Deleting a .exe file which is running

Hi,

I was running a tool (rootkit detector). (Not sure if I can name it or not.)

In this tool, if I choose the "force delete" option to delete an exe file which is currently running, it successfully deletes it and does not terminate that exe. I.e. the exe is still running but the file on disk is marked as deleted. I read in some book that a running process is actually backed by its image on disk and not by the pagefile. So it means that the running process is still backed by the on-disk image and somehow it is marked as deleted silently.

I thought/searched, and the single method I reached is that it can probably be achieved by modifying the MFT directly.

Otherwise, how can one delete a file legally if it is in use? Tried with an opened doc file and it is able to delete that too.

Is the MFT the only way to do this, or do some other methods also exist (preferably from user mode)?

Thanks in advance for your help,
Aditya

Look up the DeleteFile function on MSDN. Not sure if this is what you’re
looking for exactly, but at least it allows you to mark a file to be
deleted. If you use that function on a running .exe, it will mark the file
for deletion, but the actual deleting will only happen once the running
process is terminated.

On Fri, Dec 5, 2008 at 2:04 PM, wrote:

> Hi,
>
> I was running a tool (rootkit detector).(not sure if I can name it or not)
>
> In this tool If I choose “force delete” option to delete a exe file which
> is currently running. It successfully deletes that and it is not terminating
> that exe. i.e. the exe is still running but the file on disk is marked as
> deleted. I read in some book that a running process is actually backs by its
> image on disk and not on pagefile. So it means that the running process is
> still backed by the on disk image and some how it is marked as deleted
> silently.
>
> I think/searched and the single method to which I reached is probably it
> can be achieved by modifying MFT directly.
>
> Otherwise how one can delete a file legally if it is in use. Tried with a
> opened doc file and it is able to delete that too.
>
> Is MFT the only way to do this or some other methods also exist(Preferably
> form user mode )?
>
> Thanks in advance for your help,
> Aditya
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

No, it will surely fail as the file is in use. DeleteFile is not even able to delete a read-only file.

It is possibly not as simple as DeleteFile, at least.

>>If you use that function on a running .exe, it will mark the file for deletion, but the actual deleting will only happen once the running process is terminated.

I do not think so, DeleteFile will fail in this case with some error code.

How about: rename the file, and schedule it for deletion next boot?

You could use Process Monitor (nee Filemon)…

I doubt messing directly with the MFT is particularly future proof.


Rune

On Fri, Dec 5, 2008 at 2:39 PM, wrote:
> No, it will surely fail as the file is in use. DeleteFile is not even able to delete a read-only file.
>
> It is possibly not as simple as DeleteFile at least.
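The two behaviours discussed in the post above, checked from user mode: what DeleteFile actually reports against a running image, and the "schedule it for deletion at next boot" route via MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, together with a read-back of the PendingFileRenameOperations value the OS uses to record such requests (a value worth auditing on any host, since it is also a well-known cleanup and persistence artefact). This is an added example, not code from the thread or from any tool named in it; the function names, the constructed demo target (a copy of notepad.exe) and the variable names are the example's own, and the delete-on-reboot call requires an elevated session.

```powershell
# Added example: DeleteFile vs. MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) against an in-use image.
# Function/variable names are this example's own; requires an elevated PowerShell session.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool DeleteFile(string lpFileName);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$ERROR_ACCESS_DENIED = 5
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Test-DeleteInUse {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the Win32 error DeleteFile reports; 0 means the delete went through.
    # For a mapped image the file system refuses the disposition change, reported as access denied.
    if ([Win32.Native]::DeleteFile($Path)) { return 0 }
    return [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
}

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    # A null destination with MOVEFILE_DELAY_UNTIL_REBOOT means "delete at next boot".
    # The request is recorded in PendingFileRenameOperations and carried out by the
    # Session Manager early in boot, before the image can be mapped by anyone.
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $code (elevation required)"
    }
}

function Get-PendingFileRenames {
    # Returns the queued operations as (Source, Destination) pairs; an empty destination is a delete.
    $raw = (Get-ItemProperty -Path $SessionManagerKey -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        [pscustomobject]@{ Source = $raw[$i]; Destination = $raw[$i + 1] }
    }
}

# Demo setup (constructed): a copy of notepad.exe stands in for the running image.
$target = Join-Path $env:TEMP 'inuse-demo.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $target -Force
$proc = Start-Process -FilePath $target -PassThru
Start-Sleep -Seconds 1
try {
    $err = Test-DeleteInUse -Path $target
    "DeleteFile on the running image -> Win32 error $err (expected $ERROR_ACCESS_DENIED, access denied)"

    Register-DeleteOnReboot -Path $target
    "Queued for deletion at next boot; matching PendingFileRenameOperations entries:"
    Get-PendingFileRenames | Where-Object Source -like '*inuse-demo.exe*' | Format-Table -AutoSize
}
finally {
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500
    Remove-Item $target -Force -ErrorAction SilentlyContinue
}
```

Once the demo process is stopped the file can be removed normally; the queued entry then refers to a path that no longer exists and is ignored at boot. The same Get-PendingFileRenames read-back is the check a responder would run to see what a tool or installer has staged for the next reboot.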

Yes, that is a possible solution but with possible flaws (will discuss it some other day).

But the specific tool is able to delete it; it's not renaming it for sure. I watched the MFT record while deleting and found that after a few moments the record's flag changed to deleted. So it is a delete and not a rename.

So there must exist a way; still looking for what it is.

Even explorer is not displaying the file. I checked the record of the directory which originally contained the deleted file, and it is updated: no reference to the deleted file is found in the INDEX_ROOT attribute.

Plenty of clues in a VB project Alex Ionescu posted many years ago.

Surprised I remember seeing this 5 years ago (and where).

http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=45195&lngWId=1

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, December 05, 2008 5:57 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Deleting a .exe file which is running

Even explorer is not displaying the file. I checked the record of directory
which originally contains the deleted file. And it is updated as no
reference of the deleted file found at INDEX_ROOT attribute.


Did you try running FileSpy (or any other monitoring utility)?

If they really are just ripping the file out, they must be doing something
pretty untoward in order to do this and keep the system happy. The FSDs
typically protect against this by making sure MmFlushImageSection succeeds
before letting the caller do anything that would delete the file from the
disk (see FastFat source as a reference).

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com
wrote in message news:xxxxx@ntdev…
> Yes, that is a possible solution but with possible flaws(will discuss it
> some other day).
>
> But the specific tool is able to delete it, its not renaming it for sure.
> I watched the MFT record while deleting and found that after few moments
> record’s flag changed to deleted. So it is a Delete and not a rename.
>
> So there must exist a way, still looking for what is it.
>

Hello,

this is only speculation, but said tool could work by marking all the
process’ pages dirty, thus causing them to be backed by the page file
instead, and then by forcefully decreasing the file object’s references in
order to allow regular deletion. Of course, this latter step would be
highly unsafe.

  • Cay

On Fri, 05 Dec 2008 14:56:51 +0100, wrote:
> Even explorer is not displaying the file. I checked the record of
> directory which originally contains the deleted file. And it is updated
> as no reference of the deleted file found at INDEX_ROOT attribute.

> Surprised I remember seeing this 5 years ago (and where).
What a link!

“You can also … call some (not all) VB functions…”
“It is also possible to use this method in order to Hook system API calls,
which is what I’ll be working on for next month.”

Sounds promising.

Thanks, Matt [what a memory!:-)]

----- Original Message -----
From: “Matt”
To: “Windows System Software Devs Interest List”
Sent: Friday, December 05, 2008 12:05 PM
Subject: RE: [ntdev] Deleting a .exe file which is running

> Plenty of clues in a VB project Alex Ionescu posted many years ago.
>
> Surprised I remember seeing this 5 years ago (and where).
>
> http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=45195&lngWId=1
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@gmail.com
> Sent: Friday, December 05, 2008 5:57 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Deleting a .exe file which is running
>
> Even explorer is not displaying the file. I checked the record of
> directory
> which originally contains the deleted file. And it is updated as no
> reference of the deleted file found at INDEX_ROOT attribute.
>

Regardless of any mistakes, quite a few of your earlier posts
shed light into the dark areas of UM memory manipulation, etc…

Perhaps you’re the “Green Lantern” of VB? :slight_smile:

Matt


Maybe I've missed something, but that link doesn't appear to offer any
clues regarding the original question.
This VB sample shows how to implement a self-deleting executable by
injecting code into foreign processes, but Aditya's actual question was
about deleting currently running executable files that the deleting process
itself is not associated with.

  • Cay

On Fri, 05 Dec 2008 18:05:49 +0100, Matt wrote:
> Plenty of clues in a VB project Alex Ionescu posted many years ago.
>
> Surprised I remember seeing this 5 years ago (and where).
>
> http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=45195&lngWId=1
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@gmail.com
> Sent: Friday, December 05, 2008 5:57 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Deleting a .exe file which is running
>
> Even explorer is not displaying the file. I checked the record of
> directory
> which originally contains the deleted file. And it is updated as no
> reference of the deleted file found at INDEX_ROOT attribute.
>

> Otherwise how one can delete a file legally if it is in use.

I just wonder if modifying every page of the target process may be of help here…

The thing is, all pages that are backed by an executable section are given copy-on-write protection, for understandable reasons - otherwise, any modification of a program would result in a change to the on-disk file.
Therefore, by trying to modify a page, you will dissociate it from the section - from then on the page in question will be backed by the pagefile. If you do it for every page, then you will dissociate the whole process from the executable section…

Although I do see quite a few potential issues with this approach, it could be good fun to try it just for the sake of experiment and see what happens…

Anton Bassov

Thanks a lot for all the answers. I checked and found that this tool is freeware and its name is mentioned on many websites, so I guess it should be ok to name it. It is IceSword.

@Anton Bassov,

Will give it a try and update. In this I have a query:
Do you think it has something to do with the reference count maintained by the OS? Even if I somehow mark all pages as dirty, the reference count for that file will still be greater than zero. Will the OS allow deleting a file with a non-zero reference count?

@Scott Noone
Yes I did, and found that only a query_security IRP was generated on the deleted file. I cannot check if it is reading MFT sectors directly, as those calls cannot be filtered by the FS filter driver used by FileSpy.

I will check regarding flush section and the FASTFAT reference.

@Cay Bremer
Is it possible to decrease a file_object reference count from user mode?

@Matt
The link is giving some error.

Just want to add one more thing: I tried it and the results force me to believe that it is playing with the MFT. :slight_smile:

There is a possibility that the file is filtered and user mode cannot view it through the standard API. Like I wrote a filter driver to hide all files placed in a particular folder and deny any create on files inside the folder.

I run an app from the folder.
Load my driver to deny any further creation/display of files.
Then I check with the tool, and it displays them correctly, bypassing my minifilter driver, and is able to successfully delete them (though CreateFile and DeleteFile will surely not work in this case, as my filter will stop that).

I think this should change the direction of the discussion properly.

Thanks
Aditya

> Even if I somehow mark all pages as dirty, the reference count for that file will still be greater than zero.

Please note that you can close a handle to the file after creating the executable section. Therefore, the handle refcount may be zero - if the total refcount is non-zero, it means that it is incremented by MM. My theory is that if MM realizes that it does not need a file any more in order to back the executable section, it may, probably, release its refcount on the file…

> Will the OS allow deleting a file with a non-zero reference count?

DEFINITELY not - this is what the very concept of refcount is all about, in the first place…

Anton Bassov

Here is one way to do this from User Mode.

Create a batch file that will try to delete the running exe.
If not successful, it can wait and try again.
If successful, the batch file can delete itself (this is possible for batch
files).

-Santosh

I already knew it.

But this will not work if somebody raises a system shutdown and the target process has registered to receive the shutdown event last (SetProcessShutdownParameters). In this case cmd.exe (the batch file) will get closed first, before the target process, and no deletion will happen.

It could happen even if a process has not called SetProcessShutdownParameters. And it will also not work for a service in case of system shutdown.

I think move is a better option than this. But none of these will work in the scenario which I mentioned in message 16.

Thanks
Aditya

“Maybe I’ve missed something,”

Not much other than imagination.

"This VB sample shows how to implement a self-deleting executable by
injecting code into foreign processes, "

Think about Anton's remarks. You're lucky I don't tell you
that you have things ass-backwards!
(multi-meaning paragraph)

“Aditya’s actual question was
about deleting currently running executable files the own process is not
associated with.”

I appreciate the clarification, me no habla Norte Americano…

Matt

  • Cay

On Fri, 05 Dec 2008 18:05:49 +0100, Matt wrote:
> Plenty of clues in a VB project Alex Ionescu posted many years ago.
>
> Surprised I remember seeing this 5 years ago (and where).
>
>
> http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=45195&lngWId=1
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@gmail.com
> Sent: Friday, December 05, 2008 5:57 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Deleting a .exe file which is running
>
> Even explorer is not displaying the file. I checked the record of
> directory
> which originally contains the deleted file. And it is updated as no
> reference of the deleted file found at INDEX_ROOT attribute.
>