
delete-self-poc's Introduction

๐Ÿ—‘๏ธ delete-self-poc

The delete-self-poc is a demonstration of a method to delete a locked executable or currently running file from disk. This concept was initially discovered by Jonas Lykkegaard, and I have created the proof of concept (POC) for it. Additionally, it can be used to delete locked files on disk, provided that the current calling process has the necessary permissions to access and delete them.

How does this work in this POC?

  1. Open a HANDLE to the current running process with DELETE access. Note that only DELETE access is required.
  2. Use the SetFileInformationByHandle function to rename the primary file stream, :$DATA, to :wtfbbq.
  3. Close the HANDLE.
  4. Open a HANDLE to the current process and set the DeleteFile flag of the FileDispositionInfo class to TRUE.
  5. Close the HANDLE to trigger the file disposition.
  6. Voila! The file is now gone.

Releases

I have included a statically linked release within this repository, if you can't be bothered compiling the original source code.

delete-self-poc's People

Contributors

lloydlabs

delete-self-poc's Issues

Two issues in the code

LPWSTR lpwStream = (LPWSTR)DS_STREAM_RENAME;
fRename.FileNameLength = sizeof(lpwStream);

sizeof(lpwStream) is always 8 bytes on 64-bit OS

FILE_RENAME_INFO fRename;
RtlCopyMemory(fRename.FileName, lpwStream, sizeof(lpwStream));

The FILE_RENAME_INFO.FileName buffer needs to be allocated by yourself
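As an added example (not the project's code), here is the sizing bug from this issue next to the corrected allocation for the rename step in the README procedure. The struct is a constructed stand-in that mirrors the FILE_RENAME_INFO layout so the example compiles outside Windows; DS_STREAM_RENAME is the :wtfbbq value from the README, and the helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the Windows FILE_RENAME_INFO layout so this compiles
 * anywhere: a fixed header followed by FileName[], whose storage beyond the
 * one placeholder element the caller must allocate. */
typedef uint_least16_t WCHAR;
typedef struct {
    uint8_t  ReplaceIfExists;
    void    *RootDirectory;
    uint32_t FileNameLength;   /* bytes in FileName, not counting the terminator */
    WCHAR    FileName[1];      /* placeholder: real storage follows the struct */
} RENAME_INFO;

/* New stream name from the POC: the :$DATA stream is renamed to :wtfbbq. */
static const WCHAR *const DS_STREAM_RENAME = u":wtfbbq";

static size_t wide_len(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* The pattern reported in the issue: sizeof a pointer, not the name's length
 * (8 bytes on x64, 4 on x86), so FileNameLength never matches the string. */
static uint32_t buggy_length(const WCHAR *name) {
    const WCHAR *lpwStream = name;
    return (uint32_t)sizeof(lpwStream);
}

/* Corrected pattern: measure the wide string, allocate header + name bytes in
 * one block (sizeof(RENAME_INFO) already covers the terminator slot), copy. */
static RENAME_INFO *make_rename_info(const WCHAR *name) {
    size_t name_bytes = wide_len(name) * sizeof(WCHAR);
    RENAME_INFO *ri = calloc(1, sizeof(RENAME_INFO) + name_bytes);
    if (ri == NULL) return NULL;
    ri->ReplaceIfExists = 0;
    ri->RootDirectory = NULL;
    ri->FileNameLength = (uint32_t)name_bytes;
    memcpy(ri->FileName, name, name_bytes); /* terminator is zero from calloc */
    return ri;
}

int main(void) {
    RENAME_INFO *ri = make_rename_info(DS_STREAM_RENAME);
    if (ri == NULL) return 1;
    printf("buggy FileNameLength: %u bytes\n", buggy_length(DS_STREAM_RENAME));
    printf("correct FileNameLength: %u bytes\n", ri->FileNameLength);
    free(ri);
    return 0;
}
```

On Windows the same calculation applies to the real FILE_RENAME_INFO before it is handed to SetFileInformationByHandle with FileRenameInfo.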

x86 implementation fails when not running as Administrator

Very strange issue here. I am implementing this as part of a larger tool and in doing testing for compatibility with x86, I have found that it fails when run as a normal user, however succeeds when run as an Administrator. The x64 version of course works in both medium and high integrity. This testing was done on a Windows 7 VM, however I also tested the x86 version on a Windows 11 VM where I encountered the same issue.

Attached is a screenshot showing the issue. Top cmd prompt is normal user, bottom is admin.


I added a GetLastError() call which returned error 123, or:

"ERROR_INVALID_NAME
123 (0x7B)
The filename, directory name, or volume label syntax is incorrect."

per MSDN. This occurs at line 26 where SetFileInformationByHandle is called.

Does anyone have any ideas here? I'd believe that there is some incompatibility issue with x86, but the fact that it succeeds as an Admin but fails as a normal user, whereas it works fine for both on x64, is throwing me for a loop.

Not working as expected

I've compiled it with VS 2019 and tested this POC on all recent Windows versions:

PC

  1. Windows 7 SP1 - File was emptied, not deleted, and program crashed
  2. Windows 8.1 - File was emptied, not deleted.
  3. Windows 10 LTSC - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.

Server

  1. Windows 2008 R2 - File was emptied, not deleted, and program crashed
  2. Windows 2012 R2 - File was emptied, not deleted, and program crashed
  3. Windows 2016 - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.
  4. Windows 2019 - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.
