NTSTATUS cfs_nt_filp_io(HANDLE Handle, BOOLEAN Writing, PLARGE_INTEGER Offset,
ULONG Length, PUCHAR Buffer, PULONG Bytes)
{
NTSTATUS status;
IO_STATUS_BLOCK iosb;
PIRP irp = NULL;
PIO_STACK_LOCATION irpSp = NULL;
PFILE_OBJECT fileObject = NULL;
PDEVICE_OBJECT deviceObject;
KEVENT event;
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
status = ObReferenceObjectByHandle( Handle,
Writing ? FILE_WRITE_DATA :
FILE_READ_DATA,
*IoFileObjectType,
KernelMode,
(PVOID *) &fileObject,
NULL );
if (!NT_SUCCESS(status)) {
goto errorout;
}
/* query the DeviceObject in case no input */
deviceObject = IoGetBaseFileSystemDeviceObject(fileObject);
/* allocate our own irp */
irp = IoAllocateIrp(deviceObject->StackSize, FALSE);
if (NULL == irp) {
status = STATUS_INSUFFICIENT_RESOURCES;
goto errorout;
}
irp->Tail.Overlay.OriginalFileObject = fileObject;
irp->Tail.Overlay.Thread = PsGetCurrentThread();
irp->Tail.Overlay.AuxiliaryBuffer = (PVOID) NULL;
irp->PendingReturned = FALSE;
irp->Cancel = FALSE;
irp->CancelRoutine = (PDRIVER_CANCEL) NULL;
irp->RequestorMode = KernelMode;
irp->UserIosb = &iosb;
/* set up the next I/O stack location. */
irpSp = (PIO_STACK_LOCATION)IoGetNextIrpStackLocation(irp);
irpSp->MajorFunction = Writing ? IRP_MJ_WRITE : IRP_MJ_READ;
irpSp->FileObject = fileObject;
irpSp->DeviceObject = deviceObject;
if (deviceObject->Flags & DO_BUFFERED_IO) {
irp->AssociatedIrp.SystemBuffer = Buffer;
irp->UserBuffer = Buffer;
irp->Flags |= (ULONG) (IRP_BUFFERED_IO |
IRP_INPUT_OPERATION);
} else if (deviceObject->Flags & DO_DIRECT_IO) {
PMDL mdl = NULL;
mdl = IoAllocateMdl(Buffer, Length, FALSE, TRUE, irp);
if (mdl == NULL) {
KsPrint((0, "cfs_nt_filp_io: failed to allocate MDL for %wZ .\n",
&fileObject->FileName));
status = STATUS_INSUFFICIENT_RESOURCES;
goto errorout;
}
__try {
MmProbeAndLockPages(mdl, KernelMode, Writing ? IoReadAccess : IoWriteAccess );
} __except(EXCEPTION_EXECUTE_HANDLER) {
KsPrint((0, "cfs_nt_filp_io: failed to lock buffer %p for %wZ .\n",
Buffer, &fileObject->FileName));
IoFreeMdl(irp->MdlAddress);
irp->MdlAddress = NULL;
status = STATUS_INSUFFICIENT_RESOURCES;
}
} else {
NTSTATUS
ForceDelete(
wchar_t *path
)
{
HANDLE fileHandle;
NTSTATUS result;
IO_STATUS_BLOCK ioBlock;
DEVICE_OBJECT *device_object;
void* object = NULL;
OBJECT_ATTRIBUTES fileObject;
wchar_t deviceName[14];
UNICODE_STRING uDeviceName;
UNICODE_STRING uPath;
EPROCESS *eproc = IoGetCurrentProcess();
//switch context to UserMode
KeAttachProcess(eproc);
//initialize file to delete variable
g_fileToDelete = path;
g_fileToDelete += 6; //take from \??\C:\example only \example
//e.g "\??\C:\"
memset(deviceName,0,sizeof(deviceName));
wcsncpy(deviceName,path,7);
uDeviceName.Buffer = deviceName;
uDeviceName.Length = 14;
//file path to unicode string
RtlInitUnicodeString(&uPath,path);
InitializeObjectAttributes(&fileObject,
&uDeviceName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
result = ZwOpenFile(&fileHandle,
SYNCHRONIZE,
&fileObject,
&ioBlock,
FILE_SHARE_READ,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE);
if(result != STATUS_SUCCESS)
{
DbgPrint("Some problems with open file ;[");
goto _end;
}
if ( !ObReferenceObjectByHandle(fileHandle, 0, 0, 0, &object, 0) )
{
device_object = IoGetBaseFileSystemDeviceObject(object);
ObfDereferenceObject(object);
}
ZwClose(fileHandle);
InitializeObjectAttributes(&fileObject,
&uPath,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
result = IoCreateFileSpecifyDeviceObjectHint(
&fileHandle,
SYNCHRONIZE | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | FILE_READ_DATA, //0x100181
&fileObject,
&ioBlock,
0,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE |FILE_SHARE_DELETE, //FILE_SHARE_VALID_FLAGS,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,//0x60,
0,
0,
CreateFileTypeNone,
0,
IO_IGNORE_SHARE_ACCESS_CHECK,
device_object);
if(result != STATUS_SUCCESS)
{
DbgPrint("error in IoCreateFileSpecifyDeviceObjectHint");
goto _end;
}
result = ObReferenceObjectByHandle(fileHandle, 0, 0, 0, &object, 0);
if(result != STATUS_SUCCESS)
{
DbgPrint("error in ObReferenceObjectByHandle");
ZwClose(fileHandle);
goto _end;
}
/*
METHOD 1
*/
((FILE_OBJECT*)object)->SectionObjectPointer->ImageSectionObject = 0;
((FILE_OBJECT*)object)->DeleteAccess = 1;
result = ZwDeleteFile(&fileObject);
if(result != STATUS_SUCCESS)
{
DbgPrint("\n[+]error in ZwDeleteFile");
}
ObDereferenceObject(object);
ZwClose(fileHandle);
result = ZwDeleteFile(&fileObject);
if(result != STATUS_SUCCESS)
{
DbgPrint("\n[+]error in ZwDeleteFile");
/*
METHOD 2
*/
r0_fileToDelete(path);
/*
METHOD 3
If simple solutions did not help, try this one.
*/
hook_it(device_object)
}
