A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31492  by lwbkm
 Sat Apr 28, 2018 4:51 am
Hi,
Recently I have been writing rootkit software, but there is one function I cannot implement: deleting the .sys file of a driver that has already been loaded, while still keeping communication with it.
Like this software (screenshot below), I want to implement this function. Who can help me? Thanks very much.
[Attachment: 1.png (152.81 KiB), screenshot]
 #31507  by EP_X0FF
 Sun Apr 29, 2018 4:05 am
Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk.
If you want functionality similar to your screenshot, you need to send an IRP to the file system device driver. Search KSBinSword for "code". However, the consequences of this on Windows 10 are unknown.
 #31531  by Li Yong
 Tue May 01, 2018 4:40 pm
EP_X0FF wrote: Sun Apr 29, 2018 4:05 am Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk.
If you want functionality similar to your screenshot, you need to send an IRP to the file system device driver. Search KSBinSword for "code". However, the consequences of this on Windows 10 are unknown.
Good suggestion, EP_X0FF. I already asked a question here about this approach, but so far I still have not understood which commands I must send to ntifs.sys (and which ones it will be able to recognize). For example, in KSBinSword, to kill a given process, the following request containing the PID is sent from the user-mode app (via DeviceIoControl):
Code:
    case IOCTL_KSBINSWORD_KILLPROCESS:   // forcibly kill a process
    {
        status = STATUS_SUCCESS;
        DbgPrint("IOCTL_KSBINSWORD_KILLPROCESS");
        // DbgBreakPoint();

        // ioBuf holds the PID passed from user mode via DeviceIoControl.
        // Note: inBufLength is not checked against sizeof(int) before this read.
        KillPro(*(int*)ioBuf);
        outBufLength = inBufLength;
        Irp->IoStatus.Information = inBufLength;
        break;
    }
Obviously the .sys file of KSBinSword understands that this is a request to kill a given process, because that was previously coded into its .sys file.
So my main doubt is: what request name (taking IOCTL_KSBINSWORD_KILLPROCESS of KSBinSword as an example) must I send (including a folder name or file name) to ntifs.sys, since I do not know how it was coded?

If possible, could you provide a code snippet showing how to do this?

Thanks.
 #31533  by lwbkm
 Wed May 02, 2018 1:41 am
EP_X0FF wrote: Sun Apr 29, 2018 4:05 am Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk.
If you want functionality similar to your screenshot, you need to send an IRP to the file system device driver. Search KSBinSword for "code". However, the consequences of this on Windows 10 are unknown.
Thank you, let me try.
 #31541  by Li Yong
 Thu May 03, 2018 3:35 am
lwbkm wrote: Thu May 03, 2018 2:19 am
    Li Yong wrote: Wed May 02, 2018 12:18 pm
        If successful, could you provide a code example please? I also need this force-delete functionality.

        Waiting... ;)
    I still do not understand; maybe if the kernel handle is closed it can be deleted, you can try.
Only closing open handles will not solve files locked by an FSD (File System Driver) or minifilter; I already tested it :D
I think the suggestion EP_X0FF gave here can solve my last question and this question of yours.
At least for me, the question now is: could someone share a code snippet showing how to send IRPs directly to ntifs.sys requesting removal of a file/folder, please?

E.g. I never tested the ARK in the image above, but since you already have it, you will probably see a Force Delete option in the File section.
Choose a folder that you know has an FSD protecting its files and try a normal deletion; obviously it will not work, but with the Force Delete option (probably present in WIN64AST) the file can be deleted successfully ;). So I am almost sure that most of these Chinese ARKs use (or used) something based on EP_X0FF's suggestion (or the same approach).

So, by all of this, I believe we can solve our questions with this approach, but I have no idea how it must look in source code :-(
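As an added example from the defender's side (this is not code from the thread, from KSBinSword, or from any of the ARK tools mentioned): the behaviour discussed above leaves a kernel driver loaded while its image file no longer exists on disk, and that mismatch is something an administrator can look for directly. The script below enumerates running drivers through the Win32_SystemDriver CIM class and reports any whose PathName does not resolve to an existing file. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets available, and that PathName is either a plain Win32 path or a native path with a \SystemRoot, \??\ or System32\ prefix; the prefix normalisation in ConvertTo-Win32DriverPath is my own and covers only those cases.

```powershell
# Added example: flag running kernel drivers whose image file is missing on disk.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7+) with CIM cmdlets.

function ConvertTo-Win32DriverPath {
    param([string]$RawPath)
    # Service image paths can be stored in native form; map the common prefixes
    # to a Win32 path so Test-Path can check them. Assumption: these are the
    # only prefixes encountered; anything else is returned unchanged.
    $p = $RawPath.Trim('"')
    if ($p -match '^\\SystemRoot\\(.*)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^\\\?\?\\(.*)$')       { return $Matches[1] }
    if ($p -match '^System32\\')          { return (Join-Path $env:SystemRoot $p) }
    return $p
}

function Get-DriverWithMissingImage {
    # Running drivers whose backing .sys file cannot be found on disk.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $resolved = ConvertTo-Win32DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
                [pscustomobject]@{
                    Name         = $_.Name
                    DisplayName  = $_.DisplayName
                    PathName     = $_.PathName
                    ResolvedPath = $resolved
                    StartMode    = $_.StartMode
                }
            }
        }
}

# Usage: an empty result means every running driver's image file is present.
# Any hit is worth triage, since a loaded driver with no file on disk can no
# longer be hashed or submitted to a scanner from its recorded path.
Get-DriverWithMissingImage | Format-Table -AutoSize
```

Run it from an elevated prompt so that every driver's path is visible; on a clean system the table is empty, and a single row is enough to justify pulling a memory image rather than relying on the file system alone.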