[go: up one dir, main page]

CN115237352B - Hidden storage method, device, storage medium and electronic equipment - Google Patents

Hidden storage method, device, storage medium and electronic equipment Download PDF

Info

Publication number
CN115237352B
CN115237352B CN202210925658.8A CN202210925658A CN115237352B CN 115237352 B CN115237352 B CN 115237352B CN 202210925658 A CN202210925658 A CN 202210925658A CN 115237352 B CN115237352 B CN 115237352B
Authority
CN
China
Prior art keywords
storage space
fragment
file
fragmented
fragment storage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210925658.8A
Other languages
Chinese (zh)
Other versions
CN115237352A (en
Inventor
方赴洋
徐桂忠
张淯舒
林倩如
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Science Research Institute of CETC
Original Assignee
Information Science Research Institute of CETC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Science Research Institute of CETC filed Critical Information Science Research Institute of CETC
Priority to CN202210925658.8A priority Critical patent/CN115237352B/en
Publication of CN115237352A publication Critical patent/CN115237352A/en
Application granted granted Critical
Publication of CN115237352B publication Critical patent/CN115237352B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0608Saving storage space on storage systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/061Improving I/O performance
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638Organizing or formatting or addressing of data
    • G06F3/0643Management of files
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638Organizing or formatting or addressing of data
    • G06F3/0644Management of space entities, e.g. partitions, extents, pools
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671In-line storage system
    • G06F3/0673Single storage device
    • G06F3/0674Disk device
    • G06F3/0676Magnetic disk device

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

本公开涉及一种隐匿存储方法、装置、存储介质和电子设备,其中方法包括:获取待存储的预设文件;确定磁盘上的目标碎片存储空间;将所述预设文件写入所述目标碎片存储空间。本公开的方案可以将需要隐匿存储的文件写入磁盘上的碎片存储空间,也即利用碎片存储空间来存储需要隐匿的文件,以提高在系统磁盘中存储攻击程序文件的隐蔽性。

The present disclosure relates to a concealed storage method, device, storage medium and electronic equipment, wherein the method includes: obtaining a preset file to be stored; determining a target fragment storage space on a disk; and writing the preset file into the target fragment storage. The scheme of the present disclosure can write the files that need to be stored secretly into the fragmented storage space on the disk, that is, use the fragmented storage space to store the files that need to be hidden, so as to improve the concealment of storing attack program files in the system disk.

Description

隐匿存储方法、装置、存储介质和电子设备Hidden storage method, device, storage medium and electronic equipment

技术领域technical field

本公开实施例涉及计算机技术领域,尤其涉及一种隐匿存储方法、隐匿存储装置、计算机可读存储介质和电子设备。The embodiments of the present disclosure relate to the technical field of computers, and in particular, to a hidden storage method, a hidden storage device, a computer-readable storage medium, and electronic equipment.

背景技术Background technique

目前实现程序在目标系统的隐匿,例如针对于Windows操作系统普遍使用的NTFS(New TechnologyFile System)文件系统,将程序文件安全隐匿地存储到系统磁盘中的方式主要包括属性隐藏、修改文件名、使用Hook技术、系统DLL文件的替换等方式进行隐藏,但是上述这些方式的隐蔽性较低,容易被磁盘检测工具检测到,因此目前亟需一种隐蔽性高的隐匿存储方案。At present, the concealment of the program in the target system is realized. For example, for the NTFS (New Technology File System) file system commonly used in the Windows operating system, the ways to store the program file safely and concealed in the system disk mainly include attribute hiding, modifying the file name, and using Hook technology, replacement of system DLL files, etc. are hidden, but the above-mentioned methods are low in concealment and are easily detected by disk detection tools. Therefore, a hidden storage solution with high concealment is urgently needed at present.

发明内容Contents of the invention

为了解决上述技术问题或者至少部分地解决上述技术问题,本公开实施例提供了一种隐匿存储方法、隐匿存储装置、计算机可读存储介质和电子设备。In order to solve the above technical problems or at least partly solve the above technical problems, embodiments of the present disclosure provide a hidden storage method, a hidden storage device, a computer-readable storage medium, and an electronic device.

第一方面,本公开实施例提供了一种隐匿存储方法,包括:In the first aspect, the embodiment of the present disclosure provides a hidden storage method, including:

获取待存储的预设文件;Obtain the preset file to be stored;

确定磁盘上的目标碎片存储空间;Determine the target fragment storage space on the disk;

将所述预设文件写入所述目标碎片存储空间。Writing the preset file into the target fragment storage space.

在一个实施例中,所述目标碎片存储空间包括第一碎片存储空间、第二碎片存储空间和第三碎片存储空间中的一个或多个;In one embodiment, the target fragment storage space includes one or more of the first fragment storage space, the second fragment storage space and the third fragment storage space;

其中,所述第一碎片存储空间包括磁盘上的一个或多个簇中的闲置存储空间,所述第二碎片存储空间包括磁盘上的主文件表(Master File Table,简称为MFT)的预留存储空间,所述第三碎片存储空间包括磁盘上的主文件表的保留存储空间。Wherein, the first fragmented storage space includes idle storage space in one or more clusters on the disk, and the second fragmented storage space includes the reserved space of the master file table (Master File Table, referred to as MFT) on the disk. storage space, the third fragmented storage space includes reserved storage space of the master file table on the disk.

在一个实施例中,所述一个或多个簇是用于存储指定系统文件的簇;其中,所述指定系统文件是NTFS文件系统中文件记录的属性为非常驻的系统文件。In one embodiment, the one or more clusters are clusters for storing specified system files; wherein, the specified system files are system files whose attribute of file records in the NTFS file system is non-resident.

在一个实施例中,所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间具有不同的优先级,所述将所述预设文件写入所述目标碎片存储空间,包括:In one embodiment, the first fragment storage space, the second fragment storage space and the third fragment storage space have different priorities, and the writing the preset file into the target fragment storage space, including:

获取所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间各自的优先级;Obtain respective priorities of the first fragmented storage space, the second fragmented storage space, and the third fragmented storage space;

将所述预设文件写入第一指定碎片存储空间;其中所述第一指定碎片存储空间是所述所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级最高的碎片存储空间。Writing the preset file into a first designated fragment storage space; wherein the first designated fragment storage space is the first fragment storage space, the second fragment storage space and the third fragment storage space The highest priority fragmented storage space.

在一个实施例中,所述方法还包括:In one embodiment, the method also includes:

确定所述预设文件的文件大小超过所述第一指定碎片存储空间的大小时,将所述预设文件写入第二指定碎片存储空间;其中所述第二指定碎片存储空间是所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级居中的碎片空间。When it is determined that the file size of the preset file exceeds the size of the first designated fragment storage space, write the preset file into a second designated fragment storage space; wherein the second designated fragment storage space is the first designated fragment storage space A fragmented storage space, the fragmented space with the middle priority among the second fragmented storage space and the third fragmented storage space.

在一个实施例中,所述第一碎片存储空间的优先级最高,所述第二碎片存储空间的优先级居中,所述第三碎片存储空间的优先级最低。In one embodiment, the first fragmented storage space has the highest priority, the second fragmented storage space has a middle priority, and the third fragmented storage space has the lowest priority.

在一个实施例中,所述预设文件是攻击程序所属的文件;所述获取待存储的预设文件,包括:In one embodiment, the preset file is a file to which the attack program belongs; the acquisition of the preset file to be stored includes:

获取所述攻击程序所属的一个或多个文件;Obtain one or more files to which the attack program belongs;

所述将所述预设文件写入所述目标碎片存储空间,包括:The writing the preset file into the target fragment storage space includes:

将所述攻击程序所属的所述一个或多个文件写入所述目标碎片存储空间中对应的存储单元,每个所述存储单元包括一个或多个扇区。Writing the one or more files to which the attack program belongs to corresponding storage units in the target fragment storage space, each of the storage units includes one or more sectors.

