http://eyuanhermit.blog.hexun.com/29625080_d.html
.方法1 兼容的方法
这是个非常兼容的方法我通过逆向一些微软的工具得到的。这个方法被那些工具所使用,用于修改被保护的文件。
下面将讲述它是如何工作的:
它使用了一个从sfc.dll中导出的未公开的函数SfcTerminateWatcherThread,序号是2。
正如函数名表达的意思一样:-)它可以终止监视线程比如那些处理目录变化通知的线程。
所以我们将在winlogon上下文里调用这个函数从而关闭掉SFP。我写过一篇文章是关于
感染winlogon的,回忆一下:
首先你需要提升权限,使SeDebugPrivilege函数可用。administrator用户或者一个有
SeDebugPrivilege权限的用户可以做到这一点。剩下的就是在远程线程里调用函数,
读取代码。
这个方法在Win2k,WinXP可用,我打赌他在W2k3上也可用,但是现在还不行所以没有测试。
如果你测试过了请告诉我。
BTW 你可能会问,sfc.dll不处理SFP的时候它怎么可能还起作用?
好吧,其实从sfc.dll导出的2号函数被重定向到了sfc_os.dll:-)
#include <windows.h>
#include <assert.h>
#include <stdio.h>
#pragma check_stack (off)
DWORD thread_func (FARPROC sfc_terminate)
{
sfc_terminate();
return 0;
}
void after_thread_func(void)
{
}
#pragma check_stack
int adjust_privileges(void)//提升权限
{
HANDLE token_handle;
int ret=0;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token_handle))
{
LUID luid;
if(LookupPrivilegeValue(NULL, "SeDebugPrivilege", &luid))
{
TOKEN_PRIVILEGES tk_priv;
tk_priv.PrivilegeCount=1;
tk_priv.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tk_priv.Privileges[0].Luid=luid;
if(AdjustTokenPrivileges(token_handle,
FALSE,
&tk_priv,
0,
NULL,
NULL)) ret=1;
}
CloseHandle(token_handle);
}
return ret;
}
void main(int argc, char **argv)
{
HANDLE remote_thread;
if(argc!=2)
{
printf("Usage: sfc_disable <winlogon_pid>/n");
exit(0);
}
DWORD wpid=atoi(argv[1]);
assert(wpid);
HMODULE sfc=LoadLibrary("sfc.dll");
assert(sfc);
FARPROC sfc_terminate=GetProcAddress(sfc, (char *) 2);
assert(sfc_terminate);
assert(adjust_privileges());
HANDLE process=OpenProcess(PROCESS_ALL_ACCESS, FALSE, wpid);
if(!process)
{
printf("Error while opening process/n");
exit(0);
}
LPVOID remote_mem=VirtualAllocEx(process,
NULL,
(SIZE_T) ((char *)after_thread_func-(char *)thread_func),
MEM_COMMIT,
PAGE_READWRITE);
if(!remote_mem)
{
printf("Error while commiting memory in the remote process/n");
goto clean_up;
}
if(!WriteProcessMemory(process,
remote_mem,
(char *) thread_func,
(SIZE_T) ((char *)after_thread_func-(char *)thread_func),
(SIZE_T *) 0))
{
printf("Error %d while writing to the remote process/n", GetLastError());
goto clean_up;
}
remote_thread=CreateRemoteThread(process,
NULL,
0,
(LPTHREAD_START_ROUTINE) remote_mem,
// (LPTHREAD_START_ROUTINE) sfc_terminate
(LPVOID) sfc_terminate,
0,
NULL);
if(!remote_thread)
{
printf("Error while creating remote thread in the process/n");
goto clean_up;
}
if(WaitForSingleObject(remote_thread, 10*1000)==WAIT_TIMEOUT)
printf("Timeout occured while waiting for the remote thread/n");
CloseHandle(remote_thread);
clean_up:
if(remote_mem) VirtualFreeEx(process, remote_mem, 0, MEM_RELEASE);
CloseHandle(process);
}
.方法2 更好的方法
这个方法是我现在知道的最好的方法。它只能在XP下用(w2k3可能也行??)
