
Интересный метод самоудаления

Видимо, чтобы отрабатывало без возможных багов, зависящих от версии венды, придётся по старинке каким-то способом запускать отдельный дочерний процесс на затирание и удаление файла.
 
Видимо, чтобы отрабатывало без возможных багов, зависящих от версии венды, придётся по старинке каким-то способом запускать отдельный дочерний процесс на затирание и удаление файла.
Да, в принципе обнуление тоже норм — кроме имени там не останется никаких следов.
 
24h2 файл не удаляется но обнуляется до 0 байт
Мне сначала так тоже казалось, а оказалось, что он переносил все данные из основного data stream в другой.
 
Вот этот попробуйте https://www.rotta.rocks/offensive-tool-development/anti-analysis-techniques/anti-debugging-techniques/self-deleting-malware
На C# работает такой код (x86, Any CPU):

C#:
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

/// <summary>
/// Self-deletion of the running executable, as described in the linked article:
/// the primary data stream of the process image is renamed to an alternate data
/// stream (<see cref="NEW_STREAM"/>), then the file's delete disposition is set.
/// Both steps go through SetFileInformationByHandle on a handle opened with
/// DELETE access. Every failure is written to the console with the Win32 error code.
/// For analysts: the observable sequence is a process opening its own image with
/// DELETE access, a rename to a ':'-prefixed stream name, then a delete disposition.
/// The thread above reports that on Windows 11 24H2 the file is left at 0 bytes
/// rather than removed, so the end result is version-dependent.
/// </summary>
public class FileOperations
{
    // Name of the alternate data stream the primary :$DATA stream is renamed to.
    private const string NEW_STREAM = ":wtfbbq";

    // Managed mirror of the native FILE_RENAME_INFO used with FileRenameInfo.
    // FileName is marshalled as a fixed 260-char inline buffer, so the native
    // variable-length name field is over-allocated rather than sized to FileNameLength.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct FILE_RENAME_INFO
    {
        public int ReplaceIfExists;   // set to 1 by DeleteSelf
        public IntPtr RootDirectory;  // left as IntPtr.Zero by DeleteSelf
        public uint FileNameLength;   // byte length of FileName, terminator excluded (Length * sizeof(char))
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
        public string FileName;
    }

    // Managed mirror of the native FILE_DISPOSITION_INFO used with FileDispositionInfo.
    [StructLayout(LayoutKind.Sequential)]
    private struct FILE_DISPOSITION_INFO
    {
        [MarshalAs(UnmanagedType.Bool)]
        public bool DeleteFile;       // true: mark the file for deletion when the last handle closes
    }

    // kernel32!CreateFileW. SetLastError = true so Marshal.GetLastWin32Error() is
    // meaningful after an invalid handle is returned.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern SafeFileHandle CreateFileW(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    // kernel32!GetModuleFileNameW. Called with hModule == IntPtr.Zero, which
    // resolves to the path of the current process image.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern uint GetModuleFileNameW(
        IntPtr hModule,
        [Out] char[] lpFilename,
        uint nSize);

    // kernel32!SetFileInformationByHandle. FileInformationClass selects which
    // FILE_*_INFO structure pFileInformation points at.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool SetFileInformationByHandle(
        SafeFileHandle hFile,
        int FileInformationClass,
        IntPtr pFileInformation,
        uint dwBufferSize);

    // Win32 access rights / share mode / creation disposition used by ExecuteFileOperation.
    private const uint DELETE = 0x00010000;
    private const uint SYNCHRONIZE = 0x00100000;
    private const uint FILE_SHARE_READ = 0x00000001;   // presumably required because the image is still mapped — verify
    private const uint OPEN_EXISTING = 3;
    // FILE_INFO_BY_HANDLE_CLASS values passed as infoClass.
    private const int FileRenameInfo = 3;
    private const int FileDispositionInfo = 4;

