I originally set out to write a program for forcibly deleting files, but unexpectedly found that it is enough to send an IRP from the kernel to open a file and then never close the object: other programs are then denied access. Even easydelete, which is still a fairly strong tool, cannot delete the file. The key point is that no function is hooked and the system kernel is not patched; when you look at the file's properties you only see a normal file, and nothing else is visible. Whether the file shredder in 360 (version 7.0) is also affected is uncertain, and other tools have not been tried, so you can test them yourself. The file is opened using the following code:
Code:
/*
 * Transcript of a Windows kernel-mode (driver) listing recovered from a forum
 * post.  Identifiers are case-mangled and some tokens were split or dropped
 * by the extraction, so this block does not compile as it stands; the
 * comments describe what the original appears to do.
 *
 * IoCompletionRoutine - completion routine attached to the hand-built
 * IRP_MJ_CREATE below.  It copies the IRP's IoStatus into the UserIosb the
 * caller supplied, signals UserEvent if one is attached, frees the MDL (if
 * any) and then the IRP itself, and returns STATUS_MORE_PROCESSING_REQUIRED
 * so that the I/O manager stops processing the IRP that has just been freed.
 */
Ntstatusiocompletionroutine (in Pdevice_object deviceobject, in Pirp Irp, in PVOID Context) {*irp->userio SB = irp->Iostatus;if (irp->userevent) kesetevent (irp->userevent, io_no_increment, 0); if (irp->mdladdress) {iofreemdl (irp->MdlAddress); Irp->mdladdress =NULL;} IOFREEIRP (IRP); returnstatus_more_processing_required;}
/*
 * IrpCreateFile - opens FilePath by building an IRP_MJ_CREATE by hand and
 * sending it directly to the volume device, instead of going through
 * IoCreateFile/NtCreateFile.  On success *FileObject receives a FILE_OBJECT
 * that this function allocated and referenced itself; no handle exists for
 * it, and ownership of that reference (and of the DeviceObject/Vpb reference
 * counts bumped at the end) passes to the caller, who is expected to
 * ObDereferenceObject it.  The post's test deliberately never does, and the
 * post reports that the file then cannot be deleted.
 *
 * From a defensive standpoint the artefact left behind is a FILE_OBJECT with
 * no corresponding handle and elevated DeviceObject/Vpb reference counts --
 * which would explain why handle-based tools see nothing, while a kernel
 * debugger walking file objects still can.
 *
 * Parameters mirror IoCreateFile (DesiredAccess, FilePath, IoStatusBlock,
 * AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
 * CreateOptions, EaBuffer/EaLength); AllocationSize does not appear to be
 * used anywhere in this listing.  Returns an NTSTATUS; in the failure paths
 * after ObCreateObject the partially built FILE_OBJECT is dereferenced
 * before returning.
 *
 * Defects visible in the listing (not fixed here, since the transcript is
 * not compilable anyway):
 *  - the ACCESS_STATE created by SeCreateAccessState is never released with
 *    SeDeleteAccessState on any path;
 *  - the return value of KeWaitForSingleObject is ignored and the wait is
 *    alertable, so in principle the code can read IoStatusBlock before the
 *    completion routine has written it;
 *  - FileName is initialised with RtlInitUnicodeString over the caller's
 *    buffer (no copy), yet the object is meant to outlive the call;
 *  - the IoAllocateIrp failure message prints a stale NtStatus.
 * Recoveronekernelroutine() is not defined in this listing, so what it does
 * ahead of the ObReferenceObjectByHandle call cannot be verified here.
 */
Ntstatusirpcreatefile (Out Pfile_object *FileObject, in Access_mask desiredaccess, in Punicode_string FilePath, out Pio_status_block iostatusblock, in PLARGE_INTE GER allocationsize OPTIONAL, in ulong fileattributes, in ulong shareaccess, in ulong createdisposition, in ULONG createopt Ions, in PVOID eabuffer OPTIONAL, in ULONG ealength) {NTSTATUS NTSTATUS; HANDLE hfile; Pfile_object PFILE, _fileobject; Unicode_string unidevicenamestring;object_attributes objectattributes; Pdevice_object DeviceObject, Realdevice; PIRP IRP; KEVENT KEVENT; Pio_stack_location IRPSP; Access_state accessstate; Aux_access_data Auxdata;io_security_context SecurityContext; WCHAR devicenamestring[]=l "\\dosdevices\\*:\\"; if (Filepath->length < 6) returnstatus_invalid_parameter; /* Length is in bytes: at least 3 WCHARs are required because buffer[0] is used as the drive letter and buffer[2] onward as the path below */ //\ \?? 
\c:\xxxxDevicenamestring[12]=filepath->buffer[0]; /* index 12 is the '*' placeholder in "\DosDevices\*:\"; FilePath is therefore expected as "X:\..." -- the author's "\??\c:\..." comment does not match this indexing */ Rtlinitunicodestring (&Unidevicenamestring, devicenamestring); Initializeobjectattributes (&objectattributes, &unidevicenamestring, obj_kernel_handle, NULL, NULL); ntStatus = Iocreatefile (&hfile, generic_read|SYNCHRONIZE, &Objectattributes, Iostatusblock, NULL, File_attribute_normal, file_share_read| file_share_write|File_share_delete, File_open, File_synchronous_io_nonalert, NULL, 0, Createfiletypenone, NULL, io_no_parameter_checking);Nt_success (NtStatus)) {kdprint ("Irpcreatefile:iocreatefile 0x%x.\n", NtStatus)); ReturnNtStatus;} Recoveronekernelroutine ("Obreferenceobjectbyhandle"); ntStatus =Obreferenceobjectbyhandle (hfile, file_read_access,//Access_mask *Iofileobjecttype, KernelMode, (pvoid*) &PFile, 0); NtClose (hfile); /* the probe open of the volume root exists only to reach the volume's DeviceObject/RealDevice through the VPB; the handle is closed at once and PFile released right after */ if (!Nt_success (NtStatus)) {kdprint ("Irpcreatefile:obreferenceobjectbyhandle 0x%x.\n", NtStatus)); ReturnNtStatus;} DeviceObject = pfile->vpb->DeviceObject; Realdevice = pfile->vpb->Realdevice;obdereferenceobject (PFile); Initializeobjectattributes (&objectattributes, NULL, OBJ_CASE_ Insensitive, 0, NULL); ntStatus =Obcreateobject (KernelMode, *Iofileobjecttype, &Objectattributes, KernelMode, NULL, sizeof(File_object), 0, 0, (pvoid*) &_fileobject); if (!Nt_success (NtStatus)) {kdprint ("Irpcreatefile:obcreateobject 0x%x.\n", NtStatus)); ReturnNtStatus;} /* a bare FILE_OBJECT has been allocated from the object manager; it is filled in by hand below */ IRP = IoAllocateIrp (deviceobject->StackSize, FALSE); if (IRP = =NULL) {kdprint ("Irpcreatefile:ioallocateirp 0x%x.\n", NtStatus)); /* NtStatus is stale here: IoAllocateIrp does not set it */ Obdereferenceobject (_fileobject); ReturnStatus_insufficient_resources;} Keinitializeevent (&KEvent, SynchronizationEvent, FALSE); RtlZeroMemory (_fileobject, sizeof(File_object)); _fileobject->type =io_type_file;_fileobject->size = sizeof(file_object); _fileobject->deviceobject =Realdevice;_fileobject->flags =Fo_synchronous_io;////////\\?? 
\c:\xxxxxrtlinitunicodestring (&_fileobject->filename, &filepath->buffer[2]); /* RtlInitUnicodeString does not copy: FileName aliases the caller's buffer from its third WCHAR on */ Kdprint (("Ready to open File:%ws\n",_fileobject->Filename.buffer)); Keinitializeevent (&_FileObject->Lock, SynchronizationEvent, FALSE); Keinitializeevent (&_FileObject->Event, NotificationEvent, FALSE); RtlZeroMemory (&auxdata, sizeof(Aux_access_data)); NtStatus = Secreateaccessstate (&Accessstate, &Auxdata, Desiredaccess, iogetfileobjectgenericmapping ());Nt_success (NtStatus)) {kdprint ("Irpcreatefile:secreateaccessstate 0x%x.\n", NtStatus)); IOFREEIRP (IRP); Obdereferenceobject (_fileobject); ReturnNtStatus;} /* note: nothing below ever calls SeDeleteAccessState for Accessstate */ Securitycontext.securityqos =NULL; Securitycontext.accessstate = &Accessstate; Securitycontext.desiredaccess =desiredaccess; securitycontext.fullcreateoptions = 0; irp->mdladdress =Null;irp->associatedirp.systembuffer =Eabuffer;irp->flags = irp_create_operation|Irp_synchronous_api;irp->requestormode =KERNELMODE;IRP->USERIOSB =Iostatusblock;irp->userevent = &kevent;irp->pendingreturned =False;irp->cancel =False;irp->cancelroutine =Null;irp->tail.overlay.thread =Psgetcurrentthread (); irp->tail.overlay.auxiliarybuffer =Null;irp->tail.overlay.originalfileobject =_FILEOBJECT;IRPSP =Iogetnextirpstacklocation (IRP); /* fill in the next stack location as the I/O manager would for a create: the CreateDisposition is packed into the top byte of Options */ irpsp->majorfunction =Irp_mj_create;irpsp->deviceobject =Deviceobject;irpsp->fileobject =_fileobject;irpsp->parameters.create.securitycontext = &Securitycontext;irpsp->parameters.create.options = (createdisposition << 24) |Createoptions;irpsp->parameters.create.fileattributes =(USHORT) Fileattributes;irpsp->parameters.create.shareaccess =(USHORT) Shareaccess;irpsp->parameters.create.ealength =Ealength;iosetcompletionroutine (IRP, iocompletionroutine, 0, True, True, true); /* the completion routine runs on success, error and cancel and frees the IRP, so the IRP must not be touched after the call below */ //addRecoveriopfcompleterequest (); ntStatus =Iofcalldriverex (DeviceObject, IRP); if (NtStatus = = status_pending) KeWaitForSingleObject (&kevent, Executive, KernelMode, TRUE, 0 ); /* NULL timeout: waits indefinitely; the wait is alertable and its status is not checked */ ntStatus = Iostatusblock-> Status; if (! 
Nt_success (NtStatus)) {Kdprint (("Irpcreatefile:iocalldriver 0x%x.\n" , NtStatus)); _fileobject-> DeviceObject = NULL; Obdereferenceobject (_fileobject);} /* failure: DeviceObject is cleared before the only reference to the object is dropped */ else {interlockedincrement (volatile LONG *) &_fileobject->deviceobject-> referencecount); if ( _fileobject-> Vpb) interlockedincrement ((volatile LONG *) &_fileobject->vpb-> Referencecount); *fileobject = _fileobject;} /* success: the device and VPB reference counts are bumped by hand and the referenced object is handed to the caller; nothing in this function ever releases them */ return NtStatus;} /* usage from the post (mostly commented out): a GENERIC_READ|DELETE open of C:\test1.exe whose returned file object is intentionally never dereferenced */ Unicode_string name;//io_status_block ioblock;//rtlinitunicodestring (&name,l "C:\\test1.exe");//Status= Irpcreatefile (&fileobj,generic_read| delete,&name,&ioblock,0,file_attribute_normal,file_share_read| file_share_write| file_share_delete,file_open,0,0,0)
The above is the test code: after the open, ObDereferenceObject is not called and the function simply returns, and the file is then protected.
[Repost] Kernel-level, hook-free file anti-delete; gets past Ice Blade (IceSword), XueTr and easydelete