而且它没准是微软的某种后门:-),关键在哪?
当我寻找WINXP在实现SFP上的变化时,首先我发现SFP现在已经不再sfc.dll里了
更多的是在sfc_os.dll里所以我打开IDA开始浏览代码。没花多少时间我找到了。
XP的SFP实现里有一个简洁的方法可以基于文件禁用SFP一分钟。不相信我?测试
一下吧:-)
[cpp]//---- beginning of sfp_exc.c ----
#include <windows.h>
#include <assert.h>
#include <stdio.h>
typedef DWORD (* SFPEXC)(DWORD, wchar_t *, DWORD);
void wmain(int argc, wchar_t **argv)
{
HMODULE sfc_os;
SFPEXC sfp_exc;
assert(argc==2);
assert(sfc_os=LoadLibrary("sfc_os.dll"));
assert(sfp_exc=(SFPEXC) GetProcAddress(sfc_os, (char *) 5));
assert(!sfp_exc(0, argv[1], -1));
wprintf(L"File %s should now be unprotected for 1 minute", argv[1]);
}
//---- end of sfp_exc.c ----[/cpp]
用这种方法必须使用administrator用户,因为代码会检查。它使用了一个
未公开的5号导出函数SfcFileException,如其名。它首先检查文件是不是被保护
如果是,它分配一个标志给文件。现在当监视线程因替换、修改、删除原因被调用
来保护文件时,它首先检查这个文件是否应该被排除。如果有标志的话就检查是否到达
一分钟的间隔时间。如果没有标志那就什么也不干,只是继续执行:-)
.最后
希望我这篇文章里的两个小程序可以帮助我们比以前更愉快的干掉SFP。
刚才去Google上搜了一下,居然还有如此简单的办法!sfc_os.dll导出的第五号函数!
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);
void Disable_WFP()
{
HINSTANCE hmod=LoadLibrary("sfc_os.dll");
CPP SetSfcFileException;
// the function is stored at the fifth ordinal in sfc_os.dll
SetSfcFileException= (CPP)GetProcAddress(hmod,(LPCSTR)5);
SetSfcFileException(0, L"c://windows//system32//calc.exe",-1);
//Now we can modify the system file in a complete stealth.
}
http://www.bitsum.com/aboutwfp.asp
Hacking Windows File Protection Windows File Protection (WFP) is a mechanism that protects system files from being modified or deleted. Introduced in Windows 2000, Windows File Protection was a leap forward in operating system stability since it protected the core modules from being corrupted or updated except by service packs or hotfixes sent from Microsoft. A big problem prior to Windows 2000 was 'DLL Hell'. Applications would often update system modules with their own versions, regardless if other applications already installed were depending on a different version of that same module. Although Microsoft recommended that application programmers place modules into the program's folder instead of the system folder, few programmers did. WFP solved DLL Hell, along with many other issues. In order to protect the integrity of the system, Microsoft did not document a way to disable WFP. If they had, programmers would surely begin to circumvent it and have their application installers overwrite system modules with their own versions. Booting to Safe Mode was the only way Microsoft provided for replacing a protected file. In theory, this was a good idea. However, programmers and power users sometimes desire the power to replace or delete protected modules without the cumbersome process of booting to safe mode and back. Enter the hacks. In Windows 2000, a hidden registry value to fully disable WFP existed. Unfortunately, this didn't last long after I discovered and posted it to NTBugTraq. Microsoft soon tweaked their code so that the hidden registry value was neutralized (curiously, it wasn't completely removed from the code). I then created patches to re-enable this undocumented value. Appendix A describes the history of the discovery of the undocumented registry value and creation of the patches to re-enable it. Since that time, many other techniques to disable or circumvent Windows File Protection have been discovered.
