File tamper-proofing method and device

Document No.: 1086814. Publication date: 2020-10-20.

Reading note: this technology, "File tamper-proofing method and device", was designed by 孙家彦, 刘仙跃 and 王暘 on 2020-09-08. Main content: The embodiment of the invention provides a file tamper-proofing method and device, which can achieve the purposes of file tamper-proofing and data security improvement. The method comprises the following steps: acquiring a first logical sector address range to which a protected file belongs; acquiring a second logical sector address of the current file operation; and if the second logical sector address is within the first logical sector address range, refusing to execute the operation.

1. A method of tamper-proofing a document, comprising:

acquiring a first logic sector address range to which a protected file belongs;

acquiring a second logical sector address of the current file operation;

and if the second logical sector address is within the first logical sector address range, refusing to execute the operation.

2. The method according to claim 1, wherein the obtaining the first logical sector address range to which the protected file belongs comprises:

acquiring the file system type of a volume where a protected file is located;

obtaining DBR information of a partition boot sector of a volume where the protected file is located;

if the file system type is Fat32, acquiring a first cluster number occupied by the protected file, and acquiring a cluster number occupied by the protected file through the first cluster number; acquiring a first logical sector address range to which the protected file belongs based on the DBR information, the cluster number and a data area starting address determined based on the DBR information;

if the file system type is NTFS and the first cluster number occupied by the protected file is not successfully acquired, acquiring a first logical sector address range to which the protected file belongs based on the DBR information and the acquired file record number;

if the file system type is NTFS and the first cluster number occupied by the protected file is successfully acquired, acquiring the cluster number occupied by the protected file through the first cluster number; and acquiring a first logic sector address range to which the protected file belongs based on the DBR information and the cluster number.

3. The method according to claim 2, wherein the obtaining the first logical sector address range to which the protected file belongs based on the DBR information, the cluster number, and the data area start address determined based on the DBR information comprises:

reading the number of partition reserved sectors, the number of partition Fat tables, the number of sectors occupied by Fat tables and the size of the sectors based on the DBR information;

calculating the initial address of the data area based on the number of the partition reserved sectors, the number of the partition Fat tables, the number of sectors occupied by the Fat tables and the size of the sectors;

and calculating the first logic sector address range based on the data area starting address, the cluster number, the corresponding sector number of each cluster and the size of the sector.

4. The method for preventing file tampering as claimed in claim 3, wherein the calculating the starting address of the data area based on the number of the partition reserved sectors, the number of the partition Fat tables, the number of sectors occupied by the Fat tables and the sector size comprises:

calculating the starting address of the data area by the following expression:

data area start address = (number of partition reserved sectors + number of partition Fat tables × number of sectors occupied by a Fat table) × sector size.

5. The method of claim 3, wherein the calculating the first logical sector address range based on the data area start address, the cluster number, and the corresponding number of sectors per cluster and the sector size comprises:

calculating the first logical sector address range by the expression:

the first logical sector address range = data area start address + cluster number × number of sectors per cluster × sector size.

6. The method according to claim 2, wherein the obtaining the first logical sector address range to which the protected file belongs based on the DBR information and the obtained file record number includes:

reading a partitioned MFT start cluster, a number of sectors per cluster, and a sector size based on the DBR information;

and calculating the first logical sector address range based on the partition MFT starting cluster, the number of sectors in each cluster, the size of the sectors and the acquired file recording number.

7. The file tamper-proofing method according to claim 6, wherein said calculating the first logical sector address range based on the partition MFT start cluster, the number of sectors per cluster, the sector size, and the obtained file record number comprises:

calculating the first logical sector address range by the expression:

the first logical sector address range = MFT start cluster × number of sectors per cluster × sector size + file record number × 1024.

8. The method according to claim 2, wherein the obtaining the first logical sector address range to which the protected file belongs based on the DBR information and the cluster number comprises:

reading the number of sectors and the size of the sectors in each cluster based on the DBR information;

and calculating to obtain the address range of the first logic sector based on the cluster number, the number of sectors in each cluster and the size of the sectors.

9. The method of claim 8, wherein the calculating the first logical sector address range based on the cluster number, the number of sectors per cluster, and the sector size comprises:

calculating the first logical sector address range by the expression:

the first logical sector address range = cluster number × number of sectors per cluster × sector size.

10. A document anti-tampering device, comprising:

the first acquisition unit is used for acquiring a first logical sector address range to which the protected file belongs;

the second acquisition unit is used for acquiring a second logical sector address of the current file operation;

a rejecting unit configured to reject the operation if the second logical sector address is within the first logical sector address range.

Technical Field

The invention relates to the technical field of computers, in particular to a file tamper-proofing method and device.

Background

Since the modern society enters the information-based and digital era, the information-based office has profound influence on the work, study and life of people and becomes a great driving force for the development of culture. The file is used as a key part of information storage and record and a software program in the information age, and the read-write access and modification control on the file are particularly important in maintaining the safety life cycle of the system. In practical application, the security software needs to perform read-write access limitation on data files, program files and the like in the self directory so as to prevent the security software from being damaged or tampered by others or other programs and avoid influencing the functions of the software.

In the existing scheme, file tampering prevention is realized by a file filter driver. In use, some security policies, such as the full path of the file (folder) to be protected, the hash value of the file content, the corresponding control level, and the like, need to be set in advance. If third-party software or a program operates on the file, the file filter driver captures the operation, and routines such as IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION are then processed in the filter driver to obtain the full path name of the file being operated on and the hash value of its content. The full path name and the hash value are matched against the preset policy, and if the matching succeeds, the access-denied status STATUS_ACCESS_DENIED is returned, so that the anti-tampering purpose is achieved.

However, for hexadecimal tool software such as winhex, when the software is used for file operation, the existing scheme cannot be tamper-proof, and the data security is not high. Therefore, how to prevent the software from tampering with the file is a problem which needs to be solved urgently at present.

Disclosure of Invention

The embodiment of the invention provides a file tamper-proofing method and device, which are used for solving the defects that related software cannot be prevented from tampering files and the data security is not high in the prior art, and the purposes of file tamper-proofing and data security improvement are achieved.

The embodiment of the invention provides a file tamper-proofing method, which comprises the following steps:

acquiring a first logic sector address range to which a protected file belongs;

acquiring a second logical sector address of the current file operation;

and if the second logical sector address is within the first logical sector address range, refusing to execute the operation.

According to an embodiment of the present invention, the method for preventing file tampering, where the obtaining a first logical sector address range to which a protected file belongs, includes:

acquiring the file system type of a volume where a protected file is located;

obtaining DBR information of a partition boot sector of a volume where the protected file is located;

if the file system type is Fat32, acquiring a first cluster number occupied by the protected file, and acquiring a cluster number occupied by the protected file through the first cluster number; acquiring a first logical sector address range to which the protected file belongs based on the DBR information, the cluster number and a data area starting address determined based on the DBR information;

if the file system type is NTFS and the first cluster number occupied by the protected file is not successfully acquired, acquiring a first logical sector address range to which the protected file belongs based on the DBR information and the acquired file record number;

if the file system type is NTFS and the first cluster number occupied by the protected file is successfully acquired, acquiring the cluster number occupied by the protected file through the first cluster number; and acquiring a first logic sector address range to which the protected file belongs based on the DBR information and the cluster number.

According to an embodiment of the present invention, the obtaining a first logical sector address range to which the protected file belongs based on the DBR information, the cluster number, and a data area start address determined based on the DBR information includes:

reading the number of partition reserved sectors, the number of partition Fat tables, the number of sectors occupied by Fat tables and the size of the sectors based on the DBR information;

calculating the initial address of the data area based on the number of the partition reserved sectors, the number of the partition Fat tables, the number of sectors occupied by the Fat tables and the size of the sectors;

and calculating the first logic sector address range based on the data area starting address, the cluster number, the corresponding sector number of each cluster and the size of the sector.

According to an embodiment of the present invention, the method for preventing file tampering, where the first logical sector address range is obtained by calculation based on the starting address of the data area, the cluster number, the number of corresponding sectors per cluster, and the size of the sector, includes:

calculating the first logical sector address range by the expression:

the first logical sector address range = data area start address + cluster number × number of sectors per cluster × sector size.

According to the file tamper-proofing method of an embodiment of the present invention, the obtaining the first logical sector address range to which the protected file belongs based on the DBR information and the obtained file record number includes:

reading a partitioned MFT start cluster, a number of sectors per cluster, and a sector size based on the DBR information;

and calculating the first logical sector address range based on the partition MFT starting cluster, the number of sectors in each cluster, the size of the sectors and the acquired file recording number.

According to an embodiment of the present invention, the method for preventing file tampering, where the first logical sector address range is obtained by calculation based on the partition MFT start cluster, the number of sectors per cluster, the size of sectors, and the obtained file record number, includes:

calculating the first logical sector address range by the expression:

the first logical sector address range = MFT start cluster × number of sectors per cluster × sector size + file record number × 1024.

According to an embodiment of the present invention, the obtaining a first logical sector address range to which the protected file belongs based on the DBR information and the cluster number includes:

reading the number of sectors and the size of the sectors in each cluster based on the DBR information;

and calculating to obtain the address range of the first logic sector based on the cluster number, the number of sectors in each cluster and the size of the sectors.

According to an embodiment of the present invention, the method for preventing file tampering, where the first logical sector address range is obtained by calculation based on the cluster number, the number of sectors per cluster, and the size of sectors, includes:

calculating the first logical sector address range by the expression:

the first logical sector address range = cluster number × number of sectors per cluster × sector size.

An embodiment of the present invention further provides a file tamper-proofing device, including:

the first acquisition unit is used for acquiring a first logical sector address range to which the protected file belongs;

the second acquisition unit is used for acquiring a second logical sector address of the current file operation;

a rejecting unit configured to reject the operation if the second logical sector address is within the first logical sector address range.

According to the file tamper-proofing method and device provided by the embodiment of the invention, the related hexadecimal tool software is controlled to perform read-write operation on the file through the logical sector in a logical sector matching mode, so that the file can be prevented from being tampered, and the data security is improved.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.

Fig. 1 is a schematic flowchart of a file tamper-proofing method according to an embodiment of the present invention;

fig. 2 is a flowchart illustrating a method for obtaining a first logical sector address range to which a protected file belongs according to an embodiment of the present invention;

fig. 3 is a schematic structural diagram of a document anti-tampering device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

A method for preventing file tampering according to an embodiment of the present invention is described below with reference to fig. 1 and fig. 2. Referring to fig. 1, the embodiment of the present invention discloses a method for preventing file tampering, including:

101. acquiring a first logic sector address range to which a protected file belongs;

Protected files are files that need to be protected; which files need to be protected can be user-defined. The user can decide which files can be randomly accessed and modified and which files cannot be randomly accessed and modified according to the actual requirements of the user.

The logical sector address range is operating system defined and is independent of the physical disk (e.g., cylinder, track, sector).

102. Acquiring a second logical sector address of the current file operation;

The current operation includes a write operation or a read operation. Step 101 and step 102 need not be executed in any particular order. It should be noted that the expressions "first" and "second" are used to distinguish the logical sector address range to which the protected file belongs from the logical sector address of the current file operation, and should not be construed as limiting.

When the target machine performs a file operation for a logical sector, the corresponding input/output Request packet (IRP, I/O Request packet) is captured in the driver layer, and the logical sector address (second logical sector address) of the operated file can be directly obtained.

103. And if the second logical sector address is within the first logical sector address range, refusing to execute the operation.

After the first logical sector address range and the second logical sector address are obtained, if the second logical sector address is within the first logical sector address range, the operation is refused. It should be noted that, if the second logical sector address is not within the first logical sector address range, the operation is allowed.

Therefore, the related hexadecimal tool software is controlled to read and write the file through the logical sector in a logical sector matching mode, so that the file can be prevented from being tampered, and the data security is improved.

Further, referring to fig. 2, an embodiment of the present invention discloses a method for obtaining an address range of a first logical sector to which a protected file belongs, including:

201. acquiring the file system type of a volume where a protected file is located;

typically, the file system type is Fat32 or NTFS.

202. Obtaining DBR information of a partition boot sector of a volume where the protected file is located;

Obtaining the first logical sector address range to which the protected file belongs requires some information in the partition boot sector (DBR), which is automatically generated by the operating system when formatting the partition. Thus, the DBR information of the volume where the protected file is located needs to be acquired.

203. If the file system type is Fat32, acquiring a first cluster number occupied by the protected file, acquiring a cluster number occupied by the protected file through the first cluster number, and then executing step 204;

If the file system type is Fat32, an IoControl code is sent to the protected file (the file system used by the protected file) to obtain the first cluster number occupied by the protected file, and all continuous or discontinuous cluster numbers occupied by the protected file can then be obtained in sequence through the first cluster number (each partition has its own cluster numbers, which are defined by the operating system for each partition and are determined when the protected file is written to the disk).

204. Acquiring a first logical sector address range to which the protected file belongs based on the DBR information, the cluster number and a data area starting address determined based on the DBR information;

specifically, the number of partition reserved sectors, the number of partition Fat tables, the number of sectors occupied by Fat tables, and the size of the sectors are read based on the DBR information;

calculating the initial address of the data area based on the number of the partition reserved sectors, the number of the partition Fat tables, the number of sectors occupied by the Fat tables and the size of the sectors;

and calculating the first logic sector address range based on the data area starting address, the cluster number, the corresponding sector number of each cluster and the size of the sector.

Wherein the calculating the starting address of the data area based on the number of the partition reserved sectors, the number of the partition Fat tables, the number of sectors occupied by the Fat tables and the size of the sectors comprises:

calculating the starting address of the data area by the following expression:

data area start address = (number of partition reserved sectors + number of partition Fat tables × number of sectors occupied by a Fat table) × sector size.

Wherein the calculating the first logical sector address range based on the data area start address, the cluster number, the corresponding number of sectors per cluster, and the sector size includes:

calculating the first logical sector address range by the expression:

the first logical sector address range = data area start address + cluster number × number of sectors per cluster × sector size.

Typically, the sector size is 512 bytes.

205. If the file system type is NTFS and the first cluster number occupied by the protected file is not successfully acquired, acquiring a first logical sector address range to which the protected file belongs based on the DBR information and the acquired file record number;

specifically, a partitioned MFT start cluster, a number of sectors per cluster, and a sector size are read based on the DBR information;

and calculating the first logical sector address range based on the partition MFT starting cluster, the number of sectors in each cluster, the size of the sectors and the acquired file recording number.

Wherein the calculating the first logical sector address range based on the partition MFT start cluster, the number of sectors per cluster, the sector size, and the obtained file record number includes:

calculating the first logical sector address range by the expression:

the first logical sector address range = MFT start cluster × number of sectors per cluster × sector size + file record number × 1024.

It should be understood that in the NTFS file system, the file content is stored as an attribute of the file, and the concept is the same as whether the file is a system file, whether it is hidden, etc., and the file type is attribute No. 30 of the file. Each file occupies 1K in the MFT table, and if the file content is long, it will exceed 1K.

If the acquisition of the first cluster number fails and the error code is STATUS_END_OF_FILE, the file content is within 1K.

The file record number, i.e., the index in the MFT table, may be obtained by sending the FSCTL_GET_NTFS_FILE_RECORD code.

206. If the file system type is NTFS and the first cluster number occupied by the protected file is successfully obtained, obtaining the cluster number occupied by the protected file through the first cluster number, and then executing step 207;

if the first cluster number is successfully acquired, the file content of the protected file is larger than 1K.

207. And acquiring a first logic sector address range to which the protected file belongs based on the DBR information and the cluster number.

Specifically, the number of sectors and the size of the sectors per cluster are read based on the DBR information;

and calculating to obtain the address range of the first logic sector based on the cluster number, the number of sectors in each cluster and the size of the sectors.

Wherein the calculating the first logical sector address range based on the cluster number, the number of sectors per cluster, and the size of sectors comprises:

calculating the first logical sector address range by the expression:

the first logical sector address range = cluster number × number of sectors per cluster × sector size.
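
An added example, not code from the patent: it carries steps 201 to 207 and the check of step 103 through in C for a constructed FAT32 boot sector and cluster chain, plus the NTFS file-record expression. It goes beyond the text in two labelled ways: the comparison is an interval overlap test, so a request that starts just before a protected range is also refused, and FAT32 cluster numbers are offset by 2 because FAT32 numbers its data clusters from 2. All function names, the sample DBR and the cluster chain are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Half-open byte range [start, end), measured from the start of the volume. */
typedef struct { uint64_t start, end; } range_t;
typedef struct { uint64_t sector_size, cluster_size, data_start; } fat32_geom;

/* Read an n-byte little-endian field (n <= 8) from the boot sector. */
static uint64_t le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* FAT32 DBR fields: 0x0B sector size, 0x0D sectors per cluster, 0x0E reserved
   sectors, 0x10 number of FATs, 0x24 sectors per FAT. Returns -1 if invalid. */
int fat32_parse(const uint8_t *dbr, fat32_geom *g) {
    if (dbr[510] != 0x55 || dbr[511] != 0xAA) return -1;   /* boot signature */
    g->sector_size = le(dbr + 0x0B, 2);
    g->cluster_size = dbr[0x0D] * g->sector_size;
    if (g->cluster_size == 0) return -1;
    g->data_start = (le(dbr + 0x0E, 2) + dbr[0x10] * le(dbr + 0x24, 4)) * g->sector_size;
    return 0;
}

/* Map a (possibly fragmented) cluster chain to protected byte ranges, merging
   adjacent clusters. Assumption beyond the page: data clusters start at 2. */
size_t fat32_ranges(const fat32_geom *g, const uint32_t *chain, size_t n, range_t *out) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (chain[i] < 2) continue;              /* 0 and 1 are not data clusters */
        uint64_t s = g->data_start + (uint64_t)(chain[i] - 2) * g->cluster_size;
        if (used && out[used - 1].end == s) out[used - 1].end = s + g->cluster_size;
        else { out[used].start = s; out[used].end = s + g->cluster_size; used++; }
    }
    return used;
}

/* NTFS file within 1K: the range is its 1024-byte MFT record. DBR fields:
   0x0B sector size, 0x0D sectors per cluster, 0x30 MFT start cluster. */
range_t ntfs_record_range(const uint8_t *dbr, uint64_t record_no) {
    range_t r;
    r.start = le(dbr + 0x30, 8) * dbr[0x0D] * le(dbr + 0x0B, 2) + record_no * 1024;
    r.end = r.start + 1024;
    return r;
}

/* Step 103 as an overlap test: refuse (1) when any byte of the request
   [offset, offset + length) falls inside a protected range. */
int io_denied(const range_t *prot, size_t n, uint64_t offset, uint64_t length) {
    if (length == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (offset < prot[i].end && offset + length > prot[i].start) return 1;
    return 0;
}

/* Constructed sample DBR: 512-byte sectors, 8 sectors per cluster,
   32 reserved sectors, 2 FATs of 1000 sectors each. */
void sample_fat32_dbr(uint8_t *dbr) {
    memset(dbr, 0, 512);
    dbr[0x0C] = 0x02; dbr[0x0D] = 8; dbr[0x0E] = 32; dbr[0x10] = 2;
    dbr[0x24] = 0xE8; dbr[0x25] = 0x03;
    dbr[510] = 0x55; dbr[511] = 0xAA;
}

int main(void) {
    uint8_t dbr[512];
    fat32_geom g;
    range_t prot[3];
    uint32_t chain[] = {5, 6, 9};   /* constructed, fragmented cluster chain */
    sample_fat32_dbr(dbr);
    if (fat32_parse(dbr, &g) != 0) return 1;
    size_t n = fat32_ranges(&g, chain, 3, prot);
    /* A 1024-byte write that starts 512 bytes before the first protected range. */
    printf("ranges=%zu straddling write denied=%d\n", n,
           io_denied(prot, n, prot[0].start - 512, 1024));
    return 0;
}
```

A comparison of the request's starting address alone would allow the straddling write in `main`, because its first byte lies outside every protected range.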

The following describes the file tamper-proofing device provided by the embodiment of the present invention, and the file tamper-proofing device described below and the file tamper-proofing method described above may be referred to correspondingly.

Referring to fig. 3, the document tamper-proofing device includes:

a first obtaining unit 301, configured to obtain a first logical sector address range to which a protected file belongs;

a second obtaining unit 302, configured to obtain a second logical sector address of the current file operation;

a rejecting unit 303, configured to reject to execute the operation if the second logical sector address is within the first logical sector address range.

Therefore, the related hexadecimal tool software is controlled to read and write the file through the logical sector in a logical sector matching mode, so that the file can be prevented from being tampered, and the data security is improved.

The file tamper-proofing device of the embodiment of the invention can be used for executing the technical scheme of the method embodiment, the implementation principle and the technical effect are similar, and the details are not repeated here.

Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
