Integrating patched system files without WFP Problems


Xtremetic

I have a patched version of tcpip.sys which enables 100 concurrent connection ports and I want to put it in my REPLACE\i386 folder.  There could be a problem with this patched version of tcpip.sys in the installed XP being replaced when I run System File Checker.  I assume that the file size would no longer tally with the information in a security catalog.  I wonder if there are addons for patched system files that would somehow make XP perceive them as legitimate and not be rejected by WFP.  For instance, there is an addon offered at the RyanVM forum to allow the integration of patched dlls into XP to enable software Raid-5.  I wonder if this would work with HFSLIP, the RyanVM Integrator and nLite, and whether it would resolve WFP problems.  You can obtain it here:

 

http://www.ryanvm.net/forum/viewtopic.php?t=713

 

Name of file: Rikgale_XPRAID5_addon_v1.cab

Edited by Xtremetic


I intend to have WFP running as normal with my Windows installation made with a slipstreamed installation CD.  This seems like a good policy given my level of expertise.  If the installation includes patched system files they may be overwritten when I run System File Checker.  Unfortunately the Windows 2000/XP/2003 version of SFC does not ask the user if he wants to replace an incorrect system file in the way that the Win98SE version of SFC did.

Edited by Xtremetic

I looked at the article by Fred Vorck at http://www.vorck.com/windows/xpsp4.html and in the section called 'Random Notes' he recommends using ModifyPE to fix the headers of modified dlls so that they show an updated checksum, and WFP will not identify them as corrupt.  As far as I can make out ModifyPE is intended to prevent the "File was not copied correctly" error during Windows setup using an installation CD with hacked system files that are slipstreamed into it.  It may not address the issue of the hacked system files being detected as corrupt by WFP.

 

Another approach advocated by ElTorqiro here http://www.msfn.org/board/topic/98306-wfp-app-for-removing-individual-files-from-monitoring/?mode=linearplus is to hack sfcfiles.dll so as to disable the entry for the system file you want excluded from protection.  Unfortunately, there does not seem to be an app that can do this for you so you have to use HexEdit to get the job done.  Then you can insert the modified sfcfiles.dll into the REPLACE/i386 folder.

Edited by Xtremetic

  • 2 weeks later...
I looked at the article by Fred Vorck at http://www.vorck.com/windows/xpsp4.html and in the section called 'Random Notes' [...]

 

I suppose you read that section again more carefully! Then read it again. And maybe once more. You are mixing up a few things!

 

Btw: fdv's new version of SFCFILES.DLL that is "empty," is just that other approach advocated by ElTorqiro (with all system files excluded)   ;)

Edited by mukke

The generic idea is that the "main" parts of WFP/SFC are two files:

  • SFC.DLL
  • SFCFILES.DLL
The first one is the "engine" that compares the actual files with the "list of protected ones" which is the second file.

 

Traditionally one or the other can be "hacked" to completely disable WFP/SFC, i.e.:

  • IF SFC.DLL modification is used, it is a "hack" to make it do "nothing"
  • IF SFCFILES.DLL modification is used, it is a "hack" that simply is an "empty" file, i.e. it makes a completely empty list of protected files
The latter method, however, allows (as explained in the thread by ElTorqiro you referenced) for selectively removing one or more files from the list of protected files.

 

You do not really-really need to use a hex editor (though it would be convenient for a single filename removal from the list), you can use gsar (or any other suitable binary search/replace tool):

http://home.online.no/~tjaberg/

 

Inside SFCFILES.DLL you will find:

 

25 00 73 00 79 00 73 00 74 00 65 00 6D 00 72 00 6F 00 6F 00 74 00 25 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 69 00 76 00 65 00 72 00 73 00 5C 00 74 00 63 00 70 00 69 00 70 00 2E 00 73 00 79 00 73 00 00 00 
 

i.e. Unicode for "%systemroot%\system32\drivers\tcpip.sys"

jaclaz

Edited by jaclaz

Unfortunately, there does not seem to be an app that can do this for you so you have to use HexEdit to get the job done.  Then you can insert the modified sfcfiles.dll into the REPLACE/i386 folder.

Then do it yourself or even better let HFSLIP make it for you! Here's a quick'n dirty (and untested!) example to get you started using gsar:

@ECHO OFF
MD HFPOST 2>NUL
EXPAND -R SOURCESS\I386\SFCFILES.DL_ HFPOST >NUL
::tcpip.sys
%PREP%HFTOOLS\gsar -o HFPOST\SFCFILES.DLL -s:X25:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00 -r:X5C:X00:X00:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X72:X00:X6F:X00:X6F:X00:X74:X00:X25:X00:X5C:X00:X73:X00:X79:X00:X73:X00:X74:X00:X65:X00:X6D:X00:X33:X00:X32:X00:X5C:X00:X64:X00:X72:X00:X69:X00:X76:X00:X65:X00:X72:X00:X73:X00:X5C:X00:X74:X00:X63:X00:X70:X00:X69:X00:X70:X00:X2E:X00:X73:X00:X79:X00:X73:X00
MAKECAB /D CompressionMemory=%COMPMEM% /D CompressionType=LZX HFPOST\SFCFILES.DLL /L SOURCESS\I386 >NUL
EXIT /B 0

HFSLIP_POST_SFCFILES.CMD

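The two posts above describe the protected-file list inside SFCFILES.DLL (NUL-terminated UTF-16LE paths, as in the hex dump) and a same-length overwrite that blanks one entry. What an administrator auditing a build would want is the reverse: a check that reads an SFCFILES.DLL-style binary and reports which expected entries are still there. The following is an added example (my own, not code from jaclaz, from HFSLIP or from gsar); the function names and the sample bytes are constructed for illustration. It classifies each expected path as intact, blanked in place (the footprint of the gsar command: a lone "\" followed by the orphaned tail of the path) or missing entirely.

```python
"""Audit the protected-file list carried by an SFCFILES.DLL-style binary.

Added example, not code from the thread or from any of its posters. It
assumes only what jaclaz's post states: the list is stored as NUL-terminated
UTF-16LE paths of the form %systemroot%\\..., and the gsar trick overwrites
the first two characters of one entry in place, leaving the tail behind.
"""
import re
import sys
from typing import Dict, List

# A run of printable-ASCII UTF-16LE code units followed by the 00 00 terminator.
_UTF16_STRING = re.compile(rb"((?:[\x20-\x7e]\x00)+)\x00\x00")


def utf16z(path: str) -> bytes:
    """Encode a path the way the thread's hex dump shows it (UTF-16LE + 00 00)."""
    return path.encode("utf-16-le") + b"\x00\x00"


def extract_entries(blob: bytes) -> List[str]:
    """Return every NUL-terminated printable UTF-16LE string, in file order."""
    return [m.group(1).decode("utf-16-le") for m in _UTF16_STRING.finditer(blob)]


def audit(blob: bytes, expected: List[str]) -> Dict[str, str]:
    """Classify each expected protected path as 'intact', 'blanked' or 'missing'.

    'blanked' means the %systemroot% head is gone but most of the path's tail is
    still present as a separate string, which is exactly what an in-place
    overwrite of the first code units (the gsar -r pattern above) leaves behind.
    """
    found = extract_entries(blob)
    report = {}
    for path in expected:
        if path in found:
            report[path] = "intact"
        elif any(s != path and path.endswith(s) and len(s) > len(path) // 2 for s in found):
            report[path] = "blanked"
        else:
            report[path] = "missing"
    return report


def constructed_sample() -> bytes:
    """A constructed stand-in for SFCFILES.DLL contents (not a real DLL)."""
    intact = utf16z(r"%systemroot%\system32\sfc.dll")
    tcpip = utf16z(r"%systemroot%\system32\drivers\tcpip.sys")
    # Same-length overwrite of the first two code units ("%s" -> "\" + NUL),
    # mirroring the byte pattern in the thread's gsar -r argument.
    blanked = b"\x5c\x00\x00\x00" + tcpip[4:]
    return b"\x00" * 8 + intact + b"\xff\xfe" + blanked + b"\x00" * 8


if __name__ == "__main__":
    # Pass a real sfcfiles.dll as the first argument; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for path, state in audit(data, [
        r"%systemroot%\system32\drivers\tcpip.sys",
        r"%systemroot%\system32\sfc.dll",
        r"%systemroot%\system32\cards.dll",
    ]).items():
        print(f"{state:8} {path}")
```

The expected list is deliberately short here; against a real file you would feed it the full set of paths you expect a stock SFCFILES.DLL of that build to carry, and any "blanked" or "missing" result tells you the list has been edited.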

@mukke The link you posted to the "new" SFCFILES.DLL is dead, if you have a copy of it, post it, please. jaclaz

 

The requested file is below. I've also added a modified version (as a .7z), to which a version resource was added, and which has been correctly checksummed, instead of having the checksum set to zero.

sfcfiles.zip

SFCFILES_with_version_info.7z

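Both the ModifyPE remark earlier in the thread and mukke's "correctly checksummed, instead of having the checksum set to zero" refer to the PE header CheckSum field. The following added example (my own; not code from the thread, from ModifyPE or from any Microsoft tool) computes that checksum with the standard PE/COFF algorithm so you can verify whether a DLL's stored value is zero, correct, or stale, and fill it in if needed. The 256-byte header skeleton it runs on is constructed for illustration.

```python
"""Check or recompute the PE header checksum of an image such as SFCFILES.DLL.

Added example, not code from the thread. Algorithm: sum the file as 16-bit
little-endian words with end-around carry, skipping the 4-byte CheckSum field
itself, fold to 16 bits, then add the file length.
"""
import struct
import sys
from typing import Tuple


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    Layout: e_lfanew (at 0x3C) -> 'PE\\0\\0' (4) + IMAGE_FILE_HEADER (20) + 64
    bytes into the optional header; identical for PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Compute the image checksum the loader and imagehlp expect."""
    cs_off = checksum_field_offset(data)
    padded = data + b"\x00" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if off == cs_off or off == cs_off + 2:   # skip the CheckSum field itself
            continue
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    """The value currently written in the header (0 means 'never set')."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify(data: bytes) -> Tuple[int, int, bool]:
    """Return (stored, computed, matches)."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def with_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field filled in (what ModifyPE-style tools do)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def constructed_stub() -> bytes:
    """A 256-byte constructed MZ/PE header skeleton, just enough to exercise the code."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    # Pass a real DLL path as the first argument; otherwise use the stub.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_stub()
    stored, computed, ok = verify(data)
    print(f"stored=0x{stored:08X} computed=0x{computed:08X} {'OK' if ok else 'MISMATCH'}")
```

Because the field is excluded from the sum, writing the computed value in and recomputing gives the same result, which is the property that makes the "correctly checksummed" variant stable across the check.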

 

The requested file is below.

Yes/No. :w00t:

 

There is a completely empty SFCFILES.DLL (which is STILL available here on FdV's site: http://www.vorck.com/windows/software.html http://www.vorck.com/windows/data/sfcfiles.zip )

 

mukke made reference to a (supposedly newer) SFCFILES.DLL version, that is seemingly missing.

The link on this page:

http://www.vorck.com/windows/xpsp4.html

 

does point to:

http://www.vorck.com/data/sfcfiles.zip

which is 404

 

What I suspect is that there is simply a "wrong" link above (typo by FdV or "moved file") and that only a single version of SFCFILES.DLL exists, that the "new version" that mukke used is still that same file and that it is still the same good ol' one, completely empty, derived from Damian's initial implementation. :unsure:

 

 

Guess WHO at the time (ten years ago! :w00t::ph34r:) provided "critical insights" pointing FdV at Damian Bakowsky work?  :whistle:

https://web.archive.org/web/20080120145002/http://www.vorck.com/windows/about.html

http://www.911cd.net/forums//index.php?showtopic=18556

 

;)

 

jaclaz

Edited by jaclaz

The requested file is below.

Yes/No. :w00t:

Since there can be no underflow in our physical world, no file can be made more empty than already empty... dubbio.gif

But since a new file might be of interest, I thought it might be relevant to post the modded file with version ("5515") resource and correct checksum, which is also offered by MDGx.

 

Guess WHO at the time (ten years ago! :w00t::ph34r:) provided "critical insights" pointing FdV at Damian Bakowsky work?  :whistle:

Of course it was you! Who else could it have been? :yes:


Since there can be no underflow in our physical world, no file can be made more empty than already empty... dubbio.gif

Now you tell me :w00t: ...

demotivational-poster-18673.jpg

;)

 

But since a new file might be of interest, I thought it might be relevant to post the modded file with version ("5515") resource and correct checksum, which is also offered by MDGx.

Sure :thumbup

jaclaz


What I suspect is that there is simply a "wrong" link above (typo by FdV or "moved file") and that only a single version of SFCFILES.DLL exists [...]

jaclaz

 

Just to clarify: jaclaz is perfectly right on what he is suspecting* - at least the copy of the 'sfcfiles.zip' on my hdd is last modified 2008.10.23 and binary identical with the one still available - so my vote is for 'moved file'.

 

*except I use(d) German version(s) created by myself :P

and will never forget the moment my son recognized his picture on the cards when he played solitaire back then..

..and enjoyed the fact Windows was not prompting to replace the critical system file named 'cards.dll' :lol:

 

 

But since a new file might be of interest, I thought it might be relevant to post the modded file with version ("5515") resource and correct checksum, which is also offered by MDGx.

 

indeed - and most likely the preferable one

