force delete any file (and directory)
_xeroxz e6c1418939 Update README.md (3 years ago)

README.md

fdelete

Ever find yourself trying to delete a file and, for whatever reason, not being allowed to? fdelete.exe removes whatever file or directory you point it at. The project inherits VDM (Vulnerable Driver Manipulation) and uses GDRV (gdrv.sys) by default as its physical memory read/write primitive, but any other method of physical read/write can be substituted. It must be run as administrator because it loads a driver (GDRV). Since the deletion is issued from kernel mode rather than through the Win32 API, user-mode access checks are not what decides whether it succeeds.

fdelete-km

The kernel module part of this project exists only to generate the assembly needed to call kernel functions that take more than four parameters. VDM works by temporarily inline-hooking NtShutdownSystem and reaching the hook through the normal syscall path. NtShutdownSystem takes a single parameter, well within the four that are passed in registers, so the x64 system call dispatcher (KiSystemCall64) hands the hook only the register arguments (rcx via r10, rdx, r8, r9) and copies nothing from the user-mode stack to the kernel stack. Any kernel routine that needs a fifth or later argument therefore cannot be called directly through the hook.

note: I chose NtShutdownSystem since it's in every single Windows version ever and inline hooking this function wouldn't cause any race conditions lol.

```c
// taken from ReactOS (ARM port of the system call dispatcher): https://doxygen.reactos.org/dd/d1a/arm_2usercall_8c_source.html#l00082
VOID KiSystemService(IN PKTHREAD Thread, IN PKTRAP_FRAME TrapFrame, IN ULONG Instruction)
{
     // ... etc ....
     
     //
     // Save the function responsible for handling this system call
     //
     SystemCall = (PVOID)DescriptorTable->Base[Number];
 
     //
     // Check if this is a GUI call
     //
     if (Offset & SERVICE_TABLE_TEST)
     {
         //
         // TODO
         //
         UNIMPLEMENTED;
         ASSERT(FALSE);
     }
 
     //
     // Check how many arguments this system call takes
     //
     ArgumentCount = DescriptorTable->Number[Number] / 4; // <====== each syscall has its own argument count; NtShutdownSystem's fits in the four register arguments, so nothing is copied from the user stack
     ASSERT(ArgumentCount <= 17);
     
     // ... etc ...
```

The functions that need to be called with more than four parameters therefore get their arguments packed into a structure whose pointer is passed up in rcx, with a pointer to the wide-string path passed up in rdx. For all intents and purposes you can ignore the kernel part of this; it is just the glue that unpacks that structure and makes the real call.
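As an added example (not part of fdelete or VDM; a user-mode model written for this page), here is the marshalling pattern in C: the user side packs every argument into a context structure and passes only rcx (the structure) and rdx (the NT path) through a hook that, like one on NtShutdownSystem, sees nothing beyond the four register arguments; the "kernel" side validates the block, drops the path pointer into the right slot and makes the eight-argument call. The DELETE_CTX layout, its field names, fake_nt_delete and the 0x1000-series argument values are all assumptions made for the example, not fdelete-km's real layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Added user-mode model of the rcx/rdx marshalling described above.
 * Nothing here is fdelete's code: the struct layout, names and the
 * eight-argument routine are constructed stand-ins. */

#define MAX_ARGS 8

/* Parameter block whose address is passed up in rcx (hypothetical layout). */
typedef struct {
    uint64_t routine;         /* address of the >4-argument routine to call */
    uint64_t args[MAX_ARGS];  /* its arguments, in order */
    uint32_t argc;            /* how many of args[] are used */
    uint32_t path_index;      /* which slot receives the rdx path pointer */
    int64_t  status;          /* result written back for user mode to read */
} DELETE_CTX;

typedef int64_t (*routine8_t)(uint64_t, uint64_t, uint64_t, uint64_t,
                              uint64_t, uint64_t, uint64_t, uint64_t);

/* Stand-in for the kernel routine: records what it was called with. */
static uint64_t g_seen_args[MAX_ARGS];
static wchar_t  g_seen_path[260];

static int64_t fake_nt_delete(uint64_t a0, uint64_t a1, uint64_t a2, uint64_t a3,
                              uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7)
{
    uint64_t v[MAX_ARGS] = { a0, a1, a2, a3, a4, a5, a6, a7 };
    memcpy(g_seen_args, v, sizeof g_seen_args);
    wcsncpy(g_seen_path, (const wchar_t *)(uintptr_t)a3, 259);  /* slot 3 = path */
    g_seen_path[259] = L'\0';
    return 0;  /* STATUS_SUCCESS-like */
}

/* Kernel-side entry: gets only (rcx, rdx), validates the block, expands the call. */
static int64_t km_entry(DELETE_CTX *ctx, const wchar_t *nt_path)
{
    if (ctx == NULL || nt_path == NULL || ctx->routine == 0 ||
        ctx->argc > MAX_ARGS || ctx->path_index >= ctx->argc)
        return -1;  /* STATUS_INVALID_PARAMETER-like: never trust the user-supplied block */
    ctx->args[ctx->path_index] = (uint64_t)(uintptr_t)nt_path;
    routine8_t fn = (routine8_t)(uintptr_t)ctx->routine;
    ctx->status = fn(ctx->args[0], ctx->args[1], ctx->args[2], ctx->args[3],
                     ctx->args[4], ctx->args[5], ctx->args[6], ctx->args[7]);
    return ctx->status;
}

/* What a hook on a four-register-argument syscall actually receives.
 * The dispatcher copies no stack arguments, so r8/r9 are all that remain
 * and everything else must ride inside the structure. */
static int64_t hooked_syscall(uint64_t rcx, uint64_t rdx, uint64_t r8, uint64_t r9)
{
    (void)r8; (void)r9;
    return km_entry((DELETE_CTX *)(uintptr_t)rcx, (const wchar_t *)(uintptr_t)rdx);
}

/* Win32 path -> NT object-manager path, the "\??\C:\..." form seen in the output. */
static int build_nt_path(const char *win32, wchar_t *out, size_t cap)
{
    const wchar_t prefix[] = L"\\??\\";
    size_t plen = wcslen(prefix), n = strlen(win32);
    if (cap < plen + n + 1) return 0;
    wcscpy(out, prefix);
    for (size_t i = 0; i < n; i++) out[plen + i] = (wchar_t)(unsigned char)win32[i];
    out[plen + n] = L'\0';
    return 1;
}

/* User-mode side: pack the arguments and issue the (hooked) syscall. */
static int64_t fdelete_file(const char *win32_path, wchar_t *path_buf, size_t cap)
{
    if (!build_nt_path(win32_path, path_buf, cap)) return -1;
    DELETE_CTX ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.routine = (uint64_t)(uintptr_t)&fake_nt_delete;
    ctx.argc = MAX_ARGS;
    ctx.path_index = 3;
    for (uint32_t i = 0; i < ctx.argc; i++)
        ctx.args[i] = 0x1000 + i;  /* constructed values standing in for handles/flags */
    return hooked_syscall((uint64_t)(uintptr_t)&ctx, (uint64_t)(uintptr_t)path_buf, 0, 0);
}

/* Returns 1 when the marshalled call arrived intact and bad blocks were rejected. */
static int self_check(void)
{
    wchar_t buf[128];
    if (fdelete_file("C:\\Windows\\Temp\\constructed.tmp", buf, 128) != 0) return 0;
    if (wcscmp(g_seen_path, L"\\??\\C:\\Windows\\Temp\\constructed.tmp") != 0) return 0;
    if (g_seen_args[0] != 0x1000 || g_seen_args[7] != 0x1007) return 0;
    if (g_seen_args[3] != (uint64_t)(uintptr_t)buf) return 0;
    DELETE_CTX bad;
    memset(&bad, 0, sizeof bad);
    bad.routine = 1; bad.argc = MAX_ARGS + 1; bad.path_index = 3;
    if (km_entry(&bad, L"x") != -1) return 0;
    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("marshalling %s, routine saw path %ls\n", ok ? "ok" : "FAILED", g_seen_path);
    return ok ? 0 : 1;
}
```

The validation in km_entry is the part worth copying: the block lives in user memory, so the kernel side has to bound argc and path_index before indexing, otherwise the marshalling helper itself becomes an arbitrary-call primitive for anyone who can reach the hook.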

usage

```
usage: [OPTION] [File Path/Directory Path]
        --file, delete a specific file...
        --dir, delete an entire directory...
```

example

Here we are cleaning out stuff that isn't important and takes up a lot of space (~1 GB).

```
fdelete.exe --file C:\Windows\System32\ntoskrnl.exe
    delete \??\C:\Windows\System32\ntoskrnl.exe result: 1
fdelete.exe --dir C:\Windows\System32\
    deleted \??\C:\Windows\System32\aadcloudap.dll
    deleted \??\C:\Windows\System32\aadjcsp.dll
    deleted \??\C:\Windows\System32\aadtb.dll
    deleted \??\C:\Windows\System32\aadWamExtension.dll
    deleted \??\C:\Windows\System32\AarSvc.dll
    deleted \??\C:\Windows\System32\AboutSettingsHandlers.dll
    deleted \??\C:\Windows\System32\AboveLockAppHost.dll
    deleted \??\C:\Windows\System32\accessibilitycpl.dll
    deleted \??\C:\Windows\System32\accountaccessor.dll
    deleted \??\C:\Windows\System32\AccountsRt.dll
    deleted \??\C:\Windows\System32\AcGenral.dll
    deleted \??\C:\Windows\System32\AcLayers.dll
    deleted \??\C:\Windows\System32\acledit.dll
    deleted \??\C:\Windows\System32\aclui.dll
    deleted \??\C:\Windows\System32\acmigration.dll
    deleted \??\C:\Windows\System32\ACPBackgroundManagerPolicy.dll
    deleted \??\C:\Windows\System32\acppage.dll
    deleted \??\C:\Windows\System32\acproxy.dll
    deleted \??\C:\Windows\System32\AcSpecfc.dll
    deleted \??\C:\Windows\System32\ActionCenter.dll
    deleted \??\C:\Windows\System32\ActionCenterCPL.dll
    deleted \??\C:\Windows\System32\ActionQueue.dll
    deleted \??\C:\Windows\System32\ActivationClient.dll
    deleted \??\C:\Windows\System32\ActivationManager.dll
    deleted \??\C:\Windows\System32\activeds.dll
    deleted \??\C:\Windows\System32\activeds.tlb
    deleted \??\C:\Windows\System32\ActiveHours.png
    deleted \??\C:\Windows\System32\ActiveSyncCsp.dll
    deleted \??\C:\Windows\System32\ActiveSyncProvider.dll
    deleted \??\C:\Windows\System32\actxprxy.dll
    deleted \??\C:\Windows\System32\AcWinRT.dll
    deleted \??\C:\Windows\System32\AcXtrnal.dll
    deleted \??\C:\Windows\System32\AdaptiveCards.dll
    deleted \??\C:\Windows\System32\AddressParser.dll
    deleted \??\C:\Windows\System32\adhapi.dll
    deleted \??\C:\Windows\System32\adhsvc.dll
    deleted \??\C:\Windows\System32\AdmTmpl.dll
    deleted \??\C:\Windows\System32\adprovider.dll
    deleted \??\C:\Windows\System32\adrclient.dll
    deleted \??\C:\Windows\System32\adsldp.dll
    deleted \??\C:\Windows\System32\adsldpc.dll
    deleted \??\C:\Windows\System32\adsmsext.dll
    deleted \??\C:\Windows\System32\adsnt.dll
    deleted \??\C:\Windows\System32\adtschema.dll
    deleted \??\C:\Windows\System32\AdvancedEmojiDS.dll
    deleted \??\C:\Windows\System32\AdvancedInstallers\cmiv2.dll
    
    // ..... etc etc .....
```