How delete files/folders even still in use by some program?

Forum for discussion about kernel-mode development.

Re: How delete files/folders even still in use by some progr

Postby fl4shc0d3r » Sat Jun 10, 2017 7:23 pm


IIRC, I successfully used the Force Delete feature of the GMER antirootkit in the past. And it was implemented as content overwriting (with zeroes).


And I also think that the Avenger ( http://swandog46.geekstogo.com/avenger2/avenger2.html ) anti-rootkit works by deleting persistent rootkits using this idea of
"content overwrite (with zeroes)" or something like this, because after execution the computer is also rebooted.

Now I don't have any notion of how to make this ( in C/C++ ).
And I also haven't found any reference on the web until now.
fl4shc0d3r
 
Posts: 20
Joined: Fri Jan 20, 2017 3:10 am
Reputation point: 0

Re: How delete files/folders even still in use by some progr

Postby Brock » Sun Jun 11, 2017 5:05 am

If rebooting, you can make your driver load at boot and call ZwDeleteFile() on any files you wish to delete, perhaps store the paths in the registry and look them up come deletion time. Alternatively, you could just take the easy approach and call MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) which will execute immediately after AutoChk and before any paging files are available to the system. IMHO it's much safer from a stability perspective to overwrite the file's content as opposed to forcefully deleting it by parsing raw NTFS structure data, but ultimately this is your choice.
Accept nothing less than STATUS_SUCCESS
Brock
 
Posts: 194
Joined: Wed Apr 28, 2010 3:13 am
Location: Navarre, Florida USA
Reputation point: 19

Re: How delete files/folders even still in use by some progr

Postby fl4shc0d3r » Sun Jun 11, 2017 1:36 pm

@Brock,

I think that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) or ZwDeleteFile() will not delete the rootkit file if the rootkit driver was also defined as
SERVICE_BOOT_START or SERVICE_SYSTEM_START.
fl4shc0d3r
 
Posts: 20
Joined: Fri Jan 20, 2017 3:10 am
Reputation point: 0

Re: How delete files/folders even still in use by some progr

Postby Vrtule » Sun Jun 11, 2017 3:38 pm

I think that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) or ZwDeleteFile() will not delete the rootkit file if the rootkit driver was also defined as
SERVICE_BOOT_START or SERVICE_SYSTEM_START.


Not true for ZwDeleteFile. If you call it before the rootkit is loaded, you can delete its file(s). AFAIK Avenger worked this way in the past (I am not sure how it works now, since it is a long time since I was playing with its driver in IDA).
Vrtule
 
Posts: 397
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic
Reputation point: 84

Re: How delete files/folders even still in use by some progr

Postby fl4shc0d3r » Sun Jun 11, 2017 4:32 pm

perhaps store the paths in the registry and look them up come deletion time.


Then, how do I make this so I can test it with ZwDeleteFile()?
fl4shc0d3r
 
Posts: 20
Joined: Fri Jan 20, 2017 3:10 am
Reputation point: 0

Re: How delete files/folders even still in use by some progr

Postby Brock » Sun Jun 11, 2017 6:36 pm

How to what, read registry data at boot? Use ZwQueryValueKey() on a registry area that is *accessible* to your boot driver such as HKLM\SYSTEM\CurrentControlSet\Services\XXX "ValueName: DeleteFiles" etc. and store the filenames that you want to delete in a single registry value with ending delimiters to separate the filenames. Read them into the boot driver and call ZwDeleteFile() on each filename respectively. You could even encrypt or encode the filenames if you're the paranoid type and decrypt or decode them from your boot driver prior to deletion. Nobody here is going to hand you ready-made solutions, this isn't Experts-Exchange or Rent-A-Coder :lol: However, we all can point you in the right direction and have been
Accept nothing less than STATUS_SUCCESS
Brock
 
Posts: 194
Joined: Wed Apr 28, 2010 3:13 am
Location: Navarre, Florida USA
Reputation point: 19
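Brock's scheme above keeps the list of paths in one registry value with delimiters and has the boot driver split it before calling ZwDeleteFile() on each entry. The following is an added example, not code from this thread or from Avenger/GMER: it shows both halves of that handshake in host-buildable C, the user-mode packer that writes a REG_MULTI_SZ-style payload (NUL-separated UTF-16 strings ended by an empty string) and the driver-side parser that splits what ZwQueryValueKey() would return. WCHAR is modelled as uint16_t so it compiles outside the WDK, the sample paths are constructed, and the parser is bounded by the reported data length rather than by the terminators, so a value that was edited or truncated on disk cannot make the boot driver read past its buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATHS 16

/* One parsed string: offset into the value and length, both in UTF-16
 * code units.  Offsets rather than pointers, so the caller owns the buffer. */
typedef struct {
    size_t offset;
    size_t len;
} path_entry;

/* Read code unit i from the raw value bytes without assuming alignment. */
static uint16_t unit_at(const uint8_t *data, size_t i)
{
    uint16_t u;
    memcpy(&u, data + 2 * i, sizeof u);
    return u;
}

/* User-mode side: pack ASCII NT paths into a REG_MULTI_SZ payload, each
 * string NUL-terminated and the list ended by an empty string.  Returns the
 * byte length to store as the value's data length, or 0 if buf is too small. */
size_t make_multi_sz(const char *const *strs, size_t n,
                     uint16_t *buf, size_t cap_units)
{
    size_t pos = 0;
    for (size_t k = 0; k < n; k++) {
        for (const char *s = strs[k]; *s; s++) {
            if (pos >= cap_units) return 0;
            buf[pos++] = (uint16_t)(unsigned char)*s;
        }
        if (pos >= cap_units) return 0;
        buf[pos++] = 0;                      /* end of this string */
    }
    if (pos >= cap_units) return 0;
    buf[pos++] = 0;                          /* terminating empty string */
    return pos * sizeof(uint16_t);
}

/* Driver side: split the payload handed back by the registry query.
 * data_len (the reported byte count) bounds every read; the end of the
 * data acts as an implicit terminator, so a value missing its final
 * double NUL still yields its strings instead of an over-read.  Returns the
 * entry count, or -1 for an odd byte length or more entries than max_out. */
int parse_multi_sz(const uint8_t *data, size_t data_len,
                   path_entry *out, size_t max_out)
{
    if (data_len % 2 != 0)
        return -1;
    size_t units = data_len / 2, start = 0;
    int count = 0;
    for (size_t i = 0; i <= units; i++) {
        if (i < units && unit_at(data, i) != 0)
            continue;                        /* still inside a string */
        size_t len = i - start;
        if (len > 0) {                       /* skip empty strings */
            if ((size_t)count >= max_out) return -1;
            out[count].offset = start;
            out[count].len = len;
            count++;
        }
        start = i + 1;
    }
    return count;
}

/* Compare a parsed entry against an ASCII path (for checks and logging). */
int entry_equals_ascii(const uint8_t *data, const path_entry *e, const char *s)
{
    if (strlen(s) != e->len) return 0;
    for (size_t i = 0; i < e->len; i++)
        if (unit_at(data, e->offset + i) != (uint16_t)(unsigned char)s[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: two NT-style paths of the form ZwDeleteFile()
     * takes; the \??\ prefix maps a drive letter into the object namespace. */
    const char *const names[] = { "\\??\\C:\\Temp\\a.sys",
                                  "\\??\\C:\\Temp\\quarantine" };
    uint16_t value[128];
    size_t nbytes = make_multi_sz(names, 2, value, 128);
    path_entry entries[MAX_PATHS];
    int n = parse_multi_sz((const uint8_t *)value, nbytes, entries, MAX_PATHS);
    printf("%d path(s) in %zu bytes\n", n, nbytes);
    for (int i = 0; i < n; i++) {
        printf("  ");
        for (size_t j = 0; j < entries[i].len; j++)
            putchar((int)unit_at((const uint8_t *)value, entries[i].offset + j));
        putchar('\n');
    }
    return 0;
}
```

In the real driver the bytes come from the Data field of the KEY_VALUE_PARTIAL_INFORMATION that ZwQueryValueKey() fills in and data_len from its DataLength; everything else in the parser stays the same, and the length-bounded loop is what keeps a tampered value from becoming a boot-time crash.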

Re: How delete files/folders even still in use by some progr

Postby fl4shc0d3r » Sun Jun 11, 2017 6:48 pm

Brock wrote: How to what, read registry data at boot? Use ZwQueryValueKey() on a registry area that is *accessible* to your boot driver such as HKLM\SYSTEM\CurrentControlSet\Services\XXX "ValueName: DeleteFiles" etc. and store the filenames that you want to delete in a single registry value with ending delimiters to separate the filenames. Read them into the boot driver and call ZwDeleteFile() on each filename respectively. You could even encrypt or encode the filenames if you're the paranoid type and decrypt or decode them from your boot driver prior to deletion.


@Brock,

Okay, I understood. Thank you very much for this explanation.
I will return with the result ( positive or negative ).
fl4shc0d3r
 
Posts: 20
Joined: Fri Jan 20, 2017 3:10 am
Reputation point: 0

Re: How delete files/folders even still in use by some progr

Postby fl4shc0d3r » Tue Jun 13, 2017 2:06 pm

@Brock,

ZwDeleteFile() will delete only files ( as you already know :) ), so if the rootkit has several files, it can be unfeasible ( and also not elegant ) to put all these complete file paths (including filename + extension) for each file in the registry entry. So, is there something that I can use to delete only the folder in this case? The code that I posted at the beginning of this topic does this, but I don't know if it can work at system boot. If not, is there a way to make something similar, and if so, how?

* Avenger has an option to delete only folder(s);

Thank you very much.
fl4shc0d3r
 
Posts: 20
Joined: Fri Jan 20, 2017 3:10 am
Reputation point: 0

Re: How delete files/folders even still in use by some progr

Postby Brock » Wed Jun 14, 2017 10:44 am

In regards to ZwDeleteFile() - it can delete a "folder" just fine but you have to enumerate any files/folders in directories you want deleted and call ZwDeleteFile on each one until you reach the return value of STATUS_NO_MORE_FILES given to you by an API such as ZwQueryDirectoryFile. ZwDeleteFile must be called recursively, do you understand what I mean? If you encounter any sub-folders within the target root folder you then have to enumerate/traverse these as well and repeat this process until all "inner" files/folders are removed before the root directory can be removed. Look back at the code you posted to open this thread, you'll see similar logic when it comes to traversing sub-dirs and enumerating files within a root directory. If your boot driver plans to remove entire folders then just write the folder location to the registry instead of each individual filename, which would be unnecessary and only useful if you wanted to delete some, not all, files.

I used the terms directory and folder somewhat interchangeably; the real difference is perception and level of operation in order to accurately discern between the two. Directory is system level (kernel mode) terminology whereas Folder is a visual/graphical representation at a higher level (user mode). I think if you look at it this way it may help you in understanding what you'll actually be needing to do in order to accomplish your task. In user mode, APIs such as SHFileOperation() make deleting non-empty folders in one swoop a simple task, however this isn't user mode in which you'll be operating. If you've never written recursive code that walks a tree-like structure then it's a good idea to try this in user mode first before you attempt this from within a boot driver, otherwise you may render your machine unbootable. Best regards
Accept nothing less than STATUS_SUCCESS
Brock
 
Posts: 194
Joined: Wed Apr 28, 2010 3:13 am
Location: Navarre, Florida USA
Reputation point: 19
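Brock recommends writing the recursive walk in user mode before putting it in a boot driver. The following is an added example, not code from this thread or from any tool named in it: a POSIX C version of the post-order walk he describes (every child removed before its parent, the enumeration loop ending when the directory reports no more entries, which is the role STATUS_NO_MORE_FILES from ZwQueryDirectoryFile plays in the kernel). It uses lstat/unlink/rmdir instead of the Windows APIs so it builds and runs on a host, and the sample tree it deletes is constructed in a temporary directory. The one edge case worth testing early is symbolic links: a link to a directory is unlinked as a link and never followed, so a planted link inside the target cannot redirect the deletion outside the tree.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove everything under `path`, then `path` itself.  Returns 0 on
 * success, -1 on the first failure (errno set).  Only real directories
 * (per lstat) are recursed into; symlinks are removed as links, never
 * followed, so the walk cannot be steered outside the target tree. */
int remove_tree(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return unlink(path);              /* file or symlink: one call */

    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *ent;
    int rc = 0;
    /* readdir() returning NULL is the user-mode "no more files" */
    while (rc == 0 && (ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;                     /* a kernel walk skips these too */
        char child[PATH_MAX];
        if (snprintf(child, sizeof child, "%s/%s", path, ent->d_name)
                >= (int)sizeof child) {
            errno = ENAMETOOLONG;
            rc = -1;
            break;
        }
        rc = remove_tree(child);          /* post-order: children first */
    }
    closedir(d);
    if (rc != 0) return -1;
    return rmdir(path);                   /* now empty, so this can succeed */
}

static int touch(const char *p)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    return close(fd);
}

/* Constructed sample tree for the demo (not a real layout):
 *   root/a.sys, root/sub/deeper/b.dat, root/link_out -> outside/
 * where outside/keep.txt must survive.  root and outside must each hold
 * PATH_MAX bytes; they receive the mkdtemp() paths. */
int build_sample_tree(char *root, char *outside)
{
    char r[] = "/tmp/rmtree_root_XXXXXX", o[] = "/tmp/rmtree_outside_XXXXXX";
    if (!mkdtemp(r) || !mkdtemp(o)) return -1;
    strcpy(root, r);
    strcpy(outside, o);
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/sub", root);              if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/sub/deeper", root);       if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/a.sys", root);            if (touch(p)) return -1;
    snprintf(p, sizeof p, "%s/sub/deeper/b.dat", root); if (touch(p)) return -1;
    snprintf(p, sizeof p, "%s/keep.txt", outside);      if (touch(p)) return -1;
    snprintf(p, sizeof p, "%s/link_out", root);
    return symlink(outside, p);           /* the trap the walk must not follow */
}

int path_exists(const char *p)
{
    struct stat st;
    return lstat(p, &st) == 0;
}

int main(void)
{
    char root[PATH_MAX], outside[PATH_MAX];
    if (build_sample_tree(root, outside) != 0) { perror("setup"); return 1; }
    int rc = remove_tree(root);
    printf("remove_tree(%s) -> %d; root gone: %s; outside kept: %s\n", root, rc,
           path_exists(root) ? "no" : "yes", path_exists(outside) ? "yes" : "no");
    remove_tree(outside);                 /* clean up the surviving directory */
    return rc != 0;
}
```

The kernel-mode version replaces lstat/opendir/readdir with ZwOpenFile and a ZwQueryDirectoryFile loop and unlink/rmdir with ZwDeleteFile, but the shape is identical: enumerate, recurse into real subdirectories, delete the entry, and only then delete the directory that contained them. A production user-mode tool would also close the small window between lstat and opendir by working on directory handles (openat/unlinkat with O_NOFOLLOW) rather than paths.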
