Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Saturday, August 19 2017 @ 11:23 AM CEST

Replacing windows system files

   

TutorialsLevel : newbie

Intro:
You all probably know about the windows file protection? No? Let me explain. The files in the directory system32(or system) are critical for windows. Therefore, windows has it own file protection system managed by sfc.exe. (Start -> Run -> cmd.exe -> sfc.exe and you see its parameters). This file is activate during windows. It checks if the files are the original ones, otherwise, the not original files get replaced by the original ones.

SFC scans the filetimes (creation and last modification time) and the file its size to check for originality. SFC does not check for actually changed (patched) bytes. I will describe two ways to get around this problem so you can replace the files with your patched ones.


Figure 1. Showing the parameters of SFC

First option:
You can disable this file its purpose by changing the CACHSIZE to 0. And then PURGECACHE so it has no files in his memory anymore so it can not copy the good files over the bad files anymore when it runs into a wrong file in the system dirs. So by doing this (first reboot after the modifications) you can copy modified files to the system dirs, replacing the originals. For example you have patched taskmgr.exe so it quits right away, and you have copied it to the systemdir so the CTRL ALT DEL will not pop up taskmgr.exe

Second option:
The second way, without disabling SFC is coding a little program. I have made a very simple application, its all API wrapping. See the download below. The app gets the filetime of the file to be replaced, then the app replaces the original file with the one specified and sets the new filetime of the copied file to the original filetime attained earlier.

Advantages & Disadvantages:
When you want to play around with your own system and you have internet connection and you are using the current windows installation for other things then messing around with Windows, it is dangerous to totally disable SFC. Because malicious programs can also easily replace the system files. On remote computers this maybe doesn’t matter. Another thing to consider is that the file size of the not original file must be exactly the same as the original one or else it gets replaced again by the original one if you leave SFC on.

Hopefully you have learned something!
Devoney

Download attachment:here




What's Related

Story Options

Replacing windows system files | 1 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
Replacing windows system files
Authored by: eXanock on Tuesday, September 11 2007 @ 04:19 PM CEST
Great article. Before reading this, I knew nothing about the windows file protection system. Very understandable, even for us newbies. Thank you so much.

---
eXanock - Another blog on ethical hacking, coding and (legal) reverse engineering. http://exanock.blogspot.com/

 Copyright © 2017 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.06 seconds