The story goes back to my university days. In the assembly language course, the teacher taught us to use the Debug command, and many classmates (myself included) played pranks with it, changing common commands like copy and dir into destructive ones like format and delete. That way, running dir would actually execute format or delete, and one careless slip would wreck the operating system. At the time I wondered why these files weren't protected, heh, but I couldn't figure it out, so I let it go and forgot about it in the years since graduation.
Recently, while reading some Windows 2003 Server material, I came across the term Windows File Protection. What is it for? Judging by the name, it protects the Windows file system. That makes sense: Windows is a huge operating system with a great many files, all defined by Microsoft. If we replaced every one of those files while keeping the file names the same, what would happen to the operating system? Obviously it could no longer work.
So how does Microsoft protect system files? I looked up some material, all fairly superficial, but the principle is as follows; how exactly it is implemented, I don't know. In a word: Microsoft uses digital signatures.
- Windows File Protection
It is a component that runs in the background and prevents replacement of system files. To verify a file, Windows File Protection checks its digital signature. If the file is not of the correct version, Windows File Protection replaces it with a copy from the Windows Server 2003 CD or the backup maintained in the DllCache folder on the hard disk. If the correct file cannot be found, Windows File Protection will prompt the user for the file location.
- System File Checker
It is a part of the Windows File Protection component. It is a command-line utility that scans and verifies all system files and device drivers. The command is sfc.
- File Signature Verification
It is also a command-line utility, and the command is sigverif.
You can use the File Signature Verification tool to identify the signed and unsigned files on your computer. You can use this tool to view the name, location, date of modification, type, and version number of each file.
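A PowerShell version of the report the File Signature Verification tool produces, added here as an example (it is not part of the original post or of the Windows tools): it walks a folder, checks each binary's Authenticode signature with the standard Get-AuthenticodeSignature cmdlet, and lists name, location, modification date, version and signature status. The default folder and the extensions scanned are assumptions; adjust them as needed.

```powershell
# Added example: list signed and unsigned files the way sigverif does, in PowerShell.
# Assumptions: the folder and file extensions below are defaults chosen for this example.
function Get-SignatureReport {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        [string[]]$Extensions = @('*.exe', '*.dll', '*.sys')
    )

    # Enumerate candidate binaries; access-denied errors on protected files are skipped.
    Get-ChildItem -Path $Path -Include $Extensions -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name     = $_.Name
                Location = $_.DirectoryName
                Modified = $_.LastWriteTime
                Version  = $_.VersionInfo.FileVersion
                Status   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$report = Get-SignatureReport

# Summary: how many files fall into each signature status.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: anything not 'Valid' deserves a look. NotSigned means no signature at all,
# HashMismatch means the file content no longer matches what was signed (the case WFP
# is meant to catch), NotTrusted means the signer's certificate does not chain to a trusted root.
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, Location, Modified, Version, Status -AutoSize
```

On newer Windows versions many system files are signed through security catalogs rather than an embedded signature, so an older PowerShell may report NotSigned for files that sigverif shows as signed; compare the two before treating a result as tampering.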
If you're interested, try the two cmd commands above, sfc and sigverif. Heh, it's fun!