Hi
Can we write a C++ program in Windows which can delete itself completely from the hard disk!?
A .exe file that deletes itself.
14 replies to this topic
#1
Posted 27 December 2011 - 11:42 AM
I wrote this ebook! Will you translate it into English for free!?:confused: PM me!
#2
Posted 27 December 2011 - 02:02 PM
I don't see why you wouldn't be able to. I'd think you'd delete it like you would any other file from inside a program.
EDIT: Nevermind, I just tried it and it didn't work. I'll see if there is a way though.
---------- Post added at 06:02 PM ---------- Previous post was at 05:47 PM ----------
This site has a lot of samples for this: Self Deleting Executables | www.catch22.net. All of them require the program to actually exit for it to be deleted however.
Latinamne loqueris?
#3
Posted 27 December 2011 - 02:47 PM
@mebob: I know, I tried deleting an executable that was running, before.
* * *
I was thinking maybe starting another process that would do the deleting, but then you would have the other program that you started to delete after it deletes the program you originally started, so you'll end up with the same question again, of how you would delete that program.
I wonder if there's a Windows utility that deletes a file after a determined amount of time.
#4
Posted 27 December 2011 - 05:36 PM
The fact that it is running locks the file. Since the file is locked, no file can delete it until it stops running. Once it stops running, it can't delete itself :) You might be able to create and launch a batch file or something in a separate thread, however.
#5
Posted 27 December 2011 - 05:47 PM
The one under "Solution for XP+" is pretty interesting. It pushes all the functions to be called in reverse order, then does a return (all with inline assembly). All that code is placed in an external library to be run with rundll32. At the bottom of the page there is also a "catch-all" complicated solution.
Latinamne loqueris?
#6
Posted 27 December 2011 - 08:23 PM
There's some stack magic you can do but it's basically undefined behavior since you'd have to return with an invalid IP.
I think most viruses that do this (at least the ones from like 8 years ago) will write a simple asm program in memory somewhere and then set the next instruction to be run at the start of that program, which of course will still leave that memory with the ability to be overwritten when the program in question returns, although I don't know the odds of that happening. Of course all of this depends on which OS you're running...
Writing a program to do this over and over again to see how many times it would succeed on average would be interesting.
"The best optimizer is between your ears" - Michael Abrash
Saying you can optimize a program is like saying you understand how a program works on every level of every facet on a specific machines configuration.
#7
Posted 27 December 2011 - 11:16 PM
I don't quite understand what you mean by "return with an invalid IP". How would the instruction pointer be invalidated, exactly?
Latinamne loqueris?
#8
Posted 28 December 2011 - 05:43 AM
It's just taboo to me to return from a program with a non-pristine stack, which is what you would be doing before forcing a call to happen after your program ends. Invalid is a harsh word, I guess.
Rightly so in C, since it's considered undefined behavior as far as I know.
Oh, if we're looking at the same webpage, the bottom solution is very similar to an earlier solution: the program just creates a child process and loads some code in its memory to wait for the parent to finish. Once it finishes, the child process deletes the program and then exits to kill its own process. I don't know when the last time he tested that was, though it appears to have been tested on XP, so it might not work on Vista.
The other trick above it, with the pushing of Windows API calls onto the stack and setting it to be run before exiting, should still work, but I can't try it as I'm about to drive 4 hours...
"The best optimizer is between your ears" - Michael Abrash
Saying you can optimize a program is like saying you understand how a program works on every level of every facet on a specific machines configuration.
#9
Posted 28 December 2011 - 11:34 AM
Maybe some Windows directory that's being watched almost all the time. If you save a child program inside that directory, run that program, and exit. Then that program should delete this program, exiting after that. Since the directory that program's in is being watched almost all the time, Windows would probably delete that program because it's not in the "allowed in this directory list."
Well, just an idea; probably a bad one, but still, just putting some more thoughts here :D.
#10
Posted 28 December 2011 - 12:49 PM
Sysop_fb said:
It's just taboo to me to return from a program with a non pristine stack which is what you would be doing before forcing a call to happen after your program ends, invalid is a harsh word I guess.
Rightly so in C since it's considered undefined behavior as far as I know.
I think I understand what you are saying, but Windows API functions don't use cdecl (used in regular C functions) in which the function (in our case main) that calls another function must clean up the stack after the called function. Windows API functions use stdcall in which the function being called cleans up the stack. That should leave the stack clean.
Latinamne loqueris?
#11
Posted 28 December 2011 - 03:00 PM
This is probably one of the most elegant ways to melt a file ("self-delete"):
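```cpp
#include <windows.h>
#include <shellapi.h>

// Asks the command interpreter (%ComSpec%) to delete this program's own image file.
bool melt() {
    // szCmd must hold "/c del " + a MAX_PATH path + " >> NUL" without overflowing.
    wchar_t szFile[MAX_PATH] = {0}, szCmd[MAX_PATH + 16] = {0};
    // Own image path, converted to its 8.3 short form.
    if ((GetModuleFileNameW(0, szFile, MAX_PATH) != 0) && (GetShortPathNameW(szFile, szFile, MAX_PATH) != 0)) {
        lstrcpyW(szCmd, L"/c del ");
        lstrcatW(szCmd, szFile);
        lstrcatW(szCmd, L" >> NUL");
        // szFile is reused for the ComSpec path; ShellExecuteW returns > 32 on success.
        if ((GetEnvironmentVariableW(L"ComSpec", szFile, MAX_PATH) != 0) &&
            ((INT_PTR)ShellExecuteW(0, 0, szFile, szCmd, 0, SW_HIDE) > 32))
            return true;
    }
    return false;
}
```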
You can also create a batch file script on Windows, and call the batch file at the end of execution, having the batch file endlessly loop trying to delete the *.exe until it is deleted.
“You may be disappointed if you fail, but you are doomed if you don't try.”
- Beverly Sills
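A defender's view of the `cmd /c del` approach in post #11, as an added example that is not part of the original thread: a process asking `%ComSpec%` to delete its own image file shows up in process-creation logs as a `cmd.exe` child whose `del` target is the parent's executable. The events below are constructed samples using Sysmon-style field names (`Image`, `CommandLine`, `ParentImage`), and the 8.3 short-name comparison is a basename-only heuristic.

```python
import ntpath
import re

# "/c del <target>" as built by the melt() snippet in post #11 (switches optional).
DEL_RE = re.compile(r'/c\s+(?:del|erase)\s+(?:/\w\s+)*"?([^">]+?)"?\s*(?:>|$)', re.I)
# 8.3 short name such as INVOIC~1.EXE: up to 6 chars, ~N, up to 3-char extension.
SHORT_RE = re.compile(r'^([^~]{1,6})~\d+(\.[^.]{0,3})?$')

def same_file(target, image):
    """True if the del target names the image; basename-only heuristic."""
    t = ntpath.basename(target).upper()
    i = ntpath.basename(image).upper()
    if t == i:
        return True
    m = SHORT_RE.match(t)
    if not m:
        return False
    stem, ext = ntpath.splitext(i)
    stem = re.sub(r'[ .]', '', stem)  # short-name generation drops spaces and dots
    return stem.startswith(m.group(1)) and ext[:4] == (m.group(2) or '')

def find_self_delete(events):
    """Return events where cmd.exe is asked to delete its parent's image file."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(ev["CommandLine"])
        if m and same_file(m.group(1).strip(), ev["ParentImage"]):
            hits.append(ev)
    return hits

# Constructed sample events (not real telemetry).
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"Image": CMD, "ParentImage": r"C:\Users\alice\Downloads\invoice viewer.exe",
     "CommandLine": CMD + r" /c del C:\Users\alice\DOWNLO~1\INVOIC~1.EXE >> NUL"},
    {"Image": CMD, "ParentImage": r"C:\Build\make.exe",
     "CommandLine": CMD + r" /c del C:\Build\out\temp.obj"},
    {"Image": CMD, "ParentImage": r"C:\Temp\setup.exe",
     "CommandLine": CMD + r' /c del "C:\Temp\setup.exe"'},
    {"Image": CMD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": CMD + r" /c dir C:\Temp"},
]

if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print("self-delete candidate:", hit["ParentImage"], "->", hit["CommandLine"])
```

Because the snippet in post #11 converts the path with `GetShortPathNameW`, an exact string comparison between the `del` target and the parent image would miss it; that is why the short-name case is handled separately.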
#12
Posted 28 December 2011 - 03:49 PM
They didn't work for me in Win 7 64-bit.