A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #14543  by utsav.0202
 Tue Jul 10, 2012 6:41 am
Hi
I am making a very small rootkit removal tool. For that, first I am finding hidden processes and services.
I am able to find the hidden processes and services properly, but I am not able to delete the binaries associated with those services and processes. Please suggest ways to delete the files.

Thanks
 #14545  by utsav.0202
 Tue Jul 10, 2012 8:01 am
The file to be deleted is a ".sys" file. It is a service whose start type is BOOT. It then protects itself from being deleted.
I am not able to delete it from a native application either, because native applications are executed after the BOOT services have started.
 #14546  by nullptr
 Tue Jul 10, 2012 8:29 am
Just kill the file by overwriting the header, reboot -> delete.
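As an added example of the approach nullptr describes (this is not code from the thread), the script below zeroes the PE header of a driver image so the loader rejects it at the next boot and then schedules the delete for that boot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), so the file disappears before the (now unloadable) driver could protect it. The target path is a placeholder. It only works when the rootkit does not block write access to its own image: if it keeps the file open with no sharing, or filters writes, the open fails and the script reports that instead.

```powershell
# Added example, not code from the thread. The path below is an assumed placeholder.
# Step 1: zero the PE header so the boot loader rejects the image next time.
# Step 2: schedule the delete for that boot with MoveFileEx(DELAY_UNTIL_REBOOT).
$target = 'C:\Windows\System32\drivers\suspect.sys'   # assumed path

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Disable-ImageHeader {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # ReadWrite with no sharing: fails with a sharing violation if the
        # rootkit keeps the file open, or with access denied if it filters writes.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::None)
    } catch {
        Write-Warning "cannot open ${Path}: $($_.Exception.Message)"
        return $false
    }
    try {
        $magic = New-Object byte[] 2
        [void]$fs.Read($magic, 0, 2)
        if ($magic[0] -ne 0x4D -or $magic[1] -ne 0x5A) {   # 'MZ'
            Write-Warning "$Path does not start with an MZ header"
        }
        # Zero the DOS header, e_lfanew and the PE headers that follow it.
        $fs.Position = 0
        $zeros = New-Object byte[] 4096
        $fs.Write($zeros, 0, $zeros.Length)
        $fs.Flush()
        return $true
    } finally {
        $fs.Dispose()
    }
}

if (Disable-ImageHeader -Path $target) {
    # Ask the session manager to delete the file during the next boot, when
    # the damaged driver cannot be loaded and so is not running to protect it.
    $ok = [Win32.NativeMethods]::MoveFileEx($target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed, Win32 error $err"
    }
    Write-Host "Header zeroed and delete scheduled; reboot to finish."
}
```

Run it elevated. One caveat before using this on a boot-start service: check the service's ErrorControl value first, because a boot driver whose load fails is treated as a boot failure when ErrorControl is Critical (3), whereas Normal (1) only logs the failure and continues.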
 #14579  by EP_X0FF
 Wed Jul 11, 2012 2:03 pm
utsav.0202 wrote:The file to be deleted is a ".sys" file. It is a service whose start type is BOOT. It then protects itself from being deleted.
I am not able to delete it from native application as well because native application is executed after the BOOT services have started.
Depends on how this filtering is implemented. This can be stupid blocking by holding exclusive rights, hooks, an FSD filter, etc. What is it in your case?
 #14600  by utsav.0202
 Thu Jul 12, 2012 6:51 am
I want to make a tool that works for all(or maximum) types of rootkits.

- I am using brute force to get the hidden processes (the exe of each process)
- I am reading services from the %sysdir%\config\SYSTEM file and comparing them with HKLM\SYSTEM\CurrentControlSet\Services to get the hidden services (exe or sys file)
Now I want to delete these files.

Please redirect me to a link that explains all the methods of file protection and the ways to delete that file.
 #14627  by EP_X0FF
 Sat Jul 14, 2012 5:22 am
utsav.0202 wrote:Please redirect me to a link that explains all the methods of file protection and the ways to delete that file.
To grasp the immensity? The first starting point will be learning NTFS internals. More simple and profitable: create an offline scanner or a set of tools for each type of rootkit.
 #14648  by xdeadcode
 Sat Jul 14, 2012 8:57 pm
Hi utsav.0202

I agree with EP_X0FF about a set of tools for removing each type of rootkit. It is not about reusing the same code. It's about how you treat rootkits, which are in my opinion a very risky type of malware to remove in a generic way (a mistake means a BSOD, or even a system crash).

About file deletion, the first question is whether you really need to remove the file in some 'tricky' way. If the rootkit is protecting something, it is better to disarm its protection mechanisms, or make it not boot next time, and then remove it even from user mode.

You have to be aware that today's rootkits can be very complicated pieces of code that protect themselves on many different OS levels.

As EP_X0FF suggested, it is good for you to read about the NTFS filesystem, and also about raw disk access. But first of all, think about whether you really need it.

Best regards.
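An added example of the "make it not boot next time, then remove it from user mode" route that xdeadcode recommends and of the offline approach EP_X0FF mentions (this is not code from the thread). It runs from WinPE or recovery media against the infected system's volume, loads that system's SYSTEM hive, marks the rootkit's service as disabled in the control set that will boot, and deletes the image file while nothing on the infected system is running. The offline drive letter (D:) and the service name are assumptions; so is the rule that a \??\C:\ ImagePath maps onto the same offline volume. It only handles the persistence that lives in the Services key; a rootkit with other persistence (boot sector, a patched legitimate driver) needs more than this.

```powershell
# Added example, not code from the thread. Run from WinPE/recovery media.
# Assumed: the infected volume is mounted as D:, and the hidden service name
# has already been found by the scanner.
$offlineRoot = 'D:\Windows'     # assumed offline Windows directory
$svcName     = 'suspect'        # assumed service name
$mount       = 'HKLM\OFFSYS'    # temporary mount point for the offline hive

function Resolve-OfflineImagePath {
    # Map the ImagePath forms found under Services to a path on the offline volume.
    param([string]$ImagePath, [string]$OfflineRoot)
    $drive = Split-Path -Path $OfflineRoot -Qualifier          # 'D:'
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\SystemRoot\\(.*)$')      { return Join-Path $OfflineRoot $Matches[1] }
    if ($p -match '^\\\?\?\\[A-Za-z]:\\(.*)$') { return Join-Path $drive $Matches[1] }   # assumes same volume
    if ($p -match '^[A-Za-z]:\\(.*)$')        { return Join-Path $drive $Matches[1] }   # assumes same volume
    if ($p -match '^system32\\(.*)$')          { return Join-Path $OfflineRoot "System32\$($Matches[1])" }
    return Join-Path $OfflineRoot $p        # other relative forms are relative to the Windows directory
}

& reg.exe load $mount "$offlineRoot\System32\config\SYSTEM" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load of the offline SYSTEM hive failed" }
try {
    # Select\Current names the control set that will be used at the next boot.
    $cur    = (Get-ItemProperty -Path 'HKLM:\OFFSYS\Select' -Name Current).Current
    $svcKey = "HKLM:\OFFSYS\ControlSet{0:D3}\Services\$svcName" -f $cur
    if (-not (Test-Path -Path $svcKey)) { throw "service key $svcKey not found" }

    $svc = Get-ItemProperty -Path $svcKey
    Write-Host "Start=$($svc.Start) Type=$($svc.Type) ErrorControl=$($svc.ErrorControl) ImagePath=$($svc.ImagePath)"

    # SERVICE_DISABLED = 4: a boot-start driver with Start=4 is not loaded at all,
    # so its self-protection is never active on the next boot.
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord

    # With nothing running on the offline system, a plain delete is enough.
    $img = Resolve-OfflineImagePath -ImagePath $svc.ImagePath -OfflineRoot $offlineRoot
    if (Test-Path -LiteralPath $img) {
        Remove-Item -LiteralPath $img -Force
        Write-Host "removed $img"
    } else {
        Write-Warning "image $img not found on the offline volume"
    }
} finally {
    # The registry provider keeps handles to the hive; release them or the unload fails.
    [GC]::Collect()
    & reg.exe unload $mount | Out-Null
}
```

Disabling the service before deleting the image is deliberate: if the delete fails for any reason, the next boot still skips the driver, which is the state you want before trying anything else on the live system.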
 #14680  by utsav.0202
 Mon Jul 16, 2012 3:09 pm
Thanks.
Can you please provide me some links to start with?

Meanwhile, I wrote a test driver (BOOT start) that reads a file name from the registry and deletes it using ZwDeleteFile.
I read that there are different groups according to which BOOT services are loaded; the groups are given under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List

In the registry I gave the file name to be deleted as \??\C:\a.exe

When I set the group of my driver to "MS Transactions" (last), it successfully deleted the file, but when I set the group to "System Reserved" (first) or "System Bus Extender" (fourth), ZwDeleteFile returned STATUS_OBJECT_PATH_NOT_FOUND.
Do I need to use another name for the file?