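I have known for a long time that there is an undocumented Windows function that can turn off WFP (Windows File Protection) for a single file, after which you can do whatever you like with that file. The description found online is:
Parameters: dwUnknown0 unknown, set to 0
pwszFile file name
dwUnknown1 unknown, set to -1
As the parameters show, SfcFileException can only disable Windows File Protection for a single file. Note that the pwszFile parameter is a UNICODE string. The function returns 0 on success and 1 on failure (usually because the file is not protected by Windows File Protection). On Windows XP, SfcFileException lives in SFC_OS.DLL; it is not exported by name, only by ordinal, and the ordinal is 5.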
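.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc      ; NULL, MB_OK
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
include \masm32\macros\macros.asm        ; SADD
include \masm32\macros\ucmacros.asm      ; WSTR
; Prototype for the ordinal-only export: three DWORD arguments
ProtoDef typedef proto :DWORD,:DWORD,:DWORD
lpProc typedef ptr ProtoDef
.data
; pwszFile must be a UNICODE string, hence WSTR
WSTR szFile,"C:\Windows\Explorer.exe"
.data?
SfcFileException lpProc ?
.code
Main proc
    invoke LoadLibrary,SADD('SFC_OS.DLL')
    ; No exported name, so resolve the function by ordinal 5
    invoke GetProcAddress,eax,5
    mov SfcFileException,eax
    invoke SfcFileException,0,offset szFile,-1
    ; Returns 0 on success, 1 on failure
    .if eax
        invoke MessageBox,NULL,SADD('Err'),SADD('Err'),MB_OK
    .else
        invoke MessageBox,NULL,SADD('OK'),SADD('OK'),MB_OK
    .endif
    ret
Main endp
end Main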
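To use it from VB, I did not know how to handle ordinal 5 in the declaration. I also tried getting the address with GetProcAddress, but for some reason it kept failing, which was really frustrating. Later, while idly browsing VBGOOD, I came across a piece of code that made my eyes light up:
Private Declare Function SfcFileException Lib "sfc_os.dll" Alias "#5" (ByVal dwUnknown0 As Long, ByVal pwszFile As Long, ByVal dwUnknown1 As Long) As Long
Suddenly it clicked: if only the ordinal is exported, you simply write the ordinal in the declaration... Here is the complete code: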
Option Explicit
' Ordinal-only export: the Alias "#5" binds the Declare to ordinal 5
Private Declare Function SfcFileException Lib "sfc_os.dll" Alias "#5" (ByVal dwUnknown0 As Long, ByVal pwszFile As Long, ByVal dwUnknown1 As Long) As Long

Private Sub Command1_Click()
    On Error Resume Next
    Dim s As String
    Err.Clear
    s = "c:\windows\system32\winmine.exe" + vbNullChar ' the Windows Minesweeper program
    ' StrPtr passes the address of the UNICODE string data
    If SfcFileException(0, StrPtr(s), -1) = 0 Then ' ok!
        DoEvents
        Kill s
        If Err.Number <> 0 Then MsgBox Err.Description
        FileCopy "c:\windows\system32\notepad.exe", s ' on success, Minesweeper has been replaced with Notepad
        If Err.Number <> 0 Then MsgBox Err.Description
    Else
        MsgBox "failed!"
    End If
End Sub
With this thing, committing mayhem just got a lot more convenient~!
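Seen from the defender's side, both samples above have to name sfc_os.dll and resolve its export by ordinal, which leaves strings a static triage pass can look for. The following is an added example, not code from the original post: the function names, the 64-byte search window, the severity labels and the assumption that a VB `Alias "#5"` string sits near the library name are all hypothetical choices, and the sample byte strings are constructed.

```python
import re

DLL = "sfc_os.dll"
# The library name as an ASCII literal (as in the MASM sample) or as UTF-16LE.
PATTERNS = {
    "ascii": re.compile(re.escape(DLL.encode("ascii")), re.I),
    "utf-16le": re.compile(re.escape(DLL.encode("utf-16-le")), re.I),
}
ORDINAL_ALIAS = b"#5"  # VB-style ordinal alias; assumed to be stored near the name
WINDOW = 64            # assumed search radius in bytes, tune for your corpus

def find_sfc_refs(data: bytes):
    """Return sorted (offset, encoding, ordinal_hint) for each sfc_os.dll reference."""
    hits = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(data):
            lo, hi = max(0, m.start() - WINDOW), m.end() + WINDOW
            hits.append((m.start(), enc, ORDINAL_ALIAS in data[lo:hi]))
    return sorted(hits)

def triage(data: bytes) -> str:
    """'clean': no reference; 'review': name only; 'high': name plus a sign
    of ordinal resolution (alias hint or a GetProcAddress import name)."""
    hits = find_sfc_refs(data)
    if not hits:
        return "clean"
    dynamic = b"GetProcAddress" in data  # import names are stored as ASCII
    return "high" if dynamic or any(h[2] for h in hits) else "review"

# Constructed sample images (not real binaries), one per case.
SAMPLES = {
    "masm_like": b"\x00" * 16 + b"SFC_OS.DLL\x00pad" + b"GetProcAddress\x00",
    "vb_like": b"sfc_os.dll\x00\x00#5\x00",
    "wide_path": "C:\\Windows\\System32\\sfc_os.dll".encode("utf-16-le"),
    "benign": b"kernel32.dll\x00GetProcAddress\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(blob), find_sfc_refs(blob))
```

A hit is only a lead for review: legitimate system components also reference sfc_os.dll, so pair it with file-integrity monitoring on the protected paths.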