, equipment and the computer readable storage medium of file system
CN112463662B (en) * 2020-12-16 2024-04-05 福州创实讯联信息技术有限公司 Method and terminal for user mode control of I2C equipment
CN112947990B (en) * 2021-03-23 2023-04-07 四川虹美智能科技有限公司 Development library creating method, device and computer readable medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040010565A1 (en) * 2002-05-30 2004-01-15 Icube Wireless receiver for receiving multi-contents file and method for outputting data using the same
CN101291346A (en) * 2008-06-06 2008-10-22 中国科学院计算技术研究所 Grid document processing method and processing apparatus thereof
CN101459697A (en) * 2009-01-07 2009-06-17 清华大学 Access method and apparatus for shared document
CN101464900A (en) * 2009-01-15 2009-06-24 上海交通大学 Light file hiding method in NTFS file system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7647308B2 (en) * 2006-11-08 2010-01-12 Mcafee, Inc. Method and system for the detection of file system filter driver based rootkits
CN101414327B (en) * 2007-10-15 2012-09-12 北京瑞星信息技术有限公司 Method for file protection
CN101256570A (en) * 2008-02-22 2008-09-03 山东中创软件工程股份有限公司 File protection technique based on Windows system files filtering drive

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11663333B2 (en) 2020-08-11 2023-05-30 Beijing Didi Infinity Technology And Development Co., Ltd. Cloud-based systems and methods for detecting and removing rootkit
CN113542412A (en) * 2021-07-16 2021-10-22 中国电信股份有限公司 Data transmission method and device, electronic equipment and storage medium
CN113542412B (en) * 2021-07-16 2024-01-05 天翼云科技有限公司 Data transmission method, device, electronic equipment and storage medium
CN116708597A (en) * 2023-08-04 2023-09-05 新华三技术有限公司 Data processing method and device
CN116708597B (en) * 2023-08-04 2023-10-24 新华三技术有限公司 Data processing method and device

Also Published As

Publication number Publication date
CN102779244A (en) 2012-11-14
CN102779244B (en) 2015-03-25

Similar Documents

Publication Publication Date Title
WO2012152210A1 (en) Method and device for executing file operation
JP6942824B2 (en) Configurable logical platform
Jin et al. A VMM-based intrusion prevention system in cloud computing environment
US7908656B1 (en) Customized data generating data storage system filter for data security
Wu et al. AirBag: Boosting Smartphone Resistance to Malware Infection.
US8549288B2 (en) Dynamic creation and hierarchical organization of trusted platform modules
IL268474A (en) System and method for securely connecting to a peripheral device
US8756197B1 (en) Generating data set views for backup restoration
US8352939B1 (en) System, method and computer program product for performing a security or maintenance operation in association with virtual disk data
US20070011491A1 (en) Method for platform independent management of devices using option ROMs
JP5970141B2 (en) Method, boot loader, user trusted device, and system for executing software modules on a computer
KR20160147862A (en) Consistent extension points to allow an extension to extend functionality of an application to another application
WO2018059545A1 (en) Method and apparatus for layered access of file in virtualization instance
WO2012152212A1 (en) Method and device for executing registry operation
JP2006333433A (en) Data communication protocol
WO2018082289A1 (en) Method and device for managing application and computer storage medium
WO2014075504A1 (en) Security control method and device for running application
Guo et al. Minimum viable device drivers for ARM trustzone
US20210397583A1 (en) Namespace representation and enhanced browsability for replicated file systems
US8042185B1 (en) Anti-virus blade
JP5476381B2 (en) Improved I / O control and efficiency in encrypted file systems
US7634521B1 (en) Technique for scanning stealthed, locked, and encrypted files
Zhao et al. A survey of malicious HID devices
Feng et al. MobiGyges: A mobile hidden volume for preventing data loss, improving storage utilization, and avoiding device reboot
Hsu et al. Data concealments with high privacy in new technology file system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12781632

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12781632

Country of ref document: EP

Kind code of ref document: A1