flat assembler
Message board for the users of flat assembler.
Windows > Self-deleting file
JohnFound 02 Aug 2004, 20:25
There are a lot of solutions (including with .bat files), but the only two pure assembly solutions I saw were:

1. Using the stack to create code that is executed from the kernel (on some ret) after the process terminates.
2. Code injection into another process that stays in memory (for example explorer.exe), which waits for the base process to terminate and then deletes the file.

AFAIK, comrade was the author of one example about something similar: writing data into the self executable: http://comrade64.cjb.net/src-asm.en.htm

Regards.
silkodyssey 02 Aug 2004, 22:12
Some of the programs here may be helpful to you.
http://www.ols-lab.com/devcorner/tasm32/
comrade 03 Aug 2004, 00:07
It is possible in Windows 2000 (not sure about NT4), but not Windows XP. The trick is to destroy the kernel object (a section object) that locks the file, and then do a trick with a chained call that would delete the file and quit immediately. This does not work in XP because the handle for the section object is random and unknown, but is fixed and known in Windows 2000.
More info here: http://www.catch22.org.uk/tuts/selfdel.asp and here: http://www.wasm.ru/forum/index.php?action=vthread&forum=4&topic=2569&page=1 You are interested in the .zip attachment in Four-F's post.
Rookie 03 Aug 2004, 22:53
Thanx! A lot! Now to get to work... (If anybody's interested in taking a look at the project, just say so)
Rookie 05 Aug 2004, 11:54
I used the 5th example from http://www.catch22.org.uk/tuts/selfdel.asp
I made an asm version of it (which I also attached). Unfortunately, it doesn't seem to work. I traced the problem to the VirtualProtectEx call, which fails. I think it's because entrypoint is not calculated correctly. In the C source code it's something like this:

Code:
    entrypoint = (context.Esp - sizeof(SELFDEL)) & ~0x1F

which I translated as

Code:
    mov eax,1Fh
    not eax                 ; eax = ~0x1F (32-byte alignment mask)
    mov ebx,[context.Esp]
    sub ebx,sizeof.SELFDEL  ; ebx = Esp - sizeof(SELFDEL)
    and eax,ebx
    mov [entrypoint],eax

Did I do it right? And if so, can anybody tell me where's the bug?
rwalt 07 Sep 2004, 00:13
I translated a TASM example (which I believe is the only example in assembler) of a self-deleting EXE. Using OllyDbg I finally got this to work...

Code:
    include '%fasminc%/win32ax.inc'

    MAX_PATH = 104h
    STACK_CODE_SIZE = 9h

    .code

    ; these 9 bytes are copied onto the stack and executed from there
    ; once the image has been freed
    stack_code:
        pop eax
        call eax        ;call FreeLibrary
        pop eax
        call eax        ;call DeleteFile
        ret (MAX_PATH + STACK_CODE_SIZE - 4h)

    start:
        sub esp, (MAX_PATH + STACK_CODE_SIZE)
        mov edi, esp
        mov ebx, edi                ; ebx = address of the stack copy
        mov ecx, STACK_CODE_SIZE
        mov esi, stack_code
        rep movsb                   ; edi now points past the copied code: file name buffer
        push MAX_PATH
        push edi
        push ecx                    ; ecx is 0 after rep movsb: hModule = NULL
        call L1                     ; GetModuleFileName(NULL, edi, MAX_PATH)
        mov eax, L2
        mov eax, [eax + 2h]         ; [L2+2] is the IAT slot read by "jmp [ExitProcess]"
        push dword [eax]            ; address of ExitProcess
        push edi                    ; file name argument for DeleteFile
        mov eax, L3
        mov eax, [eax + 2h]
        push dword [eax]            ; address of DeleteFile
        push 0h
        call L4                     ; GetModuleHandle(NULL)
        push eax                    ; hModule argument for FreeLibrary
        mov eax, L5
        mov eax, [eax + 2h]
        push dword [eax]            ; address of FreeLibrary
        jmp ebx                     ; run the copy on the stack

    L1: jmp [GetModuleFileName]
    L2: jmp [ExitProcess]
    L3: jmp [DeleteFile]
    L4: jmp [GetModuleHandle]
    L5: jmp [FreeLibrary]

    .end start

This will work on both 9x and ME. To possibly get it to work on NT you will have to replace FreeLibrary with UnmapViewOfFile.
Madis731 08 Sep 2004, 20:59
nope, it doesn't work that way:(
rwalt 09 Sep 2004, 16:08
Madis731 wrote: nope, it doesn't work that way:(

I think I have got it to work, try this code...

Code:
    ; SELF-DEL.ASM
    ; Self-deleting executable file code
    ; For Windows 9x/ME/NT

    include '%fasminc%/win32ax.inc'

    .code

    main:
        push ebp
        mov ebp, esp
        sub esp, 10Ch                   ; [ebp-4] hModule, [ebp-108h] file name, [ebp-10Ch] unmap routine
        push 0
        call @1                         ; GetModuleHandle(NULL)
        mov [ebp-4], eax
        push 104h
        lea eax, [ebp-108h]
        push eax
        mov eax, [ebp-4]
        push eax
        call @2                         ; GetModuleFileName(hModule, buffer, MAX_PATH)
        call @3                         ; GetVersion: high bit set on Win9x/ME
        and eax, 80000000h
        cmp eax, 0
        jz winnt
        mov eax, [FreeLibrary]          ; 9x/ME: release the image with FreeLibrary
        mov [ebp-10Ch], eax
        jmp delete
    winnt:
        mov eax, [UnmapViewOfFile]      ; NT: unmap the image instead
        mov [ebp-10Ch], eax
        push 4
        call @4                         ; CloseHandle(4): the fixed handle the NT path relies on
    delete:
        ; build the chain: unmap routine -> DeleteFile(file name) -> ExitProcess(0)
        lea eax, [ebp-108h]
        push 0                          ; ExitProcess argument
        push 0                          ; return address for ExitProcess (never used)
        push eax                        ; DeleteFile argument
        push dword [ExitProcess]        ; return address for DeleteFile
        push dword [ebp-4]              ; argument for FreeLibrary/UnmapViewOfFile
        push dword [DeleteFile]         ; return address for the unmap routine
        push dword [ebp-10Ch]
        ret                             ; jump to the unmap routine

    @1: jmp dword [GetModuleHandle]
    @2: jmp dword [GetModuleFileName]
    @3: jmp dword [GetVersion]
    @4: jmp dword [CloseHandle]

    .end main

This might possibly work for Win2K, but will never work at all for XP/2K3.
Matrix 09 Sep 2004, 16:16
It's all right on win 98 SE
MATRIX
Madis731 11 Sep 2004, 08:39
Works on 2K SP4
Nikolay Petrov 11 Sep 2004, 18:53
Code:
    ;selfdel.asm
    ;The COMSPEC method - use cmd.exe command line

    format PE GUI 4.0
    include '%fasminc%\win32a.inc'

    section '.code' code readable executable
    entry start

    start:
    ;--------------- Follow Code -----------------
        invoke GetModuleFileName,0,szCmd,255
        invoke GetShortPathName,szCmd,szFile,255
        ; wsprintf is cdecl, so the caller has to clean the stack: cinvoke, not invoke
        cinvoke wsprintf,szCmd,szFormat,szFile
        invoke GetEnvironmentVariable,Cmd,szFile,255
        invoke MessageBox,0,message,title,MB_ICONINFORMATION
        invoke ShellExecute,0,0,szFile,szCmd,0,SW_HIDE
        invoke ExitProcess,0

    ;--------------- Follow Data -----------------
    section '.data' data readable writeable
    Cmd db "ComSpec",0
    szFormat db "/c del %s >> NUL",0
    title db "SelfDelete Demo",0
    message db "When you press OK - file selfdel.exe will be delete.",0
    szFile rb 255
    szCmd rb 255

    ;------------- Follow Import section --------------
    section '.idata' import data readable writeable
    library kernel32,'kernel32.dll',\
            user32, 'user32.dll',\
            shell32, 'shell32.dll'
    include '%fasminc%\apia\kernel32.inc'
    include '%fasminc%\apia\user32.inc'
    include '%fasminc%\apia\shell32.inc'
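Seen from the defender's side, both approaches in this thread leave a recognisable trace in process telemetry: the COMSPEC method above spawns a cmd.exe child whose "/c del" argument names its parent's own image (usually in the 8.3 form returned by GetShortPathName), and the FreeLibrary/UnmapViewOfFile + DeleteFile chain in rwalt's posts shows up as a process deleting its own executable. The following Python is an added example and not code from the thread; the log records are constructed, the field names (EventId, Image, CommandLine, ParentImage, TargetFilename, ProcessId, ParentProcessId) are assumed to follow Sysmon's schema with Event ID 1 for process creation and 23 for FileDelete, and the 8.3 matcher is a heuristic that covers the common "first six characters ~ digit" aliases but not the hash-based aliases Windows generates on collisions.

```python
"""Added detection example (not code from the thread): flag the two
self-delete patterns discussed above in Sysmon-style telemetry.

  * COMSPEC method: a cmd.exe child whose `/c del ...` argument names its
    parent's own image, usually in the 8.3 form GetShortPathName returns.
  * In-process method (FreeLibrary/UnmapViewOfFile + DeleteFile chain):
    a FileDelete record whose TargetFilename is the deleting process's
    own Image.

Field names follow Sysmon (assumed); all records below are constructed.
"""
import os
import re

# Argument list of a `del`/`erase` inside a cmd.exe command line, up to a
# redirection or command separator.
DEL_RE = re.compile(r'(?:^|[\s&|(])(?:del|erase)\b(.*?)(?=\s*(?:>|&|\||$))',
                    re.IGNORECASE)
# 8.3 alias shape: up to six name characters, '~', a digit, optional 3-char
# extension.  Hash-based aliases (e.g. SE1234~1) are not covered: heuristic.
SHORT_RE = re.compile(r'([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?')


def split_path(path):
    """Split a Windows path into components without relying on os.path
    (which treats backslashes as ordinary characters on POSIX)."""
    return [p for p in re.split(r'[\\/]', path.strip('"')) if p]


def name_matches(candidate, long_name):
    """True if `candidate` equals `long_name` (case-insensitively) or looks
    like its 8.3 alias: first six characters of the name with spaces and
    extra dots removed, '~', a digit, then up to three extension chars."""
    cand, longn = candidate.upper(), long_name.upper()
    if cand == longn:
        return True
    m = SHORT_RE.fullmatch(cand)
    if not m:
        return False
    stem, ext = os.path.splitext(longn)
    prefix = re.sub(r'[ .]', '', stem)[:6]
    return prefix.startswith(m.group(1)) and (m.group(2) or '') == ext.lstrip('.')[:3]


def path_matches(candidate, reference):
    """Component-wise comparison so DOWNLO~1\\SELFDE~1.EXE matches
    Downloads\\selfdelete_demo.exe."""
    c, r = split_path(candidate), split_path(reference)
    return len(c) == len(r) and all(name_matches(a, b) for a, b in zip(c, r))


def del_targets(command_line):
    """File names passed to `del`/`erase`, with switches such as /q /f dropped."""
    targets = []
    for m in DEL_RE.finditer(command_line):
        targets += [t.strip('"') for t in m.group(1).split() if not t.startswith('/')]
    return targets


def find_self_delete(records):
    """Return (ProcessId, kind, image) for every record matching a pattern."""
    hits = []
    for r in records:
        if r['EventId'] == 1 and split_path(r['Image'])[-1].lower() == 'cmd.exe':
            for target in del_targets(r['CommandLine']):
                if path_matches(target, r['ParentImage']):
                    hits.append((r['ProcessId'], 'comspec-del', r['ParentImage']))
        elif r['EventId'] == 23 and path_matches(r['TargetFilename'], r['Image']):
            hits.append((r['ProcessId'], 'self-filedelete', r['Image']))
    return hits


SAMPLE = [  # constructed records, not real telemetry
    {'EventId': 1, 'ProcessId': 3012, 'ParentProcessId': 1508,
     'Image': r'C:\Windows\System32\notepad.exe',
     'CommandLine': 'notepad.exe readme.txt',
     'ParentImage': r'C:\Windows\explorer.exe'},
    {'EventId': 1, 'ProcessId': 4188, 'ParentProcessId': 4120,
     'Image': r'C:\WINDOWS\system32\cmd.exe',
     'CommandLine': r'C:\WINDOWS\system32\cmd.exe /c del C:\Users\demo\DOWNLO~1\SELFDE~1.EXE >> NUL',
     'ParentImage': r'C:\Users\demo\Downloads\selfdelete_demo.exe'},
    {'EventId': 1, 'ProcessId': 4201, 'ParentProcessId': 2260,
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'cmd.exe /c del /q C:\build\out\app.log & echo done',
     'ParentImage': r'C:\tools\buildrunner.exe'},
    {'EventId': 23, 'ProcessId': 4352,
     'Image': r'C:\Windows\explorer.exe',
     'TargetFilename': r'C:\Users\demo\Desktop\old.txt'},
    {'EventId': 23, 'ProcessId': 4410,
     'Image': r'C:\Users\demo\Downloads\self-del.exe',
     'TargetFilename': r'C:\Users\demo\Downloads\self-del.exe'},
]

if __name__ == '__main__':
    for pid, kind, image in find_self_delete(SAMPLE):
        print(f'pid {pid}: {kind} -> {image}')
```

Run against the constructed records it reports only the cmd.exe child of selfdelete_demo.exe and the self-del.exe FileDelete; the build-script cleanup of app.log and explorer's deletion of old.txt are left alone. The component-wise path comparison matters because a plain string match would miss the short-name form the COMSPEC method deliberately produces.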
asmdemon 12 Sep 2004, 02:28
works on xp sp2
Rookie 01 Oct 2004, 21:19
Hey, guys, sorry it took me so long to get back to you. Thank you for your solutions. I haven't tested them yet to see if they'll do the trick for me, but I'd still like to thank you.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.