Self-deletion techniques in detail

First, the self-deletion implementation in outline: the program writes a batch file, creates a process to run it, and then exits. The batch file waits about 5 seconds, deletes the specified program, and then deletes itself. That completes the self-deletion.

There are two main ways to implement self-deletion: one uses a batch script, the other calls an API that Windows provides.

Let's start with batch scripts. Batch processing (BATCH) refers to batch scripts. As the name suggests, a batch processes a set of objects; it is usually regarded as a simplified scripting language and is used on DOS and Windows systems. A batch file has the extension .BAT. Batch falls into two categories: DOS batch and PowerShell batch. PowerShell batch is built on Microsoft's PowerShell and scripts a set of tasks; DOS batch is a sequence of DOS commands executed automatically to perform a specific operation. More complex batch files use flow-control commands such as IF, FOR and GOTO, much like higher-level languages such as C or Basic. For still more complex jobs an external program is needed, either an external command shipped with the system or a third-party tool. Although a batch program runs in the command-line environment, it is not limited to command-line software: any program that runs on the current system can be run from a batch file.

Some people take the term batch language more broadly than described above, to include the batch languages of applications such as Microsoft Office, Visual Studio and Adobe Photoshop, which let users automate operations in that application (for example, adjusting the resolution of every PSD file). Such batch languages often also record a series of operations as a batch file, so users get a batch program without writing one.

Here we mean the narrower sense: the commands you would type into CMD can be written into a .BAT file. A batch file can therefore implement self-deletion, on one condition: the batch language must be able to delete its own script. It can, with del %0 (%0 expands to the path of the running batch file), as shown below.

When the batch file runs this command the file is deleted outright, not moved to the Recycle Bin. So the script can run whatever we want, sleep, and then run del %0 to remove itself.

One point about the delay: it can be done with the choice command or with the ping command. Note that choice only exists from Windows Server 2003 onwards; Windows 2003 and later support it, earlier versions do not. Windows XP predates Windows 2003 and so does not support choice.

First, the choice-based version. The BAT code is as follows.

The plan: to self-delete, the program first needs to know its own directory, then generates a batch file and starts a process to run it. Finding the path uses the GetModuleFileName API:

GetModuleFileName

Retrieves the fully qualified path of the file containing the specified module.

We first write a function that generates the batch file automatically; the content can be formatted directly with wsprintf.

Then use fopen_s and fwrite to write the batch file.

The full code is as follows.

First we get the directory the program is in.

Then we place the batch file in the same directory as the program.

Then we build the CMD command line.

Then we generate the batch file, using the function written earlier, before launching it.

Finally, CreateProcess creates the process. There is one special point: the execution must be hidden, so we use the mode that does not display the program's window. That is controlled by the ninth parameter of CreateProcess; first look at the CreateProcess prototype.

The ninth parameter is lpStartupInfo, a STARTUPINFO structure that determines how the new process's main window is shown; follow that to the STARTUPINFO structure.

To hide the window, set dwFlags to STARTF_USESHOWWINDOW and wShowWindow to SW_HIDE (which is 0, i.e. FALSE).

Then call CreateProcess to start the process.

Run it to check the effect: the program exits immediately and nothing appears. That is expected, because we hid the CMD window.

Set wShowWindow to TRUE (SW_SHOWNORMAL is 1) and check again.

The difference is still not obvious, so change approach: run the EXE directly, and Test.bat appears in the same directory.

After about 10 seconds the EXE is gone, proving the self-deletion works.

As mentioned above, XP has no choice command, so ping is used instead; the BAT code is as follows.

This is much like the choice version, so it is not covered in detail; just swap in the new code.
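The whole batch-based routine as one worked example (added here; this is not the author's code from the post). The script-building core is portable C and is what the example exercises; the Windows-specific part (GetModuleFileNameA, writing the script next to the EXE, and hiding the cmd.exe window with STARTF_USESHOWWINDOW and SW_HIDE in CreateProcessA) is compiled only under _WIN32. It goes beyond the post in two ways: the delay is selectable between choice and ping, and the delete is retried a bounded number of times in case the EXE is still running when the first del executes. The script name test.bat, the 5-second delay and the retry limit are assumptions, and the sample path is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the self-deleting batch script.
 *   exe_path : full path of the program to remove (on Windows, from GetModuleFileName)
 *   use_ping : 0 = delay with CHOICE (Server 2003 and later), 1 = delay with PING (also XP)
 *   delay_s  : seconds to wait before each delete attempt
 * Returns the number of characters written to buf, or -1 if buf is too small.
 * The delete is retried up to 10 times (an assumed limit) because the EXE may still be
 * running when the first del executes; afterwards the script removes itself via "%~f0". */
int build_self_delete_batch(const char *exe_path, int use_ping, int delay_s,
                            char *buf, size_t buf_len)
{
    char delay[64];
    if (use_ping)
        /* ping sends one request per second, so -n (delay+1) waits about delay_s seconds */
        snprintf(delay, sizeof delay, "ping 127.0.0.1 -n %d > nul", delay_s + 1);
    else
        /* choice with a timeout and a default answer acts as a sleep without a prompt */
        snprintf(delay, sizeof delay, "choice /t %d /d y /n > nul", delay_s);

    int n = snprintf(buf, buf_len,
        "@echo off\r\n"
        "set tries=0\r\n"
        ":retry\r\n"
        "%s\r\n"
        "del /f /q \"%s\"\r\n"
        "if not exist \"%s\" goto done\r\n"
        "set /a tries+=1\r\n"
        "if %%tries%% lss 10 goto retry\r\n"
        ":done\r\n"
        "del /f /q \"%%~f0\"\r\n",
        delay, exe_path, exe_path);
    return (n < 0 || (size_t)n >= buf_len) ? -1 : n;
}

#ifdef _WIN32
#include <windows.h>

/* Write the script next to the running EXE and launch it through a hidden cmd.exe.
 * Returns 1 on success; the caller should exit promptly so the delete can succeed. */
static int launch_self_delete(int use_ping)
{
    char exe[MAX_PATH], bat[MAX_PATH + 16], cmd[2 * MAX_PATH], script[1024];
    if (!GetModuleFileNameA(NULL, exe, sizeof exe)) return 0;

    const char *slash = strrchr(exe, '\\');
    if (!slash) return 0;
    /* same directory as the EXE; "test.bat" is an assumed name */
    snprintf(bat, sizeof bat, "%.*stest.bat", (int)(slash - exe + 1), exe);

    if (build_self_delete_batch(exe, use_ping, 5, script, sizeof script) < 0) return 0;
    FILE *f = fopen(bat, "wb");
    if (!f) return 0;
    fwrite(script, 1, strlen(script), f);
    fclose(f);

    snprintf(cmd, sizeof cmd, "cmd.exe /c \"%s\"", bat);
    STARTUPINFOA si = {0};
    PROCESS_INFORMATION pi = {0};
    si.cb = sizeof si;
    si.dwFlags = STARTF_USESHOWWINDOW;   /* honour wShowWindow */
    si.wShowWindow = SW_HIDE;            /* SW_HIDE == 0: no console window */
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) return 0;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 1;
}
#endif

int main(void)
{
#ifdef _WIN32
    int ok = launch_self_delete(0);
    printf("self-delete scheduled: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;                   /* exit so the batch can delete us */
#else
    /* Off Windows, just show the script that would be written for a constructed path. */
    char script[1024];
    if (build_self_delete_batch("C:\\Users\\test\\app.exe", 1, 5, script, sizeof script) < 0)
        return 1;
    fputs(script, stdout);
    return 0;
#endif
}
```

The script quotes both the target path and "%~f0" (the full path of the script itself) so that directories with spaces work, and uses del /f /q so a read-only attribute does not stop the delete; the bounded retry avoids leaving a hidden cmd.exe spinning forever if the file can never be removed.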

A small tip: here we implemented the self-deletion by starting cmd.exe. Can one write a self-deleting Cobalt Strike (CS) beacon EXE the same way? Yes, but that is not expanded on here.

Now look at the MoveFileEx API.

dwFlags: move options, indicating how the file or directory is to be handled.

MOVEFILE_COPY_ALLOWED: must be specified when moving a file to a different drive letter (volume), otherwise the call fails; it cannot be combined with MOVEFILE_DELAY_UNTIL_REBOOT.

MOVEFILE_DELAY_UNTIL_REBOOT: the file is not moved immediately but at the next restart of the machine; it cannot be combined with MOVEFILE_COPY_ALLOWED.

MOVEFILE_FAIL_IF_NOT_TRACKABLE: the call fails if the source file is a link source but the file cannot be tracked after the move (for example, when the destination volume is FAT).

MOVEFILE_REPLACE_EXISTING: if a file named by lpNewFileName already exists, it is replaced by the file named by lpExistingFileName. Access checks (ACLs) apply to the destination, so the call may fail; the flag cannot be used when either name refers to a directory.

MOVEFILE_WRITE_THROUGH: the function returns only after the file has actually been moved on disk, with no data left in buffers.

Several points about calling MoveFileEx: first, with MOVEFILE_DELAY_UNTIL_REBOOT the operation is carried out at restart; second, when moving a directory the destination must not already exist; third, a directory cannot be moved between drives.

So to implement self-deletion we set dwFlags to MOVEFILE_DELAY_UNTIL_REBOOT. Why does this need SYSTEM or administrator privileges? Because MoveFileEx achieves the deferred move or delete by writing to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. The key lives under HKEY_LOCAL_MACHINE, not under the user hive, so administrator rights are needed to modify it.

Look at the value: its type is REG_MULTI_SZ, so it can hold multiple strings.

On investigation, for a delete MoveFileEx writes File\0\0 to PendingFileRenameOperations, while for a move it writes File\0OtherFile\0.

So how does MoveFileEx actually delete the file? Two concepts first: autochk and the page file.

Autochk:

The official MSDN explanation of Autochk is: "Runs when the computer is started and prior to Windows Server starting to verify the logical integrity of a file system."

So Autochk verifies the logical integrity of the file system. Now the page file:

The page file is the file the operating system creates on disk to back virtual memory; its size reflects the disk space reserved for that purpose. To defragment the page file, move it from its original drive to another drive, defragment the original drive, then move it back; it then occupies contiguous disk space. Concretely, on Windows 2000/XP the page file is pagefile.sys, the system page file (the well-known virtual memory file). Its size changes constantly, depending on how many programs are open and on the minimum and maximum you configured: sometimes only tens of MB, sometimes hundreds or even thousands of MB.

How do these two relate? There is a point during boot at which autochk has run but the page file has not yet been created. At that point the user cannot yet interact with the operating system and nothing holds the file open, so files that cannot be deleted under normal conditions (the Session Manager processes the pending operations then) can be deleted. My understanding is that before the page file is created the operating system has not finished starting, so at that time no executable is actually fully loaded.

Now that we know the principle, let's implement it. The code is much shorter than the batch version, but no fewer concepts are involved. Earlier we saw that the paths stored in the PendingFileRenameOperations value carry a prefix (\??\, the NT path form); that is not what we add ourselves. According to the MoveFileEx function definition, the path of the file to delete needs \\?\ prepended.

So we first put \\?\ at the front of the buffer.

Since the path is appended after it in the buffer, use lstrcat.

Then call MoveFileEx to perform the self-deletion.

The full code is as follows.

Run it directly and we get error 5: GetLastError reports access denied (ERROR_ACCESS_DENIED). As noted above, the registry must be modified, so a start under an ordinary user account is refused.

Start it as Administrator and it succeeds.

Looking at the PendingFileRenameOperations value after the call succeeds, the entry has been added; the file is deleted after the restart.
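The registry side of the MoveFileEx method as a worked example (added here; this is not code from the post). The portable part builds a PendingFileRenameOperations value exactly as described above (REG_MULTI_SZ in UTF-16LE, source\0target\0 pairs with an empty target meaning delete, paths in NT form \??\C:\...) and parses such a value back, which is what a responder does when checking a system for deferred deletes or renames. The Windows-only part, compiled under _WIN32, performs the actual self-deletion with MoveFileExW and the \\?\ prefix. The sample paths are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Append s (ASCII) as a NUL-terminated UTF-16LE string; returns bytes written, 0 if no room. */
static size_t put_utf16le(uint8_t *out, size_t cap, const char *s)
{
    size_t len = strlen(s), need = (len + 1) * 2;
    if (need > cap) return 0;
    for (size_t i = 0; i <= len; i++) { out[2 * i] = (uint8_t)s[i]; out[2 * i + 1] = 0; }
    return need;
}

/* The key stores NT paths: "\\?\C:\x" (the prefix the post adds) and "C:\x" both become "\??\C:\x". */
static void to_nt_path(const char *win32, char *out, size_t cap)
{
    if (strncmp(win32, "\\\\?\\", 4) == 0) win32 += 4;
    snprintf(out, cap, "\\??\\%s", win32);
}

/* Append one operation the way MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) records it:
 * "src\0dst\0" for a rename, "src\0\0" (empty target) for a delete.
 * Returns the new blob length, 0 if the blob is too small. */
size_t append_pending_op(uint8_t *blob, size_t cap, size_t len,
                         const char *src, const char *dst)
{
    char nt[512];
    size_t k;
    to_nt_path(src, nt, sizeof nt);
    if (!(k = put_utf16le(blob + len, cap - len, nt))) return 0;
    len += k;
    if (dst) to_nt_path(dst, nt, sizeof nt); else nt[0] = '\0';
    if (!(k = put_utf16le(blob + len, cap - len, nt))) return 0;
    return len + k;
}

/* A REG_MULTI_SZ value ends with one more empty string (two zero bytes). */
size_t finish_multi_sz(uint8_t *blob, size_t cap, size_t len)
{
    if (cap - len < 2) return 0;
    blob[len] = 0; blob[len + 1] = 0;
    return len + 2;
}

/* Read one UTF-16LE string at *pos (ASCII subset; other code units become '?').
 * Returns 0 if the blob ends before the terminator. */
static int get_utf16le(const uint8_t *blob, size_t len, size_t *pos, char *out, size_t cap)
{
    size_t n = 0;
    while (*pos + 1 < len) {
        uint16_t cu = (uint16_t)(blob[*pos] | (blob[*pos + 1] << 8));
        *pos += 2;
        if (cu == 0) { out[n] = '\0'; return 1; }
        if (n + 1 < cap) out[n++] = cu < 0x80 ? (char)cu : '?';
    }
    return 0;
}

/* Walk a raw PendingFileRenameOperations value, print each operation and count the
 * deletes. Returns the number of operations, or -1 if the value is malformed. */
int list_pending_ops(const uint8_t *blob, size_t len, int *deletes)
{
    char src[512], dst[512];
    size_t pos = 0;
    int ops = 0;
    *deletes = 0;
    for (;;) {
        if (!get_utf16le(blob, len, &pos, src, sizeof src)) return -1;
        if (src[0] == '\0') return ops;                    /* final empty string */
        if (!get_utf16le(blob, len, &pos, dst, sizeof dst)) return -1;
        if (dst[0] == '\0') { (*deletes)++; printf("DELETE %s\n", src); }
        else printf("RENAME %s -> %s\n", src, dst);
        ops++;
    }
}

#ifdef _WIN32
#include <windows.h>
/* Register the running EXE for deletion at the next boot. Needs administrator or
 * SYSTEM, since the entry is written under HKLM; error 5 is ERROR_ACCESS_DENIED. */
static int schedule_self_delete(void)
{
    wchar_t path[MAX_PATH + 4] = L"\\\\?\\";              /* "\\?\" prefix, as in the post */
    if (!GetModuleFileNameW(NULL, path + 4, MAX_PATH)) return 0;
    if (!MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)) {
        printf("MoveFileExW failed, GetLastError=%lu\n", (unsigned long)GetLastError());
        return 0;
    }
    return 1;
}
#endif

int main(void)
{
#ifdef _WIN32
    return schedule_self_delete() ? 0 : 1;
#else
    /* Off Windows: build the value a delete and a rename would leave (constructed paths), parse it back. */
    uint8_t blob[1024];
    int deletes;
    size_t len = append_pending_op(blob, sizeof blob, 0, "\\\\?\\C:\\Users\\test\\self.exe", NULL);
    len = append_pending_op(blob, sizeof blob, len, "C:\\a.txt", "C:\\b.txt");
    len = finish_multi_sz(blob, sizeof blob, len);
    printf("%d operations\n", list_pending_ops(blob, len, &deletes));
    return 0;
#endif
}
```

The parser treats the value as raw bytes rather than wchar_t so it also works on a hive exported from another machine; a pending delete of an executable under a user profile directory is the artifact this technique leaves behind until the reboot.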

We have now implemented two self-deletion methods. The MoveFileEx method needs a restart before the file is deleted, while the batch method deletes without rebooting; choose according to the specific use.

This article was originally published by Drunkmars.
For reprints, please follow the reprint statement and cite: https://www.anquanke.com/post/id/259050
Anquanke – the ideal security new media
