Delete yourself (C #)

A clever way to remove a program by itself
Keyword A clever removal of the program's Own method


As we all know, when a general program is running, the executable itself is protected by the operating system and cannot be accessed in a rewritten way, let alone when it is still running. See a Undocument method on Lu0 's home page to remove yourself by changing the file access mode at the bottom of the system, which is really kung fu. I looked very admire. But is there a function that can be found on MSDN? Yes! Jeffrey Richter gave us an example:
　
DeleteMe.CPP
　
Module Name:DeleteMe.cpp
Written By:jeffrey Richter
Description:allows an executable file to delete itself
**************************************************/
　
#include
#include
#include
　
/////////////////////////////////////////////////
　
int WINAPI WinMain (hinstance H, hinstance B, LPSTR psz, int n) {
　
Is this the Original exe or the clone EXE?
If the command-line 1 argument, this is the Original EXE
If the command-line >1 argument, this is the clone EXE
　
if (__ARGC = = 1) {
　
Original exe:spawn clone exe to delete this EXE
Copy this executable image into the user ' s temp directory
　
TCHAR Szpathorig[_max_path], Szpathclone[_max_path];
GetModuleFileName (NULL, Szpathorig, _max_path);
GetTempPath (_max_path, Szpathclone);
GetTempFileName (Szpathclone, __text ("Del"), 0, Szpathclone);
CopyFile (Szpathorig, Szpathclone, FALSE);
　
Note the * * *:
Open the clone EXE using File_flag_delete_on_close
HANDLE hfile = CreateFile (szpathclone, 0, File_share_read, NULL, Open_existi
NG, File_flag_delete_on_close, NULL);
　
Spawn The clone exe passing it our EXE ' s process handle
and the full path name to the Original EXE file.
TCHAR szcmdline[512];
HANDLE Hprocessorig = OpenProcess (SYNCHRONIZE, TRUE, GetCurrentProcessId ());

wsprintf (szCmdLine, __text ("%s%d \%s\"), Szpathclone, Hprocessorig, Szpat
Horig);
Startupinfo si;
ZeroMemory (&si, sizeof (SI));
SI.CB = sizeof (SI);
Process_information Pi;
CreateProcess (NULL, szcmdline, NULL, NULL, TRUE, 0, NULL, NULL, &SI, &PI);
CloseHandle (Hprocessorig);
CloseHandle (hfile);
　
This original process can now terminate.
} else {
　
Clone Exe:when Original EXE terminates, delete it
HANDLE Hprocessorig = (HANDLE) _ttoi (__targv[1));
WaitForSingleObject (Hprocessorig, INFINITE);
CloseHandle (Hprocessorig);
DeleteFile (__targv[2]);
Insert code here to remove the subdirectory too (if desired).
　
The system would delete the clone EXE automatically
Because it is opened with File_flag_delete_on_close
}
return (0);
}
　
Do you understand me?
　
This part of the program is simple: is not not the runtime can delete itself directly? Good, then the program first copy (clone) one itself, with a replica start another process, and then end their own operation, then the original EXE file is not protected by the system. At this time, the new process as a killer delete the original EXE file, and continue to complete the program other functions.

　
The replica is automatically deleted after the new process has finished running. This is another trick to be introduced, note:
Open the clone EXE using File_flag_delete_on_close
HANDLE hfile = CreateFile (szpathclone, 0, File_share_read, null,open_existin
G, File_flag_delete_on_close, NULL);
Here's the FILE_FLAG_DELETE_ON_CLOSE flag, which tells the operating system to delete this file when all the handles associated with the file are closed (including the one created by the CreateFile above). Almost all temporary files indicate this flag when they are created. Also note that you should wait for the original process to exit before the replica process has been applied to the original program. Here is the process synchronization technique. Handle Hprocessorig = OpenProcess (SYNCHRONIZE, TRUE, GetCurrentProcessId ()); Get the original process handle. The SYNCHRONICE flag is valid under NT, and the function is to make the handle that the openprocess get can be synchronized object. The replica process is synchronized with the WaitForSingleObject function, and then a deletefile, and other destruction evidence (Jeffrey said: such as the deletion of the catalogue) work, finish the job!
　
The program is based on the console, determining whether the process is original or replica by passing parameters, and obtaining the information (mainly the path) of the target file that needs to be manipulated, and the replica is placed in the system's Temp directory (GetTempPath). You can also find a place that you think is safe (for example, Windows\System32, etc.). There is no deep technology in this. Look at some other implementations to delete their own examples, such as the process before the exit, with Fwrite and other methods to output one. BAT file, write a few del in it, and then winexec the bat file. Most of the bugs that play Dos are. Learn another trick today, cool.