Windows File Protection


Iain

I've been looking into WFP recently: how to disable it for a specific file and how to add a file that I'd like to be protected. I have XP Pro SP3 and understand that those files which are protected are listed in a .dll in c:\windows\system32. The .dll can be hex edited to alter one of the file names which will remove its protection. However, I came across some comments about the PE Header checksum of the .dll requiring modification. I'm happy to use a hex editor to make the changes to the file name then use a live CD to move the .dll because I suspect that I can't do that whilst Windows is running. I'm afraid that editing the checksum in the PE Header is beyond me. Can anyone give any tips about how to do that?

The other side of my experiment is to add a file that I might want to protect. Does anyone have any ideas about that? I hasten to add that I do not have any malicious intent (though I realise that any techniques used could be adapted for wrongdoing) but I simply want to investigate how WFP works.


Look into the attrib commands. You can even hide files that administrator accounts won't be able to see.

The administrator should be able to see and take ownership of all user files on the system. Attributes set to hidden and system do not hide them. To completely block and protect a file you should use cacls to set different permissions so lower restricted users can run files they need but can't delete or write to them.


Sorry - I think I've been misunderstood. By "protect", I meant add a file to the list in the .dll so it will be restored automatically by WFP if the user deletes it. I realise that I'd have to put the backup copy of the file in the dllcache folder.

I'd still like to know how to find the PE Header checksum and change it so it matches the checksum when I've modified the .dll. I understand that, following hex editing the file, the value of the checksum in the PE Header won't match the actual checksum.
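
Added example, not part of the thread and not any poster's code: a Python check that compares the CheckSum field stored in a PE optional header with the value recomputed from the file's bytes, which is how a hex-edited DLL shows up as modified. The function names are hypothetical and the sample buffer is constructed (header fields only, not a loadable image).

```python
import struct

def checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum (same position in PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + 4 + 20 + 64  # signature + COFF header + 64 bytes into optional header
    if off + 4 > len(data):
        raise ValueError("truncated optional header")
    return off

def compute_pe_checksum(data):
    """16-bit end-around-carry sum of the file with CheckSum zeroed, plus file length."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"      # the field itself is excluded from the sum
    if len(buf) % 2:
        buf.append(0)                   # pad an odd-length file to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return (total + len(data)) & 0xFFFFFFFF

def check_pe(data):
    """Return (stored, computed, status); status is 'match', 'mismatch' or 'unset'."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    if stored == 0:                     # many linkers leave the field at zero
        return stored, computed, "unset"
    return stored, computed, "match" if stored == computed else "mismatch"

def constructed_sample():
    """Constructed 160-byte buffer: MZ stub, PE signature, zeroed headers."""
    img = bytearray(160)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x98, 0xA07D)    # CheckSum value for this buffer
    return bytes(img)

if __name__ == "__main__":
    original = constructed_sample()
    edited = bytearray(original)
    edited[0x70] ^= 0x01                # stand-in for a one-byte hex edit
    for name, blob in (("original", original), ("edited", bytes(edited))):
        stored, computed, status = check_pe(blob)
        print(f"{name}: stored=0x{stored:08X} computed=0x{computed:08X} {status}")
```

A stored value of zero is reported separately because it means the field was never set, not that the file was altered.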
