Deleting the executable of the running application itself

zhaozj 2021-02-16

The following code was written by Gary Nebbett, author of "Windows NT/2000 Native API Reference" and an expert on NT internals. Here is an analysis of one of his examples: a program that, before the process exits, deletes the .exe file it was started from.

    int main(int argc, char *argv[])
    {
        HMODULE module = GetModuleHandle(0);
        CHAR buf[MAX_PATH];
        GetModuleFileName(module, buf, sizeof buf);
        CloseHandle(HANDLE(4));
        __asm {
            lea  eax, buf
            push 0
            push 0
            push eax
            push ExitProcess
            push module
            push DeleteFile
            push UnmapViewOfFile
            ret
        }
        return 0;
    }

Now look at the contents of the stack after the seven pushes (offsets in bytes from esp):

    offset 24   0
    offset 20   0
    offset 16   address of buf
    offset 12   address of ExitProcess
    offset  8   module
    offset  4   address of DeleteFile
    offset  0   address of UnmapViewOfFile

The `ret` pops the word at offset 0 and jumps to it, so control lands at the entry of UnmapViewOfFile exactly as if it had been called. On entry, UnmapViewOfFile sees what a normal call would have left on the stack: a return address (the address of DeleteFile) at [esp] and its single parameter (the HMODULE module, which is the base address of the mapped image) at [esp+4]. It unmaps the view and executes `ret 4`, which pops both words and "returns" to the entry of DeleteFile. DeleteFile in turn sees the address of ExitProcess as its return address and the address of buf (the path of the .exe, filled in earlier by GetModuleFileName(module, buf, sizeof buf)) as its lpFileName parameter. After deleting the file it returns into the entry of ExitProcess, whose parameter (uExitCode) is 0 and whose return address is also 0. Address 0 is invalid, so returning there would fault, but ExitProcess never returns, so the chain ends cleanly.

What makes this code elegant:

1. A file cannot be deleted while a handle to it is still open, so a plain DeleteFile on the running .exe would fail. CloseHandle(HANDLE(4)) is the clever part: according to this analysis, handle value 4 is hard-wired by the OS as the handle corresponding to the image of the .exe. The OS assumes no caller will close that handle, and once it is closed the reference that would block the deletion is gone. (This is an undocumented implementation detail of the NT version the code was written for, not part of the Win32 API, and cannot be relied on across Windows versions.)

2. UnmapViewOfFile releases the other reference to the image, the memory mapping itself, and removes it from the address space. After that point no code may touch any address inside the image, including the program's own code and data, or the OS reports an access violation. The chain above is arranged so that once UnmapViewOfFile runs, only kernel32 entry points execute and nothing inside the image is referenced again; this also means the pushed function addresses must be the real entry points in kernel32, not import stubs that live inside the .exe.

3. The .exe is deleted before ExitProcess is called. At that moment the process is still alive, while the file its main thread was loaded from no longer exists.

(Windows NT and 9x normally protect Win32 images that are mapped into memory from being deleted; this is the protection the code above works around.)
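The call chain above is nothing more than a stack of return addresses and arguments consumed by stdcall `ret 4` instructions. As an added example (not part of the original post and not Nebbett's code), the following C program simulates that stack walk on any platform: it performs the same seven pushes into a toy downward-growing stack, then replays the final `ret` and each callee's `ret 4`, recording what every function sees as its return address and its parameter on entry. The function addresses, image base and buffer address are made-up constants, and the three kernel32 functions are modelled only by their stdcall argument count and whether they return.

```c
/*
 * Added example: simulate the stdcall "return chain" from Nebbett's
 * self-deleting executable. Not the original code; the addresses below are
 * invented constants that stand in for kernel32 entry points and data.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Made-up addresses standing in for real kernel32 entry points and data. */
#define A_UNMAPVIEWOFFILE 0x7c8001a0u
#define A_DELETEFILE      0x7c8002b0u
#define A_EXITPROCESS     0x7c8003c0u
#define A_MODULE          0x00400000u  /* image base, as returned by GetModuleHandle(0) */
#define A_BUF             0x0012ff40u  /* address of buf[] holding the .exe path */

typedef struct {
    uint32_t    addr;
    const char *name;
    int         nargs;     /* stdcall: callee pops this many dwords with `ret 4*nargs` */
    int         returns;   /* 0 for ExitProcess, which never comes back */
} gadget_t;

static const gadget_t gadgets[] = {
    { A_UNMAPVIEWOFFILE, "UnmapViewOfFile", 1, 1 },
    { A_DELETEFILE,      "DeleteFile",      1, 1 },
    { A_EXITPROCESS,     "ExitProcess",     1, 0 },
};

typedef struct {
    const char *name;      /* which function was entered */
    uint32_t    ret_addr;  /* what it saw at [esp]   on entry */
    uint32_t    arg0;      /* what it saw at [esp+4] on entry */
} call_rec_t;

#define STACK_WORDS 16

/* A tiny downward-growing stack; push_word() mirrors an x86 `push`. */
typedef struct {
    uint32_t words[STACK_WORDS];
    size_t   esp;          /* index of the top word; starts one past the end */
} x86_stack_t;

static void stack_init(x86_stack_t *s) { s->esp = STACK_WORDS; }
static void push_word(x86_stack_t *s, uint32_t v) { s->words[--s->esp] = v; }

/* Perform exactly the pushes the inline asm performs, in the same order. */
static void build_nebbett_chain(x86_stack_t *s)
{
    stack_init(s);
    push_word(s, 0);                 /* push 0               : uExitCode for ExitProcess      */
    push_word(s, 0);                 /* push 0               : return address ExitProcess never uses */
    push_word(s, A_BUF);             /* push eax             : lpFileName for DeleteFile      */
    push_word(s, A_EXITPROCESS);     /* push ExitProcess     : DeleteFile "returns" here      */
    push_word(s, A_MODULE);          /* push module          : lpBaseAddress for UnmapViewOfFile */
    push_word(s, A_DELETEFILE);      /* push DeleteFile      : UnmapViewOfFile "returns" here */
    push_word(s, A_UNMAPVIEWOFFILE); /* push UnmapViewOfFile : consumed by the final `ret`    */
}

static const gadget_t *lookup(uint32_t addr)
{
    for (size_t i = 0; i < sizeof gadgets / sizeof gadgets[0]; i++)
        if (gadgets[i].addr == addr) return &gadgets[i];
    return NULL;
}

/*
 * Execute the chain, starting with the `ret`. Fills out[] with one record per
 * function entered and returns how many there were, or -1 if control would
 * land on an address that is not a known function (the real process crashes).
 */
static int run_chain(const x86_stack_t *s, call_rec_t *out, int max_out)
{
    size_t esp = s->esp;
    uint32_t eip = s->words[esp++];             /* the `ret` instruction */
    int n = 0;
    for (;;) {
        const gadget_t *g = lookup(eip);
        if (!g || n == max_out) return -1;
        if (esp + (size_t)g->nargs >= STACK_WORDS) return -1;  /* would read past the stack */
        out[n].name     = g->name;
        out[n].ret_addr = s->words[esp];        /* [esp]   on entry */
        out[n].arg0     = s->words[esp + 1];    /* [esp+4] on entry */
        n++;
        if (!g->returns) return n;              /* ExitProcess: the chain ends here */
        eip  = s->words[esp];                   /* `ret 4*nargs`: pop the return address ... */
        esp += 1 + (size_t)g->nargs;            /* ... and the callee's own arguments */
    }
}

int main(void)
{
    x86_stack_t s;
    call_rec_t rec[4];
    build_nebbett_chain(&s);
    int n = run_chain(&s, rec, 4);
    for (int i = 0; i < n; i++)
        printf("%-16s ret=%08x arg0=%08x\n", rec[i].name,
               (unsigned)rec[i].ret_addr, (unsigned)rec[i].arg0);
    return n == 3 ? 0 : 1;
}
```

Running it prints one line per function in the chain, showing that UnmapViewOfFile receives module, DeleteFile receives buf, and ExitProcess receives 0 with a return address of 0. Try removing the `push module` line in build_nebbett_chain: UnmapViewOfFile then gets the address of ExitProcess as its argument, DeleteFile "returns" into buf, and run_chain reports -1, which is the access violation the real program would take because every word in the chain is consumed by a fixed-size `ret 4`.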

Please credit the original source when reposting: https://www.9cbs.com/read-15754.html
