Fixed Self Deletion Using Alternate data stream

Whitecat18 · Whitecat18 · commit cc97a6f0dd1e · 2024-11-01T22:01:54.000+05:30
diff --git a/Malware_Tips/self_delete.rs b/Malware_Tips/self_delete.rs
@@ -8,118 +8,134 @@
 
 */
 
-use std::env::current_exe;
-use std::mem::{size_of, size_of_val};
+/*
+    Explanation:~
+        * The code creates an alternate data stream, which isn't visible in typical file listings, and uses this to manipulate the file in a way that allows for self-deletion. 
+        * By renaming the file's alternate data stream, it essentially prepares the file for an operation that can be performed on itself without directly needing admin permissions for file deletion.
+        * The actual deletion occurs when the file handle is closed after marking the file for deletion, which is a Windows feature where marking a file for deletion and then closing the last handle to it results in the file being deleted.
+
+*/
+use std::ffi::OsString;
+use std::os::windows::ffi::OsStrExt;
 use std::ptr::null_mut;
 use winapi::ctypes::c_void;
-use winapi::um::errhandlingapi::GetLastError;
 use winapi::um::fileapi::{CreateFileW, SetFileInformationByHandle, FILE_RENAME_INFO};
 use winapi::um::handleapi::CloseHandle;
 use winapi::um::heapapi::HeapFree;
 use winapi::um::minwinbase::{FileDispositionInfo, FileRenameInfo};
-use winapi::um::winnt::HEAP_ZERO_MEMORY;
+use winapi::um::winbase::FILE_FLAG_DELETE_ON_CLOSE;
+use winapi::um::winnt::{FILE_ATTRIBUTE_NORMAL, HEAP_ZERO_MEMORY};
 use winapi::um::{fileapi::FILE_DISPOSITION_INFO, heapapi::{GetProcessHeap, HeapAlloc}};
-use winapi::um::handleapi::INVALID_HANDLE_VALUE;
-
-macro_rules! okey {
-    ($msg:expr, $($arg:expr), *) => {
-        println!("[+] {}",format!($msg, $($arg), *));
-    }
-}
 
-macro_rules! error {
-    ($msg:expr, $($arg:expr), *) => {
-        println!("[!] {}",format!($msg, $($arg), *));
-        println!("Exiting ...");
-        std::process::exit(1);
-    };
-}
+// macro_rules! okey {
+//     ($msg:expr, $($arg:expr), *) => {
+//         println!("[+] {}",format!($msg, $($arg), *));
+//     }
+// }
 
-pub const NULL: *mut c_void = 0 as *mut c_void;
+// macro_rules! error {
+//     ($msg:expr, $($arg:expr), *) => {
+//         println!("[!] {}",format!($msg, $($arg), *));
+//         println!("Exiting ...");
+//         std::process::exit(1);
+//     };
+// }
 
 fn main(){
-    let stream = "let del this nerdy !";
-    let stream_wide: Vec<u16> = stream.encode_utf16().chain(std::iter::once(0)).collect();
+    // This stream name is for alternate stream.
+    let stream = ":test_stream";
+    let stream_wide: Vec<u16> = OsString::from(stream).encode_wide().chain(std::iter::once(0)).collect();
 
     unsafe{
-        let mut delete_file: FILE_DISPOSITION_INFO = std::mem::zeroed();
-        delete_file.DeleteFile = true.into(); 
+        let mut delete_file = FILE_DISPOSITION_INFO{
+            DeleteFile: 1 // default value is 1
+        };
 
-        let length = size_of::<FILE_RENAME_INFO>();
+        let rename_info_size = std::mem::size_of::<FILE_RENAME_INFO>() + (stream_wide.len() * std::mem::size_of::<u16>());
+        
+        // allocate memory for FILE_RENAME_INFO
+        let rename_info = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, rename_info_size) as *mut FILE_RENAME_INFO;
 
-        let rename_info = HeapAlloc(
-            GetProcessHeap(), 
-            HEAP_ZERO_MEMORY,
-            length as usize
-        ) as *mut FILE_RENAME_INFO;
+        if rename_info.is_null() {
+            panic!("Memory allocation failed");
+        }
 
-        (*rename_info).FileNameLength = (stream_wide.len() * size_of::<u16>()) as u32 - 2;
+        delete_file.DeleteFile = 1;
+        (*rename_info).FileNameLength = (stream_wide.len() * std::mem::size_of::<u16>()) as u32 - 2;
 
         std::ptr::copy_nonoverlapping(
             stream_wide.as_ptr(),
-            (*rename_info).FileName.as_mut_ptr(), 
-            stream_wide.len()
+            (*rename_info).FileName.as_mut_ptr(),
+            stream_wide.len(),
         );
 
-        let path = current_exe().unwrap();
-        let path_str = path.to_str().unwrap();
-        
-        let mut full_path: Vec<u16> = path_str.encode_utf16().collect();
+        let path = std::env::current_exe().unwrap();
+        let mut full_path: Vec<u16> = OsString::from(path).encode_wide().collect();
         full_path.push(0);
 
-        let h_file = CreateFileW(
+        // Open the file with delete and synchronize permissions
+        let handle = CreateFileW(
             full_path.as_ptr(),
-            0x00010000 | 0x00100000, 
+            0x00010000 | 0x00100000,
             0x00000001,
-            null_mut(),
-            3 as u32,
-            0,
+            core::ptr::null_mut(),
+            3, // OPEN_EXISTING
+            0 as u32, // FILE_ATTRIBUTE_NORMAL
             null_mut(),
         );
 
-        if h_file == INVALID_HANDLE_VALUE {
-            error!("CreateFileW Error: {:?}",GetLastError());
+        if handle.is_null() {
+            panic!("Failed to open file");
         }
 
-        okey!("CreateFileW Adr: {:?}",h_file);
-
-        SetFileInformationByHandle(
-            h_file,
-            FileRenameInfo,
-            rename_info as *mut _,
-            length as u32,
+        // rename the alternate data stream
+        let setfileinfohandle = SetFileInformationByHandle(
+            handle, 
+            FileRenameInfo, 
+            rename_info as *mut c_void, 
+            rename_info_size as u32
         );
-        
-        CloseHandle(h_file);
 
-        let h_file = CreateFileW(
+        if setfileinfohandle == 0 {
+            panic!("Failed to set file information for rename");
+        }
+
+        CloseHandle(handle);
+
+        // Re-open the file with delete on close flag
+        let handle = CreateFileW(
             full_path.as_ptr(),
-            0x00010000 | 0x00100000, 
+            0x00010000 | 0x40000000 | 0x00100000,
             0x00000001,
-            null_mut(),
-            3 as u32,
-            0,
+            std::ptr::null_mut(),
+            3, 
+            FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE,
             null_mut(),
         );
 
-        if h_file == INVALID_HANDLE_VALUE {
-            error!("CreateFileW Error2: {}",GetLastError());
+        if handle == null_mut() {
+            panic!("Failed to re-open file for deletion");
         }
 
-        SetFileInformationByHandle(
-            h_file,
-            FileDispositionInfo,
-            &delete_file as *const _ as *mut _,
-            size_of_val(&delete_file) as u32,
+        // Mark the file for deletion
+        let setfileinfo = SetFileInformationByHandle(
+            handle, 
+            FileDispositionInfo, 
+            &delete_file as *const FILE_DISPOSITION_INFO as *mut c_void, 
+            std::mem::size_of::<FILE_DISPOSITION_INFO>() as u32
         );
 
-        CloseHandle(h_file);
+        if setfileinfo == 0 {
+            panic!("Failed to mark file for deletion");
+        }
+
+        CloseHandle(handle); // This will delete the file
 
+        // free the allocated memory
         HeapFree(
-            GetProcessHeap(),
-            0,
+            GetProcessHeap(), 
+            0, 
             rename_info as *mut c_void,
         );
     }
-}
-
+}
