Kanxue (看雪) Software Security Forum, Security Programming board: [Share] Learning to force delete a running file
Yaolibing
First of all, I found this code on the Internet and added some of my own understanding, to help people who are on the same path as me.
http://hi.baidu.com/%C3%F7%ED%F8%B5%C4%D0%C4
Force deleting a file: to put it simply, you construct an IRP yourself, send it to NTFS.sys to set the file's attributes, and then delete the file. When deleting a file, the request first goes to the NTFS.sys dispatch routine, then NtfsSetDispositionInfo -> MmFlushImageSection. The MmFlushImageSection() function checks the SECTION_OBJECT_POINTERS structure of the file object to see whether its members are empty; that is, if the file is not running, it returns TRUE directly. So if you want to delete a running file, you can set the members of the SECTION_OBJECT_POINTERS structure to 0; MmFlushImageSection() then returns TRUE, meaning the image can be deleted. Another method is to hook the MmFlushImageSection() function in the NTFS.sys import table and, in the hook, check whether this is the file to be deleted; if so, return TRUE directly. The complete code follows:
#include <ntddk.h>

#define NT_DEVICE_NAME   L"\\Device\\SuperKill"
#define DOS_DEVICE_NAME  L"\\DosDevices\\SuperKill"

VOID
SkillUnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    )
{
    PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
    UNICODE_STRING uniSymLink;

    RtlInitUnicodeString(&uniSymLink, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&uniSymLink);
    IoDeleteDevice(DeviceObject);
}

HANDLE
SkillIoOpenFile(
    IN PCWSTR FileName,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG ShareAccess
    )
{
    NTSTATUS ntStatus;
    UNICODE_STRING uniFileName;
    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE ntFileHandle;
    IO_STATUS_BLOCK ioStatus;

    // IoCreateFile may only be called at PASSIVE_LEVEL
    if (KeGetCurrentIrql() > PASSIVE_LEVEL)
    {
        return NULL;
    }

    RtlInitUnicodeString(&uniFileName, FileName);
    InitializeObjectAttributes(&objectAttributes, &uniFileName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    ntStatus = IoCreateFile(&ntFileHandle,
        DesiredAccess,
        &objectAttributes,
        &ioStatus,
        0,                          // AllocationSize
        FILE_ATTRIBUTE_NORMAL,
        ShareAccess,
        FILE_OPEN,
        0,                          // CreateOptions
        NULL,                       // EaBuffer
        0,                          // EaLength
        0,                          // CreateFileType (CreateFileTypeNone)
        NULL,                       // InternalParameters
        IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(ntStatus))
    {
        return NULL;
    }
    return ntFileHandle;
}

NTSTATUS
SkillSetFileCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    // Copy the result back into the caller's IO_STATUS_BLOCK, wake the
    // waiting thread, and free the IRP we allocated ourselves.
    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;
    KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

BOOLEAN
SkillStripFileAttributes(
    IN HANDLE FileHandle
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PFILE_OBJECT fileObject;
    PDEVICE_OBJECT DeviceObject;
    PIRP Irp;
    KEVENT event1;
    FILE_BASIC_INFORMATION fileInformation;
    IO_STATUS_BLOCK ioStatus;
    PIO_STACK_LOCATION irpSp;

    ntStatus = ObReferenceObjectByHandle(FileHandle,
        DELETE,
        *IoFileObjectType,
        KernelMode,
        &fileObject,
        NULL);   // which process does this file handle belong to?
    if (!NT_SUCCESS(ntStatus))
    {
        return FALSE;
    }

    DeviceObject = IoGetRelatedDeviceObject(fileObject);
    Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);
    if (Irp == NULL)
    {
        ObDereferenceObject(fileObject);
        return FALSE;
    }

    KeInitializeEvent(&event1, SynchronizationEvent, FALSE);
    RtlZeroMemory(&fileInformation, sizeof(FILE_BASIC_INFORMATION));
    fileInformation.FileAttributes = FILE_ATTRIBUTE_NORMAL;

