[AutoIT] (Self)Delete using asm

Discussion on [AutoIT] (Self)Delete using asm within the Coding Snippets forum part of the Coding Releases category.

#1, posted by [Beatrice]:

what's this?

normally you cannot delete an exe while it's running. to delete it, you have to run code after the exe is terminated. what i'm doing here is injecting code into an already running process, which makes your exe's deletion possible after its termination. what it does is basically:
  • find a 32-bit process available for injection (not x64 cos lazy)
  • allocate some memory in the process
  • write kernel32.Sleep with the time you specify & kernel32.DeleteFileA using the file you pick (can be the exe itself of course)
  • enumerate processes with kernel32.K32EnumProcesses and loop through the PIDs until the specified process is terminated
  • delete the specified file
  • clear the pages back & exit thread
and poof, it can just delete your file without creating any bat files or such


what can it be used for?
you can have your script do anything irrelevant, and anytime before exiting (as the code will loop until the process is terminated) you can use this code to self delete without any junk. it could also be used for self update scripts.

Quote: Originally Posted by Jeoni
...
thanks to Jeoni, this time it clears the memory with VirtualFree, leaving no garbage for real

shellcode:

examples attached

i hope this helped someone out there. i know autoit is the worst possible way of injecting code and this is not the cleanest way to do it, but i still think it could be used.



Attached Files
File Type: rar DeleteFileAfterTermination.rar (617.0 KB, 8 views)
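As an added defender-side example, not part of the original post or its attached script, this Python correlation flags the sequence the post describes (a remote thread into a 32-bit host whose start address is not backed by any module, the injecting process exiting, then the host deleting the injector's own image file) over constructed Sysmon-style events. Field names follow Sysmon event IDs 8, 5 and 23; the paths and PIDs are made up for the example.

```python
# Constructed, simplified Sysmon-style events (not real logs), in arrival order.
# Field names follow Sysmon Event ID 8 (CreateRemoteThread), 5 (ProcessTerminate)
# and 23 (FileDelete); paths and PIDs are made up for this example.
TOOL = r"C:\Users\u\Downloads\tool.exe"
HOST = r"C:\Windows\SysWOW64\notepad.exe"
EVENTS = [
    # injector creates a thread in a 32-bit host; start address has no backing module
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": TOOL,
     "TargetProcessId": 2216, "TargetImage": HOST,
     "StartAddress": "0x02A40000", "StartModule": ""},
    # benign thread: start address lies inside a loaded DLL
    {"EventID": 8, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 2216, "TargetImage": HOST,
     "StartAddress": "0x77A1B2C0", "StartModule": r"C:\Windows\SysWOW64\ntdll.dll"},
    {"EventID": 5, "ProcessId": 4120, "Image": TOOL},  # injector terminates
    {"EventID": 23, "ProcessId": 2216, "Image": HOST,
     "TargetFilename": r"C:\Users\u\notes.txt"},       # unrelated delete, ignored
    {"EventID": 23, "ProcessId": 2216, "Image": HOST,
     "TargetFilename": TOOL},                          # host deletes the injector's exe
]


def correlate(events):
    """Flag a host process that (1) received a remote thread whose start address is
    not backed by any module, (2) outlived the injecting process, and (3) afterwards
    deleted the injecting process's own image file."""
    pending = {}    # host pid -> {(injector pid, injector image)}
    exited = set()  # (pid, image) of processes that have terminated
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 8 and not ev.get("StartModule") \
                and ev["SourceProcessId"] != ev["TargetProcessId"]:
            key = (ev["SourceProcessId"], ev["SourceImage"].lower())
            pending.setdefault(ev["TargetProcessId"], set()).add(key)
        elif eid == 5:
            exited.add((ev["ProcessId"], ev["Image"].lower()))
        elif eid == 23:
            deleted = ev["TargetFilename"].lower()
            for pid, image in pending.get(ev["ProcessId"], ()):
                if (pid, image) in exited and deleted == image:
                    alerts.append({"injector_pid": pid, "injector": image,
                                   "host_pid": ev["ProcessId"], "host": ev["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("self-delete via injected thread:", alert)
```

Sysmon only reports a StartModule when the thread's start address falls inside a mapped image, so an empty field is the cheap signal that the thread began in memory allocated the way the post describes.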
#2, 07/11/2018, 08:17, posted by Serraniel:
AutoIt -> Coding Snippets
#moved
#3, 07/12/2018, 23:31, posted by Jeoni:
Quote: Originally Posted by [Beatrice]
self delete without any junk
Well, to be precise, it does leave garbage, but at least no garbage files. The garbage is the two pages you allocate in the remote process and do not free afterwards. On normal consumer systems that amounts to a memory leak of 8 KiB. It may be larger if large pages are used.
To counter that, you can adjust your shellcode to first delete the page with the file name on it (well, one allocation, one page, would be enough for file name and code, but fine) and then delete the code page by using some basic return oriented programming resulting in the following shellcode:
Code:
push sleeptime
call Sleep              ; Sleep(sleeptime)
push filename
call DeleteFileA        ; DeleteFileA(filename)
push 0xC000 ; MEM_RELEASE
push 0
push filename
call VirtualFree        ; VirtualFree(filename, 0, MEM_RELEASE) frees the page holding the file name
push 0 ; argument for ExitThread
push 0xC000 ; MEM_RELEASE
push 0
push codeaddress
push &ExitThread        ; pushed as the return address, so VirtualFree returns into ExitThread
jmp VirtualFree         ; VirtualFree(codeaddress, 0, MEM_RELEASE) frees the code page itself
Of course, you may even calculate "codeaddress" in assembler. Or you may screw with the stack a bit around, so the thread can end naturally and not through ExitThread, but I'm too lazy for that. Anyhow, that way, it's not only without any garbage file but also with no memory leak in some remote process.
With best regards
Jeoni
#4, 08/01/2018, 18:13, posted by [Beatrice]:
Quote: Originally Posted by Jeoni
...
I've updated the script, thank you so much for helping
#5, 10/27/2020, 12:54, posted by [Beatrice]:
updated to use K32EnumProcesses rather than sleep to be consistent.