Learning to force delete a running File

See snow software security forum> Software Security> Security programming Forum> [Share] Learning to force Delete running files
PDA

View the full version: [Share] Learn to force delete a running File
Yaolibing

First of all, I found the code from the Internet and added some understanding to help people who are enjoying the same course as me.
: P:
Http://hi.baidu.com/%C3%F7%ED%F8%B5%C4%D0%C4

Force delete a file. To put it simply, you construct an IRP by yourself, then send the IRP to NTFS. sys, set the attributes of the file, and then delete the file. When deleting a file, you will first go to the NTFS. sys dispatch routine and go to ntfssetdispositioninfo-"mmflushimagesection. The mmflushimagesection () function checks the section_object_pointer structure of the object in the file to check whether the object is empty. That is, if the object is not running, true is returned directly. Therefore, if you want to delete a running file, you can set the variable in the section_object_pointer structure to 0. In this case, mmflushimagesection () returns true, indicating that the image can be deleted. Another method is to hook the mmflushimagesection () function in the NTFS. sys import table. In the hook function, check whether the file is to be deleted. If yes, return true directly. The complete code is as follows:

# Include <ntddk. h>

# Define nt_device_name l "// device // superkill"
# Define dos_device_name l "// dosdevices // superkill"

Void
Skillunloaddriver (: P:
In pdriver_object driverobject
)
{
Pdevice_object deviceobject = driverobject-> deviceobject;
Unicode_string unisymlink;

Rtlinitunicodestring (& unisymlink, dos_device_name );

Iodeletesymboliclink (& unisymlink );

Iodeletedevice (deviceobject );
}

Handle
Skillioopenfile (
In pcwstr filename,
In access_mask desiredaccess,
In ulong internal access
)
{
Ntstatus;
Unicode_string unifilename;
Object_attributes objectattributes;
Handle ntfilehandle;
Io_status_block iostatus;

If (kegetcurrentirql ()> passive_level)
{
Return 0;
}

Rtlinitunicodestring (& uniilename, filename );

Initializeobjectattributes (& objectattributes, & unifilename,
Obj_kernel_handle | obj_case_insensitive, null, null );

Ntstatus = iocreatefile (& ntfilehandle,
Desiredaccess,
& Objectattributes,
& Iostatus,
0,
File_attribute_normal,
Administrative access,
File_open,
0,
Null,
0,
0,
Null,
Io_no_parameter_checking );

If (! Nt_success (ntstatus ))
{
Return 0;
}

Return ntfilehandle;
}

Ntstatus
Skillsetfilecompletion (
In pdevice_object deviceobject,
In pirp,
In pvoid Context
)
{
IRP-> useriosb-> Status = IRP-> iostatus. status;
IRP-> useriosb-> information = IRP-> iostatus. Information;

Kesetevent (IRP-> userevent, io_no_increment, false );

Iofreeirp (IRP );

Return status_more_processing_required;
}

Boolean
Skillstripfileattributes (
In handle filehandle
)
{
Ntstatus = STATUS_SUCCESS;
Pfile_object fileobject;
Pdevice_object deviceobject;
Pirp;
Kevent event1;
File_basic_information fileinformation;
Io_status_block iostatus;
Pio_stack_location irpsp;

Ntstatus = obreferenceobjectbyhandle (filehandle,
Delete,
* Iofileobjecttype,
Kernelmode,
& Fileobject,
Null); // I want to know which process the file handle is in.

If (! Nt_success (ntstatus ))
{
Return false;
}

Deviceobject = iogetrelateddeviceobject (fileobject );
IRP = ioallocateirp (deviceobject-> stacksize, true );

If (IRP = NULL)
{
Obdereferenceobject (fileobject );
Return false;
}

Keinitializeevent (& event1, synchronizationevent, false );

Memset (& fileinformation, 0, 0x28 );

Fileinformation. fileattributes = file_attribute_normal;
IRP-> associatedirp. systembuffer = & fileinformation;
IRP-> userevent = & event1;
IRP-> useriosb = & iostatus;
IRP-> tail. Overlay. originalfileobject = fileobject;
IRP-> tail. Overlay. Thread = (pethread) kegetcurrentthread ();
IRP-> requestormode = kernelmode;