在一个实施例中,还包括:In one embodiment, also includes:

记录所述攻击程序的程序文件信息以及扇区信息,所述程序文件信息包括攻击程序的属性信息,所述扇区信息用于标识所述攻击程序所属的所述一个或多个文件在所述目标碎片存储空间中对应的存储单元对应的扇区;recording program file information and sector information of the attack program, the program file information including attribute information of the attack program, and the sector information is used to identify the one or more files to which the attack program belongs in the A sector corresponding to a corresponding storage unit in the target fragment storage space;

基于所述扇区信息,从所述目标碎片存储空间中对应的存储单元对应的扇区中读取所述攻击程序所属的所述一个或多个文件;Based on the sector information, read the one or more files to which the attack program belongs from a sector corresponding to a corresponding storage unit in the target fragment storage space;

基于读取的所述攻击程序所属的所述一个或多个文件,以及所述攻击程序的属性信息,恢复所述攻击程序。Restoring the attack program based on the read one or more files to which the attack program belongs and attribute information of the attack program.

第二方面,本公开实施例提供一种隐匿存储装置,包括:In a second aspect, an embodiment of the present disclosure provides a hidden storage device, including:

获取模块,用于获取待存储的预设文件;An acquisition module, configured to acquire preset files to be stored;

确定模块,用于确定磁盘上的目标碎片存储空间;A determining module, configured to determine the target fragmented storage space on the disk;

写入模块,用于将所述预设文件写入所述目标碎片存储空间。A writing module, configured to write the preset file into the target fragment storage space.

第三方面,本公开实施例提供一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现上述任一实施例所述隐匿存储方法的步骤。In a third aspect, an embodiment of the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the hidden storage method described in any of the above-mentioned embodiments are implemented.

第四方面,本公开实施例提供一种电子设备,包括:In a fourth aspect, an embodiment of the present disclosure provides an electronic device, including:

处理器;以及processor; and

存储器,用于存储计算机程序;memory for storing computer programs;

其中,所述处理器配置为经由执行所述计算机程序来执行上述任一实施例所述隐匿存储方法的步骤。Wherein, the processor is configured to execute the steps of the hidden storage method in any of the above embodiments by executing the computer program.

本公开实施例提供的技术方案与现有技术相比具有如下优点:Compared with the prior art, the technical solutions provided by the embodiments of the present disclosure have the following advantages:

本公开实施例提供的隐匿存储方法、装置、存储介质和电子设备,获取待存储的预设文件,确定磁盘上的目标碎片存储空间,将所述预设文件写入所述目标碎片存储空间。如此本实施例的方案可以将需要隐匿存储的文件写入磁盘上的碎片存储空间,也即利用碎片存储空间来存储需要隐匿的文件,这样存储的文件不易被检测出,从而提高在系统磁盘中存储文件的隐蔽性。The concealed storage method, device, storage medium and electronic device provided by the embodiments of the present disclosure acquire a preset file to be stored, determine a target fragment storage space on a disk, and write the preset file into the target fragment storage space. In this way, the solution of this embodiment can write the files that need to be concealed into the fragmented storage space on the disk, that is, use the fragmented storage space to store the files that need to be concealed, so that the stored files are not easy to be detected, thereby improving the storage capacity of the system disk. Privacy of stored files.

附图说明Description of drawings

此处的附图被并入说明书中并构成本说明书的一部分,示出了符合本公开的实施例,并与说明书一起用于解释本公开的原理。The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description serve to explain the principles of the disclosure.

为了更清楚地说明本公开实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,对于本领域普通技术人员而言,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present disclosure or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, for those of ordinary skill in the art, In other words, other drawings can also be obtained from these drawings without paying creative labor.

图1为本公开实施例隐匿存储方法流程图;FIG. 1 is a flowchart of a hidden storage method according to an embodiment of the present disclosure;

图2为本公开另一实施例隐匿存储方法流程图;FIG. 2 is a flowchart of a hidden storage method according to another embodiment of the present disclosure;

图3为本公开又一实施例隐匿存储方法流程图;FIG. 3 is a flowchart of a hidden storage method according to another embodiment of the present disclosure;

图4为本公开实施例隐匿存储装置示意图;FIG. 4 is a schematic diagram of a hidden storage device according to an embodiment of the present disclosure;

图5为本公开实施例实现隐匿存储方法的电子设备示意图。FIG. 5 is a schematic diagram of an electronic device implementing a hidden storage method according to an embodiment of the present disclosure.

具体实施方式Detailed ways

为了能够更清楚地理解本公开的上述目的、特征和优点,下面将对本公开的方案进行进一步描述。需要说明的是,在不冲突的情况下,本公开的实施例及实施例中的特征可以相互组合。In order to more clearly understand the above objects, features and advantages of the present disclosure, the solutions of the present disclosure will be further described below. It should be noted that, in the case of no conflict, the embodiments of the present disclosure and the features in the embodiments can be combined with each other.

在下面的描述中阐述了很多具体细节以便于充分理解本公开,但本公开还可以采用其他不同于在此描述的方式来实施;显然,说明书中的实施例只是本公开的一部分实施例,而不是全部的实施例。In the following description, many specific details are set forth in order to fully understand the present disclosure, but the present disclosure can also be implemented in other ways than described here; obviously, the embodiments in the description are only some of the embodiments of the present disclosure, and Not all examples.

应当理解,在下文中,“至少一个(项)”是指一个或者多个,“多个”是指两个或两个以上。“和/或”用于描述关联对象的关联关系,表示可以存在三种关系,例如,“A和/或B”可以表示:只存在A,只存在B以及同时存在A和B三种情况,其中A,B可以是单数或者复数。字符“/”一般表示前后关联对象是一种“或”的关系。“以下至少一项(个)”或其类似表达,是指这些项中的任意组合,包括单项(个)或复数项(个)的任意组合。例如,a,b或c中的至少一项(个),可以表示:a,b,c,“a和b”,“a和c”,“b和c”,或“a和b和c”,其中a,b,c可以是单个,也可以是多个。It should be understood that hereinafter, "at least one (item)" means one or more, and "multiple" means two or more. "And/or" is used to describe the association relationship of associated objects, which means that there can be three kinds of relationships, for example, "A and/or B" can mean: only A exists, only B exists, and A and B exist at the same time. Among them, A and B can be singular or plural. The character "/" generally indicates that the contextual objects are an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one item (piece) of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c ", where a, b, c can be single or multiple.

图1为本公开实施例的一种隐匿存储方法流程图,该方法包括以下步骤:Fig. 1 is a flow chart of a concealed storage method according to an embodiment of the present disclosure, the method includes the following steps:

步骤S101:获取待存储的预设文件。Step S101: Obtain a preset file to be stored.

示例性的,该预设文件可以是目标程序所属的文件,该目标程序例如是用于网络安全的攻击程序,其需要适时地隐匿在目标计算机设备的系统中。Exemplarily, the preset file may be a file belonging to a target program, such as an attack program for network security, which needs to be hidden in the system of the target computer device in a timely manner.

步骤S102:确定磁盘上的目标碎片存储空间。Step S102: Determine the target fragmented storage space on the disk.

示例性的,目标碎片存储空间可以是目标计算机设备上的NTFS文件系统为存储的文件分配的存储空间中的空闲存储空间,但也不限于此。Exemplarily, the target fragmented storage space may be free storage space in the storage space allocated for stored files by the NTFS file system on the target computer device, but it is not limited thereto.

步骤S103:将所述预设文件写入所述目标碎片存储空间。Step S103: Write the preset file into the target fragment storage space.

示例性的,确定目标碎片存储空间之后,即可将例如攻击程序的文件写入所述目标碎片存储空间。Exemplarily, after the target fragment storage space is determined, files such as attack programs can be written into the target fragment storage space.

