flat assembler
Message board for the users of flat assembler.

Index > Windows > Self-deleting file

Rookie



Joined: 21 Aug 2003
Posts: 44
Location: Planet Romania
Rookie
Can anyone give a piece of code of an exe that can do this?
Although I haven't tried it, common sense tells me that DeleteFile would cause a 'File In Use' error or something like that. I remember seeing somewhere something about it. The exe would copy itself somewhere in memory and run from there, thus being able to delete itself (they referred to it as virus coding, I think). But I can't remember where. Nor how they did it (it was written in C, and I was just getting acquainted with it). Or maybe it's much simpler than that, but I haven't got a clue on how to do it. So, can anybody help me please?

PS: the 'virus coding' I mentioned earlier, I think it's a programming technique. I don't really know. I say this only to assure you that I'm not trying to write 'malicious code'. I'm working on a scriptable install system, and need the self-deleting capabilities for the uninstall.exe.

_________________
This is who I choose to be.
Post 02 Aug 2004, 19:42
JohnFound



Joined: 16 Jun 2003
Posts: 3502
Location: Bulgaria
JohnFound
There are a lot of solutions (including with .bat files), but the only two pure assembly solutions I saw were:
1. Using the stack to create code that is executed from the kernel (on some ret) after terminating the process.
2. Code injection into another process that works in memory (for example explorer.exe), which waits for the base process to terminate and then deletes the file.
AFAIK, comrade was the author of one example about something similar: writing data into a self executable: http://comrade64.cjb.net/src-asm.en.htm

Regards.
Post 02 Aug 2004, 20:25
silkodyssey



Joined: 02 Oct 2003
Posts: 198
Location: St.Vincent & the Grenadines
silkodyssey
Some of the programs here may be helpful to you.
http://www.ols-lab.com/devcorner/tasm32/

_________________
silkodyssey
Post 02 Aug 2004, 22:12
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
It is possible in Windows 2000 (not sure about NT4), but not Windows XP. The trick is to destroy the kernel object (a section object) that locks the file, and then do a trick with a chained call that would delete the file and quit immediately. This does not work in XP because the handle for the section object is random and unknown, but is fixed and known in Windows 2000.

More info here:
http://www.catch22.org.uk/tuts/selfdel.asp

and here:
http://www.wasm.ru/forum/index.php?action=vthread&forum=4&topic=2569&page=1

You are interested in the .zip attachment in Four-F's post.

_________________
comrade (comrade64@live.com; http://comrade.ownz.com/)
Post 03 Aug 2004, 00:07
Rookie



Joined: 21 Aug 2003
Posts: 44
Location: Planet Romania
Rookie
Thanx! A lot! Now to get to work... (If anybody's interested in taking a look at the project, just say so)
Post 03 Aug 2004, 22:53
Rookie



Joined: 21 Aug 2003
Posts: 44
Location: Planet Romania
Rookie
I used the 5th example from http://www.catch22.org.uk/tuts/selfdel.asp
I made an asm version of it (which I also attached). Unfortunately, it doesn't seem to work. I traced the problem to the VirtualProtectEx call, which fails. I think it's because entrypoint is not calculated correctly.
In the C source code it's something like this:
Code:
entrypoint = (context.Esp - sizeof(SELFDEL)) & ~0x1F    

which I translated as
Code:
        mov     eax,1Fh
        not     eax
        mov     ebx,[context.Esp]
        sub     ebx,sizeof.SELFDEL
        and     eax,ebx
        mov     [entrypoint],eax    

Did I do it right? And if so, can anybody tell me where's the bug?


Attachment: selfdel.zip (6.41 KB, downloaded 187 times)


_________________
This is who I choose to be.
Post 05 Aug 2004, 11:54
rwalt



Joined: 27 Apr 2004
Posts: 19
Location: Illinois, USA
rwalt
I translated a TASM example (which I believe is the only example in assembler) of a self-deleting EXE. Using OllyDbg I finally got this to work...
Code:
include '%fasminc%/win32ax.inc'

MAX_PATH = 104h
STACK_CODE_SIZE = 9h            ;byte length of stack_code below

.code
; This stub is copied onto the stack and run from there, so it stays valid
; after the executable image is released. It consumes the values pushed in
; start, from the top of the stack down:
;   FreeLibrary, hModule, DeleteFile, path, ExitProcess
stack_code:
        pop     eax
        call    eax ;call FreeLibrary(hModule)
        pop     eax
        call    eax ;call DeleteFile(path)
        ret     (MAX_PATH + STACK_CODE_SIZE - 4h) ;return into ExitProcess, discarding the buffer

start:
        sub     esp, (MAX_PATH + STACK_CODE_SIZE) ;room for the stub and the path buffer
        mov     edi, esp

        mov     ebx, edi                ;ebx = address of the copied stub
        mov     ecx, STACK_CODE_SIZE
        mov     esi, stack_code
        rep     movsb                   ;edi now points at the path buffer, ecx = 0

        push    MAX_PATH
        push    edi
        push    ecx                     ;hModule = NULL
        call    L1                      ;GetModuleFileName(NULL, buffer, MAX_PATH)

        mov     eax, L2                 ;L2 is "jmp [ExitProcess]" = FF 25 <IAT slot>
        mov     eax, [eax + 2h]         ;fetch the address of the IAT slot
        push    dword [eax]             ;push the address of ExitProcess

        push    edi                     ;argument for DeleteFile: the path

        mov     eax, L3
        mov     eax, [eax + 2h]
        push    dword [eax]             ;push the address of DeleteFile

        push    0h
        call    L4                      ;GetModuleHandle(NULL)

        push    eax                     ;argument for FreeLibrary: hModule

        mov     eax, L5
        mov     eax, [eax + 2h]
        push    dword [eax]             ;push the address of FreeLibrary

        jmp     ebx                     ;run the stub on the stack

    L1: jmp     [GetModuleFileName]
    L2: jmp     [ExitProcess]
    L3: jmp     [DeleteFile]
    L4: jmp     [GetModuleHandle]
    L5: jmp     [FreeLibrary]

.end start
    

This will work on both 9x and ME. To possibly get it to work on NT you will have to replace FreeLibrary with UnmapViewOfFile.
Post 07 Sep 2004, 00:13
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
nope, it doesn't work that way:(
Post 08 Sep 2004, 20:59
rwalt



Joined: 27 Apr 2004
Posts: 19
Location: Illinois, USA
rwalt
Madis731 wrote:
nope, it doesn't work that way:(


I think I have got it to work, try this code...
Code:
; SELF-DEL.ASM
; Self-deleting executable file code
; For Windows 9x/ME/NT

include '%fasminc%/win32ax.inc'

.code
main:
        push    ebp
        mov     ebp, esp

        sub     esp, 10Ch               ;[ebp-4] = hModule, [ebp-108h] = path, [ebp-10Ch] = release function

        push    0
        call    @1                      ;GetModuleHandle(NULL)
        mov     [ebp-4], eax

        push    104h
        lea     eax, [ebp-108h]
        push    eax
        mov     eax, [ebp-4]
        push    eax
        call    @2                      ;GetModuleFileName(hModule, path, MAX_PATH)

        call    @3                      ;GetVersion: high bit set on 9x/ME, clear on NT
        and     eax, 80000000h
        cmp     eax, 0
        jz      winnt

        mov     eax, [FreeLibrary]      ;9x/ME: FreeLibrary releases the image
        mov     [ebp-10Ch], eax
        jmp     delete

    winnt:
        mov     eax, [UnmapViewOfFile]  ;NT: unmap the image instead
        mov     [ebp-10Ch], eax
        push    4
        call    @4                      ;CloseHandle(4): the section handle that locks the file

    delete:
        lea     eax, [ebp-108h]
        ; Build a chain of stdcall frames so that each "ret" lands in the next API:
        ;   release(hModule) -> DeleteFile(path) -> ExitProcess(0)
        push    0                       ;ExitProcess argument: exit code
        push    0                       ;return address for ExitProcess (never used)
        push    eax                     ;DeleteFile argument: path
        push    dword [ExitProcess]     ;DeleteFile returns into ExitProcess
        push    dword [ebp-4]           ;FreeLibrary/UnmapViewOfFile argument: hModule
        push    dword [DeleteFile]      ;release function returns into DeleteFile
        push    dword [ebp-10Ch]
        ret                             ;jump to FreeLibrary or UnmapViewOfFile

    @1: jmp     dword [GetModuleHandle]
    @2: jmp     dword [GetModuleFileName]
    @3: jmp     dword [GetVersion]
    @4: jmp     dword [CloseHandle]

.end main
    


This might possibly work for Win2K, but will never work at all for XP/2K3.
Post 09 Sep 2004, 16:08
Matrix



Joined: 04 Sep 2004
Posts: 1171
Location: Overflow
Matrix
It's all right on Win 98 SE

MATRIX
Post 09 Sep 2004, 16:16
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
Works on 2K SP4
Post 11 Sep 2004, 08:39
Nikolay Petrov



Joined: 22 Apr 2004
Posts: 101
Location: Bulgaria
Nikolay Petrov
Code:
;selfdel.asm
;The COMSPEC method - use cmd.exe command line
format PE GUI 4.0

include '%fasminc%\win32a.inc'

section '.code' code readable executable
entry start
start:
;--------------- Follow Code -----------------
    invoke GetModuleFileName,0,szCmd,255        ;szCmd = full path of this exe
    invoke GetShortPathName,szCmd,szFile,255    ;szFile = 8.3 form, safe for del
    cinvoke wsprintf,szCmd,szFormat,szFile      ;szCmd = "/c del <path> >> NUL" (wsprintf is cdecl)
    invoke GetEnvironmentVariable,Cmd,szFile,255 ;szFile = %ComSpec% (cmd.exe)
    invoke MessageBox,0,message,title,MB_ICONINFORMATION
    invoke ShellExecute,0,0,szFile,szCmd,0,SW_HIDE ;cmd.exe deletes the file once we have exited
    invoke ExitProcess,0

;--------------- Follow Data -----------------
section '.data' data readable writeable

Cmd db "ComSpec",0
szFormat db "/c del %s >> NUL",0
title db "SelfDelete Demo",0
message db "When you press OK - file selfdel.exe will be delete.",0
szFile rb 255
szCmd  rb 255


;------------- Follow Import section --------------
section '.idata' import data readable writeable

 library kernel32,'kernel32.dll',\
         user32,  'user32.dll',\
         shell32, 'shell32.dll'

        include '%fasminc%\apia\kernel32.inc'
        include '%fasminc%\apia\user32.inc'
        include '%fasminc%\apia\shell32.inc'
Post 11 Sep 2004, 18:53
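The COMSPEC method in the post above leaves a distinctive trace in process-creation telemetry: the executable resolves %ComSpec% and launches it with a command line of the form `/c del <its own path> >> NUL`, so the logged cmd.exe child names its own parent's image in the `del` argument. The following is an added detection example, not code from the thread or from its authors, that flags that shape over constructed Sysmon-style records; the record field names (ParentImage, Image, CommandLine) and the sample paths are assumptions made for the example.

```python
"""Flag cmd.exe children that are told to delete their parent's own image.

Added example: the event shape is assumed (Sysmon-like ParentImage / Image /
CommandLine fields) and the sample records are constructed, not captured.
"""
import ntpath
import re
from typing import Iterable, List, Optional

# Matches "/c del X" or "/c erase X" with X either quoted or a bare token.
_DEL_RE = re.compile(
    r'/c\s+(?:del|erase)\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)


def delete_target(command_line: str) -> Optional[str]:
    """Return the path handed to 'del' in a cmd /c command line, or None."""
    m = _DEL_RE.search(command_line)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def is_self_delete(event: dict) -> bool:
    """True when a cmd.exe/command.com child deletes its parent's image file.

    Comparison is on the final path component, case-insensitively, because the
    code in the thread passes the GetShortPathName (8.3) form while the parent
    image is usually logged as a long path; directory mangling such as
    PROGRA~1 then does not matter, but a mangled file name (UNINST~1.EXE)
    would need a short-name resolver that this example does not include.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in ("cmd.exe", "command.com"):
        return False
    target = delete_target(event.get("CommandLine", ""))
    if target is None:
        return False
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return parent != "" and ntpath.basename(target).lower() == parent


def find_self_deletes(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that match the self-delete pattern."""
    return [e for e in events if is_self_delete(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # the pattern from the thread: the parent spawns cmd to delete itself
        "ParentImage": r"C:\Temp\selfdel.exe",
        "Image": r"C:\WINDOWS\system32\cmd.exe",
        "CommandLine": r"C:\WINDOWS\system32\cmd.exe /c del C:\Temp\selfdel.exe >> NUL",
    },
    {   # benign: an installer deleting a temporary file, not itself
        "ParentImage": r"C:\Program Files\App\setup.exe",
        "Image": r"C:\WINDOWS\system32\cmd.exe",
        "CommandLine": r'cmd.exe /c del "C:\Users\u\AppData\Local\Temp\~tmp1.dat"',
    },
    {   # benign: cmd.exe that is not deleting anything
        "ParentImage": r"C:\WINDOWS\explorer.exe",
        "Image": r"C:\WINDOWS\system32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Temp",
    },
]

if __name__ == "__main__":
    for hit in find_self_deletes(SAMPLE_EVENTS):
        print("self-delete via ComSpec:", hit["ParentImage"], "->", hit["CommandLine"])
```

Note that an uninstaller built this way is a legitimate source of this event, so the rule is a hunting lead to be joined with the parent's signer and install location rather than an alert on its own.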
asmdemon



Joined: 18 Jan 2004
Posts: 97
Location: Virginia Beach, VA
asmdemon
works on xp sp2
Post 12 Sep 2004, 02:28
Rookie



Joined: 21 Aug 2003
Posts: 44
Location: Planet Romania
Rookie
Hey, guys, sooory it took me so long to get back to you. Thank you for your solutions. I haven't tested them yet to see if they'll do the trick for me, but I'd still like to thank you.
Post 01 Oct 2004, 21:19
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.