Sorry if this question has been asked before, I genuinely cannot find any information pertaining to this.

I will start by stating this assumption: When you delete a file on a Windows PC, the win32api.DeleteFile function is called.

Say you have a program/script/function etc. that securely deletes this file, for instance Microsoft's cipher.exe, would it be possible to 'overwrite' the native deletion method and use your own? To the effect that any OS deletion would call your own function. I would aim to be able to do this in Python, but any language would be accepted (I'm guessing C++).

If this is unclear, please let me know and I shall try to clarify.

Thanks once again, Stack Overflow!

RandomHash
    This similar question has some answers that may help you: http://stackoverflow.com/questions/4910231/how-to-hook-c-in-explorers-rename-event – Simon Kraemer Feb 22 '16 at 19:06
  • The assumption is wrong already: `DeleteFile` is the public API exposed in the Win32 subsystem to delete a file. Applications or drivers, however, could bypass that, and call the native API [ZwDeleteFile](https://msdn.microsoft.com/en-us/library/windows/hardware/ff566435.aspx) (or `NtDeleteFile`) directly. There are other ways to delete files, though, e.g. by calling [ZwSetInformationFile](https://msdn.microsoft.com/en-us/library/windows/hardware/ff567096.aspx) with a *FileInformationClass* of `FileDispositionInformation`. – IInspectable Feb 22 '16 at 19:17
  • `DeleteFile` actually calls [`NtOpenFile`](https://msdn.microsoft.com/en-us/library/ff567011) with `DELETE` access followed by [`NtSetInformationFile`](https://msdn.microsoft.com/en-us/library/ff567096). There's also [`NtDeleteFile`](https://msdn.microsoft.com/en-us/library/ff566435). A file can also be deleted by opening as `FILE_DELETE_ON_CLOSE` (Win32 `FILE_FLAG_DELETE_ON_CLOSE`). Or via [`SetFileInformationByHandle`](https://msdn.microsoft.com/en-us/library/aa365539). – Eryk Sun Feb 22 '16 at 19:20
  • Ultimately these are all ways to set the delete disposition in the file/link/stream control block of the file system, which unlinks a file that's flagged for deletion after all handle and kernel pointer references are closed. So you should look into writing a [file-system filter driver](https://msdn.microsoft.com/en-us/library/ff548202) to add secure delete functionality. – Eryk Sun Feb 22 '16 at 19:28
  • For an example to get you started, see the [Delete File System Minifilter Driver](https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete) on Microsoft's GitHub site. Also, if you want more insight into the design of Windows file systems, see the [fastfat File System Driver](https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/fastfat). – Eryk Sun Feb 22 '16 at 21:08
  • You may be able to get additional help while learning and developing a filter driver on the [OSR lists](http://www.osronline.com/page.cfm?name=ListServer) NTDEV and NTFSD. – Eryk Sun Feb 22 '16 at 21:15

0 Answers