Summary of the invention
The present invention is a new registry protection system and method, intended mainly for use in a host-based intrusion detection system (HIDS). Its purpose is to fill a gap in the prior art and to serve as a core module of a HIDS: it implements functions such as filtering and clearing of the registry log, and provides the specified protection to protected keys and values according to the information in the protection linked list.
The registry protection system mainly comprises an application program module and a driver module. Wherein,
The application program module comprises a user interface, a rule parsing module, a driver management module and a log display module. The application program module is responsible for loading and running the HOOK API driver.
The driver module comprises an intermediate-layer HOOK API driver interface, a rule parsing module, an access control module and a logging module. The driver module is responsible for hooking the system's calls to the registry operation API functions, and for real-time analysis and logging of those calls.
In the registry protection method, the application program module is responsible for reading the registry configuration file, formatting its contents for display in the user control interface, and sending the resulting protection list to the driver module.
The driver module uses the API function hooking mechanism to intercept all operations that access the registry, compares the registry keys and values that these operations refer to against the key and value names in the protection list, and, according to the protection type, intercepts the corresponding API functions.
If the rules allow the registry operation API to execute, the driver module passes the parameters supplied by the calling application on to the registry operation API; if the rules do not allow the function to execute, the driver module returns an error flag directly. In this way the driver module controls the calling application's invocation of the registry operation API functions, thereby protecting the registry keys and values in the list, and sends an alarm log to the application program module.
In the registry protection method, after the application program module starts it reads the registry configuration file and organizes the file contents into the application's protection linked list. Through menu commands the user can send control codes to interact with the driver module, and so control driver module operations such as start and pause, log filtering, automatic scrolling, log clearing and stopping the driver.
In the registry protection method, the driver module is started by the application program module. On receiving the control code commands sent by the application program module, it hooks into the system registry and filters the specified API functions. It reads the registry configuration file from disk to form the kernel-resident protected key/value linked list, and writes the modified linked list back into the configuration file on disk.
The above is the main content of the registry protection system and method of the present invention.
As described above, the registry protection system and method mainly monitors creation, modification and deletion operations on the registry in real time, protects registry keys and values against operations such as creating a key, modifying a key, deleting a key, creating a value, modifying a value and deleting a value, and can send an alarm log. It thereby provides the specified protection to protected keys and values according to the information in the protection linked list, monitors in real time operations such as filtering and clearing of the registry log information, and ensures that registry keys and values cannot be maliciously created, modified or deleted.
Embodiment
As shown in Figure 1, the registry protection system mainly comprises an application program module and a driver module. Wherein,
The application program module comprises a user interface, a rule parsing module, a driver management module and a log display module. The application program module is responsible for loading and running the HOOK API driver. Wherein,
The user interface is used to display log information, to invoke the driver management module to control the operation of the driver module, to load rules, and so on;
The log display module displays, in real time, the log information generated by the driver module;
The rule parsing module is responsible for reading configuration information from the configuration file and passing the parsed rule linked list to the driver module through the driver management module;
The driver management module is responsible for controlling the starting and stopping of the driver module, and for functions such as adding and deleting rules.
The driver module comprises an intermediate-layer HOOK API driver interface, a rule analysis module, an access control module and a logging module. The driver module is responsible for hooking the system's calls to the registry operation API functions, and for real-time analysis and logging of those calls. Wherein,
The intermediate-layer HOOK API driver interface is responsible for hooking, in real time, the system's calls to the registry operation API functions;
The rule analysis module determines, from the rule linked list, the permission for the corresponding registry operation API function;
The access control module controls the user's execution of the registry operation API functions: if the rules allow the call, the function parameters are passed to the underlying Windows system API function for further processing; if the rules refuse it, an error message is returned and the logging module is called at the same time to produce a log record.
Here, the underlying Windows system API means the API functions the system provides for operating on the registry.
With the registry protection system structured as described above, the registry protection method of the present invention has the application program module read the registry configuration file, format its contents for display in the user control interface, and send the resulting protection list to the driver module.
The driver module uses the API function hooking mechanism to intercept all operations that access the registry, compares the registry keys and values that these operations refer to against the key and value names in the protection list, and, according to the protection type, intercepts the corresponding API functions.
If the rules allow the registry operation API function to execute, the driver module passes the parameters supplied by the calling application on to the registry operation API provided by the operating system for further processing; if the rules do not allow the function to execute, the driver module returns an error flag directly. In this way the driver module controls the calling application's invocation of the registry operation API functions, thereby protecting the registry keys and values in the list, and sends an alarm log to the application program module.
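The following is an added worked example of the access control decision described above, written as a user-mode C model for this page; it is not code from the patent. The operation codes, the kernel-form key paths, the assumption that a protected key also covers its subkeys, the ERR_ACCESS_DENIED return flag and the sample protection list are all assumptions made for the example.

```c
/* Added example for this page, not the patent's code: a user-mode model of the
 * driver module's rule analysis and access control decision. Assumed here: the
 * operation codes, kernel-form key paths, that a protected key covers its whole
 * subtree, and the ERR_ACCESS_DENIED flag returned to the caller. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The six protection types named on the page, as bits of a protection mask. */
enum reg_op {
    OP_KEY_CREATE = 1, OP_KEY_MODIFY = 2, OP_KEY_DELETE = 4,
    OP_VAL_CREATE = 8, OP_VAL_MODIFY = 16, OP_VAL_DELETE = 32
};
#define OP_ALL 63

/* One node of the kernel-resident protected key/value linked list. */
struct rule {
    const char *path;          /* key path in the form the kernel sees (assumed) */
    unsigned protect;          /* operations this rule refuses */
    const struct rule *next;
};

/* Record handed to the logging module when a call is refused. */
struct log_rec { enum reg_op op; char path[260]; int denied; };

#define OK 0                     /* forward the call to the original API */
#define ERR_ACCESS_DENIED (-1)   /* error flag returned instead of calling it */

/* Key names are case-insensitive. A rule covers the key and its subkeys, so the
 * rule path must be followed by end-of-string or a '\\' separator; a plain
 * prefix test would let "...\\Run" also cover "...\\RunOnce". */
static int rule_matches(const struct rule *r, const char *path) {
    size_t i;
    for (i = 0; r->path[i]; i++)
        if (path[i] == '\0' ||
            tolower((unsigned char)r->path[i]) != tolower((unsigned char)path[i]))
            return 0;
    return path[i] == '\0' || path[i] == '\\';
}

/* Access control module: walk the list; refuse the call and fill the log record
 * if a rule covers this key and lists this operation in its protection type. */
int registry_filter(const struct rule *list, enum reg_op op, const char *path,
                    struct log_rec *log) {
    for (const struct rule *r = list; r; r = r->next) {
        if (rule_matches(r, path) && (r->protect & op)) {
            if (log) {
                log->op = op;
                log->denied = 1;
                snprintf(log->path, sizeof log->path, "%s", path);
            }
            return ERR_ACCESS_DENIED;
        }
    }
    return OK;
}

/* Constructed protection list: lock the Run key completely, and protect the
 * HIDS's own service key only against deletion. */
const struct rule *sample_list(void) {
    static const struct rule svc = {
        "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\MyHids",
        OP_KEY_DELETE | OP_VAL_DELETE, NULL };
    static const struct rule run = {
        "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        OP_ALL, &svc };
    return &run;
}

static struct log_rec last_log;

/* Filter one intercepted operation against the sample list. */
int check(enum reg_op op, const char *path) {
    memset(&last_log, 0, sizeof last_log);
    return registry_filter(sample_list(), op, path, &last_log);
}

const struct log_rec *last_alarm(void) { return &last_log; }

int main(void) {
    const char *run = "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
    printf("set value under Run    -> %d\n", check(OP_VAL_MODIFY, run));
    printf("delete key RunOnce     -> %d\n", check(OP_KEY_DELETE,
        "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"));
    printf("set value under MyHids -> %d\n", check(OP_VAL_MODIFY,
        "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\MyHids"));
    return 0;
}
```

The example shows two points the prose leaves implicit: a rule for the Run key must not also cover RunOnce, which a naive prefix comparison would do, and a rule that protects only deletion must leave value modification on the same key permitted. In the driver itself this decision runs inside the hooked registry API routine before the parameters are forwarded. On 64-bit Windows, Kernel Patch Protection blocks hooking of the system service table, so the supported place for the same check is a registry filter callback registered with CmRegisterCallbackEx.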
As shown in Figure 2, in the application program module data flow of the registry protection method,
When the application program module starts, it first enumerates the registry information of the host, including the several root keys of the registry, and organizes this registry information in a Tree control according to its original hierarchy.
Through a menu command the registry configuration file (INI-reg.cfg) can be read; the information in this file is organized into the application's protection linked list and displayed in a ListView control, so that the protected registry keys and values, and the protection type corresponding to each, are clearly visible.
In this ListView control, the protection type of a protected key or value can be modified through the context menu opened with the right mouse button, and functions such as adding or deleting protected items can be performed through several CheckBox controls.
At the same time, through menu commands the user can send control codes to interact with the driver, and can control driver operations such as start and pause, log filtering, automatic scrolling, log clearing and stopping the driver.
The registry read/write alarm logs sent by the driver module are all displayed in real time in another ListView control. Double-clicking an entry in this ListView control quickly locates the selected item at its position in the system registry.
As shown in Figure 3, in the driver module data flow of the registry protection method, the driver module is started by the application program module. On receiving the control code commands sent by the application program module, it hooks into the system registry and filters the specified API functions.
It reads the registry configuration file from disk to form the kernel-resident protected key/value linked list.
It accepts the commands and information sent by the application program module to add, delete or modify entries of the protection linked list, and can also implement functions such as log filtering and log clearing.
It writes the modified linked list back into the configuration file on disk, thereby providing the specified protection to protected keys and values according to the information in the protection linked list.
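As an added example (not the patent's code), the following user-mode C program models the rule parsing module and the driver's add, delete and modify handling of the protection linked list described above, including writing the modified list back in the configuration file format. The page names INI-reg.cfg but does not describe its layout, so the format used here (a [protect] section, one "key path=flags" line per entry, flags KC, KM, KD, VC, VM, VD for key/value create, modify, delete) and the sample file contents are assumptions.

```c
/* Added example, not the patent's code: user-mode model of the rule parsing module
 * and the driver's add/delete/modify handling of the protection list, with write-back.
 * Assumed INI-reg.cfg layout: [protect] section, "key path=flags" lines, flags KC KM KD VC VM VD. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

static const char *FLAG_NAMES[6] = { "KC", "KM", "KD", "VC", "VM", "VD" };
struct rule { char *path; unsigned protect; struct rule *next; };

const char *SAMPLE_CFG =   /* constructed file contents for this example */
    "; constructed INI-reg.cfg\n"
    "[protect]\n"
    "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run = KC,KM,KD,VC,VM,VD\n"
    "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\MyHids=KD, VD\n";

static char *trim(char *s) {   /* strip surrounding whitespace in place */
    while (isspace((unsigned char)*s)) s++;
    for (char *e = s + strlen(s); e > s && isspace((unsigned char)e[-1]); ) *--e = '\0';
    return s;
}

static int path_eq(const char *a, const char *b) {   /* key names are case-insensitive */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static unsigned parse_flags(char *s) {   /* "KD, VD" -> KD|VD; unknown tokens ignored */
    unsigned m = 0;
    for (char *t = strtok(s, ", "); t; t = strtok(NULL, ", "))
        for (int i = 0; i < 6; i++) if (strcmp(t, FLAG_NAMES[i]) == 0) m |= 1u << i;
    return m;
}

/* Add a rule or change an existing one's protection type; appends at the tail
 * so the written file keeps the original order. Returns the node. */
struct rule *list_set(struct rule **head, const char *path, unsigned protect) {
    struct rule **p = head;
    for (; *p; p = &(*p)->next)
        if (path_eq((*p)->path, path)) { (*p)->protect = protect; return *p; }
    *p = calloc(1, sizeof **p);
    (*p)->path = strcpy(malloc(strlen(path) + 1), path);
    (*p)->protect = protect;
    return *p;
}

int list_remove(struct rule **head, const char *path) {   /* 1 if removed */
    for (struct rule **p = head; *p; p = &(*p)->next)
        if (path_eq((*p)->path, path)) {
            struct rule *dead = *p; *p = dead->next;
            free(dead->path); free(dead); return 1;
        }
    return 0;
}

unsigned list_find(const struct rule *r, const char *path) {   /* 0 = not protected */
    for (; r; r = r->next) if (path_eq(r->path, path)) return r->protect;
    return 0;
}

/* Rule parsing module: load the file text into the list and return the entry
 * count. Blank, comment and section lines are skipped; a line with no '=' is
 * ignored rather than aborting the whole load. */
int parse_config(const char *text, struct rule **head) {
    char *buf = strcpy(malloc(strlen(text) + 1), text), *line, *next, *eq;
    int n = 0;
    for (line = buf; line; line = next) {
        if ((next = strchr(line, '\n')) != NULL) *next++ = '\0';
        line = trim(line);
        if (*line == '\0' || *line == ';' || *line == '[' || !(eq = strchr(line, '='))) continue;
        *eq = '\0';
        list_set(head, trim(line), parse_flags(eq + 1));
        n++;
    }
    free(buf);
    return n;
}

/* Write the modified list back in the same format; returns the length the full
 * text would have (like snprintf) so a truncated write-back can be detected. */
size_t write_config(const struct rule *r, char *out, size_t cap) {
    size_t len = 0;
#define PUT(...) len += snprintf(out + (len < cap ? len : cap), len < cap ? cap - len : 0, __VA_ARGS__)
    PUT("[protect]\n");
    for (; r; r = r->next) {
        PUT("%s=", r->path);
        for (int i = 0, first = 1; i < 6; i++)
            if (r->protect & (1u << i)) { PUT("%s%s", first ? "" : ",", FLAG_NAMES[i]); first = 0; }
        PUT("\n");
    }
#undef PUT
    return len;
}

int main(void) {
    struct rule *list = NULL;
    char out[512];
    parse_config(SAMPLE_CFG, &list);
    list_remove(&list, "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\MyHids");
    list_set(&list, "\\Registry\\Machine\\SOFTWARE\\Classes\\exefile\\shell\\open\\command", 16 | 32);
    write_config(list, out, sizeof out);
    return fputs(out, stdout) < 0;
}
```

Two details matter for a protection list that is loaded at boot and rewritten on every change: a malformed line is skipped rather than failing the load, so one bad entry cannot leave the host with no protection list at all, and write_config reports the full length so the application can detect truncation before it overwrites the configuration file on disk.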