本实施例的方案可以将需要隐匿存储的文件写入磁盘上的碎片存储空间,也即利用碎片存储空间来存储需要隐匿的文件,这样存储的文件不易被检测出,从而提高在系统磁盘中存储文件的隐蔽性。The scheme of this embodiment can write the files that need to be concealed into the fragmented storage space on the disk, that is, use the fragmented storage space to store the files that need to be concealed, so that the stored files are not easy to be detected, thereby improving the storage capacity of the system disk. file concealment.

在一个实施例中,所述目标碎片存储空间可以包括但不限于第一碎片存储空间、第二碎片存储空间和第三碎片存储空间中的一个或多个。其中,所述第一碎片存储空间包括磁盘上的一个或多个簇中的闲置存储空间即slack空间,所述第二碎片存储空间包括磁盘上的主文件表(Master File Table,简称为MFT)的预留存储空间,所述第三碎片存储空间包括磁盘上的主文件表的保留存储空间。In an embodiment, the target fragment storage space may include but not limited to one or more of the first fragment storage space, the second fragment storage space and the third fragment storage space. Wherein, the first fragmented storage space includes idle storage space in one or more clusters on the disk, that is, slack space, and the second fragmented storage space includes a master file table (Master File Table, MFT for short) on the disk reserved storage space, the third fragmented storage space includes the reserved storage space of the master file table on the disk.

具体的,作为示例,为了实现在目标计算机设备系统中对攻击程序的隐匿存储,需要在分析目标计算机设备系统NTFS文件系统的基础上,在NTFS文件系统中寻找可以用于存储攻击程序的空间,下面列举了NTFS中常见的一些碎片存储空间如slack空间,MFT的预留存储空间,MFT的保留存储空间等。Specifically, as an example, in order to realize the hidden storage of the attack program in the target computer equipment system, it is necessary to find a space that can be used to store the attack program in the NTFS file system on the basis of analyzing the NTFS file system of the target computer equipment system, The following lists some common fragmented storage spaces in NTFS, such as slack space, MFT reserved storage space, MFT reserved storage space, etc.

为提高攻击程序在目标系统中隐署存储的隐蔽性,本实施例中不直接在文件系统创建文件的形,因为一旦在系统中创建了文件,便会在MFT中留下相应的记录,而是通过选取slack空间、MFT文件的预留存储空间和MFT文件的保留存储空间作为目标系统中存储攻击程序文件的“碎片”存储空间。In order to improve the concealment of the hidden storage of the attack program in the target system, the form of the file is not directly created in the file system in this embodiment, because once the file is created in the system, a corresponding record will be left in the MFT, and By selecting the slack space, the reserved storage space of the MFT file and the reserved storage space of the MFT file as the "fragment" storage space for storing the attack program files in the target system.

由于系统在为一个文件分配磁盘存储空间的时候是以簇为单位的,若文件的大小不是簇的整数倍,系统仍会为其分配簇的整数倍的存储空间,由于一般的文件长度都不是簇的整数倍,因此就产生了可以利用的slack空间即第一碎片存储空间,这部分空间通常不会被系统再使用,因此将攻击程序的文件存放进slack空间更安全、更稳定。Since the system uses clusters as the unit when allocating disk storage space for a file, if the size of the file is not an integer multiple of the cluster, the system will still allocate storage space for it that is an integer multiple of the cluster. Integer multiples of the cluster, so the slack space that can be used is the first fragment storage space. This part of the space is usually not used by the system, so it is safer and more stable to store the files of the attack program in the slack space.

MFT的预留存储空间是可变的,即当MFT的存储空间不足时,系统会将这部分预留存储空间分配给MFT,而MFT的存储空间足够时,系统会再次保留这部分预留存储空间。因此,将攻击程序的文件存放进MFT文件的预留存储空间不会引起异常,并且由于在一般情况下,该空间不会被分配,因此将攻击程序的文件存放进此位置比较安全和稳定。The reserved storage space of the MFT is variable, that is, when the storage space of the MFT is insufficient, the system will allocate this part of the reserved storage space to the MFT, and when the storage space of the MFT is sufficient, the system will reserve this part of the reserved storage space again space. Therefore, storing the file of the attack program in the reserved storage space of the MFT file will not cause abnormality, and since this space will not be allocated under normal circumstances, it is safer and more stable to store the file of the attack program in this location.

MFT的保留存储空间为文件保留空间,因此,将攻击程序的文件存放进目标系统NTFS文件系统的MFT文件的保留存储空间不会被覆盖,因此将攻击程序的文件存放进此位置也比较安全和稳定。The reserved storage space of the MFT is reserved for files. Therefore, the reserved storage space of the MFT file that stores the file of the attack program in the NTFS file system of the target system will not be overwritten. Therefore, it is safer to store the file of the attack program in this location. Stablize.

在一个实施例中,所述一个或多个簇是用于存储指定系统文件的簇;其中,所述指定系统文件是NTFS文件系统中文件记录的属性为非常驻的系统文件。In one embodiment, the one or more clusters are clusters for storing specified system files; wherein, the specified system files are system files whose attribute of file records in the NTFS file system is non-resident.

具体的,系统元数据文件大小一般情况下是固定的,因此该空间的大小也固定,且这部分空间不会被系统再使用,因此将攻击程序存放进目标系统NTFS文件系统的元数据文件的slack空间更安全、更稳定。Specifically, the size of the system metadata file is generally fixed, so the size of this space is also fixed, and this part of the space will not be reused by the system, so the attack program is stored in the metadata file of the NTFS file system of the target system The slack space is safer and more stable.

在一个具体示例中,当确定好目标碎片存储空间(下文简称为碎片)之后,接下来可以记录这些碎片宿主的相应信息,除了记录所有碎片的数量外,还需要记录每个碎片的基本信息,具体包括:碎片序号、碎片的起始扇区号、空闲扇区数、是否已分配标志。具体记录步骤如下:In a specific example, after the target fragment storage space (hereinafter referred to as fragment) is determined, the corresponding information of these fragment hosts can be recorded next. In addition to recording the number of all fragments, it is also necessary to record the basic information of each fragment. Concretely include: the serial number of the fragment, the starting sector number of the fragment, the number of free sectors, and whether the flag has been allocated. The specific recording steps are as follows:

找到MFT表位置,准备读取表的内容。读取DBR的内容(由于DBR位于NTFS文件系统分区的第一个扇区,因此直接读取第一个扇区即可),找到BPB的位置,在BPB中找到MFT表的起始逻辑簇号,根据该起始逻辑簇号开始读取MFT表的内容。Find the location of the MFT table and prepare to read the contents of the table. Read the contents of the DBR (since the DBR is located in the first sector of the NTFS file system partition, so just read the first sector directly), find the location of the BPB, and find the starting logical cluster number of the MFT table in the BPB , start to read the contents of the MFT table according to the starting logical cluster number.

首先记录系统文件的slack空间。MFT表前的16个记录保存的是16个系统元数据文件的相应信息,因此要记录系统文件的slack空间依靠依次读取MFT表的前16个记录来获取相应的信息。First record the slack space of the system files. The first 16 records of the MFT table store the corresponding information of 16 system metadata files, so the slack space for recording system files depends on reading the first 16 records of the MFT table in order to obtain the corresponding information.

系统文件的slack空间指的是数据运行的slack空间,将系统文件的非常驻08H属性(数据属性)运行的slack空间作为目标碎片。在记录系统文件非常驻08H属性运行的slack空间时,首先查看08H属性的常驻属性标志,如果为常驻属性则此系统文件不能作为目标碎片,继续转至下一个系统文件的记录,为非常驻属性则根据记录中的关键字信息,计算出系统文件的slack空间预期起始扇区号以及该区域的扇区数量,并将是否分配标志设为未分配状态。当记录完有关信息后,开始下一个系统元数据文件slack空间的记录,记录方法重复上述步骤,直到记录完15个系统文件(除去MET系统文件)的slack空间为止。The slack space of the system file refers to the slack space where the data runs, and the slack space where the non-resident 08H attribute (data attribute) of the system file runs is used as the target fragment. When recording the slack space where the system file is not a resident 08H attribute, first check the resident attribute flag of the 08H attribute. If it is a resident attribute, this system file cannot be used as a target fragment. Continue to the next system file record, which is very The resident attribute calculates the expected starting sector number of the slack space of the system file and the number of sectors in this area according to the keyword information in the record, and sets the allocation flag to an unallocated state. After recording the relevant information, start the recording of the next system metadata file slack space, the recording method repeats the above steps until the slack space of 15 system files (removing MET system files) has been recorded.

