Iain Posted January 27, 2009

I've been looking into WFP recently: how to disable it for a specific file and how to add a file that I'd like to be protected. I have XP Pro SP3 and understand that those files which are protected are listed in a .dll in c:\windows\system32. The .dll can be hex edited to alter one of the file names, which will remove its protection. However, I came across some comments about the PE Header checksum of the .dll requiring modification. I'm happy to use a hex editor to make the changes to the file name, then use a live CD to move the .dll, because I suspect that I can't do that whilst Windows is running. I'm afraid that editing the checksum in the PE Header is beyond me. Can anyone give any tips about how to do that? The other side of my experiment is to add a file that I might want to protect. Does anyone have any ideas about that? I hasten to add that I do not have any malicious intent (though I realise that any techniques used could be adapted for wrongdoing), but I simply want to investigate how WFP works.
vector Posted January 27, 2009

Look into the attrib commands. You can even hide files that administrator accounts won't be able to see.
Sparda Posted January 27, 2009

> Look into the attrib commands. You can even hide files that administrator accounts won't be able to see.

Unless you tell Explorer to show them.
digip Posted January 28, 2009

> Look into the attrib commands. You can even hide files that administrator accounts won't be able to see.

The administrator should be able to see and take ownership of all user files on the system. Attributes set to hidden and system do not hide them. To completely block and protect a file you should use cacls to set different permissions, so lower restricted users can run files they need but can't delete or write to them.
Iain Posted January 28, 2009 (Author)

Sorry - I think I've been misunderstood. By "protect", I meant add a file to the list in the .dll so it will be restored automatically by WFP if the user deletes it. I realise that I'd have to put the backup copy of the file in the dllcache folder. I'd still like to know how to find the PE Header checksum and change it so it matches the checksum when I've modified the .dll. I understand that, following hex editing the file, the value of the checksum in the PE Header won't match the actual checksum.
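The open question in both of Iain's posts is how the CheckSum field in the PE optional header relates to the bytes on disk. The following is an added example, not code posted by anyone in the thread: it locates that field, recomputes the checksum with the documented linker/imagehlp algorithm, and compares the two, since a mismatch is the quickest sign that an image was hex-edited after linking. The image bytes are constructed inline (a stub, not a real DLL), and the code assumes e_lfanew is 4-byte aligned, as linkers emit it.

```python
import struct

def _checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature + 20-byte COFF file header + CheckSum lives at
    # offset 64 of the optional header (same place for PE32 and PE32+).
    return pe_offset + 4 + 20 + 64

def pe_checksum(data: bytes) -> int:
    """Recompute the PE checksum: sum the file as 32-bit little-endian
    words with end-around carry, skipping the CheckSum field itself,
    fold the sum to 16 bits, then add the file length."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)   # zero-pad a ragged tail
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:                        # field is treated as zero
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                   # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]

def checksum_is_valid(data: bytes) -> bool:
    """False when the header value no longer matches the bytes on disk,
    which is what editing the file without fixing the header produces.
    A stored value of 0 means the linker never set one, not tampering."""
    stored = stored_checksum(data)
    return stored != 0 and stored == pe_checksum(data)

# Constructed minimal image: MZ stub, e_lfanew = 0x40, "PE\0\0", a zeroed
# COFF header, the PE32 magic, and a deliberately wrong stored checksum.
_img = bytearray(256)
_img[0:2] = b"MZ"
struct.pack_into("<I", _img, 0x3C, 0x40)
_img[0x40:0x44] = b"PE\0\0"
struct.pack_into("<H", _img, 0x58, 0x10B)
struct.pack_into("<I", _img, 0x98, 0xDEADBEEF)
SAMPLE = bytes(_img)
```

Run against a real system DLL, `checksum_is_valid(open(path, "rb").read())` returns True for an untouched Microsoft image and False after any byte of it has been edited, which is the check to build into file-integrity monitoring rather than relying on the header value alone.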