I need to delete the exe file after it has been launched so that it cannot be analyzed (unless, of course, someone takes a memory dump). There are a couple of methods I know of, but they are real crutches:

  1. Remove the flash drive after running the program. It will keep working, but the image will not be available anywhere (which may cause a runtime error when requesting, for example, resources, but that is not important).
  2. Create a virtual disk and disconnect it once the program launched from it is running (does almost the same thing as method 1).

So how do you properly delete the exe at runtime? Maybe by working with the disk at the physical level?

  • Writing a virus? - VladD
  • No, I'm not. The goals are somewhat different. - user2173645
  • It was nice in OS/2: there is a special API function for this :) - full load into memory and unlocking the file... - Harry
  • MoveFile seems to be able to move it, and then go look for it... :-) - Vladimir Martyanov
  • Unlinking the executable file at runtime and deleting it is not that difficult. But doing it "so that it cannot be analyzed" is pointless; this will not affect the complexity of the analysis. - VTT

5 answers

There is one very convoluted option for Windows: create a file 2.exe that:

1) creates a region with assembler code (VirtualAlloc at address 0x20000, for example) and another at 0x410000 (for 1.exe)

2) reads 1.exe into 0x410000 as a single block

3) creates a region with assembler code (for example, at address 0x20000)

4) switches to the assembler code, clears all the stacks and does jmp 0x20000

5) the assembler code erases 2.exe from memory (also wiping the virtual memory)

6) writes 1.exe from the memory at 0x410000 into the same place (where 2.exe was erased from) and jmps to that code, but I don't know whether it will work

You could try to compile 1.exe itself in some special way, for example, and load it into the process memory. In general, it is worth digging into virtual memory. Surely, if you unmap the mapped exe and close the file handle(s), then you can also delete the file (then 2.exe is not needed at all). Needs testing.

I'm not writing a virus

Well, call it a Windows vulnerability tester.

    Generally, Windows locks files while they are executing or being read/written. You can, of course, try to circumvent this with the methods used by viruses, but I think the antivirus will quickly flag such chaos. I think the best option for you would be to run a deletion script after completion.

    • I'm not writing a virus, and it does not matter to me whether the antivirus complains or not. I just need any known method of deleting it without using third-party programs (as I used to do by creating a virtual disk). - user2173645
    • Off topic: if I were writing a virus, I would inject it into system processes. It is much harder to find it that way, and practically nobody looks at the dll. - user2173645
    • And why use third-party software to create a virtual disk? You can create one with the help of CMD. - Mishakov Maxim
    • diskpart is third-party software (which is in cmd). - user2173645

    This does not answer the question, but it is the most I know.

    http://web.archive.org/web/20160308234918/http://www.catch22.net/tuts/self-deleting-executables

    The simplest solution from the article relies on the fact that a bat file can delete itself: del %0 or del %0.bat, saved in Notepad and then launched.

    From personal experience I will add (not related to the article above): the WinHex program allows you to replace any bytes on the medium; it does not matter whether the file is locked or running. Using knowledge of the file system, you can locate the executable module in the device's partition by way of the file system and overwrite those bytes. But the ways WinHex achieves this are unknown to me. In the same way, while inside Windows, you can also read the system files that store passwords. This can be done with one of the utilities for recovering deleted files: when you ask it to restore a file that exists (for example, the one storing passwords and locked by the operating system), it will copy its contents wherever you want.

      There is another option: use a (kernel) driver, through physical memory. Or unlink the module from the process's module list. Anything. I just thought there was a ring3 option. I will try to play around with injecting into system processes.

        And yet I found a solution. It is called process hollowing (source code on GitHub). After that, the exe image is no longer listed as in use, so it can be deleted.
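The "batch file" method from the catch22 article cited in the answer above, written out as an added example (this is not code from the thread or from the article): a running image file cannot be deleted while it is mapped (DeleteFile fails with a sharing violation, although, as noted in the comments, MoveFile can still rename or move it on the same volume), so a detached cmd.exe keeps retrying the delete until the process exits and then removes its own .cmd with the same `del "%~f0"` trick as `del %0`. The function name Register-SelfDelete, the helper file name and the demo target are assumptions made for the example; the demo copies cmd.exe to a temporary file so that it has a locked executable to delete without touching a real one.

```powershell
# Added example, not from the thread: the catch22 "batch file" method done from PowerShell.
# A running image cannot be deleted (DeleteFile fails with a sharing violation), so a
# detached cmd.exe retries the delete until the exe exits, then removes its own .cmd.
function Register-SelfDelete {
    param([Parameter(Mandatory)] [string] $ExePath)   # hypothetical helper, assumed name

    $exe = (Resolve-Path -LiteralPath $ExePath).Path
    $bat = Join-Path $env:TEMP ("selfdel_{0}.cmd" -f [guid]::NewGuid().ToString("N"))

    # %~f0 is the batch file's own full path. Deleting it as the last line works
    # because cmd.exe reads a script line by line instead of holding it locked,
    # which is the same reason "del %0" works in the article.
    $script = @"
@echo off
:retry
del /f /q "$exe" >nul 2>&1
if exist "$exe" (
    ping -n 2 127.0.0.1 >nul
    goto retry
)
del /f /q "%~f0"
"@
    Set-Content -LiteralPath $bat -Value $script -Encoding ASCII

    # Hidden and detached: the helper must outlive the process that called it.
    Start-Process -FilePath $env:ComSpec -ArgumentList "/c `"$bat`"" -WindowStyle Hidden
    return $bat
}

# Demo with a constructed target: a copy of cmd.exe that stays alive for a few seconds
# and therefore keeps its image file locked, exactly like any running exe would.
$target = Join-Path $env:TEMP "locked_demo.exe"
Copy-Item -LiteralPath "$env:SystemRoot\System32\cmd.exe" -Destination $target -Force
$proc = Start-Process -FilePath $target -ArgumentList "/c ping -n 4 127.0.0.1 >nul" -PassThru -WindowStyle Hidden

Register-SelfDelete -ExePath $target | Out-Null
Start-Sleep -Seconds 1
# The delete keeps failing while the image is mapped, so the file is still present here.
"still on disk while running: $(Test-Path -LiteralPath $target)"

$proc.WaitForExit()
Start-Sleep -Seconds 3   # give the helper one or two retry cycles after the process has gone
# By now the helper has deleted the target and then itself.
"still on disk after exit:    $(Test-Path -LiteralPath $target)"
```

Two caveats a practitioner should keep in mind. First, this only removes the file from disk; the mapped image stays in the process and can be dumped from memory at any time, which is exactly the point VTT makes in the comments, so it does nothing against analysis. Second, the helper loops forever if the target never exits, and the spawn of a hidden cmd.exe that deletes an executable is the kind of behaviour antivirus products flag, as the second answer warns.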