Quietly replacing in-use system files on Windows 2000/XP

xiaoxiao2021-03-06  41

A little preamble first. After two years of hanging around this forum my name still appears nowhere in its document archive: I cannot post an essence article, and I cannot reply to other people's essence posts either. That counts as a small miracle in its own right.

Quietly replacing a system file that is in use means solving two problems:

1. Replacing a file that is currently in use (open or mapped by a running process).

2. Keeping the Windows File Protection dialog that asks for the Windows CD from appearing after the system file has been replaced.

Microsoft ships two tools that can replace in-use files, ZAP and INUSE. Neither comes with source code, so they have to be reverse engineered. INUSE is over 40 KB, ZAP is under 7 KB, so I analysed ZAP.

Open ZAP in IDA. There is a single core function, and its working principle turns out to be simple: rename the in-use file out of the way (Windows lets you rename a file that is open or mapped even though it refuses to delete it), then ask the system to delete the renamed copy at the next reboot. The original path is then free for a replacement. The code below is a straight reimplementation of what the disassembly does.

------------------- cut zap.c -------------------

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/*
 * Rename the in-use file to a temporary name on the same volume (renaming a
 * file that is open or mapped is allowed, deleting it is not), then schedule
 * the temporary file for deletion at the next reboot.  Afterwards the original
 * path is free and a replacement can be copied into place.
 */
BOOL ZapDelFile(char *szFileToDel)
{
    char cTempFileName[MAX_PATH];   /* GetTempFileName needs MAX_PATH */
    char cTempPathName[0x100];
    char cFileName[0x100];

    /* The temporary file must live on the same volume as the target,
       otherwise MoveFileEx would have to copy instead of rename. */
    if (szFileToDel[1] == ':') {
        sprintf(cTempPathName, "%c:\\", szFileToDel[0]);
    } else {
        GetModuleFileName(NULL, cFileName, 0x100);
        sprintf(cTempPathName, "%c:\\", cFileName[0]);
    }

    /* Creates an empty _@xxxx.tmp in the root of that volume. */
    if (GetTempFileName(cTempPathName, "_@", 0, cTempFileName) == 0) {
        return FALSE;
    }

    /* Rename the in-use file over the temporary file
       (the literal 1 in the original is MOVEFILE_REPLACE_EXISTING). */
    if (MoveFileEx(szFileToDel, cTempFileName, MOVEFILE_REPLACE_EXISTING) == 0) {
        return FALSE;
    }

    /* NULL destination with MOVEFILE_DELAY_UNTIL_REBOOT (the literal 4): the
       deletion is recorded in the registry value PendingFileRenameOperations
       and carried out by smss.exe during the next boot. */
    if (MoveFileEx(cTempFileName, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) == 0) {
        return FALSE;
    }

    return TRUE;
}

void usage(char *n)
{
    printf("Usage: %s fileNeedToDel\n", n);
    exit(0);
}

int main(int argc, char *argv[])
{
    printf("ZAP programmed by bgate. :)\n\n");

    if (argc != 2)
        usage(argv[0]);

    if (ZapDelFile(argv[1]) == TRUE) {
        printf("ok\n");
    } else {
        printf("Error %d\n", GetLastError());
    }

    return 0;
}

------------------- end cut -------------------

ZAP can now delete a system file that is in use, but as soon as it does, Windows File Protection pops up the dialog asking for the Windows CD.

Note: back up the system file before deleting it and restore it before rebooting. Also delete the corresponding copy in %SystemRoot%\system32\dllcache before deleting the system file; otherwise Windows File Protection will simply restore the file from that cache.
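The second MoveFileEx call in ZAP, the one with MOVEFILE_DELAY_UNTIL_REBOOT, deletes nothing immediately. It appends a pair of strings to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe performs the recorded operations during the next boot. Until then ZAP's footprint is sitting in the registry for anyone to read. The parser below is an added example, not code from the original post or from ZAP: it decodes the raw value bytes into (source, destination) pairs and flags operations that touch the system directory. The sample value is constructed here to resemble what ZAP leaves behind; the `\??\` prefix and the leading `!` that marks MOVEFILE_REPLACE_EXISTING are the conventions Windows really uses in that value. The trap the code handles is that a delete entry has an empty destination string, so a MULTI_SZ reader that stops at the first empty string silently truncates the list.

```python
"""Parse the PendingFileRenameOperations registry value (raw REG_MULTI_SZ).

Added example, not part of the original post.  Each operation is a pair of
strings: source path, then destination.  An empty destination means delete at
boot; a destination starting with '!' means replace an existing file.
"""

SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")


def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list ends in one more NUL."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Decode raw REG_MULTI_SZ bytes without stopping at empty strings.

    Empty strings are legal inside PendingFileRenameOperations (they mark
    deletions), so strip exactly the two trailing NULs and split on NUL.
    """
    text = raw.decode("utf-16-le")
    for _ in range(2):
        if text.endswith("\0"):
            text = text[:-1]
    return text.split("\0") if text else []


def strip_nt_prefix(path):
    """Turn '!\\??\\C:\\x' or '\\??\\C:\\x' into 'C:\\x'."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def parse_pending_file_rename_operations(raw):
    """Return one dict per pending operation: op, source, destination, touches_system_dir."""
    parts = decode_multi_sz(raw)
    if len(parts) % 2:
        parts.append("")        # a trailing delete whose empty string was lost
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            op = "delete"
        elif dst.startswith("!"):
            op = "replace"
        else:
            op = "rename"
        source = strip_nt_prefix(src)
        destination = strip_nt_prefix(dst) if dst else None
        touches_system = any(d in p.lower()
                             for p in (source, destination or "")
                             for d in SYSTEM_DIRS)
        ops.append({"op": op, "source": source, "destination": destination,
                    "touches_system_dir": touches_system})
    return ops


# Constructed sample: the renamed temp file ZAP scheduled for deletion in the
# drive root, plus one replace-on-boot rename into system32.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\_@A1B2.tmp", "",
    "\\??\\C:\\WINNT\\system32\\new_copy.dll", "!\\??\\C:\\WINNT\\system32\\target.dll",
])

if __name__ == "__main__":
    for op in parse_pending_file_rename_operations(SAMPLE_VALUE):
        flag = "  <-- system directory" if op["touches_system_dir"] else ""
        print("%-7s %s -> %s%s" % (op["op"], op["source"], op["destination"], flag))
```

On a live machine feed the function the raw bytes of the value (from a hive copy or a binary registry export); a tool that hands you the value already split into strings may have dropped the empty entries you care about.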

Next I wanted to get rid of that dialog, so I took out my magic weapon, Google, and found two useful pieces of information.

1. The code that implements Windows File Protection lives in SFC.DLL on Windows 2000 and in SFC_OS.DLL on Windows XP.

2. Setting the registry value SFCDisable (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to 0xFFFFFF9D disables file protection from the next boot onward. On Windows 2000 SP2 and later that value is only honoured when a kernel debugger is attached, which is why a different approach is needed.

The analysis below was done on Windows 2000 SP4; the SFC.dll analysed is version 5.0.2195.6673.

Open sfc.dll in IDA and search the strings for SfcDisable. A plain string search does not find it because the string is stored as Unicode; once IDA is told to show Unicode strings, the reference to SfcDisable turns up in the following code:

.text:769269F9 call    _SfcQueryRegDwordWithAlternate@16 ; SfcQueryRegDwordWithAlternate(x,x,x,x)
.text:769269FE push    ebx
.text:769269FF push    offset aSfcDisable                 ; L"SfcDisable"
.text:76926A04 push    edi
.text:76926A05 push    esi
.text:76926A06 mov     _SfcDebug, eax
.text:76926A0B call    _SfcQueryRegDwordWithAlternate@16 ; SfcQueryRegDwordWithAlternate(x,x,x,x)
.text:76926A10 push    ebx
.text:76926A11 push    offset aSfcScan                    ; L"SfcScan"
.text:76926A16 push    edi
.text:76926A17 push    esi
.text:76926A18 mov     _SfcDisable, eax
.text:76926A1D call    _SfcQueryRegDwordWithAlternate@16 ; SfcQueryRegDwordWithAlternate(x,x,x,x)
.text:76926A22 push    ebx
.text:76926A23 push    offset aSfcQuota                   ; L"SfcQuota"
.text:76926A28 push    edi
.text:76926A29 push    esi
.text:76926A2A mov     _SfcScan, eax

_SfcQueryRegDwordWithAlternate@16 reads a DWORD from the registry, and the pattern above plainly reads the SfcDisable value and stores it in the global _SfcDisable. So fire up SoftICE, set a breakpoint on _SfcDisable, and use the ZAP we just wrote to delete a system file. SoftICE pops up at the code below; EIP is 7692A326 and _SfcDisable is 2.

.text:7692A319 push    ecx
.text:7692A31A and     [esp+4+var_4], 0
.text:7692A31F cmp     _SfcDisable, 3
.text:7692A326 push    ebx
.text:7692A327 push    ebp
.text:7692A328 push    esi
.text:7692A329 push    edi
.text:7692A32A jnz     short loc_7692A333
.text:7692A32C xor     eax, eax
.text:7692A32E jmp     loc_7692A459

Press F5 to continue and the dialog appears a little later, so this is where it is triggered. Good: look at the "cmp _SfcDisable, 3" above. _SfcDisable is 2 at this point, so I changed it to 3 and tried deleting the system file with ZAP again. Luck was with me: this time there was no CD dialog. In other words, as long as _SfcDisable is set to 3 the system file can be replaced quietly. But the address of this global differs between versions, and patching it by hand in SoftICE every time is no good; we need a generic piece of code.

My first thought was that Winlogon probably notices that a system file has been touched and calls an exported function in SFC.dll to check it; get the entry point of that export and we can "comment out" the function. Following the code above I traced back to the last export involved, at 76924544, put a breakpoint there and deleted the file again. SoftICE broke, but not at the entry of the function: it broke at the read of _SfcDisable. The entry had never been hit, yet code inside the function body was running. It looked like I was up against a higher-level opponent, so I pulled out the heavy weapon and opened the Windows 2000 source :). For a long time I could not find the matching code, so I went back to the disassembly and finally found the call to NtWaitForMultipleObjects. No wonder the breakpoint at the entry never fired: the function is entered once at startup and never returns, it sits in its body waiting on events. So "commenting out" the function is not an option.

Then it occurred to me that the SFC.dll export Winlogon calls probably creates a set of events when the system starts. If Winlogon creates them, it should also be able to tear them down. I opened Winlogon in Depends (Dependency Walker): sure enough, it imports two functions from SFC.dll. One is the one just analysed, which creates the events. The other, exported at 76926869, closes those events; it took no effort to find. So all we need is to call this "other" function inside Winlogon and file protection is switched off. The remaining problem is getting code into Winlogon. Issue six of 26A magazine has an article on injection, "Adjust Debugger Access Rightz to Our Process". That article is about SfcDisable too; its method is to search memory for a signature and patch it, which is not very portable across versions.

The injection code below is copied from Crazylord's code, only the method differs :). I was too lazy to check it carefully after writing it, and my skill is limited, so please overlook the inelegant parts.

---------------- cut antisfc.c ----------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <windows.h>
#include <tlhelp32.h>

#pragma comment(lib, "advapi32.lib")

/* Prototype of the SFC.dll / SFC_OS.dll export (ordinal 2) that closes the
   file-protection events.  It is stdcall and takes no arguments. */
typedef void (__stdcall *CLOSEEVENTS)(void);

typedef DWORD ANTISFC_ACCESS;

/*
 * Antisfc structure
 */
typedef struct _ANTISFC_PROCESS {
    DWORD  Pid;                     /* process PID */
    HANDLE ProcessHandle;           /* process handle */
    char   ImageName[MAX_PATH];     /* image name (not full path) */
} ANTISFC_PROCESS, *PANTISFC_PROCESS;

__inline void ErrorMessageBox(char *szAdditionInfo)
{
    printf("Error on %s, error code %d.\n", szAdditionInfo, GetLastError());
}

void usage(char *n)
{
    printf("Usage: %s [/d]\n", n);
    printf("\t/d: disable SFC file protection function.\n");
    exit(0);
}

/* Enable SeDebugPrivilege so winlogon.exe can be opened with PROCESS_ALL_ACCESS. */
DWORD Init(void)
{
    DWORD ret = 0;
    HANDLE hToken;
    LUID seDebugNameValue;
    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        ErrorMessageBox("OpenProcessToken");
    } else {
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugNameValue)) {
            ErrorMessageBox("LookupPrivilegeValue");
        } else {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Luid = seDebugNameValue;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            /* AdjustTokenPrivileges returns TRUE even when it assigned nothing,
               so the last error has to be checked as well. */
            if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)
                || GetLastError() != ERROR_SUCCESS) {
                ErrorMessageBox("AdjustTokenPrivileges");
            } else {
                ret = 1;
            }
        }
        CloseHandle(hToken);
    }
    return ret;
}

/* Find a process by image name (case-insensitive prefix) or by numeric PID.
   Returns the PID and copies the image name into full_path. */
DWORD GetPidEx(char *proc_name, char *full_path)
{
    DWORD dwPid;
    HANDLE hSnapshot;
    PROCESSENTRY32 pe;
    BOOL ret;

    full_path[0] = 0;
    if (isdigit((unsigned char)proc_name[0]))
        dwPid = strtoul(proc_name, NULL, 0);
    else
        dwPid = (DWORD)-1;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        ErrorMessageBox("CreateToolhelp32Snapshot");
        return 0;
    }

    pe.dwSize = sizeof(PROCESSENTRY32);
    ret = Process32First(hSnapshot, &pe);
    while (ret) {
        if (_strnicmp(pe.szExeFile, proc_name, strlen(proc_name)) == 0
            || pe.th32ProcessID == dwPid) {
            dwPid = pe.th32ProcessID;
            strcpy(full_path, pe.szExeFile);
            break;
        }
        pe.dwSize = sizeof(PROCESSENTRY32);
        ret = Process32Next(hSnapshot, &pe);
    }
    CloseHandle(hSnapshot);

    if (dwPid == (DWORD)-1)
        dwPid = 0;
    return dwPid;
}

DWORD InitProcess(PANTISFC_PROCESS process, char *proc_name, ANTISFC_ACCESS access)
{
    DWORD ret = 0;

    process->Pid = GetPidEx(proc_name, process->ImageName);
    if (process->Pid != 0 && process->ImageName[0] != 0) {
        process->ProcessHandle = OpenProcess(access, FALSE, process->Pid);
        if (process->ProcessHandle == NULL)
            ErrorMessageBox("OpenProcess");
        else
            ret = 1;
    }
    return ret;
}

/* Start a thread in the target process at 'function' with a NULL argument
   and give it four seconds to finish.  Returns the thread id, 0 on failure. */
DWORD InjectThread(PANTISFC_PROCESS process, PVOID function)
{
    HANDLE hThread;
    DWORD dwThreadId = 0, dwState;

    hThread = CreateRemoteThread(process->ProcessHandle,
                                 NULL,
                                 0,
                                 (LPTHREAD_START_ROUTINE)function,
                                 NULL,
                                 0,
                                 &dwThreadId);
    if (hThread == NULL) {
        ErrorMessageBox("CreateRemoteThread");
        return 0;
    }

    dwState = WaitForSingleObject(hThread, 4000);   /* wait 4 seconds */
    switch (dwState) {
    case WAIT_OBJECT_0:
        break;
    case WAIT_TIMEOUT:
    case WAIT_FAILED:
    default:
        ErrorMessageBox("WaitForSingleObject");
        dwThreadId = 0;
        break;
    }

    CloseHandle(hThread);
    return dwThreadId;
}

int main(int argc, char *argv[])
{
    ANTISFC_PROCESS process;
    HMODULE hSfc;
    DWORD dwThread;
    CLOSEEVENTS pfnCloseEvents;
    DWORD dwVersion;

    printf("Antisfc programmed by bgate. :)\n\n");

    if (argc != 2)
        usage(argv[0]);
    if (strcmp(argv[1], "/d") != 0)
        usage(argv[0]);

    if (Init()) {
        printf("Debug privilege set\n");
    } else {
        printf("Error on get debug privilege\n");
        return 0;
    }

    if (InitProcess(&process, "winlogon.exe", PROCESS_ALL_ACCESS) == 0) {
        printf("Error on get process info.\n");
        return 0;
    }

    /* GetVersion(): low byte of the low word is the major version,
       high byte of the low word is the minor version. */
    dwVersion = GetVersion();
    if (LOBYTE(LOWORD(dwVersion)) == 5) {            /* Windows 2000 / XP */
        if (HIBYTE(LOWORD(dwVersion)) == 0) {        /* 5.0: Windows 2000 */
            hSfc = LoadLibrary("sfc.dll");
            printf("Win2000\n");
        } else {                                     /* 5.1: Windows XP (5.2: 2003?) */
            hSfc = LoadLibrary("sfc_os.dll");
            printf("Windows XP\n");
        }
    } else {
        printf("Unsupported version\n");
        CloseHandle(process.ProcessHandle);
        return 0;
    }
    if (hSfc == NULL) {
        ErrorMessageBox("LoadLibrary");
        CloseHandle(process.ProcessHandle);
        return 0;
    }

    /* Ordinal 2 is the export that closes the file-protection events.  The
       address GetProcAddress returns in our process is only usable inside
       winlogon.exe because the system DLL is mapped at the same base in every
       process on Windows 2000/XP. */
    pfnCloseEvents = (CLOSEEVENTS)GetProcAddress(hSfc, MAKEINTRESOURCEA(2));
    if (pfnCloseEvents == NULL) {
        printf("Load the sfc function failed\n");
        FreeLibrary(hSfc);
        CloseHandle(process.ProcessHandle);
        return 0;
    }
    FreeLibrary(hSfc);

    dwThread = InjectThread(&process, (PVOID)pfnCloseEvents);
    if (dwThread == 0) {
        printf("failed\n");
    } else {
        printf("ok\n");
    }

    CloseHandle(process.ProcessHandle);
    return 0;
}

---------------- end cut ----------------
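The whole trick in antisfc.c rests on one line: GetProcAddress(hSfc, MAKEINTRESOURCE(2)) in our own process yields a pointer that is then handed to CreateRemoteThread in winlogon.exe. That only works because the pointer is ImageBase + RVA taken from the DLL's export table, and on Windows 2000/XP the system DLL is mapped at the same base in every process. The resolver below is an added example, not code from the original post: it walks a PE32 export directory by hand to show exactly what an ordinal lookup does and why the result is tied to the image base. It runs against a minimal DLL image constructed in the same block (the export names, RVAs and the 0x76920000 base are invented for the demonstration); on Windows you can pass it the bytes of a real sfc_os.dll instead.

```python
"""Resolve an export ordinal the way GetProcAddress(MAKEINTRESOURCE(n)) does.

Added example, not part of the original post.  Walks the PE32 export
directory: ordinal - Base indexes AddressOfFunctions, the RVA found there is
added to ImageBase, and an optional name is recovered from the name tables.
"""
import struct


def _section_table(data):
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    first = e_lfanew + 24 + opt_size
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    return e_lfanew, [struct.unpack_from("<IIII", data, first + 40 * i + 8)
                      for i in range(nsec)]


def _rva_to_offset(sections, rva):
    for vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def export_by_ordinal(data, ordinal):
    """Return {'rva', 'va', 'name'} for an export ordinal, or raise LookupError."""
    e_lfanew, sections = _section_table(data)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + 96)  # DataDirectory[0]
    if exp_rva == 0:
        raise LookupError("image has no export directory")
    exp = _rva_to_offset(sections, exp_rva)
    base, n_funcs, n_names, eat, names, ords = struct.unpack_from("<IIIIII", data, exp + 16)

    index = ordinal - base                       # ordinals are biased by Base
    if not 0 <= index < n_funcs:
        raise LookupError("ordinal %d outside [%d, %d)" % (ordinal, base, base + n_funcs))
    rva, = struct.unpack_from("<I", data, _rva_to_offset(sections, eat) + 4 * index)
    if rva == 0:
        raise LookupError("ordinal %d is an empty slot" % ordinal)
    if exp_rva <= rva < exp_rva + exp_size:      # points into the export dir: a forwarder string
        raise LookupError("ordinal %d is a forwarder, not code" % ordinal)

    name = None                                  # ordinal-only exports have no name entry
    for i in range(n_names):
        hint, = struct.unpack_from("<H", data, _rva_to_offset(sections, ords) + 2 * i)
        if hint == index:
            name_rva, = struct.unpack_from("<I", data, _rva_to_offset(sections, names) + 4 * i)
            off = _rva_to_offset(sections, name_rva)
            name = data[off:data.index(b"\0", off)].decode("ascii")
            break
    return {"rva": rva, "va": image_base + rva, "name": name}


def build_sample_dll(image_base=0x76920000):
    """Construct a minimal PE32 DLL with one .edata section and three exports:
    ordinal 1 'InitWatcher' and 3 'FileException' are named, ordinal 2 is
    ordinal-only.  Names, RVAs and base are invented for the demonstration."""
    sec = bytearray(0x200)
    # IMAGE_EXPORT_DIRECTORY: ..., Name, Base, NumberOfFunctions, NumberOfNames, AoF, AoN, AoNO
    sec[0:40] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x1040, 1, 3, 2, 0x1028, 0x1034, 0x103C)
    sec[0x28:0x34] = struct.pack("<III", 0x2000, 0x2010, 0x2020)   # function RVAs
    sec[0x34:0x3C] = struct.pack("<II", 0x1060, 0x1050)            # name RVAs, sorted
    sec[0x3C:0x40] = struct.pack("<HH", 2, 0)                      # unbiased indexes
    sec[0x40:0x49] = b"test.dll\0"
    sec[0x50:0x5C] = b"InitWatcher\0"
    sec[0x60:0x6E] = b"FileException\0"

    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x44:0x58] = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)    # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<III", opt, 92, 16, 0x1000, 0x80)             # NumberOfRvaAndSizes, export dir
    hdr[0x58:0x138] = opt
    hdr[0x138:0x160] = struct.pack("<8sIIIIIIHHI", b".edata", 0x80, 0x1000, 0x200, 0x200,
                                   0, 0, 0, 0, 0x40000040)
    return bytes(hdr + sec)


if __name__ == "__main__":
    dll = build_sample_dll()
    for n in (1, 2, 3):
        e = export_by_ordinal(dll, n)
        print("ordinal %d -> RVA 0x%04x VA 0x%08x %s" % (n, e["rva"], e["va"], e["name"] or "(no name)"))
```

The last assertion in the test is the point antisfc.c depends on: rebuild the same image at a different base and the VA for ordinal 2 moves with it, so the pointer resolved in one process is only meaningful in another if both hold the DLL at the same address.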

Run Antisfc before running ZAP to replace the system file; the two can also be combined into a single program. In theory it should work on any version of 2000 and XP, and maybe 2003, but I have only tested it on Win2K SP4 and WinXP SP1.

The drawback of this approach is that the replaced system file only takes effect after a reboot. That is all.

Please credit the original when reposting: https://www.9cbs.com/read-75470.html
