How Do I Replace A System File? Try .KDFILES

On the Windows File Protection problem you run into when replacing a system .sys file with one you built yourself
While the Windows DDK includes numerous buildable driver samples, including a number of "in the box" drivers, any attempt to copy a driver built from the DDK over the existing version of that driver will be thwarted by Windows File Protection (WFP, referred to here as "system file protection").

Windows keeps an extra copy of critical system files, including signed drivers, in the %systemroot%\system32\dllcache subdirectory. If you delete or modify any of the protected files, file protection copies the original version from the dllcache back to the file's location. If you delete or modify the copy in the dllcache, it restores that copy as well (from the original installation source).

Note that file protection is not a correctness check, only a signature check: you can copy notepad.exe over ntoskrnl.exe and file protection will not "fix" your system, because it merely verifies that the binary is signed. A signed binary is not necessarily the correct binary!

The Windows Debugger provides a mechanism for replacing files on a debuggee with the ".kdfiles" command. This is well documented in the debugger documentation, although the documentation doesn't exactly highlight the fact that the feature bypasses file protection in the process.

If you haven't discovered ".kdfiles" yet, read up on it -- you'll be very glad you did! This debugger command is one of the best features ever implemented. It lets the debugger automagically replace an executable image on the target system (the one you're debugging) with an executable image from your host system (the one you're running the debugger from). That means that with this command there's no longer any need to manually copy your newly built version of fred.sys (or whatever your driver is) to /windows/system32/drivers/ while you debug. The replacement happens when the target loads the image, so a driver that is already loaded has to be unloaded and reloaded (or the target rebooted, for a boot-start driver) before the new image is picked up.

Plus, as mentioned above, a bonus feature of .kdfiles is that it lets you replace a protected system file. This is very useful for replacing the shipped version of disk.sys with the checked version built from the sources in the DDK, for example, when you're trying to figure out what's going on in the storage stack.


The .KDFILES command in WinDbg can be used to get around file protection:

.kdfiles (Set Driver Replacement Map)

The .kdfiles command reads a file and uses its contents as the driver replacement map.

Syntax

.kdfiles MapFile 
.kdfiles -m OldDriver NewDriver
.kdfiles -s SaveFile 
.kdfiles -c 
.kdfiles 

Parameters

MapFile

Specifies the driver replacement map file to read.

-m

Adds a driver replacement association to the current association list.

OldDriver

Specifies the path and file name of the old driver on the target computer. The syntax of OldDriver is the same as the first line after map in a driver replacement map file. For details on this syntax, see Mapping Driver Files.

NewDriver

Specifies the path and file name of the new driver. This driver can be on the host computer or on another network path. The syntax of NewDriver is the same as the second line after map in a driver replacement map file. For details on this syntax, see Mapping Driver Files.

-s

Creates a file and writes the current driver replacement associations to it.

SaveFile

Specifies the name of the file to create.

-c

Clears the existing driver replacement map. (This option does not change the map file itself; it clears the debugger's current map settings.)

Environment

The .kdfiles command can be used with Microsoft Windows XP and later versions of Windows. If it is used with an earlier version of Windows, the command does not produce an error, but it has no effect.

Modes

Kernel mode only

Targets

Live debugging only

Platforms

x86 and Itanium processors only

Remarks

If .kdfiles is used without parameters, the debugger displays the path and name of the current driver replacement map file, together with the current set of replacement associations.

When this command is run, the specified MapFile is read. If the file cannot be found, or it does not contain text in the proper format, the debugger displays the status message "Unable to load file associations".

If the specified file is in the correct driver replacement map file format, the debugger loads it and uses it as the driver replacement map. The map stays in effect until the debugger exits or another .kdfiles command is run.

Changes made to the file after it has been read have no effect on the driver replacement map (unless .kdfiles is run again after the change).

Requirements

Version: Supported on Windows XP and later versions of Windows.

Additional Information

For examples of replacing drivers and other kernel modules, a description of the driver replacement map file format, and the limitations of this feature, see Mapping Driver Files.
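The following is an added example, not part of the OSR article or the debugger documentation, of what a replacement map looks like in practice, covering both the fred.sys and disk.sys cases from the article above. The file name C:\kd\drivers.ini, the build output paths and fred.sys are all hypothetical; the target-side paths are written the way the kernel reports the image path (\SystemRoot\system32\drivers\...). Each association in the map file is three lines: the word map, the image path as the target sees it, and the replacement file as the host sees it.

```text
=== C:\kd\drivers.ini, on the host (hypothetical paths) ===
map
\SystemRoot\system32\drivers\disk.sys
C:\ddk\build\chk\disk.sys
map
\SystemRoot\system32\drivers\fred.sys
C:\build\fred.sys

=== kernel debugger session, target already connected ===
kd> .kdfiles C:\kd\drivers.ini
kd> .kdfiles
kd> .kdfiles -m \SystemRoot\system32\drivers\fred.sys C:\build\fred-debug.sys
kd> .kdfiles -s C:\kd\drivers-saved.ini
kd> .reboot
...
kd> lm vm disk
kd> .kdfiles -c
```

The second .kdfiles with no arguments is the check that the file parsed: it should list both associations, and an "Unable to load file associations" message means the file was not found or is not in the three-line format. The -m line shows that an association added on the command line overrides the map file entry for the same target path, and -s writes the combined set out so it can be reloaded later. disk.sys is a boot-start driver, so the map has to be in place before the target boots; the map survives the .reboot because it lives in the debugger session, not on the target. Once the target is back up, lm vm disk shows the loaded image's timestamp and image path, which you can compare against the checked build on the host to confirm the replacement actually took effect rather than the protected copy being loaded. For a non-boot driver such as fred.sys, stopping and restarting the service on the target is enough to trigger the reload.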


Original article: http://www.osronline.com/article.cfm?article=238
