Title: Research and implementation of file security mechanisms based on file system filter driver
Authors: Cong Zhang, Yumei Wu, Zhengwei Yu, Zhiqiang Li
DOI: 10.1109/RAM.2017.7889772 (https://doi.org/10.1109/RAM.2017.7889772)
Published in: 2017 Annual Reliability and Maintainability Symposium (RAMS)
Citations: 5
Abstract
First, the key components of the Windows kernel are examined with the standard kernel tools: each component is analyzed and debugged against verification procedures, and its objects are studied at the executable level, in order to understand the internal workings of each component and to become familiar with the kernel debugger, laying the foundation for the in-depth kernel development that follows. The paper then studies the techniques commonly used by malicious programs, including hidden processes, hidden images and files, and the various hooking techniques, and on that basis gives the principles of countermeasures against these kinds of malicious behaviour, implemented by means of a file system filter driver. A file system filter driver module is designed and implemented. The module performs basic encryption and decryption; a simple XOR operation is used as the cipher, because the choice of cipher does not affect the research goal, which is to study the Windows kernel through the development of a file system filter driver. For the transparent encryption and decryption module, the paper mainly describes how each core routine is implemented from custom data structures combined with the kernel's file-operation flow, and gives a detailed logic flow diagram and textual description for each core processing routine. It also explains the basic data structures used in Windows kernel driver development; combining these with knowledge of the Windows kernel components and of the functional requirements allows a number of important data types to be customized. These custom data types include the on-disk encryption identifier that marks an encrypted file, and the in-memory process control block used to protect legitimate processes. The core of the paper is to work out how file operations are processed in the kernel, and to use this to build the kernel-level processing flow of the transparent encryption and decryption code module.
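The transparent encryption and decryption flow the abstract describes, as an added user-mode model in C that is not the paper's code and does not run in the kernel: an on-disk identifier marks encrypted files, a small table of trusted process IDs stands in for the in-memory process control block, the write path stores ciphertext and the read path returns plaintext only to a trusted process. The identifier value FSFLTENC, the single-byte key 0x5A, the PID table, the function names and the fixed-size file buffer are all assumptions of this example; the real driver would do the same work in its read and write dispatch routines, which the abstract does not name. The last function shows why the paper treats XOR as a placeholder cipher: one known plaintext byte recovers the key for the whole file.

```c
/* Added example, not the paper's code: user-mode model of a transparent
 * encryption filter. Header value, key, PID table and buffer size are
 * assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_MAGIC     "FSFLTENC"   /* hypothetical on-disk encryption identifier */
#define ENC_MAGIC_LEN 8
#define MAX_FILE      256

static const uint8_t driver_key = 0x5A;  /* hypothetical single-byte XOR key */

/* Simulated on-disk file: exactly what a raw reader (or a disk dump) sees. */
typedef struct {
    uint8_t data[MAX_FILE];
    size_t  len;
} disk_file_t;

/* Model of the process control block: PIDs allowed to see plaintext. */
static const uint32_t trusted_pids[] = { 1234, 5678 };

static int process_is_trusted(uint32_t pid) {
    for (size_t i = 0; i < sizeof trusted_pids / sizeof trusted_pids[0]; i++)
        if (trusted_pids[i] == pid) return 1;
    return 0;
}

/* The paper's placeholder cipher: byte-wise XOR with a single key byte. */
static void xor_transform(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Encryption identifier check: does the file carry the header? */
static int file_is_encrypted(const disk_file_t *f) {
    return f->len >= ENC_MAGIC_LEN && memcmp(f->data, ENC_MAGIC, ENC_MAGIC_LEN) == 0;
}

/* Write path: a trusted process's plaintext is stored behind the identifier
 * as ciphertext. Untrusted writers are refused so they cannot replace a
 * protected file with plaintext. Returns plaintext bytes stored, or -1. */
static int filter_write(disk_file_t *f, uint32_t pid, const uint8_t *plain, size_t n) {
    if (!process_is_trusted(pid)) return -1;
    if (n + ENC_MAGIC_LEN > MAX_FILE) return -1;
    memcpy(f->data, ENC_MAGIC, ENC_MAGIC_LEN);
    memcpy(f->data + ENC_MAGIC_LEN, plain, n);
    xor_transform(f->data + ENC_MAGIC_LEN, n, driver_key);
    f->len = n + ENC_MAGIC_LEN;
    return (int)n;
}

/* Read path: a trusted process gets the plaintext with the header stripped
 * (transparent to the application); anyone else gets the raw on-disk bytes,
 * which is also what a plain, unmarked file returns. Returns bytes copied. */
static size_t filter_read(const disk_file_t *f, uint32_t pid, uint8_t *out, size_t cap) {
    if (!file_is_encrypted(f) || !process_is_trusted(pid)) {
        size_t n = f->len < cap ? f->len : cap;
        memcpy(out, f->data, n);
        return n;
    }
    size_t n = f->len - ENC_MAGIC_LEN;
    if (n > cap) n = cap;
    memcpy(out, f->data + ENC_MAGIC_LEN, n);
    xor_transform(out, n, driver_key);
    return n;
}

/* Why XOR is only a research placeholder: with one known plaintext byte an
 * attacker who can read the raw file recovers the key for every byte. */
static uint8_t recover_xor_key(const disk_file_t *f, uint8_t known_first_plain_byte) {
    return f->data[ENC_MAGIC_LEN] ^ known_first_plain_byte;
}

int main(void) {
    disk_file_t f;
    memset(&f, 0, sizeof f);
    const uint8_t msg[] = "secret payroll data";   /* constructed sample input */
    size_t n = sizeof msg - 1;
    uint8_t out[MAX_FILE];

    filter_write(&f, 1234, msg, n);
    size_t got = filter_read(&f, 1234, out, sizeof out);
    printf("trusted pid reads %zu bytes: %.*s\n", got, (int)got, out);
    got = filter_read(&f, 9999, out, sizeof out);
    printf("untrusted pid reads %zu raw bytes, header %.8s\n", got, out);
    printf("key recovered from known plaintext 's': 0x%02X\n", recover_xor_key(&f, 's'));
    return 0;
}
```

The trust decision is made per process on every read, which is the property the abstract's process control block provides; note that the untrusted read still succeeds and returns ciphertext, so a reader that can guess one plaintext byte needs nothing more than that to strip the protection, which is the reason a deployable driver would replace the XOR step with an authenticated cipher.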