Multi-level File Operations Recording System Based on Minifilter Driver

doi:10.3969/j.issn.1671-1122.2014.11.007

Abstract

Abstract:

This paper studied for different levels of extraction and monitoring the behavior of file operations, aimed at the existing bypass filter drivers detection method was improved, more effective against malicious software behavior, multi-level technology to extract the file operations. Firstly the paper introduces the file filter driver technology , principle and current application situation, then introduces the widely application of micro file filter driver (Minifilter) technology development principle, steps and application field. Subsequent to the underlying behavior of file operations process are analyzed, and the Minifilter detection principle of the related introduction. To analyze its security and puts forward several methods of current can bypass the filter drivers detection principle. Including by adding filter drivers and send Hook function principle to bypass filter drivers, which the filter driver behavior cannot be detected.Lists the existing several attack methods from different levels to bypass the filter driver, including attached new filter drivers, direct access to the kernel, the sending of the underlying file structure function of different hook skills and so on. According to its attack principle is analyzed, puts forward corresponding detection methods.By adding the above on the basis of the original Minifilter several detection methods, which can realize to test the present a variety of means of attack, so as to add multi-layered protective measures. And then the improved filter drivers for targeted on the function and performance test, shows that the improved test drive to be able to use a smaller time cost to complete more deeper detection. Therefore the behavior of the improved extraction technology can bypass the normal file filter driver to expand to detect malicious behavior, the extraction of deeper malicious software file operations, so as to realize the target of suspicious file operations for a more comprehensive monitoring.

Key words: minifilter driver, multi-level, file monitoring, record behavior

CLC Number:

TP309

ZHANG Chen-lei, ZHOU An-min, LIU Liang, QING Lin-bo. Multi-level File Operations Recording System Based on Minifilter Driver[J]. Netinfo Security, 2014, 14(11): 41-45.

Figures/Tables 4

References 15

[1]	SUN Ying-ying, ZHENG Kou-gen,Filemonitoringsystem based on minifilter[J]. Journal of Computer Applications, 2010,30(11):3115-3117.
[2]	FileSystemFilterDrivers[EB/OL]..
[3]	XUE Sheng-jun, CAO Feng-yan.Security Software Files Protection Based on Minifilter[J]. JOURNAL OF WUHAN UNIVERSITY OF TECHNOLOGY, 2011,33(4):130-133.
[4]	FileSystemMinifilterDrivers[EB/OL]. .
[5]	ZHANG Fan,SHI Cai-cheng.Windows Driver Development Internals[M]. Beijing: Publishing House of Electronics Industry,2008.
[6]	TAN Wen,YANG Xiao,SHAO Jian-lei.Windows Kernel security programming[M].Beijing: BEIJING Publishing House of Electronics Industry,2009.
[7]	CHEN Jian-xiong,JIE She,ZHANG Xin.Implementation of Virus Prevention Method Based on File System Filter Driver[J].COMPUTER TECHNOLOGY AND DEVELOPMENT,2013,23(3):143-146.
[8]	GE Yang-yang,MAO Yu-guang,File Security Protection System Based on Minifilter[J]. Computer & Digital Engineering, 2013,(4):631-634.
[9]	YAN Zhen, LIU Ming,File monitoring system based on file filter driver design and implementation[D].Chengdu:University of electronic science and technology of computer system structure. 2012.
[10]	HU Ji-ying, ZHAI Jian-song, SONG Yang.A file system based on Minifilter framework design and implementation of security module[D].Ha Er-bin:Harbin industrial university, 2013.
[11]	PI Chang-di, LIU Nai-qi.Secure file system based on filter drivers in the research and implementation[D].Chengdu:Department of electronic science and technology of large software engineering,2010.
[12]	LIU Sheng,ZHOU An-min, JIANG Lei.File operations detecting system based on minifilter driver[J].Information and electronic engineering,2012,10(6):779-782.
[13]	LI Min, FANG Yong, LIU Lin-chao, XIONG Fan.File Driver on FSD and its Applications[J].Information and electronic engineering, 2005, 3(4):290-292.
[14]	CHEN Ling, TANG Zhen-min.Redirect implementation and its application in file system filter driver[J].The information technology,The China science and technology information 2007, (22):92-93.
[15]	WANG Yang,WANG Qin,The development of the sandbox security technology research[J].Software Guide,2009,8(8):152-153.