A way to delete a locked file, or current running executable, on disk.

Overview

🗑️ delete-self-poc

A way to delete a locked file, or the currently running executable, on disk. This was originally found by Jonas Lykkegaard; I just wrote the POC for it. It can also be used to delete any locked file on disk for which the calling process can obtain DELETE access.

So how does this work in this POC?

  1. Open a HANDLE to the running process's own executable file on disk with GENERIC_READ | SYNCHRONIZE | DELETE access. Note that only DELETE is actually required.
  2. Rename the primary data stream, :$DATA, to an alternate stream name (:wtfbbq here) using SetFileInformationByHandle with the FileRenameInfo class.
  3. Close the HANDLE.
  4. Open a fresh HANDLE to the same file and set DeleteFile to TRUE in a FILE_DISPOSITION_INFO passed with the FileDispositionInfo class.
  5. Close the HANDLE to trigger the delete disposition.
  6. Voilà, the file is gone.

Releases

I have included a statically linked release within this repository, if you can't be bothered to compile the source code yourself.


Comments
  • Not working as expected ..

    I've compiled it with VS 2019 and tested this POC on all recent Windows versions:

    PC

    1. Windows 7 SP1 - File was emptied, not deleted, and program crashed
    2. Windows 8.1 - File was emptied, not deleted.
    3. Windows 10 LTSC - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.

    Server

    1. Windows 2008 R2 - File was emptied, not deleted, and program crashed
    2. Windows 2012 R2 - File was emptied, not deleted, and program crashed
    3. Windows 2016 - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.
    4. Windows 2019 - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.
    opened by CaledoniaProject 6
  • x86 implementation fails when not running as Administrator

    Very strange issue here. I am implementing this as part of a larger tool and, in doing testing for compatibility with x86, I have found that it fails when run as a normal user, but succeeds when run as an Administrator. The x64 version of course works in both medium and high integrity. This testing was done on a Windows 7 VM; however, I also tested the x86 version on a Windows 11 VM, where I encountered the same issue.

    Attached is a screenshot showing the issue. Top cmd prompt is normal user, bottom is admin.


    I added a GetLastError() call which returned error 123, or:

    "ERROR_INVALID_NAME 123 (0x7B) The filename, directory name, or volume label syntax is incorrect."

    per MSDN. This occurs at line 26 where SetFileInformationByHandle is called.

    Does anyone have any ideas here? I'd believe that there is some incompatibility issue with x86, but the fact that it succeeds as an Admin but fails as a normal user, whereas it works fine for both on x64, is throwing me for a loop.

    opened by Octoberfest7 5
  • Two issues in the code

    LPWSTR lpwStream = (LPWSTR)DS_STREAM_RENAME;
    fRename.FileNameLength = sizeof(lpwStream);
    

    sizeof(lpwStream) is always 8 bytes on a 64-bit OS

    FILE_RENAME_INFO fRename;
    RtlCopyMemory(fRename.FileName, lpwStream, sizeof(lpwStream));
    

    The FILE_RENAME_INFO.FileName buffer needs to be allocated by you

    opened by EddieIvan01 1
Releases: v1.1

Owner: Lloyd
21, BEng Student @ ENU, RE, fuzzing & malware research.