# fdelete

Ever find yourself trying to delete a file and, for whatever reason, you are not allowed to? fdelete.exe removes whatever file or directory you point it at: the delete is issued from kernel mode, so the access checks that stop a user-mode delete do not get in the way.

This project builds on VDM and uses gdrv.sys by default, but any physical memory read/write primitive that VDM supports can be substituted. It must be run as administrator because loading the driver requires SeLoadDriverPrivilege. Note that gdrv.sys is on Microsoft's vulnerable driver blocklist, so on a machine that enforces it (HVCI / Smart App Control) the load fails and you will need a different driver.

# fdelete-km

The kernel-mode part of this project exists to generate the assembly for calling kernel functions that take more than four parameters. VDM temporarily hooks NtShutdownSystem, and NtShutdownSystem itself takes a single parameter (SHUTDOWN_ACTION), so the system call dispatcher never copies any stack arguments from the user-mode stack onto the kernel stack for it: the number of stack arguments to copy is looked up per syscall from the service table, and for this one there are none. A hook placed there therefore only ever sees what arrives in the four argument registers (r10/rcx, rdx, r8, r9), and any kernel routine that needs more than that cannot be called directly through the hook.

note: I chose NtShutdownSystem because it exists in every Windows version ever and nothing calls it while the system is running normally, so inline hooking it does not race with any other caller lol.

The excerpt below, which follows the open-source ReactOS implementation of the system call dispatcher, shows where that per-syscall argument count comes from:

```cpp
VOID KiSystemService(IN PKTHREAD Thread, IN PKTRAP_FRAME TrapFrame, IN ULONG Instruction)
{
    // ... etc ....

    //
    // Save the function responsible for handling this system call
    //
    SystemCall = (PVOID)DescriptorTable->Base[Number];

    //
    // Check if this is a GUI call
    //
    if (Offset & SERVICE_TABLE_TEST)
    {
        //
        // TODO
        //
        UNIMPLEMENTED;
        ASSERT(FALSE);
    }

    //
    // Check how many arguments this system call takes
    //
    ArgumentCount = DescriptorTable->Number[Number] / 4; // <====== each syscall has its own count; only that many stack arguments are copied, and NtShutdownSystem has none to copy
    ASSERT(ArgumentCount <= 17);

    // ... etc ...
}
```

Kernel functions that need more than four parameters are therefore called from the kernel-mode stub instead: user mode passes the addresses of the required kernel routines inside a structure whose pointer goes in rcx, and a pointer to the wide-string path goes in rdx. Both fit in the registers the hook receives, and the stub then makes the full calls itself.

For all intents and purposes you can ignore the kernel part of this; it is only a shim that the user-mode tool drives.

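To make the rcx/rdx marshaling concrete, here is an added example (not code from fdelete or VDM) that models the shim in plain user-mode C so it compiles and runs anywhere. The page does not list which kernel routines the real shim calls; the two stand-ins below assume the usual delete sequence (a 6-parameter open followed by a 5-parameter set-disposition, matching the arity of ZwOpenFile and ZwSetInformationFile) and are backed by a constructed in-memory file table. The `km_imports` structure, the constants and the `fake_*` functions are all hypothetical names for illustration.

```c
/* Added example: user-mode model of the fdelete-km dispatch.  The hook only
 * receives register arguments, so everything a >4-parameter routine needs is
 * reached through a structure in rcx, with the path pointer in rdx.
 * Hypothetical stand-ins replace the Zw* routines so this runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Same arity as the real routines: 6 parameters for open, 5 for set-info. */
typedef int32_t (*open_file_fn)(void **handle, uint32_t access, const wchar_t *path,
                                void *iosb, uint32_t share, uint32_t options);
typedef int32_t (*set_info_fn)(void *handle, void *iosb, void *info,
                               uint32_t length, uint32_t info_class);
typedef int32_t (*close_fn)(void *handle);

/* Structure whose address user mode places in rcx before triggering the hook. */
struct km_imports {
    open_file_fn open_file;
    set_info_fn  set_info;
    close_fn     close;
};

enum { DELETE_ACCESS = 0x10000, SHARE_DELETE = 0x4, FILE_DISPOSITION_INFO = 13,
       STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = (int32_t)0xC000000D,
       STATUS_OBJECT_NAME_NOT_FOUND = (int32_t)0xC0000034 };

/* The hooked entry point: only rcx and rdx carry data, yet it drives a
 * 6-parameter and a 5-parameter call from inside the "kernel". */
int32_t hooked_entry(void *rcx, void *rdx)
{
    const struct km_imports *imp = rcx;
    const wchar_t *path = rdx;
    void *handle = NULL;
    uint8_t disposition = 1; /* FILE_DISPOSITION_INFORMATION.DeleteFile = TRUE */

    int32_t status = imp->open_file(&handle, DELETE_ACCESS, path, NULL, SHARE_DELETE, 0);
    if (status != STATUS_SUCCESS)
        return status;
    status = imp->set_info(handle, NULL, &disposition, sizeof disposition, FILE_DISPOSITION_INFO);
    imp->close(handle);
    return status;
}

/* ---- constructed in-memory file table behind the stand-ins ---- */
#define MAX_FILES 4
struct fake_file { wchar_t name[64]; int present; int delete_pending; };
static struct fake_file g_fs[MAX_FILES] = {
    { L"\\??\\C:\\Windows\\System32\\ntoskrnl.exe", 1, 0 },
    { L"\\??\\C:\\Windows\\System32\\aadcloudap.dll", 1, 0 },
};

static int32_t fake_open(void **handle, uint32_t access, const wchar_t *path,
                         void *iosb, uint32_t share, uint32_t options)
{
    (void)access; (void)iosb; (void)share; (void)options;
    for (int i = 0; i < MAX_FILES; i++)
        if (g_fs[i].present && wcscmp(g_fs[i].name, path) == 0) {
            *handle = &g_fs[i];
            return STATUS_SUCCESS;
        }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

static int32_t fake_set_info(void *handle, void *iosb, void *info,
                             uint32_t length, uint32_t info_class)
{
    (void)iosb;
    if (info_class != FILE_DISPOSITION_INFO || length < 1)
        return STATUS_INVALID_PARAMETER;
    ((struct fake_file *)handle)->delete_pending = (*(uint8_t *)info != 0);
    return STATUS_SUCCESS;
}

static int32_t fake_close(void *handle)
{
    struct fake_file *f = handle;
    if (f->delete_pending)          /* delete-on-close semantics */
        f->present = 0;
    return STATUS_SUCCESS;
}

/* What user mode does: fill the import table, then "invoke the hook". */
int32_t delete_via_hook(const wchar_t *path)
{
    struct km_imports imp = { fake_open, fake_set_info, fake_close };
    return hooked_entry(&imp, (void *)(uintptr_t)path);
}

int file_exists(const wchar_t *path)
{
    for (int i = 0; i < MAX_FILES; i++)
        if (g_fs[i].present && wcscmp(g_fs[i].name, path) == 0)
            return 1;
    return 0;
}
```

One thing the model makes visible: the structure in rcx lives in user-mode memory, so the real stub is reading a user buffer from kernel mode on the caller's say-so; that is fine for a tool you run as admin on your own box, but it is exactly the kind of unvalidated pointer use you would flag in a driver you did not write.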
### usage

```
usage: [OPTION] [File Path/Directory Path]
--file, delete a specific file...
--dir, delete an entire directory...
```

### example

Here we are cleaning out stuff that isn't important and takes up a lot of space (~1 GB). Joking aside: these are the files Windows boots from and the tool will happily remove them, so try this in a disposable VM.

```
fdelete.exe --file C:\Windows\System32\ntoskrnl.exe
delete \??\C:\Windows\System32\ntoskrnl.exe result: 1
```

```
fdelete.exe --dir C:\Windows\System32\
deleted \??\C:\Windows\System32\aadcloudap.dll
deleted \??\C:\Windows\System32\aadjcsp.dll
deleted \??\C:\Windows\System32\aadtb.dll
deleted \??\C:\Windows\System32\aadWamExtension.dll
deleted \??\C:\Windows\System32\AarSvc.dll
deleted \??\C:\Windows\System32\AboutSettingsHandlers.dll
deleted \??\C:\Windows\System32\AboveLockAppHost.dll
deleted \??\C:\Windows\System32\accessibilitycpl.dll
deleted \??\C:\Windows\System32\accountaccessor.dll
deleted \??\C:\Windows\System32\AccountsRt.dll
deleted \??\C:\Windows\System32\AcGenral.dll
deleted \??\C:\Windows\System32\AcLayers.dll
deleted \??\C:\Windows\System32\acledit.dll
deleted \??\C:\Windows\System32\aclui.dll
deleted \??\C:\Windows\System32\acmigration.dll
deleted \??\C:\Windows\System32\ACPBackgroundManagerPolicy.dll
deleted \??\C:\Windows\System32\acppage.dll
deleted \??\C:\Windows\System32\acproxy.dll
deleted \??\C:\Windows\System32\AcSpecfc.dll
deleted \??\C:\Windows\System32\ActionCenter.dll
deleted \??\C:\Windows\System32\ActionCenterCPL.dll
deleted \??\C:\Windows\System32\ActionQueue.dll
deleted \??\C:\Windows\System32\ActivationClient.dll
deleted \??\C:\Windows\System32\ActivationManager.dll
deleted \??\C:\Windows\System32\activeds.dll
deleted \??\C:\Windows\System32\activeds.tlb
deleted \??\C:\Windows\System32\ActiveHours.png
deleted \??\C:\Windows\System32\ActiveSyncCsp.dll
deleted \??\C:\Windows\System32\ActiveSyncProvider.dll
deleted \??\C:\Windows\System32\actxprxy.dll
deleted \??\C:\Windows\System32\AcWinRT.dll
deleted \??\C:\Windows\System32\AcXtrnal.dll
deleted \??\C:\Windows\System32\AdaptiveCards.dll
deleted \??\C:\Windows\System32\AddressParser.dll
deleted \??\C:\Windows\System32\adhapi.dll
deleted \??\C:\Windows\System32\adhsvc.dll
deleted \??\C:\Windows\System32\AdmTmpl.dll
deleted \??\C:\Windows\System32\adprovider.dll
deleted \??\C:\Windows\System32\adrclient.dll
deleted \??\C:\Windows\System32\adsldp.dll
deleted \??\C:\Windows\System32\adsldpc.dll
deleted \??\C:\Windows\System32\adsmsext.dll
deleted \??\C:\Windows\System32\adsnt.dll
deleted \??\C:\Windows\System32\adtschema.dll
deleted \??\C:\Windows\System32\AdvancedEmojiDS.dll
deleted \??\C:\Windows\System32\AdvancedInstallers\cmiv2.dll

// ..... etc etc .....
```