File access filtering method

A file access filtering method, applied in the field of network security, that addresses reduced efficiency, unnecessary memory and CPU resource consumption, and the lack of any record of illegally operated files, thereby speeding up path comparison.

Active Publication Date: 2011-09-21
北京思创银联科技股份有限公司

AI Technical Summary

Problems solved by technology

[0006] The disadvantages of the above implementation methods are:

1. Relatively low efficiency: since all access to files and folders must pass through the ZwCreateFile function, many of the path comparisons are actually comparisons of device and folder paths. Because the white list is relatively long, performing a complete comparison lowers efficiency considerably, and these comparisons consume memory and CPU resources redundantly, increasing the risk of system instability.

2. No record of the files that have been illegally operated on: when the user's files are illegally operated on while the product is protecting them, the user does not know which files were illegally operated on or by which process, so that process has the opportunity to operate on the files again.


Embodiment Construction

[0021] The specific implementation manners of the present invention will be described in further detail below in conjunction with the accompanying drawings and examples. The following examples are used to illustrate the present invention, but are not intended to limit the scope of the present invention.

[0022] As shown in Figure 1, the file access filtering method of the present invention comprises the following steps:

[0023] S1: handle the I/O request packet (IRP) request categories and the driver unload request (DriverUnload), and install the corresponding dispatch functions;

[0024] S2: handle the user-layer call and send a call command to the kernel layer. For example, when the user layer sends a start command, the kernel layer looks up the address of the Windows kernel function ZwCreateFile in the System Service Descriptor Table (SSDT) and replaces it with the address of the custom function MyCreateFile, which completes the hook;

...


Abstract

The invention discloses a file access filtering method, which belongs to the technical field of network security. The method comprises the following steps: S1) handling the IRP (I/O request packet) request categories and the driver unload request, and installing the corresponding dispatch functions; S2) handling the user-layer call and sending a call command to the kernel layer; S3) in the custom function, when the Windows kernel function is called, obtaining the passed-in Handle from the parameters and calling a system kernel function to query whether the path corresponding to the Handle is a folder path; if it is a folder path and does not contain a disk drive, no comparison is performed, and if it is a file path, it is compared against the white list; and S4) notifying the user-layer application, through a shared event created between the user layer and the kernel layer, to retrieve the illegal-access file information recorded in a BackList, which the user-layer application then writes to a log file. With this method, the user can conveniently take further measures to protect personal files.
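The S3 decision and the S4 hand-off from the abstract, modelled in user-mode C as an added illustration; it is not code from the patent and contains no kernel or hook code. The white-list contents, the record fields (path and process ID), the drive-letter test, comparing folder paths that do carry a drive, and the names `filter_access` and `drain_backlist` are assumptions; `is_dir` stands in for the kernel query on the Handle, and the shared event is reduced to a direct call.

```c
#include <ctype.h>
#include <stdio.h>

enum verdict { SKIPPED, ALLOWED, ILLEGAL };
struct record { char path[260]; unsigned pid; };
/* Assumption: the white list holds permitted file paths (constructed samples). */
static const char *whitelist[] = { "C:\\Users\\alice\\notes.txt",
                                   "C:\\Users\\alice\\report.doc" };
#define WL_LEN (sizeof whitelist / sizeof whitelist[0])
static struct record backlist[16];   /* "BackList", as the page names it */
static int backlist_len, compare_count;

/* Assumption: "contains a disk drive" means a leading drive letter. */
static int has_drive(const char *p) { return isalpha((unsigned char)p[0]) && p[1] == ':'; }

/* Windows paths are case-insensitive, so compare that way. */
static int path_eq(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* is_dir stands in for the kernel query made on the Handle in S3. */
enum verdict filter_access(const char *path, int is_dir, unsigned pid) {
    if (is_dir && !has_drive(path)) return SKIPPED;   /* no white-list comparison */
    for (size_t i = 0; i < WL_LEN; i++) {
        compare_count++;                 /* counts comparisons actually performed */
        if (path_eq(path, whitelist[i])) return ALLOWED;
    }
    if (backlist_len < 16) {             /* record which process touched which file */
        snprintf(backlist[backlist_len].path, 260, "%s", path);
        backlist[backlist_len++].pid = pid;
    }
    return ILLEGAL;
}

/* S4, user-layer side: write the recorded entries to the log, then clear them. */
int drain_backlist(FILE *log) {
    int n = backlist_len;
    for (int i = 0; i < n; i++)
        fprintf(log, "illegal access pid=%u path=%s\n", backlist[i].pid, backlist[i].path);
    backlist_len = 0;
    return n;
}

int main(void) {                         /* constructed sample calls */
    filter_access("\\Device\\HarddiskVolume1\\Users", 1, 1234);
    filter_access("C:\\Users\\alice\\secret.key", 0, 4321);
    return drain_backlist(stdout) == 1 ? 0 : 1;
}
```

`compare_count` stays at zero for the folder path, which is the saving the method claims over comparing every path that reaches the hooked function.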

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a file access filtering method.

Background technique

[0002] As computers and the Internet have increasingly become an indispensable part of people's lives, personal file security issues have received more and more attention. Many malicious programs or Trojan horses secretly scan the user's files without the user's knowledge, and even upload the files to the designated server.

[0003] Under the Windows platform, the operating system is divided into two parts: the user layer (also called Ring3 layer) and the kernel layer (also called Ring0 layer). The API interfaces provided by Windows all call the kernel functions of the Ring0 layer from the Ring3 layer to realize the functions. It can be said that if you want to protect your computer and files, it is essential to take measures at the Ring0 layer.

[0004] Currently, file protection products developed on the market ...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): G06F21/22, G06F9/46, G06F21/10
Inventor: 于晓军, 万雪松, 赵辰清
Owner: 北京思创银联科技股份有限公司