Quote:
Originally posted by volodya
Got that. Thanks. Your info was really helpful. I was able to find more information (in Russian, sorry) and now I can more or less imagine what is going on.
SfcValidateFileSignature loads some API from mscat32.dll/WinTrust.dll:
CryptCATAdminCalcHashFromFileHandle - undocumented
CryptCATAdminEnumCatalogFromHash - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptcatadminenumcatalogfromhash.asp
CryptCATCatalogInfoFromContext - undocumented
WinVerifyTrust - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winverifytrust.asp
CryptCATAdminReleaseCatalogContext - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptcatadminreleasecatalogcontext.asp
For the "undocumented" functions, see:
hxxp://msdn.microsoft.com/library/en-us/security/security/cryptcatadmincalchashfromfilehandle.asp
hxxp://msdn.microsoft.com/library/en-us/security/security/cryptcatcataloginfofromcontext.asp
What the function seems to do (I have never used the CryptoAPI myself) is to first calculate the hash of the protected file and then search the catalogs for that hash.
Quote:
Let me remind you that you can completely disable WFP by setting the SFCScan value to the undocumented one described by Collake and patching sfc.dll (sfc_os.dll in XP+) with the patch I gave you above.

Yeah, I know about that. But I wouldn't do that without also changing the magic value to something other than what's already in that dll file.
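The hash-then-catalog lookup described above, as an added PowerShell example (not code from the original post): it P/Invokes the wintrust.dll functions named in the thread, hashes a file with CryptCATAdminCalcHashFromFileHandle, searches the catalog database with CryptCATAdminEnumCatalogFromHash and reads the catalog path with CryptCATCatalogInfoFromContext. A hit in a catalog is only a lookup; the actual trust decision is WinVerifyTrust on that catalog (WTD_CHOICE_CATALOG), which is left out here for length. The function name Find-CatalogForFile and the kernel32.dll sample path are assumptions.

```powershell
# Added example, not from the original post: P/Invoke the catalog APIs the thread lists.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class CatApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CATALOG_INFO {
        public uint cbStruct;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string wszCatalogFile;  // MAX_PATH
    }
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminAcquireContext(out IntPtr phCatAdmin, IntPtr pgSubsystem, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminCalcHashFromFileHandle(IntPtr hFile, ref uint pcbHash, byte[] pbHash, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern IntPtr CryptCATAdminEnumCatalogFromHash(IntPtr hCatAdmin, byte[] pbHash, uint cbHash, uint dwFlags, IntPtr phPrevCatInfo);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATCatalogInfoFromContext(IntPtr hCatInfo, ref CATALOG_INFO psCatInfo, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminReleaseCatalogContext(IntPtr hCatAdmin, IntPtr hCatInfo, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminReleaseContext(IntPtr hCatAdmin, uint dwFlags);
}
'@

function Find-CatalogForFile {   # assumed name; returns the file hash and the first catalog that lists it
    param([Parameter(Mandatory)][string]$Path)
    $admin = [IntPtr]::Zero
    if (-not [CatApi]::CryptCATAdminAcquireContext([ref]$admin, [IntPtr]::Zero, 0)) { throw "CryptCATAdminAcquireContext failed" }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $hFile = $fs.SafeFileHandle.DangerousGetHandle()
        # Step 1: hash the file. A null buffer makes the call report the needed size (20 bytes = SHA-1 on XP/2003).
        [uint32]$cb = 0
        [void][CatApi]::CryptCATAdminCalcHashFromFileHandle($hFile, [ref]$cb, $null, 0)
        $hash = New-Object byte[] $cb
        if (-not [CatApi]::CryptCATAdminCalcHashFromFileHandle($hFile, [ref]$cb, $hash, 0)) { throw "CryptCATAdminCalcHashFromFileHandle failed" }
        $tag = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''   # hex member tag, the form catalog entries are keyed on
        # Step 2: search the catalog database for that hash; IntPtr.Zero means no installed catalog lists this file.
        # Passing the returned context back as phPrevCatInfo would enumerate further catalogs; only the first is read here.
        $cat = [CatApi]::CryptCATAdminEnumCatalogFromHash($admin, $hash, $cb, 0, [IntPtr]::Zero)
        $catalogFile = $null
        if ($cat -ne [IntPtr]::Zero) {
            $info = New-Object -TypeName 'CatApi+CATALOG_INFO'
            $info.cbStruct = [Runtime.InteropServices.Marshal]::SizeOf($info)
            if ([CatApi]::CryptCATCatalogInfoFromContext($cat, [ref]$info, 0)) { $catalogFile = $info.wszCatalogFile }
            [void][CatApi]::CryptCATAdminReleaseCatalogContext($admin, $cat, 0)
        }
        [pscustomobject]@{ Path = $Path; MemberTag = $tag; Catalog = $catalogFile }
    } finally {
        $fs.Dispose()
        [void][CatApi]::CryptCATAdminReleaseContext($admin, 0)
    }
}

Find-CatalogForFile "$env:SystemRoot\System32\kernel32.dll"   # sample path, assumed to exist on the box
```

A Catalog value of $null for a file that ships with Windows is the condition WFP would treat as a tampered or unsigned protected file; a non-null value only says which .cat claims the file, not that the claim is trustworthy.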