jaclaz Posted November 18, 2014 (edited)

> *except i use(d) german version(s) created by myself

Be aware that on a German system, there is the risk that it may do something, at least Nada 0.9 (which shares most of the same code) has mixed reports when used on German systems, you may want to use the new 0.5 version: http://www.bernardbelanger.com/computing/NaDa/index.php

jaclaz

Edited November 18, 2014 by jaclaz
Xtremetic Posted November 22, 2014 (edited)

Thanks to jaclaz and mukke for lending their expertise to this thread. The batch file provided by mukke looks interesting. I assume that you have to change into the HFSLIP directory before starting the batch file, although I cannot understand how HFSLIP itself contributes anything to the modification of sfcfiles.dll. I wonder what change is being made to the code for "%systemroot%\system32\drivers\tcpip.sys" inside sfcfiles.dll by mukke's batch file. Does it 00 out the first letter of the filename part of the path in sfcfiles.dll, or does it put a \ (plus a 00 to terminate the string) at the start of the entry as ElTorqiro recommends?

I suppose for a n00b like me the best option would be to use an application on a live system that lets the user choose from a list which file he wants excluded from WFP monitoring. I don't suppose such an application exists.

Another approach, apart from disabling the entry for tcpip.sys in sfcfiles.dll, would be to modify the relevant security catalogue in the {F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder. For someone like me this looks like a formidable task as there are dozens of these .CAT files and I have no idea how I would identify the relevant cat file for tcpip.sys. As far as I can see the .CAT files contain SHA1 hashes for each protected file, so I assume that these SHA1 values would need to be modified.

Of course there is always the possibility that a Windows security update could overwrite my hacked version of tcpip.sys. I did once see instructions for how to prevent the infamous KB971033 from being installed using the Group Policy Editor, so this could be one possibility for protecting my hacked tcpip.sys.

Edited November 22, 2014 by Xtremetic
jaclaz Posted November 22, 2014

> Even if I could succeed in disabling the entry for tcpip.sys in sfcfiles.dll there is always the possibility that a Windows security update could overwrite my hacked version of tcpip.sys. The ideal solution would be to modify the relevant security catalogue in the {F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder.

It is also possible (though not very likely) that the CIA or other three-or-more-letters Government Agency, aliens or little green men enter overnight your system and replace your TCPIP.SYS with a weapon of mass file transfer.

I mean, and with all due respect, I understand the need for making a detailed plan in advance and whenever possible foresee possible future issues, but maybe you are a little overdoing it.

Just replace the TCPIP.SYS, set a (say) weekly scheduled task to check (say) its MD5, and alert you if it has been changed so that you can reset it to your version.

The small batch file by mukke essentially revolves around a single gsar command.

Gsar usage:

gsar, ver 1.21 -- Copyright © 1992-2008 Tormod Tjaberg & Hans Peter Verne
Usage: gsar [options] [infile(s)] [outfile]
Options are:
-s<string> Search string
-r[string] Replace string. Use '-r' to delete the search string from the file
-i Ignore case difference when comparing strings
-B just display search & replace Buffers
-f Force overwrite of an existing output file
-o Overwrite the existing input file
-c[n] show textual Context of match, 'n' is number of bytes in context
-x[n] show context as a heX dump, 'n' is number of bytes in context
-b display Byte offsets of matches in file
-l only List filespec and number of matches (default)
-h suppress display of filespec when displaying context or offsets
-du convert a DOS ASCII file to UNIX (strips carriage return)
-ud convert a UNIX ASCII file to DOS (adds carriage return)
-F 'Filter' mode, input from stdin and eventual output to stdout
-G display the GNU General Public Licence
Ctrl characters may be entered by using a ':' in the string followed by the
ASCII value of the character. The value is entered using ':' followed by three
decimal digits or ':x' followed by two hex numbers. To enter ':' use '::'

Get gsar, and extract gsar.exe in a directory, say C:\testgsar\.

This is the command in the batch in a "better" formatted way (one single command line, broken here after each option):

gsar -o HFPOST\SFCFILES.DLL
-s:X25:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00
-r:X5C:X00:X00:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00

The notation used is :X followed by a hex code for each byte; since the strings are UNICODE, the above "translates" to:

gsar open file HFPOST\SFCFILES.DLL and in it search for:
%systemroot%\system32\drivers\tcpip.sys
and replace with:
\ ystemroot%\system32\drivers\tcpip.sys

Only the first two bytes of the full path are changed (the second you said, or what ElTorqiro recommends).

jaclaz
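What mukke's gsar command does, byte for byte, is easier to see when the :X notation is decoded programmatically. The following is an added example (not code from the thread, from mukke's batch file, or from gsar itself): it decodes the two arguments, reports which byte offsets differ and that the replacement keeps the length, and then applies the same replacement to a constructed table of NUL-terminated UTF-16LE strings rather than to a real sfcfiles.dll.

```python
"""Decode the gsar ':Xhh' byte notation and show what the sfcfiles.dll command
quoted in the thread does to the UTF-16LE path string.

Added example; it is not code from the thread, from mukke's batch file or from
gsar itself. The 'string table' it patches is constructed here, not a real
sfcfiles.dll, so it only demonstrates the byte-level effect of the command."""
import re

# The -s and -r arguments exactly as they appear in the thread's gsar command.
SEARCH_SPEC = (
    ":X25:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00"
    ":X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00"
    ":X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00"
    ":X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00"
    ":X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00"
)
REPLACE_SPEC = (
    ":X5C:X00:X00:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00"
    ":X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00"
    ":X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00"
    ":X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00"
    ":X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00"
)

# gsar escapes (from its usage text): '::' is a literal ':', ':xHH' a hex byte,
# ':DDD' a decimal byte; anything else is a literal character.
_TOKEN = re.compile(r"::|:[xX]([0-9A-Fa-f]{2})|:([0-9]{3})|(.)", re.DOTALL)


def gsar_decode(spec: str) -> bytes:
    """Turn a gsar -s/-r argument into the raw bytes gsar looks for or writes."""
    out = bytearray()
    for m in _TOKEN.finditer(spec):
        if m.group(0) == "::":
            out.append(ord(":"))
        elif m.group(1) is not None:
            out.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            value = int(m.group(2))
            if value > 255:
                raise ValueError(f"decimal escape out of range: :{m.group(2)}")
            out.append(value)
        else:
            out += m.group(3).encode("latin-1")
    return bytes(out)


def describe(search_spec: str = SEARCH_SPEC, replace_spec: str = REPLACE_SPEC) -> dict:
    """Decode both arguments as UTF-16LE and list which byte offsets differ."""
    s, r = gsar_decode(search_spec), gsar_decode(replace_spec)
    return {
        "search_text": s.decode("utf-16-le"),
        "replace_text": r.decode("utf-16-le"),  # '\', a NUL, then 'ystemroot%...'
        "same_length": len(s) == len(r),
        "changed_offsets": [i for i, (a, b) in enumerate(zip(s, r)) if a != b],
    }


def patch_buffer(blob: bytes, search: bytes, replace: bytes) -> tuple[bytes, int]:
    """Same-length replacement of every exact match, as 'gsar -o' rewrites the
    file. A length-changing replacement would shift every byte after the match
    and corrupt a PE file, so it is refused here."""
    if len(search) != len(replace):
        raise ValueError("binary patch must not change the length of the data")
    return blob.replace(search, replace), blob.count(search)


def build_fake_table() -> tuple[bytes, list[int]]:
    """Constructed stand-in for a block of NUL-terminated UTF-16LE path strings;
    returns the bytes and the offset at which each entry starts."""
    paths = [r"%systemroot%\system32\drivers\tcpip.sys",
             r"%systemroot%\system32\drivers\afd.sys"]  # constructed sample data
    blob, offsets = b"", []
    for p in paths:
        offsets.append(len(blob))
        blob += p.encode("utf-16-le") + b"\x00\x00"
    return blob, offsets


def read_entry(blob: bytes, offset: int) -> str:
    """Read one UTF-16LE string starting at offset, stopping at the first NUL
    character, the way a consumer of such a table would."""
    end = offset
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[offset:end].decode("utf-16-le")


def demo() -> dict:
    """Apply the thread's replacement to the constructed table and report what
    each entry reads as afterwards."""
    blob, offsets = build_fake_table()
    patched, hits = patch_buffer(blob, gsar_decode(SEARCH_SPEC), gsar_decode(REPLACE_SPEC))
    return {"matches": hits, "entries_after": [read_entry(patched, o) for o in offsets]}


if __name__ == "__main__":
    print(describe())
    print(demo())
```

Running it shows that only offsets 0 and 2 change (the '%' becomes '\' and the 's' becomes a NUL), the length is unchanged, and the first entry of the constructed table afterwards reads as just "\": the rest of the original path is still present in the bytes, it simply sits past the terminator and is no longer reachable from the entry's start, which is the effect jaclaz describes.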
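jaclaz's suggestion of a scheduled task that hashes TCPIP.SYS and alerts when it changes is simple to script. The following is an added example, not code from the thread: it records a baseline of SHA-256 hashes (SHA-256 rather than the MD5 jaclaz mentions; either would catch an update silently overwriting the file) for a list of paths in a JSON file and reports which files have changed or gone missing. Its demo runs on constructed temporary files; the real driver paths are whatever the caller passes to record_baseline().

```python
"""Baseline-and-verify file integrity check of the kind jaclaz suggests running
from a weekly Scheduled Task.

Added example, not code from the thread. It uses SHA-256 rather than MD5, stores
the baseline in a JSON file, and its demo works on constructed temporary files;
for real use, pass the driver paths you care about to record_baseline()."""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(paths: list[str], baseline_path: str) -> dict:
    """Hash every path now and write the result as the trusted baseline."""
    baseline = {p: {"sha256": hash_file(p), "size": os.path.getsize(p)} for p in paths}
    with open(baseline_path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2)
    return baseline


def check_baseline(baseline_path: str) -> dict[str, str]:
    """Compare each recorded file with its baseline; returns ok/changed/missing."""
    with open(baseline_path, encoding="utf-8") as f:
        baseline = json.load(f)
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif hash_file(path) != expected["sha256"]:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report


def demo() -> list[str]:
    """Run the check on constructed stand-in files: first unchanged, then after
    one file is modified and another removed."""
    with tempfile.TemporaryDirectory() as d:
        driver = os.path.join(d, "tcpip.sys")  # constructed stand-in, not the real driver
        other = os.path.join(d, "afd.sys")
        for p in (driver, other):
            with open(p, "wb") as f:
                f.write(b"constructed driver image for " + os.path.basename(p).encode())
        baseline = os.path.join(d, "baseline.json")
        record_baseline([driver, other], baseline)
        before = check_baseline(baseline)
        with open(driver, "ab") as f:  # simulate an update overwriting the file
            f.write(b"\x90")
        os.remove(other)
        after = check_baseline(baseline)
        return [before[driver], before[other], after[driver], after[other]]


if __name__ == "__main__":
    # usage: script.py record baseline.json FILE...   |   script.py check baseline.json
    if len(sys.argv) > 3 and sys.argv[1] == "record":
        record_baseline(sys.argv[3:], sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        report = check_baseline(sys.argv[2])
        for path, status in report.items():
            print(f"{status:8} {path}")
        sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
    else:
        print(demo())
```

The "check" mode exits with status 1 when anything differs, so a weekly Scheduled Task running it shows the failure in its history; the baseline file itself should live somewhere the same update could not overwrite, and it must be re-recorded deliberately after you reset the driver to your own version.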