A way to delete a locked file, or current running executable, on disk.

Overview

🗑️ delete-self-poc

A way to delete a locked file, or the currently running executable, on disk. This was originally found by Jonas Lykkegaard - I just wrote the POC for it. It can also be used to delete other locked files on disk that the calling process has permission to obtain DELETE access to.

How does this work in this POC?

  1. Open a HANDLE to the current process's executable file with GENERIC_READ | SYNCHRONIZE | DELETE access. Note that only DELETE is actually required.
  2. Rename the primary data stream, :$DATA, to :wtfbbq using SetFileInformationByHandle.
  3. Close the HANDLE.
  4. Open a HANDLE to the current process's executable file again and set DeleteFile for the FileDispositionInfo class to TRUE.
  5. Close the HANDLE to trigger the file disposition.
  6. Voilà, the file is gone.

Releases

I have included a statically linked release within this repository, in case you can't be bothered to compile the original source code.

Issues
  • Not working as expected ..

    I've compiled it with VS 2019 and tested this POC on all recent Windows versions:

    PC

    1. Windows 7 SP1 - File was emptied, not deleted, and program crashed
    2. Windows 8.1 - File was emptied, not deleted.
    3. Windows 10 LTSC - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.

    Server

    1. Windows 2008 R2 - File was emptied, not deleted, and program crashed
    2. Windows 2012 R2 - File was emptied, not deleted, and program crashed
    3. Windows 2016 - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.
    4. Windows 2019 - File was emptied, not deleted, and stuck at "Attempting to rename file name" for 20s. File size is zero, size on disk is still 124KB.
    opened by CaledoniaProject 6
  • x86 implementation fails when not running as Administrator

    Very strange issue here. I am implementing this as part of a larger tool and, in doing testing for compatibility with x86, I have found that it fails when run as a normal user but succeeds when run as an Administrator. The x64 version of course works in both medium and high integrity. This testing was done on a Windows 7 VM; however, I also tested the x86 version on a Windows 11 VM, where I encountered the same issue.

    Attached is a screenshot showing the issue. Top cmd prompt is normal user, bottom is admin.

    I added a GetLastError() call which returned error 123, or:

    "ERROR_INVALID_NAME 123 (0x7B) The filename, directory name, or volume label syntax is incorrect."

    per MSDN. This occurs at line 26 where SetFileInformationByHandle is called.

    Does anyone have any ideas here? I'd believe that there is some incompatibility issue with x86, but the fact that it succeeds as an Admin but fails as a normal user, whereas it works fine for both on x64, is throwing me for a loop.

    opened by Octoberfest7 5
  • Two issues in the code

    LPWSTR lpwStream = (LPWSTR)DS_STREAM_RENAME;
    fRename.FileNameLength = sizeof(lpwStream);

    sizeof(lpwStream) is always 8 bytes on a 64-bit OS

    FILE_RENAME_INFO fRename;
    RtlCopyMemory(fRename.FileName, lpwStream, sizeof(lpwStream));

    The FILE_RENAME_INFO.FileName buffer needs to be allocated by yourself

    opened by EddieIvan01 1
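To make the two bugs reported above concrete (and the sizing needed for the rename step in the how-it-works list), here is an added Python model of the FILE_RENAME_INFO buffer; it is not code from this repository. It computes the correct FileNameLength and allocation size for the name :wtfbbq and shows what FileNameLength = sizeof(lpwStream) actually hands to the kernel on x86 and x64 builds. The struct offsets assume the standard MSVC layout (4-byte pointers on x86, 8-byte on x64).

```python
import struct

# Constructed input: the stream name the POC renames :$DATA to (from the README).
NEW_STREAM_NAME = ":wtfbbq"

# FILE_RENAME_INFO layout (standard MSVC packing, assumed here):
#   BOOLEAN ReplaceIfExists;  1 byte, padded up to pointer alignment
#   HANDLE  RootDirectory;    pointer-sized
#   DWORD   FileNameLength;   byte count of FileName, no terminating NUL
#   WCHAR   FileName[1];      the caller must allocate room for the real name
# Offsets therefore depend on the build: x86 pointers are 4 bytes, x64 are 8.

def header_size(pointer_size: int) -> int:
    """Offset of FileName: padded BOOLEAN + HANDLE + DWORD."""
    return pointer_size + pointer_size + 4

def sizeof_struct(pointer_size: int) -> int:
    """sizeof(FILE_RENAME_INFO): header + one WCHAR, rounded to pointer alignment."""
    raw = header_size(pointer_size) + 2
    return (raw + pointer_size - 1) // pointer_size * pointer_size

def required_buffer_size(new_name: str, pointer_size: int = 8) -> int:
    """Bytes to allocate (and pass as dwBufferSize) for the struct plus the inline name."""
    return header_size(pointer_size) + len(new_name.encode("utf-16-le"))

def build_file_rename_info(new_name: str, pointer_size: int = 8, replace: bool = False) -> bytes:
    """Serialize a correctly sized FILE_RENAME_INFO with the UTF-16LE name inline."""
    name_bytes = new_name.encode("utf-16-le")      # Windows wide strings are UTF-16LE
    pad = "x" * (pointer_size - 1)                  # BOOLEAN padded to pointer alignment
    handle = "I" if pointer_size == 4 else "Q"      # HANDLE RootDirectory (NULL here)
    header = struct.pack("<B" + pad + handle + "I", int(replace), 0, len(name_bytes))
    return header + name_bytes

def name_kernel_sees_with_sizeof_bug(new_name: str, pointer_size: int) -> str:
    """FileNameLength = sizeof(lpwStream) is just the pointer size, so the kernel reads
    only that many bytes of the name: 4 characters on x64, 2 on x86."""
    return new_name.encode("utf-16-le")[:pointer_size].decode("utf-16-le")

def stack_overrun_with_sizeof_bug(pointer_size: int) -> int:
    """Bytes written past a stack FILE_RENAME_INFO when RtlCopyMemory copies
    sizeof(lpwStream) bytes into the 2-byte FileName[1] field."""
    end_of_copy = header_size(pointer_size) + pointer_size
    return max(0, end_of_copy - sizeof_struct(pointer_size))

if __name__ == "__main__":
    for arch, psize in (("x86", 4), ("x64", 8)):
        print(arch, "correct FileNameLength:", len(NEW_STREAM_NAME.encode("utf-16-le")),
              "buffer bytes:", required_buffer_size(NEW_STREAM_NAME, psize),
              "buggy name:", repr(name_kernel_sees_with_sizeof_bug(NEW_STREAM_NAME, psize)),
              "buggy overrun bytes:", stack_overrun_with_sizeof_bug(psize))
```

The fix the issue asks for follows directly: allocate header_size plus the wide-string byte length, set FileNameLength to that byte length, and copy the whole name rather than sizeof of a pointer.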
Releases (v1.1)
Owner
Lloyd
21, BEng Student @ ENU, RE, fuzzing & malware research.