CN100568812C - The Registry Protection method - Google Patents

The Registry Protection method Download PDF

Info

Publication number
CN100568812C
CN100568812C (application CNB2004100355503A)
Authority
CN
China
Prior art keywords
protection
registry
application program
module
program module
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2004100355503A
Other languages
Chinese (zh)
Other versions
CN1735029A (en)
Inventor
王鸿鹏
王迎芳
徐鄗
谭俊峰
文中领
姜斌斌
Current Assignee
Hisense Group Co Ltd
Original Assignee
Hisense Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Hisense Group Co Ltd
Priority to CNB2004100355503A
Publication of CN1735029A
Application granted
Publication of CN100568812C
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention is a new registry protection system and method, intended mainly for host-based intrusion detection systems (HIDS). Its purpose is to fill a gap in the prior art and to serve as a core module of a HIDS: it implements functions such as filtering and clearing of the registry log, and gives protected key values the protection specified for them by the entries of a protection linked list. The registry protection system consists mainly of an application program module and a driver module. In the registry protection method, after the application program module starts it reads the registry profile (configuration file) information and builds the application program protection linked list from that file; through menu commands the user can send control codes to interact with the driver module, controlling the driver module's start and pause, log filtering, automatic scrolling, log clearing, and stopping the driver.

Description

The Registry Protection method
Technical field
The present invention relates to a registry protection method for network security detection.
Background technology
With the development of computers and networks, which have become inseparable from the economy and from daily life, higher demands are placed on the security of the network itself. To guard against malicious attacks on the network, websites are generally equipped with network intrusion detection systems, which ensure the safe operation of the network by monitoring the ports that attackers use.
The development of today's network attack techniques has made intrusions increasingly common and the means of intrusion more complex by the day. Automatic detection, analysis and interception of intrusion behaviour has become an important requirement of network security. At present, real-time monitoring of intrusion behaviour on the market is mainly achieved with network-based intrusion detection systems (NIDS, Network-based Intrusion Detection System).
But with the widespread use of switches and the spread of IPv6, NIDS can no longer satisfy market demand. Host-based intrusion detection systems (HIDS, Host-based Intrusion Detection System) are actually rare on the market, and there are still gaps in areas such as file protection and registry protection. Since registry protection belongs to the core technology of a HIDS, the implementation of the registry protection method determines the quality of the HIDS system's operation.
Summary of the invention
The present invention is a new registry protection system and method, intended mainly for host-based intrusion detection systems (HIDS). Its purpose is to fill a gap in the prior art and to serve as a core module of a HIDS: it implements functions such as filtering and clearing of the registry log, and gives protected key values the protection specified for them by the entries of a protection linked list.
The registry protection system consists mainly of an application program module and a driver module. Of these,
The application program module includes a user interface, a rule parsing module, a driver management module and a log display module. The application program module is responsible for loading and running the HOOK API driver.
The driver module includes an intermediate-layer HOOK API driver interface, a rule parsing module, an access control module and a logging module. The driver module is responsible for hooking the system's calls to the registry operation API functions, and for performing real-time analysis and logging of them.
In the registry protection method, the application program module is responsible for reading the registry profile (configuration file) information, formatting the file and entering it into the user control interface, and the resulting list can be sent to the driver module.
Using the HOOK API function mechanism, the driver module intercepts all operations that access the registry and compares the registry key values involved in these operations with the key names in the protection list; according to the protection type, it intercepts different API functions.
If the rule allows the registry operation API function to execute, the driver module passes the parameters supplied by the application program module on to the registry operation API; if the rule does not allow the function to execute, the driver module returns an error flag directly. In this way the application program module's calls to the registry operation API functions can be controlled, the registry key values in the list are protected, and an alarm log is sent to the application program module.
In the registry protection method, after the application program module starts it reads the registry profile information and builds the application program protection linked list from that file; through menu commands the user can send control codes to interact with the driver module, controlling the driver module's start and pause, log filtering, automatic scrolling, log clearing, and stopping the driver.
In the registry protection method, the driver module is started by the application program module; by accepting the control code commands sent over by the application program module, it hooks onto the system registry and filters the specified API functions. It reads the registry profile information from disk to form a kernel-resident protected key value linked list, and writes the modified linked list back into the configuration file on disk.
The above is the main content of the registry protection system and method of the present invention.
The registry protection system and method described above mainly performs real-time monitoring of creation, modification and deletion operations on the registry, implements protection of registry key values against creating a key, modifying a key, deleting a key, creating a value, modifying a value and deleting a value, and can send an alarm log. It thus provides the specified protection to protected key values according to the information in the protection linked list, monitors in real time operations such as filtering and clearing of the registry log information, and ensures that the registry cannot be maliciously created in, modified or deleted.
Description of drawings
Fig. 1 is the structural block diagram of the registry protection system;
Fig. 2 is the application program module data flow chart of the registry protection method;
Fig. 3 is the driver module data flow chart of the registry protection method.
Embodiment
As shown in Figure 1, the registry protection system consists mainly of an application program module and a driver module. Of these,
The application program module includes a user interface, a rule parsing module, a driver management module and a log display module. The application program module is responsible for loading and running the HOOK API driver. Within it,
The user interface is used to display log information, to call the driver management module to control the operation of the driver module, to load rules, and so on;
The log display module displays in real time the log information generated by the driver module;
The rule parsing module is responsible for reading configuration information from the configuration file and passing the parsed rule linked list to the driver module through the driver management module;
The driver management module is responsible for controlling the driver module's start and stop, adding and deleting rules, and similar functions.
The driver module includes an intermediate-layer HOOK API driver interface, a rule analysis module, an access control module and a logging module. The driver module is responsible for hooking the system's calls to the registry operation API functions, and for performing real-time analysis and logging of them. Within it,
The intermediate-layer HOOK API driver interface is responsible for hooking, in real time, the system's calls to the registry operation API functions;
The rule analysis module analyses the permissions of the corresponding operation API functions in the rule linked list;
The access control module controls the user's execution of the registry operation API functions: if the rule allows, the function parameters are passed on to the Windows system's underlying API function for further processing; if the rule refuses, an error message is returned and the logging module is called at the same time to produce a log record.
In addition, the Windows system's underlying API is the set of API functions that the system provides for operating on the registry.
Within the structure of the registry protection system described above, the registry protection method of the present invention has the application program module read the registry profile information, format the file and enter it into the user control interface, and the resulting list can be sent to the driver module.
Using the HOOK API function mechanism, the driver module intercepts all operations that access the registry and compares the registry key values involved in these operations with the key names in the protection list; according to the protection type, it intercepts different API functions.
If the rule allows the registry operation API function to execute, the driver module passes the parameters supplied by the application program module on to the registry operation API provided by the operating system for further processing; if the rule does not allow the function to execute, the driver module returns an error flag directly. In this way the application program module's calls to the registry operation API functions can be controlled, the registry key values in the list are protected, and an alarm log is sent to the application program module.
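The access decision just described, both in the summary and here in the embodiment (look the key up in the protection list, refuse or pass through according to the protection type, and emit an alarm log), written out as an added C example. It is not code from the patent: it runs in user mode as a model of the driver module's check rather than as a kernel hook, and the two protection-list entries, the operation bitmask and the numeric error flag are constructed assumptions.

```c
/* Added example, not the patent's code: a user-mode model of the driver
 * module's decision on one intercepted registry call. The protection list,
 * the operation bitmask and the error code are constructed assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Protection types the patent names: create/modify/delete key and
 * create/modify/delete value. Encoding them as a bitmask is an assumption. */
enum reg_op {
    OP_CREATE_KEY   = 1 << 0,
    OP_MODIFY_KEY   = 1 << 1,
    OP_DELETE_KEY   = 1 << 2,
    OP_CREATE_VALUE = 1 << 3,
    OP_MODIFY_VALUE = 1 << 4,
    OP_DELETE_VALUE = 1 << 5
};

/* One node of the kernel-resident protection linked list. */
struct protect_entry {
    const char *key;                    /* protected key path */
    unsigned blocked;                   /* bitmask of enum reg_op to refuse */
    const struct protect_entry *next;
};

#define STATUS_OK            0   /* pass parameters through to the real registry API */
#define STATUS_ACCESS_DENIED 5   /* error flag returned to the caller (constructed value) */

/* A rule covers its own key and every subkey beneath it. Registry key
 * names are case-insensitive, so the comparison ignores case. */
static bool key_covered(const char *rule_key, const char *target)
{
    size_t i;
    for (i = 0; rule_key[i] != '\0'; i++) {
        if (target[i] == '\0' ||
            tolower((unsigned char)rule_key[i]) != tolower((unsigned char)target[i]))
            return false;
    }
    /* exact match, or the rule key is an ancestor of the target key */
    return target[i] == '\0' || target[i] == '\\';
}

/* The hook path: look the key up in the list, refuse the call if the
 * requested operation is blocked for it, and write an alarm log line. */
int check_registry_op(const struct protect_entry *list, const char *key,
                      enum reg_op op, char *log, size_t loglen)
{
    for (const struct protect_entry *e = list; e != NULL; e = e->next) {
        if (key_covered(e->key, key) && (e->blocked & (unsigned)op)) {
            snprintf(log, loglen, "DENY op=0x%02x key=%s rule=%s",
                     (unsigned)op, key, e->key);
            return STATUS_ACCESS_DENIED;
        }
    }
    log[0] = '\0';
    return STATUS_OK;
}

/* Constructed two-entry protection list used by the demo and the tests:
 * values under Run cannot be created/modified/deleted, and keys under
 * Services cannot be created/deleted. */
static const struct protect_entry demo_run = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    OP_CREATE_VALUE | OP_MODIFY_VALUE | OP_DELETE_VALUE, NULL };
static const struct protect_entry demo_svc = {
    "HKLM\\SYSTEM\\CurrentControlSet\\Services",
    OP_CREATE_KEY | OP_DELETE_KEY, &demo_run };

/* Decide one operation against the demo list; the log line printed here
 * stands in for the alarm log the driver sends to the application module. */
int demo_check(const char *key, enum reg_op op)
{
    char log[256];
    int status = check_registry_op(&demo_svc, key, op, log, sizeof log);
    if (status != STATUS_OK)
        fprintf(stderr, "%s\n", log);
    return status;
}

int main(void)
{
    demo_check("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", OP_CREATE_VALUE);
    demo_check("HKLM\\SYSTEM\\CurrentControlSet\\Services\\Svc1", OP_CREATE_KEY);
    demo_check("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", OP_CREATE_VALUE);
    return 0;
}
```

Two details matter for a list of this kind: the comparison must ignore case, since registry key names are case-insensitive, and a rule must cover subkeys without bleeding into siblings that merely share a prefix (the `RunOnce` call above is passed through because `Run` is not its ancestor). The operation bitmask is what lets one key carry the distinct protection types the patent lists, so that deleting a key under `Services` is refused while writing a value there is not.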
As shown in Figure 2, in the application program module data flow of the registry protection method:
When the application program module starts running, it first enumerates the host's registry information, including the several root keys of the registry, and organises this registry information inside a Tree control according to its original relationships.
Through a menu command, the registry profile (INI-reg.cfg) can be read, and the information in this file is organised into the application program protection linked list and displayed inside a ListView control. The protected registry key values and the protection type corresponding to each key value are then plainly visible.
Inside this ListView control, the protection type of a protected key value can be modified through the shortcut menu opened with the right mouse button, and functions such as adding or deleting protected entries can be performed by means of several CheckBox controls.
At the same time, through menu commands the user can send control codes to interact with the driver, controlling the driver's start and pause, log filtering, automatic scrolling, log clearing and stopping the driver.
The registry read/write alarm logs sent by the driver module are all displayed in real time inside another ListView control. By double-clicking the mouse, the entry selected inside the ListView control can be quickly located in the system registry.
As shown in Figure 3, in the driver module data flow of the registry protection method, the driver module is started by the application program module; by accepting the control code commands sent over by the application program module, it hooks onto the system registry and filters the specified API functions.
It reads the registry profile information from disk to form a kernel-resident protected key value linked list.
It accepts the commands and information sent by the application program module to add, delete or modify the protection linked list, and can also implement functions such as log filtering and log clearing.
And it writes the modified linked list back into the configuration file on disk, thereby providing the specified protection to protected key values according to the information in the protection linked list.
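The profile round trip described in the application program module and driver module data flows above (read the registry profile into a protection list, let the user change a protection type, write the list back to disk), as an added C example that is not the patent's code. The patent names the profile INI-reg.cfg but does not give its layout, so the `key=type[,type...]` line format, the `;` comment marker and the six type names used here are assumptions; the sample profile text is constructed.

```c
/* Added example, not the patent's code: the application-module side of the
 * protection list. The patent names the profile INI-reg.cfg but not its
 * layout; the line format "key=type[,type...]" with ';' comments is assumed
 * here. Text is parsed into a list, a rule is modified, and the list is
 * serialised back for writing to disk. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define MAX_KEY     256

/* Protection types as a bitmask (assumption), with their profile names. */
enum { T_NEWKEY = 1, T_MODKEY = 2, T_DELKEY = 4,
       T_NEWVAL = 8, T_MODVAL = 16, T_DELVAL = 32 };
static const struct { const char *name; unsigned bit; } type_names[] = {
    { "newkey", T_NEWKEY }, { "modkey", T_MODKEY }, { "delkey", T_DELKEY },
    { "newval", T_NEWVAL }, { "modval", T_MODVAL }, { "delval", T_DELVAL } };
#define NTYPES (sizeof type_names / sizeof type_names[0])

struct entry { char key[MAX_KEY]; unsigned types; };
struct plist { struct entry e[MAX_ENTRIES]; int n; };

/* "newval,delval" -> bitmask; 0 means empty or entirely unrecognised. */
unsigned parse_types(const char *spec)
{
    char buf[128];
    unsigned mask = 0;
    snprintf(buf, sizeof buf, "%s", spec);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
        for (size_t i = 0; i < NTYPES; i++)
            if (strcmp(tok, type_names[i].name) == 0)
                mask |= type_names[i].bit;
    return mask;
}

/* Parse profile text into pl; returns the entry count, or -1 on a malformed
 * line (no '=', empty key, no valid type), an over-long line or a full list. */
int parse_profile(const char *text, struct plist *pl)
{
    char line[MAX_KEY + 128];
    pl->n = 0;
    for (const char *p = text; *p != '\0';) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (line[0] == '\0' || line[0] == ';') continue;   /* blank or comment */
        char *eq = strchr(line, '=');
        if (eq == NULL || eq == line || pl->n >= MAX_ENTRIES) return -1;
        *eq = '\0';
        snprintf(pl->e[pl->n].key, MAX_KEY, "%s", line);
        if ((pl->e[pl->n].types = parse_types(eq + 1)) == 0) return -1;
        pl->n++;
    }
    return pl->n;
}

/* Serialise pl back to profile text; returns bytes written, -1 if out is too small. */
int write_profile(const struct plist *pl, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < pl->n; i++) {
        char line[MAX_KEY + 128];   /* key (< MAX_KEY) + six names + separators always fits */
        const char *sep = "=";
        int len = snprintf(line, sizeof line, "%s", pl->e[i].key);
        for (size_t t = 0; t < NTYPES; t++) {
            if (!(pl->e[i].types & type_names[t].bit)) continue;
            len += snprintf(line + len, sizeof line - (size_t)len, "%s%s", sep, type_names[t].name);
            sep = ",";
        }
        len += snprintf(line + len, sizeof line - (size_t)len, "\n");
        if ((size_t)len >= cap - used) return -1;
        memcpy(out + used, line, (size_t)len + 1);
        used += (size_t)len;
    }
    return (int)used;
}

/* Constructed profile text standing in for INI-reg.cfg. */
static const char DEMO_PROFILE[] =
    "; constructed sample profile\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run=newval,modval,delval\n"
    "HKLM\\SYSTEM\\CurrentControlSet\\Services=newkey,delkey\n";

/* Round trip: parse, modify one rule in place, write back, re-parse.
 * Returns the final entry count, or a negative step number on failure. */
int demo_roundtrip(void)
{
    struct plist pl;
    char out[1024];
    if (parse_profile(DEMO_PROFILE, &pl) != 2) return -1;
    if (pl.e[0].types != (T_NEWVAL | T_MODVAL | T_DELVAL)) return -2;
    pl.e[1].types |= T_MODKEY;                     /* user adds "modify key" protection */
    if (write_profile(&pl, out, sizeof out) < 0) return -3;
    if (strstr(out, "Services=newkey,modkey,delkey\n") == NULL) return -4;
    return parse_profile(out, &pl);                /* the written text parses back */
}

/* Returns parse_profile's verdict on text (used to probe malformed input). */
int demo_parse(const char *text) { struct plist pl; return parse_profile(text, &pl); }
```

The parser refuses the whole file on the first malformed line rather than silently skipping it: a protection list that loads with a rule missing is worse than one that fails to load and says so, since the missing rule is exactly the key that would go unprotected. Writing the list back through the same type table guarantees that what the driver re-reads on the next start is what the user saw in the ListView.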

Claims (3)

1. A registry protection method using a registry protection system, characterised in that: the application program module is responsible for reading the registry profile information, formatting the file and entering it into the user control interface, and the protection linked list can be sent to the driver module;
The driver module uses the HOOK API function mechanism to intercept all operations that access the registry, compares the registry key values involved in these operations with the key names in the protection linked list, and according to the protection type intercepts different API functions;
If the rule in the protection linked list allows the registry operation API function to execute, the driver module passes the parameters supplied by the application program module on to the registry operation API provided by the operating system for further processing; if the rule in the protection linked list does not allow the function to execute, the driver module returns an error flag directly, so that the application program module's calls to the registry operation API functions can be controlled, and sends an alarm log to the application program module.
2. The registry protection method according to claim 1, characterised in that, in the workflow of the application program module:
When the application program module starts running, it first enumerates the host's registry information, including the several root keys of the registry, and organises this registry information inside a Tree control according to its original relationships; it sends control codes through menu commands to interact with the driver, controlling the driver's start and pause, log filtering, automatic scrolling, log clearing and stopping the driver; the registry read/write alarm logs sent by the driver module are all displayed in real time inside another ListView control, different from the ListView control that displays the protection linked list.
3. The registry protection method according to claim 2, characterised in that, in the workflow of the driver module:
The driver module is started by the application program module; by accepting the control code commands sent over by the application program module, it hooks onto the system registry and filters the specified API functions; it reads the registry profile information from disk to form a kernel-resident protection linked list; it accepts the commands and information sent by the application program module to add, delete or modify the protection linked list, or to implement log filtering and log clearing; and it writes the modified linked list back into the configuration file on disk.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100355503A CN100568812C (en) 2004-08-12 2004-08-12 The Registry Protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100355503A CN100568812C (en) 2004-08-12 2004-08-12 The Registry Protection method

Publications (2)

Publication Number Publication Date
CN1735029A CN1735029A (en) 2006-02-15
CN100568812C true CN100568812C (en) 2009-12-09

Family

ID=36077241

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100355503A Expired - Fee Related CN100568812C (en) 2004-08-12 2004-08-12 The Registry Protection method

Country Status (1)

Country Link
CN (1) CN100568812C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102262716A (en) * 2010-05-25 2011-11-30 腾讯科技(深圳)有限公司 Real-time protection method and device

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102467625B (en) * 2010-11-09 2015-02-11 深圳大学 Data protection method, device and system
CN102214287A (en) * 2011-06-09 2011-10-12 北京思创银联科技股份有限公司 Method for protecting Windows system registry
CN102968359B (en) * 2012-11-13 2015-11-04 福建升腾资讯有限公司 Registration table transparent penetration method under disk operating system
CN104050418B (en) * 2013-03-13 2017-10-13 阿里巴巴集团控股有限公司 A kind of method and apparatus of web browser text background secure print
CN106201579B (en) * 2016-06-28 2019-06-21 珠海豹趣科技有限公司 A kind of method, apparatus and electronic equipment for deleting registry boot item
CN106203189A (en) * 2016-07-04 2016-12-07 北京金山安全软件有限公司 Equipment data acquisition method and device and terminal equipment

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
Research on dynamic monitoring and static analysis of the Windows NT registry. 余昌盛 et al. 计算机应用 (Computer Applications), Vol. 23, No. 3. 2003 *
Implementation of a system call interception mechanism in a host protection system. 高岩 et al. 计算机工程与设计 (Computer Engineering and Design), Vol. 24, No. 11. 2003 *
A personal firewall based on API HOOK technology. 余玉堂 et al. 南京航空航天大学学报 (Journal of Nanjing University of Aeronautics and Astronautics), Vol. 36, No. 1. 2004 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102262716A (en) * 2010-05-25 2011-11-30 腾讯科技(深圳)有限公司 Real-time protection method and device
CN102262716B (en) * 2010-05-25 2014-03-05 腾讯科技(深圳)有限公司 Real-time protection method and device

Also Published As

Publication number Publication date
CN1735029A (en) 2006-02-15

Similar Documents

Publication Publication Date Title
US9037960B2 (en) Monitoring and tracking application usage
US8635285B2 (en) Email categorization methods, coding, and tools
US7673324B2 (en) Method and system for tracking an operating performed on an information asset with metadata associated therewith
CN108121914B (en) Document divulgence protection tracking system
US20060123101A1 (en) Application instrumentation and monitoring
US20100064375A1 (en) Method, system and apparatus for secure data editing
CN102567667A (en) Intelligent information equipment and operation system thereof
CN106503551A (en) A kind of for the processing method and system of extorting software
CN100568812C (en) The Registry Protection method
CN109639726A (en) Intrusion detection method, device, system, equipment and storage medium
JP2006350464A (en) Data collection system, data extraction server, data collection method and data collection program
CN106599115A (en) Data protection method and device and terminal
US9230004B2 (en) Data processing method, system, and computer program product
CN108717516A (en) File label method, terminal and medium
CN112506424A (en) Kernel-based method for preventing hard disk partition from being deleted under window operating system
KR101104300B1 (en) System of access management comprising exclusive tool for accessing of personal information database and method thereof
JP4769241B2 (en) Access authority control system
CN106022096A (en) Information processing method and device and terminal
KR101153969B1 (en) Query tool control method for preventing inner users from leaking the personal information and query tool control system therefor
US9779237B2 (en) Detection of non-volatile changes to a resource
JP4690226B2 (en) Information processing apparatus, confidential data monitoring method and program
KR100676912B1 (en) Apparatus for protecting file illegal accessing and sending in network computers
CN102024116A (en) Access control method for user data files
CN102446165A (en) Method for selecting document contents and replacing document names and system adopting same
EP2506196A1 (en) Method and apparatus for management and control of information incidents and digital evidence

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
ASS Succession or assignment of patent right

Owner name: HAIXIN GROUP CO., LTD.

Free format text: FORMER OWNER: HAIXIN GROUP CO., LTD.; APPLICANT

Effective date: 20071214

C10 Entry into substantive examination
C41 Transfer of patent application or patent right or utility model
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20071214

Address after: 151 Zhuzhou Road, Laoshan District, Qingdao, Shandong Province, China; postcode 266100

Applicant after: Hisense Group Co., Ltd.

Address before: 11 Jiangxi Road, Qingdao, Shandong, China; postcode 266071

Applicant before: Hisense Group

Co-applicant before: Beijing Hisense Digital Technology Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091209

Termination date: 20190812

CF01 Termination of patent right due to non-payment of annual fee