fdelete/README.md

# fdelete

Ever find yourself trying to delete a file and for whatever reason you are not allowed too? you can use fdelete.exe to remove whatever file/directory you want now.
This project inherits VDM and uses GDRV by default but you can use whatever method of physical read/write you want. This must be ran as admin as it loads a driver (GDRV).

# fdelete-km

The kernel module part of this project is used to generate the assembly to call kernel functions with over four parameters. VDM temp hooks NtShutdownSystem and since NtShutdownSystem
only takes four parameters, some of the required functions cannot be called since the arguments are not copied from the usermode stack to the kernel stack in KiSystemCall...

note: I choose NtShutdownSystem since its in every single windows version ever and inline hooking this function wouldnt cause any race conditions lol.

```cpp
// taken from ReactOS: https://doxygen.reactos.org/dd/d1a/arm_2usercall_8c_source.html#l00082
VOID KiSystemService(IN PKTHREAD Thread, IN PKTRAP_FRAME TrapFrame, IN ULONG Instruction)
{
     // ... etc ....
     
     //
     // Save the function responsible for handling this system call
     //
     SystemCall = (PVOID)DescriptorTable->Base[Number];
 
     //
     // Check if this is a GUI call
     //
     if (Offset & SERVICE_TABLE_TEST)
     {
         //
         // TODO
         //
         UNIMPLEMENTED;
         ASSERT(FALSE);
     }
 
     //
     // Check how many arguments this system call takes
     //
     ArgumentCount = DescriptorTable->Number[Number] / 4; // <====== note that each syscall has its own amount of params.. NtShutdownSystem only has 4!
     ASSERT(ArgumentCount <= 17);
     
     // ... etc ...
```


The functions which need to be called that have more then four parameters are passed up inside of a structure in rcx and a pointer to the wide string path is passed up in rdx. 
For all intense and purposes you can ignore the kernel part of this...

### usage

```
usage: [OPTION] [File Path/Directory Path]
        --file, delete a specific file...
        --dir, delete an entire directory...
```

### example

Here we are cleaning out stuff that isnt important and takes up alot of space (1GB~).

```
fdelete.exe --file C:\Windows\System32\ntoskrnl.exe
    delete \??\C:\Windows\System32\ntoskrnl.exe result: 1
```

```
fdelete.exe --dir C:\Windows\System32\
    deleted \??\C:\Windows\System32\aadcloudap.dll
    deleted \??\C:\Windows\System32\aadjcsp.dll
    deleted \??\C:\Windows\System32\aadtb.dll
    deleted \??\C:\Windows\System32\aadWamExtension.dll
    deleted \??\C:\Windows\System32\AarSvc.dll
    deleted \??\C:\Windows\System32\AboutSettingsHandlers.dll
    deleted \??\C:\Windows\System32\AboveLockAppHost.dll
    deleted \??\C:\Windows\System32\accessibilitycpl.dll
    deleted \??\C:\Windows\System32\accountaccessor.dll
    deleted \??\C:\Windows\System32\AccountsRt.dll
    deleted \??\C:\Windows\System32\AcGenral.dll
    deleted \??\C:\Windows\System32\AcLayers.dll
    deleted \??\C:\Windows\System32\acledit.dll
    deleted \??\C:\Windows\System32\aclui.dll
    deleted \??\C:\Windows\System32\acmigration.dll
    deleted \??\C:\Windows\System32\ACPBackgroundManagerPolicy.dll
    deleted \??\C:\Windows\System32\acppage.dll
    deleted \??\C:\Windows\System32\acproxy.dll
    deleted \??\C:\Windows\System32\AcSpecfc.dll
    deleted \??\C:\Windows\System32\ActionCenter.dll
    deleted \??\C:\Windows\System32\ActionCenterCPL.dll
    deleted \??\C:\Windows\System32\ActionQueue.dll
    deleted \??\C:\Windows\System32\ActivationClient.dll
    deleted \??\C:\Windows\System32\ActivationManager.dll
    deleted \??\C:\Windows\System32\activeds.dll
    deleted \??\C:\Windows\System32\activeds.tlb
    deleted \??\C:\Windows\System32\ActiveHours.png
    deleted \??\C:\Windows\System32\ActiveSyncCsp.dll
    deleted \??\C:\Windows\System32\ActiveSyncProvider.dll
    deleted \??\C:\Windows\System32\actxprxy.dll
    deleted \??\C:\Windows\System32\AcWinRT.dll
    deleted \??\C:\Windows\System32\AcXtrnal.dll
    deleted \??\C:\Windows\System32\AdaptiveCards.dll
    deleted \??\C:\Windows\System32\AddressParser.dll
    deleted \??\C:\Windows\System32\adhapi.dll
    deleted \??\C:\Windows\System32\adhsvc.dll
    deleted \??\C:\Windows\System32\AdmTmpl.dll
    deleted \??\C:\Windows\System32\adprovider.dll
    deleted \??\C:\Windows\System32\adrclient.dll
    deleted \??\C:\Windows\System32\adsldp.dll
    deleted \??\C:\Windows\System32\adsldpc.dll
    deleted \??\C:\Windows\System32\adsmsext.dll
    deleted \??\C:\Windows\System32\adsnt.dll
    deleted \??\C:\Windows\System32\adtschema.dll
    deleted \??\C:\Windows\System32\AdvancedEmojiDS.dll
    deleted \??\C:\Windows\System32\AdvancedInstallers\cmiv2.dll
    
    // ..... etc etc .....
```
Initial commit 3 years ago			`# fdelete`

