Exemplo n.º 1
0
        private void PatchWindowsXP2003SetupBootLoader(string setupldrPath)
        {
            var bytes        = File.ReadAllBytes(setupldrPath);
            var dosSignature = BitConverter.GetBytes(DOSHeader.DOSSignature);

            // setupldr.bin and ntldr are regular executables that are preceded by a special loader
            // we use the MZ DOS signature to determine where the executable start.
            // Note that we must update the executable checksum, because the loader will verify that the executable checksum is correct
            var executableOffset = IndexOfSequence(ref bytes, dosSignature);

            if (executableOffset == -1)
            {
                Console.WriteLine("Error: setupldr.bin is corrupted.");
                Program.Exit();
            }

            var loader = new byte[executableOffset];

            Array.Copy(bytes, loader, executableOffset);

            var executableLength = bytes.Length - executableOffset;
            var executable       = new byte[executableLength];

            Array.Copy(bytes, executableOffset, executable, 0, executableLength);

            var peInfo = new PortableExecutableInfo(executable);

            // update executable byte array
            var oldSequence = Encoding.ASCII.GetBytes("ntkrnlmp.exe");
            var newSequence = Encoding.ASCII.GetBytes("ntoskrnl.exe");
            // the kernel filename appears in the first PE section
            var section = peInfo.Sections[0];

            ReplaceInBytes(ref section, oldSequence, newSequence);
            peInfo.Sections[0] = section;

            var peStream = new MemoryStream();

            PortableExecutableInfo.WritePortableExecutable(peInfo, peStream);
            executable = peStream.ToArray();
            // finished updating executable byte array

            FileSystemUtils.ClearReadOnlyAttribute(setupldrPath);
            var stream = new FileStream(setupldrPath, FileMode.Create, FileAccess.ReadWrite);
            var writer = new BinaryWriter(stream);

            writer.Write(loader);
            writer.Write(executable);
            writer.Close();
        }
Exemplo n.º 2
0
        // Windows File Protection may restore a newer unsigned driver file to an older in-box signed driver file (sfc.exe is executed at the end of GUI-mode setup).
        // The list of files that is being protected is stored in sfcfiles.sys, and we can prevent a file from being protected by making sure it's not in that list.
        public static void DisableInBoxDeviceDriverFile(string setupDirectory, string fileName)
        {
            fileName = fileName.ToLower(); // sfcfiles.dll stores all file names in lowercase
            string path = setupDirectory + "sfcfiles.dl_";

            byte[] packed   = File.ReadAllBytes(path);
            byte[] unpacked = HiveINIFile.Unpack(packed, "sfcfiles.dll");
            PortableExecutableInfo peInfo = new PortableExecutableInfo(unpacked);
            string oldValue = @"%systemroot%\system32\drivers\" + fileName;
            string newValue = @"%systemroot%\system32\drivers\" + fileName.Substring(0, fileName.Length - 1) + "0"; // e.g. e1000325.sys => e1000325.sy0

            byte[] oldSequence = Encoding.Unicode.GetBytes(oldValue);
            byte[] newSequence = Encoding.Unicode.GetBytes(newValue);

            bool replaced = false;

            for (int index = 0; index < peInfo.Sections.Count; index++)// XP uses the .text section while Windows 2000 uses the .data section
            {
                byte[] section           = peInfo.Sections[index];
                bool   replacedInSection = KernelAndHalIntegrator.ReplaceInBytes(ref section, oldSequence, newSequence);

                if (replacedInSection)
                {
                    peInfo.Sections[index] = section;
                    replaced = true;
                }
            }

            if (replaced)
            {
                Console.WriteLine();
                Console.WriteLine("'{0}' has been removed from Windows File Protection file list.", fileName);

                MemoryStream peStream = new MemoryStream();
                PortableExecutableInfo.WritePortableExecutable(peInfo, peStream);
                unpacked = peStream.ToArray();
                packed   = HiveINIFile.Pack(unpacked, "sfcfiles.dll");

                FileSystemUtils.ClearReadOnlyAttribute(path);
                File.WriteAllBytes(path, packed);
            }
        }