在一个实施例中,针对MFT的预留存储空间,可以记录该预留存储空间的起始扇区号以及该区域的扇区数量。目前当MFT的存储空间不足时,NTFS文件系统在将MFT的预留存储空间分配给MFT时,首先将预留存储空间划分为两部分即前一存储空间和后一存储空间,系统从第二部分即后一存储空间开始分配,因此预留存储空间的前一存储空间被使用的几率小于第二部分。因此本实施例中可以选用预留存储空间的1/4存储空间作为第二碎片存储空间,但也不限于此。In one embodiment, for the reserved storage space of the MFT, the starting sector number of the reserved storage space and the number of sectors in the area may be recorded. At present, when the storage space of the MFT is insufficient, when the NTFS file system allocates the reserved storage space of the MFT to the MFT, it first divides the reserved storage space into two parts, namely the former storage space and the latter storage space, and the system starts from the second Part, that is, the subsequent storage space starts to be allocated, so the former storage space of the reserved storage space is less likely to be used than the second part. Therefore, in this embodiment, 1/4 of the reserved storage space may be selected as the second fragmented storage space, but it is not limited thereto.

在一个实施例中,所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间具有不同的优先级,示例性的,所述第一碎片存储空间即slack空间的优先级最高,所述第二碎片存储空间即MFT的预留存储空间的优先级居中,所述第三碎片存储空间即MFT的保留存储空间的优先级最低,但也不限于此。如图2所示,所述将所述预设文件写入所述目标碎片存储空间,包括以下步骤:In one embodiment, the first fragmented storage space, the second fragmented storage space and the third fragmented storage space have different priorities. Exemplarily, the first fragmented storage space is the slack space The priority is the highest, the priority of the reserved storage space of the second fragmented storage space is the middle, and the priority of the reserved storage space of the third fragmented storage space is the lowest, but it is not limited thereto. As shown in Figure 2, writing the preset file into the target fragment storage space includes the following steps:

步骤S201:获取所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间各自的优先级。Step S201: Obtain respective priorities of the first fragmented storage space, the second fragmented storage space and the third fragmented storage space.

示例性的,获取第一碎片存储空间即slack空间的优先级,第二碎片存储空间即MFT的预留存储空间的优先级,第三碎片存储空间即MFT的保留存储空间的优先级。Exemplarily, the priority of the first fragmented storage space is slack space, the priority of the second fragmented storage space is the reserved storage space of MFT, and the priority of the third fragmented storage space is the reserved storage space of MFT.

步骤S202:将所述预设文件写入第一指定碎片存储空间;其中所述第一指定碎片存储空间是所述所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级最高的碎片存储空间。Step S202: Write the preset file into the first designated fragment storage space; wherein the first designated fragment storage space is the first fragment storage space, the second fragment storage space and the third fragment storage space The fragmented storage space with the highest priority in the fragmented storage space.

示例性的,由于第一碎片存储空间即slack空间的优先级最高,因此第一指定碎片存储空间是slack空间,于是将攻击程序的文件写入slack空间。Exemplarily, since the first fragmented storage space, that is, the slack space has the highest priority, the first designated fragmented storage space is the slack space, and then the file of the attack program is written into the slack space.

本实施例中根据在碎片存储空间中存储文件的安全性为其定义相应的优先级,优先级越高,存储文件的安全性越高。当选取碎片时根据其优先级优先选择级别高的碎片存储空间,如此可以提供隐匿存储的安全性。In this embodiment, corresponding priorities are defined for files stored in the fragmented storage space according to their security. The higher the priority, the higher the security of the stored files. When selecting fragments, the high-level fragment storage space is selected according to its priority, which can provide the security of hidden storage.

在一个实施例中,所述方法还包括以下步骤:In one embodiment, the method further includes the steps of:

步骤A:确定所述预设文件的文件大小超过所述第一指定碎片存储空间的大小时,将所述预设文件写入第二指定碎片存储空间;其中所述第二指定碎片存储空间是所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级居中的碎片空间。Step A: When it is determined that the file size of the preset file exceeds the size of the first designated fragment storage space, write the preset file into a second designated fragment storage space; wherein the second designated fragment storage space is The fragment space with the middle priority among the first fragment storage space, the second fragment storage space and the third fragment storage space.

示例性的,当确定攻击程序的文件大小超过slack空间时,可以将攻击程序的文件写入第二指定碎片存储空间即MFT的预留存储空间,也即第二优先级的碎片存储空间。Exemplarily, when it is determined that the file size of the attack program exceeds the slack space, the file of the attack program may be written into the second designated fragment storage space, that is, the reserved storage space of the MFT, that is, the fragment storage space of the second priority.

在一个实施例中,所述预设文件是攻击程序所属的文件,相应的,所述获取待存储的预设文件,包括以下步骤:获取所述攻击程序所属的一个或多个文件;所述将所述预设文件写入所述目标碎片存储空间,包括:将所述攻击程序所属的所述一个或多个文件写入所述目标碎片存储空间中对应的存储单元,每个所述存储单元包括一个或多个扇区。In one embodiment, the preset file is a file to which the attack program belongs, and correspondingly, the acquiring the preset file to be stored includes the following steps: acquiring one or more files to which the attack program belongs; Writing the preset file into the target fragment storage space includes: writing the one or more files to which the attack program belongs to a corresponding storage unit in the target fragment storage space, each of the storage A unit consists of one or more sectors.

示例性的,本实施例中实现将攻击程序包含的多个文件分块存储于目标碎片存储空间如slack空间、MFT的预留存储空间等中,如此实现攻击程序的隐匿存储,提高隐匿存储的隐蔽性,使得攻击程序不易被检测到。Exemplarily, in this embodiment, multiple files contained in the attack program are stored in blocks in the target fragment storage space such as slack space, MFT reserved storage space, etc., so that the hidden storage of the attack program is realized, and the efficiency of hidden storage is improved. Concealment makes the attack program difficult to be detected.

在一个实施例中,如图3所示,该方法还包括以下步骤:In one embodiment, as shown in Figure 3, the method also includes the following steps:

步骤S301:记录所述攻击程序的程序文件信息以及扇区信息,所述程序文件信息包括攻击程序的属性信息,所述扇区信息用于标识所述攻击程序所属的所述一个或多个文件在所述目标碎片存储空间中对应的存储单元对应的扇区。Step S301: Record the program file information and sector information of the attack program, the program file information includes the attribute information of the attack program, and the sector information is used to identify the one or more files to which the attack program belongs A sector corresponding to a corresponding storage unit in the target fragment storage space.

示例性的,属性信息可以包括但不限于攻击程序的名称、数据长度,是否在内存标志等。扇区信息可以是扇区标识如扇区序号等唯一编号。该扇区信息可以被预先记录下来,也即当将一个文件写入目标碎片存储空间时,记录该文件在目标碎片存储空间中所在的一个或多个扇区序号。Exemplarily, the attribute information may include, but not limited to, the name of the attacking program, the length of the data, and whether it is in memory or not. The sector information may be a unique number such as a sector identifier such as a sector serial number. The sector information can be pre-recorded, that is, when a file is written into the target fragment storage space, one or more sector numbers where the file is located in the target fragment storage space are recorded.

步骤S302:基于所述扇区信息,从所述目标碎片存储空间中对应的存储单元对应的扇区中读取所述攻击程序所属的所述一个或多个文件。Step S302: Based on the sector information, read the one or more files to which the attack program belongs from the sector corresponding to the corresponding storage unit in the target fragment storage space.

