WO2017113781A1 - Virtual memory data protection method and system - Google Patents


Info

Publication number
WO2017113781A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
virtual memory
write
address
legal
Prior art date
Application number
PCT/CN2016/092339
Other languages
French (fr)
Chinese (zh)
Inventor
张维超
Original Assignee
福建联迪商用设备有限公司
Priority date
2015-12-30
Filing date
2016-07-29
Publication date
2017-07-06
Application filed by 福建联迪商用设备有限公司
Publication of WO2017113781A1

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

Provided are a virtual memory data protection method and system. The method comprises: setting the attribute of a virtual memory disk to be read-only; pre-setting a valid function, and a valid write operation of the virtual memory disk calling the valid function; calling a write function; and intercepting the write function, and modifying an address of the write function to be an address of the valid function. The present invention uses a protection principle of the read-write attribute of a virtual memory disk of an operating system, so as to establish a protection wall for memory data by means of modifying the attribute of the disk, so that virtual memory data is protected from the source, and any invalid write operation is prohibited; and meanwhile, the data of the virtual memory disk is validly modified or written by means of providing a unique valid access entry, the proceeding of a valid writing operation is ensured, and the valid modification and valid write are both realised.

Description

Title of invention: A virtual memory data protection method and system
Technical field
[0001] The present invention relates to the field of disk storage, and specifically to a method and system for protecting virtual memory data.
Background art
[0003] A virtual memory disk uses part of the computer's memory to emulate a hard disk, and the data on the disk is operated on using the HOOK API technique. For an application to call an API function it must know the address of that function; the HOOK API technique replaces the address of the API function to be called with the address of another function, MyCreateFileW, so that whenever the program calls CreateFileW, MyCreateFileW is called instead.
[0004] Without protection of virtual memory data, a program can modify or write to the data on the virtual memory disk under conditions where this is not permitted, including through unexpected errors (such as array out-of-bounds accesses). This leads directly to memory data being illegally modified, so the virtual memory disk cannot guarantee the security of its data.
[0005] Most existing memory disk technology is implemented at the low level of the system, where memory data is protected by marking memory attributes: different flags mark whether a block of memory addresses is readable, writable or executable. For memory data protection at the application layer, the current practice is to verify the memory data: after data is written to a memory block, the memory data is run through some algorithm and the result is saved; when the data is read, to ensure its correctness, the protected memory's data is computed again and the result is compared with the saved one; if they agree, the data is correct and has not been modified.
[0006] Patent application No. 201210108928.2 discloses a data backup method, server and hot backup system: during backup of a virtual memory area of a process address space, the flag bits of the virtual memory area are used to judge whether the physical memory pages corresponding to the virtual memory area contain dirty pages, and if so the corresponding memory pages are traversed and the contents of the internal physical dirty pages are saved. [0007] The above patent application can only detect and back up a virtual memory disk on which data tampering may already have occurred; its memory data protection is weak and cannot protect at the source.
Technical problem
[0008] The technical problem to be solved by the present invention is to provide a virtual memory data protection method and system that can effectively prevent memory data from being illegally tampered with while still allowing legitimate writes.
Solution to the problem
Technical solution
[0009] To solve the above technical problem, the technical solution adopted by the present invention is:
[0010] A virtual memory data protection method, comprising:
[0011] setting the attribute of the virtual memory disk to read-only;
[0012] presetting a legal function, where legal write operations to the virtual memory disk call the legal function;
[0013] calling a write function;
[0014] intercepting the write function and modifying the address of the write function to the address of the legal function.
[0015] Another technical solution provided by the present invention is:
[0016] A virtual memory data protection system, comprising:
[0017] a setting module for setting the attribute of the virtual memory disk to read-only;
[0018] a preset module for presetting a legal function, where legal write operations to the virtual memory disk call the legal function;
[0019] a calling module for calling a write function;
[0020] an intercepting module for intercepting the write function and modifying the address of the write function to the address of the legal function.
Advantageous effects of the invention
Beneficial effects
[0021] The beneficial effects of the present invention are as follows. The application-layer virtual memory data protection of the prior art must verify by computing over the memory data; its verification process is complex, it checks only after the fact, and its protection is poor. By contrast, the present invention provides a virtual memory data protection method that sets the attribute of the virtual memory disk to read-only, thereby preventing unauthorized parties from performing any modification of the data on the disk and protecting the virtual memory disk at the source. At the same time a legal function is preset, providing an entry point for legitimate data writes: when the write function is legitimately called, interception is used to change the address of the write function to the address of the legal function, so that the write to the virtual memory disk is carried out. By modifying the attribute of the disk, the present invention builds a protective wall around memory data, protects the virtual memory data at the source and forbids any illegal write, while leaving legitimate writes unaffected; both goals are achieved together.
Brief description of the drawings
[0022] Fig. 1 is a schematic flowchart of the virtual memory data protection method of the present invention;
[0023] Fig. 2 is a schematic flowchart of the virtual memory data protection method of Embodiment 1 of the present invention;
[0024] Fig. 3 is a schematic structural diagram of the virtual memory data protection system of the present invention;
[0025] Fig. 4 is a schematic structural diagram of the intercepting module in the virtual memory data protection system of Embodiment 2 of the present invention;
[0026] Fig. 5 is a schematic diagram of the principle of the virtual memory data protection method and system of the present invention;
[0027] Fig. 6 is a schematic diagram of the legal write function in the virtual memory data protection method and system of the present invention.
[0028] Reference numerals:
[0029] 1, setting module; 2, preset module; 3, calling module; 4, intercepting module;
[0030] 41, first modifying unit; 42, operating unit; 43, second modifying unit.
Detailed description
[0031] The key idea of the present invention is: set the attribute of the virtual memory disk to read-only so that illegal write operations are forbidden; preset a legal function and carry out legal write operations through interception.
[0032] Referring to Fig. 1, Fig. 2, Fig. 3 and Fig. 4, the present invention provides a virtual memory data protection method comprising:
[0033] setting the attribute of the virtual memory disk to read-only;
[0034] presetting a legal function, where legal write operations to the virtual memory disk call the legal function;
[0035] calling a write function;
[0036] intercepting the write function and modifying the address of the write function to the address of the legal function.
[0037] Further, after "intercepting the write function and modifying the address of the write function to the address of the legal function", the method further comprises:
[0038] modifying the attribute of the virtual memory disk to readable and writable; [0039] performing the write operation on the virtual memory disk according to the write function;
[0040] modifying the attribute of the virtual memory disk back to read-only.
[0041] As can be seen from the above, replacing the function address by interception achieves legal writing to the virtual memory disk.
[0042] Further, "calling a write function; intercepting the write function and modifying the address of the write function to the address of the legal function" specifically comprises:
[0043] legitimately calling the write function through the virtual memory disk module;
[0044] the virtual memory disk intercepting the write function, modifying the address of the write function to the address of the legal function and, at the same time, obtaining from the write function the data to be written by the write operation, thereby forming an intercept function; the intercept function correspondingly comprises the operations of modifying the virtual memory disk attribute and writing the corresponding data.
[0045] As can be seen from the above, performing legal writes of virtual memory data through the virtual memory disk module ensures that the identity performing the operation is legitimate, and also improves the efficiency of the function call and of the legal data write.
[0046] Further, the attribute of the virtual memory disk is set by the VirtualProtectEx function.
[0047] Further, the write function is intercepted, and its address modified to the address of the legal function, by the HOOK API technique.
[0048] Referring to Fig. 3 and Fig. 4, another technical solution provided by the present invention is:
[0049] A virtual memory data protection system, comprising:
[0050] a setting module 1 for setting the attribute of the virtual memory disk to read-only;
[0051] a preset module 2 for presetting a legal function, where legal write operations to the virtual memory disk call the legal function;
[0052] a calling module 3 for calling a write function;
[0053] an intercepting module 4 for intercepting the write function and modifying the address of the write function to the address of the legal function.
[0054] As can be seen from the above, the beneficial effects of the present invention are: the setting module 1 sets the attribute of the virtual memory disk and forbids any illegal write operation; the preset module 2 configures the legal function, providing a legal entry for legal write operations; the calling module 3 and the intercepting module 4 implement write operations through the legal entry. The virtual memory data protection system thus protects memory data at the source without affecting legal write operations.
[0055] Further, the intercepting module 4 comprises:
[0056] a first modifying unit 41 for modifying the attribute of the virtual memory disk to readable and writable;
[0057] an operating unit 42 for performing the write operation on the virtual memory disk according to the write function;
[0058] a second modifying unit 43 for modifying the attribute of the virtual memory disk back to read-only.
[0059] Further, a virtual memory disk module is also included, the virtual memory disk module comprising the calling module 3 and the intercepting module 4;
[0060] the calling module is specifically for legitimately calling the write function through the virtual memory disk module;
[0061] the intercepting module is specifically for the virtual memory disk intercepting the write function, modifying the address of the write function to the address of the legal function and, at the same time, obtaining from the write function the data to be written by the write operation, thereby forming an intercept function; the intercept function correspondingly comprises the operations of modifying the virtual memory disk attribute and writing the corresponding data.
[0062] Further, the setting module 1 is specifically for setting the attribute of the virtual memory disk by the VirtualProtectEx function.
[0063] Further, the intercepting module 4 is specifically for intercepting the write function, and modifying its address to the legal function address, by the HOOK API technique.
[0064] Embodiment 1
[0065] Referring to Figs. 1 to 4, a virtual memory data protection method is provided in which the call to the write function is implemented at the application layer. Specifically, it may comprise:
[0066] In the virtual memory of a Windows system process, a region of virtual memory is requested with the VirtualAlloc or VirtualAllocEx function to serve as the virtual memory disk that holds the virtual memory data. After the address of the virtual memory disk has been obtained, the VirtualProtectEx function is used to set the protection attribute of this region to read-only; that is, the virtual memory disk is protected by the protection attribute of the virtual memory region itself. When the attribute of the virtual memory disk is read-only, any write by the program raises an access violation. This feature prevents an unauthorized party's write to the virtual memory disk, or an unexpected error (such as an array out-of-bounds access), from modifying the virtual memory data: the attempted write raises an access violation that forcibly terminates the system process.
[0067] The above operation already forbids any write by an unauthorized party. To ensure that legal writes by a legitimate identity still proceed normally, this embodiment sets a call entry for the legal function (the legal function address); only through this entry, which the legitimate identity alone knows, can operations such as modifying the protection attribute be performed on the virtual memory disk. Specifically, a legal write is implemented as follows:
[0068] A legal function is preset, and legal write operations to the virtual memory disk call the legal function, whose address can only be obtained by a legitimate identity; the legal function contains the operation that modifies the protection attribute of the virtual memory disk;
[0069] The legitimate identity performs a legal write to the virtual memory disk through the virtual memory disk module, optionally by calling the WriteFile write function of the system API; the virtual memory disk module then intercepts the WriteFile write function and, by interception, modifies the address of the WriteFile write function to the address of the legal function, preferably using the HOOK API technique. In this embodiment the interception specifically comprises: replacing the address of the WriteFile write function with the preset legal function address and, at the same time, obtaining the data that the write operation of the WriteFile write function needs to write, thereby forming the intercept function; the intercept function contains the operations of modifying the virtual memory disk attribute and writing the corresponding data. The WriteFile write function after interception is shown in Fig. 4;
[0070] When the program calls the WriteFile write function after the above operations, execution jumps automatically to the intercept function according to the modified address. Following the operations the intercept function points to, the protection attribute of the virtual memory disk is first changed to readable and writable, i.e. PAGE_EXECUTE_READWRITE; then, using the data to be written that was obtained from the WriteFile write function, the virtual memory data on the virtual memory disk is written or modified; after the write operation completes, the intercept function calls the VirtualProtectEx function to restore the virtual memory disk, previously set to readable and writable, to the read-only attribute, i.e. PAGE_READONLY, closing the only legal entry for write operations and preventing accidental modification of the memory data.
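The following C program is an added illustration of the sequence in [0037] to [0040] and Embodiment 1 (it is not code from the patent or its assignee): a page-sized region plays the virtual memory disk and is created read-only, a function pointer stands in for the hooked WriteFile address, and the preset legal function is the only path that opens the write window, copies the data and closes it again. On Windows it uses VirtualAlloc, VirtualProtect and VirtualQuery; elsewhere mmap, mprotect and /proc/self/maps are substituted so the same logic runs on Linux. The function names, the 4 KiB disk size and the sample data are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* The "virtual memory disk": a region kept read-only except inside legal_write. */
static unsigned char *g_disk = NULL;
static size_t g_disk_size = 0;

/* Flip the disk between read-only and read/write.  The patent names PAGE_READONLY and
   PAGE_EXECUTE_READWRITE; PAGE_READWRITE is used here since disk data never executes. */
static int disk_protect(int writable) {
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(g_disk, g_disk_size, writable ? PAGE_READWRITE : PAGE_READONLY, &old) ? 0 : -1;
#else
    return mprotect(g_disk, g_disk_size, writable ? (PROT_READ | PROT_WRITE) : PROT_READ);
#endif
}

/* Allocate the disk (VirtualAlloc in the patent, mmap on POSIX) and lock it at once. */
int disk_create(size_t size) {
#ifdef _WIN32
    g_disk = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!g_disk) return -1;
#else
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    g_disk = p;
#endif
    g_disk_size = size;
    memset(g_disk, 0, size);            /* still writable at this point */
    return disk_protect(0);
}

/* 1 if the disk is read-only, 0 if writable, -1 on error (VirtualQuery / /proc/self/maps). */
int disk_is_readonly(void) {
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQuery(g_disk, &mbi, sizeof mbi)) return -1;
    return mbi.Protect == PAGE_READONLY;
#else
    FILE *maps = fopen("/proc/self/maps", "r");
    unsigned long lo, hi, want = (unsigned long)(size_t)g_disk;
    char perms[5];
    int result = -1;
    if (!maps) return -1;
    while (fscanf(maps, "%lx-%lx %4s%*[^\n]", &lo, &hi, perms) == 3)
        if (lo <= want && want < hi) { result = (perms[1] != 'w'); break; }
    fclose(maps);
    return result;
#endif
}

typedef int (*write_fn)(size_t offset, const void *data, size_t len);
/* Before the hook: the entry refuses everything, since a raw store would fault. */
static int refuse_write(size_t offset, const void *data, size_t len) {
    (void)offset; (void)data; (void)len;
    return -1;
}

/* The preset legal function: the only path that opens the window, writes, and closes it. */
static int legal_write(size_t offset, const void *data, size_t len) {
    if (!g_disk || offset > g_disk_size || len > g_disk_size - offset) return -1;  /* stay inside the disk */
    if (disk_protect(1) != 0) return -1;
    memcpy(g_disk + offset, data, len);
    return disk_protect(0);             /* restore read-only even after a successful copy */
}

/* The address application code goes through: stands in for the hooked WriteFile entry. */
static write_fn g_write_entry = refuse_write;

/* Interception step of the patent: replace the entry's address with the legal function's. */
void hook_write_entry(void) { g_write_entry = legal_write; }

/* Application-side call; it never handles the legal function's address itself. */
int app_write(size_t offset, const void *data, size_t len) { return g_write_entry(offset, data, len); }

/* 1 if the disk holds the expected bytes at offset, else 0. */
int disk_matches(size_t offset, const void *expect, size_t len) {
    if (!g_disk || offset > g_disk_size || len > g_disk_size - offset) return 0;
    return memcmp(g_disk + offset, expect, len) == 0;
}

int main(void) {
    if (disk_create(4096) != 0) return 1;                              /* constructed: one 4 KiB disk */
    printf("read-only after create: %d\n", disk_is_readonly());        /* 1 */
    printf("write before hook: %d\n", app_write(0, "hello", 6));       /* -1, refused */
    hook_write_entry();
    printf("write after hook: %d\n", app_write(0, "hello", 6));        /* 0 */
    printf("disk holds \"hello\": %d, read-only again: %d\n",
           disk_matches(0, "hello", 6), disk_is_readonly());           /* 1, 1 */
    printf("write past the end: %d\n", app_write(4092, "hello", 6));   /* -1, bounds check */
    return 0;
}
```

The bounds check in legal_write and the unconditional restore to read-only are the two places where a real hook of this kind most often goes wrong; the window must close even when the copy succeeds, and must never open for a write that reaches past the disk.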
[0071] Embodiment 2
[0072] Referring to Fig. 5 and Fig. 6, on the basis of Embodiment 1 this embodiment provides a virtual memory data protection system comprising:
[0073] a setting module 1 for setting the attribute of the virtual memory disk to read-only, optionally by the VirtualProtectEx function;
[0074] a preset module 2 for presetting a legal function, where legal write operations to the virtual memory disk call the legal function; [0075] a calling module 3 for calling a write function;
[0076] an intercepting module 4 for intercepting the write function and modifying the address of the write function to the address of the legal function, optionally implemented by HOOK API interception or another interception technique; the intercepting module 4 specifically comprises a first modifying unit 41 for modifying the attribute of the virtual memory disk to readable and writable, an operating unit 42 for performing the write operation on the virtual memory disk according to the write function, and a second modifying unit 43 for modifying the attribute of the virtual memory disk back to read-only.
[0077] Optionally, a virtual memory disk module is also included, the virtual memory disk module comprising the calling module 3 and the intercepting module 4;
[0078] the calling module 3 is specifically for legitimately calling the write function through the virtual memory disk module;
[0079] the intercepting module 4 is specifically for the virtual memory disk intercepting the write function, modifying the address of the write function to the address of the legal function and, at the same time, obtaining from the write function the data to be written by the write operation, thereby forming an intercept function; the intercept function correspondingly comprises the operations of modifying the virtual memory disk attribute and writing the corresponding data.
[0080] In summary, the virtual memory data protection method and system provided by the present invention can forbid any illegal write operation to the virtual memory disk and prevent unexpected program errors from corrupting the virtual memory data; at the same time a write entry is reserved for the legitimate identity, ensuring that legal modification of the virtual memory data proceeds; further, legal writes are implemented by HOOK API interception, which is simple to operate and highly secure. Based on the protection principle of the read/write attribute of the virtual memory disk, the present invention builds a protective wall around memory data, protects the virtual memory data at the source and forbids any illegal write, while leaving legitimate writes unaffected; both goals are achieved together.

Claims

权利要求书 Claim
[权利要求 1] 一种虚拟内存数据的保护方法, 其特征在于, 包括  [Claim 1] A method for protecting virtual memory data, comprising:
设置虚拟内存磁盘的属性为只读;  Set the properties of the virtual memory disk to read-only;
预设合法函数, 所述虚拟内存磁盘的合法写入操作调用所述合法函数 调用写入函数;  Presetting a legal function, the legal write operation of the virtual memory disk calls the legal function to call a write function;
拦截所述写入函数, 修改所述写入函数的地址为所述合法函数的地址 如权利要求 1所述的一种虚拟内存数据的保护方法, 其特征在于, 所 述"拦截所述写入函数, 修改所述写入函数的地址为所述合法函数的 地址"之后, 进一步包括:  Intersecting the write function, modifying an address of the write function to an address of the legal function, and a method for protecting virtual memory data according to claim 1, wherein the intercepting the write The function, after modifying the address of the write function to the address of the legal function, further includes:
修改虚拟内存磁盘的属性为可读写;  Modify the properties of the virtual memory disk to be readable and writable;
依据所述写入函数, 对所述虚拟内存磁盘执行写入操作;  Performing a write operation on the virtual memory disk according to the write function;
修改虚拟内存磁盘的属性为只读。  Modify the properties of the virtual memory disk to read-only.
如权利要求 1所述的一种虚拟内存数据的保护方法, 其特征在于, 所 述"调用写入函数; 拦截所述写入函数, 修改所述写入函数的地址为 所述合法函数的地址 "具体为:  A method for protecting virtual memory data according to claim 1, wherein: said "calling a write function; intercepting said write function, modifying an address of said write function to an address of said legal function "Specifically:
通过虚拟内存磁盘模块合法调用写入函数;  The write function is legally called by the virtual memory disk module;
虚拟内存磁盘拦截所述写入函数, 修改所述写入函数的地址为所述合 法函数的地址, 同吋依据所述写入函数, 获取写入操作对应的写入数 据, 构成拦截函数, 所述拦截函数对应包括修改虚拟内存磁盘属性以 及写入对应数据的操作。  The virtual memory disk intercepts the write function, modifies an address of the write function to an address of the legal function, and obtains a write data corresponding to the write operation according to the write function, thereby forming an intercept function. The interception function corresponds to an operation of modifying a virtual memory disk attribute and writing corresponding data.
如权利要求 1所述的一种虚拟内存数据的保护方法, 其特征在于, 通 过 VirtualProtectEx函数设置所述虚拟内存磁盘的属性。  The method for protecting virtual memory data according to claim 1, wherein the attribute of the virtual memory disk is set by a VirtualProtectEx function.
如权利要求 1所述的一种虚拟内存数据的保护方法, 其特征在于, 通 过 HOOK API技术拦截所述写入函数, 修改所述写入函数的地址为所 述合法函数的地址。  A method for protecting virtual memory data according to claim 1, wherein the write function is intercepted by a HOOK API technique, and an address of the write function is modified to be an address of the legal function.
一种虚拟内存数据的保护系统, 其特征在于, 包括 设置模块, 用于设置虚拟内存磁盘的属性为只读; A virtual memory data protection system, characterized in that Setting a module, the attribute for setting the virtual memory disk is read-only;
a preset module, configured to preset a legal function, wherein a legal write operation on the virtual memory disk calls the legal function;
a calling module, configured to call a write function;
an intercepting module, configured to intercept the write function and to modify the address of the write function to the address of the legal function.
The virtual memory data protection system of claim 6, wherein the intercepting module comprises:
a first modifying unit, configured to modify the attribute of the virtual memory disk to readable and writable;
an operation unit, configured to perform the write operation on the virtual memory disk according to the write function;
a second modifying unit, configured to modify the attribute of the virtual memory disk back to read-only.
The virtual memory data protection system of claim 6, further comprising a virtual memory disk module, wherein the virtual memory disk module comprises the calling module and the intercepting module;
the calling module is specifically configured to legally call the write function through the virtual memory disk module; the intercepting module is specifically configured to intercept, for the virtual memory disk, the write function, to modify the address of the write function to the address of the legal function, and at the same time to obtain, according to the write function, the write data corresponding to the write operation, so as to form an interception function, the interception function correspondingly comprising the operations of modifying the attribute of the virtual memory disk and writing the corresponding data.
The virtual memory data protection system of claim 6, wherein the setting module is specifically configured to set the attribute of the virtual memory disk through the VirtualProtectEx function.
The virtual memory data protection system of claim 6, wherein the intercepting module is specifically configured to intercept the write function through API hooking (HOOK API) technology, and to modify the address of the write function to the address of the legal function.
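The write-interception pattern these claims describe (hook the write function, redirect it to the legal function, which makes the virtual memory disk writable, performs the write, and sets it back to read-only), as an added example that is not part of the patent or of the applicant's code. The claims name the Windows calls VirtualProtectEx and API hooking; this example assumes a POSIX system instead and substitutes mmap/mprotect for the page-protection call and a function-pointer swap for the IAT or inline hook. Every name in it (vdisk, raw_write, legal_write, install_hook, vdisk_direct_write_faults) is the example's own, and the one-page "disk" and the "sector0" payload are constructed inputs.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The "virtual memory disk": one anonymous page, kept PROT_READ except while a
 * legal write is in progress. mmap/mprotect stand in here for the Windows
 * VirtualAlloc/VirtualProtectEx calls the claims name (assumption: POSIX host). */
static unsigned char *vdisk;
static size_t vdisk_size;

static int in_bounds(size_t offset, size_t len) {
    return offset <= vdisk_size && len <= vdisk_size - offset;
}

/* The original write function: a plain copy into the disk. Reached outside the
 * legal function, it stores into a read-only page and faults. */
static int raw_write(size_t offset, const void *data, size_t len) {
    if (!in_bounds(offset, len)) return -1;
    memcpy(vdisk + offset, data, len);
    return 0;
}

/* The legal function of claim 6, built from the three units of the following
 * claim: first modifying unit (RW), operation unit (write), second modifying
 * unit (RO). Protection is restored even though the write itself may fail. */
static int legal_write(size_t offset, const void *data, size_t len) {
    if (!in_bounds(offset, len)) return -1;
    if (mprotect(vdisk, vdisk_size, PROT_READ | PROT_WRITE) != 0) return -1;
    int rc = raw_write(offset, data, len);
    if (mprotect(vdisk, vdisk_size, PROT_READ) != 0) return -1;
    return rc;
}

/* The entry point callers use. The intercepting module "modifies the address
 * of the write function to the address of the legal function": here that is a
 * pointer swap, a stand-in for an IAT or inline hook. */
static int (*write_fn)(size_t, const void *, size_t) = raw_write;

static void install_hook(void) { write_fn = legal_write; }

int vdisk_init(void) {
    vdisk_size = (size_t)sysconf(_SC_PAGESIZE);
    vdisk = mmap(NULL, vdisk_size, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (vdisk == MAP_FAILED) return -1;
    memset(vdisk, 0, vdisk_size);
    if (mprotect(vdisk, vdisk_size, PROT_READ) != 0) return -1;  /* disk starts read-only */
    install_hook();
    return 0;
}

size_t vdisk_capacity(void) { return vdisk_size; }

/* Every caller goes through the (hooked) write function. */
int vdisk_write(size_t offset, const void *data, size_t len) {
    return write_fn(offset, data, len);
}

int vdisk_read_byte(size_t offset) {
    return offset < vdisk_size ? vdisk[offset] : -1;
}

/* Probe: a store that bypasses the hooked entry point. The access violation
 * (SIGSEGV, or SIGBUS on some systems) is caught and turned into a return value
 * so the fault is observable rather than fatal. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int vdisk_direct_write_faults(size_t offset, unsigned char value) {
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old_segv) != 0) return -1;
    if (sigaction(SIGBUS, &sa, &old_bus) != 0) return -1;
    if (sigsetjmp(fault_env, 1) == 0)
        ((volatile unsigned char *)vdisk)[offset] = value;   /* not via write_fn */
    else
        faulted = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void) {
    if (vdisk_init() != 0) return 1;
    int rc = vdisk_write(0, "sector0", 8);
    printf("hooked write rc=%d, byte0=%c\n", rc, vdisk_read_byte(0));
    printf("direct write faults: %d\n", vdisk_direct_write_faults(0, 'X'));
    return 0;
}
```

The probe shows what the read-only attribute buys: a store that skips the hooked entry point faults instead of silently landing on the disk, and a write through the hook leaves the page read-only afterwards. It also shows the limit of the scheme: the hook and the legal function run in the same address space as the caller, so any code already executing in that process can call mprotect (or VirtualProtectEx) itself, call the legal function directly, or restore the original write address. The mechanism is a guard against stray or accidental writes, not a boundary against an attacker with code execution in the process.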
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201511025006.5A CN105653980B (en) 2015-12-30 2015-12-30 A kind of guard method and its system of virtual memory data
CN201511025006.5 2015-12-30

Publications (1)

Publication Number Publication Date
WO2017113781A1 true WO2017113781A1 (en) 2017-07-06

Family

ID=56490786

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/092339 WO2017113781A1 (en) 2015-12-30 2016-07-29 Virtual memory data protection method and system

Country Status (2)

Country Link
CN (1) CN105653980B (en)
WO (1) WO2017113781A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653980B (en) * 2015-12-30 2019-06-11 福建联迪商用设备有限公司 A kind of guard method and its system of virtual memory data
CN106708631B (en) * 2016-11-30 2020-06-09 福建省天奕网络科技有限公司 Shared memory attribute modifying method and system
CN108491287A (en) * 2018-03-21 2018-09-04 闻泰通讯股份有限公司 Memory address monitoring method, device and electronic equipment
CN108958926B (en) * 2018-05-25 2021-09-07 厦门普杰信息科技有限公司 Darwin streaming media server-based virtual memory pool design method
CN109558375B (en) * 2018-12-05 2021-03-16 武汉斗鱼网络科技有限公司 Optimized file storage method, storage medium, equipment and system

Citations (5)

Publication number Priority date Publication date Assignee Title
CN102063585A (en) * 2010-10-29 2011-05-18 华南理工大学 Xen based secure virtual disk access control method
CN102385486A (en) * 2010-09-03 2012-03-21 深圳市拾三意强者科技有限公司 Method and device for penetrating and reducing disk and equipment
CN102855138A (en) * 2012-07-20 2013-01-02 腾讯科技(深圳)有限公司 Application program interface (API) intercepting method and device and mobile terminal
CN105550582A (en) * 2015-12-11 2016-05-04 福建联迪商用设备有限公司 Method and system for accessing to virtual disk
CN105653980A (en) * 2015-12-30 2016-06-08 福建联迪商用设备有限公司 Virtual memory data protection method and system

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
FR2906624A1 (en) * 2006-10-03 2008-04-04 Bull S A S Soc Par Actions Sim Generated data storing system, has management module utilizing calculation result for managing priorities in accessing time by system for copying data of new volumes of virtual bookshop to virtual volumes of physical bookshop
CN101833485B (en) * 2010-03-23 2011-12-21 杭州顺网科技股份有限公司 System protection method based on snapshot
CN101908108A (en) * 2010-07-08 2010-12-08 福建升腾资讯有限公司 Write-protection method of NOVELL mirror image of local DOS (Disk Operating System) disc
CN102662799B (en) * 2012-04-13 2015-01-21 华为技术有限公司 Data backup method, server and hot backup system
CN103559450B (en) * 2013-10-11 2016-01-13 南京邮电大学 A kind of electronic tag data guard method based on kernel-driven Hook Technique
CN103617135B (en) * 2013-11-26 2016-10-26 深圳市江波龙电子有限公司 The method and device of digital independent in a kind of storage device
CN104680079A (en) * 2015-02-04 2015-06-03 上海信息安全工程技术研究中心 Electronic document security management system and electronic document security management method

Also Published As

Publication number Publication date
CN105653980B (en) 2019-06-11
CN105653980A (en) 2016-06-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16880576; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16880576; Country of ref document: EP; Kind code of ref document: A1