Results 1 to 8 of 8

Thread: Self-deleting exe:s, widespread technique won't work?!

  1. #1
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5

    Self-deleting exe:s, widespread technique won't work?!

    There are several tricks for making programs that are in one way or another able to delete themselves, without leaving any traces in the system.

    One of the most wide-spread techniques, and also the one which is supposed to be one of the most platform independent (between Windows versions) is the following:

    1.
    Start the program you want to delete (EXE1).

    2.
    From this program, drop a second exe file (EXE2).

    3.
    Open a file handle to EXE2 from EXE1, using CreateFile, with the flag "FILE_FLAG_DELETE_ON_CLOSE".

    4.
    Execute EXE2 from EXE1 (e.g. with CreateProcess), causing the operating system to open another file handle to EXE2.

    5.
    Let EXE1 exit and terminate (which will implicitly cause its filehandle to EXE2 to close, leaving only the operating system's filehandle to EXE2 left open).

    6.
    EXE2 waits for EXE1 to terminate, and as soon as it detects this, it deletes EXE1 from disk.

    7.
    After successfully deleting EXE1, the job of EXE2 is complete, and it exits and terminates, causing the operating system's filehandle to it to close.

    8.
    The general concept and idea is now that EXE2 should immediately be deleted upon this closing of the last open file handle to it. This is also a seemingly correct assumption, especially when you read the entry for the "FILE_FLAG_DELETE_ON_CLOSE" flag of the CreateFile API in the Win32API reference:

    FILE_FLAG_DELETE_ON_CLOSE
    Indicates that the operating system is to delete the file immediately after all of its handles have been closed, not just the handle for which you specified FILE_FLAG_DELETE_ON_CLOSE.
    The problem is that on the contrary (according to my own experiments), the file deletion does only work if the last file handle to be closed is the one that was opened with the "FILE_FLAG_DELETE_ON_CLOSE" flag. If any file handle is left after this, nothing will happen when it is closed, and the file will hence not be deleted.

    This will of course prevent the whole self-deleting exe technique to fail, since the operating systems handle of EXE2 always have to be closed after the handle that EXE1 opened (the one with the FILE_FLAG_DELETE_ON_CLOSE). This is because EXE2 will not succeed in deleting EXE1 before EXE1 is closed, and as soon as EXE1 is closed, its handle to EXE2 will be implicitly closed. And EXE2 will not terminate before it has successfully deleted EXE1, and hence, the operating system's handle to EXE2 will not close before EXE1 has terminated and (implicitly) closed its handle to EXE2.

    There is even ready-made example code to be found on the web that is supposed to demonstrate this technique, and the people who provide it claim to have used it successfully. But I have tried this very code on both Win98, Win2000 and WinXP, and in all cases, the dropped exe fails to automatically delete when it terminates, hence being left on the disk.

    This makes me wonder if this whole technique is just someone's drug induced fantasy, based on a mixture of the incorrect statements in the Win32 API reference and their own lazyness not to actually try the code themselves (and then obviously lying about having gotten it to work).


    So, my question here:

    Has anyone reading this post ever gotten this to work, or at least ever seen a program that succeeded in using this technique?

    Also, I attach the very small source code of the example program that is supposed to accomplish this with this post. It would be very nice if people could compile it (it should compile right away in VS 6/NET, if inserted into a standard console application), and try it on their systems to see if it succeeds there.

    It will simply print out the full path of the EXE2 it has created, and then use the procedure described above.

    The desired result is that both the main exe (EXE1) and the created EXE2 should be deleted from the disk afterwards, but in my case EXE2 will always remain on the disk.

    Thanks for any help or tips!

    dELTA
    Last edited by dELTA; March 14th, 2003 at 08:36.

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Here is the source for the short example program (2685 bytes).
    Attached Files Attached Files

  3. #3
    foxthree
    Guest

    Self Deleting...

    Interesting you mention it. Myself and my friend were discussing this the other day as a new way to prevent patching your code. You see any modification to your code, you self-destruct. Maybe annoying but hey...

    However, I believe my friend tried it and had the same effect something like you said. My suggestion to him was to do something like uninstall proggies do... Uninstall Programs uninstall other files *and* finally delete themselves. Why would you need 2 EXEs for this. The uninstall way looks far more 31337

    I think it also can be done in a platform independent manner using some VC++ linker switches... I believe Matt Pietrek mentioned something about this in one of his articles... I'm sure you'll find it if you search the web... Why don't I post the link u say, heh I'm suffering from a disease called laziness

    Happy hunting,

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5

    Re: Self Deleting...

    Thanks for the reply FoxThree! Some questions though:

    However, I believe my friend tried it and had the same effect something like you said. My suggestion to him was to do something like uninstall proggies do... Uninstall Programs uninstall other files *and* finally delete themselves. Why would you need 2 EXEs for this. The uninstall way looks far more 31337
    And more exactly what do you mean with "like uninstall proggies do"?

    Most uninstallers use the Windows Installer services, which can assist in deleting the last file, since it's really the Windows Installer service that is performing the tasks, and it is still left in the system afterwards. The majority of the uninstallers that are not using the Windows Installer services are using MoveFileEx/wininit.ini to remove the final executable on the next reboot. This is elementary, but the problem is that it is not instant, the file will be left on the disk until the next reboot, and I really don't want that.


    I think it also can be done in a platform independent manner using some VC++ linker switches... I believe Matt Pietrek mentioned something about this in one of his articles... I'm sure you'll find it if you search the web... Why don't I post the link u say, heh I'm suffering from a disease called laziness
    I have very hard to see how the linker can have anything whatsoever to do with such a thing? Also, I cannot find any Pietrek article discussing the subject of self-deletion. It would be great if you could explain some more, or maybe even give me that link if you can find it.

    Thanks!


    PS.
    I see some people have downloaded the test program source code. What results have you gotten while running it?

    PS2.
    For people suffering from the same disease as FoxThree, I have included the compiled exe file with this post. (Yes, mega-bloated to 156 kb, courtesy of VS6 ).
    Attached Files Attached Files

  5. #5
    הבּרוּ נשׂאי כּלי יהוה mike's Avatar
    Join Date
    Mar 2001
    Posts
    491
    http://www.google.com/search?q=pietrek+"self-deleting"

  6. #6
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Yes, I have seen a bunch of articles and texts about it too, but some of them contradict each other, so I thought I'd ask some people I can trust for additional first-hand info.

  7. #7
    הבּרוּ נשׂאי כּלי יהוה mike's Avatar
    Join Date
    Mar 2001
    Posts
    491
    Last edited by mike; March 16th, 2003 at 22:52.

  8. #8
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    http://board.win32asmcommunity.net/showthread.php?s=&threadid=1152

Similar Threads

  1. Anti debugging technique?
    By live_dont_exist in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: November 26th, 2013, 01:18
  2. The Point-R technique
    By upb in forum Blogs Forum
    Replies: 19
    Last Post: November 10th, 2007, 04:30
  3. LINK: API Hooking: a new and fast technique
    By Kayaker in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: October 6th, 2005, 04:31
  4. debuggin technique? dumping eip
    By fred in forum Tools of Our Trade (TOT) Messageboard
    Replies: 1
    Last Post: January 16th, 2003, 14:58

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •