Got that. Thanks. You info was really helpful. I was able to find more information (on Russian, sorry) and now I can more or less imagine what is going on.
SfcValidateFileSignature loads some API from mscat32.dll/WinTrust.dll:
CryptCATAdminCalcHashFromFileHandle - undocumented
CryptCATAdminEnumCatalogFromHash - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptcatadminenumcatalogfromhash.asp
CryptCATCatalogInfoFromContext - undocumented
WinVerifyTrust
- documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winverifytrust.asp
CryptCATAdminReleaseCatalogContext - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptcatadminreleasecatalogcontext.asp
Let me remind you that you can completely disable WFP by setting SFCScan value to the undocumented one described by Collake and patch sfc.dll (sfc_os.dll in XP+) with the patch I gave you above.
Last edited by volodya; 02-06-2004 at 01:02.
|