Recently, in the computer fundamentals course, I was getting a bit bored. It happens that the computer room runs Windows 7 32-bit with Deep Freeze (冰点) 7.5, a fairly new version; the Deep Freeze cracking tools written for 6.x, the various "Anti" utilities and so on, are basically useless against 7.x. But if you are studying computers, how can you not tinker? After reading a little: Deep Freeze is not like a restore card or Lenovo's hard-disk restore. It is loaded while Windows itself boots (as a driver), or afterwards; that is, it does not modify the MBR to hijack the boot before the OS. That makes things much easier: kill it in the registry, delete its driver files and its service launcher. The general file layout of Deep Freeze is as follows:

- X:\Program Files\Faronics\DF5Serv.exe: Deep Freeze's management and settings program, loaded as a system service; its registry load location is [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DF5Serv]
- X:\Program Files\Faronics\_$Df\FrzState2k.exe
- X:\$Persi0.sys: settings file; stores the program's user password and the protected partitions
- X:\windows\system32\drivers\DeepFrz.sys: the Deep Freeze kernel file, loaded as a driver; its registry load location is [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DeepFrz]. This is the crucial piece: it works at the highest level of the system, cannot be terminated, and is invisible in Task Manager; IceSword (冰刃) shows it among the kernel modules on XP. By the time the system is up it has already taken over (filtering and monitoring) the system's disk management, volume storage management, keyboard and mouse, so every access to the hard disk is already in Deep Freeze's hands and must pass through it before it reaches the system's own driver.
- X:\windows\system32\LogonDll.dll
Because Deep Freeze hooks the hard disk and the other device drivers as an upper filter, each of those hooked device classes must be changed back as well. UpperFilters is a REG_MULTI_SZ value, so "DeepFrz PartMgr" below means two entries, with DeepFrz first:

A) Disk drives: the value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\UpperFilters=DeepFrz PartMgr
is changed back to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\UpperFilters=PartMgr

B) Keyboards: the corresponding value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters=DeepFrz kbdclass
is changed back to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters=kbdclass

C) Mice and other pointing devices: the corresponding value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}\UpperFilters=DeepFrz mouclass
is changed back to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}\UpperFilters=mouclass

D) Storage volumes: the corresponding value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters=DeepFrz VolSnap
is changed back to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters=VolSnap

(Note: CurrentControlSet is only an alias for one of the numbered control sets; the same content also exists under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002, and all of them need to be modified, otherwise a boot from another control set, e.g. Last Known Good, brings the filter straight back. Fix the filter lists before, or together with, removing DeepFrz.sys: if the file is gone while DeepFrz is still listed in UpperFilters, the disk and volume classes fail to start and the machine will not boot.)

Also delete the key that loads LogonDll.dll, at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DfLogon]. (Winlogon notification packages under Winlogon\Notify are an XP/2003 mechanism that Windows 7 no longer loads, so on the Win7 machines this is cleanup rather than a disabling step.) Or simply search the whole registry for the DeepFrz value and fix every hit.
But making those modifications from inside the running system has no effect, and trying from Safe Mode does not work either, because the driver is still loaded in Safe Mode and everything is still hijacked. Disheartening. Is it really hopeless? No: restart and press F8; there is a "Repair Your Computer" option, which loads a separate repair system (the recovery environment) rather than the original installation. Once in, choose the command prompt, use del to delete those files, then run regedit and load the main system's SYSTEM hive (File > Load Hive) so that it can be edited offline. Let's start. Because of my own negligence I paid no attention to the device-driver hooks, so right now the computer in the computer room will not boot – ( ▼-▼ ) – I'm really funny. The registry is a bit complicated. The working principle of Deep Freeze needs further study, and the device-hooking part has not been examined thoroughly. Awaiting further analysis.
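The whole procedure above, from the four UpperFilters lists to the service keys, is easier to get right if it is planned before anything is deleted. The following Python script is an added example for this post (not the post's own script and not Faronics code): it models the relevant keys of an offline SYSTEM hive as a constructed dict (SAMPLE_HIVE), strips DeepFrz from every hooked class in every ControlSetNNN, handles the case where DeepFrz was the only filter (the value must be deleted, not emptied), marks the DeepFrz and DF5Serv service keys for deletion, and prints the reg.exe lines you would run in the recovery-environment command prompt. The mount name HKLM\OFFSYS and the hive path C:\Windows\System32\config\SYSTEM are assumptions; the Winlogon\Notify entry lives in the SOFTWARE hive and is not modelled.

```python
"""Planner for stripping Deep Freeze's hooks from an OFFLINE SYSTEM hive.

Added example for this post; not Faronics code and not the post's own script.
It removes the DeepFrz entry from each hooked class's UpperFilters list in every
ControlSetNNN, marks the DeepFrz/DF5Serv service keys for deletion, and emits
the reg.exe commands that would apply the plan from the recovery-environment
command prompt. Assumed: the hive is loaded as HKLM\OFFSYS from
C:\Windows\System32\config\SYSTEM. SAMPLE_HIVE is a constructed snapshot.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Hive = Dict[str, Dict[str, object]]          # key path relative to the hive root -> values

FILTERED_CLASSES: Dict[str, str] = {         # device-class GUIDs the post lists as hooked by DeepFrz
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": "disk drives",
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "keyboards",
    "{4D36E96F-E325-11CE-BFC1-08002BE10318}": "mice and pointing devices",
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}": "storage volumes",
}
FILTER_DRIVER = "DeepFrz"
SERVICE_KEYS = ("DeepFrz", "DF5Serv")
MOUNT = r"HKLM\OFFSYS"                                   # assumed `reg load` target
HIVE_FILE = r"C:\Windows\System32\config\SYSTEM"         # assumed; WinRE may use another letter

# Constructed snapshot; REG_MULTI_SZ values are Python lists. ControlSet002 plays the
# older LastKnownGood copy: its disk class is clean and its keyboard class carries only
# DeepFrz, so stripping it must delete the value instead of writing an empty list.
SAMPLE_HIVE: Hive = {
    "Select": {"Current": 1, "LastKnownGood": 2},
    r"ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}": {"UpperFilters": ["DeepFrz", "PartMgr"]},
    r"ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}": {"UpperFilters": ["DeepFrz", "kbdclass"]},
    r"ControlSet001\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}": {"UpperFilters": ["DeepFrz", "mouclass"]},
    r"ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}": {"UpperFilters": ["DeepFrz", "volsnap"]},
    r"ControlSet001\Services\DeepFrz": {"ImagePath": r"system32\drivers\DeepFrz.sys", "Start": 0},
    r"ControlSet001\Services\DF5Serv": {"ImagePath": r"C:\Program Files\Faronics\DF5Serv.exe", "Start": 2},
    r"ControlSet002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}": {"UpperFilters": ["PartMgr"]},
    r"ControlSet002\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}": {"UpperFilters": ["DeepFrz"]},
    r"ControlSet002\Services\DeepFrz": {"ImagePath": r"system32\drivers\DeepFrz.sys", "Start": 0},
}


@dataclass
class Action:
    op: str                       # "set_multi" | "delete_value" | "delete_key"
    key: str                      # path relative to the hive root
    why: str
    name: str = ""                # value name, for value operations
    data: Tuple[str, ...] = ()    # new REG_MULTI_SZ contents, for set_multi


def control_sets(hive: Hive) -> List[str]:
    """Every ControlSetNNN root in the hive; all of them get cleaned, not just the current one."""
    return sorted({p.split("\\", 1)[0] for p in hive if p.startswith("ControlSet")})


def current_control_set(hive: Hive) -> str:
    """An offline hive has no CurrentControlSet link; Select\\Current says which set it resolves to."""
    return "ControlSet%03d" % int(hive["Select"]["Current"])


def strip_filter(filters: List[str], driver: str = FILTER_DRIVER) -> List[str]:
    """Drop every occurrence of `driver` from a filter list, keeping the rest in order."""
    return [f for f in filters if f.lower() != driver.lower()]


def plan_cleanup(hive: Hive) -> List[Action]:
    """Work out what must change without touching anything."""
    actions: List[Action] = []
    for cs in control_sets(hive):
        for guid, desc in FILTERED_CLASSES.items():
            key = f"{cs}\\Control\\Class\\{guid}"
            filters = hive.get(key, {}).get("UpperFilters")
            if not isinstance(filters, list) or not any(f.lower() == FILTER_DRIVER.lower() for f in filters):
                continue                                   # this class is not hooked in this control set
            cleaned = strip_filter(filters)
            if cleaned:
                actions.append(Action("set_multi", key, desc, "UpperFilters", tuple(cleaned)))
            else:
                actions.append(Action("delete_value", key, desc, "UpperFilters"))
        for svc in SERVICE_KEYS:
            key = f"{cs}\\Services\\{svc}"
            if key in hive:
                actions.append(Action("delete_key", key, f"{svc} service"))
    return actions


def to_reg_commands(actions: List[Action], mount: str = MOUNT) -> List[str]:
    """Render the plan as reg.exe invocations against the loaded hive."""
    cmds: List[str] = []
    for a in actions:
        full = f'"{mount}\\{a.key}"'
        if a.op == "set_multi":
            joined = "\\0".join(a.data)                    # reg.exe separates REG_MULTI_SZ items with a literal \0
            cmds.append(f'reg add {full} /v {a.name} /t REG_MULTI_SZ /d "{joined}" /f')
        elif a.op == "delete_value":
            cmds.append(f"reg delete {full} /v {a.name} /f")
        else:
            cmds.append(f"reg delete {full} /f")
    return cmds


def cleanup_script(hive: Hive, mount: str = MOUNT, hive_file: str = HIVE_FILE) -> List[str]:
    """Load the hive, apply every action, unload so the changes are flushed to the file."""
    return [f'reg load {mount} "{hive_file}"', *to_reg_commands(plan_cleanup(hive), mount), f"reg unload {mount}"]


if __name__ == "__main__":
    print("REM CurrentControlSet resolves to", current_control_set(SAMPLE_HIVE))
    print("\n".join(cleanup_script(SAMPLE_HIVE)))
```

One point the script makes explicit: a hive loaded with `reg load` has no CurrentControlSet, only ControlSet001, ControlSet002 and a Select\Current value telling you which one the running system would use, so the plan cleans every numbered set rather than guessing. Run it against a copy of the hive first, and only delete DeepFrz.sys once no UpperFilters list references it any more.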