Irpsp = iogetnextirpstacklocation (IRP );
Irpsp-> majorfunction = irp_mj_set_information;
Irpsp-> deviceobject = deviceobject;
Irpsp-> fileobject = fileobject;
Irpsp-> parameters. setfile. Length = sizeof (file_basic_information );
Irpsp-> parameters. setfile. fileinformationclass = filebasicinformation;
Irpsp-> parameters. setfile. fileobject = fileobject;

Iosetcompletionroutine (
IRP,
Skillsetfilecompletion,
& Event1,
True,
True,
True );

Iocalldriver (deviceobject, IRP); // calls the driver object of this device object, and io_stack_location will point to the next one, that is, the newly set
// If the device object created without the file system driver does not have attacked, call the irp_mj_set_information dispatch routine of the file system driver.

// Calls the ntfsfsdsetinformation routine driven by NTFS. sys, and then enters the ntfssetbasicinfo () function. Finally, it sets the FCB (File
// Some information about the block structure, which is used to set attributes representing this file. Finally, I don't know where iocompleterequest will be called. It will call the previously set callback function in sequence.
// The callback function releases the newly allocated IRP and sets the event object to the trusted state.
Kewaitforsingleobject (& event1, executive, kernelmode, true, null); // when the event object changes to the trusted state, it continues to run down.

Obdereferenceobject (fileobject );

Return true;
}

Boolean
Skilldeletefile (
In handle filehandle
)
{
Ntstatus = STATUS_SUCCESS;
Pfile_object fileobject;
Pdevice_object deviceobject;
Pirp;
Kevent event1;
File_disposition_information fileinformation;
Io_status_block iostatus;
Pio_stack_location irpsp;
Pseobjec_object_pointers pseobjectobjectpointer ;////////////////////

Skillstripfileattributes (filehandle); // Delete the read-only object

Ntstatus = obreferenceobjectbyhandle (filehandle,
Delete,
* Iofileobjecttype,
Kernelmode,
& Fileobject,
Null );

If (! Nt_success (ntstatus ))
{
Return false;
}

Deviceobject = iogetrelateddeviceobject (fileobject); // if no device object is attached to the device object created by the NTFS. SYS driver, the device object created by NTFS. sys is returned.
// Otherwise, the highest level device object of the device object is returned.
IRP = ioallocateirp (deviceobject-> stacksize, true); // if no value is attached, stacksize is 7

If (IRP = NULL)
{
Obdereferenceobject (fileobject );
Return false;
}

Keinitializeevent (& event1, synchronizationevent, false );

Fileinformation. deletefile = true;

IRP-> associatedirp. systembuffer = & fileinformation;
IRP-> userevent = & event1;
IRP-> useriosb = & iostatus;
IRP-> tail. Overlay. originalfileobject = fileobject;
IRP-> tail. Overlay. Thread = (pethread) kegetcurrentthread ();
IRP-> requestormode = kernelmode;

Irpsp = iogetnextirpstacklocation (IRP); // gets the io_stack_location Device Driven by the NTFS. SYS file system.
Irpsp-> majorfunction = irp_mj_set_information;
Irpsp-> deviceobject = deviceobject;
Irpsp-> fileobject = fileobject;
Irpsp-> parameters. setfile. Length = sizeof (file_disposition_information );
Irpsp-> parameters. setfile. fileinformationclass = filedispositioninformation;
Irpsp-> parameters. setfile. fileobject = fileobject;

Iosetcompletionroutine (
IRP,
Skillsetfilecompletion,
& Event1,
True,
True,
True );

// Add the following three lines of code. The mmflushimagesection function uses this structure to check whether files can be deleted.
Pseobjectobjectpointer = fileobject-> sectionobjectpointer;
Pseobjectobjectpointer-> imagesectionobject = 0;
Pseobjectobjectpointer-> datasectionobject = 0;

Iocalldriver (deviceobject, IRP); // enter the ntfsfsdsetinformation routine driven by NTFS. sys in sequence-> ntfssetdispositioninfo ()-> mmflushimagesection (),
// Mmflushimagesection () This function is used to check the variable of the section_object_pointer structure of the file_object object. Check this file.
// Whether the memory is mapped. That is, whether execution is performed. If it is set as above, the file can be deleted. You can also hook NTFS. sys to import
// Mmflushimagesection () to check whether the object is to be deleted. If yes, return true.
Kewaitforsingleobject (& event1, executive, kernelmode, true, null );

