Hi,
how all know, exists sevral anti rootkit softwares that is able to delete all files and folders of any rootkit even while this rootkit is running, the same also is possible to folders or files protected.
Today i have this code below that is able of delete all files and subfolders of a determinated folder that can be defined on source code, happens that this code not is able to delete even while this rootkit is running or folders or files protected.
Someone have some idea about make this? or already have made some project that was required this feature?
#include <ntifs.h>
typedef unsigned int UINT;
#define ALLOCSIZE PAGE_SIZE
#define REAL_DELETE
#ifdef REAL_DELETE
#define USE_DELETE_ON_CLOSE FILE_DELETE_ON_CLOSE
#else
#define USE_DELETE_ON_CLOSE FILE_DIRECTORY_FILE
#endif
#define echo(x) x
#define label(x) echo(x) LINE
#define RTL_CONSTANT_STRINGW(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ),(PWSTR)(s) }
#define STATIC_UNICODE_STRING(name, str) static const WCHAR label()[] = L##str; static const UNICODE_STRING name = RTL_CONSTANT_STRINGW(label())
#define STATIC_OBJECT_ATTRIBUTES(oa, name) STATIC_UNICODE_STRING(label(m), name); static OBJECT_ATTRIBUTES oa = { sizeof oa, 0, (PUNICODE_STRING)&label(m), OBJ_CASE_INSENSITIVE }
// int nLevel, PSTR prefix for debug only
void ntTraverse(POBJECT_ATTRIBUTES poa, ULONG FileAttributes, int nLevel, PSTR prefix)
{
if (IoGetRemainingStackSize() < PAGE_SIZE)
{
DbgPrint(“no stack!\n”);
return;
}
if (nLevel > MAXUCHAR)
{
DbgPrint(“nLevel > MAXUCHAR\n”);
return;
}
NTSTATUS status;
IO_STATUS_BLOCK iosb;
UNICODE_STRING ObjectName;
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName };
DbgPrint(“%s[<%wZ>]\n”, prefix, poa->ObjectName);
#ifdef REAL_DELETE
if (FileAttributes & FILE_ATTRIBUTE_READONLY)
{
if (0 <= NtOpenFile(&oa.RootDirectory, FILE_WRITE_ATTRIBUTES, poa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_OPEN_FOR_BACKUP_INTENT | FILE_OPEN_REPARSE_POINT))
{
static FILE_BASIC_INFORMATION fbi = { {},{},{},{}, FILE_ATTRIBUTE_NORMAL };
NtSetInformationFile(oa.RootDirectory, &iosb, &fbi, sizeof(fbi), FileBasicInformation);
NtClose(oa.RootDirectory);
}
}
#endif//REAL_DELETE
if (0 <= (status = NtOpenFile(&oa.RootDirectory, FILE_GENERIC_READ, poa, &iosb, FILE_SHARE_VALID_FLAGS,
FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_REPARSE_POINT | FILE_OPEN_FOR_BACKUP_INTENT | USE_DELETE_ON_CLOSE)))
{
if (FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
if (PVOID buffer = ExAllocatePool(PagedPool, ALLOCSIZE))
{
union {
PVOID pv;
PUCHAR pb;
PFILE_DIRECTORY_INFORMATION DirInfo;
};
while (0 <= (status = NtQueryDirectoryFile(oa.RootDirectory, NULL, NULL, NULL, &iosb,
pv = buffer, ALLOCSIZE, FileDirectoryInformation, 0, NULL, FALSE)))
{
ULONG NextEntryOffset = 0;
do
{
pb += NextEntryOffset;
ObjectName.Buffer = DirInfo->FileName;
switch (ObjectName.Length = (USHORT)DirInfo->FileNameLength)
{
case 2 * sizeof(WCHAR) :
if (ObjectName.Buffer[1] != ‘.’) break;
case sizeof(WCHAR) :
if (ObjectName.Buffer[0] == ‘.’) continue;
}
ObjectName.MaximumLength = ObjectName.Length;
#ifndef REAL_DELETE
if (DirInfo->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
#endif
{
ntTraverse(&oa, DirInfo->FileAttributes, nLevel + 1, prefix - 1);
}
#ifndef REAL_DELETE
else
#endif
{
DbgPrint(“%s%8I64u <%wZ>\n”, prefix, DirInfo->EndOfFile.QuadPart, &ObjectName);
}
} while (NextEntryOffset = DirInfo->NextEntryOffset);
if (ALLOCSIZE - iosb.Information > FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName[256]))
{
break;//NO_MORE_FILES
}
}
ExFreePool(buffer);
if (status == STATUS_NO_MORE_FILES)
{
status = STATUS_SUCCESS;
}
}
}
NtClose(oa.RootDirectory);
}
if (0 > status)
{
DbgPrint(“---- %x %wZ\n”, status, poa->ObjectName);
}
}
void ntTraverse()
{
//POBJECT_ATTRIBUTES oa;
char prefix[MAXUCHAR + 1];
memset(prefix, ‘\t’, MAXUCHAR);
prefix[MAXUCHAR] = 0;
STATIC_OBJECT_ATTRIBUTES(oa, “\??\C:\Rootkit-Folder”);
//STATIC_OBJECT_ATTRIBUTES(oa, “\systemroot”);
ntTraverse(&oa, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_READONLY, 0, prefix + MAXUCHAR);
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
DbgPrint(“DriverUnload()!”);
return;
}
extern “C” NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
NTSTATUS NtStatus = STATUS_SUCCESS;
pDriverObject->DriverUnload = DriverUnload;
//DbgPrint(“DriverEntry()!”);
ntTraverse();
return NtStatus;
}
------------------------------------------------------------------------------------------------------</ntifs.h>