Another way to delete the process itself

zhaozj2021-02-16  67

This article is a collection of collection, not what I have written.

Everyone knows that when the general program is running, the executable itself is protected by the operating system. It cannot be accessed by rewritten, let alone delete themselves when it is still running. Seeing a Undocument method on the homepage of LU0, deleting yourself by changing the file access mode of the system underlying. I saw it very admired.

But is there a function that can be found on the MSDN? Yes! Jeffrey richter gives us a sample: deleteme.cppmodule name: deleteme.cppwritten by: Jeffrey RichterDescription: allows an executable file to delete itself ********************* ********************************************************* / #include #include #include / int WinApi WinMain (Hinstance H, Hinstance B, LPSTR PSZ, INT N) {// is this the Original Exe or The Clone EXE ? // if the command-line 1 argument, this is the original exe // if the command-line> 1 argument, this is the clone exeif (__ARGC == 1) {// Original Exe: Spawn Clone EXE to DELETE THIS exe // copy this executable image into the user's temp directorytchar szpathorig [_max_path], szpathclone [_max_path]; getmodulefilename (null, szpathorig, _max_path); gettemppath (_max_path, szpathclone); gettempfilename (szpathclone, __text ( "del"), 0 , szpathclone); copyfile (szpathorig, szpathclone, false); // *** attention ***: // open the clone exe using file_flag_delete_on_closehandle hfile = createfile (szpathclone, 0, file_share_read, null, open_ existing, file_flag_delete_on_close, null); // spawn the clone exe passing it our exe's process handle // and the full path name to the original exe file.tchar szcmdline [512]; handle hprocessorig = openprocess (synchronize, true, getcurrentprocessid () WSPRINTF (""% s% d / "% s /"), szpathclone, hprocessorig, szpathorig; startupinfo si; zeromemory (& Si, SIZEOF (Si)); Si.cb = Sizeof (Si) Process_information pi; CreateProcess (Null, Szcmdline, Null, Null, True, 0, Null, Null, & Si, & Pi); CloseHandle (HProcessorig); CloseHandle (HFILE);

转载请注明原文地址:https://www.9cbs.com/read-15747.html

New Post(0)