Self-deletion techniques in detail

First, an overview of the self-deleting implementation: the program creates a batch file and starts a process to execute it, then the program exits; the batch file waits 5 seconds, deletes the specified program and then deletes itself. In this way the program's self-deletion is implemented.

Self-deletion can be implemented mainly in two ways: one uses batch technology, the other calls an API provided by Windows.

First, batch technology. Batch processing (BATCH) is also known as batch scripting. As the name suggests, a batch applies a series of operations to an object; it is usually considered a simplified scripting language and is used on DOS and Windows systems. The extension of a batch file is BAT. Batch files fall into two categories: DOS batch and PS batch. PS batch is based on Microsoft's powerful PowerShell and is used to run scripts for certain tasks, while a DOS batch consists of DOS commands that are executed automatically to carry out a specific operation. For more complex logic, flow-control commands such as if, for and goto are used, much as in high-level languages such as C or Basic. If even more complex applications are required, external programs are needed; these include external commands provided by the system itself and tools or software provided by third parties. Although a batch program runs in the command-line environment, it is not limited to command-line software: any program that runs on the current system can be started from a batch file.

Some people take the term batch language more broadly than described above, including the batch languages of many applications such as Microsoft Office, Visual Studio and Adobe Photoshop, which let users make the corresponding software perform an automated operation (for example, adjusting the resolution of all PSD files). Such batch languages also provide a way to record a series of operations as a batch file, so that users can obtain batch programs without writing any code.

Here, too, it is a special kind of language: for example, the commands we would type into CMD can be written into a BAT file. Batch can therefore be used to implement self-deletion, on one premise: batch provides a command with which a script can delete itself, as shown below.

After the batch file executes this command, the file is deleted directly, not moved to the recycle bin. So we can first run the program we want to execute, then sleep, and then use del %0 to make the batch file remove itself.

There is one point to note here: one way to delay is the choice command, the other is the ping command. The choice command only exists from Windows 2003 onward; that is, Windows 2003 and later versions support it, while versions below Windows 2003 do not. Windows XP is older than Windows 2003, so it does not support the choice command.

Let us first look at the implementation with the choice command; the BAT code is as follows.

Sorting out the idea: to achieve self-deletion, we first need to know the directory where the program is located, then generate a batch file, and then create a process to execute that batch file. The main API used is GetModuleFileName:


Retrieves the fully qualified path of the file containing the specified module.

Then we must first write a function that generates the batch file automatically; here it can be written directly with wsprintf.

Then use fopen_s and fwrite to write the batch file out.

The full code is as follows

Then we first get the directory where the program is located.

Then place the batch file in the same directory as the program.

Then call the CMD command line.

Before calling it, create the batch file with the function written earlier.

Finally, use CreateProcess to create the process. There is one special point: we need the execution to be hidden, so we use a mode that does not display the window of the executed program. This is controlled by the ninth parameter of CreateProcess; first look at the CreateProcess declaration.

It is the lpStartupInfo parameter. This parameter is a STARTUPINFO structure that determines how the main window of the new process is shown, so we continue with the STARTUPINFO structure.

To hide the window, dwFlags must be set to STARTF_USESHOWWINDOW and wShowWindow set to FALSE (that is, 0, the value of SW_HIDE).

Then call CreateProcess to start the process.

Now look at the effect: the program simply exits and nothing is shown, which proves it is working as intended, because we hid the CMD window.

Here we change the value of wShowWindow to TRUE and check the effect again.

That is still not very obvious, so we change the approach: run the EXE directly, and Test.bat appears in the same directory.

After 10 s the EXE is found to have been deleted, which proves our self-deletion succeeded.

As mentioned above, XP has no choice command, so the ping command is used instead; the BAT code is as follows.

It works just like the choice version, so it is not described in detail here; only the batch code changes.
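Both batch variants above (choice-based delay and ping-based delay, each followed by del %0) leave the same footprint on disk: a dropped .bat that waits, deletes a program and then deletes itself. The following added example, which is not the article's own code, is a static check a defender can run over a recovered batch file to recognise that pattern. The three sample scripts are constructed for illustration; the choice and ping samples mirror the article's description, and the third is a benign cleanup script for contrast.

```python
"""Static detector for the delay-then-delete batch pattern (added example)."""
import re
from typing import Dict, List

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs")


def split_commands(script: str) -> List[str]:
    """Split a batch script into individual commands.

    cmd.exe allows several commands on one line joined by &, && or ||, so split on
    those as well as on line breaks. A leading '@' only suppresses echo. A redirection
    such as 2>&1 is split as well; the stray fragment '1' is ignored harmlessly below.
    """
    commands = []
    for line in script.splitlines():
        for part in re.split(r"&&|\|\||&", line):
            part = part.strip().lstrip("@").strip()
            if part:
                commands.append(part)
    return commands


def analyse_batch(script: str) -> Dict[str, object]:
    """Return the total delay, the files deleted and whether the script deletes itself."""
    delay_seconds = 0
    deletes: List[str] = []
    self_delete = False
    for cmd in split_commands(script):
        words = cmd.split()
        verb = words[0].lower()
        if verb in ("choice", "timeout"):
            # choice /t N and timeout /t N both wait N seconds
            match = re.search(r"/t\s*:?\s*(\d+)", cmd, re.IGNORECASE)
            if match:
                delay_seconds += int(match.group(1))
        elif verb == "ping":
            # ping sends one echo per second, so -n N takes about N-1 seconds
            match = re.search(r"-n\s+(\d+)", cmd, re.IGNORECASE)
            if match:
                delay_seconds += max(int(match.group(1)) - 1, 0)
        elif verb in ("del", "erase"):
            for arg in words[1:]:
                if arg.startswith(("/", ">", "<", "2>")):
                    continue  # switches and redirections are not paths
                if "%0" in arg or "%~f0" in arg:
                    self_delete = True  # %0 / %~f0 expand to the script's own path
                else:
                    deletes.append(arg.strip('"'))
    exe_deletes = [p for p in deletes if p.lower().endswith(EXECUTABLE_EXTS)]
    reasons = []
    if self_delete:
        reasons.append("deletes its own script file via %0")
    for path in exe_deletes:
        reasons.append(f"deletes executable {path}")
    if delay_seconds and (self_delete or exe_deletes):
        reasons.append(f"waits about {delay_seconds}s first, as a parent process needs before it can be deleted")
    return {
        "delay_seconds": delay_seconds,
        "deletes": deletes,
        "self_delete": self_delete,
        "suspicious": self_delete or bool(exe_deletes),
        "reasons": reasons,
    }


# Constructed sample: the choice-based script as the article describes it
SAMPLE_CHOICE = r'''@echo off
choice /t 5 /d y /n >nul
del "C:\Users\alice\AppData\Local\Temp\dropper.exe"
del %0
'''

# Constructed sample: the ping variant used where choice is unavailable (Windows XP)
SAMPLE_PING = r'''@echo off
ping -n 6 127.0.0.1 >nul
del "%~dp0dropper.exe" & del "%~f0"
'''

# Constructed benign sample: a build cleanup script, no delay and no self-deletion
SAMPLE_BENIGN = r'''@echo off
xcopy /y build\app.exe release\
del /q release\old.log
'''

if __name__ == "__main__":
    for name, script in (("choice", SAMPLE_CHOICE), ("ping", SAMPLE_PING), ("benign", SAMPLE_BENIGN)):
        result = analyse_batch(script)
        print(name, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

The check is deliberately coarse: it flags the combination that matters here (a wait, deletion of an executable, deletion of the script itself) rather than any single del, so an ordinary cleanup script is not reported. A batch that reaches itself through other expansions such as %~dp0%~nx0 would need an extra rule.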

A small tip: here we implemented self-starting and self-deletion via cmd.exe; can a self-deleting version of a CS (Cobalt Strike) check-in EXE be written the same way? The answer is yes, but it will not be expanded on here.

Let us take a look at the MoveFileEx API.

dwFlags: the move flags, which indicate how the file or directory is to be handled.

MOVEFILE_COPY_ALLOWED: must be specified when moving a file to a different drive letter, otherwise the call fails; this value cannot be combined with MOVEFILE_DELAY_UNTIL_REBOOT.

MOVEFILE_DELAY_UNTIL_REBOOT: the file is not moved immediately; it is moved the next time the machine is restarted. Cannot be combined with MOVEFILE_COPY_ALLOWED.

MOVEFILE_FAIL_IF_NOT_TRACKABLE: the call fails if the source file is a link source but the file cannot be tracked after the move.

MOVEFILE_REPLACE_EXISTING: if the destination file already exists, its contents are replaced by the contents of the lpExistingFileName file; ACL permissions are checked at this point, so the call may fail.

MOVEFILE_WRITE_THROUGH: the function only returns once the file has actually been written to disk; no data may remain unflushed in the buffers.

When calling MoveFileEx there are several points to note: first, when dwFlags is MOVEFILE_DELAY_UNTIL_REBOOT the operation is carried out at the next reboot; second, if a directory is moved, the destination directory must not already exist; third, a directory cannot be moved to a different drive.

So to implement self-deletion here we only need to set dwFlags to MOVEFILE_DELAY_UNTIL_REBOOT. Why are SYSTEM or Administrator privileges required? Because MoveFileEx performs the move or deletion by writing to the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. We can see that this key lives under HKEY_LOCAL_MACHINE rather than under the user hive, so Administrator privileges are needed to modify it.

Let us look at this value: its type is REG_MULTI_SZ, so multiple strings can be written into it.


So how does MoveFileEx carry out the deletion? First, two concepts: autochk and the page file.

First, autochk:

The official MSDN explanation of autochk is: runs when the computer is started and prior to Windows Server starting, to verify the logical integrity of a file system.

That is, autochk is used to verify the logical integrity of the file system. Now the page file:

The page file is the file the operating system creates and uses as virtual memory, reflecting the amount of hard-disk space set aside for it. To defragment the page file, first move it from its original drive to another drive, then defragment the original drive, and finally move the page file back to the original drive; at that point the page file occupies a contiguous area of disk. Concretely, under Windows (Windows 2000 / XP) it is the pagefile.sys file, the system page file (the well-known virtual memory file). Its size depends on how many programs are open and on the minimum and maximum values originally set for the page file, and it changes constantly: sometimes only a few dozen MB, sometimes several hundred or even thousands of MB.

So what is the relationship between these two concepts? There is a point in time during startup at which autochk runs but the page file has not yet been created. At that point the user cannot yet interact with the operating system, and files that cannot be deleted under normal circumstances can be deleted. My understanding is that when the page file has not yet been created, the operating system has not finished starting, so at that moment executables are not yet fully loaded.



Because we have to append the path after the prefix already in the buffer, lstrcat is used.

Then call MoveFileEx to implement the self-deletion.

The full code is as follows

Running it directly, we get error 5, which as a GetLastError value means access denied. As mentioned above, the registry must be modified, so starting the program with user privileges is refused.

Starting it as Administrator instead, you can see that it succeeds.

Looking at the PendingFileRenameOperations value, the entry has been added successfully, and the file will be deleted after a restart.
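The PendingFileRenameOperations value described above is the durable trace of this method, so it is the thing to check when looking for reboot-deferred deletions on a host or in an acquired hive. The following added example, which is not the article's code, decodes the raw REG_MULTI_SZ bytes of that value and flags executables scheduled for deletion. It relies on two assumptions about the format stated here: the strings come in (source, destination) pairs with an empty destination meaning "delete at next boot", which is what MoveFileEx with a NULL new name and MOVEFILE_DELAY_UNTIL_REBOOT registers, and a destination prefixed with "!" is one registered with MOVEFILE_REPLACE_EXISTING (observed convention). Paths carry the NT-namespace prefix \??\. The sample value is constructed; on a real system the bytes would come from an exported or offline hive.

```python
"""Decode PendingFileRenameOperations and flag pending executable deletions (added example)."""
from typing import List, Tuple

NT_PREFIX = "\\??\\"
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".bat", ".cmd")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob (UTF-16LE, NUL after each string, extra NUL at the end)
    into its strings, keeping empty entries that sit before the list terminator."""
    text = raw.decode("utf-16-le")
    # Drop the terminator only; an empty entry just before it (the empty destination
    # of a delete) must survive, so never strip NULs blindly.
    if text.endswith("\x00\x00"):
        text = text[:-2]
    elif text.endswith("\x00"):
        text = text[:-1]
    return text.split("\x00") if text else []


def encode_multi_sz(strings: List[str]) -> bytes:
    """Inverse of decode_multi_sz; used here to build the constructed sample value."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (source, destination, action) for each pending operation.

    Assumed layout (see lead-in): pairs of strings; empty destination = delete,
    '!' prefix on the destination = replace existing, otherwise a plain move.
    """
    strings = decode_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            action = "delete"
        elif dst.startswith("!"):
            action = "replace"
            dst = dst[1:]
        else:
            action = "move"
        ops.append((_strip_nt_prefix(src), _strip_nt_prefix(dst), action))
    return ops


def pending_executable_deletes(raw: bytes) -> List[str]:
    """Sources scheduled for deletion that are executables: the self-delete footprint."""
    return [src for src, _dst, action in pending_operations(raw)
            if action == "delete" and src.lower().endswith(EXECUTABLE_EXTS)]


# Constructed sample value: a deferred delete of an executable in a user's Temp
# directory, a legitimate-looking replace-on-reboot of a DLL, and a log file delete.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "",
    "\\??\\C:\\Program Files\\Vendor\\app.dll.new", "!\\??\\C:\\Program Files\\Vendor\\app.dll",
    "\\??\\C:\\Windows\\Temp\\setup.log", "",
])

if __name__ == "__main__":
    for op in pending_operations(SAMPLE_VALUE):
        print(op)
    print("pending executable deletes:", pending_executable_deletes(SAMPLE_VALUE))
```

Because a delete entry ends in three consecutive NULs (the source's terminator, the empty destination, the list terminator), naive REG_MULTI_SZ readers that stop at the first empty string lose exactly the entries of interest; decoding the raw bytes avoids that.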

We have implemented two self-deletion methods. The MoveFileEx method requires the computer to be restarted before the deletion takes effect, whereas the batch method deletes without a reboot; choose the implementation according to the specific use.

This article was originally published by Drunkmars.
For reprints, please refer to the reprint statement and credit:
Anquanke (安全客) – ideal new security media