News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Self delete executable

Started by aw27, November 27, 2017, 02:05:47 AM

Previous topic - Next topic

aw27

Probably, the only way that always works as advertised:


.386
.model flat, stdcall

include .\delHelper.inc

.data
batname db "deleter.bat",0
batTemplate db '@echo off',10,':try',10,'del "%s"',10,'if exist "%s" goto try',10,'del %%0',10,0

.code

main proc
LOCAL tempPath[256] : BYTE
LOCAL tempLen : DWORD
LOCAL currentFile[256] : BYTE
LOCAL fileLen : DWORD
LOCAL fHandle : HANDLE
LOCAL batContents [512] : BYTE
LOCAL batLen : DWORD
LOCAL written : DWORD
LOCAL stupinfo : STARTUPINFOA
LOCAL ProcessInfo : PROCESS_INFORMATION

INVOKE GetTempPathA, 200, addr tempPath
mov tempLen, eax
invoke strcat, addr tempPath, addr batname

invoke GetModuleFileNameA, 0, addr currentFile, 256
mov fileLen, eax

; Create the .bat file
invoke CreateFileA, addr tempPath, GENERIC_WRITE,FILE_SHARE_READ,0, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
.if eax==-1
jmp @exit
.endif
mov fHandle, eax

invoke sprintf, addr batContents, addr batTemplate, addr currentFile, addr currentFile
mov batLen, eax
invoke WriteFile, fHandle, addr batContents, batLen, addr written, 0
invoke CloseHandle, fHandle

; Launch .bat file
lea edi, stupinfo
mov ecx, sizeof STARTUPINFOA
mov al, 0
cld
rep stosb
mov stupinfo.cb, sizeof STARTUPINFOA
mov stupinfo.dwFlags, STARTF_USESHOWWINDOW

invoke CreateProcessA, 0, addr tempPath, 0, 0, 1, CREATE_NO_WINDOW, 0, 0, addr stupinfo, addr ProcessInfo
invoke Closehandle, ProcessInfo.hThread
@exit:
invoke ExitProcess,0
main endp

end main

dedndave

oh, i know!  :shock:

ExitProcess

:biggrin:

anunitu


aw27

Quote from: dedndave on November 27, 2017, 04:59:24 AM
oh, i know!  :shock:

ExitProcess

:biggrin:

Of course, but before you find Christ you must first find the church (amen   :bgrin:)

Mikl__

self-destructor
In the time of MS-DOS, nobody was surprised at such a focus, the operating system allowed to write anything anywhere, and even delete the executable file while executing it. With the advent of Windows, the free will ended. If the file is started, then before it finishes, nothing can be done with it. But from this rule there is one exception - the so-called batch or bat-files. They are executed not as a stand-alone application, but as a set of instructions for the command processor, so they can easily delete themselves. This we will use to solve our problem. Here is an example of a batch file that first tries to delete a file on a given path, and then self-destruct.:loc
del "D:\Path\file.exe"
if exist "D:\Path\file.exe" goto loc
del %0
Checking and looping are needed in order to wait until the file is released and becomes available for elimination. The "del% 0" command deletes the bat file in which it is executed, without reference to its name. Now, to make our executable self-extracting, it must perform the following actions: get the name and path of the executable file, create a bat-file, run it and exit. bat-file wait for the end of the executable file, delete it, then delete itself..data
         mask    db ':loc',13,10
        db 'del "%s"',13,10
        db 'if exist "%s" goto loc',13,10
        db 'del %%0',0
batext  db '.bat',0

fname   db MAX_PATH dup (?)
buff    db MAX_PATH*3 dup (?)
...
.code
        ..... 
        invoke  GetModuleFileName,0,addr buff,MAX_PATH
        ; name of file in DOS'style
        invoke  GetShortPathName,addr buff,addr fname,MAX_PATH
        ; make bat-file
        invoke  wsprintf,buff,mask,fname,fname
        add     esp,16
        ; size of bat-file
        mov     esi,eax
        ; add ".bat"
        invoke  lstrcat,addr fname,addr batext
        ; write bat-file
        invoke  _lcreat,addr fname,0
        cmp     eax,-1
        je      @f
        mov     ebx,eax
        invoke  _lwrite,ebx,addr buff,esi
        invoke  _lclose,ebx
        ;hide run
        invoke  WinExec,addr fname,SW_HIDE
@@: invoke  ExitProcess,0

aw27

@Mikl__

Thank you for explaining what my example does and for making it Windows 95 compatible  :t

Mikl__

aw27,
There isn't my article. I pointed out the link to the article http://www.manhunter.ru/assembler/1019_samoudalyayuschiysya_fayl.html (17.05.2016)


This is another version of the suicide file. I do not presume to judge who the author, but IMHO both files come from the same source

aw27

@Mikl__

Ah, that is the reason it is broken then.

1) mask is a reserved word, replace with _mask.
2) invoke  wsprintf,buff,mask,fname,fname is wrong. It must be invoke  wsprintf, addr buff, addr _mask, addr fname, addr fname
3) add     esp,16 should not exist.
4) Also, what is the point of GetShortPathName to obtain a 8.3 DOS name when you are going to use double quotes surrounding the name in the batch file?

Strange is that no one tried to build it  and see it is broken.  :icon_rolleyes:

Mikl__

invoke  wsprintf,buff,mask,fname,fname is wrongit's not a mistake. I translated the program from FASM to MASM but not very carefully ~ 1 min

aw27

Quote from: Mikl__ on November 28, 2017, 02:10:10 AM
invoke  wsprintf,buff,mask,fname,fname is wrongit's not a mistake. I translated the program from FASM to MASM but not very carefully ~ 1 min
Ah, FASM.  :t