Self-Deleting File - "Melting"

Post date: Mar 13, 2010 10:33:50 PM

It may be necessary for an un-install program to remove an application, as well as itself in order to completely remove the application from disk. This [collection of] snippet[s] will enable an executable to delete itself from disk whilst running.

{

Comspec Method

Ported: steve10120

Compiled: Delphi 2007

Website: hackhound.org

}

The Comspec method works under all 32bit versions of Windows (95,98,ME,NT,2000,XP), as long as the COMSPEC environment variable is defined. This is always defined (by default) to be the full path to the operating system's command interpreter. For Windows 95, this is "command.exe". For Windows NT, this is "cmd.exe". The function will only work if the executable has exited, so it is important to call this function and then exit immediately. It works by spawning a copy of the system's command interpreter, and asking it to perform the following command:

del exepath >> NUL

This deletes the current executable, and pipes the output to NUL (no output). The shell process is created with a hidden window as well, so the whole process is invisible. For more information, visit: http://www.catch22.net/tuts/selfdel

function ComSpecMelt():Boolean;
var
  szFile:  array[0..255] of Char;
  szCmd:   array[0..255] of Char;
begin
  Result := FALSE;
  if GetModuleFileName(0, szFile, 256) <> 0 then
  begin
    GetShortPathName(szFile, szFile, 256);
    lstrcpy(szCmd,'/c del ');
    lstrcat(szCmd, szFile);
    lstrcat(szCmd, ' >> NUL');
    if (GetEnvironmentVariable('ComSpec', szFile, 256) <> 0) and
       (ShellExecute(0, nil, szFile, szCmd, nil, SW_HIDE) > 32) then
      Result := TRUE;
  end;
end;

Self Deletion Unit coded by FoRSaKeN^

This unit uses code injection to delete itself.

unit DeleteUnit;
interface
uses Windows;
Procedure DeleteME(hProcess:Cardinal);
implementation
Procedure DeleteME(hProcess:Cardinal);
  Type
   TData   = Record
   _DeleteFileA : Pointer;
  _ExitThread  : Pointer;
  _Sleep       : Pointer;
   _szFile      : Pointer;
  end;
  procedure LoadProc(param: Pointer); stdcall;
  var
  Inject : TData;
  begin
  Inject := TData(param^);
    asm
      @del:
      push 1000
      call Inject._Sleep
      push Inject._szFile
      call Inject._DeleteFileA
      cmp  eax,0
      je   @del
      push 0
      call Inject._ExitThread
    end;
  end;
  Var
  Written,ThreadID      : Cardinal;
  Params,Proc           : Pointer;
   pData                 : TData;
  Handle                : hWnd;
begin
if hProcess = 0 then exit;
//------------------------------------------------------------------------------
pData._DeleteFileA   := GetProcAddress(GetModuleHandle(kernel32),'DeleteFileA');
pData._ExitThread    := GetProcAddress(GetModuleHandle(kernel32),'ExitThread' );
pData._Sleep         := GetProcAddress(GetModuleHandle(kernel32),'Sleep'      );
//------------------------------------------------------------------------------
pData._szFile := VirtualAllocEx(hProcess, nil, Length(ParamStr(0)) + 1, $3000, $40);
WriteProcessMemory(hProcess, pData._szFile, PChar(Paramstr(0)), Length(Paramstr(0)) + 1, Written);
//------------------------------------------------------------------------------
Params  := VirtualAllocEx(hProcess, nil, SizeOf(TData),$3000, $40);
WriteProcessMemory(hProcess, Params, @pData, SizeOf(TData), Written);
if Written<>SizeOf(TData) then exit;
//------------------------------------------------------------------------------
Proc    := VirtualAllocEx(hProcess, nil, 500, $3000, $40);
WriteProcessMemory(hProcess, Proc, @LoadProc, 500, Written);
if Written<>500 then exit;
//------------------------------------------------------------------------------
Handle := CreateRemoteThread(hProcess,nil,0, Proc, Params, 0, ThreadID);
if Handle = 0 then exit;
//------------------------------------------------------------------------------
end;
end.

In the near future, I will add more self-deletion / "melting" snippets.