Delete Self exe before process exits

Source: Internet
Author: User


The following code was written by Gary Nebbett, author of the Windows NT/2000 Native API Reference and a first-class expert on the NT system. Here is an analysis of some of his code.
This code deletes the EXE file that started the process before the process has finished running.

#include <windows.h>

int main(int argc, char *argv[])
{
    HMODULE module = GetModuleHandle(0);        // base address of our own image
    char buf[MAX_PATH];
    GetModuleFileName(module, buf, sizeof buf); // full path of the running EXE
    CloseHandle(HANDLE(4));                     // hard-coded handle of the image section (see below)
    __asm {
        lea eax, buf
        push 0                  // return address for ExitProcess (never used)
        push 0                  // argument: ExitProcess(0)
        push eax                // argument: DeleteFile(buf)
        push ExitProcess        // DeleteFile "returns" into ExitProcess
        push module             // argument: UnmapViewOfFile(module)
        push DeleteFile         // UnmapViewOfFile "returns" into DeleteFile
        push UnmapViewOfFile
        ret                     // "return" into UnmapViewOfFile
    }
    return 0;
}
Now let's take a look at what is on the stack after the pushes (each slot is 4 bytes):

Offset  Content
24      0                          (return address for ExitProcess)
20      0                          (argument to ExitProcess)
16      address of buf             (argument to DeleteFile)
12      address of ExitProcess     (return address for DeleteFile)
8       module                     (argument to UnmapViewOfFile)
4       address of DeleteFile      (return address for UnmapViewOfFile)
0       address of UnmapViewOfFile (target of RET)

The RET transfers control to UnmapViewOfFile, whose address sits at offset 0 of the stack. On entry to UnmapViewOfFile the stack holds the return address (DeleteFile) followed by its argument, module, so when UnmapViewOfFile completes it returns to the entry point of DeleteFile. DeleteFile in turn sees the address of ExitProcess as its return address and buf (loaded into EAX) as its parameter; buf holds the EXE's file name as filled in by GetModuleFileName(module, buf, sizeof buf). After DeleteFile executes, it returns to the entry point of ExitProcess, with parameter 0 and return address 0. Address 0 is invalid, and returning to it would fault, but ExitProcess never returns, so the bogus return address is never used.
The subtleties of this piece of code are:
1. If a handle to the file is open, deleting the file fails, so CloseHandle(HANDLE(4)) is a very ingenious move. Handle 4 is the value the OS hard-codes for the handle of the EXE's image section. By default the OS assumes no code will close the image section handle, and now it has been closed, removing one reference to the file.
2. UnmapViewOfFile releases the other reference to the image, the memory mapping of the image itself, so no subsequent code may reference anything inside the image's mapped address range, or the OS will fault. That is why, after UnmapViewOfFile, the remaining code references nothing inside the image at all.
3. The EXE file is deleted before ExitProcess. That is, the process still exists while the EXE file containing the main thread's code is gone. (Windows NT/9x normally protects Win32 image files that are mapped into memory from being deleted.)
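A defender's counterpart to point 3, added here and not part of the original post: a PowerShell check that lists running processes whose reported image path no longer exists on disk, which is exactly the state this trick leaves behind. It uses only built-in cmdlets (Get-Process, Test-Path); the function name is my own.

```powershell
# Added example (not from the original post): report processes whose on-disk
# image is missing. A process that deleted its own EXE still reports its
# original image path, but Test-Path on that path now returns $false.
# Run from an elevated prompt to also see processes owned by other users.
function Get-ProcessWithMissingImage {
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $path = $null
        try { $path = $proc.Path } catch { }   # access denied -> $null

        # Path is $null for protected/system processes we cannot query; skip them.
        if (-not $path) { continue }

        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $start = $null
            try { $start = $proc.StartTime } catch { }
            [PSCustomObject]@{
                Id        = $proc.Id
                Name      = $proc.ProcessName
                ImagePath = $path
                StartTime = $start
            }
        }
    }
}

# Usage: list processes with a missing image, oldest first.
Get-ProcessWithMissingImage | Sort-Object StartTime | Format-Table -AutoSize
```

A hit is a hunting lead, not proof: a legitimate updater that replaces its own binary while still running produces the same picture, so correlate with the binary's origin and the process's parent before acting.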

Gary Nebbett is one of the top experts on the Windows platform; it takes that level of mastery to write code like this.

http://blog.csdn.net/jiangxinyu/article/details/5270232