示例性的,当隐匿的攻击程序需要恢复时,基于记录的该扇区信息如扇区序号从目标碎片存储空间中读取攻击程序所属的多个文件。Exemplarily, when the hidden attack program needs to be recovered, multiple files belonging to the attack program are read from the target fragment storage space based on the recorded sector information such as the sector sequence number.

步骤S303:基于读取的所述攻击程序所属的所述一个或多个文件,以及所述攻击程序的属性信息,恢复所述攻击程序。Step S303: Restoring the attack program based on the read one or more files to which the attack program belongs and the attribute information of the attack program.

示例性的,基于读取的攻击程序所属的多个文件以及攻击程序的属性信息如攻击程序的名称等来恢复攻击程序。Exemplarily, the attack program is restored based on the read multiple files to which the attack program belongs and the attribute information of the attack program such as the name of the attack program.

在一个具体示例中,隐匿存储攻击程序时,需要攻击程序的一些基本信息如属性信息,比如攻击程序的名字、数据长度等。具体的,可以记录攻击程序的基本信息包括但不限于:攻击程序名字、攻击程序长度、攻击程序文件的数量、攻击程序文件在相应的碎片存储空间中的扇区序号、是否在内存标志等。当将攻击程序存储到相应碎片存储空间后,基于记录的存储攻击程序文件的扇区在碎片存储空间中的序号,可以方便地在对攻击程序进行恢复时根据该序号在碎片存储空间中找到相应的起始扇区号和扇区数量,进而读取攻击程序文件进行恢复处理。In a specific example, some basic information of the attack program, such as attribute information, such as the name and data length of the attack program, is needed when the attack program is hidden and stored. Specifically, the basic information of the attack program that can be recorded includes but is not limited to: the name of the attack program, the length of the attack program, the number of attack program files, the sector number of the attack program file in the corresponding fragment storage space, whether it is in memory or not. After the attack program is stored in the corresponding fragment storage space, based on the recorded sequence number of the sector storing the attack program file in the fragment storage space, it is convenient to find the corresponding file in the fragment storage space according to the sequence number when restoring the attack program. The starting sector number and the number of sectors, and then read the attack program file for recovery processing.

在一个具体示例中,当确定并记录好相应的目标碎片存储空间的信息后,就可以对攻击程序的文件进行分块存储。若一个攻击程序长期未被主进程所加载,则系统会选择将攻击程序隐匿存储到磁盘中。在存储的过程中,根据确定的碎片存储空间的优先级,优先选择优先级高的未被分配的碎片存储空间中的扇区进行存储并将相应的信息记录下来。具体过程为:In a specific example, after the information of the corresponding target fragment storage space is determined and recorded, the file of the attack program can be stored in blocks. If an attack program has not been loaded by the main process for a long time, the system will choose to store the attack program hidden in the disk. During the storage process, according to the determined priority of the fragmented storage space, sectors in the unallocated fragmented storage space with high priority are preferentially selected for storage and corresponding information is recorded. The specific process is:

首先读取碎片存储空间信息,例如从记录的碎片存储空间信息表格的第一项开始依次读取。碎片存储空间信息表可以记录目标碎片存储空间中各个扇区的扇区序号以及分配状态如扇区已分配(即已写入数据)和扇区未分配(即空闲未写入数据)。First read the fragmented storage space information, for example, sequentially read from the first item in the recorded fragmented storage space information table. The fragmented storage space information table can record the sector number and allocation status of each sector in the target fragmented storage space, such as allocated sectors (that is, written data) and unallocated sectors (that is, free and unwritten data).

然后判断当前读取的碎片存储单元是否已分配,若已经分配则继续读取下一项,若未分配则记录下其起始扇区序号和扇区数。Then judge whether the currently read fragment storage unit has been allocated, if allocated, continue to read the next item, if not allocated, record its starting sector number and sector number.

接着,根据上述扇区数计算出空闲区域的字节数并与当前内存中剩余的攻击程序文件的字节数进行比较,若剩余的攻击程序文件的字节数小于或等于空闲区域的字节数,则把内存中的攻击程序文件全部写进空闲区域,并结束存储。若剩余的攻击程序文件字节数大于空闲区域的字节数,则将攻击程序文件进行分块,先截取长度为空闲区域字节数的攻击程序文件,并将这部分文件存储进空闲区域,基于当前内存中剩余的攻击程序文件再重复前面的步骤进行存储。Then, calculate the number of bytes in the free area according to the number of sectors above and compare it with the number of bytes of the remaining attack program file in the current memory, if the number of bytes in the remaining attack program file is less than or equal to the number of bytes in the free area number, write all the attack program files in the memory into the free area, and end the storage. If the number of bytes of the remaining attack program file is greater than the number of bytes in the free area, the attack program file is divided into blocks, and the attack program file whose length is the number of bytes in the free area is first intercepted, and this part of the file is stored in the free area. Based on the remaining attack program files in the current memory, the previous steps are repeated for storage.

每当攻击程序的文件存储到一个碎片存储空间后,可以将该碎片存储空间中存储该文件的扇区在碎片存储空间信息表格中记录的对应扇区序号记录到存储攻击程序基本信息的另一表格中,以便于之后恢复攻击程序。Whenever the file of the attacking program is stored in a fragmented storage space, the corresponding sector serial number recorded in the fragmented storage space information table of the sector storing the file in the fragmented storage space can be recorded in another storage space for storing the basic information of the attacking program. table, so that the attack program can be resumed later.

需要说明的是,尽管在附图中以特定顺序描述了本公开中方法的各个步骤,但是,这并非要求或者暗示必须按照该特定顺序来执行这些步骤,或是必须执行全部所示的步骤才能实现期望的结果。附加的或备选的,可以省略某些步骤,将多个步骤合并为一个步骤执行,以及/或者将一个步骤分解为多个步骤执行等。另外,也易于理解的是,这些步骤可以是例如在多个模块/进程/线程中同步或异步执行。It should be noted that although the steps of the method in the present disclosure are described in a specific order in the drawings, this does not require or imply that these steps must be performed in this specific order, or that all shown steps must be performed to achieve achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step for execution, and/or one step may be decomposed into multiple steps for execution, etc. In addition, it is easy to understand that these steps may be executed synchronously or asynchronously in multiple modules/processes/threads, for example.

如图4所示,本公开实施例提供一种隐匿存储装置,包括:As shown in Figure 4, an embodiment of the present disclosure provides a hidden storage device, including:

获取模块401,用于获取待存储的预设文件;An acquisition module 401, configured to acquire a preset file to be stored;

确定模块402,用于确定磁盘上的目标碎片存储空间;A determining module 402, configured to determine the target fragmented storage space on the disk;

写入模块403,用于将所述预设文件写入所述目标碎片存储空间。A writing module 403, configured to write the preset file into the target fragment storage space.

本实施例的方案可以将需要隐匿存储的文件写入磁盘上的碎片存储空间,也即利用碎片存储空间来存储需要隐匿的文件,这样存储的文件不易被检测出,从而提高在系统磁盘中存储文件的隐蔽性。The scheme of this embodiment can write the files that need to be concealed into the fragmented storage space on the disk, that is, use the fragmented storage space to store the files that need to be concealed, so that the stored files are not easy to be detected, thereby improving the storage capacity of the system disk. file concealment.

在一个实施例中,所述目标碎片存储空间包括第一碎片存储空间、第二碎片存储空间和第三碎片存储空间中的一个或多个;其中,所述第一碎片存储空间包括磁盘上的一个或多个簇中的闲置存储空间,所述第二碎片存储空间包括磁盘上的主文件表(MasterFile Table,简称为MFT)的预留存储空间,所述第三碎片存储空间包括磁盘上的主文件表的保留存储空间。In one embodiment, the target fragmented storage space includes one or more of the first fragmented storage space, the second fragmented storage space, and the third fragmented storage space; wherein, the first fragmented storage space includes Idle storage space in one or more clusters, the second fragmented storage space includes the reserved storage space of the master file table (MasterFile Table, referred to as MFT) on the disk, and the third fragmented storage space includes the reserved storage space on the disk Reserved storage space for the master file table.

