Program self-deletion is no longer a new topic. It is widely used in Trojans and viruses. Think about it: while your program is still running (usually after its resident and infection modules have finished), it automatically deletes itself from the disk, so that the user is unaware of it. Haha, isn't that cool?
The earliest self-deletion method was written by Gary Nebbett, and it is a true classic. The program is as follows:
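#include <windows.h>

/* Uses MSVC inline assembly, so it builds only as a 32-bit (x86) program. */
int main(int argc, char *argv[])
{
    char buf[MAX_PATH];
    HMODULE module;

    module = GetModuleHandle(0);
    GetModuleFileName(module, buf, MAX_PATH);
    /* Handle value 4 is hard-coded: the handle to the EXE file's image. */
    CloseHandle((HANDLE)4);

    __asm
    {
        lea eax, buf
        push 0                  /* argument for ExitProcess */
        push 0
        push eax                /* argument for DeleteFile: path in buf */
        push ExitProcess
        push module             /* argument for UnmapViewOfFile */
        push DeleteFile
        push UnmapViewOfFile
        ret                     /* "returns" into UnmapViewOfFile */
    }
    return 0;
}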
Compile it and run it. How about that? It disappears before your eyes, right? Amazing, isn't it?
Gary Nebbett exploited a quirk of the system. His program closes the handle to the EXE file's image (hard-coded as 4), then calls UnmapViewOfFile to unmap the EXE file's image from memory, and then passes the current program's file name (buf) to DeleteFile() through the stack to make the program delete itself.
Gary Nebbett is indeed a top low-level expert on the Windows system. Is there any other way to make a program delete itself? The answer is yes.
In Win9x/Me, a feature of wininit.ini can also be used. The wininit.ini file has a [rename] section. If you write "NUL=file to be deleted" in it, the file is deleted automatically the next time the system restarts. The following is an example:
[rename]
NUL=c:\selfdelete.exe
With this feature, the program can modify this INI file itself. Note that when more than one file has to be deleted, you cannot use WritePrivateProfileString, because this API prevents more than one "NUL=" entry from appearing in the same section; it is best to write the entries manually.
The third method is to use a batch file. Let's first run a test:
Create a.bat and write the following content to it:
del %0.bat
Run it now, and the screen will flash, leaving a line of text: "The batch file cannot be found". At this point it has been removed from your hard disk.
This shows that a batch file can delete itself, so we can apply this trick to our programs:
:Repeat
del "C:\mydir\selfdelete.exe"
if exist "selfdelete.exe" goto Repeat
rmdir "C:\mydir"
del "\delus.bat"
It repeatedly checks whether the file selfdelete.exe still exists until it has been deleted. After the deletion, the batch file itself is deleted.
(Note: This method supports all Windows versions, that is, Win9x/ME/NT/2000/XP)
One drawback of the batch file method is that a DOS window suddenly pops up, although the method is easy to use. However, as far as I know, this is the only method that works under WinXP. Of course, the best way is Gary Nebbett's, but its defect is that it does not work under WinXP.
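For incident response, the retry-delete loop shown above leaves a recognizable shape in any .bat file recovered from disk or from a process command line. The following is an added example, not code from the original article: a heuristic Python triage function that flags such scripts and reports the executable they removed. The function name, the regular expressions and the default script name delus.bat (taken from the sample above) are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the cleanup script shown in the article.
SAMPLE = r'''
:Repeat
del "C:\mydir\selfdelete.exe"
if exist "selfdelete.exe" goto Repeat
rmdir "C:\mydir"
del "\delus.bat"
'''

DEL_RE = re.compile(r'^\s*@?(?:del|erase)\s+(?:/\w+\s+)*"?([^"\r\n]+?)"?\s*$', re.I)
LOOP_RE = re.compile(r'^\s*@?if\s+exist\s+"?([^"\r\n]+?)"?\s+goto\s+:?(\w+)\s*$', re.I)
LABEL_RE = re.compile(r'^\s*:(\w+)\s*$')

def base(path):
    """File name only, lower-cased, so relative and absolute paths compare equal."""
    return PureWindowsPath(path.strip()).name.lower()

def find_self_delete(script, script_name="delus.bat"):
    """Return one finding per 'del X / if exist X goto label' retry loop (heuristic)."""
    labels, deleted, findings, removes_itself = set(), {}, [], False
    for line in script.splitlines():
        if m := LABEL_RE.match(line):
            labels.add(m.group(1).lower())
        elif m := DEL_RE.match(line):
            target = m.group(1)
            # %0 and %~f0 expand to the script's own path.
            if re.match(r'%~?\w*0', target) or base(target) == script_name.lower():
                removes_itself = True
            else:
                deleted[base(target)] = target
        elif m := LOOP_RE.match(line):
            name, label = base(m.group(1)), m.group(2).lower()
            # A jump back to a label already seen, guarded by a file that was
            # just deleted, is the retry loop described in the article.
            if name in deleted and label in labels:
                findings.append({"target": deleted[name], "label": label})
    for finding in findings:
        finding["script_removes_itself"] = removes_itself
    return findings

if __name__ == "__main__":
    print(find_self_delete(SAMPLE))
```

A finding gives the path of the executable that was removed, which is the file to look for in backups, shadow copies or the file system journal.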
Source: jieshiwang