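This post only demonstrates, for advanced users, how to add a digital signature to a system file.
Beginners who do not need this should not blindly follow the procedure and try it!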
How to make a tcpip.sys patch without pressing F8
A friend of mine asked me how to make a Vista tcpip.sys file patch that does not need the F8 key to be pressed.
This is not difficult: just sign tcpip.sys with a test signature.
For more information about tcpip.sys file patches, see: TCP/IP Patcher Compare Technical Features.
http://deepxw.blogspot.com/2008/12/on-internet-there-are-all-kinds-of-tcp.html
Here are the details of patching tcpip.sys with a test signature; perhaps they will help you.
1) All operations need "Run as Administrator".
2) Set testsigning to on:
Bcdedit -set TESTSIGNING ON
Every tcpip.sys file patch must do this; otherwise, a BSOD will occur after tcpip.sys has been modified.
After testsigning is on, "Test Mode" will be displayed in the 4 corners of the desktop.
You can get rid of it by modifying "user32.dll.mui". The string IDs are 738 and 723.
3) Reboot, check if testsigning is on correctly. (This step is optional.)
You can check it by bcdedit, or check it in the registry.
4) Modify the half-open connection limit value in the file "tcpip.sys".
First, make a temporary copy of tcpip.sys to modify.
You can disassemble tcpip.sys and get the offset of the limit.
In tcpip.sys, the asm code looks like this:
NT5: mov _ActiveOpenProgressThreshold, 0Ah
NT6: cmp edx, 0Ah
On NT5, you can set a new value up to 0xFFFFFFFF.
On NT6, the new value is up to 0xFF! Only 1 byte is available for use!
If you are a lazy guy, you can get these offsets with the TCP-Z tool. In the "patch" tab, you can get the offset of the limit.
By default, TCP-Z does not show the file offset.
But you can run tcpz.exe with the argument: tcpz.exe -showoffset.
5) Re-Checksum tcpip.sys.
You can use setcsum.exe.
Or do it in your program by API CheckSumMappedFile().
6) Create a test certificate with the makecert.exe tool.
Makecert -r -pe -ss PrivateCertStore -n "CN=TcpipCert" tcpipcert.cer
7) Sign tcpip.sys with signtool.exe.
signtool sign /a /s PrivateCertStore /n "TcpipCert" tcpip.sys
You can verify the signature of tcpip.sys:
signtool verify tcpip.sys
Because our signature is not a valid signature, signtool will report "File not valid".
If it returns "A certificate chain processed", it means the Test Signature is OK.
8) Now copy the temporary tcpip.sys to the driver folder, overwriting the original tcpip.sys.
Before copying, running takeown and icacls on tcpip.sys is required.
9) All done, restart your computer to take effect!
(Reposted to other sites, please retain the original author information.)
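Step 5 exists because the PE header stores a checksum over the whole file, so a driver file whose stored value no longer matches its contents has been changed since it was built. The Python sketch below is an added example, not code from the original post or from TCP-Z: an independent implementation of the PE checksum algorithm, run on a constructed 512-byte stand-in image (the offsets 0x80 and 0x182 and the byte values are made up for the demonstration).

```python
import struct

COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL_HEADER = 64  # same position in PE32 and PE32+

def checksum_field_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL_HEADER

def compute_pe_checksum(image: bytes) -> int:
    """16-bit end-around-carry sum with CheckSum zeroed, plus file length."""
    buf = bytearray(image)
    off = checksum_field_offset(image)
    buf[off:off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)  # pad odd-length files to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return (total + len(image)) & 0xFFFFFFFF

def stored_pe_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]

def checksum_matches(image: bytes) -> bool:
    return stored_pe_checksum(image) == compute_pe_checksum(image)

def build_sample_image() -> bytes:
    """Constructed 512-byte stand-in for a driver file (not a real PE)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew (constructed)
    img[0x80:0x84] = b"PE\0\0"
    img[0x180:0x184] = bytes([0x11, 0x22, 0x0A, 0x44])  # stand-in "code" bytes
    struct.pack_into("<I", img, checksum_field_offset(img), compute_pe_checksum(img))
    return bytes(img)

if __name__ == "__main__":
    original = build_sample_image()
    modified = bytearray(original)
    modified[0x182] = 0xFF  # one-byte change, header left untouched
    for name, blob in (("original", original), ("modified", bytes(modified))):
        print(f"{name}: stored=0x{stored_pe_checksum(blob):08X} "
              f"computed=0x{compute_pe_checksum(blob):08X} match={checksum_matches(blob)}")
```

A matching checksum says nothing about who produced the file; it is the signature check in step 7, together with the TESTSIGNING boot option, that decides whether the system accepts it.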