A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #14690  by xqrzd
 Mon Jul 16, 2012 7:07 pm
Maybe because the mount manager wasn't loaded yet? Anyway, why not just use raw disk access? If you're just trying to delete files, raw disk access will almost always work (TDL2 is the only rootkit I know of that uses files and raw disk doesn't work).
 #14691  by xdeadcode
 Mon Jul 16, 2012 8:01 pm
Please take a look here: http://support.microsoft.com/kb/115486.
Look at your fs and disk drivers groups and then compare it with your driver.
Zw* will use the fs to delete a file.

Still, I don't think that doing any removal with a generic mechanism (even by raw access) is a good idea. Everything depends on what kind of hooks/patches/methods have been made to the system by the rootkit to hide/protect files/rootkit. I would recommend first unarming and then trying to remove with the simple fs interface. Remember that a file system (like NTFS) is a very complicated piece of code that hides a lot of problems that can occur during raw disk access.

Best regards.
 #14695  by utsav.0202
 Tue Jul 17, 2012 6:14 am
How do I use raw disk access? (an example will be of great help)

Please tell me more about "unarming".

I want to learn.
 #14696  by xdeadcode
 Tue Jul 17, 2012 8:29 am
utsav.0202,

To properly cover raw disk access, first read how the storage disk stack is organized in Windows.
Then go to the WDK samples and read them all to know what an SRB is and how to use it.
You should also know what the SCSI interface looks like (any documentation from any vendor will be enough).
Some useful ioctls you will probably need: FSCTL_GET_RETRIEVAL_POINTERS, FSCTL_GET_NTFS_VOLUME_DATA, IOCTL_VOLUME_LOGICAL_TO_PHYSICAL. Read about them and figure out why you need them.
I believe after that you will be able to create your sector read/write requests.
But be aware that this will not cover all problems that are hidden by the filesystem.

Regarding unarming: there is no single way to unarm a rootkit, since all rootkit families are different (or most of them). Depending on what is patched, your software's behaviour will be different.

Also, raw disk access without unarming first won't give you good results. E.g. analyze a TDL3 sample. If you see that the device object is stolen, then even raw disk access won't work as you expect without first reverting the disk storage stack to good order, reverting all routines and so on.

best regards,
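The three ioctls named in the post above are what a user-mode tool uses to find where a file's clusters live on the raw volume (and on the physical disk) so its bytes can be read straight from the volume and compared with what the file-system API returns. The script below is an added example, not code from this thread or from any project: the struct layouts are the documented RETRIEVAL_POINTERS_BUFFER, NTFS_VOLUME_DATA_BUFFER and VOLUME_PHYSICAL_OFFSETS, the control-code constants are the documented CTL_CODE values, and the sample reply buffers are constructed so the parsing runs on any OS. The `ctypes` wrapper at the end (`ioctl`, `file_volume_ranges`) is this example's own naming and only executes on Windows, where opening the volume handle needs administrator rights.

```python
import struct
import sys

# Documented CTL_CODE values, e.g. FSCTL_GET_RETRIEVAL_POINTERS = (9 << 16) | (28 << 2) | 3.
FSCTL_GET_RETRIEVAL_POINTERS = 0x00090073
FSCTL_GET_NTFS_VOLUME_DATA = 0x00090064
IOCTL_VOLUME_LOGICAL_TO_PHYSICAL = 0x00560020
SPARSE_LCN = -1  # an Lcn of -1 marks an extent with no clusters on disk


def parse_ntfs_volume_data(buf):
    """NTFS_VOLUME_DATA_BUFFER: 5 LARGE_INTEGERs, 4 DWORDs, 5 LARGE_INTEGERs (96 bytes)."""
    f = struct.unpack_from("<5q4I5q", buf)
    return {"bytes_per_sector": f[5], "bytes_per_cluster": f[6], "mft_start_lcn": f[10]}


def parse_retrieval_pointers(buf):
    """RETRIEVAL_POINTERS_BUFFER -> [(first_vcn, next_vcn, lcn), ...] in VCN order."""
    extent_count, vcn = struct.unpack_from("<I4xq", buf)  # ExtentCount, padding, StartingVcn
    extents = []
    for i in range(extent_count):
        next_vcn, lcn = struct.unpack_from("<qq", buf, 16 + 16 * i)
        extents.append((vcn, next_vcn, lcn))
        vcn = next_vcn
    return extents


def extents_to_volume_ranges(extents, bytes_per_cluster, file_size):
    """Byte ranges (volume_offset, length) that hold the file's data.
    Sparse extents read back as zeros and are skipped; the last range is clipped
    to the file size, since the tail of the last cluster is slack, not file data."""
    ranges, remaining = [], file_size
    for first_vcn, next_vcn, lcn in extents:
        length = min((next_vcn - first_vcn) * bytes_per_cluster, remaining)
        if length <= 0:
            break
        if lcn != SPARSE_LCN:
            ranges.append((lcn * bytes_per_cluster, length))
        remaining -= length
    return ranges


def parse_physical_offsets(buf):
    """VOLUME_PHYSICAL_OFFSETS (reply to IOCTL_VOLUME_LOGICAL_TO_PHYSICAL) -> [(disk_number, physical_byte_offset), ...]."""
    (count,) = struct.unpack_from("<I", buf)
    return [struct.unpack_from("<I4xq", buf, 8 + 16 * i) for i in range(count)]


# Constructed sample replies (4 KiB clusters; a file with two real extents and a
# sparse extent in the middle), standing in for what the ioctls would return.
SAMPLE_VOLUME_DATA = struct.pack("<5q4I5q", 0x1234, 2097152, 262144, 100000, 0,
                                 512, 4096, 1024, 0, 0, 786432, 2, 786432, 819200)
SAMPLE_POINTERS = (struct.pack("<I4xq", 3, 0)       # 3 extents, StartingVcn 0
                   + struct.pack("<qq", 2, 1000)    # VCN 0..1 -> LCN 1000
                   + struct.pack("<qq", 4, -1)      # VCN 2..3 -> sparse
                   + struct.pack("<qq", 5, 5000))   # VCN 4    -> LCN 5000
SAMPLE_PHYSICAL = struct.pack("<I4xI4xq", 1, 0, 1048576 + 1000 * 4096)  # disk 0, partition at 1 MiB


def demo(file_size=18000):
    """Run the mapping on the constructed buffers: returns (volume ranges, physical offsets)."""
    vol = parse_ntfs_volume_data(SAMPLE_VOLUME_DATA)
    ranges = extents_to_volume_ranges(parse_retrieval_pointers(SAMPLE_POINTERS),
                                      vol["bytes_per_cluster"], file_size)
    return ranges, parse_physical_offsets(SAMPLE_PHYSICAL)


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, wintypes.LPDWORD, wintypes.LPVOID]
    k32.GetFileSizeEx.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.LARGE_INTEGER)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    def ioctl(handle, code, inbuf, out_size):
        """Thin DeviceIoControl wrapper; a too-small output buffer surfaces as a WinError."""
        out, returned = ctypes.create_string_buffer(out_size), wintypes.DWORD(0)
        if not k32.DeviceIoControl(handle, code, inbuf, len(inbuf or b""), out, out_size,
                                   ctypes.byref(returned), None):
            raise ctypes.WinError()
        return out.raw[:returned.value]

    def file_volume_ranges(path, volume=r"\\.\C:"):
        """Map `path` to raw byte ranges on `volume` using the two FSCTLs."""
        GENERIC_READ, SHARE_ALL, OPEN_EXISTING = 0x80000000, 7, 3
        hf = k32.CreateFileW(path, GENERIC_READ, SHARE_ALL, None, OPEN_EXISTING, 0, None)
        hv = k32.CreateFileW(volume, GENERIC_READ, SHARE_ALL, None, OPEN_EXISTING, 0, None)
        if wintypes.HANDLE(-1).value in (hf, hv):  # INVALID_HANDLE_VALUE
            raise ctypes.WinError()
        try:
            size = wintypes.LARGE_INTEGER(0)
            k32.GetFileSizeEx(hf, ctypes.byref(size))
            vol = parse_ntfs_volume_data(ioctl(hv, FSCTL_GET_NTFS_VOLUME_DATA, None, 96))
            ptrs = ioctl(hf, FSCTL_GET_RETRIEVAL_POINTERS, struct.pack("<q", 0), 64 * 1024)
        finally:
            k32.CloseHandle(hf)
            k32.CloseHandle(hv)
        return extents_to_volume_ranges(parse_retrieval_pointers(ptrs),
                                        vol["bytes_per_cluster"], size.value)

if __name__ == "__main__":
    print(demo())
```

The volume offsets returned by `file_volume_ranges` are relative to the volume, so reading them through the physical disk device still requires the extra hop through IOCTL_VOLUME_LOGICAL_TO_PHYSICAL that `parse_physical_offsets` decodes. As the post says, none of this helps when the storage stack itself has been tampered with (a stolen device object answers the raw reads too), which is why the mapped bytes are only useful as evidence to compare against the file-system view, not as a guaranteed clean read.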