// sde : Self deleting executable
// OS : Works on NT and 2000
// Author : Gary Nebbett
// STL, London Road, Harlow, Essex CM17 9NA, UK
// Voice +44-279-29531
// Email [email protected] | PSI%234237100122::GRN
// Reference : Deleting the Executable File of
// the Running Process Gary Nebbett [email protected]
// Windows Developer Magazine
// http://www.windevnet.com/documents/s=7257/wdj0109g/0109g.htm
// selfdel.cpp
// ------------------ ------------------- ----------------
// | | | Virtual Address | | File Control |
// | Process Object |------>| Descriptor | | Block |
// | | | (VAD) | | (FCB) |
// ------------------ ------------------- ----------------
// : | ^
// handle : to | ptr reference | ptr
// v v |
// ------------------ ------------------- ---------------
// | | | Image Section | | |
// | Section Object | | Control Area | | File Object |
// | | | | | |
// ------------------ ------------------- ---------------
// | ^ ^ |
// | ptr | ptr | ptr | ptr
// v | | |
// ------------------ | | ------------- |
// | | | | | Section | |
// | Segment |<----------- ---| Object |<---
// | | | pointers |
// ------------------ -------------
// DeleteFile() fails when used on its own (running) executable
// because there is a reference from the File Object to the File
// Control Block that is incompatible with the deletion of the file.
// The reference to the File Control Block persists until we eliminate:
// - The section object from which the process was created.
// - The VAD (Virtual Address Descriptor) recording that the file is
// mapped into the virtual address space.
#include <windows.h>
// Entry point. Attempts to delete the running executable's own image
// file on NT/2000 by first dropping the two references that pin the
// File Control Block (see the header comment), then unmapping the image
// and deleting the file from a hand-built stack without ever returning
// to this function.
// argc/argv are unused.
// Returns 0 only if control reaches the end of the function; in the
// intended flow ExitProcess(0) ends the process from inside the asm
// block, so the trailing return is not normally reached.
// NOTE(review): this is MSVC inline assembly for 32-bit x86 (eax,
// 4-byte pushes); it does not build with other compilers or for x64.
int main ( int argc, char * argv[]) {
// Receives the full path of the running executable (filled by
// GetModuleFileName below, then handed to DeleteFile from the asm block).
char buf[MAX_PATH];
// Base address of the running executable's image; the argument that
// UnmapViewOfFile receives.
HMODULE module;
// Remove the Process object's handle to the Section object.
// Empirical observations indicate that the value of the handle
// is always four, the lowest valid handle value.
// The handle is the only reference to the section object,
// and when the reference count goes to zero the section
// object is deleted.
// NOTE(review): "four" is an observation, not an API guarantee. On a
// system where handle 4 refers to something else this closes an
// unrelated handle and the section object stays alive; the return
// value of CloseHandle is not checked, so that case is silent.
CloseHandle( (HANDLE) 4 );
// Get module handle to the running executable.
// We will need this as an argument to UnmapViewOfFile()
module = GetModuleHandle(0);
// Get module name of the running executable.
// We will need this as an argument to DeleteFile() (it is the buffer
// address pushed as DeleteFile's argument in the asm block below).
// NOTE(review): the return value is not checked; if the call fails or
// truncates, buf is not a usable path and DeleteFile is handed garbage.
GetModuleFileName(module, buf, MAX_PATH);
// Generate stack.
// The return address specifies the address to which control will be transferred on exit from a function.
// --------------------------------------------------------------------------------
// ExitProcess()'s argument 1 : (UINT uExitCode)
// stack frame return address : transfer control on exit to 0 (Kernel32)
// --------------------------------------------------------------------------------
// DeleteFile()'s argument 1 : (LPCTSTR lpFileName)
// stack frame return address : transfer control on exit to ExitProcess()
// --------------------------------------------------------------------------------
// UnmapViewOfFile()'s argument 1 : (HMODULE hModule)
// stack frame return address : transfer control on exit to DeleteFile()
// --------------------------------------------------------------------------------
// How the chain works: each Win32 API here is 32-bit __stdcall, so a
// callee expects [return address][argument] on top of the stack and pops
// its own argument on return. The pushes below lay out three such frames
// back to back and the final `ret` jumps to UnmapViewOfFile; when it
// returns it lands in DeleteFile with &buf as its argument, and when
// DeleteFile returns it lands in ExitProcess(0). ExitProcess is not
// expected to return, so the 0 pushed as its return address is only a
// placeholder. None of the three calls has its result checked: if
// UnmapViewOfFile or DeleteFile fails the process still exits with 0.
// NOTE(review): the deletion itself is an ordinary DeleteFile call on
// the executable's own path, so file-system auditing or API-level
// monitoring still records it; what disappears afterwards is the file.
__asm {
push 0 ; ExitProcess() argument (UINT uExitCode)
push 0 ; ExitProcess() return address : transfer control to kernel32()
; ExitProcess() stack frame
lea eax, buf ; forward pass setup.
push eax ; DeleteFile() argument (LPCTSTR lpFileName)
push ExitProcess ; DeleteFile() return address : transfer control to ExitProcess()
; DeleteFile() stack frame
push module ; UnmapViewOfFile() argument (HMODULE hModule)
push DeleteFile ; UnmapViewOfFile() return address : transfer control to DeleteFile()
push UnmapViewOfFile ; UnMapViewOfFile() stack frame
ret ; Start unwinding the stack.
}
// Reached only if the `ret` above did not transfer control (it normally does).
return 0;
}