    Irp->AssociatedIrp.SystemBuffer = &fileInformation;
    Irp->UserEvent = &event1;
    Irp->UserIosb = &ioStatus;
    Irp->Tail.Overlay.OriginalFileObject = fileObject;
    Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    Irp->RequestorMode = KernelMode;

    irpSp = IoGetNextIrpStackLocation(Irp);
    irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
    irpSp->DeviceObject = DeviceObject;
    irpSp->FileObject = fileObject;
    irpSp->Parameters.SetFile.Length = sizeof(FILE_BASIC_INFORMATION);
    irpSp->Parameters.SetFile.FileInformationClass = FileBasicInformation;
    irpSp->Parameters.SetFile.FileObject = fileObject;

    IoSetCompletionRoutine(
        Irp,
        SkillSetFileCompletion,
        &event1,
        TRUE,
        TRUE,
        TRUE);

    // Calls the driver of this device object; the I/O stack location advances to the next one, i.e. the one we just filled in.
    // If nothing is attached above the file system driver's device object, this goes straight to the file system driver's
    // IRP_MJ_SET_INFORMATION dispatch routine, i.e. NtfsFsdSetInformation in NTFS.sys, which enters NtfsSetBasicInfo() and
    // finally writes the attributes of this file into its FCB (File Control Block). Somewhere inside, IoCompleteRequest is called,
    // which invokes the completion routine set above; that routine frees the IRP we allocated and sets the event to the signaled state.
    IoCallDriver(DeviceObject, Irp);
    // Continue once the event becomes signaled.
    KeWaitForSingleObject(&event1, Executive, KernelMode, TRUE, NULL);
    ObDereferenceObject(fileObject);
    return TRUE;
}

BOOLEAN
SkillDeleteFile(
    IN HANDLE FileHandle
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PFILE_OBJECT fileObject;
    PDEVICE_OBJECT DeviceObject;
    PIRP Irp;
    KEVENT event1;
    FILE_DISPOSITION_INFORMATION fileInformation;
    IO_STATUS_BLOCK ioStatus;
    PIO_STACK_LOCATION irpSp;
    PSECTION_OBJECT_POINTERS pSectionObjectPointer;

    SkillStripFileAttributes(FileHandle);   // strip the read-only attribute

    ntStatus = ObReferenceObjectByHandle(FileHandle,
        DELETE,
        *IoFileObjectType,
        KernelMode,
        &fileObject,
        NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        return FALSE;
    }

    // If nothing is attached to the device object created by NTFS.sys, this returns NTFS.sys's own device object;
    // otherwise it returns the topmost device object of the stack.
    DeviceObject = IoGetRelatedDeviceObject(fileObject);
    Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);   // with nothing attached, StackSize is 7
    if (Irp == NULL)
    {
        ObDereferenceObject(fileObject);
        return FALSE;
    }

    KeInitializeEvent(&event1, SynchronizationEvent, FALSE);
    fileInformation.DeleteFile = TRUE;

    Irp->AssociatedIrp.SystemBuffer = &fileInformation;
    Irp->UserEvent = &event1;
    Irp->UserIosb = &ioStatus;
    Irp->Tail.Overlay.OriginalFileObject = fileObject;
    Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    Irp->RequestorMode = KernelMode;

    irpSp = IoGetNextIrpStackLocation(Irp);   // the I/O stack location for the NTFS.sys file system device
    irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
    irpSp->DeviceObject = DeviceObject;
    irpSp->FileObject = fileObject;
    irpSp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
    irpSp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
    irpSp->Parameters.SetFile.FileObject = fileObject;

    IoSetCompletionRoutine(
        Irp,
        SkillSetFileCompletion,
        &event1,
        TRUE,
        TRUE,
        TRUE);

    // Add the following three lines. MmFlushImageSection uses this structure to decide whether the file can be deleted.
    pSectionObjectPointer = fileObject->SectionObjectPointer;
    pSectionObjectPointer->ImageSectionObject = 0;
    pSectionObjectPointer->DataSectionObject = 0;

    // Enters NtfsFsdSetInformation in NTFS.sys -> NtfsSetDispositionInfo() -> MmFlushImageSection().
    // MmFlushImageSection() checks the SECTION_OBJECT_POINTERS members of the FILE_OBJECT to see whether the file
    // is memory-mapped, i.e. whether it is executing. With the members zeroed as above, the file can be deleted. Alternatively,
    // hook MmFlushImageSection() in the NTFS.sys import table, check whether the object is the one to be deleted, and if so return TRUE.
    IoCallDriver(DeviceObject, Irp);
    KeWaitForSingleObject(&event1, Executive, KernelMode, TRUE, NULL);
    ObDereferenceObject(fileObject);
    return TRUE;
}