Update README.md 3 years ago			`Ever find yourself trying to delete a file and for whatever reason you are not allowed too? you can use fdelete.exe to remove whatever file/directory you want now.`
Update README.md 3 years ago			`This project inherits VDM and uses GDRV by default but you can use whatever method of physical read/write you want. This must be ran as admin as it loads a driver (GDRV).`
Update README.md 3 years ago
Update README.md 3 years ago			`# fdelete-km`

Update README.md 3 years ago			`The kernel module part of this project is used to generate the assembly to call kernel functions with over four parameters. VDM temp hooks NtShutdownSystem and since NtShutdownSystem`
Update README.md 3 years ago			`only takes four parameters, some of the required functions cannot be called since the arguments are not copied from the usermode stack to the kernel stack in KiSystemCall...`

Update README.md 3 years ago			`note: I choose NtShutdownSystem since its in every single windows version ever and inline hooking this function wouldnt cause any race conditions lol.`

Update README.md 3 years ago			```cpp
Update README.md 3 years ago			`// taken from ReactOS: https://doxygen.reactos.org/dd/d1a/arm_2usercall_8c_source.html#l00082`
Update README.md 3 years ago			`VOID KiSystemService(IN PKTHREAD Thread, IN PKTRAP_FRAME TrapFrame, IN ULONG Instruction)`
			`{`
Update README.md 3 years ago			`// ... etc ....`

Update README.md 3 years ago			`//`
			`// Save the function responsible for handling this system call`
			`//`
			`SystemCall = (PVOID)DescriptorTable->Base[Number];`

			`//`
			`// Check if this is a GUI call`
			`//`
			`if (Offset & SERVICE_TABLE_TEST)`
			`{`
			`//`
			`// TODO`
			`//`
			`UNIMPLEMENTED;`
			`ASSERT(FALSE);`
			`}`

			`//`
			`// Check how many arguments this system call takes`
			`//`
Update README.md 3 years ago			`ArgumentCount = DescriptorTable->Number[Number] / 4; // <====== note that each syscall has its own amount of params.. NtShutdownSystem only has 4!`
Update README.md 3 years ago			`ASSERT(ArgumentCount <= 17);`