在一个实施例中,所述一个或多个簇是用于存储指定系统文件的簇;其中,所述指定系统文件是NTFS文件系统中文件记录的属性为非常驻的系统文件。In one embodiment, the one or more clusters are clusters for storing specified system files; wherein, the specified system files are system files whose attribute of file records in the NTFS file system is non-resident.

在一个实施例中,所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间具有不同的优先级,所述写入模块403用于:获取所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间各自的优先级;将所述预设文件写入第一指定碎片存储空间;其中所述第一指定碎片存储空间是所述所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级最高的碎片存储空间。In one embodiment, the first fragment storage space, the second fragment storage space and the third fragment storage space have different priorities, and the writing module 403 is configured to: acquire the first fragment storage space, the respective priorities of the second fragment storage space and the third fragment storage space; write the preset file into the first designated fragment storage space; wherein the first designated fragment storage space is the The fragment storage space with the highest priority among the first fragment storage space, the second fragment storage space and the third fragment storage space.

在一个实施例中,所述写入模块403还用于:确定所述预设文件的文件大小超过所述第一指定碎片存储空间的大小时,将所述预设文件写入第二指定碎片存储空间;其中所述第二指定碎片存储空间是所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级居中的碎片空间。In one embodiment, the writing module 403 is further configured to: write the preset file into the second designated fragment when determining that the file size of the preset file exceeds the storage space of the first designated fragment Storage space; wherein the second designated fragmented storage space is the fragmented space with the middle priority among the first fragmented storage space, the second fragmented storage space and the third fragmented storage space.

在一个实施例中,所述第一碎片存储空间的优先级最高,所述第二碎片存储空间的优先级居中,所述第三碎片存储空间的优先级最低。In one embodiment, the first fragmented storage space has the highest priority, the second fragmented storage space has a middle priority, and the third fragmented storage space has the lowest priority.

在一个实施例中,所述预设文件是攻击程序所属的文件;所述获取模块,用于获取所述攻击程序所属的一个或多个文件。所述写入模块,用于将所述攻击程序所属的所述一个或多个文件写入所述目标碎片存储空间中对应的存储单元,每个所述存储单元包括一个或多个扇区。In one embodiment, the preset file is a file to which the attack program belongs; the obtaining module is configured to obtain one or more files to which the attack program belongs. The writing module is configured to write the one or more files to which the attack program belongs to corresponding storage units in the target fragment storage space, each storage unit including one or more sectors.

在一个实施例中,该装置还包括记录模块,用于:记录所述攻击程序的程序文件信息以及扇区信息,所述程序文件信息包括攻击程序的属性信息,所述扇区信息用于标识所述攻击程序所属的所述一个或多个文件在所述目标碎片存储空间中对应的存储单元对应的扇区;读取模块,用于基于所述扇区信息,从所述目标碎片存储空间中对应的存储单元对应的扇区中读取所述攻击程序所属的所述一个或多个文件;恢复模块,用于基于读取的所述攻击程序所属的所述一个或多个文件,以及所述攻击程序的属性信息,恢复所述攻击程序。In one embodiment, the device further includes a recording module, configured to: record the program file information and sector information of the attack program, the program file information includes attribute information of the attack program, and the sector information is used to identify A sector corresponding to a storage unit corresponding to the one or more files to which the attack program belongs in the target fragment storage space; a reading module, configured to read from the target fragment storage space based on the sector information Read the one or more files to which the attack program belongs in the sector corresponding to the corresponding storage unit in the storage unit; the recovery module is used to read the one or more files to which the attack program belongs, and The attribute information of the attack program restores the attack program.

关于上述实施例中的装置,其中各个模块执行操作的具体方式以及带来的相应技术效果已经在有关该方法的实施例中进行了对应的详细描述,此处将不做详细阐述说明。With regard to the apparatus in the above embodiments, the specific manner in which each module performs operations and the corresponding technical effects brought about have been described in detail in the embodiments related to the method, and will not be described in detail here.

应当注意,尽管在上文详细描述中提及了用于动作执行的设备的若干模块或者单元,但是这种划分并非强制性的。实际上,根据本公开的实施方式,上文描述的两个或更多模块或者单元的特征和功能可以在一个模块或者单元中具体化。反之,上文描述的一个模块或者单元的特征和功能可以进一步划分为由多个模块或者单元来具体化。作为模块或单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现木公开方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, this division is not mandatory. Actually, according to the embodiment of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided to be embodied by a plurality of modules or units. Components shown as modules or units may or may not be physical units, may be located in one place, or may be distributed over multiple network elements. Part or all of the modules can be selected according to actual needs to realize the purpose of the disclosed scheme. It can be understood and implemented by those skilled in the art without creative effort.

本公开实施例还提供一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现上述任一项实施例所述隐匿存储方法的步骤。An embodiment of the present disclosure further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the hidden storage method described in any one of the above-mentioned embodiments are implemented.

示例性的,该可读存储介质例如可以为但不限于电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。可读存储介质的更具体的例子(非穷举的列表)包括:具有一个或多个导线的电连接、便携式盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。Exemplarily, the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, or device, or any combination thereof. More specific examples (non-exhaustive list) of readable storage media include: electrical connection with one or more conductors, portable disk, hard disk, random access memory (RAM), read only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

所述计算机可读存储介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了可读程序代码。这种传播的数据信号可以采用多种形式,包括但不限于电磁信号、光信号或上述的任意合适的组合。可读存储介质还可以是可读存储介质以外的任何可读介质,该可读介质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。可读存储介质上包含的程序代码可以用任何适当的介质传输,包括但不限于无线、有线、光缆、RF等等,或者上述的任意合适的组合。The computer readable storage medium may include a data signal carrying readable program code in baseband or as part of a carrier wave traveling as a data signal. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium other than a readable storage medium that can send, propagate or transport a program for use by or in conjunction with an instruction execution system, apparatus or device. The program code contained on the readable storage medium may be transmitted by any suitable medium, including but not limited to wireless, cable, optical cable, RF, etc., or any suitable combination of the above.

本公开实施例还提供一种电子设备,包括处理器以及存储器,存储器用于存储计算机程序。其中,所述处理器配置为经由执行所述计算机程序来执行上述任一项实施例中所述隐匿存储方法的步骤。An embodiment of the present disclosure also provides an electronic device, including a processor and a memory, where the memory is used to store a computer program. Wherein, the processor is configured to execute the steps of the hidden storage method in any one of the above embodiments by executing the computer program.

下面参照图5来描述根据本发明的这种实施方式的电子设备600。图5显示的电子设备600仅仅是一个示例,不应对本发明实施例的功能和使用范围带来任何限制。An electronic device 600 according to this embodiment of the present invention is described below with reference to FIG. 5 . The electronic device 600 shown in FIG. 5 is only an example, and should not limit the functions and scope of use of this embodiment of the present invention.

如图5所示,电子设备600以通用计算设备的形式表现。电子设备600的组件可以包括但不限于:至少一个处理单元610、至少一个存储单元620、连接不同系统组件(包括存储单元620和处理单元610)的总线630、显示单元640等。As shown in FIG. 5, electronic device 600 takes the form of a general-purpose computing device. Components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 connecting different system components (including the storage unit 620 and the processing unit 610), a display unit 640, and the like.

其中,所述存储单元存储有程序代码,所述程序代码可以被所述处理单元610执行,使得所述处理单元610执行本说明书上述隐匿存储方法部分中描述的根据本发明各种示例性实施方式的步骤。例如,所述处理单元610可以执行如图1中所示隐匿存储方法的步骤。Wherein, the storage unit stores program codes, and the program codes can be executed by the processing unit 610, so that the processing unit 610 executes the various exemplary implementations according to the present invention described in the hidden storage method section of this specification. A step of. For example, the processing unit 610 may execute the steps of the hidden storage method as shown in FIG. 1 .

