how to delete driver file and still Keep communication

Forum for discussion about kernel-mode development.
lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

how to delete driver file and still Keep communication

Post by lwbkm » Sat Apr 28, 2018 4:51 am

Hi,
Recently I have been writing rootkit software, but there is one function I cannot implement:
deleting the .sys file of a driver that has already been loaded while still keeping communication with it,
like this software does. I want to implement this function; who can help me? Thanks very much.
1.png

Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: how to delete driver file and still Keep communication

Post by Brock » Sat Apr 28, 2018 4:31 pm

Recently I am writing a rootkit software
This board doesn't support authoring of rootkits.
Accept nothing less than STATUS_SUCCESS

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: how to delete driver file and still Keep communication

Post by lwbkm » Sun Apr 29, 2018 12:06 am

Brock wrote:
Sat Apr 28, 2018 4:31 pm
This board doesn't support authoring of rootkits.
oh my god......

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: how to delete driver file and still Keep communication

Post by lwbkm » Sun Apr 29, 2018 12:20 am

Brock wrote:
Sat Apr 28, 2018 4:31 pm
Recently I am writing a rootkit software
This board doesn't support authoring of rootkits.
I said it wrong, I am writing ARK software, like this http://www.kernelmode.info/forum/viewto ... =11&t=1691

EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: how to delete driver file and still Keep communication

Post by EP_X0FF » Sun Apr 29, 2018 4:05 am

Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk.
If you want functionality similar to your screenshot, you need to send an IRP to the filesystem device driver. Search for KSBinSword for "code". However, the consequences of this are unknown for Windows 10.
Ring0 - the source of inspiration
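The first claim above (the image file of a loaded driver is held locked on disk) is something a practitioner can check before spending time on the IRP approach. The script below is an added example by the editor, not code from anyone in this thread or from any of the ARK tools mentioned. It assumes an elevated PowerShell session on Windows (read access to System32\drivers is all it needs) and uses only Win32_SystemDriver and .NET's System.IO.File. For every driver in the Running state it tries to open the image file with an exclusive share mode: a sharing violation means some other handle already holds the file open; a successful open only means no conflicting handle exists, it does not prove the file could be deleted, because an image section mapping can still block deletion.

```powershell
# Added check (editor's example, not from the thread): for every kernel driver
# that is currently started, open its image file with FileShare.None and report
# whether the open fails with ERROR_SHARING_VIOLATION (HRESULT 0x80070020).
# Assumes an elevated session; only read access to the .sys files is required.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

foreach ($d in $drivers) {
    # PathName is usually a Win32 path, but some entries use the NT forms
    # \SystemRoot\... or \??\C:\..., so normalise those before opening.
    $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }

    try {
        $fs = [System.IO.File]::Open($path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Dispose()
        $result = 'opened exclusively (no conflicting handle; mapping may still block delete)'
    } catch [System.IO.IOException] {
        $hr = $_.Exception.HResult
        if ($hr -eq -2147024864) {   # 0x80070020 = ERROR_SHARING_VIOLATION
            $result = 'SHARING VIOLATION (file is held open)'
        } else {
            $result = 'IO error 0x{0:X8}' -f $hr
        }
    } catch {
        # Typically UnauthorizedAccessException when not elevated.
        $result = 'error: {0}' -f $_.Exception.GetType().Name
    }
    '{0,-24} {1}' -f $d.Name, $result
}
```

Run it as-is and compare the output for a driver you just loaded against a driver that has been stopped; the point of the check is to see what the OS version you are on actually does, rather than rely on the thread's one-line statement, since the behaviour EP_X0FF describes is stated for Windows 10 only.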

Li Yong
Posts: 28
Joined: Sun Feb 18, 2018 9:49 pm

Re: how to delete driver file and still Keep communication

Post by Li Yong » Tue May 01, 2018 4:40 pm

EP_X0FF wrote:
Sun Apr 29, 2018 4:05 am
Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk.
If you want functionality similar to your screenshot, you need to send an IRP to the filesystem device driver. Search for KSBinSword for "code". However, the consequences of this are unknown for Windows 10.
Good suggestion EP_X0FF, I already asked a question here about this approach, but until now I still have not understood which commands I must send to ntifs.sys (and that it would be able to recognize). For example in KSBinSword, to kill a given process, the following request containing the PID is sent from the user-mode app (via DeviceIoControl):


case IOCTL_KSBINSWORD_KILLPROCESS:   // forcibly kill a process
{
    status = STATUS_SUCCESS;
    DbgPrint("IOCTL_KSBINSWORD_KILLPROCESS");
    //DbgBreakPoint();

    KillPro(*(int*)ioBuf);            // ioBuf carries the PID sent from user mode
    outBufLength = inBufLength;
    Irp->IoStatus.Information = inBufLength;
    break;
}
Obviously the .sys file of KSBinSword understands that this is a request to kill a given process because that was already coded into its .sys file.
Then my main doubt is what request name (taking IOCTL_KSBINSWORD_KILLPROCESS of KSBinSword as an example) I must send (including a folder name or file name) to ntifs.sys, since I do not know how it was coded?

If possible, could you provide a code snippet about how to do this?

Thanks.

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: how to delete driver file and still Keep communication

Post by lwbkm » Wed May 02, 2018 1:41 am

EP_X0FF wrote:
Sun Apr 29, 2018 4:05 am
Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk.
If you want functionality similar to your screenshot, you need to send an IRP to the filesystem device driver. Search for KSBinSword for "code". However, the consequences of this are unknown for Windows 10.
Thank you, let me try.

Li Yong
Posts: 28
Joined: Sun Feb 18, 2018 9:49 pm

Re: how to delete driver file and still Keep communication

Post by Li Yong » Wed May 02, 2018 12:18 pm

If successful, could you provide a code example please? I also need this force delete functionality.

waiting... ;)

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: how to delete driver file and still Keep communication

Post by lwbkm » Thu May 03, 2018 2:19 am

Li Yong wrote:
Wed May 02, 2018 12:18 pm
If successful, could you provide a code example please? I also need this force delete functionality.

waiting... ;)
I still do not understand; maybe closing the kernel handle lets it be deleted, you can try.

Li Yong
Posts: 28
Joined: Sun Feb 18, 2018 9:49 pm

Re: how to delete driver file and still Keep communication

Post by Li Yong » Thu May 03, 2018 3:35 am

lwbkm wrote:
Thu May 03, 2018 2:19 am
Li Yong wrote:
Wed May 02, 2018 12:18 pm
If successful, could you provide a code example please? I also need this force delete functionality.

waiting... ;)
I still do not understand; maybe closing the kernel handle lets it be deleted, you can try.
Only closing open handles will not solve it for files locked by an FSD (File System Driver) or minifilter, I already tested :D
I think that the suggestion EP_X0FF gave here can solve my last question and this question of yours.
At least for me, now the question is: could someone share a code snippet about how to send IRPs directly to ntifs.sys requesting removal of a file/folder, please?

Eg: I have never tested the ARK in the image above, but since you have it, you will probably see a Force Delete option in the File section.
Choose a folder that you know has an FSD protecting its files and try a normal deletion; obviously it will not work, but with the Force Delete option (probably present in WIN64AST) the file can be deleted successfully ;). So I am almost
sure that a great part of these Chinese ARKs use (or have used) something based on EP_X0FF's suggestion (or the same approach).

So by all this, I believe that we can solve our questions with this approach, but I have no idea what it should look like in source code :-(
