Denney Posted March 20, 2004

This is actually rather simple (thanks to big poppa pump).

All you need to do is follow my old steps and just replace the SFC_OS.DL_ file in SP2 RC1 with my hacked SFC_OS.DL_ file for SP1. That's it. From everything we've done, nothing seems to be awry.

The SFC_OS.DLL file from SP2 is 3kb smaller than the one from SP1 and Windows Setup accepted it gracefully. As usual, there's the error in the setuperr.log file about it not being signed (no biggy). So until we find a suitable hack for the SP2 SFC_OS.DLL file, this is a perfect replacement.

So to recap...

Use my hacked SFC_OS.DLL file from the unattended site (for SP1) and add the SFCSetting registry entry. Just overwrite the SP2 SFC_OS.DL_ file.

If anyone has the actual edits for the SP2 file or wants to help out finding a way, PM me and let's talk.

For anyone who hasn't got the hacked SFC_OS.DL_ file, I attached it below:

sfc_os.dl_

Spheris Posted March 20, 2004

Interesting, looks like it will have to be hardened a little more.

But I'm curious Rave, why disable the WFP subsystem in the first place?

Other than to allow malicious overwrites to system files or sub components, it doesn't seem to serve much of a purpose.

Or is it just one of those things to be able to do?

I'd like a technically good answer to it - if it's valid, it might just see a way into something that doesn't require any rewiring of the dlls at all. Not in XP per se, but as Longhorn comes along there might be an option added for use later down the line.

Alanoll Posted March 20, 2004

I personally just like to have a little control over my system.

I remember one time I deleted I think a screensaver and WFP popped up saying a critical system file has been modified. Now seriously, a screensaver?

I understand like actual critical files, but only the bare minimum ones. There are some that just don't have a point.

Then comes along the uxtheme.dll file, but then again Microsoft didn't want us writing our own themes anyway.

nuhi Posted March 20, 2004

LOL, is this true... I'll test it later, congrats (still can't believe it)

Alanoll Posted March 20, 2004

Why don't you just rehack the SP2 and edit the same stuff? Or is it not there?

big poppa pump Posted March 20, 2004

The sfc_os.dll in SP2 is not the same as the one in SP1. Right now I am comparing both the dll files to see the difference between them. Hopefully this should give us some clues to try and hack the sfc_os from SP2.

neophyte Posted March 21, 2004

> Interesting, looks like it will have to be hardened a little more.
>
> But I'm curious Rave, why disable the WFP subsystem in the first place?
>
> Other than to allow malicious overwrites to system files or sub components, it doesn't seem to serve much of a purpose.
>
> Or is it just one of those things to be able to do?
>
> I'd like a technically good answer to it - if it's valid, it might just see a way into something that doesn't require any rewiring of the dlls at all. Not in XP per se, but as Longhorn comes along there might be an option added for use later down the line.

Whilst I don't have a technically proficient answer, I do have an idea that perhaps could be implemented with either the next service pack, or perhaps in Longhorn.

Instead of simply protecting all files by default, why not have zones set up to protect certain files, something akin to how Internet Explorer uses zones to determine what a webpage is allowed to do on the client side (ie, run java, activex, etc).

For each level of security, you can apply pre-determined rulesets, or create your own.

There would be four levels, Low, Medium, High, Custom.

Within each level you can specify what sort of files you want protected (ie, system files such as the kernel, and other proprietary windows dll files), as well as how you want them protected (ie, alert and replace, replace quietly, do nothing).

Within the custom level, you would be able to select rules from all other levels, as well as create your own rulesets, such as, if file modified by [application], do [action] (similar to how Outlook creates its rules).

One would also be able to create an exceptions list, in which one specifies which files/folders you wish to exclude from SFP.

This setup could also be configured during unattended installations, or via group policy (for those that like AD).

I would prefer to have control over what SFP does, rather than have it take an all out approach to things (which in itself is good, but probably a wee bit too restrictive for my liking).

Anyway, just an idea.

Denney (Author) Posted March 21, 2004

The reason I disable WFP is because for the programs I use, Windows takes up WAY too much bloat.

I normally install Windows on my computer and then delete all the extra stuff I don't use (stuff protected by WFP for some reason). I normally manage to get my install down to ~650MB. Better than the over 800MB install (allows me to uninstall accessibility rather than disable it only to have it popup again if I hold down shift).

I also like to have FULL control over my computer systems. I figure, if you monitor what is installed, have AV software, have a decent firewall (one that detects changes to components) and are responsible in what you do/download you shouldn't have the problem of malicious system files.

I've had SFC turned off since I first bought Windows XP (in 1998 I think) and I've NEVER had a system file overwritten by a malicious one (because I'm cautious and responsible in what I do).

Phew, there's my rant/reason for turning WFP off. The other reason is because it's **** annoying.

evilvoice Posted March 21, 2004

Although I don't think XP came out until 2000... I get your drift

Denney (Author) Posted March 21, 2004

Yeah, 2000... don't know where I got '98 from :S

Denney (Author) Posted March 21, 2004

Heh. whatever... I bought it the day it came out, that's all I know.

prathapml Posted July 19, 2004

Actually, August 2001 was XP's launch month.

To be precise, XP went gold on October 25th 2001.