
I want to delete files by sending an IRP via a WDK driver. It works well for deleting all files, no matter whether *.pdf or *.pptx, except some EXEs which require Administrator to run, such as EXE installers and setup.exe, etc. I don't know why it hangs on IoCallDriver once I try to delete EXE installers. I have also tried to set a timeout for KeWaitForSingleObject, but no luck; the driver keeps hanging on IoCallDriver.

Does Windows limit drivers from removing these Administrator-authority EXEs? How do I solve this? Thanks a lot.

// Completion routine: signals the caller's event and returns
// STATUS_MORE_PROCESSING_REQUIRED so the I/O manager leaves the IRP to us
// (the caller reads IoStatus and frees the IRP after the wait).
NTSTATUS io_complete(PDEVICE_OBJECT device_object, PIRP irp, PVOID context) {
    UNREFERENCED_PARAMETER(device_object);
    UNREFERENCED_PARAMETER(irp);
    KeSetEvent(static_cast<PKEVENT>(context), IO_NO_INCREMENT, false);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

NTSTATUS send_delete_file_irp(PFILE_OBJECT file_object) {
    KEVENT event;
    // Target the file system's base device object (below any filter drivers).
    PDEVICE_OBJECT device_object = IoGetBaseFileSystemDeviceObject(file_object);

    PIRP irp = IoAllocateIrp(device_object->StackSize, false);
    if (irp == nullptr) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // Set the completion routine that will signal the event
    KeInitializeEvent(&event, SynchronizationEvent, false);
    IoSetCompletionRoutine(
        irp,
        io_complete,
        &event,
        true,
        true,
        true);

    // IRP_MJ_SET_INFORMATION / FileDispositionInformation: mark the file for delete.
    FILE_DISPOSITION_INFORMATION file_disposition;
    file_disposition.DeleteFile = true;

    IO_STATUS_BLOCK io_status_block = {};

    // Stack buffers are safe here because the call is completed synchronously below.
    irp->AssociatedIrp.SystemBuffer = &file_disposition;
    irp->UserEvent = &event;
    irp->UserIosb = &io_status_block;
    irp->Tail.Overlay.OriginalFileObject = file_object;
    irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    irp->RequestorMode = KernelMode;

    IO_STACK_LOCATION* stack_location = IoGetNextIrpStackLocation(irp);
    stack_location->MajorFunction = IRP_MJ_SET_INFORMATION;
    stack_location->DeviceObject = device_object;
    stack_location->FileObject = file_object;
    stack_location->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
    stack_location->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
    stack_location->Parameters.SetFile.FileObject = file_object;

    // Hand the IRP to the file system; the completion routine signals the event
    // whether the request completes synchronously or after STATUS_PENDING.
    IoCallDriver(device_object, irp);

    KeWaitForSingleObject(&event, Executive, KernelMode, true, nullptr);

    // The completion routine kept the IRP alive, so the result is still valid here.
    NTSTATUS status = irp->IoStatus.Status;
    IoFreeIrp(irp);
    return status;
}
SuperBerry
  • Why do you send the IRP yourself instead of using `IoSetInformation`? Where do you get *file_object* from? What is the context: when and from where do you call `send_delete_file_irp`? If the call hangs, the first thing you must do is look at the call stack and post it. – RbMm Sep 14 '21 at 10:31
  • @RbMm Actually the code removed the file, even though it hangs. After restarting the PC the file was gone. However, I don't know why it hangs. If it deletes other files, the driver works smoothly. – SuperBerry Sep 14 '21 at 13:00
  • I already asked several questions. – RbMm Sep 14 '21 at 13:12
  • I used the code from https://github.com/Rhydon1337/windows-kernel-file-delete. I call send_delete_file_irp from MajorFunction[IRP_MJ_DEVICE_CONTROL]. – SuperBerry Sep 14 '21 at 14:39
  • If you have a `PFILE_OBJECT` as input and want to set `FileDispositionInformation` on it, you need to use the [`IoSetInformation`](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-iosetinformation) API instead of your custom `send_delete_file_irp`. If you have a file name as input, the best option is to call `ZwOpenFile` or `NtOpenFile` with `FILE_DELETE_ON_CLOSE | FILE_OPEN_FOR_BACKUP_INTENT` (but this is basically for user mode) or `ZwDeleteFile`. About the hang: do you play with ImageSectionObject, SectionObjectPointer->SharedCacheMap and so on? – RbMm Sep 16 '21 at 07:11
  • @RbMm Thank you! I found it. I have cancelled the recovery of ImageSectionObject and SectionObjectPointer, and then it works. – SuperBerry Sep 17 '21 at 00:48

0 Answers