Obdereferenceobject (fileobject );

Return true;
}

Ntstatus DriverEntry (
In pdriver_object driverobject,
In punicode_string registrypath
)
{
Unicode_string unidevicename;
Unicode_string unisymlink;
Ntstatus;
Pdevice_object deviceobject = NULL;
Handle hfilehandle;

Rtlinitunicodestring (& unidevicename, nt_device_name );
Rtlinitunicodestring (& unisymlink, dos_device_name );

Ntstatus = iocreatedevice (
Driverobject,
0x100u,
& Unidevicename,
File_device_unknown,
File_device_secure_open,
True,
& Deviceobject );

If (! Nt_success (ntstatus ))
{
Return ntstatus;
}

Ntstatus = iocreatesymboliclink (& unisymlink, & unidevicename );

If (! Nt_success (ntstatus ))
{
Iodeletedevice (deviceobject );
Return ntstatus;
}

Driverobject-> driverunload = skillunloaddriver;

//
// Focus on this
//
Hfilehandle = skillioopenfile (L "// device // harddiskvolume1 // test.exe ",
File_read_attributes,
File_cmd_delete); // obtain the file handle.

If (hfilehandle! = NULL)
{
Skilldeletefile (hfilehandle );
Zwclose (hfilehandle );
}
Return STATUS_SUCCESS;
}
Achillis

Very classic code, worthy of favorites. I have seen it in several drivers ~~
Sand

Good... Added to favorites
Better

Great. learning ......
Deryope

I am also reading this. LZ is more detailed :):

The Code actually works with these three lines:
// Add the following three lines of code. The mmflushimagesection function uses this structure to check whether files can be deleted.
Pseobjectobjectpointer = fileobject-> sectionobjectpointer;
Pseobjectobjectpointer-> imagesectionobject = 0;
Pseobjectobjectpointer-> datasectionobject = 0;

Because the mmflushimagesection code performs this check:
Controlarea = (pcontrol_area) (sectionpointer-> datasectionobject );
If (controlarea! = NULL ){
...
Return false;
}
Therefore, clear 0 to delete the files in use.

If this code is used to delete files, you can hook mmflushimagesection to directly return false, but it is troublesome to handle the file (maybe no files can be deleted in this way ).
Qihoocom

I copied my code three years ago ~
Mkuymkuy

See ~~ Scary
Wangzheye

Why does no one consider writing code to delete files from the hardware? You can directly operate on the IDE to delete all system files. As long as there is one in the disk.
Weolar

Why does no one consider writing code to delete files from the hardware? You can directly operate on the IDE to delete all system files. As long as there is one in the disk.

It is not difficult for no one to consider. Different ide interfaces and file systems must be considered. The NTFS system is complex. Of course, we support you when you release it :):
Sudami

What else do you need? ntfs3g open-source. just go down and do it yourself...: 3:
Weolar

What else do you need? ntfs3g open-source. just go down and do it yourself...: 3:
: P: I know little about this. Let's take a look ~~
Dnybz

First of all, I found the code from the Internet and added some understanding to help people who are enjoying the same course as me.
: P:
Http://hi.baidu.com/%C3%F7%ED%F8%B5%C4%D0%C4

Force delete a file. To put it simply, you construct an IRP by yourself, then send the IRP to NTFS. sys, set the attributes of the file, and then delete the file ....

Are you a little different from the original one?
Bewideway

Mask mask
Thx for sharing
Cvcvxk

In the new era, is there an iocreatefile when opening a file? This is a new era. We need to use new methods to open files. In addition, we also need to prevent in-depth hooks of XX file methods and sudami. So we should resolve the files and then go to XX ~
Lin langjun

Thank you for sharing your post.

Favorites
Possible

Ntfs3g is nice.
Keweijie

Thank you for sharing it.
Wisteria

Very good code.
Worthy of favorites.
Thank you.
Tensai

I have installed 2008 DDK

How can I compile and run it?
Taday

Thank you for sharing your knowledge. For more information, see :):
Kangken

Learning and learning .. Thanks for sharing.
Sding

Add to favorites !!!
Bewideway

I just wonder if there is anyother approach to force delete those under using file so much as system files?
Windebug

Either way, or top down. :):