How delete all files and folders of rootkit while this rootkit is running?
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 2 of 2

Thread: How delete all files and folders of rootkit while this rootkit is running?

  1. #1
    Join Date
    Apr 2014
    Posts
    55

    Question How delete all files and folders of rootkit while this rootkit is running?

    Hi,

    how all know, exists sevral anti rootkit softwares that is able to delete all files and folders of any rootkit even while this rootkit is running, the same also is possible to folders or files protected.

    Today i have this code below that is able of delete all files and subfolders of a determinated folder that can be defined on source code, happens that this code not is able to delete even while this rootkit is running or folders or files protected.

    Someone have some idea about make this? or already have made some project that was required this feature?

    Code:
    #include <ntifs.h>
    
    typedef unsigned int UINT;
    
    #define ALLOCSIZE PAGE_SIZE
    #define _REAL_DELETE_
    
    #ifdef _REAL_DELETE_
    #define USE_DELETE_ON_CLOSE FILE_DELETE_ON_CLOSE
    #else
    #define USE_DELETE_ON_CLOSE FILE_DIRECTORY_FILE
    #endif
    
    #define echo(x) x 
    #define label(x) echo(x)__LINE__ 
    #define RTL_CONSTANT_STRINGW(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ),(PWSTR)(s) } 
    
    #define STATIC_UNICODE_STRING(name, str) static const WCHAR label(__)[] = L##str; static const UNICODE_STRING name = RTL_CONSTANT_STRINGW(label(__))
    
    #define STATIC_OBJECT_ATTRIBUTES(oa, name) STATIC_UNICODE_STRING(label(m), name); static OBJECT_ATTRIBUTES oa = { sizeof oa, 0, (PUNICODE_STRING)&label(m), OBJ_CASE_INSENSITIVE }
    
    // int nLevel, PSTR prefix for debug only
    void ntTraverse(POBJECT_ATTRIBUTES poa, ULONG FileAttributes, int nLevel, PSTR prefix)
    {
    	if (IoGetRemainingStackSize() < PAGE_SIZE)
    	{
    		DbgPrint("no stack!\n");
    		return;
    	}
    
    	if (nLevel > MAXUCHAR)
    	{
    		DbgPrint("nLevel > MAXUCHAR\n");
    		return;
    	}
    
    	NTSTATUS status;
    	IO_STATUS_BLOCK iosb;
    	UNICODE_STRING ObjectName;
    	OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName };
    
    	DbgPrint("%s[<%wZ>]\n", prefix, poa->ObjectName);
    
    #ifdef _REAL_DELETE_
    	if (FileAttributes & FILE_ATTRIBUTE_READONLY)
    	{
    		if (0 <= NtOpenFile(&oa.RootDirectory, FILE_WRITE_ATTRIBUTES, poa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_OPEN_FOR_BACKUP_INTENT | FILE_OPEN_REPARSE_POINT))
    		{
    			static FILE_BASIC_INFORMATION fbi = { {},{},{},{}, FILE_ATTRIBUTE_NORMAL };
    			NtSetInformationFile(oa.RootDirectory, &iosb, &fbi, sizeof(fbi), FileBasicInformation);
    			NtClose(oa.RootDirectory);
    		}
    	}
    #endif//_REAL_DELETE_
    
    	if (0 <= (status = NtOpenFile(&oa.RootDirectory, FILE_GENERIC_READ, poa, &iosb, FILE_SHARE_VALID_FLAGS,
    		FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_REPARSE_POINT | FILE_OPEN_FOR_BACKUP_INTENT | USE_DELETE_ON_CLOSE)))
    	{
    		if (FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
    		{
    			if (PVOID buffer = ExAllocatePool(PagedPool, ALLOCSIZE))
    			{
    				union {
    					PVOID pv;
    					PUCHAR pb;
    					PFILE_DIRECTORY_INFORMATION DirInfo;
    				};
    
    				while (0 <= (status = NtQueryDirectoryFile(oa.RootDirectory, NULL, NULL, NULL, &iosb,
    					pv = buffer, ALLOCSIZE, FileDirectoryInformation, 0, NULL, FALSE)))
    				{
    
    					ULONG NextEntryOffset = 0;
    
    					do
    					{
    						pb += NextEntryOffset;
    
    						ObjectName.Buffer = DirInfo->FileName;
    
    						switch (ObjectName.Length = (USHORT)DirInfo->FileNameLength)
    						{
    						case 2 * sizeof(WCHAR) :
    							if (ObjectName.Buffer[1] != '.') break;
    						case sizeof(WCHAR) :
    							if (ObjectName.Buffer[0] == '.') continue;
    						}
    
    						ObjectName.MaximumLength = ObjectName.Length;
    
    #ifndef _REAL_DELETE_
    						if (DirInfo->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
    #endif
    						{
    							ntTraverse(&oa, DirInfo->FileAttributes, nLevel + 1, prefix - 1);
    						}
    #ifndef _REAL_DELETE_
    						else
    #endif
    						{
    							DbgPrint("%s%8I64u <%wZ>\n", prefix, DirInfo->EndOfFile.QuadPart, &ObjectName);
    						}
    
    					} while (NextEntryOffset = DirInfo->NextEntryOffset);
    
    					if (ALLOCSIZE - iosb.Information > FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName[256]))
    					{
    						break;//NO_MORE_FILES
    					}
    				}
    
    				ExFreePool(buffer);
    
    				if (status == STATUS_NO_MORE_FILES)
    				{
    					status = STATUS_SUCCESS;
    				}
    			}
    		}
    
    		NtClose(oa.RootDirectory);
    	}
    
    	if (0 > status)
    	{
    		DbgPrint("---- %x %wZ\n", status, poa->ObjectName);
    	}
    }
    
    void ntTraverse()
    {
    	//POBJECT_ATTRIBUTES oa;
    	char prefix[MAXUCHAR + 1];
    	memset(prefix, '\t', MAXUCHAR);
    	prefix[MAXUCHAR] = 0;
    
    	STATIC_OBJECT_ATTRIBUTES(oa, "\\??\\C:\\Rootkit-Folder");
    	//STATIC_OBJECT_ATTRIBUTES(oa, "\\systemroot");
    	ntTraverse(&oa, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_READONLY, 0, prefix + MAXUCHAR);
    }
    
    VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    	DbgPrint("DriverUnload()!");
    	return;
    }
    
    extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    	NTSTATUS NtStatus = STATUS_SUCCESS;
    	pDriverObject->DriverUnload = DriverUnload;
    	//DbgPrint("DriverEntry()!");
    	ntTraverse();
    	return NtStatus;
    }

  2. #2

    Re: How delete all files and folders of rootkit while this rootkit is running?

    Please write did you find the solution of this problem?

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Windows Mobile Development Center


Click Here to Expand Forum to Full Width

This a Codeguru.com survey!


On-Demand Webinars (sponsored)