Click here to Skip to main content
12,698,410 members (24,231 online)
Click here to Skip to main content
Add your own
alternative version

Stats

58.2K views
19 bookmarked
Posted

A simple way to hack Windows File Protection (WFP) using the SetSfcFileException undocumented function

, 1 Sep 2007 CPOL
Rate this:
Please Sign up or sign in to vote.
How to delete/modify a system file which is protected by Windows without being detected by the OS protection.

Introduction

There are many ways to disable WFP. Among them is setting the Registry value SFCDisable found at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to 2, patching sfc.dll.

But, there is another method which will be discussed in this article. This is using the SetSfcFileException Win32 API function.

SetSfcFileException function

This function is exported by sfc_os.dll. Normally, it makes Windows to allow modification of any protected file given in the parameter during a 60 second period. But I tested it under WinXP and I discovered that its effect is unlimited!

Of course, this function is used in a privileged session! Its main role is to disable the Windows warning dialog when a protected file is modified; this is stealthier than terminating/patching services or changing Registry values.

The prototype of the SetSfcFileException function is:

SetSfcFileException(DWORD param1 , PWCHAR param2 , DWORD param3);
  • param1: Always set to 0
  • param2: The full path of the file to modify later
  • param3: Always set to -1

A small demonstrative program

Let's try to disable the WFP concerning the "c:\windows\system32\calc.exe" file:

typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);

void Disable_WFP() {
    hmod=LoadLibrary("sfc_os.dll");
    CPP SetSfcFileException;
    // the function is stored at the fifth ordinal in sfc_os.dll
    SetSfcFileException=(CPP)GetProcAddress(hmod,(LPCSTR)5);
    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
    // Now we can modify the system file in a complete stealth.
}

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Abdellatif_El_Khlifi
Engineer
Tunisia Tunisia
- Software / Hardware / Embedded engineer - C/C++ engineer

- IEEE computer society member

- Web page: http://www.abdellatif.netcv.com

You may also be interested in...

Pro
Pro

Comments and Discussions

 
GeneralMy vote of 5 Pin
JJMatthews13-Dec-12 21:29
memberJJMatthews13-Dec-12 21:29 
GeneralSetSfcFileException needed in VB Pin
Cisco R.26-Aug-08 4:53
memberCisco R.26-Aug-08 4:53 
Generalvaluable article Pin
echosong12-Sep-07 22:28
memberechosong12-Sep-07 22:28 
GeneralRe: valuable article Pin
Abdellatif_El_Khlifi13-Sep-07 4:54
memberAbdellatif_El_Khlifi13-Sep-07 4:54 
GeneralRe: We need more articles like this! Pin
Abdellatif_El_Khlifi10-Sep-07 7:13
memberAbdellatif_El_Khlifi10-Sep-07 7:13 
GeneralFollow Up Pin
BTrabon31-May-07 17:16
memberBTrabon31-May-07 17:16 
GeneralRe: Follow Up [modified] Pin
El_Khlifi_Abdellatif3-Jun-07 11:13
memberEl_Khlifi_Abdellatif3-Jun-07 11:13 
GeneralRe: Follow Up Pin
BTrabon3-Jun-07 11:22
memberBTrabon3-Jun-07 11:22 
GeneralRe: Follow Up Pin
Bogdan Apostol17-Jun-08 23:53
memberBogdan Apostol17-Jun-08 23:53 
GeneralRe: Follow Up Pin
Abdellatif_El_Khlifi18-Jun-08 5:32
memberAbdellatif_El_Khlifi18-Jun-08 5:32 
QuestionError code? Pin
psu8223-Oct-06 0:07
memberpsu8223-Oct-06 0:07 
QuestionWindows 2000 ? Pin
psu8222-Oct-06 22:20
memberpsu8222-Oct-06 22:20 
AnswerRe: Windows 2000 ? Pin
Hansa4Ever15-Nov-06 5:35
memberHansa4Ever15-Nov-06 5:35 
QuestionRe: Windows 2000 ? Pin
faceold4-Jul-07 18:27
memberfaceold4-Jul-07 18:27 
GeneralNo SetSfcFileException exported in sfc_os.dll Pin
wang_xiaopin24-Aug-06 21:30
memberwang_xiaopin24-Aug-06 21:30 
GeneralRe: No SetSfcFileException exported in sfc_os.dll Pin
El_Khlifi_Abdellatif25-Aug-06 1:45
memberEl_Khlifi_Abdellatif25-Aug-06 1:45 
GeneralAdmin Privs needed??!! Pin
dbaier25-Jul-06 14:40
memberdbaier25-Jul-06 14:40 
GeneralRe: Admin Privs needed??!! Pin
El_Khlifi_Abdellatif26-Jul-06 0:20
memberEl_Khlifi_Abdellatif26-Jul-06 0:20 
QuestionWhy? Pin
Dave Goodman25-Jul-06 8:52
memberDave Goodman25-Jul-06 8:52 
AnswerRe: Why? Pin
Jim Crafton26-Jul-06 7:58
memberJim Crafton26-Jul-06 7:58 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170118.1 | Last Updated 1 Sep 2007
Article Copyright 2006 by Abdellatif_El_Khlifi
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid