Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/LloydLabs/delete-self-poc
A way to delete a locked file, or current running executable, on disk.
- Host: GitHub
- URL: https://github.com/LloydLabs/delete-self-poc
- Owner: LloydLabs
- License: mit
- Created: 2021-01-19T22:28:41.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-07-29T08:41:11.000Z (3 months ago)
- Last Synced: 2024-08-01T03:21:23.819Z (3 months ago)
- Language: C
- Homepage:
- Size: 10.7 KB
- Stars: 483
- Watchers: 19
- Forks: 88
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-anti-forensic - delete-self-poc
- awesome-hacking-lists - LloydLabs/delete-self-poc - A way to delete a locked file, or current running executable, on disk. (C)
README
# 🗑️ delete-self-poc
The `delete-self-poc` is a demonstration of a method to delete a locked executable or currently running file from disk. This concept was initially discovered by Jonas Lykkegaard, and I have created the proof of concept (POC) for it. Additionally, it can be used to delete locked files on disk, provided that the current calling process has the necessary permissions to access and delete them.

How does this work, though, in this POC?
1. Open a HANDLE to the current running process with DELETE access. Note that only DELETE access is required.
2. Use the SetFileInformationByHandle function to rename the primary file stream, :$DATA, to :wtfbbq.
3. Close the HANDLE.
4. Open a HANDLE to the current process and set the DeleteFile flag of the FileDispositionInfo class to TRUE.
5. Close the HANDLE to trigger the file disposition.
6. Voila! The file is now gone.

# Releases
I have included a statically linked release within this repository, if you can't be bothered compiling the original source code.