柚子Nan -- Back to the Origin

Everything can be as easy as you like or as complex as you need.

How the Windows OS Protects System Files

Posted on 2005-10-09 16:06 by 柚子Nan  Views (2056)  Comments (5)

    The story goes back to my university days. In the assembly language course, the teacher taught us to use the Debug command, and many classmates (me included) played pranks by changing common commands such as copy and dir into destructive ones such as format and delete. That way, running dir would actually execute format or delete, and one careless slip would wreck the operating system. At the time I wondered why these files were not protected; I could not figure it out, so I let it go, and after so many years since graduation I had forgotten about it.


    Recently, while reading some Windows Server 2003 material, I came across the term Windows File Protection. What is it for? Judging by the name, it protects Windows' files. Think about it: Windows is a huge operating system with a great many files, all of them defined by Microsoft. If we replaced every one of those files with different contents while keeping the same file names, what would happen to the operating system? Obviously, it would stop working.


    So how does Microsoft protect system files? I looked up some material, all of it fairly superficial, but the principle is as described below; how exactly it is implemented, I do not know. In one sentence: Microsoft uses digital signatures.


  • Windows File Protection

It is a component that runs in the background and prevents replacement of system files. To verify a file, Windows File Protection checks its digital signature. If the file is not of the correct version, Windows File Protection replaces it with a copy from the Windows Server 2003 CD or from the backup maintained in the DllCache folder on the hard disk. If the correct file cannot be found, Windows File Protection prompts the user for the file location.


  • System File Checker

It is part of the Windows File Protection component: a command-line utility that scans and verifies all system files and device drivers. The command is sfc.


  • File Signature Verification

It is also a command-line utility, and the command is sigverif.

You can use the File Signature Verification tool to identify the signed and unsigned files on your computer, and to view the name, location, date of modification, type, and version number of each file.
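As an added example (not from the original post, and not Microsoft's sigverif code), the following PowerShell script reproduces the same kind of report: it walks a folder of executables, drivers and DLLs, checks each file's Authenticode signature, and lists name, location, modification date, type, version and signature status, flagging anything that is not validly signed. The folder and file limit are illustrative assumptions; run it as an administrator on a Windows machine.

```powershell
# Added example: signature audit of system files in the spirit of sigverif.
# Assumed: Windows with PowerShell; $Folder and $MaxFiles are constructed sample values.
param(
    [string]$Folder   = "$env:SystemRoot\System32",
    [int]   $MaxFiles = 200   # limit so the sample run finishes quickly; raise for a full scan
)

$report = Get-ChildItem -Path $Folder -File -Include *.exe, *.dll, *.sys -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First $MaxFiles |
    ForEach-Object {
        # Get-AuthenticodeSignature is the same digital-signature check the post describes
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name     = $_.Name
            Location = $_.DirectoryName
            Modified = $_.LastWriteTime
            Type     = $_.Extension.TrimStart('.').ToUpper()
            Version  = $_.VersionInfo.FileVersion
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Files that are unsigned or whose content no longer matches the signature (HashMismatch)
# are the ones a defender reviews first: they are exactly what WFP would refuse to keep.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }

$report  | Sort-Object Status, Name | Format-Table Name, Status, Version, Modified -AutoSize
"{0} files checked, {1} not validly signed" -f $report.Count, $suspect.Count
$suspect | Export-Csv -Path "$env:TEMP\unsigned-files.csv" -NoTypeInformation
```

Files signed only through a security catalog can show as NotSigned on older Windows versions where this cmdlet does not consult catalogs, so treat NotSigned as a lead to verify rather than proof of tampering; HashMismatch, however, means the file on disk differs from what was signed.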


If you are interested, try the two command-line commands above, sfc and sigverif. Ha, they are fun!