    /// <summary>
    /// Returns the full path of the running process image, or null when
    /// GetModuleFileNameW fails (the Win32 error code is written to the console).
    /// The buffer is a fixed 260 chars; a longer path would be truncated by the
    /// API and that case is not detected here.
    /// </summary>
    private static string GetCurrentExecutablePath()
    {
        char[] pathBuffer = new char[260];
        uint length = GetModuleFileNameW(IntPtr.Zero, pathBuffer, (uint)pathBuffer.Length);
        if (length == 0)
        {
            int error = Marshal.GetLastWin32Error();
            Console.WriteLine($"[!] GetModuleFileNameW Failed With Error: {error}");
            return null;
        }

        return new string(pathBuffer, 0, (int)length);
    }

    /// <summary>
    /// Opens the current executable with DELETE | SYNCHRONIZE access and applies a
    /// single SetFileInformationByHandle call to it. The path is resolved afresh on
    /// every call, and the handle is closed at the end of the using block before
    /// returning.
    /// </summary>
    /// <param name="infoClass">FILE_INFO_BY_HANDLE_CLASS value (FileRenameInfo or FileDispositionInfo).</param>
    /// <param name="infoPtr">Unmanaged pointer to the matching FILE_*_INFO structure; owned and freed by the caller.</param>
    /// <param name="size">Size in bytes of the structure behind <paramref name="infoPtr"/>.</param>
    /// <returns>true when the call succeeded; false after logging the failing API and its Win32 error.</returns>
    private static bool ExecuteFileOperation(int infoClass, IntPtr infoPtr, int size)
    {
        string filePath = GetCurrentExecutablePath();
        if (string.IsNullOrEmpty(filePath)) return false;

        using (SafeFileHandle handle = CreateFileW(
            filePath,
            DELETE | SYNCHRONIZE,
            FILE_SHARE_READ,
            IntPtr.Zero,
            OPEN_EXISTING,
            0,
            IntPtr.Zero))
        {
            if (handle.IsInvalid)
            {
                Console.WriteLine($"[!] CreateFileW Failed With Error: {Marshal.GetLastWin32Error()}");
                return false;
            }

            if (!SetFileInformationByHandle(handle, infoClass, infoPtr, (uint)size))
            {
                Console.WriteLine($"[!] SetFileInformationByHandle Failed With Error: {Marshal.GetLastWin32Error()}");
                return false;
            }
        }

        return true;
    }

    /// <summary>
    /// Two-step self-deletion: (1) rename the primary data stream to NEW_STREAM,
    /// (2) set the delete disposition. Each step prints "[+] DONE" on success;
    /// a failed rename is only logged and the disposition step still runs.
    /// Any managed exception is caught and its message printed; nothing is rethrown.
    /// Note: there is no try/finally around the FreeHGlobal calls, so if
    /// StructureToPtr or ExecuteFileOperation throws, the unmanaged buffer is leaked.
    /// </summary>
    public static void DeleteSelf()
    {
        try
        {
            // Step 1: build the rename request (target is a stream name, not a new file name).
            var renameInfo = new FILE_RENAME_INFO
            {
                ReplaceIfExists = 1,
                RootDirectory = IntPtr.Zero,
                FileNameLength = (uint)(NEW_STREAM.Length * sizeof(char)),
                FileName = NEW_STREAM
            };

            // Copy the struct into unmanaged memory; size is the marshalled size,
            // i.e. it includes the full 260-char FileName buffer.
            int renameSize = Marshal.SizeOf<FILE_RENAME_INFO>();
            IntPtr renamePtr = Marshal.AllocHGlobal(renameSize);
            Marshal.StructureToPtr(renameInfo, renamePtr, false);

            Console.WriteLine($"[i] Renaming :$DATA to {NEW_STREAM} ...");
            if (ExecuteFileOperation(FileRenameInfo, renamePtr, renameSize))
                Console.WriteLine("[+] DONE");

            Marshal.FreeHGlobal(renamePtr);

            // Step 2: request deletion; the handle close inside ExecuteFileOperation
            // is when the disposition is expected to take effect.
            var disposeInfo = new FILE_DISPOSITION_INFO { DeleteFile = true };
            int disposeSize = Marshal.SizeOf<FILE_DISPOSITION_INFO>();
            IntPtr disposePtr = Marshal.AllocHGlobal(disposeSize);
            Marshal.StructureToPtr(disposeInfo, disposePtr, false);

            Console.WriteLine("[i] DELETING ...");
            if (ExecuteFileOperation(FileDispositionInfo, disposePtr, disposeSize))
                Console.WriteLine("[+] DONE");

            Marshal.FreeHGlobal(disposePtr);
        }
        catch (Exception ex)
        {
            Console.WriteLine($"[!] Exception: {ex.Message}");
        }
    }

    /// <summary>
    /// Entry point: runs <see cref="DeleteSelf"/> and then blocks on a key press
    /// so the console output stays visible while the process is still alive.
    /// </summary>
    public static void Main()
    {
        DeleteSelf();
        Console.ReadKey();
    }
}
111111111111119.png

P.S: Windows 11 x64 pro
 
Вот этот попробуйте https://www.rotta.rocks/offensive-tool-development/anti-analysis-techniques/anti-debugging-techniques/self-deleting-malware
На C# работает такой код (x86, Any CPU):

C#:
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

/// <summary>
/// Self-deletion of the running executable, as described in the linked article:
/// the primary data stream of the process image is renamed to an alternate data
/// stream (<see cref="NEW_STREAM"/>), then the file's delete disposition is set.
/// Both steps go through SetFileInformationByHandle on a handle opened with
/// DELETE access. Every failure is written to the console with the Win32 error code.
/// For analysts: the observable sequence is a process opening its own image with
/// DELETE access, a rename to a ':'-prefixed stream name, then a delete disposition.
/// The thread above reports that on Windows 11 24H2 the file is left at 0 bytes
/// rather than removed, so the end result is version-dependent.
/// </summary>
public class FileOperations
{
    // Name of the alternate data stream the primary :$DATA stream is renamed to.
    private const string NEW_STREAM = ":wtfbbq";

    // Managed mirror of the native FILE_RENAME_INFO used with FileRenameInfo.
    // FileName is marshalled as a fixed 260-char inline buffer, so the native
    // variable-length name field is over-allocated rather than sized to FileNameLength.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct FILE_RENAME_INFO
    {
        public int ReplaceIfExists;   // set to 1 by DeleteSelf
        public IntPtr RootDirectory;  // left as IntPtr.Zero by DeleteSelf
        public uint FileNameLength;   // byte length of FileName, terminator excluded (Length * sizeof(char))
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
        public string FileName;
    }

    // Managed mirror of the native FILE_DISPOSITION_INFO used with FileDispositionInfo.
    [StructLayout(LayoutKind.Sequential)]
    private struct FILE_DISPOSITION_INFO
    {
        [MarshalAs(UnmanagedType.Bool)]
        public bool DeleteFile;       // true: mark the file for deletion when the last handle closes
    }

    // kernel32!CreateFileW. SetLastError = true so Marshal.GetLastWin32Error() is
    // meaningful after an invalid handle is returned.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern SafeFileHandle CreateFileW(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    // kernel32!GetModuleFileNameW. Called with hModule == IntPtr.Zero, which
    // resolves to the path of the current process image.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern uint GetModuleFileNameW(
        IntPtr hModule,
        [Out] char[] lpFilename,
        uint nSize);

    // kernel32!SetFileInformationByHandle. FileInformationClass selects which
    // FILE_*_INFO structure pFileInformation points at.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool SetFileInformationByHandle(
        SafeFileHandle hFile,
        int FileInformationClass,
        IntPtr pFileInformation,
        uint dwBufferSize);

    // Win32 access rights / share mode / creation disposition used by ExecuteFileOperation.
    private const uint DELETE = 0x00010000;
    private const uint SYNCHRONIZE = 0x00100000;
    private const uint FILE_SHARE_READ = 0x00000001;   // presumably required because the image is still mapped — verify
    private const uint OPEN_EXISTING = 3;
    // FILE_INFO_BY_HANDLE_CLASS values passed as infoClass.
    private const int FileRenameInfo = 3;
    private const int FileDispositionInfo = 4;

    /// <summary>
    /// Returns the full path of the running process image, or null when
    /// GetModuleFileNameW fails (the Win32 error code is written to the console).
    /// The buffer is a fixed 260 chars; a longer path would be truncated by the
    /// API and that case is not detected here.
    /// </summary>
    private static string GetCurrentExecutablePath()
    {
        char[] pathBuffer = new char[260];
        uint length = GetModuleFileNameW(IntPtr.Zero, pathBuffer, (uint)pathBuffer.Length);
        if (length == 0)
        {
            int error = Marshal.GetLastWin32Error();
            Console.WriteLine($"[!] GetModuleFileNameW Failed With Error: {error}");
            return null;
        }

        return new string(pathBuffer, 0, (int)length);
    }

    /// <summary>
    /// Opens the current executable with DELETE | SYNCHRONIZE access and applies a
    /// single SetFileInformationByHandle call to it. The path is resolved afresh on
    /// every call, and the handle is closed at the end of the using block before
    /// returning.
    /// </summary>
    /// <param name="infoClass">FILE_INFO_BY_HANDLE_CLASS value (FileRenameInfo or FileDispositionInfo).</param>
    /// <param name="infoPtr">Unmanaged pointer to the matching FILE_*_INFO structure; owned and freed by the caller.</param>
    /// <param name="size">Size in bytes of the structure behind <paramref name="infoPtr"/>.</param>
    /// <returns>true when the call succeeded; false after logging the failing API and its Win32 error.</returns>
    private static bool ExecuteFileOperation(int infoClass, IntPtr infoPtr, int size)
    {
        string filePath = GetCurrentExecutablePath();
        if (string.IsNullOrEmpty(filePath)) return false;

        using (SafeFileHandle handle = CreateFileW(
            filePath,
            DELETE | SYNCHRONIZE,
            FILE_SHARE_READ,
            IntPtr.Zero,
            OPEN_EXISTING,
            0,
            IntPtr.Zero))
        {
            if (handle.IsInvalid)
            {
                Console.WriteLine($"[!] CreateFileW Failed With Error: {Marshal.GetLastWin32Error()}");
                return false;
            }

            if (!SetFileInformationByHandle(handle, infoClass, infoPtr, (uint)size))
            {
                Console.WriteLine($"[!] SetFileInformationByHandle Failed With Error: {Marshal.GetLastWin32Error()}");
                return false;
            }
        }

        return true;
    }

    /// <summary>
    /// Two-step self-deletion: (1) rename the primary data stream to NEW_STREAM,
    /// (2) set the delete disposition. Each step prints "[+] DONE" on success;
    /// a failed rename is only logged and the disposition step still runs.
    /// Any managed exception is caught and its message printed; nothing is rethrown.
    /// Note: there is no try/finally around the FreeHGlobal calls, so if
    /// StructureToPtr or ExecuteFileOperation throws, the unmanaged buffer is leaked.
    /// </summary>
    public static void DeleteSelf()
    {
        try
        {
            // Step 1: build the rename request (target is a stream name, not a new file name).
            var renameInfo = new FILE_RENAME_INFO
            {
                ReplaceIfExists = 1,
                RootDirectory = IntPtr.Zero,
                FileNameLength = (uint)(NEW_STREAM.Length * sizeof(char)),
                FileName = NEW_STREAM
            };

            // Copy the struct into unmanaged memory; size is the marshalled size,
            // i.e. it includes the full 260-char FileName buffer.
            int renameSize = Marshal.SizeOf<FILE_RENAME_INFO>();
            IntPtr renamePtr = Marshal.AllocHGlobal(renameSize);
            Marshal.StructureToPtr(renameInfo, renamePtr, false);

            Console.WriteLine($"[i] Renaming :$DATA to {NEW_STREAM} ...");
            if (ExecuteFileOperation(FileRenameInfo, renamePtr, renameSize))
                Console.WriteLine("[+] DONE");

            Marshal.FreeHGlobal(renamePtr);

            // Step 2: request deletion; the handle close inside ExecuteFileOperation
            // is when the disposition is expected to take effect.
            var disposeInfo = new FILE_DISPOSITION_INFO { DeleteFile = true };
            int disposeSize = Marshal.SizeOf<FILE_DISPOSITION_INFO>();
            IntPtr disposePtr = Marshal.AllocHGlobal(disposeSize);
            Marshal.StructureToPtr(disposeInfo, disposePtr, false);

            Console.WriteLine("[i] DELETING ...");
            if (ExecuteFileOperation(FileDispositionInfo, disposePtr, disposeSize))
                Console.WriteLine("[+] DONE");

            Marshal.FreeHGlobal(disposePtr);
        }
        catch (Exception ex)
        {
            Console.WriteLine($"[!] Exception: {ex.Message}");
        }
    }

    /// <summary>
    /// Entry point: runs <see cref="DeleteSelf"/> and then blocks on a key press
    /// so the console output stays visible while the process is still alive.
    /// </summary>
    public static void Main()
    {
        DeleteSelf();
        Console.ReadKey();
    }
}
P.S: Windows 11 x64 pro
Последняя версия Windows 11?
На Windows 11 24H2 (OS Build 26100.4061) получаю такой результат:
Screenshot_20250623_185653.png
 
Последняя версия Windows 11?
На Windows 11 24H2 (OS Build 26100.4061) получаю такой результат:
22H2 (OS Build 2621.1702)
 

