Netinfo Security ›› 2014, Vol. 14 ›› Issue (11): 41-45.doi: 10.3969/j.issn.1671-1122.2014.11.007

• Orginal Article • Previous Articles     Next Articles

Multi-level File Operations Recording System Based on Minifilter Driver

ZHANG Chen-lei, ZHOU An-min, LIU Liang, QING Lin-bo   

  1. College of Electronics and Information Engineering, Sichuan University, Chengdu Sichuan 610065, China
  • Received:2014-06-23 Online:2014-11-01 Published:2020-05-18

Abstract:

This paper studied for different levels of extraction and monitoring the behavior of file operations, aimed at the existing bypass filter drivers detection method was improved, more effective against malicious software behavior, multi-level technology to extract the file operations. Firstly the paper introduces the file filter driver technology , principle and current application situation, then introduces the widely application of micro file filter driver (Minifilter) technology development principle, steps and application field. Subsequent to the underlying behavior of file operations process are analyzed, and the Minifilter detection principle of the related introduction. To analyze its security and puts forward several methods of current can bypass the filter drivers detection principle. Including by adding filter drivers and send Hook function principle to bypass filter drivers, which the filter driver behavior cannot be detected.Lists the existing several attack methods from different levels to bypass the filter driver, including attached new filter drivers, direct access to the kernel, the sending of the underlying file structure function of different hook skills and so on. According to its attack principle is analyzed, puts forward corresponding detection methods.By adding the above on the basis of the original Minifilter several detection methods, which can realize to test the present a variety of means of attack, so as to add multi-layered protective measures. And then the improved filter drivers for targeted on the function and performance test, shows that the improved test drive to be able to use a smaller time cost to complete more deeper detection. Therefore the behavior of the improved extraction technology can bypass the normal file filter driver to expand to detect malicious behavior, the extraction of deeper malicious software file operations, so as to realize the target of suspicious file operations for a more comprehensive monitoring.

Key words: minifilter driver, multi-level, file monitoring, record behavior

CLC Number: