A clever method to delete the program itself

Recently, I saw a netizen asking me how to delete myself after running the program. I don't know what kind of interest you have in Trojans. I still want this effect: As long as a user runs a program, the executable file is gone, but the program is still running. The timid one is afraid to shout "ghost! "," Wife, come out and see God"

. In fact, the most typical usage is to write the anti-installation program. It's nothing to worry about. Bear is a clever "delete yourself" method.

As we all know, when running a program, the executable file itself is protected by the operating system and cannot be accessed in a rewrite mode, not to mention deleting itself when it is still running. On the homepage of lu0, we can see an undocument method. By changing the underlying File Access Mode of the system, we can delete ourselves. I admire it. But is there a function implementation that can be found on msdn? Yes! Jeffrey Richter gave us an example:

　　Deleteme. CPP Module name: deleteme. CPP written by: Jeffrey Richter description: allows an executable file to delete itself ********************************* * ****************/# include //////////////// /// // int winapi winmain (hinstance H, hinstance B, lpstr psz, int N) {// is this original EXE or the clone EXE? // If the command-line 1 argument, this is the original EXE // If the command-line> 1 argument, This is the clone EXE if (_ argc = 1) {// original EXE: spawn clone EXE to delete this EXE // copy this executable image into the user's temp directory tchar szpathorig [_ max_path], szpathclone [_ max_path]; getmodulefilename (null, szpathorig, _ max_path); gettemppath (_ max_path, szpathclone); gettempfilename (partition, _ text ("Del"), 0, szpathclone); copyfile (szpathorig, szpathclone, false); // *** note ***: // open the clone EXE using file_flag_delete_on_close handle hfile = createfile (szpathclone, 0, file_share_read, null, open_existi ng, file_flag_delete_on_close, null); // spawn the clone EXE passing it our EXE's Process Handle // and the full path name to the original EXE file. tchar szcmdline [512]; handle hprocessorig = OpenProcess (synchronize, true, getcurrentprocessid (); wsprintf (szcmdline, _ text ("% S % d/" % S/""), szpathclone, hprocessorig, szpat horig); startupinfo Si; zeromemory (& Si, sizeof (SI )); si. CB = sizeof (SI); process_information PI; CreateProcess (null, szcmdline, null, null, true, 0, null, null, & Si, & PI); closehandle (hprocessorig ); closehandle (hfile); // This original process can now terminate .} else {// clone EXE: When original EXE terminates, delete it handle hprocessorig = (handle) _ ttoi (_ targv [1]); waitforsingleobject (hprocessorig, infinite ); closehandle (hprocessorig); deletefile (_ targv [2]); // insert code here to remove the subdirectory too (if desired ). // The system will delete the clone EXE automatically // because it was opened with file_flag_delete_on_close} return (0 );}

Do you understand?

The idea of this program is simple: Isn't it possible to directly delete itself at runtime? Well, the program will first clone itself, start another process with the replica, and then run it on its own, then the original EXE file will not be protected by the system. at this time, the new process is used as the killer to delete the original EXE file and continue to complete other functions of the program.

After the new process is completed, the replica is automatically deleted. This is another trick worth introducing. Note:

// Open the clone EXE using file_flag_delete_on_close

Handle hfile = createfile (szpathclone, 0, file_assist_read, null, open_existin

G, file_flag_delete_on_close, null );

The file_flag_delete_on_close flag tells the operating system that when all the handles related to the file are closed (including the statement Bing created in the createfile above ), delete the file. This flag is specified when almost all temporary files are created.

In addition, you should wait for the original process to exit before the replica process performs operations on the original program. the process synchronization technology is used here. use handle hprocessorig = OpenProcess (synchronize, true, getcurrentprocessid (); to obtain the original process handle. the synchronice flag is valid in NT so that the handles obtained by OpenProcess can be used as synchronization objects. the replica process uses the waitforsingleobject function for synchronization, then a deletefile, and other destruction evidence (Jeffrey said: such as Directory deletion!

The program is based on the console. The input parameters are used to determine whether the process is the original process or the new copying process, and the information of the target file to be operated (mainly the path) is obtained ), put the copies in the temp directory of the system (obtained by gettemppath). You can also find a safe place (such as Windows/system32 ).

There is no deep technology here. let's look at other examples of how to delete itself. For example, before the process exits, use fwrite or other methods to output one. BAT file, write a few del statements in it, and then winexec the BAT file.

 

Most of the worms that have played with DOS will. I learned another trick today.