Torrey’s Blog

My Application Development Ramblings

The NT Insider

May15

About a month or so ago I filled out the registration form for osronline.com (an online community for Windows® system software development) and only expected to get access to the website. Yesterday I checked the mailbox here at work and found a nice newsletter with several articles and example source code. It’s amazing to me that I received something of this quality for free. Hopefully my posting this doesn’t end up biting me in the butt with a subscription bill in the mail.

The cover of this newsletter mentions WinHEC. If you’re a driver developer and would like some useful information, WinHEC is the place to get it. I really wish Microsoft would hold some of these great conferences on the East Coast as well. It’s not much fun to read stories about these wonderful conferences and have to get materials from them through the grapevine. Usually my friends from Microsoft fork me the latest materials from the conference, but I’d rather be there myself.

Driver Development Fun

May14

During the past week or so I’ve been working in my free time on a driver that prevents any files from being deleted. The driver uses the hybrid hook method that can be found on rootkit.com and redirects the IAT entries for NtSetInformationFile and ZwSetInformationFile. Different Windows machines will use one or the other of those APIs when deleting a file; I can only guess why certain machines use one API over the other. The last step I need to finish before posting the source code is the redirect for ZwSetInformationFile.

If you’re curious to see the code that gets executed when either one of those APIs is called, I’ve pasted it below. Some extra information can be found here at osronline.com.

unsigned char new_code[] = {
    0x83, 0x7C, 0x24, 0x14, 0x0D,        // cmp dword [esp+0x14], 0x0D   ; FileInformationClass == FileDispositionInformation (13)?
    0x75, 0x11,                          // jnz short +0x11              ; not a delete request: skip straight to the jmp below
    0x8B, 0x44, 0x24, 0x08,              // mov eax, [esp+0x08]          ; IoStatusBlock
    0xC7, 0x00, 0x02, 0x00, 0x00, 0xC0,  // mov dword [eax], 0xC0000002  ; STATUS_NOT_IMPLEMENTED
    0x8B, 0x44, 0x24, 0x0C,              // mov eax, [esp+0x0C]          ; FileInformation (the bytes encode 0x0C, not 0x08)
    0xC6, 0x00, 0x00,                    // mov byte [eax], 0            ; FILE_DISPOSITION_INFORMATION.DeleteFile = FALSE
    0xB8, 0xFF, 0xFF, 0xFF, 0xFF,        // mov eax, 0xFFFFFFFF          ; placeholder, presumably patched with the address to continue at
    0xFF, 0xE0                           // jmp eax
};

The method I used is the more hackish way to go about preventing the deletion of files. The proper way to intercept these requests is a file system filter driver with a dispatch routine for IRP_MJ_SET_INFORMATION. When that IRP arrives with a FileInformationClass of FileDispositionInformation, the request buffer holds a FILE_DISPOSITION_INFORMATION structure, which consists of a single BOOLEAN, DeleteFile, telling the file system whether the file should be deleted when its last handle closes. In the hackish way I’ve intercepted this API call I change that value from 1 (TRUE) to 0 (FALSE) before the call continues, so the original routine ends up handling what is now a request not to delete. Two caveats for anyone reusing the stub: it hard-codes the 32-bit stdcall stack layout (FileInformationClass at [esp+0x14], FileInformation at [esp+0x0C]), and it only sees deletes requested through FileDispositionInformation. A file opened with the FILE_DELETE_ON_CLOSE create option is removed on its final close without this call ever being made, so a filter that wants to block deletion has to watch IRP_MJ_CREATE for that flag as well.
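As an added example (not the blog’s driver code and not the rootkit.com hook itself), the following user-mode C program models what the stub above does so it can be run and checked without a kernel: it keeps the stub bytes, verifies that the short jnz lands on the mov eax,imm32, patches the 0xFFFFFFFF placeholder with an assumed original-function address, and implements the stub’s decision in C against a constructed argument frame. The address 0x80501234, the fake_original stand-in routine and the helper names are assumptions for illustration; the FILE_DISPOSITION_INFORMATION and IO_STATUS_BLOCK shapes are the 32-bit ntifs.h ones, and the class check is the same one an IRP_MJ_SET_INFORMATION dispatch routine would make on IrpSp->Parameters.SetFile.FileInformationClass with the buffer in Irp->AssociatedIrp.SystemBuffer.

```c
/* Added example, not the blog's driver code: a user-mode model of the hook.
 * Only the stub bytes come from the post; the assumed original address, the
 * fake_original stand-in and the helper names are made up here. 32-bit stdcall
 * frame at stub entry: [esp+4]=FileHandle, [esp+8]=IoStatusBlock,
 * [esp+0xC]=FileInformation, [esp+0x10]=Length, [esp+0x14]=FileInformationClass. */
#include <stdint.h>
#include <stdio.h>

#define FileDispositionInformation 13u          /* FILE_INFORMATION_CLASS value */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_NOT_IMPLEMENTED      0xC0000002u /* the value the stub writes */

/* Same shapes as ntifs.h on a 32-bit build: one BOOLEAN, and Status+Information. */
typedef struct { uint8_t DeleteFile; } FILE_DISPOSITION_INFORMATION;
typedef struct { uint32_t Status; uint32_t Information; } IO_STATUS_BLOCK;

/* The stub from the post. Offsets: jnz at 5, mov eax,imm32 at 24, imm32 at 25. */
static uint8_t new_code[] = {
    0x83, 0x7C, 0x24, 0x14, 0x0D,        /* cmp dword [esp+0x14], 13            */
    0x75, 0x11,                          /* jnz short +0x11 (to the 0xB8)       */
    0x8B, 0x44, 0x24, 0x08,              /* mov eax, [esp+0x08]  IoStatusBlock  */
    0xC7, 0x00, 0x02, 0x00, 0x00, 0xC0,  /* mov dword [eax], 0xC0000002         */
    0x8B, 0x44, 0x24, 0x0C,              /* mov eax, [esp+0x0C]  FileInformation*/
    0xC6, 0x00, 0x00,                    /* mov byte [eax], 0    DeleteFile=0   */
    0xB8, 0xFF, 0xFF, 0xFF, 0xFF,        /* mov eax, imm32       placeholder    */
    0xFF, 0xE0                           /* jmp eax                             */
};
#define JNZ_OFFSET  5
#define PLACEHOLDER 25   /* index of the imm32 that follows the 0xB8 opcode */

/* Where the short jnz lands: offset of the next instruction plus signed rel8. */
int jnz_target(const uint8_t *code)
{
    return JNZ_OFFSET + 2 + (int8_t)code[JNZ_OFFSET + 1];
}

/* Fill the placeholder (little-endian); 1 on success, 0 if the stub looks wrong. */
int patch_trampoline(uint8_t *code, size_t len, uint32_t original)
{
    if (len < PLACEHOLDER + 4 || code[PLACEHOLDER - 1] != 0xB8) return 0;
    if (jnz_target(code) != PLACEHOLDER - 1) return 0;   /* jnz must hit the mov */
    for (int i = 0; i < 4; i++)
        code[PLACEHOLDER + i] = (uint8_t)(original >> (8 * i));
    return 1;
}

/* Read the patched imm32 back so the patch can be verified. */
uint32_t trampoline_address(const uint8_t *code)
{
    const uint8_t *p = code + PLACEHOLDER;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* NtSetInformationFile's signature, plus a constructed stand-in for the original
 * routine that records the DeleteFile byte it is handed (-1 if not a disposition call). */
typedef uint32_t (*set_info_fn)(uint32_t, IO_STATUS_BLOCK *, void *, uint32_t, uint32_t);
static int last_delete_seen = -1;
static uint32_t fake_original(uint32_t h, IO_STATUS_BLOCK *iosb, void *info,
                              uint32_t len, uint32_t cls)
{
    (void)h; (void)len;
    last_delete_seen = (cls == FileDispositionInformation)
                     ? ((FILE_DISPOSITION_INFORMATION *)info)->DeleteFile : -1;
    iosb->Status = STATUS_SUCCESS;   /* the real routine overwrites the stub's stamp */
    return STATUS_SUCCESS;
}

/* The stub's decision in C: stamp the status block, clear DeleteFile, fall through. */
uint32_t hooked_set_information_file(set_info_fn original, uint32_t h,
                                     IO_STATUS_BLOCK *iosb, void *info,
                                     uint32_t len, uint32_t cls)
{
    if (cls == FileDispositionInformation) {
        iosb->Status = STATUS_NOT_IMPLEMENTED;
        ((FILE_DISPOSITION_INFORMATION *)info)->DeleteFile = 0;
    }
    return original(h, iosb, info, len, cls);
}

/* Push one "delete this file" request through the hook for the given class and
 * report the DeleteFile value the original routine ended up seeing. */
int delete_seen_by_original(uint32_t cls)
{
    FILE_DISPOSITION_INFORMATION fdi = { 1 };   /* caller asks for deletion */
    IO_STATUS_BLOCK iosb = { 0, 0 };
    hooked_set_information_file(fake_original, 0x1234, &iosb, &fdi, sizeof fdi, cls);
    return last_delete_seen;
}

int main(void)
{
    int ok = patch_trampoline(new_code, sizeof new_code, 0x80501234u); /* hypothetical */
    printf("jnz -> offset %d, patched=%d, target=0x%08x\n",
           jnz_target(new_code), ok, trampoline_address(new_code));
    printf("DeleteFile seen by original: class 13 -> %d, class 4 -> %d\n",
           delete_seen_by_original(FileDispositionInformation),
           delete_seen_by_original(4u /* FileBasicInformation */));
    return 0;
}
```

The fake_original stand-in deliberately overwrites the IoStatusBlock, which is what the real routine does on completion: the stub’s STATUS_NOT_IMPLEMENTED stamp does not survive the fall-through, and the caller sees a successful "do not delete" request. A filter driver would normally make the same class check in its IRP_MJ_SET_INFORMATION routine and complete the IRP with an error status instead of silently flipping the byte.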