
CN117812068A - SMB protocol file restoration method and system - Google Patents

Publication number
CN117812068A
Authority
CN
China
Prior art keywords
file
message
field information
restored
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410024108.8A
Other languages
Chinese (zh)
Other versions
CN117812068B (en)
Inventor
李化森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hubei Anbotong Technology Co ltd
Original Assignee
Hubei Anbotong Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a method and a system for restoring SMB protocol files. A restoring instruction of a target file is obtained; if the direction of a message is the request direction, the restored file field information of the message is obtained and stored in a session control structure, wherein the restored file field information at least comprises an interactive message number and a file offset. If the direction is the response direction, the other restored file field information is matched through the interactive message number. The file block of the request direction message or the response direction message is written into a memory according to the file offset. If the total length of the file blocks written in the memory is the same as the total length of the file in the corresponding restored file field information, restoration of the target file is complete. By using the interactive message number and the file offset, the method solves the problem of out-of-order file blocks in SMB protocol file transmission, so that a complete target file is restored.

Description

SMB protocol file restoration method and system
Technical Field
The application relates to the technical field of communication, in particular to a method and a system for recovering SMB protocol files.
Background
Files transmitted over a network need to be audited and scanned for viruses. These functions require parsing the transmission protocol in order to identify the file name, file size, file content and so on during the transfer. For example, in some scenarios file transfer over the SMB (Server Message Block) protocol must be controlled and scanned for viruses, which relies on restoring the file during transfer.
In SMB protocol file restoration, information such as the file name and the file size can be obtained during transfer by parsing the SMB protocol. SMB file transfer is then controlled based on the acquired information, for example by limiting the file size or filtering sensitive words in file names. Functions that depend on the file content, such as identifying the real file type and virus prevention, need a complete file.
During SMB protocol transmission, when a client transmits a file to a server, the file is divided into a plurality of file blocks, which are then transmitted to the server one by one. File blocks may arrive out of order because of network delay, interruption or other reasons. In addition, this approach can only obtain the file name, the file size and similar information during the transfer, and because file blocks may be out of order in transit, the complete file cannot be restored.
Disclosure of Invention
The application provides a method and a system for restoring SMB protocol files, which are used for solving the problem that complete files cannot be restored.
In a first aspect, the present application provides a method for recovering an SMB protocol file, where the method includes:
acquiring a restoring instruction of a target file;
responding to the restoring instruction, and if the message type of the SMB protocol is a downloaded file, acquiring the direction of the message;
if the direction is the request direction, acquiring restored file field information of the request direction message, and storing the restored file field information to a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information;
if the direction is the response direction, acquiring the interactive message number of the response direction message;
if the interactive message number of the response direction message exists in the session control structure, matching the other restored file field information except the interactive message number in the restored file field information;
writing the file block of the request direction message or the response direction message into a memory according to the file offset;
and reading the total length of the written file blocks in the memory and the total length of the files in the corresponding restored file field information, and if the written total length is the same as the total length of the files, representing that the target file restoration is completed.
In some possible embodiments, after the responding to the restore instruction, the method includes:
if the message type of the SMB protocol is an uploading file, acquiring the direction of the message;
if the direction is the request direction, acquiring the restored file field information of the request direction message, and storing the restored file field information to the session control structure;
if the interactive message number in the restored file field information of the request direction message exists in the session control structure, matching the file offset in the session control structure;
and writing the file block of the request direction message into a memory according to the file offset.
In some possible embodiments, the writing the file block of the request direction message or the response direction message into the memory according to the file offset includes:
detecting a memory file structure body in the session control structure, wherein the session control structure comprises a plurality of structure bodies;
if the memory file structure is in a default initial state, writing the file block of the request direction message or the response direction message into a memory according to the file offset, wherein the memory comprises a plurality of fields.
In some possible embodiments, the writing the file block of the request direction message or the response direction message into the memory according to the file offset includes:
assigning the restored file field information in the session control structure to the field of the memory, wherein the restored file field information and the field have a mapping relation;
setting the offset of the file pointer to the offset field of the memory;
and writing the file block of the request direction message into an offset field corresponding to the memory according to the file offset of the request direction message.
In some possible embodiments, the writing the file block of the request direction message or the response direction message into the memory according to the file offset further includes:
applying for a memory from an operating system, wherein the memory comprises a plurality of memory blocks.
In some possible embodiments, after reading the total length of the written file blocks in the memory and the total length of the file corresponding to the restored file field information, the method includes:
searching restored file field information corresponding to the file block according to the written file block;
if the total length of the written file blocks is the same as the total length of the file in the restored file field information, representing that the target file is stored in the memory;
and writing the target file stored in the memory into a hard disk to complete the restoration of the target file.
In some possible embodiments, the saving the restored file field information to the session control structure includes:
acquiring the interval time of the request direction message;
if the interval time is smaller than the time threshold, acquiring the number of sessions that the session control structure can save; and creating an integer array in the session control structure, wherein the array is used for storing the interactive message number, the file offset and the file size of the request direction message, and the size of the array is the same as the number of sessions that the session control structure can save.
In some possible embodiments, the method further comprises:
acquiring quintuple information;
and creating a session control structure according to the quintuple information.
In some possible embodiments, the writing the file block of the request direction message or the response direction message into the memory further includes:
acquiring the file block type;
if the file block type is an executable file, detecting the file block based on a behavior analysis detection method to obtain a detection result;
and if the detection result is that the malicious behavior is not detected, writing the content of the file block.
In a second aspect, the present application provides an SMB protocol file restore system, configured to perform the SMB protocol file restore method of any one of the first aspect, where the system includes:
the acquisition unit is used for acquiring a restoring instruction of the target file;
responding to the restoring instruction, and if the message type of the SMB protocol is a downloaded file, acquiring the direction of the message by the acquisition unit; if the direction is a request direction, acquiring restored file field information of the request direction message, and storing the restored file field information to a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information; if the direction is the response direction, the interactive message number of the response direction message is obtained;
the matching unit is used for matching the restored file field information except the interactive message number in the restored file field information if the interactive message number of the response direction message exists in the session control structure;
the writing unit is used for writing the file block of the request direction message or the response direction message into a memory according to the file offset;
and the reading unit is used for reading the total length of the written file blocks in the memory and the total length of the file in the corresponding restored file field information, and if the total length of the written file blocks is the same as the total length of the file, restoration of the target file is complete.
According to the above technical scheme, the application provides a method and a system for restoring SMB protocol files. A restoring instruction of a target file is obtained, and if the message type of the SMB protocol is a downloaded file, the direction of the message is obtained. If the direction is the request direction, the restored file field information of the request direction message is acquired and stored in a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information. If the direction is the response direction, the interactive message number of the response direction message is acquired; if that interactive message number exists in the session control structure, the other restored file field information besides the interactive message number is matched. The file block of the request direction message or the response direction message is written into a memory according to the file offset. The total length of the written file blocks in the memory and the total length of the file in the corresponding restored file field information are read, and if the two are the same, restoration of the target file is complete. By storing the restored file field information in the session control structure, the application solves the problem of out-of-order file blocks in SMB protocol file transmission through the interactive message number and the file offset, so that the complete target file is restored.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are needed in the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic structural diagram of the SMB protocol file restoration method shown in this embodiment;
Fig. 2 is a schematic diagram of the interaction process of file download messages shown in this embodiment;
Fig. 3 is a schematic diagram of the interaction process of file upload messages shown in this embodiment;
Fig. 4 is a schematic diagram of the offset position structure shown in this embodiment.
Detailed Description
Reference will now be made in detail to the embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the examples below do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with some aspects of the present application as detailed in the claims.
SMB is a protocol for file sharing, printer sharing, and general network communication, by which a client application can read and write files on a server under various network environments, and make service requests to the server program. In addition, through the SMB protocol, the application program can access the remote server-side files and the printer and other resources.
However, the SMB protocol may also be used by malicious users to conduct attacks, such as man-in-the-middle attacks, or to spread viruses through shared files. To control SMB file transmission and prevent viruses, the files in transit need to be restored, and these functions require identifying the file name, the file size, the file content and so on during the transfer by parsing the transmission protocol.
Network security devices, such as IP protocol ciphers, security routers, line ciphers and firewalls, can only regulate traffic by file name and file size, and their anti-virus function likewise works by computing an MD5 (Message Digest Algorithm 5) value for each message and matching on it.
Functions such as identifying the real file type from the file content and preventing viruses require a complete file. For example, the file type identification function is based on the real file content and needs to identify the header information of the file, but during an SMB upload or download the header content of the file is not necessarily in the first file transmission message, so the file type cannot be identified accurately. For the antivirus function based on the MD5 of the traffic, out-of-order file blocks in SMB protocol transmission can cause the MD5 to be calculated incorrectly, so that the virus recognition rate for messages is inaccurate. In summary, the complete file cannot be restored because of problems such as the position of the file header information and out-of-order file blocks.
In order to solve the problem that complete files cannot be restored because file blocks are out of order during SMB protocol file transmission, some embodiments of the present application provide an SMB protocol file restoration method. Referring to Fig. 1, the method includes:
S100: Obtain a restoring instruction of the target file.
The target file may be a deleted file, a damaged file, a file infected by a virus, and the like. When such a condition of the target file is detected, a restoring instruction for restoring the whole file can be sent, where the whole file means the data of the complete target file.
When the target file is restored on demand, the method can first determine whether the function required during the SMB protocol file transmission, for example an antivirus function or an auditing function, needs the complete file; the function is judged first, and the restoring instruction is then obtained.
When the SMB protocol is used to transmit a file, the client sends a request, the server receives and responds to it, and the server sends the target file to the client. When the anti-virus function needs to be realized, the server can generate a restoring instruction. For example, when a client receives an alert from antivirus software that a target file may carry a virus, the client may request the server to delete or quarantine the file. The server then performs this operation to restore the corresponding file, for example by deleting the virus file or moving it to the quarantine area.
S200: In response to the restoring instruction, if the message type of the SMB protocol is a downloaded file, acquire the direction of the message.
SMB message types include uploading (writing a file) and downloading (reading a file), so for the SMB protocol file restoration covers both restoration of uploaded files and restoration of downloaded files. According to RFC (Request For Comments) documents, the message format in SMB protocol transmission includes a NETBIOS (Network Basic Input/Output System) header, an SMB header and text content. For SMB file restoration, fields in the SMB header can be used, such as the operation command (to distinguish a read, i.e. download, from a write, i.e. upload), the interaction message ID, the offset length of the file transfer and the total length of the file. Because the message formats in the interaction differ between downloading and uploading, the data in each field of the message differs, and the data structures used in processing differ as well. Upload and download are therefore restored separately.
The client is configured to respond to the restoring instruction of the server and acquire the direction of the message in the transmission process, where the direction is either the request direction or the response direction. The direction describes the roles and the communication order of the sender and the receiver of the message: in the SMB protocol, the request direction is a message sent from the client to the server, and the response direction is a message sent from the server to the client in response to the request.
S210: If the direction is the request direction, acquire the restored file field information of the request direction message and store it in the session control structure.
The restored file field information includes the interactive message number message_id, the file offset, the file name, the file size, and the file total length information. When the SMB message is a download (read file) and its direction is the request direction, the request direction message is parsed to acquire its interactive message number message_id, file offset, file name, file size and file total length information. The session control structure comprises a plurality of structures, and different structures are used for storing different restored file field information.
In some embodiments, the session control structure further comprises a linked list for storing and managing a plurality of message_ids in the session structure.
Illustratively, when a request message is received, the server assigns a unique message_id to the request message and adds it to a linked list of the session structure, where each node in the linked list contains the information related to that message_id. Through the linked list of the session control structure, the server can track and manage a plurality of request messages; when a certain request needs to be processed or responded to, the server obtains the corresponding message_id and related information by searching the linked list and then executes the corresponding operation.
During SMB protocol transmission, when the server receives a plurality of request messages in succession, it looks up the corresponding message_id and related information in the linked list of the session control structure and then processes each request according to its type and the operation to be executed.
After the restored file field information of the request direction message is obtained, it is saved in the session control structure. A session is defined as an interaction process between the client and the server in network communication, and this interaction involves the exchange of one or more data packets. The establishment of a session typically begins with the client sending a request to the server, for example an HTTP request. The server responds to the request and sends one or more data packets in response. This process may contain specific information such as the source IP address, destination IP address, source port, destination port and protocol type, i.e., the five-tuple information, which is used to uniquely identify a session.
Because the session control structure stores information belonging to the same session, if other instructions of the same session were already handled before the current store, the session control structure already exists, and the restored file field information is stored in that existing session control structure.
In network communications, quintuple information can be used to determine a particular network connection or session. That is, if the five-tuple information of two network connections is the same, they are connections in the same session. For the first occurrence of session information, in some embodiments, five-tuple information is obtained; and creating a session control structure according to the quintuple information. Messages with the same quintuple information belong to the same session.
Because the interaction of the SMB protocol is not fixed, a plurality of request messages can be sent in sequence during the message interaction, and the response messages carrying the file data to be written are sent afterwards. Referring to the message exchange mode of Fig. 2, the file offsets in the requests do not necessarily read the file sequentially, and parts of the file may be skipped, so the message_id of each request and the file offset that belongs to it need to be recorded. The matching offset information can then be looked up in the session control structure through the message_id.
Restored file field information such as the file offset is looked up through the message_id. Because the message_id is looked up frequently, the message_id information of each request can be stored in an array, which allows the data to be accessed and operated on efficiently. In some embodiments, the interval time of the request direction messages can be obtained; if the interval time is smaller than the time threshold, the number of sessions that the session control structure can save is acquired, and an integer array is created in the session control structure, wherein the array is used for storing the interactive message number, the file offset and the file size of the request direction message, and the size of the array is the same as the number of sessions that the session control structure can save.
By setting the size of the session control structure and of the array, the number of simultaneous sessions can be limited, which prevents excessive consumption of system resources caused by too many concurrent requests.
The restored file field information is stored in the session control structure, and it is then determined whether the session->mem_file structure is empty. If it is empty, the message is the first request message received, and memory of the corresponding size is applied for from the memory system at this point so that the file blocks of the request messages can be stored according to the file offset.
It will be appreciated that each message_id is used only once during a complete file transfer interaction. During a file download or upload, the client sends a request asking the server to send or receive the file, and this request contains a message_id that identifies it. After receiving the request, the server processes it according to the message_id in the request and sends a response to the client. In this process the message_id identifies each request or response uniquely; once a message_id has been sent, it is discarded and not reused. Therefore, unlike file restoration in other protocols, SMB file download and upload do not wait for the client and the server to complete one interaction before the next message_id is issued. Each message_id is independent and unique and is associated with only one specific file transfer interaction.
S220: If the direction is the response direction, acquire the interactive message number of the response direction message.
Each request message corresponds to one message_id, and the response message carries the same message_id field, indicating that the two form one complete interaction. The message_id acquired from the response direction message is therefore the same as the message_id of the request direction message. Because the restored file field information of the same session was already stored in the session control structure, if the same message_id is found there, the other restored file field information stored together with that message_id can be acquired.
S300: If the interactive message number of the response direction message exists in the session control structure, match the other restored file field information besides the interactive message number.
Referring to the message exchange process of Fig. 3, the other restored file field information besides the interactive message number includes the file offset, file name, file size and file total length information. The file offset indicates the current read/write position in the file. Each read or write operation starts at the current file offset, and the offset then increases by the number of bytes read or written.
S400: Write the file blocks of the request direction message or the response direction message into the memory according to the file offset.
The message format in SMB protocol transmission comprises a NETBIOS header, an SMB header and text content, where the text content is the file data. The messages in an upload or download therefore carry text content, and this text content is the file that needs to be restored in this embodiment. When the request direction message or the response direction message is matched, the text content of the messages thus comprises a plurality of file blocks. As described above, whether the session->mem_file structure is empty is determined, that is, the memory file structure mem_file in the session control structure is detected; if the memory file structure is in its default initial state, memory of the file size given in the restored file field information is applied for. An exemplary memory structure is as follows:
struct mem_file {
    void *file;            /* content pointer of the file */
    int mem_len;           /* currently written file length */
    int mem_offset;        /* offset value of the written file */
    char *mem_file_name;   /* file name */
};
A memory file structure in its default initial state has every member variable set to its default value. For example, if the structure includes an integer variable, it may be initialized to 0; if it includes a character variable, it may be initialized to the null character '\0'; if it includes a pointer variable, it may be initialized to NULL.
To adjust the memory size dynamically, in some embodiments the memory is applied for from the operating system. The memory comprises a plurality of memory blocks: a memory space of fixed size is applied for in advance and divided into a plurality of small blocks, and a memory block can store one file block or several file blocks. Each memory block may have a unique identifier to facilitate tracking and management. The size of a memory block can also be adjusted dynamically according to the size of the target file.
After the memory blocks have been applied for, the file name and file offset data in the session control structure can be assigned to the memory blocks. In some embodiments, the restored file field information in the session control structure is assigned to the fields of the memory; the offset of the file pointer is set to the offset field of the memory; and the file block of the request direction message is written at the corresponding offset field of the memory according to the file offset of the request direction message.
The restored file field information has a mapping relation with the fields; illustratively, the file name is assigned to mem_file_name and the file offset is assigned to mem_offset.
After assignment, the file pointer is moved to mem_offset. When the response direction message is processed, the content of the target file can then be written to the correct position using only the file offset from the request direction, for example offset1 in Fig. 4.
In some embodiments, the type of the file block may also be obtained before the file block is written into memory. If the file type of the file block is an executable file, the file block is checked with a detection method based on behavior analysis to obtain a detection result; if the detection result is that no malicious behavior is detected, the content of the file block is written.
By setting file type restrictions, transmission of viruses and other malicious files can be prevented. For example, transmission of certain types of executable files (e.g., .exe, .com, .dll, etc.) may be prohibited, thereby reducing the risk of virus transmission. The transmitted file content is then checked to identify potential malicious code. This can be achieved by file scanning, virus feature matching or detection methods based on behavior analysis. Behavior analysis can detect malicious behavior of the file, such as theft of sensitive data, destruction of systems or remote control, and can discover potential malicious activity. If no malicious activity is detected, the contents of the file block may be safely written to the file.
S500: read the total length of the written file blocks in the memory and the total length of the file in the corresponding restored file field information; if the total length of the written file blocks is the same as the total length of the file, the target file restoration is completed.
As the file blocks are gradually written into the memory, once the total length of the written file blocks equals the total length of the file, the target file is held completely in memory; the file blocks stored in the memory are then written to the hard disk to complete the restoration of the target file. Writing the target file to memory first and to the hard disk afterwards improves performance and reduces IO operations. The memory holds a plurality of file blocks, and whether the target file can be written to the hard disk is decided by checking whether the length of the file blocks written in memory equals the total length of the file in the restored file field information; if the two are equal, the target file can be written to the hard disk.
Taking a read to download a 2M size file as an example, the data structure according to S200-S500 is as follows:
Uploading is handled in the same way as downloading: after the message type of the SMB protocol is determined to be an upload file, the direction of the message is likewise obtained. In some embodiments, if the message type of the SMB protocol is an upload file, the direction of the message is obtained; if the direction is the request direction, the restored file field information of the request direction message is acquired and stored to the session control structure; if the interactive message number in the restored file field information of the request direction message exists in the session control structure, the file offset in the session control structure is matched; and the file block of the request direction message is written into the memory according to the file offset.
However, unlike downloading, in the upload process of this embodiment the response direction message does not need to be considered: the restored file field information of the request direction message is obtained directly, and after it is stored in the session control structure, the file offset is obtained directly through the message_id and the file block is written into the memory.
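The download path of S200-S500 as an added example, not code from the patent: read requests record message_id, offset and length, and each response block is written at the offset recorded under its message_id, so blocks arriving out of order still land in the right place. The names session_init, on_request, on_response, MAX_PENDING and MAX_FILE are hypothetical, and the sample file is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 16            /* assumed size of the per-session request table */
#define MAX_FILE (64u << 20)      /* assumed cap on a wire-supplied file length */

struct pending {                  /* restored file field info from one request */
    uint64_t message_id, offset;
    uint32_t length;
    int in_use;
};

struct session {                  /* simplified session control structure */
    struct pending req[MAX_PENDING];
    uint8_t *file;                /* memory file content */
    uint64_t mem_len;             /* bytes written so far */
    uint64_t total_len;           /* total file length */
};

int session_init(struct session *s, uint64_t total_len) {
    memset(s, 0, sizeof *s);
    if (total_len == 0 || total_len > MAX_FILE) return -1;
    s->file = calloc(1, (size_t)total_len);
    s->total_len = total_len;
    return s->file ? 0 : -1;
}

/* Request direction: remember message_id -> (offset, length). */
int on_request(struct session *s, uint64_t id, uint64_t off, uint32_t len) {
    /* Offsets come from the wire: reject ranges outside the file. */
    if (off > s->total_len || len > s->total_len - off) return -1;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!s->req[i].in_use) {
            s->req[i] = (struct pending){ id, off, len, 1 };
            return 0;
        }
    }
    return -1;                    /* table full */
}

/* Response direction: returns 1 when the file is complete, 0 when the block
 * was written, -1 when the message_id is unknown or the block is too long. */
int on_response(struct session *s, uint64_t id, const uint8_t *data, uint32_t len) {
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending *p = &s->req[i];
        if (!p->in_use || p->message_id != id) continue;
        if (len > p->length) return -1;
        memcpy(s->file + p->offset, data, len);
        s->mem_len += len;
        p->in_use = 0;            /* one response per request */
        return s->mem_len == s->total_len;
    }
    return -1;
}

/* Constructed sample: a 10-byte file read in three blocks whose responses
 * arrive in the order 3, 1, 2. Returns 1 if the file is restored intact. */
int demo_out_of_order(void) {
    struct session s;
    if (session_init(&s, 10) != 0) return 0;
    on_request(&s, 1, 0, 4);
    on_request(&s, 2, 4, 4);
    on_request(&s, 3, 8, 2);
    int r3 = on_response(&s, 3, (const uint8_t *)"89", 2);
    int r1 = on_response(&s, 1, (const uint8_t *)"0123", 4);
    int r2 = on_response(&s, 2, (const uint8_t *)"4567", 4);
    int ok = r3 == 0 && r1 == 0 && r2 == 1 &&
             memcmp(s.file, "0123456789", 10) == 0;
    free(s.file);
    return ok;
}

int main(void) { return demo_out_of_order() ? 0 : 1; }
```

Completion here uses the length-equality test of S500; requests for overlapping or repeated ranges would be counted twice, so a sensor that must tolerate them would track covered ranges rather than a byte total.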
In order to facilitate the execution of the method described above, some embodiments of the present application further provide an SMB protocol file restore system, including:
the acquisition unit is used for acquiring a restoring instruction of the target file;
responding to the restoring instruction, and if the message type of the SMB protocol is a downloaded file, acquiring the direction of the message by the acquisition unit; if the direction is the request direction, the method is used for acquiring restored file field information of a request direction message and storing the restored file field information into a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information; if the direction is the response direction, the interactive message number of the response direction message is obtained;
the matching unit is used for matching the restored file field information except the interactive message number in the restored file field information if the interactive message number of the response direction message exists in the session control structure;
the writing unit is used for writing the file blocks of the request direction message or the response direction message into the memory according to the file offset;
the reading unit is used for reading the total length of the written file blocks in the memory and the total length of the file in the corresponding restored file field information; if the total length of the written file blocks is the same as the total length of the file, the target file restoration is completed.
According to the above technical scheme, the application provides a method and a system for restoring an SMB protocol file. A restoring instruction of a target file is obtained, and if the message type of the SMB protocol is a downloaded file, the direction of the message is obtained. If the direction is the request direction, the restored file field information of the request direction message is acquired and stored into a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information. If the direction is the response direction, the interactive message number of the response direction message is acquired; if the interactive message number of the response direction message exists in the session control structure, the restored file field information other than the interactive message number is matched; a file block of the request direction message or the response direction message is written into a memory according to the file offset; and the total length of the written file blocks in the memory and the total length of the file in the corresponding restored file field information are read, and if the two are the same, the target file restoration is completed. By storing the restored file field information in the session control structure and using the interactive message number and the file offset, the method and the system solve the problem of out-of-order file blocks in SMB protocol file transmission, so that the complete target file is restored.
The foregoing detailed description of the embodiments is merely illustrative of the general principles of the present application and should not be taken in any way as limiting the scope of the invention. Any other embodiments developed in accordance with the present application without inventive effort are within the scope of the present application for those skilled in the art.

Claims (10)

1. An SMB protocol file restoration method, comprising:
acquiring a restoring instruction of a target file;
responding to the restoring instruction, and if the message type of the SMB protocol is a downloaded file, acquiring the direction of the message;
if the direction is the request direction, acquiring restored file field information of the request direction message, and storing the restored file field information to a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information;
if the direction is the response direction, acquiring the interactive message number of the response direction message;
if the interactive message number of the response direction message exists in the session control structure, matching the other restored file field information except the interactive message number in the restored file field information;
writing the file block of the request direction message or the response direction message into a memory according to the file offset;
and reading the total length of the written file blocks in the memory and the total length of the files in the corresponding restored file field information, and if the total length of the written file blocks is the same as the total length of the files, indicating that the target file restoration is completed.
2. The SMB protocol file restore method according to claim 1, wherein said responding to said restore instruction comprises:
if the message type of the SMB protocol is an uploading file, acquiring the direction of the message;
if the direction is the request direction, acquiring the restored file field information of the request direction message, and storing the restored file field information to the session control structure;
if the interactive message number in the restored file field information of the request direction message exists in the session control structure, matching the file offset in the session control structure;
and writing the file block of the request direction message into a memory according to the file offset.
3. The SMB protocol file restore method according to claim 1, wherein writing the file block of the request direction message or the response direction message into the memory according to the file offset includes:
detecting a memory file structure body in the session control structure, wherein the session control structure comprises a plurality of structure bodies;
if the memory file structure is in a default initial state, writing the file block of the request direction message or the response direction message into a memory according to the file offset, wherein the memory comprises a plurality of fields.
4. The SMB protocol file restore method according to claim 3, wherein writing the file block of the request direction message or the response direction message into the memory according to the file offset includes:
assigning the restored file field information in the session control structure to the field of the memory, wherein the restored file field information and the field have a mapping relation;
setting the file pointer to be shifted to the shifting field of the memory;
and writing the file block of the request direction message into an offset field corresponding to the memory according to the file offset of the request direction message.
5. The SMB protocol file restore method according to claim 3, wherein said writing a file block of said request direction message or said response direction message into a memory according to said file offset, further comprises:
applying for a memory from an operating system, wherein the memory comprises a plurality of memory blocks.
6. The SMB protocol file restore method according to claim 1, wherein after reading the total length of the written file block in the memory and the total length of the file corresponding to the restored file field information, the method includes:
searching restored file field information corresponding to the file block according to the written file block;
if the total length of the written file blocks is the same as the total length of the file in the restored file field information, representing that the target file is stored in the memory;
and writing the target file stored in the memory into a hard disk to complete the restoration of the target file.
7. The SMB protocol file restore method according to claim 1, wherein said saving said restore file field information to a session control structure comprises:
acquiring the interval time of the request direction message;
if the interval time is smaller than the time threshold value, acquiring the number of the conversation which can be saved by the conversation control structure; and creating an integer array in the session control structure, wherein the array is used for storing the interactive message number, the file offset and the file size of the request direction message, and the size of the array is the same as the number of the session which can be saved by the session control structure.
8. The SMB protocol file restore method of claim 1, further comprising:
acquiring quintuple information;
and creating a session control structure according to the quintuple information.
9. The SMB protocol file restore method according to claim 1, wherein writing a file block of said request direction message or said response direction message into a memory, further comprises:
acquiring the file block type;
if the file block type is an executable file, detecting the file block based on a behavior analysis detection method to obtain a detection result;
and if the detection result is that the malicious behavior is not detected, writing the content of the file block.
10. An SMB protocol file restore system for performing the SMB protocol file restore method of any of claims 1-9, said system comprising:
the acquisition unit is used for acquiring a restoring instruction of the target file;
responding to the restoring instruction, and if the message type of the SMB protocol is a downloaded file, acquiring the direction of the message by the acquisition unit; if the direction is a request direction, acquiring restored file field information of the request direction message, and storing the restored file field information to a session control structure, wherein the restored file field information comprises an interactive message number, a file offset, a file name, a file size and file total length information; if the direction is the response direction, the interactive message number of the response direction message is obtained;
the matching unit is used for matching the restored file field information except the interactive message number in the restored file field information if the interactive message number of the response direction message exists in the session control structure;
the writing unit is used for writing the file block of the request direction message or the response direction message into a memory according to the file offset;
and the reading unit is used for reading the total length of the written file blocks in the memory and the total length of the files in the corresponding restored file field information, and if the total length of the written file blocks is the same as the total length of the files, the target file restoration is represented.
CN202410024108.8A 2024-01-05 2024-01-05 SMB protocol file restoration method and system Active CN117812068B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410024108.8A CN117812068B (en) 2024-01-05 2024-01-05 SMB protocol file restoration method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410024108.8A CN117812068B (en) 2024-01-05 2024-01-05 SMB protocol file restoration method and system

Publications (2)

Publication Number Publication Date
CN117812068A true CN117812068A (en) 2024-04-02
CN117812068B CN117812068B (en) 2025-01-07

Family

ID=90431607

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410024108.8A Active CN117812068B (en) 2024-01-05 2024-01-05 SMB protocol file restoration method and system

Country Status (1)

Country Link
CN (1) CN117812068B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020065924A1 (en) * 1999-10-14 2002-05-30 Barrall Geoffrey S. Apparatus and method for hardware implementation or acceleration of operating system functions
US20060129537A1 (en) * 2004-11-12 2006-06-15 Nec Corporation Storage management system and method and program
CN102316074A (en) * 2010-07-01 2012-01-11 电子科技大学 HTTP (hyper text transfer protocol) multithreading restoration method based on libnids
CN110545271A (en) * 2019-08-28 2019-12-06 北京天融信网络安全技术有限公司 method and system for restoring file
CN110839060A (en) * 2019-10-16 2020-02-25 武汉绿色网络信息服务有限责任公司 A kind of file restoration method and device for HTTP multi-session in DPI scene
CN112583936A (en) * 2020-12-29 2021-03-30 上海阅维科技股份有限公司 Method for recombining transmission conversation flow
CN112995184A (en) * 2021-03-05 2021-06-18 中电积至(海南)信息技术有限公司 Multi-source network flow content complete restoration method and device
CN115277058A (en) * 2022-06-10 2022-11-01 新华三信息安全技术有限公司 Communication method and device
CN115865951A (en) * 2022-10-31 2023-03-28 上证所信息网络有限公司 A file sharing system and method based on blockchain and IPFS

Also Published As

Publication number Publication date
CN117812068B (en) 2025-01-07

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: Room 01, 1st Floor, Building 11, Phase I, Guanggu Power Energy saving and Environmental Protection Technology Enterprise Incubator (Accelerator), No. 308 Guanggu Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province 430074

Applicant after: Anbotong Junshi Digital Technology (Hubei) Co.,Ltd.

Address before: Room 01, 1st Floor, Building 11, Phase I, Optics Valley Power Energy Conservation and Environmental Protection Technology Enterprise Incubator (Accelerator), No. 308 Optics Valley Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province, 430070

Applicant before: Hubei Anbotong Technology Co.,Ltd.

Country or region before: China

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant