How to delete all files and folders of a rootkit while the rootkit is running?

Hi,

As everyone knows, there are several anti-rootkit programs that are able to delete all files and folders of any rootkit even while the rootkit is running; the same is also possible for protected folders or files.

Today I have the code below, which is able to delete all files and subfolders of a given folder defined in the source code. The problem is that this code is not able to delete them while the rootkit is running, nor protected folders or files.

Does someone have an idea how to do this, or has someone already made a project that required this feature?


#include <ntifs.h>

// Local alias; the rest of the listing uses the DDK types directly.
typedef unsigned int UINT;

// Size of the scratch buffer handed to NtQueryDirectoryFile (one page).
#define ALLOCSIZE PAGE_SIZE
// When defined the traversal really deletes: every object is opened with
// FILE_DELETE_ON_CLOSE and its READONLY attribute is cleared beforehand.
// Leave it undefined for a dry run that only lists the tree through DbgPrint.
#define REAL_DELETE

#ifdef REAL_DELETE
#define USE_DELETE_ON_CLOSE FILE_DELETE_ON_CLOSE
#else
// Dry run: ntTraverse only recurses into directories in this mode, so
// FILE_DIRECTORY_FILE occupies the same create-option slot and merely
// asserts that the opened object is a directory.
#define USE_DELETE_ON_CLOSE FILE_DIRECTORY_FILE
#endif

// Helpers that build file-scope constant UNICODE_STRING / OBJECT_ATTRIBUTES
// objects with a generated identifier.
// NOTE(review): `label()` and the bare `LINE` token look like extraction
// damage (underscores of a __LINE__-based name generator dropped); confirm
// against the original source before compiling.
#define echo(x) x
#define label(x) echo(x) LINE
// {Length, MaximumLength, Buffer} for a wide string literal: Length excludes
// the terminating NUL, MaximumLength includes it.
#define RTL_CONSTANT_STRINGW(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ),(PWSTR)(s) }

// Defines a static const WCHAR array from a narrow literal (the L##str paste
// turns "..." into L"...") and a static const UNICODE_STRING `name` over it.
#define STATIC_UNICODE_STRING(name, str) static const WCHAR label()[] = L##str; static const UNICODE_STRING name = RTL_CONSTANT_STRINGW(label())

// Static OBJECT_ATTRIBUTES `oa` for an absolute name: no RootDirectory
// (second member is 0), case-insensitive lookup.
#define STATIC_OBJECT_ATTRIBUTES(oa, name) STATIC_UNICODE_STRING(label(m), name); static OBJECT_ATTRIBUTES oa = { sizeof oa, 0, (PUNICODE_STRING)&label(m), OBJ_CASE_INSENSITIVE }

// int nLevel, PSTR prefix for debug only
// Recursively walks (and, when REAL_DELETE is defined, deletes) the file
// system tree rooted at *poa.
//
// poa            object attributes of the directory or file to process; in
//                the recursive calls below this is a child name relative to
//                the parent's open handle (oa.RootDirectory).
// FileAttributes attributes of that object as reported by the parent's
//                directory listing (or assumed by the caller for the root).
// nLevel, prefix debug only: recursion depth, and a pointer into a buffer of
//                '\t' characters that is moved back one byte per level (see
//                ntTraverse(void)), so DbgPrint output is indented by depth.
//
// Deletion relies on FILE_DELETE_ON_CLOSE (via USE_DELETE_ON_CLOSE): the
// object is opened here, its children are processed while the handle is
// open, and the NtClose at the end of the function performs the delete.
// There is no return value; failures are only reported through DbgPrint.
// NOTE(review): the quote characters in the DbgPrint literals and '.'
// constants below are typographic quotes from the page rendering; the
// compiled source must use plain " and '.
void ntTraverse(POBJECT_ATTRIBUTES poa, ULONG FileAttributes, int nLevel, PSTR prefix)
{
    // Recursion guard: each level consumes kernel stack, so stop before less
    // than a page is left rather than overflow the thread's stack.
    if (IoGetRemainingStackSize() < PAGE_SIZE)
    {
        DbgPrint(“no stack!\n”);
        return;
    }

    // The caller's prefix buffer holds MAXUCHAR tabs and `prefix` is
    // decremented once per level (see the recursive call), so a deeper tree
    // would walk off the front of that buffer.
    if (nLevel > MAXUCHAR)
    {
        DbgPrint(“nLevel > MAXUCHAR\n”);
        return;
    }

    NTSTATUS status;
    IO_STATUS_BLOCK iosb;
    UNICODE_STRING ObjectName;
    // oa.RootDirectory receives the handle opened below; ObjectName is then
    // filled with each child's name so the recursive call opens relative to it.
    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName };

    DbgPrint(“%s[<%wZ>]\n”, prefix, poa->ObjectName);

#ifdef REAL_DELETE
    // A read-only object cannot be opened with FILE_DELETE_ON_CLOSE, so reset
    // its attributes to FILE_ATTRIBUTE_NORMAL first.  The zeroed timestamps
    // in fbi are treated as "do not change".
    // NOTE(review): the NtSetInformationFile result is not checked; if it
    // fails, the delete-on-close open below fails and is logged instead.
    if (FileAttributes & FILE_ATTRIBUTE_READONLY)
    {
        if (0 <= NtOpenFile(&oa.RootDirectory, FILE_WRITE_ATTRIBUTES, poa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_OPEN_FOR_BACKUP_INTENT | FILE_OPEN_REPARSE_POINT))
        {
            static FILE_BASIC_INFORMATION fbi = { {},{},{},{}, FILE_ATTRIBUTE_NORMAL };
            NtSetInformationFile(oa.RootDirectory, &iosb, &fbi, sizeof(fbi), FileBasicInformation);
            NtClose(oa.RootDirectory);
        }
    }
#endif//REAL_DELETE

    // Open the object itself.  FILE_OPEN_REPARSE_POINT opens a junction or
    // symbolic link as the link object instead of following it, so a link
    // inside the tree cannot redirect the traversal (and the delete) outside
    // the root.  FILE_SHARE_VALID_FLAGS allows every sharing mode on our side;
    // an existing handle that does not share delete access still makes this
    // open fail, and the object is then only logged below, not deleted.
    // Under REAL_DELETE the handle is delete-on-close.
    if (0 <= (status = NtOpenFile(&oa.RootDirectory, FILE_GENERIC_READ, poa, &iosb, FILE_SHARE_VALID_FLAGS,
        FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_REPARSE_POINT | FILE_OPEN_FOR_BACKUP_INTENT | USE_DELETE_ON_CLOSE)))
    {
        if (FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            // One page of scratch space for the directory listing.
            // NOTE(review): untagged ExAllocatePool (ExAllocatePoolWithTag is
            // the usual form in driver code).  An allocation failure is
            // silent: status still holds the success code from NtOpenFile.
            if (PVOID buffer = ExAllocatePool(PagedPool, ALLOCSIZE))
            {
                // Three views of one cursor into `buffer`: pv for the query
                // call, pb for byte arithmetic, DirInfo for the current entry.
                union {
                    PVOID pv;
                    PUCHAR pb;
                    PFILE_DIRECTORY_INFORMATION DirInfo;
                };

                // Each call fills the buffer with as many entries as fit and
                // resets the cursor (pv = buffer) to the first one.
                while (0 <= (status = NtQueryDirectoryFile(oa.RootDirectory, NULL, NULL, NULL, &iosb,
                    pv = buffer, ALLOCSIZE, FileDirectoryInformation, 0, NULL, FALSE)))
                {

                    ULONG NextEntryOffset = 0;

                    do
                    {
                        // Advance to the next entry (offset 0 on the first pass).
                        pb += NextEntryOffset;

                        // The name is not NUL-terminated: it is described by
                        // FileNameLength (bytes) and points into `buffer`.
                        ObjectName.Buffer = DirInfo->FileName;

                        // Skip the "." and ".." pseudo-entries; `continue`
                        // inside the switch jumps to the do/while condition.
                        switch (ObjectName.Length = (USHORT)DirInfo->FileNameLength)
                        {
                        case 2 * sizeof(WCHAR) :
                            if (ObjectName.Buffer[1] != ‘.’) break;
                            /* fallthrough: second char is '.', now check the first */
                        case sizeof(WCHAR) :
                            if (ObjectName.Buffer[0] == ‘.’) continue;
                        }

                        ObjectName.MaximumLength = ObjectName.Length;

                        // REAL_DELETE: every child, file or directory, is
                        // recursed into and thus opened delete-on-close by
                        // the nested call.  Dry run: only directories recurse;
                        // files are just listed with their size.
#ifndef REAL_DELETE
                        if (DirInfo->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
#endif
                        {
                            // prefix - 1 adds one '\t' of indentation per level.
                            ntTraverse(&oa, DirInfo->FileAttributes, nLevel + 1, prefix - 1);
                        }
#ifndef REAL_DELETE
                        else
#endif
                        {
                            DbgPrint(“%s%8I64u <%wZ>\n”, prefix, DirInfo->EndOfFile.QuadPart, &ObjectName);
                        }

                    } while (NextEntryOffset = DirInfo->NextEntryOffset); // 0 marks the last entry in this batch

                    // Early exit (inferred from the NO_MORE_FILES comment,
                    // confirm): if the space left after this batch could
                    // still have held a maximal entry (header + 256 WCHARs of
                    // name), the listing must be exhausted, so the extra
                    // query that would return STATUS_NO_MORE_FILES is skipped.
                    if (ALLOCSIZE - iosb.Information > FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName[256]))
                    {
                        break;//NO_MORE_FILES
                    }
                }

                ExFreePool(buffer);

                // Running off the end of the listing is the normal outcome.
                if (status == STATUS_NO_MORE_FILES)
                {
                    status = STATUS_SUCCESS;
                }
            }
        }

        // With FILE_DELETE_ON_CLOSE this close is what deletes the object;
        // all children were handled above, so a directory is empty by now.
        NtClose(oa.RootDirectory);
    }

    // Any failure from the open or the listing is reported with the name.
    if (0 > status)
    {
        DbgPrint(“---- %x %wZ\n”, status, poa->ObjectName);
    }
}

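// Deletes (or, without REAL_DELETE, lists) the hard-coded tree below.
// This runs with kernel privilege and without confirmation, so the root
// path is the only thing limiting what gets removed; it must be exactly the
// intended NT object-manager path.
//
// Fix: the path literal is now properly escaped.  As posted,
// "\??\C:\Rootkit-Folder" contains the escape sequences \?, \C and \R, so the
// wide string handed to NtOpenFile was not the NT path \??\C:\Rootkit-Folder.
void ntTraverse()
{
    // prefix is a run of MAXUCHAR tabs; ntTraverse(POBJECT_ATTRIBUTES, ...)
    // receives a pointer to its end and moves it back one byte per level, so
    // the debug output is indented by recursion depth.
    char prefix[MAXUCHAR + 1];
    memset(prefix, '\t', MAXUCHAR);
    prefix[MAXUCHAR] = 0;

    // Absolute NT path of the tree to process.  The narrow literal becomes a
    // wide one through the L##str paste in STATIC_UNICODE_STRING.
    // ("\\systemroot" was the alternative root used while developing.)
    STATIC_OBJECT_ATTRIBUTES(oa, "\\??\\C:\\Rootkit-Folder");

    // Passing FILE_ATTRIBUTE_READONLY makes the traversal reset the root's
    // attributes to FILE_ATTRIBUTE_NORMAL before opening it for deletion;
    // FILE_ATTRIBUTE_DIRECTORY makes it enumerate the root's children.
    ntTraverse(&oa, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_READONLY, 0, prefix + MAXUCHAR);
}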

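// Unload callback registered in DriverEntry.  Nothing to tear down: the only
// work happens synchronously in DriverEntry, and the traversal frees its
// buffers and closes its handles itself.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject); // avoids the unused-parameter warning
    DbgPrint("DriverUnload()!");
}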

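// Driver entry point.  Registers DriverUnload and then immediately runs the
// traversal, so merely loading this driver deletes (or lists) the hard-coded
// tree, synchronously, before the load completes.  Always returns
// STATUS_SUCCESS: ntTraverse reports nothing back, so a failed traversal
// cannot fail the load and is visible only in the DbgPrint output.
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath); // not used; avoids the unused-parameter warning
    pDriverObject->DriverUnload = DriverUnload;
    ntTraverse();
    return STATUS_SUCCESS;
}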

------------------------------------------------------------------------------------------------------

A rootkit places hooks and subverts calls to Nt* functions and IoCallDriver. An advanced AV software would call file system or disk driver dispatch functions directly without using the dispatch table changed by a rootkit. A more advanced AV software would change file system and memory from a hypervisor running at the higher privilege level than a rootkit and OS kernel.

So, there is no source code for doing this task?

“delete all files and folders of rootkit while this rootkit is running”

I already saw an anti-rootkit that, for example, deletes the whole folder of any AV software. How is that possible?

I can’t resist

Like in an OS that actually supported ring 1 & 2 instead of just 0 & 3 ???

Sent from Mail for Windows 10

From: xxxxx@hotmail.commailto:xxxxx
Sent: June 1, 2017 2:47 AM
To: Windows File Systems Devs Interest Listmailto:xxxxx
Subject: RE:[ntfsd] How delete all files and folders of rootkit while this rootkit is running?

A rootkit places hooks and subverts calls to Nt* functions and IoCallDriver. An advanced AV software would call file system or disk driver dispatch functions directly without using the dispatch table changed by a rootkit. A more advanced AV software would change file system and memory from a hypervisor running at the higher privilege level than a rootkit and OS kernel.



>Like in an OS that actually supported ring 1 & 2 instead of just 0 & 3

Hey! This is a kernel thread, not a crazy-talk thread. Y’all just keep
that radical ring 1 talk to yourself.

On Thu, Jun 1, 2017 at 5:21 PM, Marion Bond wrote:

> I can’t resist
>
>
>
> Like in an OS that actually supported ring 1 & 2 instead of just 0 & 3 ???
>
>
>
> Sent from Mail https: for
> Windows 10
>
>
>
> *From: *xxxxx@hotmail.com
> *Sent: *June 1, 2017 2:47 AM
> *To: *Windows File Systems Devs Interest List
> *Subject: RE:[ntfsd] How delete all files and folders of rootkit while
> this rootkit is running?
>
>
>
> A rootkit places hooks and subverts calls to Nt* functions and
> IoCallDriver. An advanced AV software would call file system or disk driver
> dispatch functions directly without using the dispatch table changed by a
> rootkit. A more advanced AV software would change file system and memory
> from a hypervisor running at the higher privilege level than a rootkit and
> OS kernel.
>

It seems that no one knows how to do it.
Thank you for your attention :slight_smile:

Let’s reiterate it. Nobody here wants to start an introductory course in Operating Systems Design.

>“delete all files and folders of rootkit while this rootkit is running”

it kind of depends on a few things:

  1. whether the rootkit has an open handle to the files to be deleted; in
    that case the delete will fail, and the only way to do it will be to close
    those handles and delete afterwards.
  2. what kind of file it is that you want to delete. Say this rootkit
    installs its own driver and it is loaded in memory when you delete; you
    might or might not succeed in deleting it because of #1 above, but even more
    importantly, it is not just the .sys file to be deleted that matters: what
    if the .sys file is marked boot-start? Deleting that boot-start driver
    will cause your machine to bug check on the next reboot, as it is an essential
    driver for booting, so the cleanup involves more than just deleting files in
    this case.

Rootkits are a thing of the past; these days infections are spread in other
fashions, and much of the tech is legacy. Also, there are too many ways that
an anti-malware program having its heuristics based on #1 and #2 above can
be fooled.

On Thu, Jun 1, 2017 at 5:56 AM, wrote:

> So, not exists source code to make this task?
>
> “delete all files and folders of rootkit while this rootkit is running”
>
> I already saw anti rootkit that for example delete whole folder of any AV
> software. How is possible?
>
>



- ab