Hack Method 1 : Disable WFP for specific folders until the computer is next rebooted via manual handle manipulation The first technique to disable WFP is to close the directory change notification handles by enumerating the handles that winlogon has opened, determining which ones correspond to the folder(s) we wish to deprotect by querying and comparing the handle names, then closing those handles via ntdll.NtDuplicateHandle (or kernel32.DuplicateHandle). This method is used by WfpAdmin. Hack Method 2 : Disable WFP completely until the computer is next rebooted via undocumented SFC API The second technique is to terminate the SFC Watcher Thread that continually waits for and responds to the directory change notification events to be signalled. Doing this manually isn't very practical since it is diffucult to be sure the right thread has been located. Fortunately, the SFC_OS.DLL exposes a nice unnamed export at ordinal 2: SfcTerminateWatcherThread .. This API accepts no parameters and does exactly as its name implies. However, there is one caveat to using this function: It must be invoked in the process that created the SFC Watcher Thread: winlogon. To accomplish this, virtual memory needs to be allocated in the winlogon process space and a thread procedure that invokes SfcTerminateWatcherThread copied into that memory. The thread procedure should then be invoked using kernel32.CreateRemoteThread and WFP will be disabled until the winlogon process restarts (computer is rebooted). Ordinal 2: The return value is 0 if success, or 1 if an error occurred . Hack Method 3 : Disable WFP on a specific file for 1 minute via undocumented SFC API The SFC_OS.DLL module exports another very useful undocumented, unnamed API at oridinal 5: SfcFileException . This handy API will register a temporary SFC exception for specific file, allowing the file to be updated. The period the exception is in place is currently one minute.
The return value is 0 if success, or 1 if an error occurred (usually that the file is not protected by WFP). Prior to Windows 2000 SP1 there was an undocumented registry value that would fully disable WFP. This is the famous 0xffffff9d value I discovered while reverse engineering SFC.DLL in Windows2000. Unfortunately, soon after its discovery Microsoft disabled it. Fortunately, the core code to disable WFP was left in SFC.DLL (later moved to SFC_OS.DLL). Therefore, a simple patch to SFC.DLL or SFC_OS.DLL will re-enable this value. I've created patches for 2K and XP and have generalized the patching procedure so the patch may be applied to all current and (hopefully) future versions of the SFC module without having to worry about a specific patch address. General patch procedure: Copy the target file to a temporary one. Search for the bytes '83 F8 9D 75 07 8B C6'. You must correct the checksum of the image by using our PEChkSum utility. It can be obtained here . Now set the temporary file to replace the original at boot-time by using our MoveLatr utility. It can be obtained here . Set the SFCDisable value described below and then reboot the computer to complete the process. Undocumented SFCDisable value: Key: HKEY_LOCAL_MACHINE/Software/Policies/Microsoft/Windows NT/Windows File Protection Hack Method 5 : Disable WFP permanently for specific files via patching the protected file list More simple than patching executable code is simply patching the list of files contained in SFCFILES.DLL. First, copy SFCFILES.DLL to a temporary file. Using a hex editor (i.e. UltraEdit), search for files to disable protection on inside the temporary file. Once found, replacing the first character of the file name with 0 (that is: value 0 NOT ascii '0' character). After completing the modifications, correct the checksum using our PEChkSum utility and set the temporary file to replace the original at boot-time using our MoveLatr utility. Reboot the computer to finish the process. -Jeremy Collake Like this article? Please feed me by donating to jeremy@bitsum.com via paypal ;). The End | ||||||||||||||||||
Appendix A : Original publication of undocumented registry setting to fully disable WFP
W2k undocumented registry setting fully disables Windows File ProtectionFrom: Jeremy Collake (collake@CHARTER.NET )
| ||||||||||||||||||
Appendix B: Original publication of binary patches to SFC.DLL or SFC_OS.DLL
Binary Patches: If you would like to re-enable the undocumented value to disable Windows File Protection, you may apply the appropriate patch and then replace the DLL in the 2k/XP recovery console (boot to CD). Be sure to set the checksum in the PE header by using Bitsum Technology's SetCSUM utility after patching. How to find the patch offset yourself for current and hopefully future version of SFC.DLL or SFC_OS.DLL: file: SFC.DLL Windows 2000 SP4:
file: SFC_OS.DLL WindowsXP SP1: file: SFC_OS.DLL |