flat assembler
Message board for the users of flat assembler.

Delete a locked file from kernel mode

mario29



Joined: 07 Sep 2010
Posts: 5
mario29 07 Sep 2010, 02:48
I have a file that is locked for writing and delete access (most likely another process is using it) from the Windows API. Is there any way for a kernel mode driver to use a Zw* function or something to delete or overwrite such a file?
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 07 Sep 2010, 14:22
Did you consider that it is locked for a good reason?

I imagine it would just be easier to kill the offending task, delete the file and then restart the task. Pulling a file out from under the task will likely cause it to crash anyway. So you are unlikely to save any effort by forcibly deleting the file without notifying the locking task.
Nameless



Joined: 30 Apr 2010
Posts: 95
Nameless 07 Sep 2010, 16:06
The best way to do it, in my opinion, is: if you know the process that's using this file, you can list all handles used by this process using (NtQuerySystemInformation) and use (NtQueryInformationFile) to convert that handle to its file name, check if it's the same as the one you're looking for, and if it is, simply use (CreateRemoteThread) and (CloseHandle) to close the handle as safely as possible.
I know it seems a lot of work, but that depends on how badly you need that code.
I did it before in Delphi; if you're interested in my Delphi code just drop me a message.
farrier



Joined: 26 Aug 2004
Posts: 274
Location: North Central Mississippi
farrier 07 Sep 2010, 16:18
mario29,

I ran into this with a notebook that crashed violently, and upon recovery there was a corrupted file which I could not delete. What finally worked for me was TakeOwn:

technet.microsoft.com/en-us/library/cc753024(WS.10).aspx

After using this as--administrator--I was able to delete the file.

hth,

farrier

mario29



Joined: 07 Sep 2010
Posts: 5
mario29 07 Sep 2010, 21:10
Thanks but I need to delete the file and I don't know the name of the process using the file. I don't mind if the process using the file crashes, I need to delete/overwrite the file. Is there a way of determining the process id of a process accessing a file, or even better is there a way of deleting/overwriting a locked file from kernel mode?
Nameless



Joined: 30 Apr 2010
Posts: 95
Nameless 07 Sep 2010, 21:32
You can use a driver to do all this like "Unlocker" does (google it), but still, if you don't know the process using your handles, you can use the same way to look for it in all processes and unlock it when it's found. And no, it isn't slow.
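On the question of finding which process has the file open: the following is an added example, not code from any poster in this thread. It uses the documented user-mode Restart Manager API (rstrtmgr.dll) instead of the NtQuerySystemInformation handle walk described above, and it only reports the holders. The class name `FileLockers`, its `Find` method and the temp-file path are assumptions made for the illustration.

```powershell
Add-Type -TypeDefinition @'
using System; using System.Text; using System.Collections.Generic;
using System.ComponentModel; using System.Runtime.InteropServices;
public static class FileLockers {   // hypothetical helper name, not from the thread
    [StructLayout(LayoutKind.Sequential)]   // DWORD pid + FILETIME start time
    struct RM_UNIQUE_PROCESS { public int dwProcessId; public uint StartLow, StartHigh; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct RM_PROCESS_INFO {
        public RM_UNIQUE_PROCESS Process;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string strAppName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)] public string strServiceShortName;
        public int ApplicationType; public uint AppStatus, TSSessionId;
        [MarshalAs(UnmanagedType.Bool)] public bool bRestartable;
    }
    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    static extern int RmStartSession(out uint handle, int flags, StringBuilder sessionKey);
    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    static extern int RmRegisterResources(uint handle, uint nFiles, string[] files,
        uint nApps, IntPtr apps, uint nServices, string[] services);
    [DllImport("rstrtmgr.dll")]
    static extern int RmGetList(uint handle, out uint needed, ref uint count,
        [In, Out] RM_PROCESS_INFO[] apps, ref uint rebootReasons);
    [DllImport("rstrtmgr.dll")]
    static extern int RmEndSession(uint handle);
    // Returns "PID<TAB>application name" for each process that has 'path' open.
    public static List<string> Find(string path) {
        var result = new List<string>(); uint h;
        int rc = RmStartSession(out h, 0, new StringBuilder(33));  // 32-char key + NUL
        if (rc != 0) throw new Win32Exception(rc);
        try {
            rc = RmRegisterResources(h, 1, new[] { path }, 0, IntPtr.Zero, 0, null);
            if (rc != 0) throw new Win32Exception(rc);
            uint needed = 0, count, reasons = 0; RM_PROCESS_INFO[] info;
            do {   // first pass only asks for the size; repeat if the list grew
                count = needed; info = count > 0 ? new RM_PROCESS_INFO[count] : null;
                rc = RmGetList(h, out needed, ref count, info, ref reasons);
            } while (rc == 234);                                   // ERROR_MORE_DATA
            if (rc != 0) throw new Win32Exception(rc);
            for (int i = 0; i < count; i++)
                result.Add(info[i].Process.dwProcessId + "\t" + info[i].strAppName);
            return result;
        } finally { RmEndSession(h); }
    }
}
'@
# Constructed demo: hold a temp file open with no sharing, then ask who has it.
$path = Join-Path $env:TEMP 'rm-demo.txt'
$fs = [IO.File]::Open($path, 'OpenOrCreate', 'ReadWrite', 'None')
try { [FileLockers]::Find($path) } finally { $fs.Dispose(); Remove-Item $path }
```

Restart Manager is available from Windows Vista onward; once the holder's PID is known, the process can be stopped and restarted around the delete as suggested earlier in the thread.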
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
