Force deletion of a file

elDimas Member Posts: 8
edited September 23 in NTFSD

I am writing a driver to force files to be deleted, but I am denied access when I try to delete a file protected by another minifilter. How can I force the file to be deleted even if it is being monitored by a minifilter driver? I am creating this driver to implement in my antivirus.

here's my code:

#include <ntifs.h>

NTSTATUS DeleteFileByName(PUNICODE_STRING FileName)
{
    HANDLE FileOpen;
    IO_STATUS_BLOCK StatusBlock;
    PDEVICE_OBJECT Device = NULL;   // no device hint: the open goes through the whole stack
    PFILE_OBJECT Object;
    OBJECT_ATTRIBUTES Attributes;
    NTSTATUS result;

    // FileName is already a UNICODE_STRING, so no ANSI round trip is needed.
    // (The original RtlInitAnsiString/RtlAnsiStringToUnicodeString calls passed
    // a PUNICODE_STRING where a PCSZ was expected and leaked the converted string.
    // KeAttachProcess(IoGetCurrentProcess()) was a no-op and is dropped.)
    // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table.
    InitializeObjectAttributes(&Attributes, FileName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    result = IoCreateFileSpecifyDeviceObjectHint(
        &FileOpen,
        SYNCHRONIZE | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | FILE_READ_DATA,
        &Attributes,
        &StatusBlock,
        NULL,                                   // AllocationSize
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,                                   // EaBuffer
        0,                                      // EaLength
        CreateFileTypeNone,
        NULL,                                   // InternalParameters
        IO_IGNORE_SHARE_ACCESS_CHECK | IO_IGNORE_READONLY_ATTRIBUTE,
        Device);

    if (!NT_SUCCESS(result))
    {
        return result;
    }

    // Ask for a FILE_OBJECT specifically; the original passed 0 for the object type.
    result = ObReferenceObjectByHandle(
        FileOpen,
        0,
        *IoFileObjectType,
        KernelMode,
        (PVOID*)&Object,
        NULL);

    if (NT_SUCCESS(result))
    {
        // Posted approach, kept as written: drop the image section reference and
        // mark the file object as having delete access before deleting by name.
        // SectionObjectPointer is NULL for a file that has never been mapped.
        if (Object->SectionObjectPointer != NULL)
        {
            Object->SectionObjectPointer->ImageSectionObject = NULL;
        }
        Object->DeleteAccess = TRUE;

        ObDereferenceObject(Object);
    }

    ZwClose(FileOpen);

    if (NT_SUCCESS(result))
    {
        result = ZwDeleteFile(&Attributes);
    }

    return result;
}

I am not very experienced in kernel drivers for Windows;
I'm sorry for any mistakes, I'm also new to the forum.

(Google translator)

Post edited by Peter_Viscarola_(OSR) on

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,089

    You want this posted over in the NTFSD category, where the file system people live.

    I’ll move it for you.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Pavel_A Member Posts: 2,738

    Now imagine another guy asking this: "How can I protect a file that another kernel driver wants to delete? I need to protect my antivirus against malware/competing antivirus" :)

    -- pa

  • elDimas Member Posts: 8

    @Pavel_A said:
    Now imagine another guy asking this: "How can I protect a file that another kernel driver wants to delete? I need to protect my antivirus against malware/competing antivirus" :)

    -- pa

    I don't want to be ignorant, but is that really your answer?

  • 0xrepnz Member Posts: 41

    I guess you just need to accept the simple fact that you cannot really protect against / bypass software that runs at the same privilege level as you. If it's just for fun, I guess you can try to send an IRP_MJ_SET_INFORMATION (FileDispositionInformation) IRP directly to the file system driver. I have never done such a thing, so it may not even work, but anyway I think this is a VERY BAD solution for a production environment, because if a kernel driver assumes a file won't be deleted you'll cause system instability and potentially crash the system. ALSO it may break some filters on the stack that expect to get a notification for file deletion. Takeaway: if the malware is already in kernel mode there's nothing you can do besides sending a notification about it (OR practically crashing the system).

    - Ori Damari
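The protecting side that Pavel_A and 0xrepnz describe (a minifilter that notices a delete attempt and denies it or raises a notification) comes down to a small classification in the IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION pre-operation callbacks. The block below is an added example, not code from the thread or from any poster: it isolates that decision logic so it builds and runs without the WDK. The constants are the documented Windows values repeated locally; the IoRequest struct is a constructed stand-in for the FLT_CALLBACK_DATA fields a real callback would read (named in the comments), and the protected directory and sample paths are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Documented Windows values (ntifs.h/wdm.h), repeated so this builds without the WDK. */
#define IRP_MJ_CREATE                0x00
#define IRP_MJ_SET_INFORMATION       0x06
#define FILE_DELETE_ON_CLOSE         0x00001000
#define FileDispositionInformation   13
#define FileDispositionInformationEx 64
#define FILE_DISPOSITION_DELETE      0x00000001

/* Layouts of the two info buffers a delete disposition arrives in. */
typedef struct { unsigned char DeleteFile; } FILE_DISPOSITION_INFORMATION;    /* BOOLEAN */
typedef struct { unsigned long Flags; }      FILE_DISPOSITION_INFORMATION_EX; /* ULONG   */

typedef enum {
    DELETE_INTENT_NONE,         /* not a delete request */
    DELETE_INTENT_ON_CLOSE,     /* IRP_MJ_CREATE carrying FILE_DELETE_ON_CLOSE */
    DELETE_INTENT_DISPOSITION,  /* IRP_MJ_SET_INFORMATION setting the delete flag */
    DELETE_INTENT_UNDELETE      /* IRP_MJ_SET_INFORMATION clearing a pending delete */
} DeleteIntent;

/* Constructed stand-in for what a minifilter reads from FLT_CALLBACK_DATA:
 * Data->Iopb->MajorFunction, Data->Iopb->Parameters.Create.Options,
 * Data->Iopb->Parameters.SetFileInformation.{FileInformationClass,InfoBuffer},
 * plus the name FltGetFileNameInformation() would resolve. */
typedef struct {
    unsigned char  MajorFunction;
    unsigned long  CreateOptions;
    unsigned long  FileInformationClass;
    const void    *InfoBuffer;
    const wchar_t *FileName;
} IoRequest;

/* Decode the request: both delete paths (delete-on-close create, (Ex) disposition) are covered. */
DeleteIntent ClassifyDeleteIntent(const IoRequest *req)
{
    switch (req->MajorFunction) {
    case IRP_MJ_CREATE:
        return (req->CreateOptions & FILE_DELETE_ON_CLOSE) ? DELETE_INTENT_ON_CLOSE : DELETE_INTENT_NONE;
    case IRP_MJ_SET_INFORMATION:
        if (req->FileInformationClass == FileDispositionInformation) {
            const FILE_DISPOSITION_INFORMATION *fdi = req->InfoBuffer;
            return fdi->DeleteFile ? DELETE_INTENT_DISPOSITION : DELETE_INTENT_UNDELETE;
        }
        if (req->FileInformationClass == FileDispositionInformationEx) {
            const FILE_DISPOSITION_INFORMATION_EX *fdx = req->InfoBuffer;
            return (fdx->Flags & FILE_DISPOSITION_DELETE) ? DELETE_INTENT_DISPOSITION : DELETE_INTENT_UNDELETE;
        }
        return DELETE_INTENT_NONE;
    default:
        return DELETE_INTENT_NONE;
    }
}

/* NTFS names are case-insensitive, so the prefix match is too. */
static bool PathHasPrefix(const wchar_t *path, const wchar_t *prefix)
{
    for (; *prefix != L'\0'; ++path, ++prefix) {
        if (*path == L'\0' || towlower(*path) != towlower(*prefix))
            return false;
    }
    return true;
}

/* Policy: true when the filter should fail the request (STATUS_ACCESS_DENIED) because it
 * would delete a file under the protected directory. Clearing a pending delete and every
 * non-delete request pass through. */
bool ShouldDenyDelete(const IoRequest *req, const wchar_t *protectedPrefix)
{
    DeleteIntent intent = ClassifyDeleteIntent(req);
    if (intent != DELETE_INTENT_ON_CLOSE && intent != DELETE_INTENT_DISPOSITION)
        return false;
    return PathHasPrefix(req->FileName, protectedPrefix);
}

/* Constructed sample requests against a constructed protected directory;
 * returns how many the policy denies (3 of the 5 below). */
int CountDeniedSamples(void)
{
    static const wchar_t *guarded = L"\\Device\\HarddiskVolume1\\ProtectedAV\\";
    static const FILE_DISPOSITION_INFORMATION    del   = { 1 };
    static const FILE_DISPOSITION_INFORMATION    undel = { 0 };
    static const FILE_DISPOSITION_INFORMATION_EX delEx = { FILE_DISPOSITION_DELETE | 0x2 /* POSIX semantics */ };
    const IoRequest samples[] = {
        { IRP_MJ_SET_INFORMATION, 0, FileDispositionInformation,   &del,   L"\\Device\\HarddiskVolume1\\ProtectedAV\\engine.dll" },
        { IRP_MJ_SET_INFORMATION, 0, FileDispositionInformationEx, &delEx, L"\\Device\\HarddiskVolume1\\protectedav\\sigs.db" },
        { IRP_MJ_CREATE, FILE_DELETE_ON_CLOSE, 0, NULL,              L"\\Device\\HarddiskVolume1\\ProtectedAV\\quarantine\\a.bin" },
        { IRP_MJ_SET_INFORMATION, 0, FileDispositionInformation,   &undel, L"\\Device\\HarddiskVolume1\\ProtectedAV\\engine.dll" },
        { IRP_MJ_SET_INFORMATION, 0, FileDispositionInformation,   &del,   L"\\Device\\HarddiskVolume1\\Users\\me\\notes.txt" },
    };
    int denied = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        bool deny = ShouldDenyDelete(&samples[i], guarded);
        wprintf(L"%ls -> %ls\n", samples[i].FileName, deny ? L"DENY" : L"allow");
        denied += deny;
    }
    return denied;
}

int main(void)
{
    return CountDeniedSamples() == 3 ? 0 : 1;
}
```

In a real minifilter the same two functions would be called from the pre-operation callbacks registered for IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION, returning FLT_PREOP_COMPLETE with STATUS_ACCESS_DENIED on a deny and FLT_PREOP_SUCCESS_NO_CALLBACK otherwise; the undelete case matters because blindly failing every disposition call would also block a caller from cancelling a pending delete.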
  • elDimas Member Posts: 8

    @0xrepnz said:
    I guess you just need to accept the simple fact that you cannot really protect against / bypass software that runs at the same privilege level as you. If it's just for fun, I guess you can try to send an IRP_MJ_SET_INFORMATION (FileDispositionInformation) IRP directly to the file system driver. I have never done such a thing, so it may not even work, but anyway I think this is a VERY BAD solution for a production environment, because if a kernel driver assumes a file won't be deleted you'll cause system instability and potentially crash the system. ALSO it may break some filters on the stack that expect to get a notification for file deletion. Takeaway: if the malware is already in kernel mode there's nothing you can do besides sending a notification about it (OR practically crashing the system).

    Thank you very much for the reply, I am grateful.

    In what you said: "it is not possible to remove if the malware is in the kernel", in reality it is possible: PC Hunter removes any file regardless of what it is. I have already tested some rootkits that used the kernel to protect themselves, and PC Hunter was able to eliminate them, so much so that I can remove any antivirus with it. The question is: how do I "copy" what PC Hunter does? How can it simply delete any file, regardless of anything else?

  • Dejan_Maksimovic Member - All Emails Posts: 350
    via Email
    Fire up Process Monitor and track how it does that?

    It might even do disk level stuff.
  • 0xrepnz Member Posts: 41
    edited September 24

    "it is not possible to remove if the malware is in the kernel"

    I did not say "it's not possible" - it is certainly possible. It's just an endless cat-and-mouse game because you run at the same privilege level. Consider this: what prevents the malicious kernel driver from unloading your driver?

    PC Hunter removes any file regardless of what it is

    I'm not familiar with PC Hunter, but from a quick Google search it looks like an "anti-rootkit" tool that implements other questionable things like removing kernel callbacks and deleting queued timers. These are the things you'll have to do if you want to "try" and remove a malicious kernel driver; this is your highway to BSOD. This is exactly why I said that trying to remove malware that enters kernel mode is practically impossible without harming the system. Removing a file does not mean you remove the entire malware. For example: imagine the malware runs in kernel mode; the malware tries to find some file you removed and does not handle the error path correctly, leading to a blue screen.

    how can he simply delete any file, regardless of anything else?

    Well, this is because this product has a kernel driver. I already mentioned a way to try to do it (again, something I would do only for fun and education and not integrate into a real product).

    I would consider an entirely different approach.

    Fire up Process Monitor and track how it does that?

    Process Monitor is implemented using a minifilter. If PC Hunter tries to bypass minifilters, you won't see this activity in Process Monitor. Also there are legal issues with reverse engineering another product and copying its implementation; I would check the license before doing this. I would not copy this code to a real product anyway (because of stability issues it may cause), the implementation does not matter that much...

    - Ori Damari
  • elDimas Member Posts: 8

    @0xrepnz said:

    "it is not possible to remove if the malware is in the kernel"

    I did not say "it's not possible" - it is certainly possible. It's just an endless cat-and-mouse game because you run at the same privilege level. Consider this: what prevents the malicious kernel driver from unloading your driver?

    PC Hunter removes any file regardless of what it is

    I'm not familiar with PC Hunter, but from a quick Google search it looks like an "anti-rootkit" tool that implements other questionable things like removing kernel callbacks and deleting queued timers. These are the things you'll have to do if you want to "try" and remove a malicious kernel driver; this is your highway to BSOD. This is exactly why I said that trying to remove malware that enters kernel mode is practically impossible without harming the system. Removing a file does not mean you remove the entire malware. For example: imagine the malware runs in kernel mode; the malware tries to find some file you removed and does not handle the error path correctly, leading to a blue screen.

    how can he simply delete any file, regardless of anything else?

    Well, this is because this product has a kernel driver. I already mentioned a way to try to do it (again, something I would do only for fun and education and not integrate into a real product).

    I would consider an entirely different approach.

    Fire up Process Monitor and track how it does that?

    Process Monitor is implemented using a minifilter. If PC Hunter tries to bypass minifilters, you won't see this activity in Process Monitor. Also there are legal issues with reverse engineering another product and copying its implementation; I would check the license before doing this. I would not copy this code to a real product anyway (because of stability issues it may cause), the implementation does not matter that much...

    Thank you very much for answering me and dedicating some of your time to this!
