Click here to Skip to main content
8,860,308 members and growing!
  
Email Password   Lost password?
Search within:



add
Add to your CodeProject bookmarks
Print Article
Site map
 » General Reading » Hardware & System » Security
Licence CPOL
First Posted 25 Jul 2006
Views 44,222
Bookmarked 14 times

A simple way to hack Windows File Protection (WFP) using the SetSfcFileException undocumented function

By | 1 Sep 2007 | Article
, +
How to delete/modify a system file which is protected by Windows without being detected by the OS protection.
ArticleBrowse CodeStatsRevisions (2)Alternatives
  Discuss
Discuss this article
 19  

Introduction

There are many ways to disable WFP. Among them is setting the Registry value SFCDisable found at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to 2, patching sfc.dll.

But, there is another method which will be discussed in this article. This is using the SetSfcFileException Win32 API function.

SetSfcFileException function

This function is exported by sfc_os.dll. Normally, it makes Windows to allow modification of any protected file given in the parameter during a 60 second period. But I tested it under WinXP and I discovered that its effect is unlimited!

Of course, this function is used in a privileged session! Its main role is to disable the Windows warning dialog when a protected file is modified; this is stealthier than terminating/patching services or changing Registry values.

The prototype of the SetSfcFileException function is:

SetSfcFileException(DWORD param1 , PWCHAR param2 , DWORD param3);
  • param1: Always set to 0
  • param2: The full path of the file to modify later
  • param3: Always set to -1

A small demonstrative program

Let's try to disable the WFP concerning the "c:\windows\system32\calc.exe" file:

typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);

void Disable_WFP() {
    hmod=LoadLibrary("sfc_os.dll");
    CPP SetSfcFileException;
    // the function is stored at the fifth ordinal in sfc_os.dll
    SetSfcFileException=(CPP)GetProcAddress(hmod,(LPCSTR)5);
    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
    // Now we can modify the system file in a complete stealth.
}

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Abdellatif_El_Khlifi

Engineer

Tunisia Tunisia

Member

 - Software / Hardware / Embedded engineer - C/C++ engineer
 
- IEEE computer society member
 
- Web page: http://www.abdellatif.netcv.com

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board. (secure sign-in)
 
Search this forum  
 FAQ
    Noise  Layout  Per page   
  RefreshFirst Prev Next
GeneralSetSfcFileException needed in VB PinmemberCisco R.3:53 26 Aug '08  
Generalvaluable article Pinmemberechosong21:28 12 Sep '07  
GeneralRe: valuable article PinmemberAbdellatif_El_Khlifi3:54 13 Sep '07  
GeneralRe: We need more articles like this! PinmemberAbdellatif_El_Khlifi6:13 10 Sep '07  
GeneralFollow Up PinmemberBTrabon16:16 31 May '07  
GeneralRe: Follow Up [modified] PinmemberEl_Khlifi_Abdellatif10:13 3 Jun '07  
GeneralRe: Follow Up PinmemberBTrabon10:22 3 Jun '07  
GeneralRe: Follow Up PinmemberBogdan Apostol22:53 17 Jun '08  
GeneralRe: Follow Up PinmemberAbdellatif_El_Khlifi4:32 18 Jun '08  
QuestionError code? Pinmemberpsu8223:07 22 Oct '06  
QuestionWindows 2000 ? Pinmemberpsu8221:20 22 Oct '06  
AnswerRe: Windows 2000 ? PinmemberHansa4Ever4:35 15 Nov '06  
QuestionRe: Windows 2000 ? Pinmemberfaceold17:27 4 Jul '07  
GeneralNo SetSfcFileException exported in sfc_os.dll Pinmemberwang_xiaopin20:30 24 Aug '06  
GeneralRe: No SetSfcFileException exported in sfc_os.dll PinmemberEl_Khlifi_Abdellatif0:45 25 Aug '06  
GeneralAdmin Privs needed??!! Pinmemberdbaier13:40 25 Jul '06  
GeneralRe: Admin Privs needed??!! PinmemberEl_Khlifi_Abdellatif23:20 25 Jul '06  
QuestionWhy? PinmemberDave Goodman7:52 25 Jul '06  
AnswerRe: Why? PinmemberJim Crafton6:58 26 Jul '06  
Last Visit: 18:44 24 May '12     Last Update: 14:44 24 May '12 1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Mobile
Web04 | 2.5.120517.1 | Last Updated 1 Sep 2007
Article Copyright 2006 by Abdellatif_El_Khlifi
Everything else Copyright © CodeProject, 1999-2012
Terms of Use
Layout: fixed | fluid

The Code Project Insider. Free each morning.
Http 500 Error resolution
ScrollBar Control with Different Visual Style using VB.NET 2008
Iterating through menustrip items
Mocking the generic repository
LINQ on the command-line
Stored Procedure Data Gateway
User Feedback For Long Running Tasks in ASP.NET
8-Puzzle solving using the A* algorithm using Python and PyGame
A Look At The Growing Need For Anti-virus Software
Authoring Documentation with DocProject and Sandcastle
ASP.NET automatic Object to UI Binding
Logging information in Oracle
Using DataPlotter implementing three kinds of Scan-converting Line Segments algorithm
Dynamically Pointing to Shared Data Sources on SQL Reporting Services using a Report Definition Customization Extension (RDCE)
Design the WCF service without implementing interface
Snail Run For Windows Phone
How to get current function return type using __FUNCDNAME__
Merge DataGrid Header
Wcf.js: Call WCF web services from Node.js
Simple C Hashtable
NodeJS REST server trials to validate effective scripting