所述存储单元620可以包括易失性存储单元形式的可读介质,例如随机存取存储单元(RAM)6201和/或高速缓存存储单元6202,还可以进一步包括只读存储单元(ROM)6203。The storage unit 620 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 6201 and/or a cache storage unit 6202 , and may further include a read-only storage unit (ROM) 6203 .

所述存储单元620还可以包括具有一组(至少一个)程序模块6205的程序/实用工具6204,这样的程序模块6205包括但不限于:操作系统、一个或者多个应用程序、其它程序模块以及程序数据,这些示例中的每一个或某种组合中可能包括网络环境的实现。The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of these examples may include the realization of the network environment.

总线630可以为表示几类总线结构中的一种或多种,包括存储单元总线或者存储单元控制器、外围总线、图形加速端口、处理单元或者使用多种总线结构中的任意总线结构的局域总线。Bus 630 may represent one or more of several types of bus structures, including a memory cell bus or memory cell controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local area using any of a variety of bus structures. bus.

电子设备600也可以与一个或多个外部设备700(例如键盘、指向设备、蓝牙设备等)通信,还可与一个或者多个使得用户能与该电子设备600交互的设备通信,和/或与使得该电子设备600能与一个或多个其它计算设备进行通信的任何设备(例如路由器、调制解调器等等)通信。这种通信可以通过输入/输出(I/O)接口650进行。并且,电子设备600还可以通过网络适配器660与一个或者多个网络(例如局域网(LAN),广域网(WAN)和/或公共网络,例如因特网)通信。网络适配器660可以通过总线630与电子设备600的其它模块通信。应当明白,尽管图中未示出,可以结合电子设备600使用其它硬件和/或软件模块,包括但不限于:微代码、设备驱动器、冗余处理单元、外部磁盘驱动阵列、RAID系统、磁带驱动器以及数据备份存储系统等。The electronic device 600 can also communicate with one or more external devices 700 (such as keyboards, pointing devices, Bluetooth devices, etc.), and can also communicate with one or more devices that enable the user to interact with the electronic device 600, and/or communicate with Any device (eg, router, modem, etc.) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may occur through input/output (I/O) interface 650 . Moreover, the electronic device 600 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through the network adapter 660 . The network adapter 660 can communicate with other modules of the electronic device 600 through the bus 630 . It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives And data backup storage system, etc.

通过以上的实施方式的描述,本领域的技术人员易于理解,这里描述的示例实施方式可以通过软件实现,也可以通过软件结合必要的硬件的方式来实现。因此,根据本公开实施方式的技术方案可以以软件产品的形式体现出来,该软件产品可以存储在一个非易失性存储介质(可以是CD-ROM,U盘,移动硬盘等)中或网络上,包括若干指令以使得一台计算设备(可以是个人计算机、服务器、或者网络设备等)执行根据本公开实施方式的上述隐匿存储方法。Through the description of the above implementations, those skilled in the art can easily understand that the example implementations described here can be implemented by software, or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of the present disclosure can be embodied in the form of software products, and the software products can be stored in a non-volatile storage medium (which can be CD-ROM, U disk, mobile hard disk, etc.) or on the network , including several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above-mentioned hidden storage method according to the embodiments of the present disclosure.

需要说明的是,在本文中,诸如“第一”和“第二”等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。It should be noted that in this article, relative terms such as "first" and "second" are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply these No such actual relationship or order exists between entities or operations. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or device. Without further limitations, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus comprising said element.

以上所述仅是本公开的具体实施方式,使本领域技术人员能够理解或实现本公开。对这些实施例的多种修改对本领域的技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本公开的精神或范围的情况下,在其它实施例中实现。因此,本公开将不会被限制于本文所述的这些实施例,而是要符合与本文所公开的原理和新颖特点相一致的最宽的范围。The above descriptions are only specific implementation manners of the present disclosure, so that those skilled in the art can understand or implement the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present disclosure. Therefore, the present disclosure will not be limited to the embodiments described herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1.一种隐匿存储方法,其特征在于,包括:1. A concealed storage method, characterized in that, comprising: 获取待存储的预设文件,所述预设文件是攻击程序所属的文件;Obtaining a preset file to be stored, where the preset file is a file to which the attack program belongs; 确定磁盘上的目标碎片存储空间;Determine the target fragment storage space on the disk; 将所述预设文件写入所述目标碎片存储空间;Writing the preset file into the target fragment storage space; 所述目标碎片存储空间包括第一碎片存储空间、第二碎片存储空间和第三碎片存储空间中的一个或多个;The target fragment storage space includes one or more of the first fragment storage space, the second fragment storage space and the third fragment storage space; 其中,所述第一碎片存储空间包括磁盘上的一个或多个簇中的闲置存储空间,所述第二碎片存储空间包括磁盘上的主文件表的预留存储空间,所述第三碎片存储空间包括磁盘上的主文件表的保留存储空间;Wherein, the first fragment storage space includes idle storage space in one or more clusters on the disk, the second fragment storage space includes the reserved storage space of the master file table on the disk, and the third fragment storage Space includes reserved storage for the main file table on disk; 所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间具有不同的优先级,所述将所述预设文件写入所述目标碎片存储空间,包括:The first fragment storage space, the second fragment storage space and the third fragment storage space have different priorities, and writing the preset file into the target fragment storage space includes: 获取所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间各自的优先级;Obtain respective priorities of the first fragmented storage space, the second fragmented storage space, and the third fragmented storage space; 将所述预设文件写入第一指定碎片存储空间;其中所述第一指定碎片存储空间是所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级最高的碎片存储空间。Writing the preset file into the first designated fragment storage space; wherein the first designated fragment storage space is the priority among the first fragment storage space, the second fragment storage space and the third fragment storage space The highest level of fragmented storage space. 2.根据权利要求1所述的方法,其特征在于,所述一个或多个簇是用于存储指定系统文件的簇;其中,所述指定系统文件是NTFS文件系统中文件记录的属性为非常驻的系统文件。2. The method according to claim 1, wherein the one or more clusters are clusters for storing specified system files; wherein, the specified system files are file records in the NTFS file system whose attributes are very resident system files. 3.根据权利要求1所述的方法,其特征在于,所述方法还包括:3. The method according to claim 1, wherein the method further comprises: 确定所述预设文件的文件大小超过所述第一指定碎片存储空间的大小时,将所述预设文件写入第二指定碎片存储空间;其中所述第二指定碎片存储空间是所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级居中的碎片空间。When it is determined that the file size of the preset file exceeds the size of the first designated fragment storage space, write the preset file into a second designated fragment storage space; wherein the second designated fragment storage space is the first designated fragment storage space A fragmented storage space, the fragmented space with the middle priority among the second fragmented storage space and the third fragmented storage space. 4.根据权利要求1或3所述的方法,其特征在于,所述第一碎片存储空间的优先级最高,所述第二碎片存储空间的优先级居中,所述第三碎片存储空间的优先级最低。4. The method according to claim 1 or 3, wherein the priority of the first fragmented storage space is the highest, the priority of the second fragmented storage space is in the middle, and the priority of the third fragmented storage space is lowest level. 5.根据权利要求1~3任一项所述的方法,其特征在于,所述获取待存储的预设文件,包括:5. The method according to any one of claims 1 to 3, wherein said obtaining the preset file to be stored comprises: 获取所述攻击程序所属的一个或多个文件;Obtain one or more files to which the attack program belongs; 所述将所述预设文件写入所述目标碎片存储空间,包括:The writing the preset file into the target fragment storage space includes: 将所述攻击程序所属的所述一个或多个文件写入所述目标碎片存储空间中对应的存储单元,每个所述存储单元包括一个或多个扇区。Writing the one or more files to which the attack program belongs to corresponding storage units in the target fragment storage space, each of the storage units includes one or more sectors. 6.根据权利要求4所述的方法,其特征在于,还包括:6. The method according to claim 4, further comprising: 记录所述攻击程序的程序文件信息以及扇区信息,所述程序文件信息包括攻击程序的属性信息,所述扇区信息用于标识所述攻击程序所属的所述一个或多个文件在所述目标碎片存储空间中对应的存储单元对应的扇区;recording program file information and sector information of the attack program, the program file information including attribute information of the attack program, and the sector information is used to identify the one or more files to which the attack program belongs in the A sector corresponding to a corresponding storage unit in the target fragment storage space; 基于所述扇区信息,从所述目标碎片存储空间中对应的存储单元对应的扇区中读取所述攻击程序所属的所述一个或多个文件;Based on the sector information, read the one or more files to which the attack program belongs from a sector corresponding to a corresponding storage unit in the target fragment storage space; 基于读取的所述攻击程序所属的所述一个或多个文件,以及所述攻击程序的属性信息,恢复所述攻击程序。Restoring the attack program based on the read one or more files to which the attack program belongs and attribute information of the attack program. 7.一种隐匿存储装置,其特征在于,包括:7. A hidden storage device, comprising: 获取模块,用于获取待存储的预设文件,所述预设文件是攻击程序所属的文件;An acquisition module, configured to acquire a preset file to be stored, where the preset file is the file to which the attack program belongs; 确定模块,用于确定磁盘上的目标碎片存储空间;A determining module, configured to determine the target fragmented storage space on the disk; 写入模块,用于将所述预设文件写入所述目标碎片存储空间;A writing module, configured to write the preset file into the target fragment storage space; 所述目标碎片存储空间包括第一碎片存储空间、第二碎片存储空间和第三碎片存储空间中的一个或多个;The target fragment storage space includes one or more of the first fragment storage space, the second fragment storage space and the third fragment storage space; 其中,所述第一碎片存储空间包括磁盘上的一个或多个簇中的闲置存储空间,所述第二碎片存储空间包括磁盘上的主文件表的预留存储空间,所述第三碎片存储空间包括磁盘上的主文件表的保留存储空间;Wherein, the first fragment storage space includes idle storage space in one or more clusters on the disk, the second fragment storage space includes the reserved storage space of the master file table on the disk, and the third fragment storage Space includes reserved storage for the main file table on disk; 所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间具有不同的优先级,所述写入模块,用于将所述预设文件写入所述目标碎片存储空间,包括:The first fragment storage space, the second fragment storage space and the third fragment storage space have different priorities, and the writing module is configured to write the preset file into the target fragment storage space, including: 所述写入模块,用于:The write module is used for: 获取所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间各自的优先级;Obtain respective priorities of the first fragmented storage space, the second fragmented storage space, and the third fragmented storage space; 将所述预设文件写入第一指定碎片存储空间;其中所述第一指定碎片存储空间是所述第一碎片存储空间、所述第二碎片存储空间和所述第三碎片存储空间中优先级最高的碎片存储空间。Writing the preset file into the first designated fragment storage space; wherein the first designated fragment storage space is the priority among the first fragment storage space, the second fragment storage space and the third fragment storage space The highest level of fragmented storage space. 8.一种计算机可读存储介质,其上存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现权利要求1~6任一项所述隐匿存储方法的步骤。8. A computer-readable storage medium, on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the steps of the concealed storage method according to any one of claims 1 to 6 are implemented. 9.一种电子设备,其特征在于,包括:9. An electronic device, characterized in that it comprises: 处理器;以及processor; and 存储器,用于存储计算机程序;memory for storing computer programs; 其中,所述处理器配置为经由执行所述计算机程序来执行权利要求1~6任一项所述隐匿存储方法的步骤。Wherein, the processor is configured to execute the steps of the hidden storage method according to any one of claims 1 to 6 by executing the computer program.
CN202210925658.8A 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment Active CN115237352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210925658.8A CN115237352B (en) 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210925658.8A CN115237352B (en) 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN115237352A CN115237352A (en) 2022-10-25
CN115237352B true CN115237352B (en) 2023-08-15

