Force deletion of a file

I am writing a driver to force files to be deleted, but I am denied access when I try to delete a file protected by another minifilter. How can I force the file to be deleted even if it is being monitored by a minifilter driver? I am creating this driver to include in my antivirus.

Here's my code:

```c
/* Posted code, cleaned up: deletes a file by (ANSI) name from kernel mode.
 * The direct writes to FILE_OBJECT fields are the poster's "force delete"
 * technique; those fields are not meant to be written by drivers. */
VOID DeleteFileByName(PCSZ FileName)
{
	HANDLE FileOpen;
	IO_STATUS_BLOCK StatusBlock;
	DEVICE_OBJECT* Device = NULL;   /* no device hint: behaves like IoCreateFile */
	FILE_OBJECT* Object = NULL;
	ANSI_STRING AS;
	OBJECT_ATTRIBUTES Attributes;
	UNICODE_STRING FileToDelete;
	NTSTATUS result;

	/* The original called KeAttachProcess(IoGetCurrentProcess()), which is a
	 * no-op: the routine already runs in the current process context. */

	/* RtlInitAnsiString takes a PCSZ, so the parameter must be an ANSI
	 * string, not the PUNICODE_STRING of the original signature. */
	RtlInitAnsiString(&AS, FileName);
	result = RtlAnsiStringToUnicodeString(&FileToDelete, &AS, TRUE);
	if (!NT_SUCCESS(result))
		return;

	/* OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table. */
	InitializeObjectAttributes(&Attributes, &FileToDelete,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

	result = IoCreateFileSpecifyDeviceObjectHint(
		&FileOpen,
		SYNCHRONIZE | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | FILE_READ_DATA,
		&Attributes,
		&StatusBlock,
		NULL,                                   /* AllocationSize */
		FILE_ATTRIBUTE_NORMAL,
		FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
		FILE_OPEN,
		FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
		NULL,                                   /* EaBuffer */
		0,                                      /* EaLength */
		CreateFileTypeNone,
		NULL,                                   /* InternalParameters */
		IO_IGNORE_SHARE_ACCESS_CHECK | IO_IGNORE_READONLY_ATTRIBUTE,
		Device);

	if (NT_SUCCESS(result))
	{
		result = ObReferenceObjectByHandle(
			FileOpen,
			0,                  /* DesiredAccess */
			*IoFileObjectType,  /* verify the handle really refers to a file */
			KernelMode,
			(PVOID*)&Object,
			NULL);

		if (NT_SUCCESS(result))
		{
			/* Poster's technique: drop the image-section pointer and claim
			 * delete access on the file object before issuing the delete.
			 * SectionObjectPointer can be NULL, so check it first. */
			if (Object->SectionObjectPointer != NULL)
				Object->SectionObjectPointer->ImageSectionObject = NULL;
			Object->DeleteAccess = 1;

			ObDereferenceObject(Object);
		}

		ZwClose(FileOpen);

		if (NT_SUCCESS(result))
			result = ZwDeleteFile(&Attributes);
	}

	/* RtlAnsiStringToUnicodeString allocated the buffer (AllocateDestinationString = TRUE). */
	RtlFreeUnicodeString(&FileToDelete);
}
```

I am not very experienced with kernel drivers for Windows; I'm sorry for any mistakes. I'm also new to the forum.

(Google translator)

You want this posted over in the NTFSD category, where the file system people live.

I’ll move it for you.

Peter


Now imagine another guy asking this: "How can I protect a file that another kernel driver wants to delete? I need to protect my antivirus against malware/competing antivirus" :)

– pa

@Pavel_A said:
> Now imagine another guy asking this: "How can I protect a file that another kernel driver wants to delete? I need to protect my antivirus against malware/competing antivirus" :)
>
> – pa

I don’t want to be ignorant, but is that really your answer?

I guess you just need to accept the simple fact that you cannot really protect against / bypass software that runs at the same privilege level as you. If it's just for fun, I guess you can try to send an IRP_MJ_SET_INFORMATION(FileDispositionInformation) IRP directly to the file system driver. I have never done such a thing, so it may not even work, but anyway I think this is a VERY BAD solution for a production environment, because if a kernel driver assumes a file won't be deleted you'll cause system instability and potentially crash the system. ALSO, it may break some filters on the stack that expect to get a notification for file deletion. Takeaway: if the malware is already in kernel mode, there's nothing you can do besides sending a notification about it (OR practically crashing the system).

@0xrepnz said:
> I guess you just need to accept the simple fact that you cannot really protect against / bypass software that runs at the same privilege level as you. If it's just for fun, I guess you can try to send an IRP_MJ_SET_INFORMATION(FileDispositionInformation) IRP directly to the file system driver. I have never done such a thing, so it may not even work, but anyway I think this is a VERY BAD solution for a production environment, because if a kernel driver assumes a file won't be deleted you'll cause system instability and potentially crash the system. ALSO, it may break some filters on the stack that expect to get a notification for file deletion. Takeaway: if the malware is already in kernel mode, there's nothing you can do besides sending a notification about it (OR practically crashing the system).

Thank you very much for the reply, I am grateful.

Regarding what you said, "it is not possible to remove it if the malware is in the kernel": in reality it is possible. PC Hunter removes any file regardless of what it is. I have already tested some rootkits that used the kernel to protect themselves, and PC Hunter was able to eliminate them, so much so that I can remove any antivirus with it. The question is: how do I "copy" what PC Hunter does? How can it simply delete any file, regardless of anything else?

Fire up Process Monitor and track how it does that?

It might even do disk level stuff.

> "it is not possible to remove if the malware is in the kernel"

I did not say "it's not possible"; it is certainly possible. It's just an endless cat-and-mouse game because you run at the same privilege level. Consider this: what prevents the malicious kernel driver from unloading your driver?

> PC Hunter removes any file regardless of what it is

I'm not familiar with PC Hunter, but from a quick Google search it looks like an "anti-rootkit" tool that implements other questionable things like removing kernel callbacks and deleting queued timers. These are the things you'll have to do if you want to "try" to remove a malicious kernel driver. This is your highway to BSOD. This is exactly why I said that trying to remove malware that enters kernel mode is practically impossible without harming the system. Removing a file does not mean you remove the entire malware. For example: imagine the malware runs in kernel mode; the malware tries to find some file you removed and does not handle the error path correctly, leading to a blue screen.

> how can he simply delete any file, regardless of anything else?

Well, this is because this product has a kernel driver. I already mentioned a way to try to do it (again, something I would do only for fun and education, not integrate into a real product).

I would consider an entirely different approach.

> Fire up Process Monitor and track how it does that?

Process Monitor is implemented using a minifilter. If PC Hunter tries to bypass minifilters, you won't see this activity in Process Monitor. Also, there are legal issues with reverse engineering another product and copying its implementation; I would check the license before doing this. I would not copy this code to a real product anyway (because of the stability issues it may cause), so the implementation does not matter that much.

@0xrepnz said:
> > "it is not possible to remove if the malware is in the kernel"
>
> I did not say "it's not possible"; it is certainly possible. It's just an endless cat-and-mouse game because you run at the same privilege level. Consider this: what prevents the malicious kernel driver from unloading your driver?
>
> > PC Hunter removes any file regardless of what it is
>
> I'm not familiar with PC Hunter, but from a quick Google search it looks like an "anti-rootkit" tool that implements other questionable things like removing kernel callbacks and deleting queued timers. These are the things you'll have to do if you want to "try" to remove a malicious kernel driver. This is your highway to BSOD. This is exactly why I said that trying to remove malware that enters kernel mode is practically impossible without harming the system. Removing a file does not mean you remove the entire malware. For example: imagine the malware runs in kernel mode; the malware tries to find some file you removed and does not handle the error path correctly, leading to a blue screen.
>
> > how can he simply delete any file, regardless of anything else?
>
> Well, this is because this product has a kernel driver. I already mentioned a way to try to do it (again, something I would do only for fun and education, not integrate into a real product).
>
> I would consider an entirely different approach.
>
> > Fire up Process Monitor and track how it does that?
>
> Process Monitor is implemented using a minifilter. If PC Hunter tries to bypass minifilters, you won't see this activity in Process Monitor. Also, there are legal issues with reverse engineering another product and copying its implementation; I would check the license before doing this. I would not copy this code to a real product anyway (because of the stability issues it may cause), so the implementation does not matter that much.

Thank you very much for answering me and dedicating some of your time to this!