Copy file name to clipboardExpand all lines: Malware_Tips/self_delete.rs
+85-69Lines changed: 85 additions & 69 deletions
@@ -8,118 +8,134 @@
8
8
9
9
*/
10
10
11
-
use std::env::current_exe;
12
-
use std::mem::{size_of, size_of_val};
11
+
/*
12
+
Explanation:~
13
+
* The code creates an alternate data stream, which isn't visible in typical file listings, and uses this to manipulate the file in a way that allows for self-deletion.
14
+
* By renaming the file's alternate data stream, it essentially prepares the file for an operation that can be performed on itself without directly needing admin permissions for file deletion.
15
+
* The actual deletion occurs when the file handle is closed after marking the file for deletion, which is a Windows feature where marking a file for deletion and then closing the last handle to it results in the file being deleted.
16
+
17
+
*/
18
+
use std::ffi::OsString;
19
+
use std::os::windows::ffi::OsStrExt;
13
20
use std::ptr::null_mut;
14
21
use winapi::ctypes::c_void;
15
-
use winapi::um::errhandlingapi::GetLastError;
16
22
use winapi::um::fileapi::{CreateFileW,SetFileInformationByHandle,FILE_RENAME_INFO};
17
23
use winapi::um::handleapi::CloseHandle;
18
24
use winapi::um::heapapi::HeapFree;
19
25
use winapi::um::minwinbase::{FileDispositionInfo,FileRenameInfo};
20
-
use winapi::um::winnt::HEAP_ZERO_MEMORY;
26
+
use winapi::um::winbase::FILE_FLAG_DELETE_ON_CLOSE;
27
+
use winapi::um::winnt::{FILE_ATTRIBUTE_NORMAL,HEAP_ZERO_MEMORY};
21
28
use winapi::um::{fileapi::FILE_DISPOSITION_INFO, heapapi::{GetProcessHeap,HeapAlloc}};
22
-
use winapi::um::handleapi::INVALID_HANDLE_VALUE;
23
-
24
-
macro_rules! okey {
25
-
($msg:expr, $($arg:expr), *) => {
26
-
println!("[+] {}",format!($msg, $($arg), *));
27
-
}
28
-
}
29
29
30
-
macro_rules! error {
31
-
($msg:expr, $($arg:expr), *) => {
32
-
println!("[!] {}",format!($msg, $($arg), *));
33
-
println!("Exiting ...");
34
-
std::process::exit(1);
35
-
};
36
-
}
30
+
// macro_rules! okey {
31
+
// ($msg:expr, $($arg:expr), *) => {
32
+
// println!("[+] {}",format!($msg, $($arg), *));
33
+
// }
34
+
// }
37
35
38
-
pubconstNULL:*mutc_void = 0as*mutc_void;
36
+
// macro_rules! error {
37
+
// ($msg:expr, $($arg:expr), *) => {
38
+
// println!("[!] {}",format!($msg, $($arg), *));
39
+
// println!("Exiting ...");
40
+
// std::process::exit(1);
41
+
// };
42
+
// }
39
43
40
44
fnmain(){
41
-
let stream = "let del this nerdy !";
42
-
let stream_wide:Vec<u16> = stream.encode_utf16().chain(std::iter::once(0)).collect();
45
+
// This stream name is for alternate stream.
46
+
let stream = ":test_stream";
47
+
let stream_wide:Vec<u16> = OsString::from(stream).encode_wide().chain(std::iter::once(0)).collect();