-1

I have a minifilter (kernel-mode). I want to delete a file with specific path (\Device\HarddiskVolume1\file.txt or C:\file.txt) from kernel-mode

Is there any way to do that?

UPDATE: 20150130

I try to use ZwDeleteFile routine as Harry Johnston said. These are my codes:

RtlInitUnicodeString(&gRedirectFullFilePath, "\\Device\\HarddiskVolume1\\test.txt"); // This file existed
InitializeObjectAttributes(&ObjectAttribute, &gRedirectFullFilePath, OBJ_CASE_INSENSITIVE, NULL, NULL); 
status = ZwDeleteFile(&ObjectAttribute);

But it crash my system. Is there anything wrong with my codes? => fixed (This is answer)

Thanks!

Community
  • 1
  • 1
GSP
  • 574
  • 3
  • 7
  • 34
  • 1
    The string is missing a backslash, though I wouldn't expect that to cause a crash. Why is `pObjectAttribute` a pointer? Normally it would be a local variable. Is this a file system minifilter driver? I'm not sure whether it is legal to call ZwDeleteFile() in that context. Also check the documented requirements regarding IRQL and special kernel APCs. – Harry Johnston Jan 30 '15 at 06:51

4 Answers4

3

The ZwDeleteFile routine:

The ZwDeleteFile routine deletes the specified file.

Harry Johnston
  • 35,639
  • 6
  • 68
  • 158
1

By usual methods its not possible to delete the file from kernel mode i.e from device driver.

This kind of practice or idea is highly discouraged.

Dilip Kumar
  • 1,736
  • 11
  • 22
1

Use FltSetInformationFile() function with FileDispositionInformation class.

Rohan
  • 52,392
  • 12
  • 90
  • 87
0

There are many ways in which you can do that as illustrated in the minifilter DeleteSample from Microsoft.

  1. FILE_DELETE_ON_CLOSE flag which you can use in you CreateFile routine of choice.
  2. By setting the FileDispositionInformation
  3. Also notice the newly introduced FILE_DISPOSITION_INFORMATION_EX

Everything should be more clear after you study the sample. Also notice that you could do transactioned deletes and also delete a file by its file ID.

Good luck.

Gabriel Bercea
  • 1,191
  • 1
  • 10
  • 21