Let's first look at how WFP works. The files involved are sfc_os.dll (on Windows 2000 the code lives in sfc.dll; on XP sfc.dll simply forwards to sfc_os.dll) and winlogon.exe.
The winlogon process calls functions exported by the SFC DLL to protect files. The DLL watches each protected directory from user mode with FindFirstChangeNotification and then waits for a change with WaitForSingleObject. You can confirm this by looking at winlogon's open handles: there is one handle per protected directory. Here is what Process Explorer shows:
Event  \BaseNamedObjects\WFP_IDLE_TRIGGER
File   D:\Windows\system32\dllcache
File   D:\Windows\system32
......
So we can stop WFP from watching a system directory simply by closing that handle with FindCloseChangeNotification or CloseHandle (the two are in fact the same thing).
The procedure is as follows:
1. Run the program as an administrator and enable SeDebugPrivilege in the process token.
2. Find the process ID of winlogon.exe.
3. Open the winlogon process with PROCESS_DUP_HANDLE access (we will duplicate handles out of it later).
4. Use NtQuerySystemInformation (SystemHandleInformation) to enumerate every handle open in winlogon.
5. Query each handle's object name with NtQueryObject (it needs a handle in our own process, so duplicate the handle into our process first). If the name is a directory we want to stop protecting, call DuplicateHandle again with the DUPLICATE_CLOSE_SOURCE flag, which closes winlogon's copy, and then CloseHandle our duplicate.
Detailed code reference: http://bbs.driverdevelop.com/htm_data/101/0705/101763.html
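The five steps above as one complete program, an added example in C that is not from the original post or the linked thread. It assumes the two watched directories seen in the Process Explorer listing, the XP-era layout of the undocumented SYSTEM_HANDLE_INFORMATION structures, and an ANSI (non-UNICODE) build; the helper names (is_wfp_watched_dir, close_wfp_watch_handles, and so on) are mine. One point the step list glosses over: NtQueryObject hands back NT object paths such as \Device\HarddiskVolume1\WINDOWS\system32, not the D:\Windows\... form Process Explorer displays, so the matching helper compares the tail of the path rather than a DOS path.

```c
/* Added example, not code from the original post: steps 1-5 above in C. Assumed: the watched
 * directories are the two seen in Process Explorer, the undocumented handle-table layout is
 * the XP-era one, ANSI build. The Win32 part is Windows-only; the path matcher is portable C. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

static int ends_with_ci(const wchar_t *s, const wchar_t *suffix)   /* case-insensitive tail match */
{
    size_t ls = wcslen(s), lx = wcslen(suffix);
    if (lx > ls) return 0;
    for (s += ls - lx; *suffix; ++s, ++suffix)
        if (towlower((wint_t)*s) != towlower((wint_t)*suffix)) return 0;
    return 1;
}

/* NtQueryObject returns NT paths ("\Device\HarddiskVolume1\WINDOWS\system32"), not the DOS path
 * Process Explorer shows, so match on the tail. Returns 1 for a directory WFP watches, else 0. */
int is_wfp_watched_dir(const wchar_t *nt_name)
{
    static const wchar_t *const watched[] = { L"\\system32", L"\\system32\\dllcache", NULL };
    for (size_t i = 0; watched[i]; ++i)
        if (ends_with_ci(nt_name, watched[i])) return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#define SYS_HANDLE_INFORMATION 16                    /* SystemHandleInformation class */
#define OBJ_NAME_INFORMATION    1                    /* ObjectNameInformation class */
#define NT_LENGTH_MISMATCH ((LONG)0xC0000004L)       /* STATUS_INFO_LENGTH_MISMATCH */
typedef struct { USHORT UniqueProcessId, CreatorBackTraceIndex; UCHAR ObjectTypeIndex, HandleAttributes;
                 USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } WFP_HANDLE_ENTRY;
typedef struct { ULONG Count; WFP_HANDLE_ENTRY Handles[1]; } WFP_HANDLE_INFO;
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
typedef LONG (WINAPI *NtQO_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
static BOOL enable_debug_privilege(void)     /* step 1: without it OpenProcess on winlogon fails */
{
    HANDLE tok; TOKEN_PRIVILEGES tp = { 1 }; BOOL ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) return FALSE;
    LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL) && GetLastError() == ERROR_SUCCESS;
    CloseHandle(tok);
    return ok;
}
static DWORD find_pid(const char *exe)       /* step 2: PID of winlogon.exe via a Toolhelp snapshot */
{
    PROCESSENTRY32 pe = { sizeof pe }; DWORD pid = 0; BOOL more;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    for (more = Process32First(snap, &pe); more; more = Process32Next(snap, &pe))
        if (_stricmp(pe.szExeFile, exe) == 0) { pid = pe.th32ProcessID; break; }
    CloseHandle(snap);
    return pid;
}
/* Steps 3-5. Returns how many WFP directory handles were closed in winlogon, -1 on error. */
int close_wfp_watch_handles(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQSI_t pNtQSI = (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    NtQO_t  pNtQO  = (NtQO_t)GetProcAddress(ntdll, "NtQueryObject");
    DWORD pid = find_pid("winlogon.exe");
    WFP_HANDLE_INFO *info = NULL; ULONG size = 0x10000, need = 0, i; LONG st; HANDLE proc; int closed = 0;
    if (!pNtQSI || !pNtQO || !pid || !enable_debug_privilege()) return -1;
    if (!(proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid))) return -1;   /* step 3 */
    do {                                /* step 4: the table is system-wide, grow the buffer until it fits */
        free(info);
        if (!(info = (WFP_HANDLE_INFO *)malloc(size))) { CloseHandle(proc); return -1; }
        st = pNtQSI(SYS_HANDLE_INFORMATION, info, size, &need); size *= 2;
    } while (st == NT_LENGTH_MISMATCH);
    for (i = 0; st >= 0 && i < info->Count; ++i) {
        const WFP_HANDLE_ENTRY *e = &info->Handles[i];
        HANDLE src = (HANDLE)(ULONG_PTR)e->HandleValue, dup;
        union { UNICODE_STRING us; BYTE raw[1024]; } nb;       /* OBJECT_NAME_INFORMATION */
        WCHAR name[512]; ULONG len = 0, n; LONG qs;
        if ((DWORD)e->UniqueProcessId != pid) continue;
        /* Step 5a: NtQueryObject needs a handle in our own process, so duplicate first. Caveat: it can
         * hang on some handles (e.g. a pipe with a pending synchronous read); real tools use a worker thread. */
        if (!DuplicateHandle(proc, src, GetCurrentProcess(), &dup, 0, FALSE, DUPLICATE_SAME_ACCESS)) continue;
        qs = pNtQO(dup, OBJ_NAME_INFORMATION, &nb, sizeof nb, &len); CloseHandle(dup);
        if (qs < 0 || !nb.us.Buffer || nb.us.Length == 0) continue;
        n = nb.us.Length / sizeof(WCHAR); if (n > 511) n = 511;
        memcpy(name, nb.us.Buffer, n * sizeof(WCHAR)); name[n] = 0;
        if (!is_wfp_watched_dir(name)) continue;
        /* Step 5b: DUPLICATE_CLOSE_SOURCE closes winlogon's handle; closing our copy drops the last reference. */
        if (DuplicateHandle(proc, src, GetCurrentProcess(), &dup, 0, FALSE, DUPLICATE_CLOSE_SOURCE)) {
            CloseHandle(dup); ++closed;
        }
    }
    free(info); CloseHandle(proc); return closed;
}
int main(void) { printf("closed %d WFP directory handle(s) in winlogon.exe\n", close_wfp_watch_handles()); return 0; }
#endif /* _WIN32 */
```

Build on Windows with cl wfp_close.c advapi32.lib (or gcc wfp_close.c -ladvapi32 under MinGW) and run it from an administrator account; it prints how many handles it closed. Like the procedure in the post, it closes every winlogon handle whose object name ends in one of the watched directories, so check the Process Explorer listing on your own machine and extend the suffix list if WFP is watching more directories there.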
The SfcFileException function exported by sfc_os.dll can also be used to disable Windows File Protection for a single file. Normally it allows the protected file named by its parameter to be modified or replaced within the next 60 seconds; testing showed no such time limit on XP. Function prototype:
DWORD WINAPI SfcFileException(DWORD dwParam1, PWCHAR pwszFile, DWORD dwParam3);
Param1: always 0
Param2: full path of the file we want to modify, as a wide string
Param3: always -1
Code example:
#include <windows.h>

typedef DWORD (__stdcall *SfcFileException_t)(DWORD param1, PWCHAR param2, DWORD param3);

void disable_wfp(void)
{
    HINSTANCE hmod = LoadLibraryA("sfc_os.dll");
    if (!hmod) return;
    // sfc_os.dll does not export the function by name, only by ordinal (5)
    SfcFileException_t SfcFileException = (SfcFileException_t)GetProcAddress(hmod, (LPCSTR)5);
    if (!SfcFileException) { FreeLibrary(hmod); return; }
    // param1 is always 0, param3 always -1; the path must be a wide string
    SfcFileException(0, L"C:\\windows\\system32\\calc.exe", (DWORD)-1);
    // Now we can modify the system file without WFP noticing or restoring it.
}