A clever way for a program to delete itself

zhaozj 2021-02-11 153


vcbear

Recently I saw someone on a forum ask how a program can delete itself after it has started running. I don't know whether anyone else is interested in Trojans, but I certainly like the effect: the user runs the program once, the executable file is gone, yet the program is still running. I am afraid people would shout "ghosts!" or "Honey, come and look at this miracle". In practice the most typical use is writing uninstallers. Since I have some time to kill, BEAR will show one way to "delete yourself".

Everyone knows that while a program is running, its executable file is protected by the operating system: it cannot be opened for writing, let alone deleted, as long as the process is still running. On LU0's homepage I saw an undocumented method that deletes the file by changing its access mode at the lowest level of the system, and I admired it very much. But is there a method that can be found on MSDN? Yes! Jeffrey Richter has written an example for us:

```cpp
/******************************************************************************
Module:      DeleteMe.cpp
Written by:  Jeffrey Richter
Description: Allows an executable file to delete itself
******************************************************************************/

#include <windows.h>
#include <tchar.h>
#include <stdlib.h>   // __argc / __targv

int WINAPI WinMain(HINSTANCE hinstExe, HINSTANCE hinstPrev, LPSTR pszCmdLine, int nCmdShow) {

   // Is this the Original EXE or the clone EXE?
   // If the command line has 1 argument, this is the Original EXE
   // If the command line has >1 argument, this is the clone EXE
   if (__argc == 1) {

      // Original EXE: spawn the clone EXE that will delete this EXE.
      // Copy this executable image into the user's temp directory.
      TCHAR szPathOrig[_MAX_PATH], szPathClone[_MAX_PATH];
      GetModuleFileName(NULL, szPathOrig, _MAX_PATH);
      GetTempPath(_MAX_PATH, szPathClone);
      GetTempFileName(szPathClone, __TEXT("Del"), 0, szPathClone);
      CopyFile(szPathOrig, szPathClone, FALSE);

      // *** Note ***
      // Open the clone EXE using FILE_FLAG_DELETE_ON_CLOSE so that the system
      // removes it once the last handle to it (the clone's own image) goes away.
      HANDLE hfile = CreateFile(szPathClone, 0, FILE_SHARE_READ, NULL,
                                OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL);

      // Spawn the clone EXE, passing it our process handle (opened inheritable,
      // so the numeric value is valid in the child) and the full path name of
      // the Original EXE file.
      TCHAR szCmdLine[512];
      HANDLE hProcessOrig = OpenProcess(SYNCHRONIZE, TRUE, GetCurrentProcessId());
      wsprintf(szCmdLine, __TEXT("%s %d \"%s\""),
               szPathClone, (int)(INT_PTR)hProcessOrig, szPathOrig);
      STARTUPINFO si;
      ZeroMemory(&si, sizeof(si));
      si.cb = sizeof(si);
      PROCESS_INFORMATION pi;
      CreateProcess(NULL, szCmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
      CloseHandle(pi.hThread);    // added here: release the handles CreateProcess returns
      CloseHandle(pi.hProcess);
      CloseHandle(hProcessOrig);
      CloseHandle(hfile);

      // This original process can now terminate.

   } else {

      // Clone EXE: when the original EXE terminates, delete it.
      HANDLE hProcessOrig = (HANDLE)(INT_PTR)_ttoi(__targv[1]);
      WaitForSingleObject(hProcessOrig, INFINITE);
      CloseHandle(hProcessOrig);
      DeleteFile(__targv[2]);

      // Insert code here to remove the subdirectory too (if desired).

      // The system will delete the clone EXE automatically
      // because it was opened with FILE_FLAG_DELETE_ON_CLOSE.
   }

   return(0);
}
```

Have you read it?

The idea is very simple. Since the program cannot delete its own file while it is running, it makes a copy (a clone) of itself, starts a second process from that copy, and then exits. Once the original process has terminated, the original EXE file is no longer protected by the system, so the new process acts as the "killer", removes the original file, and can then go on to carry out whatever else the program has to do.

After the new process has finished, the copy is deleted automatically. This is another trick worth pointing out; note:

```cpp
// Open the clone EXE using FILE_FLAG_DELETE_ON_CLOSE
HANDLE hfile = CreateFile(szPathClone, 0, FILE_SHARE_READ, NULL,
                          OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL);
```

The FILE_FLAG_DELETE_ON_CLOSE flag tells the operating system to delete the file as soon as every handle to it has been closed (including the one the system holds for the child process created above, because the clone's image is mapped from that file). Almost all temporary files are created with this flag. One caveat worth knowing: after a file has been opened with this flag, any further open of it fails unless the caller specifies FILE_SHARE_DELETE; the image loader opens executables with delete sharing, which is why CreateProcess can still start the clone.

Note also that the clone process must wait for the original process to exit before deleting it. This uses ordinary process synchronization:

```cpp
HANDLE hProcessOrig = OpenProcess(SYNCHRONIZE, TRUE, GetCurrentProcessId());
```

This obtains a handle to the original process. The SYNCHRONIZE access right is available on Windows NT; it allows the handle returned by OpenProcess to be used as a synchronization object. The clone process waits on it with WaitForSingleObject, then calls DeleteFile, then does any other cleanup (deleting the directory, say), and the job is done!

The program is a bare Win32 program with no window. It decides from its command-line arguments whether it is the original process or the clone, and receives through them the information about the target file it has to operate on (mainly the path). The copy is placed in the system's TEMP directory (GetTempPath); you could also put it anywhere else you consider safe, such as Windows\System32, although writing there requires administrative rights, so a per-user temp directory is the more sensible choice.
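The clone-and-wait pattern described above, as an added example that is not part of the original article or of Jeffrey Richter's code: the same three steps (copy to a temp file, start the copy with the original's identity and path, have the copy wait and then delete) written as a PowerShell script so it can be tried without a compiler. For a script the file lock is not really there, since PowerShell has already parsed the file before it runs, so the point is the mechanics rather than the need; the names OriginalPid and OriginalPath, the "Del" temp-file prefix, and the assumption that powershell.exe is on PATH are all mine.

```powershell
# Added example (not from the article or from DeleteMe.cpp): the clone-and-wait
# self-deletion pattern as a PowerShell script. Save as a .ps1 and run it once.
#
# First run  (no arguments): original instance. Copies itself to %TEMP%, starts the
#                            copy with its own PID and path, and exits.
# Clone run  (arguments)   : waits until the original process is gone, deletes the
#                            original file, then deletes its own copy.
# Assumption: powershell.exe is on PATH and the script sits in a writable directory.

param(
    [int]$OriginalPid = 0,        # non-zero only when this instance is the clone
    [string]$OriginalPath = ''    # file the clone has to delete
)

if ($OriginalPid -eq 0) {
    # --- original instance (the __argc == 1 branch of DeleteMe.cpp) ---
    # GetTempPath + GetTempFileName("Del") equivalent: a uniquely named copy in %TEMP%.
    $clone = Join-Path $env:TEMP ('Del{0}.ps1' -f [guid]::NewGuid().ToString('N'))
    Copy-Item -LiteralPath $PSCommandPath -Destination $clone

    # The C++ version hands the child an inheritable SYNCHRONIZE handle; here the clone
    # gets our PID and waits on the process object through Wait-Process instead.
    $argList = @(
        '-NoProfile', '-ExecutionPolicy', 'Bypass',
        '-File', ('"{0}"' -f $clone),
        '-OriginalPid', $PID,
        '-OriginalPath', ('"{0}"' -f $PSCommandPath)
    )
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -WindowStyle Hidden

    Write-Host "original [$PID]: clone started at $clone, exiting now"
    exit 0
}

# --- clone instance (the else branch of DeleteMe.cpp) ---
# WaitForSingleObject(hProcessOrig, INFINITE): block until the original process exits.
# If it is already gone, Wait-Process reports an error, which is fine here.
Wait-Process -Id $OriginalPid -ErrorAction SilentlyContinue

# DeleteFile(szPathOrig), with a short retry loop: a process can be reported as exited
# slightly before the kernel releases the last lock on the files it had mapped.
$deleted = $false
for ($i = 0; $i -lt 50 -and -not $deleted; $i++) {
    try {
        Remove-Item -LiteralPath $OriginalPath -Force -ErrorAction Stop
        $deleted = $true
    } catch {
        Start-Sleep -Milliseconds 100
    }
}

# No FILE_FLAG_DELETE_ON_CLOSE is needed for a script: PowerShell has finished reading
# this file, so the clone can remove its own copy directly before it exits.
Remove-Item -LiteralPath $PSCommandPath -Force -ErrorAction SilentlyContinue
if (-not $deleted) { exit 1 }
exit 0
```

The retry loop is the one thing a practitioner should carry over to an EXE version as well: the wait on the process object returns when the process is signalled, and the file lock held by its image section can be released a moment later, so a single DeleteFile call right after the wait can occasionally fail.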

There is no deep technology in this. Other self-deletion examples are worth a look too: for instance, before the process exits, write out a .bat file with fwrite or similar, put a few DEL commands in it, and run it with WinExec. Anyone who played around with DOS in the old days can do that. Today I learned something new, cool.
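The .bat variant just mentioned, as an added example that is not from the original article: New-SelfDeleteBatch writes a batch file that keeps retrying DEL on the target until the file is gone (it cannot succeed until the process holding the file has exited) and then deletes the batch file itself; Invoke-SelfDeleteBatch starts it detached so the caller can exit right away, which is what the article's WinExec call does. The function names, the "Del" prefix for the batch file and the target path in the usage note are my assumptions.

```powershell
# Added example (not from the article): the "write a .bat with DEL in it and run it"
# approach in PowerShell. The batch file retries DEL until the owning process has exited,
# then removes itself. Function names and the target path used in the usage note are
# assumptions made for this example.

function New-SelfDeleteBatch {
    param(
        [Parameter(Mandatory)][string]$TargetPath,   # file to remove once its owner exits
        [string]$BatchPath = (Join-Path $env:TEMP ('Del{0}.bat' -f [guid]::NewGuid().ToString('N')))
    )
    # The target path is embedded rather than passed as an argument, to stay clear of
    # cmd.exe's nested-quote handling. "ping -n 2" is the classic ~1 second pause in batch.
    $lines = @(
        '@echo off',
        ('set "T={0}"' -f $TargetPath),
        ':retry',
        'del /f /q "%T%" >nul 2>&1',
        'if exist "%T%" (',
        '    ping -n 2 127.0.0.1 >nul',
        '    goto retry',
        ')',
        'del /f /q "%~f0"'     # a batch file may delete itself as its last command
    )
    # cmd.exe wants CRLF line endings and no UTF-8 BOM in front of "@echo off".
    [System.IO.File]::WriteAllText($BatchPath, (($lines -join "`r`n") + "`r`n"),
                                   [System.Text.Encoding]::Default)
    return $BatchPath
}

function Invoke-SelfDeleteBatch {
    param([Parameter(Mandatory)][string]$TargetPath)
    $bat = New-SelfDeleteBatch -TargetPath $TargetPath
    # WinExec equivalent: start cmd.exe detached and hidden. The /c string carries only
    # two quotes, so cmd.exe strips them cleanly.
    Start-Process -FilePath 'cmd.exe' -ArgumentList @('/c', ('"{0}"' -f $bat)) -WindowStyle Hidden
    return $bat
}

# Usage from the program that wants to disappear (assumed path):
#   Invoke-SelfDeleteBatch -TargetPath 'C:\Temp\uninstall.exe'
#   exit   # once this process is gone, the loop's DEL succeeds and the batch removes itself
```

Compared with the clone approach, this one leaves a cmd.exe process polling until the target can be deleted, and the batch file is visible on disk for that whole time; the FILE_FLAG_DELETE_ON_CLOSE trick has no equivalent here because cmd.exe reads the batch file incrementally while it runs.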

2001.2.27

(Feel free to repost, as long as you don't remove Jeffrey's name, and BEAR's too... :D)

In addition, Jeffrey's website:

When reposting please credit the original address: https://www.9cbs.com/read-6064.html