			`// ... etc ...`
			```


Update README.md 3 years ago			`The functions which need to be called that have more then four parameters are passed up inside of a structure in rcx and a pointer to the wide string path is passed up in rdx.`
			`For all intense and purposes you can ignore the kernel part of this...`

Update README.md 3 years ago			`### usage`

			```
			`usage: [OPTION] [File Path/Directory Path]`
			`--file, delete a specific file...`
			`--dir, delete an entire directory...`
			```

			`### example`

Update README.md 3 years ago			`Here we are cleaning out stuff that isnt important and takes up alot of space (1GB~).`

Update README.md 3 years ago			```
			`fdelete.exe --file C:\Windows\System32\ntoskrnl.exe`
			`delete \??\C:\Windows\System32\ntoskrnl.exe result: 1`
			```
Update README.md 3 years ago
			```
			`fdelete.exe --dir C:\Windows\System32\`
			`deleted \??\C:\Windows\System32\aadcloudap.dll`
			`deleted \??\C:\Windows\System32\aadjcsp.dll`
			`deleted \??\C:\Windows\System32\aadtb.dll`
			`deleted \??\C:\Windows\System32\aadWamExtension.dll`
			`deleted \??\C:\Windows\System32\AarSvc.dll`
			`deleted \??\C:\Windows\System32\AboutSettingsHandlers.dll`
			`deleted \??\C:\Windows\System32\AboveLockAppHost.dll`
			`deleted \??\C:\Windows\System32\accessibilitycpl.dll`
			`deleted \??\C:\Windows\System32\accountaccessor.dll`
			`deleted \??\C:\Windows\System32\AccountsRt.dll`
			`deleted \??\C:\Windows\System32\AcGenral.dll`
			`deleted \??\C:\Windows\System32\AcLayers.dll`
			`deleted \??\C:\Windows\System32\acledit.dll`
			`deleted \??\C:\Windows\System32\aclui.dll`
			`deleted \??\C:\Windows\System32\acmigration.dll`
			`deleted \??\C:\Windows\System32\ACPBackgroundManagerPolicy.dll`
			`deleted \??\C:\Windows\System32\acppage.dll`
			`deleted \??\C:\Windows\System32\acproxy.dll`
			`deleted \??\C:\Windows\System32\AcSpecfc.dll`
			`deleted \??\C:\Windows\System32\ActionCenter.dll`
			`deleted \??\C:\Windows\System32\ActionCenterCPL.dll`
			`deleted \??\C:\Windows\System32\ActionQueue.dll`
			`deleted \??\C:\Windows\System32\ActivationClient.dll`
			`deleted \??\C:\Windows\System32\ActivationManager.dll`
			`deleted \??\C:\Windows\System32\activeds.dll`
			`deleted \??\C:\Windows\System32\activeds.tlb`
			`deleted \??\C:\Windows\System32\ActiveHours.png`
			`deleted \??\C:\Windows\System32\ActiveSyncCsp.dll`
			`deleted \??\C:\Windows\System32\ActiveSyncProvider.dll`
			`deleted \??\C:\Windows\System32\actxprxy.dll`
			`deleted \??\C:\Windows\System32\AcWinRT.dll`
			`deleted \??\C:\Windows\System32\AcXtrnal.dll`
			`deleted \??\C:\Windows\System32\AdaptiveCards.dll`
			`deleted \??\C:\Windows\System32\AddressParser.dll`
			`deleted \??\C:\Windows\System32\adhapi.dll`
			`deleted \??\C:\Windows\System32\adhsvc.dll`
			`deleted \??\C:\Windows\System32\AdmTmpl.dll`
			`deleted \??\C:\Windows\System32\adprovider.dll`
			`deleted \??\C:\Windows\System32\adrclient.dll`
			`deleted \??\C:\Windows\System32\adsldp.dll`
			`deleted \??\C:\Windows\System32\adsldpc.dll`
			`deleted \??\C:\Windows\System32\adsmsext.dll`
			`deleted \??\C:\Windows\System32\adsnt.dll`
			`deleted \??\C:\Windows\System32\adtschema.dll`
			`deleted \??\C:\Windows\System32\AdvancedEmojiDS.dll`
			`deleted \??\C:\Windows\System32\AdvancedInstallers\cmiv2.dll`

			`// ..... etc etc .....`
			```