Okay, at the risk of hijacking this thread, I’ll try to elaborate:
Firstly, the sample injects code into a foreign process (explorer.exe) and
creates a remote thread for it.
Then, the sample terminates itself in order to make conventional deletion
possible.
Finally, the remote thread simply attempts to delete the sample’s own
executable file (disregarding a race condition).
As you can see, the file is deleted after its process has ceased to exist,
therefore it is unrelated to the actual question.
My introductory clause “Maybe I’ve missed something” was merely a phrase
of civility.
On Sun, 07 Dec 2008 15:14:48 +0100, Matt wrote:
>
> “Maybe I’ve missed something,”
>
> Not much other than imagination.
>
> "This VB sample shows how to implement a self-deleting executable by
> injecting code into foreign processes, "
>
> Think about Anton’s remarks. You’re lucky I don’t tell you
> that you have things ass-backwards!
> (multi-meaning paragraph)
>
> “Aditya’s actual question was
> about deleting currently running executable files the own process is not
> associated with.”
>
> I appreciate the clarification, me no habla Norte Americano…
>
> Matt
>
>
> - Cay
>
>
> On Fri, 05 Dec 2008 18:05:49 +0100, Matt wrote:
>> Plenty of clues in a VB project Alex Ionescu posted many years ago.
>>
>> Surprised I remember seeing this 5 years ago (and where).
>>
>>
>> http://www.planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=45195&lngWId=1
>>
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of
>> xxxxx@gmail.com
>> Sent: Friday, December 05, 2008 5:57 AM
>> To: Windows System Software Devs Interest List
>> Subject: RE:[ntdev] Deleting a .exe file which is running
>>
>> Even Explorer is not displaying the file. I checked the record of the
>> directory which originally contained the deleted file, and it is updated:
>> no reference to the deleted file is found in its INDEX_ROOT attribute.
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
Look Copernicus,
I specifically stated the link was intended for CLUES; NOT HOW TO DO WHAT
THE OP ASKED ABOUT… DUH! So get off it!!!
I would kindly request that you perform a ‘Cranial Extraction’ and re-read
the thread.
It’s amazing by how far you’ve missed the point.
Matt
Well, if this is what was in the VB sample (I am not able to get a look yet, as the link is giving me an error), this can easily be achieved from the Windows API too.
I can just create a remote thread with LoadLibrary as the thread proc and load my DLL, which calls ExitProcess when it gets the attach notification. It will cause a process exit (using ExitProcess) and I can delete the file afterwards.
But as Cay has already pointed out a couple of times, this is not what I am looking for.
Regarding what Anton suggested, I will surely be trying that, but this tool is not doing that.
Anton suggested that after doing the “mark pages as dirty” stuff, one can call DeleteFile and it will be a successful call conceptually. But a call to DeleteFile will result in one or more IRPs, which is not the case at all. (I already checked it with FileSpy.)
The file got deleted and no IRPs directed to the file system were generated; as no such IRPs were generated, there is no filter driver to deny the call. So when this tool says force delete, it is indeed a force delete.
And this is where the idea of directly dealing with the MFT strikes my mind. I am not sure if some other way exists.
Thanks
Aditya
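Added example (not code from this thread or from any tool discussed in it): a read-only Python parser for the attribute Aditya says he inspected, the $I30 $INDEX_ROOT of a directory's MFT FILE record, which lists the file names still indexed in that directory. The on-disk layout follows the Linux-NTFS/ntfs-3g documentation. The sample record is constructed in code rather than captured from a volume, and the names and MFT numbers in it are hypothetical. Two details a practitioner needs when doing this on a real volume are included: the update-sequence fixups must be undone before the record is parsed (a mismatch means a torn or corrupt record), and a directory whose index no longer fits in the record sets the large-index flag and continues in $INDEX_ALLOCATION, which this parser reports but does not read.

```python
"""Read-only parser for the $I30 $INDEX_ROOT of an NTFS directory FILE record.
Layout per Linux-NTFS/ntfs-3g docs; the sample record is constructed, not from disk."""
import struct

SECTOR = 512
ATTR_FILE_NAME, ATTR_INDEX_ROOT, ATTR_END = 0x30, 0x90, 0xFFFFFFFF
MFT_IN_USE, MFT_IS_DIRECTORY = 0x01, 0x02
INDEX_ENTRY_END, INDEX_HEADER_LARGE = 0x02, 0x01
MFT_REF_MASK = 0xFFFFFFFFFFFF        # low 48 bits: record number; high 16: sequence


def undo_fixups(record: bytes) -> bytes:
    """NTFS overwrites the last 2 bytes of each 512-byte sector of a record with the
    update sequence number (USN) and keeps the originals in the update sequence array.
    A raw record must have this undone; a USN mismatch means a torn/corrupt record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):                    # usa_count includes the USN word
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_resident_attributes(record: bytes):
    """Yield (type, value) for each resident attribute up to the 0xFFFFFFFF end marker."""
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while True:
        atype, length, nonresident = struct.unpack_from("<IIB", record, off)
        if atype == ATTR_END:
            return
        if length < 0x18 or off + length > len(record):
            raise ValueError("corrupt attribute length")
        if not nonresident:
            vlen, voff = struct.unpack_from("<IH", record, off + 0x10)
            yield atype, record[off + voff:off + voff + vlen]
        off += length


def list_index_root(record: bytes):
    """Return ([(name, mft_no, namespace)], large_index). Namespace 2 is the DOS 8.3
    alias that sits beside the Win32 (1) or Win32&DOS (3) name. large_index means
    further entries live in $INDEX_ALLOCATION, which this function does not read."""
    record = undo_fixups(record)
    if not struct.unpack_from("<H", record, 0x16)[0] & MFT_IS_DIRECTORY:
        raise ValueError("not a directory record")
    for atype, value in iter_resident_attributes(record):
        if atype != ATTR_INDEX_ROOT or struct.unpack_from("<I", value, 0)[0] != ATTR_FILE_NAME:
            continue                                 # only the $I30 (file-name) index
        hdr = 0x10                                   # INDEX_HEADER follows the INDEX_ROOT header
        first, used, _alloc, hflags = struct.unpack_from("<IIIB", value, hdr)
        names, off = [], hdr + first
        while off < hdr + used:
            ref, elen, slen, eflags = struct.unpack_from("<QHHH", value, off)
            if eflags & INDEX_ENTRY_END:
                break                                # the end entry carries no $FILE_NAME
            if elen < 0x10 + slen:
                raise ValueError("corrupt index entry")
            fn = value[off + 0x10:off + 0x10 + slen]  # the $FILE_NAME attribute value
            nlen, ns = struct.unpack_from("<BB", fn, 0x40)
            names.append((fn[0x42:0x42 + 2 * nlen].decode("utf-16-le"), ref & MFT_REF_MASK, ns))
            off += elen
        return names, bool(hflags & INDEX_HEADER_LARGE)
    raise ValueError("no resident $I30 index root")


# ---- constructed sample record (hypothetical names and MFT numbers) ----------------
def _mft_ref(mft_no, seq=1):
    return (seq << 48) | mft_no


def _index_entry(name, mft_no, parent_ref, namespace=1):
    fn = (struct.pack("<Q", parent_ref) + bytes(0x30)    # timestamps and sizes zeroed
          + struct.pack("<IIBB", 0x20, 0, len(name), namespace) + name.encode("utf-16-le"))
    elen = (0x10 + len(fn) + 7) & ~7
    return struct.pack("<QHHHH", _mft_ref(mft_no), elen, len(fn), 0, 0) + fn.ljust(elen - 0x10, b"\0")


def build_sample_directory_record(mft_no, children):
    """1024-byte directory record whose whole $I30 index fits in $INDEX_ROOT.
    `children` = [(name, mft_no)] already in NTFS (case-insensitive) collation order."""
    entries = b"".join(_index_entry(n, c, _mft_ref(mft_no)) for n, c in children)
    entries += struct.pack("<QHHHH", 0, 0x10, 0, INDEX_ENTRY_END, 0)
    ihdr = struct.pack("<IIIB3x", 0x10, 0x10 + len(entries), 0x10 + len(entries), 0)
    root = struct.pack("<IIIB3x", ATTR_FILE_NAME, 1, 4096, 1) + ihdr + entries  # collation 1 = file name
    alen = (0x18 + len(root) + 7) & ~7
    attrs = (struct.pack("<IIBBHHHIHBB", ATTR_INDEX_ROOT, alen, 0, 0, 0x18, 0, 0, len(root), 0x18, 0, 0)
             + root.ljust(alen - 0x18, b"\0") + struct.pack("<II", ATTR_END, 0))
    usa_off, usa_count, attrs_off = 0x30, 3, 0x38
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, attrs_off,
                                MFT_IN_USE | MFT_IS_DIRECTORY, attrs_off + len(attrs), 1024, 0, 1, 0, mft_no))
    rec += bytes(attrs_off - len(rec)) + attrs
    rec += bytes(1024 - len(rec))
    struct.pack_into("<H", rec, usa_off, 7)           # apply fixups the way the driver does
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, 7)
    return bytes(rec)
```

Usage: `list_index_root(build_sample_directory_record(40, [("readme.txt", 41), ("tool.exe", 42)]))` returns the two names with their MFT numbers and `False` for the large-index flag. On a real volume the record bytes come from the $MFT (record number times the record size, normally 1024) read via a raw volume handle; a file that has genuinely been deleted no longer appears in this list, while a file hidden by a filter driver that filters directory enumeration still does.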
> Anton suggested that after doing “mark pages as dirty” stuff, one can call DeleteFile and
> it will be a successful call conceptually.
Well, the only thing I suggested is an experiment - I don’t know if it is going to work this way. It is impossible to say anything without knowing MM’s internal details. It MAY work, although, as I said already, I can see quite a few issues here…
> But a call to DeleteFile will result in one or more IRPs which is not the case at all
Files under Windows are deleted upon close. Either you open a file with the DELETE_ON_CLOSE flag set,
or set delete information on an open file.
> And this is where the idea of directly dealing with MFT strikes in my mind.
I would not advise it. If you do something wrong (and you have a good chance to do things wrong, because, AFAIK, all NTFS details have never been officially published by MSFT), you are going to screw up the system PERMANENTLY - the resulting damage can be so significant that even a clean reinstall without formatting the drive would not help you to get your data back…
However, if you are just desperate to do it, please tell us the name of your product so that any Windows user who reads this thread gives it a second thought before running it on his/her system…
Anton Bassov
My point is, no technique employed by this sample (code injection, etc.)
is useful for the problem at hand.
So, I concluded that the link you have “contributed” does not offer any
relevant clues at all.
Ironically, you mentioned Anton’s suggestion of modifying PTEs, and told
me to reread this thread while apparently ignoring that I gave the exact
same suggestion earlier.
I am surprised by your desire for escalation and lack of manners as
demonstrated by your excessive use of personal attacks.
On Sun, 07 Dec 2008 16:35:06 +0100, Matt wrote:
> Look Copernicus,
>
> I specifically stated the link was intended for CLUES; NOT HOW TO DO WHAT
> THE OP ASKED ABOUT… DUH! So get off it!!!
>
> I would kindly request that you perform a ‘Cranial Extraction’ and
> re-read
> the thread.
>
> It’s amazing by how far you’ve missed the point.
>
> Matt
>> Well, the only thing I suggested is an experiment - I don’t know if it is going to work this way.
Point taken, I thought you meant conceptually it should work.
> Files under Windows are deleted upon close. Either you open a file with DELETE_ON_CLOSE flag set, or set delete information to an open file
I know this, but as I said, I checked the MFT record and the file was deleted, and no IRPs were generated on the file. So it is not using DeleteFile for sure.
> please tell us the name of your product so that any Windows user who reads this thread gives it a second thought before running it on his/her system…
No need to worry :-), I will not write such code, and even my organization will not allow me to do this.
I am working on a detection product (well, this organizational policy binds me, else I would be fine with sharing the name; probably you already knew it)
and will not do anything which would make it a system-cracker utility.
Thanks for your continuous support,
Aditya
> I checked the MFT record and the file was deleted and no IRPs were generated on the file.
> So it is not using DeleteFile for sure.
Are you saying that IRP_MJ_SET_INFORMATION was not sent to a file??? As long as file gets actually deleted, the only situation when it may happen is when the target file had been originally opened with DELETE_ON_CLOSE flag set…
Anton Bassov
> Are you saying that IRP_MJ_SET_INFORMATION was not sent to a file???
Yes, no SET_INFORMATION and no create IRP.
> As long as file gets actually deleted, the only situation when it may happen is when the target file had been originally opened with DELETE_ON_CLOSE flag set…
I ran the exe from Explorer and checked with FileSpy that there was no open request with the FILE_DELETE_ON_CLOSE flag. After this I loaded my driver, which denies every create call on the respective file. Then I ran the tool, and as per the FileSpy logs this tool had not generated any create IRP on the file.
Thanks,
Aditya
Hi guys,
After the above discussion IceSword caught my attention a little bit, since it appears to do some nice tricks (except for the live-exe deletion thing). For one, Process Explorer cannot display its process security information, and then of course WinDbg *failed* to attach to it (not start it, but attach after it has been started).
I know that they are supposed to be building a rootkit eliminator or something but myself being a driver dev used to roaming the kernel with WinDbg I just could not stand my beloved WinDbg failing to debug some process.
So, although I by no means am a reverse engineering expert, I decided to take a shot at it. Sure enough I could detour their exe and I noticed some interesting calls like the ones shown below:
GetProcAddress(77e40000,LoadLibraryExW)
GetProcAddress(,) -> 77e41b0c
VirtualProtectEx(ffffffff,77e41b0c,64,40,12fd04)
VirtualProtectEx(,) -> 1
VirtualProtectEx(ffffffff,77e41b0c,64,20,12fd08)
VirtualProtectEx(,) -> 1
40 is PAGE_EXECUTE_READWRITE and 20 is PAGE_EXECUTE_READ.
So it seems that they are patching LoadLibraryExW (in their own process space of course) and some other less important functions in the way.
So since I had already detoured them I modified the VirtualProtectEx detour function with some silly code to save the original memory contents when 40 was appearing and restore them when 20 was appearing and bingo. IceSword then complained a bit about some initialization failing and a driver failing to load and then worked perfectly (btw I had another copy already open so that their driver would be in place). ProcExp could see all its properties, so I did a right click on one of my test EXEs that was running, selected force delete, the msgbox “Are you sure” appeared and then I attached WinDbg, with success this time.
Then I started to play around a bit, but soon got pretty bored (reversing is not my game) and had little time and had to write this post too, so I’ll let someone else take over.
What I would do if I had more time is to make sure all the GetProcAddress funcs they load are detoured, so that I can put breakpoints in my detouring DLL and thus break in the middle of their calls so as to examine what they are doing.
My guess is that they install some file system filter that does not return the exe name when the directory contents are listed. The file is still there for those that are using it (see procexp), but no new handles to it can be opened.
Dimitris Staikos
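Added example, not from Dimitris's post and not IceSword's code: a small Python analyzer for the kind of detour trace shown above. It pairs each call line with its return line, learns which addresses GetProcAddress resolved, and flags every region of the traced process that is first made writable and then reprotected to an execute-only protection, which is exactly the window Dimitris exploited (save the bytes at 0x40, restore them at 0x20). The trace format (a `Func(args)` line followed by a `Func(,) -> ret` line, all numbers in hex, as the page's own decoding of 40 and 20 implies) is assumed from the six lines he quoted; those lines are embedded as the sample input together with a constructed benign pair that must not be flagged. The heuristic is mine, and `0xffffffff` is read as the 32-bit GetCurrentProcess() pseudo-handle.

```python
"""Flag in-process API patching in an API-call trace of the kind posted above."""
import re
from collections import defaultdict

# Win32 memory-protection constants (the low byte of the VirtualProtectEx argument;
# modifiers such as PAGE_GUARD live in the higher bits and are masked off).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
CURRENT_PROCESS = 0xFFFFFFFF            # GetCurrentProcess() pseudo-handle, 32-bit Windows

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")                      # Func(arg,arg,...)
RET_RE = re.compile(r"^(\w+)\(,\)\s*->\s*([0-9a-fA-F]+)$")    # Func(,) -> retval


def _hex(s):
    return int(s, 16)                   # assumption: the tracer prints every number in hex


def analyze_trace(lines):
    """Pair call/return lines, learn export addresses from GetProcAddress, and report
    every region that goes writable -> execute-only: the write-then-reprotect sequence
    of an inline patch. Failed VirtualProtectEx calls (return 0) are ignored."""
    symbols = {}                                    # address -> export name
    history = defaultdict(list)                     # (hProcess, address) -> [(protect, ok)]
    pending = None
    for raw in lines:
        line = raw.strip()
        m = RET_RE.match(line)
        if m and pending and pending[0] == m.group(1):
            func, args = pending
            ret = _hex(m.group(2))
            if func == "GetProcAddress" and ret:
                symbols[ret] = args[1]
            elif func == "VirtualProtectEx" and len(args) >= 4:
                hproc, addr, _size, prot = map(_hex, args[:4])
                history[(hproc, addr)].append((prot & 0xFF, ret != 0))
            pending = None
            continue
        m = CALL_RE.match(line)
        if m:
            pending = (m.group(1), [a.strip() for a in m.group(2).split(",")])
    findings = []
    for (hproc, addr), hist in history.items():
        prots = [p for p, ok in hist if ok]
        for prev, cur in zip(prots, prots[1:]):
            if prev in WRITABLE and cur in EXECUTABLE and cur not in WRITABLE:
                findings.append({
                    "process": "self" if hproc == CURRENT_PROCESS else f"0x{hproc:x}",
                    "address": addr,
                    "symbol": symbols.get(addr, "<unresolved>"),
                    "transition": (PAGE_PROTECT.get(prev, hex(prev)), PAGE_PROTECT.get(cur, hex(cur))),
                })
    return findings


# The six lines from the post above, followed by a constructed benign pair: a data
# buffer toggled read-write -> read-only, which is not a code patch and must not fire.
SAMPLE_TRACE = """
GetProcAddress(77e40000,LoadLibraryExW)
GetProcAddress(,) -> 77e41b0c
VirtualProtectEx(ffffffff,77e41b0c,64,40,12fd04)
VirtualProtectEx(,) -> 1
VirtualProtectEx(ffffffff,77e41b0c,64,20,12fd08)
VirtualProtectEx(,) -> 1
VirtualProtectEx(ffffffff,00150000,1000,4,12fd0c)
VirtualProtectEx(,) -> 1
VirtualProtectEx(ffffffff,00150000,1000,2,12fd10)
VirtualProtectEx(,) -> 1
""".strip().splitlines()

if __name__ == "__main__":
    for f in analyze_trace(SAMPLE_TRACE):
        print(f"{f['process']} patched {f['symbol']} at 0x{f['address']:x}: "
              f"{f['transition'][0]} -> {f['transition'][1]}")
```

On the sample it reports one finding: the traced process reprotecting its own copy of LoadLibraryExW from PAGE_EXECUTE_READWRITE back to PAGE_EXECUTE_READ. The same writable-then-executable transition on a handle other than the pseudo-handle would indicate a patch written into a foreign process, which is why the handle is kept in the key rather than the address alone.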
Hi Dimitris Staikos,
Thanks for taking the trouble. It will help me investigate this in future.
Regards,
Aditya