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNICODE_STRING uniDeviceName;
    UNICODE_STRING uniSymLink;
    NTSTATUS ntStatus;
    PDEVICE_OBJECT DeviceObject = NULL;
    HANDLE hFileHandle;

    RtlInitUnicodeString(&uniDeviceName, NT_DEVICE_NAME);
    RtlInitUnicodeString(&uniSymLink, DOS_DEVICE_NAME);

    ntStatus = IoCreateDevice(
        DriverObject,
        0x100u,
        &uniDeviceName,
        FILE_DEVICE_UNKNOWN,
        FILE_DEVICE_SECURE_OPEN,
        TRUE,
        &DeviceObject);
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&uniSymLink, &uniDeviceName);
    if (!NT_SUCCESS(ntStatus))
    {
        IoDeleteDevice(DeviceObject);
        return ntStatus;
    }

    DriverObject->DriverUnload = SkillUnloadDriver;

    //
    // Focus on this
    //
    hFileHandle = SkillIoOpenFile(L"\\Device\\HarddiskVolume1\\test.exe",
        FILE_READ_ATTRIBUTES,
        FILE_SHARE_DELETE);   // obtain the file handle
    if (hFileHandle != NULL)
    {
        SkillDeleteFile(hFileHandle);
        ZwClose(hFileHandle);
    }
    return STATUS_SUCCESS;
}
Achillis
Very classic code, worth bookmarking. I have seen it in several drivers ~~
Sand
Good... Added to favorites
Better
Great, learning......
Deryope
I am also reading this. The OP's version is more detailed.
The code actually works because of these three lines:
    // Add the following three lines. MmFlushImageSection uses this structure to decide whether the file can be deleted.
    pSectionObjectPointer = fileObject->SectionObjectPointer;
    pSectionObjectPointer->ImageSectionObject = 0;
    pSectionObjectPointer->DataSectionObject = 0;
Because the MmFlushImageSection code performs this check:
    ControlArea = (PCONTROL_AREA)(SectionPointer->DataSectionObject);
    if (ControlArea != NULL) {
        ...
        return FALSE;
    }
So zeroing them lets you delete files that are in use.
If this code is used to delete files, you can hook MmFlushImageSection to return FALSE directly, but handling the file is troublesome (maybe no files can be deleted this way).
Qihoocom
I copied this code three years ago ~
Mkuymkuy
See ~~ Scary
Wangzheye
Why does no one consider writing code to delete files at the hardware level? You could operate on the IDE interface directly to delete every system file, as long as it is on the disk.
Weolar
Why does no one consider writing code to delete files at the hardware level? You could operate on the IDE interface directly to delete every system file, as long as it is on the disk.
It is not that nobody has considered it; it is hard. Different IDE interfaces and file systems must be handled, and the NTFS file system is complex. Of course, we will support you when you release it.
Sudami
What else do you need? ntfs-3g is open source; just grab it and do it yourself...
Weolar
What else do you need? ntfs-3g is open source; just grab it and do it yourself...
I don't know much about this. I'll take a look ~~
Dnybz
First of all, I found this code on the Internet and added some of my own understanding, to help people who are on the same path as me.
http://hi.baidu.com/%C3%F7%ED%F8%B5%C4%D0%C4
Force deleting a file: to put it simply, you construct an IRP yourself, send it to NTFS.sys to set the file's attributes, and then delete the file....
Isn't yours a bit different from the original one?
Bewideway
Mark, mark.
Thanks for sharing.
Cvcvxk
Does opening a file still use IoCreateFile in this day and age? This is a new era; we need new methods to open files. In addition, we also need to guard against in-depth hooks of XX file methods and against sudami, so we should parse the files ourselves and then XX them ~
Lin langjun
Thank you for sharing your post.
Favorites
Possible
ntfs-3g is nice.
Keweijie
Thank you for sharing it.
Wisteria
Very good code.
Worthy of favorites.
Thank you.
Tensai
I have installed the 2008 DDK.
How do I compile and run it?
Taday
Thank you for sharing your knowledge.
Kangken
Learning, learning... Thanks for sharing.
Sding
Added to favorites!!!
Bewideway
I just wonder if there is any other approach to force-delete in-use files, such as system files?
Windebug
Either way, or top down.