
Integrating patched system files without WFP Problems

Tags: patches, WFP

17 replies to this topic

#1
Xtremetic
  • Member
  • 6 posts
  • Joined 09-October 14
  • OS:XP Home

I have a patched version of tcpip.sys which enables 100 concurrent connection ports and I want to put it in my REPLACE\i386 folder.  There could be a problem with this patched version of tcpip.sys in the installed XP being replaced when I run System File Checker.  I assume that the file size would no longer tally with the information in a security catalog. I wonder if there are addons for patched system files that would somehow make XP perceive them as legitimate and not be rejected by WFP.  For instance, there is an addon offered at the RyanVM forum to allow the integration of patched dlls into XP to enable software Raid-5.  I wonder if this would work with HFSLIP, the RyanVM Integrator and nLite, and would it resolve WFP problems.  You can obtain it here:

 

http://www.ryanvm.ne...topic.php?t=713

 

Name of file: Rikgale_XPRAID5_addon_v1.cab


Edited by Xtremetic, 19 October 2014 - 03:25 AM.




#2
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

Well, you can disable WFP.

 

Or am I missing something? :unsure:

 

jaclaz



#3
Xtremetic
  • Member
  • 6 posts
  • Joined 09-October 14
  • OS:XP Home

I intend to have WFP running as normal with my Windows installation made with a slipstreamed installation CD.  This seems like a good policy given my level of expertise.  If the installation includes patched system files they may be overwritten when I run System File Checker.  Unfortunately the Windows 2000/XP/2003 version of SFC does not ask the user if he wants to replace an incorrect system file in the way that the Win98SE version of SFC did.


Edited by Xtremetic, 19 October 2014 - 02:26 PM.


#4
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

Possibly you can selectively disable SFC only for tcpip.sys :unsure: using a modified SFCFILES.DLL:

http://www.vorck.com...dows/2ksp5.html

http://www.vorck.com...dows/xpsp4.html

 

jaclaz


Edited by jaclaz, 24 October 2014 - 01:18 PM.


#5
Xtremetic
  • Member
  • 6 posts
  • Joined 09-October 14
  • OS:XP Home

I looked at the article by Fred Vorck at http://www.vorck.com...dows/xpsp4.html and in the section called 'Random Notes' he recommends using ModifyPE to fix the headers of modified dlls so that they show an updated checksum, and WFP will not identify them as corrupt.  As far as I can make out ModifyPE is intended to prevent the "File was not copied correctly" error during Windows setup using an installation CD with hacked system files that are slipstreamed into it.  It may not address the issue of the hacked system files being detected as corrupt by WFP.

 

Another approach advocated by ElTorqiro here http://www.msfn.org/...mode=linearplus is to hack sfcfiles.dll so as to disable the entry for the system file you want excluded from protection.  Unfortunately, there does not seem to be an app that can do this for you so you have to use HexEdit to get the job done.  Then you can insert the modified sfcfiles.dll into the REPLACE/i386 folder.


Edited by Xtremetic, Today, 08:11 AM.


#6
mukke

    Newbie

  • Member
  • 43 posts
  • Joined 25-January 08

I looked at the article by Fred Vorck at http://www.vorck.com...dows/xpsp4.html and in the section called 'Random Notes' [...]

 

I suppose you read that section again more carefully! Then read it again. And maybe once more. You are mixing up a few things!

 

Btw: fdv's new version of SFCFILES.DLL that is "empty," is just that other approach advocated by ElTorqiro (with all system files excluded)   ;)


Edited by mukke, 10 November 2014 - 05:50 PM.


#7
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

The generic idea is that the "main" parts of WFP/SFC are two files:
  • SFC.DLL
  • SFCFILES.DLL
The first one is the "engine" that compares the actual files with the "list of protected ones" which is the second file.
 
Traditionally one or the other can be "hacked" to completely disable WFP/SFC, i.e.:
  • IF SFC.DLL modification is used, it is a "hack" to make it do "nothing"
  • IF SFCFILES.DLL modification is used, it is a "hack" that simply is an "empty" file, i.e. it makes a completely empty list of protected files
The latter method allows however (as explained in the thread by ElTorqiro you referenced) for selectively removing one or more files from the list of protected files.
 
You do not really-really need to use a hex editor (though it would be convenient for a single filename removal from the list), you can use gsar (or any other suitable binary search/replace tool):
http://home.online.no/~tjaberg/
 
Inside SFCFILES.DLL you will find:
 
25 00 73 00 79 00 73 00 74 00 65 00 6D 00 72 00 
6F 00 6F 00 74 00 25 00 5C 00 73 00 79 00 73 00 
74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 
69 00 76 00 65 00 72 00 73 00 5C 00 74 00 63 00 
70 00 69 00 70 00 2E 00 73 00 79 00 73 00 00 00 
 
i.e. Unicode for "%systemroot%\system32\drivers\tcpip.sys"

jaclaz

Edited by jaclaz, 11 November 2014 - 02:15 PM.


#8
mukke

    Newbie

  • Member
  • 43 posts
  • Joined 25-January 08

Unfortunately, there does not seem to be an app that can do this for you so you have to use HexEdit to get the job done.  Then you can then insert the modified sfcfiles.dll into the REPLACE/i386 folder.

Then do it yourself or even better let HFSLIP make it for you! Here's a quick'n dirty (and untested!) example to get you started using gsar:

@ECHO OFF
REM HFSLIP post-processing step: expand the compressed SFCFILES.DL_ from the
REM slipstreamed source, patch one list entry in place, then re-compress it.
MD HFPOST 2>NUL
EXPAND -R SOURCESS\I386\SFCFILES.DL_ HFPOST >NUL
::tcpip.sys
REM gsar -o overwrites the input file. The -s string is the UTF-16LE entry
REM systemroot\system32\drivers\tcpip.sys (each :Xhh is one byte); the -r
REM string has the same length, with the first two characters replaced by
REM "\" and NUL, so the entry decodes as just "\" and names no real file.
%PREP%HFTOOLS\gsar -o HFPOST\SFCFILES.DLL -s:X25:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00 -r:X5C:X00:X00:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00
REM Re-compress into the source tree; with no destination name MAKECAB writes SFCFILES.DL_.
MAKECAB /D CompressionMemory=%COMPMEM% /D CompressionType=LZX HFPOST\SFCFILES.DLL /L SOURCESS\I386 >NUL
EXIT/B 0

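The same operation as the gsar one-liner above, written out in Python as an added example (this is not mukke's script, not ModifyPE, and not anything posted in the thread): it locates the entry as a complete NUL-terminated UTF-16LE string, refuses to touch a missing or ambiguous match, overwrites the first two characters (four bytes, not two) with "\" and NUL exactly as the -r string does, and then recomputes the PE CheckSum header field, the step ModifyPE otherwise performs, so the patched DLL does not carry a stale checksum. The image it patches is a constructed PE-shaped blob with three made-up entries (the ntoskrnl.exe and hal.dll paths are sample data, not read from a real SFCFILES.DLL). On a real file, read the expanded SFCFILES.DLL into `data`, call exclude_entry and stamp_checksum, write the result back and re-compress it as the batch does.

```python
r"""Neutralise one entry of the WFP protected-file list in SFCFILES.DLL.

Added example, not code from the thread. The list is stored as NUL-terminated
UTF-16LE paths. Writing '\' + NUL over the first two characters of an entry
leaves a string that decodes as just "\", which names no real file; nothing
shifts, so every other offset in the DLL is unchanged. The PE CheckSum field
is then recomputed (the job ModifyPE does). The image built below is a
constructed, non-loadable PE-shaped blob, not a real SFCFILES.DLL.
"""
import struct

ENTRY = r"%systemroot%\system32\drivers\tcpip.sys"

# Byte dump quoted in the thread for that entry, terminator included.
POSTED_DUMP = bytes.fromhex(
    "25 00 73 00 79 00 73 00 74 00 65 00 6D 00 72 00"
    "6F 00 6F 00 74 00 25 00 5C 00 73 00 79 00 73 00"
    "74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00"
    "69 00 76 00 65 00 72 00 73 00 5C 00 74 00 63 00"
    "70 00 69 00 70 00 2E 00 73 00 79 00 73 00 00 00"
)

# Constructed sample list; only the tcpip.sys path comes from the thread.
SAMPLE_ENTRIES = [r"%systemroot%\system32\ntoskrnl.exe", ENTRY, r"%systemroot%\system32\hal.dll"]


def wide(s):
    """UTF-16LE encoding, the form the list uses."""
    return s.encode("utf-16-le")


def has_entry(data, path):
    return data.find(wide(path) + b"\x00\x00") >= 0


def find_entry(data, path):
    """Offset of the whole NUL-terminated entry; refuse if absent or ambiguous."""
    needle = wide(path) + b"\x00\x00"        # terminator pins the match to a complete entry
    off = data.find(needle)
    if off < 0:
        raise ValueError("%r is not in the list" % path)
    if data.find(needle, off + 1) >= 0:
        raise ValueError("%r occurs more than once" % path)
    return off


def read_entry(data, off):
    """Decode the UTF-16LE string at `off` up to its terminator."""
    end = off
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le")


def exclude_entry(data, path):
    r"""Copy of `data` with `path` overwritten by '\' + NUL (the bytes of the gsar -r string)."""
    off = find_entry(data, path)
    out = bytearray(data)
    out[off:off + 4] = b"\\\x00\x00\x00"     # '%' -> '\', 's' -> NUL; length unchanged
    return bytes(out)


def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64            # signature + COFF header + field offset


def pe_checksum(data):
    """CheckSum as computed by imagehlp's CheckSumMappedFile."""
    skip = checksum_offset(data) // 4
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:                        # the field itself is left out
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def stamp_checksum(data):
    """Copy of `data` with the CheckSum field set correctly."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)


def build_sample_dll(entries):
    """MZ stub, e_lfanew, PE signature, zeroed headers, then the string list."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"".join(wide(p) + b"\x00\x00" for p in entries)


def demo():
    """Patch the constructed sample and report the entry before and after."""
    dll = stamp_checksum(build_sample_dll(SAMPLE_ENTRIES))
    off = find_entry(dll, ENTRY)
    patched = stamp_checksum(exclude_entry(dll, ENTRY))
    return {"before": read_entry(dll, off), "after": read_entry(patched, off),
            "still_listed": has_entry(patched, ENTRY),
            "checksum_ok": stored_checksum(patched) == pe_checksum(patched)}


if __name__ == "__main__":
    print(demo())
```

The byte dump jaclaz posted for the tcpip.sys entry is kept as POSTED_DUMP, and the encoding of ENTRY reproduces it byte for byte, which is the quickest sanity check that the search string is right before running this against a real file.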



#9
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

@mukke The link you posted to the "new" SFCFILES.DLL is dead, if you have a copy of it, post it, please. jaclaz

#10
tommyp

    MSFN Addict

  • Developer
  • 1,681 posts
  • Joined 09-January 04
  • OS:none specified

Hey, that's pretty slick.  (but didn't test it)



#11
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,015 posts
  • Joined 07-April 07
  • OS:98SE

@mukke The link you posted to the "new" SFCFILES.DLL is dead, if you have a copy of it, post it, please. jaclaz

 

The requested file is below. I've also added a modified version (as a .7z), to which a version resource was added, and which has been correctly checksummed, instead of having the checksum set to zero.




#12
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

 

The requested file is below.

Yes/No. :w00t:

 

There is a completely empty SFCFILES.DLL (which is STILL available here on FdV's site: http://www.vorck.com...s/software.html http://www.vorck.com...ta/sfcfiles.zip )

 

mukke made reference to a (supposedly newer) SFCFILES.DLL version, that is seemingly missing.

The link on this page:

http://www.vorck.com...dows/xpsp4.html

 

does point to:

http://www.vorck.com/data/sfcfiles.zip

which is 404

 

What I suspect is that there is simply a "wrong" link above (typo by FdV or "moved file") and that only a single version of SFCFILES.DLL exists, that the "new version" that mukke used is still that same file and that it is still the same good ol' one completely empty derived from Damian's initial implementation. :unsure:

 

 

Guess WHO at the time (ten years ago! :w00t: :ph34r:) provided "critical insights" pointing FdV at Damian Bakowsky work?  :whistle:

https://web.archive....dows/about.html

http://www.911cd.net...showtopic=18556

 

;)

 

jaclaz


Edited by jaclaz, 13 November 2014 - 09:25 AM.


#13
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,015 posts
  • Joined 07-April 07
  • OS:98SE

The requested file is below.

Yes/No. :w00t:

Since there can be no underflow in our physical world, no file can be made more empty than already empty...

But since a new file might be of interest, I thought it might be relevant to post the modded file with version ("5515") resource and correct checksum, which is also offered by MDGx.
 

Guess WHO at the time (ten years ago! :w00t: :ph34r:) provided "critical insights" pointing FdV at Damian Bakowsky work?  :whistle:


Of course it was you! Who else could it have been? :yes:

#14
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

Since there can be no underflow in our physical world, no file can be made more empty than already empty... dubbio.gif

Now you tell me :w00t: ...



 

But since a new file might be of interest, I thought it might be relevant to post the modded file with version ("5515") resource and correct checksum, which is also offered by MDGx.

Sure :thumbup

jaclaz



#15
mukke

    Newbie

  • Member
  • 43 posts
  • Joined 25-January 08

There is a completely empty SFCFILES.DLL (which is STILL available here on FdV's site: http://www.vorck.com...s/software.html http://www.vorck.com...ta/sfcfiles.zip ) [...]

What I suspect is that there is simply a "wrong" link above (typo by FdV or "moved file") and that only a single version of SFCFILES.DLL exists, that the "new version" that mukke used is still that same file and that it is still the same good ol' one completely empty derived from Damian's initial implementation. :unsure: [...]

jaclaz

 

Just to clarify: jaclaz is perfectly right on what he is suspecting* - at least the copy of 'sfcfiles.zip' on my hdd was last modified 2008.10.23 and is binary identical to the one still available - so my vote is for 'moved file'.

 

*except I use(d) German version(s) created by myself :P

and will never forget the moment my son recognized his picture on the cards when he played solitaire back then..

..and enjoyed the fact Windows was not prompting to replace the critical system file named 'cards.dll' :lol:

 

 

But since a new file might be of interest, I thought it might be relevant to post the modded file with version ("5515") resource and correct checksum, which is also offered by MDGx.
 

indeed - and most likely the preferable one



#16
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

*except i use(d) german version(s) created by myself :P

Be aware that on a German system, there is the risk that it may do something, at least Nada 0.9 (which shares most of the same code) has mixed reports when used on German systems ;), you may want to use the new 0.5 version:
http://www.bernardbe.../NaDa/index.php

 

jaclaz


Edited by jaclaz, 18 November 2014 - 05:16 AM.


#17
Xtremetic
  • Member
  • 6 posts
  • Joined 09-October 14
  • OS:XP Home

Thanks to jaclaz and mukke for lending their expertise to this thread.  The batch file provided by mukke looks interesting.  I assume that you have to change into the HFSLIP directory before starting the batch file, although I cannot understand how HFSLIP itself contributes anything to the modification of sfcfiles.dll.  I wonder what change is being made to the code for "%systemroot%\system32\drivers\tcpip.sys" inside sfcfiles.dll by mukke's batch file.  Does it 00 out the first letter of the filename part of the path in sfcfiles.dll, or does it put a \ (plus a 00 to terminate the string) at the start of the entry as ElTorqiro recommends?

 

I suppose for a n00b like me the best option would be to use an application on a live system that lets the user choose from a list which file he wants excluded from WFP monitoring.  I don't suppose such an application exists.

 

Another approach, apart from disabling the entry for tcpip.sys in sfcfiles.dll, would be to modify the relevant security catalogue in the {F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder.  For someone like me this looks like a formidable task as there are dozens of these .CAT files and I have no idea how I would identify the relevant cat file for tcpip.sys.  As far as I can see the .CAT files contain SHA1 hashes for each protected file, so I assume that these SHA1 values would need to be modified. 

 

Of course there is always the possibility that a Windows security update could overwrite my hacked version of tcpip.sys.  I did once see instructions for how to prevent the infamous KB971033 from being installed using the Group Policy Editor, so this could be one possibility for protecting my hacked tcpip.sys.


Edited by Xtremetic, Today, 09:00 AM.


#18
jaclaz

    The Finder

  • Developer
  • 14,654 posts
  • Joined 23-July 04
  • OS:none specified

Even if I could succeed in disabling the entry for tcpip.sys in sfcfiles.dll there is always the possibility that a Windows security update could over write my hacked version of tcpip.sys.  The ideal solution would be to modify the relevant security catalogue in the {F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder. 

It is also possible (though not very likely) that the CIA or other three-or-more-letters Government Agency :ph34r:, aliens or little green men enter overnight your system and replace your TCPIP.SYS with a weapon of mass file transfer :w00t:

 

I mean, and with all due respect :), I understand the need for making a detailed plan in advance :yes: and whenever possible foresee possible future issues :thumbup, but maybe you are a little overdoing it. 

 

Just replace the TCPIP.SYS, set a (say) weekly scheduled task to check (say) its MD5, and alert you if it has been changed so that you can reset it to your version.

 

The small batch file by mukke essentially revolves around a single gsar command.

 

Gsar usage:

 

gsar, ver 1.21 -- Copyright © 1992-2008 Tormod Tjaberg & Hans Peter Verne

Usage: gsar [options] [infile(s)] [outfile]
Options are:
-s<string> Search string
-r[string] Replace string. Use '-r' to delete the search string from the file
-i Ignore case difference when comparing strings
-B just display search & replace Buffers
-f Force overwrite of an existing output file
-o Overwrite the existing input file
-c[n] show textual Context of match, 'n' is number of bytes in context
-x[n] show context as a heX dump, 'n' is number of bytes in context
-b display Byte offsets of matches in file
-l only List filespec and number of matches (default)
-h suppress display of filespec when displaying context or offsets
-du convert a DOS ASCII file to UNIX (strips carriage return)
-ud convert a UNIX ASCII file to DOS (adds carriage return)
-F 'Filter' mode, input from stdin and eventual output to stdout
-G display the GNU General Public Licence

Ctrl characters may be entered by using a ':' in the string followed by the
ASCII value of the character. The value is entered using ':' followed by three
decimal digits or ':x' followed by two hex numbers. To enter ':' use '::'

 

Get gsar, and extract gsar.exe in a directory, say C:\testgsar\.

 

 

This is the command in the batch in a "better" formatted way:

gsar

-o HFPOST\SFCFILES.DLL

-s

:X25:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00

:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00

:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00

:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00

:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00

-r

:X5C:X00:X00:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00

:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00

:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00

:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00

:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00

 

 

The notation used is :X followed by a hex code for each byte, since the strings are UNICODE the above "translates" to:

gsar 

open file HFPOST\SFCFILES.DLL and in it 

search for:

%systemroot%\system32\drivers\tcpip.sys

 

and replace with:

\ ystemroot%\system32\drivers\tcpip.sys

 

 

Only the first two bytes of the full path are changed (the second you said or what ElTorqiro recommends :yes:)

 

jaclaz
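The weekly scheduled check suggested in the post above, as an added example (not something from the thread): record the digest of the patched file once, then compare on every later run and report "changed" or "missing" so the patched copy can be put back. SHA-256 is used here; MD5, as in the post, would serve equally for spotting an update putting the stock file back, which is the case the post has in mind. The demo runs entirely inside a temporary directory with constructed file contents; on the live system the baseline is written once against %systemroot%\system32\drivers\tcpip.sys and the script is registered as a weekly task with schtasks /create /sc weekly (task name and script path are yours to choose).

```python
"""Baseline-and-compare check for a hand-replaced system file.

Added example, not code from the thread. Record a digest of the patched
driver once; on every later run compare and report what changed or vanished
so the patched copy can be restored. The demo uses a temporary directory and
constructed file contents rather than a live %systemroot%.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional


def file_digest(path: Path, algo: str = "sha256") -> Optional[str]:
    """Hex digest of a file, or None when it does not exist."""
    h = hashlib.new(algo)
    try:
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except FileNotFoundError:
        return None
    return h.hexdigest()


def write_baseline(paths: Iterable[Path], baseline: Path, algo: str = "sha256") -> Dict[str, str]:
    """Record current digests; refuse to baseline a file that is not there."""
    record = {}
    for p in paths:
        d = file_digest(p, algo)
        if d is None:
            raise FileNotFoundError(str(p))
        record[str(p)] = d
    baseline.write_text(json.dumps({"algo": algo, "files": record}, indent=2))
    return record


def check_baseline(baseline: Path) -> Dict[str, str]:
    """Return {path: 'ok' | 'changed' | 'missing'} against the recorded baseline."""
    saved = json.loads(baseline.read_text())
    result = {}
    for name, expected in saved["files"].items():
        actual = file_digest(Path(name), saved["algo"])
        if actual is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if actual == expected else "changed"
    return result


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: clean run, then the file is overwritten, then removed."""
    def by_name(r):
        return {Path(k).name: v for k, v in r.items()}

    with tempfile.TemporaryDirectory() as tmp:
        driver = Path(tmp) / "tcpip.sys"                  # stand-in for the patched driver
        baseline = Path(tmp) / "wfp-baseline.json"
        driver.write_bytes(b"patched tcpip.sys bytes")    # constructed content
        write_baseline([driver], baseline)
        clean = check_baseline(baseline)
        driver.write_bytes(b"stock tcpip.sys bytes")      # an update putting the stock file back
        overwritten = check_baseline(baseline)
        driver.unlink()
        deleted = check_baseline(baseline)
    return {"clean": by_name(clean), "overwritten": by_name(overwritten), "deleted": by_name(deleted)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything other than "ok" is the cue to copy the patched driver back into place and, if the baseline was taken from a file you have since changed on purpose, to re-run write_baseline.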





