Research on an NTFS File Hiding Method
Abstract
Protecting the security of files on a computer has become a matter of widespread concern. File hiding technology addresses this problem from one angle, and it has gradually drawn the attention of academia at home and abroad.
An NTFS (New Technology File System) file hiding method is designed. It involves three key techniques: the way the target file is searched for in the root directory, the storage of information about the hidden file, and the fixup-value technique. The target file is located in the root directory by traversing the values of the index root attribute and the index allocation attribute; the information about the hidden file is stored by writing it to reserved sectors of the volume, so that this bookkeeping is itself hidden; the fixup-value technique analyses the NTFS volume and rewrites the update sequence array (USA) to the appropriate values, without which none of the preceding modifications take effect.
Alongside hiding, recovery of files hidden by this method is also implemented. For recovery in the case where the name of the hidden file's parent directory has changed, a file matching method based on the ObjectId is proposed, so that the hidden file can be restored into the corresponding renamed directory.
The advantages of this method of hiding and recovering files on NTFS volumes include: it is independent of the operating system, and the same method works under any other operating system; it can hide any file on an NTFS volume, regardless of the file's characteristics; it does not move the hidden file's data but only modifies the contents of the MFT record, so the time needed to hide a file is independent of its size; the hidden file is well concealed and not easily discovered; and it changes very little in the file system while achieving a good effect, so it is convenient to implement.
With computer applications becoming ever more widespread and data security ever more important, this work has some practical significance.
Protecting the security of computer files has become a matter of great concern to everyone. File hiding techniques solve the problem to some extent and have drawn attention and recognition from academia at home and abroad.
The NTFS file hiding design includes research on three key techniques: the way the target file is searched for under the root directory, the way the related information of hidden files is kept, and the fixup-value (update sequence array) technique. The target file search is realized by traversing the index root attribute and the index allocation attribute; the hidden file information is preserved by writing it to reserved sectors; the fixup-value technique parses the NTFS volume and updates the USA, without which any modification has no effect.
At the same time, recovery of a file or folder hidden by this method is implemented. For recovery where the name of the upper-level folder has changed, a solution based on ObjectId matching is put forward, which can recover the hidden file to the correspondingly renamed directory.
The NTFS file hiding design has the following properties: it is unrelated to the operating system and can achieve the hiding function under any type of operating system; it is effective for any file on an NTFS file system, regardless of the file's features; it does not need to move the data stream of the hidden file and only modifies the content of the MFT record, so the speed of hiding a file has no relationship to its size; it has high hiding strength and cannot be easily found; and it makes few changes to the file system while achieving good results.
Today, with computers used in an ever wider range of applications and data security ever more important, the work in this thesis has practical significance.
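The fixup-value step described in the abstract is the part of the method that every NTFS reader and writer must get right. The following Python example is added here for illustration; it is not code from the thesis. It parses a constructed 1024-byte MFT FILE record, verifies and undoes its update sequence array fixups, and then walks the attribute headers. The record layout, the USN value (7), the attribute contents and the zero $OBJECT_ID GUID are all constructed sample data. It shows why the abstract says that edits made without rewriting the USA do not take effect: a $DATA attribute crossing the 512-byte sector boundary reads back wrong until the fixups are applied, and a record whose sector tails no longer match the USN is flagged, which is also the check a forensic parser uses to spot a record that was edited outside the file system.

```python
"""Parse an NTFS MFT FILE record, verify its update sequence array (USA) fixups,
undo them, and walk the attribute headers.

NTFS writes every 512-byte sector of a multi-sector structure (MFT records,
INDX blocks) with a "fixup": the last two bytes of each sector are replaced on
disk by the update sequence number (USN), and the bytes they displaced are kept
in the update sequence array inside the record header. Anything that reads the
record must check and undo this before interpreting data that straddles a
sector boundary, which is why a record edited without redoing the fixups is
rejected by the file system.
"""
import struct

SECTOR = 512
END_MARKER = 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x80: "$DATA"}


def parse_header(rec):
    """Return the FILE record header fields needed for fixups and attribute walking."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    first_attr, flags, used, alloc = struct.unpack_from("<HHII", rec, 0x14)
    sectors = usa_count - 1                       # entry 0 of the USA is the USN itself
    if sectors < 1 or sectors * SECTOR > len(rec) or usa_off + 2 * usa_count > len(rec):
        raise ValueError("update sequence array out of range")
    if used > len(rec):
        raise ValueError("used size exceeds record")
    return {"usa_off": usa_off, "usa_count": usa_count, "sectors": sectors,
            "first_attr": first_attr, "flags": flags, "used": used, "alloc": alloc}


def check_fixups(rec):
    """Indices of sectors whose trailing word is not the USN (corruption or an unfixed edit)."""
    h = parse_header(rec)
    usn = struct.unpack_from("<H", rec, h["usa_off"])[0]
    bad = []
    for i in range(h["sectors"]):
        tail = (i + 1) * SECTOR - 2
        if struct.unpack_from("<H", rec, tail)[0] != usn:
            bad.append(i)
    return bad


def apply_fixups(rec):
    """Return a copy of the record with the original sector-tail bytes restored."""
    bad = check_fixups(rec)
    if bad:
        raise ValueError(f"fixup mismatch in sector(s) {bad}")
    h = parse_header(rec)
    out = bytearray(rec)
    for i in range(h["sectors"]):
        entry = h["usa_off"] + 2 * (i + 1)        # saved original word for sector i
        tail = (i + 1) * SECTOR - 2
        out[tail:tail + 2] = rec[entry:entry + 2]
    return bytes(out)


def list_attributes(rec):
    """Walk the attribute headers; returns (type, length, resident content or None)."""
    h = parse_header(rec)
    pos, attrs = h["first_attr"], []
    while pos + 8 <= h["used"]:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER:
            break
        if alen < 0x18 or pos + alen > h["used"]:
            raise ValueError(f"bad attribute length at 0x{pos:x}")
        content = None
        if rec[pos + 8] == 0:                     # resident attribute: content is in the record
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff:pos + coff + clen]
        attrs.append((atype, alen, content))
        pos += alen
    return attrs


def build_sample_record():
    """Constructed 1024-byte record in on-disk form (fixups already stamped), USN = 7."""
    rec = bytearray(1024)
    usn = 7
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)              # USA at 0x30: USN + one word per sector
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, 1)   # seq no, link count, first attr, in-use flag
    struct.pack_into("<II", rec, 0x18, 0x228, 0x400)      # used size, allocated size

    def resident(atype, content, pos, attr_id):
        alen = (0x18 + len(content) + 7) & ~7             # attribute lengths are 8-byte aligned
        struct.pack_into("<IIBBHHHIHBB", rec, pos, atype, alen, 0, 0, 0x18, 0,
                         attr_id, len(content), 0x18, 0, 0)
        rec[pos + 0x18:pos + 0x18 + len(content)] = content
        return pos + alen

    pos = resident(0x10, bytes(72), 0x38, 0)              # $STANDARD_INFORMATION (zeroed sample)
    pos = resident(0x40, bytes(16), pos, 1)               # $OBJECT_ID, zero GUID placeholder
    data = bytearray(b"A" * 328)                          # $DATA content that spans offset 0x200
    data[294:296] = b"XY"                                 # the two bytes that land at 0x1FE-0x1FF
    pos = resident(0x80, data, pos, 2)
    struct.pack_into("<I", rec, pos, END_MARKER)

    # On-disk form: save each sector's tail word in the USA, then stamp the USN over it.
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(2):
        tail = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]
        struct.pack_into("<H", rec, tail, usn)
    return bytes(rec)


if __name__ == "__main__":
    disk = build_sample_record()
    print("fixup check:", check_fixups(disk) or "ok")
    mem = apply_fixups(disk)
    for atype, alen, content in list_attributes(mem):
        name = ATTR_NAMES.get(atype, hex(atype))
        print(f"{name:22} len=0x{alen:x} content={content[:4] if content else None}")
```

Reading the $DATA content from the raw on-disk record returns the USN bytes at offset 0x1FE instead of the real data, while the same walk over the fixed-up copy returns the original bytes; a record whose sector tails have been changed without updating the USA fails check_fixups, which is the condition the abstract describes as modifications "not taking effect".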