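Why define a custom micro file system (an emulation can ignore many hardware characteristics, such as disk heads or the disk unit size), when is one needed, and where is it used? There are many places. Leaving those aside for a moment, a micro file system is a block "cache" that resides in memory, which makes it very efficient and gives it a degree of security (watch out for vulnerabilities caused by logic bugs). Examples are file encryption and WEB servers, especially WEB servers: for both static files (efficient access, uploading temporary files to the server) and dynamic CGI (binary execution safety, uploaded malicious scripts) it has certain advantages, because inside the micro system there is only read/write functionality and no kernel image loading or execution. The server's accesses are confined to a custom micro file system, where it can read any data and even modify any data (for example, compress it), but we do not save it (a storage feature does exist, of course). The emulated micro file system can support arbitrary logical volume names and path names.
[For example, a malicious file uploaded through a 0-day in the server process sits inside the isolated micro file system and does not exist on the actual hard disk, so executing it naturally fails.]
Free gap blocks can be fully used here (short of actually running out of space), which means the data of a single file may be stored scattered and out of order (in chunks); the important point is to pay attention to block alignment.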
#include <windows.h> // ULONG_PTR, LONG_PTR, TEXT
#define BOOT_AREA_SIZE (512)
#define ZONE_NAME_SIZE (16)
#define DISK_ZONE_COUNT (16) // maximum number of logical disks that can be created
#define USER_NAME_SIZE (20)
#define USER_NAME_COUNT (64) // UACL: maximum number of users
#define FOLDER_NAME_SIZE (128)
#define FOLDER_NAME_COUNT (256) // maximum number of folders that can be created per level
#define FOLDER_DIR_COUNT (16) // maximum number of subfolders
#define FOLDER_MASK_SIZE FOLDER_DIR_COUNT
#define FILE_NAME_SIZE (128)
#define FILE_MASK_SIZE FOLDER_DIR_COUNT
#define FILE_SYSTEM_NAME_SIZE (8)
#define SINGLE_CLUSTER_SIZE (1024)
#define SINGLE_SECTION_SIZE (512)
#define FILE_SYSTEM_TYPE (0x0CC99)
#define FILE_SYSTEM_VERSION (0x0100)
#define RESERVED_AREA_SIZE (908) //(SINGLE_CLUSTER_SIZE - (sizeof(_FALS_LOGICDISK_HEADER) % SINGLE_CLUSTER_SIZE))
#define RESERVED_SECTION_SIZE (24) //(SINGLE_CLUSTER_SIZE - (sizeof(_FALS_PHYSICSDISK_HEADER) % SINGLE_CLUSTER_SIZE))
#define FILE_SYSTEM_NAME ("FALS")
#define INITVALUE (0x0FFFF)
#pragma pack(1)
typedef struct _FALS_ACE_USER {
    unsigned char uUserName[USER_NAME_SIZE];
    union _USER_CONTROL_ {
        struct _CONTROL_ {
            unsigned char uRead : 1;
            unsigned char uWrite : 1;
            unsigned char uReadOrWrite : 1;
            unsigned char uDelete : 1; // marks the user as deleted
            unsigned char uDisableAccess : 1;
            unsigned char uNotAllowExecution : 1; // execution is not allowed
            unsigned char uAllowAccessFolders : 1; // whether opening folders is allowed
            unsigned char uUserActivate : 1; // whether the user is activated
            unsigned char uRootPower : 1; // this privilege allows direct read/write of the logical disk data structures
            unsigned int uReservedAttreib : 23;
        } CTL;
        unsigned int uUserAttreib;
    } USER;
} FALS_ACE_USER, *PFALS_ACE_USER;
typedef struct _FALS_ZONE_INFO {
    unsigned char uLogicDiskName[ZONE_NAME_SIZE];
    ULONG_PTR uStartLogicDiskPoint;
    LONG_PTR lLogicDiskSize; // allocated logical disk size
    union _ZONE_ATTREIB_ {
        struct _ATTREIB_ {
            unsigned char uRead : 1;
            unsigned char uWrite : 1;
            unsigned char uReadOrWrite : 1;
            unsigned char uShutDown : 1; // unused
            unsigned char uDisableAccess : 1;
            unsigned char uOpenedUserAccessControl : 1; // user access control enabled
            unsigned char uOpenedDataCompress : 1; // disk compression/encryption enabled
            unsigned char uShareZone : 1;
            unsigned int uReservedAttreib : 24;
        } ATB;
        unsigned int uZoneAttreib;
    } ZONE;
    FALS_ACE_USER stFalsAceUser[USER_NAME_COUNT]; // user control list
} FALS_ZONE_INFO, *PFALS_ZONE_INFO;
typedef struct _FALS_FILE_INFO {
    unsigned char uFileName[FILE_NAME_SIZE];
    unsigned short uFileMask[FILE_MASK_SIZE]; // folder pseudo-identifier
    LONG_PTR lFileSize; // actual file size
    LONG_PTR lFileLogicSize; // aligned size actually occupied, excluding the FALS_FILE_INFO header
    union _FILE_ATTREIB_ {
        struct _ATTREIB_ {
            unsigned char uRead : 1;
            unsigned char uWrite : 1;
            unsigned char uReadOrWrite : 1;
            unsigned char uIsDelete : 1; // has been deleted
            unsigned char uDisableAccess : 1;
            unsigned char uOpenedUserAccessControl : 1; // user access control enabled
            unsigned char uOpenedDataCompress : 1; // disk compression/encryption enabled
            unsigned char uSliverData : 1; // the file data is fragmented (stored as slivers)
            unsigned short uFileMaskSize;
            unsigned char uShareFile : 1;
            unsigned int uReservedAttreib : 7;
        } ATB;
        unsigned int uFileAttreib;
    } FILE;
    //FALS_ACE_USER stFalsAceUser[USER_NAME_COUNT]; // user control list
    ULONG_PTR uNextFilePoint; // position of the next file
    ULONG_PTR uBeforeFilePoint; // position of the previous file
    struct _FILE_SLIVER_ {
        LONG_PTR lFileDataSize; // actual data size, excluding the size of _FILE_SLIVER_
        LONG_PTR lFileLogicSize; // total size actually occupied, including the size of _FILE_SLIVER_
        //ULONG_PTR uFileDataPoint;
        ULONG_PTR uNextFileSliver;
    } FS;
    unsigned char uFileData[0];
} FALS_FILE_INFO, *PFALS_FILE_INFO;
typedef struct _FALS_FOLDER_INFO {
    unsigned char uFolderName[FOLDER_NAME_SIZE];
    unsigned short uFolderMask[FOLDER_MASK_SIZE];
    union _FOLDER_ATTREIB_ {
        struct _ATTREIB_ {
            unsigned char uRead : 1;
            unsigned char uWrite : 1;
            unsigned char uReadOrWrite : 1;
            unsigned char uIsDelete : 1; // has been deleted
            unsigned char uDisableAccess : 1;
            unsigned char uOpenedUserAccessControl : 1; // user access control enabled
            unsigned short uFolderMaskSize;
            unsigned char uShareFolder : 1;
            unsigned int uReservedAttreib : 9;
        } ATB;
        unsigned int uFolderAttreib;
    } FOLDER;
    unsigned short uSubFolderCount; // total number of subdirectories
    ULONG_PTR uFileCacheListPoint; // used for fast lookup
    //FALS_ACE_USER stFalsAceUser[USER_NAME_COUNT]; // user control list
} FALS_FOLDER_INFO, *PFALS_FOLDER_INFO;
typedef struct _FALS_FOLDER_LIST {
    unsigned int uUseFolderListCount; // number of entries in use
    FALS_FOLDER_INFO stFalsFolderInfo[FOLDER_NAME_COUNT]; // current directory count
} FALS_FOLDER_LIST, *PFALS_FOLDER_LIST;
typedef struct _FALS_LOGICDISK_HEADER {
    unsigned char uFileSystemName[FILE_SYSTEM_NAME_SIZE];
    unsigned long uSingleClusterSize; // size of each cluster
    unsigned long uSingleSectionSize; // size of each sector
    unsigned int uSingleClusterCount; // total clusters on the logical disk
    unsigned int uSingleSectionCount; // total sectors on the logical disk
    LONG_PTR llogicDiskSurplusSize; // remaining space on the logical disk
    LONG_PTR lLogicDiskDeleteSize; // size of the deleted data
    FALS_FOLDER_LIST stFalsFolderDirList[FOLDER_DIR_COUNT]; // directory levels of the logical disk
    struct _FILE_LIST_POS_ {
        ULONG_PTR uStartFileListPoint; // head of the file data
        ULONG_PTR uStartFileDeleteList; // deleted file information
        ULONG_PTR uFinalFileListPoint; // last link in the file chain
        ULONG_PTR uNextFileDataPoint; // currently available file data position
        ULONG_PTR uNextFileDeletePoint; // current slot where a deletion link can be saved
    } FLP;
    unsigned char uReservedArea[RESERVED_AREA_SIZE]; // reserved alignment area
    unsigned char uFileListData[0]; //this->FALS_FILE_INFO
} FALS_LOGICDISK_HEADER, *PFALS_LOGICDISK_HEADER;
typedef struct _FALS_PHYSICSDISK_HEADER {
    unsigned char uBootAreaOpcodes[BOOT_AREA_SIZE];
    unsigned short uFileSystemType; // file system type
    unsigned short uFileSystemVersion; // file system version
    unsigned long uSingleClusterSize; // size of each cluster
    unsigned long uSingleSectionSize; // size of each sector
    unsigned int uSingleClusterCount; // total clusters on the physical disk
    unsigned int uSingleSectionCount; // total sectors on the physical disk
    LONG_PTR lPhysicsDiskSurplusSize; // remaining space on the physical disk
    FALS_ZONE_INFO stFalsZoneInfo[DISK_ZONE_COUNT]; // logical disk list information
    unsigned char uReservedSection[RESERVED_SECTION_SIZE]; // reserved alignment section
    unsigned char uFalsLogicDiskData[0]; // this->FALS_LOGICDISK_HEADER
} FALS_PHYSICSDISK_HEADER, *PFALS_PHYSICSDISK_HEADER;
typedef struct _FALS_SLIVER_INFO {
    LONG_PTR lFileDataSize;
    LONG_PTR lFileLogicSize;
    //ULONG_PTR uFileDataPoint;
    ULONG_PTR uNextFileSliver;
    unsigned char uFileData[0];
} FALS_SLIVER_INFO, *PFALS_SLIVER_INFO;
typedef struct _FALS_FOLDER_DATA {
    unsigned short uDataMaskSize;
    unsigned short uDataMask[FOLDER_MASK_SIZE];
    PFALS_FOLDER_LIST lpFolderList; // folder information under the current directory
    PFALS_FILE_INFO lpFileInfo; // file information under the current directory
} FALS_FOLDER_DATA, *PFALS_FOLDER_DATA;
#pragma pack()
enum _FALS_ERROR_CODE_ {
    FALS_SUCCRESS,
    FALS_FAILURE,
    FALS_NULL_PARAM,
    FALS_SIZE_PARAM, // parameter size is incorrect
    FALS_FOLDER_CAP, // folder count limit reached
    FALS_FOLDER_NOT_FIND,
    FALS_FOLDER_EXISTS,
    FALS_FOLDER_DIR,
    FALS_FILE_EXISTS,
    FALS_NOT_FIND_LOGICDISK,
    FALS_NOT_FIND_FOLDER,
    FALS_NOT_FIND_FILE,
    FALS_NOT_FIND_USER,
    WRITE_FILE_DATA_FAIL
};
#define FALS_PATH TEXT("D:\\TDDownload\\Fals.sys")
#define MAX_SUPPORT_AREA_SIZE (SINGLE_CLUSTER_SIZE * 2 - 1)
void * __cdecl InitFalsSystem(LONG_PTR * lpPhysicsDiskSize);
void * __cdecl CreateFalsLogicDisk(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader,
const char * lpLogicName, const char * lpDefaultUserName, LONG_PTR * lpLogicDiskSize);
void * __cdecl GetFalsLogicDiskZoneInfo(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader, const char * lpLogicName);
void __cdecl FormatFalsLogicDisk(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader);
void * __cdecl GetLogicDiskSpecifyUserInfo(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader,
const char * lpLogicName, const char * lpszUserName);
void * __cdecl CreateLogicDiskSpecifyUserName(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader,
const char * lpLogicName, const char * lpszUserName);
int __cdecl DeleteLogicDiskSpecifyUser(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader,
const char * lpLogicName, const char * lpszUserName);
int __cdecl CreateLogicDiskFolder(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader, const char * lpszFolderPath);
int __cdecl DeleteLogicDiskFolder(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader, const char * lpszFolderPath);
int __cdecl CreateLogicDiskFile(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader,
const char * lpszFilePath, const void * lpFileData, LONG_PTR uFileDataSize);
int __cdecl DeleteLogicDiskFile(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader, const char * lpszFilePath);
int __cdecl ReadLogicDiskFile(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader,
const char * lpszFilePath, LONG_PTR lStartReadFilePos, void * lpReadBuffer, LONG_PTR * lpReadSize);
int __cdecl WriteLogicDiskFile(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader,
const char * lpszFilePath, LONG_PTR lStartWriteFilePos, void * lpWriteBuffer, LONG_PTR uWriteSize);
LONG_PTR __cdecl GetLogicDiskSpecifyFileSize(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader, const char * lpszFilePath);
int __cdecl GetLogicDiskSpecifyFolderData(PFALS_LOGICDISK_HEADER lpFalsLogDiskHeader,
const char * lpszFolderPath, PFALS_FOLDER_DATA lpFalsFolderData);
void * __cdecl OpenFalsSystem(LONG_PTR * lpPhysicsDiskSize);
bool __cdecl SaveFalsSystem(PFALS_PHYSICSDISK_HEADER lpFalsPhyDiskHeader);
......
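
The scattered, block-aligned storage described at the top means a read has to walk a chain of slivers, and that walk is exactly where the logic bugs mentioned there turn into out-of-bounds reads. The following is an added example, not code from the original post: `sliver_hdr`, `read_sliver_chain`, `put_sliver` and the `CHAIN_*` codes are hypothetical names, and it assumes the "points" are byte offsets from the start of the in-memory image with 0 ending the chain (the post does not say how they are encoded).

```c
#include <stdint.h>
#include <string.h>

#define SINGLE_CLUSTER_SIZE 1024u  /* value from the page */

/* Hypothetical portable stand-in for FALS_SLIVER_INFO. Assumption: the
   "points" are byte offsets from the image start and 0 ends the chain. */
typedef struct {
    int64_t  lFileDataSize;   /* payload bytes in this sliver */
    int64_t  lFileLogicSize;  /* cluster-aligned footprint, header included */
    uint64_t uNextFileSliver; /* offset of the next sliver */
} sliver_hdr;

enum { CHAIN_OK, CHAIN_BAD_OFFSET, CHAIN_BAD_SIZE, CHAIN_LOOP, CHAIN_SHORT_BUF };

/* Copy a fragmented file out of the image, rejecting chains that leave the
   image, break cluster alignment, overrun their sliver, or cycle. */
int read_sliver_chain(const uint8_t *img, uint64_t img_size, uint64_t first,
                      uint8_t *out, uint64_t out_cap, uint64_t *out_len)
{
    uint64_t max_hops = img_size / SINGLE_CLUSTER_SIZE, hops = 0, off = first;
    *out_len = 0;
    while (off != 0) {
        sliver_hdr h;
        if (++hops > max_hops) return CHAIN_LOOP;  /* more hops than clusters */
        if (off % SINGLE_CLUSTER_SIZE || off > img_size ||
            img_size - off < sizeof h) return CHAIN_BAD_OFFSET;
        memcpy(&h, img + off, sizeof h);           /* header is now in bounds */
        if (h.lFileDataSize < 0 || h.lFileLogicSize <= 0 ||
            (uint64_t)h.lFileLogicSize % SINGLE_CLUSTER_SIZE ||
            (uint64_t)h.lFileLogicSize > img_size - off ||
            (uint64_t)h.lFileDataSize > (uint64_t)h.lFileLogicSize - sizeof h)
            return CHAIN_BAD_SIZE;
        if ((uint64_t)h.lFileDataSize > out_cap - *out_len) return CHAIN_SHORT_BUF;
        memcpy(out + *out_len, img + off + sizeof h, (size_t)h.lFileDataSize);
        *out_len += (uint64_t)h.lFileDataSize;
        off = h.uNextFileSliver;
    }
    return CHAIN_OK;
}

/* Constructed sample data: write a one-cluster sliver at an aligned offset. */
void put_sliver(uint8_t *img, uint64_t off, const char *data, uint64_t next)
{
    sliver_hdr h = { (int64_t)strlen(data), SINGLE_CLUSTER_SIZE, next };
    memcpy(img + off, &h, sizeof h);
    memcpy(img + off + sizeof h, data, strlen(data));
}
```

Because every sliver occupies at least one cluster, a valid chain can never have more hops than the image has clusters, which gives cycle detection without a visited set.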