Family

ID=83676972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210925658.8A Active CN115237352B (en) 2022-08-03 2022-08-03 Hidden storage method, device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115237352B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1975935A (en) * 2006-12-15 2007-06-06 北京中星微电子有限公司 External storing performance testing method and apparatus
CN101770809A (en) * 2008-12-31 2010-07-07 J·埃金顿 Recovery after power down of non-volatile memory
CN103176911A (en) * 2011-12-20 2013-06-26 陕西银河网电科技有限公司 Embedded type software security memory management method
CN104751076A (en) * 2015-04-15 2015-07-01 四川神琥科技有限公司 Method for recovering disk data
CN110908596A (en) * 2018-09-18 2020-03-24 爱思开海力士有限公司 Data storage device, method of operating the same, and storage system including the storage device
CN114328373A (en) * 2020-09-29 2022-04-12 伊姆西Ip控股有限责任公司 Method, electronic device and computer program product for managing file system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9208335B2 (en) * 2013-09-17 2015-12-08 Auburn University Space-time separated and jointly evolving relationship-based network access and data protection system
CN110245119B (en) * 2018-11-02 2023-01-31 浙江大华技术股份有限公司 File sorting method and storage system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1975935A (en) * 2006-12-15 2007-06-06 北京中星微电子有限公司 External storing performance testing method and apparatus
CN101770809A (en) * 2008-12-31 2010-07-07 J·埃金顿 Recovery after power down of non-volatile memory
CN103176911A (en) * 2011-12-20 2013-06-26 陕西银河网电科技有限公司 Embedded type software security memory management method
CN104751076A (en) * 2015-04-15 2015-07-01 四川神琥科技有限公司 Method for recovering disk data
CN110908596A (en) * 2018-09-18 2020-03-24 爱思开海力士有限公司 Data storage device, method of operating the same, and storage system including the storage device
CN114328373A (en) * 2020-09-29 2022-04-12 伊姆西Ip控股有限责任公司 Method, electronic device and computer program product for managing file system

Also Published As

Publication number Publication date
CN115237352A (en) 2022-10-25

Similar Documents

Publication Publication Date Title
CN103761190B (en) Data processing method and apparatus
US8977812B1 (en) Iterating in parallel for deduplication
CN103761053B (en) A kind of data processing method and device
CN111506269B (en) Disk storage space allocation method, device, equipment and storage medium
WO2017185579A1 (en) Method and apparatus for data storage
EP2216710A2 (en) Methods and apparatus for performing efficient data deduplication by metadata grouping
CN101826109B (en) A large-capacity file segmentation method, device and system
WO2017107015A1 (en) Storage space allocation method, and storage device
US11119912B2 (en) Ordering data updates for improving garbage collection being performed while performing the set of data updates
US20140359238A1 (en) Storage apparatus and volume management method
CN109918352B (en) Memory system and method of storing data
WO2020192710A1 (en) Method for processing garbage based on lsm database, solid state hard disk, and storage apparatus
WO2021082422A1 (en) Compatibility processing method, system and device for space reclamation of storage system
CN103955433A (en) Shingled magnetic recording hard disk, and method and device for writing data in shingled magnetic recording hard disk
JP2006195960A (en) Method and system for managing data inside hierarchical storage subsystem and computer program (data migration accompanied by reduction in contention and increase in speed)
CN116257460B (en) Trim command processing method based on solid state disk and solid state disk
CN104461384B (en) A kind of method for writing data and storage device
US8131966B2 (en) System and method for storage structure reorganization
CN118444849A (en) Data storage method, apparatus, electronic device and computer program product
WO2019084917A1 (en) Method and apparatus for calculating available capacity of storage system
CN115237352B (en) Hidden storage method, device, storage medium and electronic equipment
CN114047886A (en) NVME command processing method, system, electronic equipment and storage medium
US20040225855A1 (en) Method, system, and program for allocating storage units to a data set
CN103713860A (en) Method and system for building virtual disk base on basis of backup architecture
US7669031B2 (en) Computer system, storage area allocation method, and management computer

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant