Skip to content
/ delete-self-poc Public
forked from LloydLabs/delete-self-poc

A way to delete a locked file, or current running executable, on disk.

License

MIT license
0 stars 86 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

5l1v3r1/delete-self-poc

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

.gitattributes

.gitattributes

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

main.c

main.c

 
 

main.h

main.h

 
 

Repository files navigation

🗑️ delete-self-poc

A way to delete a locked, or current running executable, on disk. This was originally found by Jonas Lykkegaard - I just wrote the POC for it. This can also be used to delete locked files on disk, that the current calling process has permissions to get DELETE access to.

How does this work, though - in this POC?

  1. Open a HANDLE to the current running process, with DELETE access. Note, DELETE is only needed.
  2. Rename the primary file stream, :$DATA, using SetFileInformationByHandle to :wtfbbq.
  3. Close the HANDLE
  4. Open a HANDLE to the current process, set DeleteFile for the FileDispositionInfo class to TRUE.
  5. Close the HANDLE to trigger the file disposition
  6. Viola - the file is gone.

Releases

I have included a statically linked release within this repository, if you can't be bothered compiling the original source code.

About

A way to delete a locked file, or current running executable, on disk.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • C 100.0%