Anti Delete

Buster
Anti Delete is a DLL that prevents sandboxed programs from deleting any files in the sandbox, by silently "discarding" any delete operation.
Useful to malware researchers.

Usage: To use it, download the ZIP and extract the DLL into some folder. Then insert this line in your Sandboxie.ini file for the sandbox in which you want to use the DLL:

InjectDll=C:\some\path\to\antidel.dll

The DLL will be injected into any process running in the sandbox. That's it!

Download from here: http://bsa.isoftware.nl/old/antidel.rar
Last edited by Buster on Tue Oct 09, 2012 2:40 pm; edited 2 times in total
nick s
Cool idea Buster. Can it be extended to deal with sdelete's deletion method?
_________________ Nick
nick s
I'm no expert on deletion coding or methods. I mentioned it because I was able to use a sandboxed sdelete to delete a sandboxed txt file created by a sandboxed text editor. Deleting via a sandboxed Windows Explorer was blocked by AntiDel.
Buster
Anti Delete only prevents deletions invoked by DeleteFileA API.
nick s
No problem. I only brought it up because I remember the days when sdelete was being bundled with rootkit packages. Maybe it still is.
Buster
Mark_
DeleteFileA directly calls DeleteFileW (after converting from ANSI to Unicode), so you don't have to hook both.
Buster
I made a test, and when hooking only DeleteFileW, sdelete was able to delete a file. Hooking both, this would not happen. Don't know why, or if I did something wrong.
Mark_
If we are talking about the same sdelete (http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx), then you are doing something wrong. I stepped through it in a debugger and set a breakpoint on W that did fire. (However, the file is overwritten and renamed by the tool before calling DeleteFile.)
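Added here as an illustration, not code from the Anti Delete DLL or from sdelete: a small Python simulation of the two points Mark_ raises, the forwarding of DeleteFileA to DeleteFileW and a caller that overwrites and renames before it deletes. It follows Mark_'s description of the forwarding; the paths, file contents, the cp1252 code page and the `.wiped` suffix are constructed for the example. It shows that a hook which silently discards deletes keeps the directory entry but not the original bytes, and that keeping a copy on the first write (the `preserve_on_write` option, an added idea that is not part of the thread) is what a researcher would need to retain the content.

```python
"""Constructed simulation of an in-process delete hook against the layered
Win32 delete API. Not the Anti Delete DLL's code and not sdelete's code."""

from typing import Dict, List, Optional, Tuple


class SandboxFS:
    """In-memory stand-in for the files a sandboxed process can touch."""

    def __init__(self, block_delete: bool = False, preserve_on_write: bool = False):
        self.files: Dict[str, bytes] = {}       # path -> current content
        self.log: List[Tuple] = []              # API calls the hook observed
        self.snapshots: Dict[str, bytes] = {}   # copy-on-first-write evidence
        self.block_delete = block_delete        # Anti Delete-style behaviour
        self.preserve_on_write = preserve_on_write

    # ---- simulated Win32 entry points ----
    def DeleteFileA(self, path: bytes) -> bool:
        # The ANSI entry point converts the name and calls DeleteFileW;
        # cp1252 stands in for the process code page in this simulation.
        return self.DeleteFileW(path.decode("cp1252"))

    def DeleteFileW(self, path: str) -> bool:
        self.log.append(("DeleteFileW", path))
        if self.block_delete:
            return True                 # hook: report success, change nothing
        return self.files.pop(path, None) is not None

    def WriteFile(self, path: str, data: bytes) -> bool:
        self.log.append(("WriteFile", path, len(data)))
        if self.preserve_on_write and path in self.files and path not in self.snapshots:
            self.snapshots[path] = self.files[path]   # keep the original bytes
        self.files[path] = data
        return True

    def MoveFileW(self, src: str, dst: str) -> bool:
        self.log.append(("MoveFileW", src, dst))
        if src not in self.files:
            return False
        self.files[dst] = self.files.pop(src)
        if src in self.snapshots:
            self.snapshots[dst] = self.snapshots.pop(src)
        return True


def wipe_then_delete(fs: SandboxFS, path: str) -> bool:
    """Constructed caller: overwrite with zeros, rename, then delete."""
    fs.WriteFile(path, b"\x00" * len(fs.files[path]))
    renamed = path + ".wiped"          # constructed suffix, not sdelete's scheme
    fs.MoveFileW(path, renamed)
    return fs.DeleteFileW(renamed)


def forwarding_demo() -> Tuple[bool, Optional[bytes], List[Tuple]]:
    """Delete via the A entry point while only the W entry point is hooked."""
    fs = SandboxFS(block_delete=True)
    fs.files["C:\\sandbox\\notes.txt"] = b"keep me"
    ok = fs.DeleteFileA(b"C:\\sandbox\\notes.txt")
    return ok, fs.files.get("C:\\sandbox\\notes.txt"), fs.log


def wipe_demo(preserve_on_write: bool) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Run the overwrite/rename/delete sequence under the delete-blocking hook."""
    fs = SandboxFS(block_delete=True, preserve_on_write=preserve_on_write)
    fs.files["C:\\sandbox\\secret.txt"] = b"secret"
    wipe_then_delete(fs, "C:\\sandbox\\secret.txt")
    return dict(fs.files), dict(fs.snapshots)


if __name__ == "__main__":
    print(forwarding_demo())                 # file survives, one W-level call logged
    print(wipe_demo(preserve_on_write=False))  # entry survives renamed, content is zeros
    print(wipe_demo(preserve_on_write=True))   # original bytes kept in the snapshot store
```

The first call shows why a single hook on the W entry point observes the A call too. The two wipe runs show the gap: with only the delete discarded, what survives is a renamed file full of zeros, so anyone relying on the hook to keep samples must also intercept the first overwrite.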
nick s
Thanks for the improvement...
falconeddie
The download link is not working, does anyone have the updated version? Buster, would you mind uploading it again? Thanks!
Buster
falconeddie
Thanks man! Great work!
Guest10
...mentioning sdelete and sandboxed, in the post. Wasn't there an "erica" who has posted using the Guest account? Maybe the spammer registered using her name. The words in the spammer's post are from the "nick s" post, above.
Last edited by Guest10 on Mon Sep 06, 2010 11:26 am; edited 1 time in total

_________________ Paul XP Pro SP3 (Admin rights), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 21, Thunderbird 17