#include <ntifs.h>
// https://github.com/DragonQuestHero/Kernel-Force-Delete
// Function-pointer types for the kernel routines EntryDelete calls.
// Each is derived with decltype from the ntifs.h prototype, so the alias can
// never drift from the real signature; the caller fills an IMPORT_STRUCT with
// resolved addresses of these types instead of this code importing them directly.
using ObReferenceObjectByHandleType = decltype(&ObReferenceObjectByHandle);   // handle -> referenced object pointer
using ObfDereferenceObjectType = decltype(&ObfDereferenceObject);             // releases that reference
using ZwCloseType = decltype(&ZwClose);                                       // closes the file handle
using IoCreateFileSpecifyDeviceObjectHintType = decltype(&IoCreateFileSpecifyDeviceObjectHint); // opens the file
using ZwDeleteFileType = decltype(&ZwDeleteFile);                             // deletes by OBJECT_ATTRIBUTES
using RtlInitUnicodeStringType = decltype(&RtlInitUnicodeString);             // wraps the PWCHAR path
/*
 * Table of resolved kernel routines handed to EntryDelete.
 *
 * EntryDelete reaches every kernel API through this table rather than through
 * a direct import (presumably so the code can run without an import table —
 * confirm against the loader). The caller must populate all six pointers;
 * EntryDelete does not NULL-check them.
 */
typedef struct _IMPORT_STRUCT
{
    ObReferenceObjectByHandleType ObReferenceObjectByHandlePtr;            // ObReferenceObjectByHandle
    ObfDereferenceObjectType ObfDereferenceObjectPtr;                      // ObfDereferenceObject
    ZwCloseType ZwClosePtr;                                                // ZwClose
    IoCreateFileSpecifyDeviceObjectHintType IoCreateFileSpecifyDeviceObjectHintPtr; // IoCreateFileSpecifyDeviceObjectHint
    ZwDeleteFileType ZwDeleteFilePtr;                                      // ZwDeleteFile
    RtlInitUnicodeStringType RtlInitUnicodeStringPtr;                      // RtlInitUnicodeString
} IMPORT_STRUCT, *PIMPORT_STRUCT;
/*
Param: ImagePath

A pointer to a buffered Unicode string naming the file to be created or opened.
This value must be a fully qualified file specification, unless it is the name of a file relative
to the directory specified by RootDirectory. (EntryDelete passes NULL as RootDirectory, so here the
path must always be fully qualified.) For example, \Device\Floppy1\myfile.dat or \??\B:\myfile.dat
could be the fully qualified file specification, provided that the floppy driver and overlying file system are already loaded.
(Note that \?? replaces \DosDevices as the name of the Win32 object namespace. \DosDevices will still work,
but \?? is translated faster by the object manager.)
*/
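/*
 * EntryDelete
 *
 * Opens the file named by ImagePath, clears the cached image-section pointer
 * on its FILE_OBJECT and marks the object as opened for delete, then issues
 * ZwDeleteFile on the same path.
 *
 * Param: Imports   - table of resolved kernel routines; every pointer in it
 *                    must be populated. All kernel calls go through this table.
 * Param: ImagePath - NUL-terminated NT-style path (see the comment above).
 *                    No RootDirectory is supplied, so it must be fully qualified.
 *
 * Returns: STATUS_SUCCESS when the delete was issued and the handle closed,
 *          otherwise the NTSTATUS of the first failing call.
 *
 * The writes to FileObject->SectionObjectPointer->ImageSectionObject and
 * FileObject->DeleteAccess touch fields owned by the I/O and memory managers,
 * with no synchronization; they bypass the bookkeeping a normal delete relies
 * on, and a concurrent mapping of the same file can race with them. Treat a
 * non-success status as "state unknown", not as "nothing happened".
 *
 * Every exit path releases both the object reference and the handle taken
 * here (the previous version leaked both when the middle steps failed).
 */
NTSTATUS EntryDelete(PIMPORT_STRUCT Imports, PWCHAR ImagePath)
{
    HANDLE FileHandle = nullptr;
    NTSTATUS Status;
    IO_STATUS_BLOCK IOBlock = {};
    PFILE_OBJECT FileObject = nullptr;
    OBJECT_ATTRIBUTES FileAttributes;
    UNICODE_STRING ImagePathUnicode;

    if (Imports == nullptr || ImagePath == nullptr)
        return STATUS_INVALID_PARAMETER;

    Imports->RtlInitUnicodeStringPtr(&ImagePathUnicode, ImagePath);

    // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
    // table; this routine may run in an arbitrary thread context.
    InitializeObjectAttributes(&FileAttributes,
                               &ImagePathUnicode,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    Status = Imports->IoCreateFileSpecifyDeviceObjectHintPtr(
        &FileHandle,
        SYNCHRONIZE | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | FILE_READ_DATA,
        &FileAttributes,
        &IOBlock,
        nullptr,                          // AllocationSize: unused for FILE_OPEN
        0,                                // FileAttributes
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        nullptr,                          // EaBuffer
        0,                                // EaLength
        CreateFileTypeNone,
        nullptr,                          // InternalParameters
        IO_IGNORE_SHARE_ACCESS_CHECK,     // the I/O manager skips its share-access check for this open
        nullptr);                         // no DeviceObject hint: the full filter stack sees the open
    if (!NT_SUCCESS(Status))
        return Status;

    // ObjectType is deliberately left NULL: this module reaches the kernel only
    // through Imports, and *IoFileObjectType would be an extra data import.
    // The handle was just produced by the open above, so it is a file handle.
    Status = Imports->ObReferenceObjectByHandlePtr(
        FileHandle, 0, NULL, KernelMode, (PVOID*)&FileObject, nullptr);
    if (!NT_SUCCESS(Status))
        goto CloseFile;

    // SectionObjectPointer can be NULL for a file that was never mapped or
    // cached; dereferencing it unconditionally would fault.
    if (FileObject->SectionObjectPointer != nullptr)
        FileObject->SectionObjectPointer->ImageSectionObject = nullptr;
    FileObject->DeleteAccess = TRUE;

    Status = Imports->ZwDeleteFilePtr(&FileAttributes);

    // Release the reference whether or not the delete succeeded.
    Imports->ObfDereferenceObjectPtr(FileObject);
    FileObject = nullptr;

CloseFile:
    {
        // A close failure is only reported when nothing earlier failed, so the
        // first error is the one the caller sees.
        NTSTATUS CloseStatus = Imports->ZwClosePtr(FileHandle);
        if (NT_SUCCESS(Status) && !NT_SUCCESS(CloseStatus))
            Status = CloseStatus;
    }
    return Status;
}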