Anti Delete

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Anti Delete

Post by Buster » Mon Nov 30, 2009 2:46 am

Anti Delete is a DLL that prevents sandboxed programs from deleting any files in the sandbox, by silently "discarding" any delete operation.

Useful to malware researchers.

Usage: To use it, download the ZIP and extract the DLL into some folder. Then insert this line in your Sandboxie.ini file for the sandbox in which you want to use the DLL.

InjectDll=C:\some\path\to\antidel.dll

The DLL will be injected into any process running in the sandbox. That's it!

Download from here:

http://bsa.isoftware.nl/old/antidel.rar
Last edited by Buster on Tue Oct 09, 2012 10:40 am, edited 2 times in total.

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Tue Dec 01, 2009 1:59 am

Cool idea Buster. Can it be extended to deal with sdelete's deletion method?
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Dec 01, 2009 2:32 am

nick s wrote:Cool idea Buster. Can it be extended to deal with sdelete's deletion method?
Anti Delete is not new. I contributed it over 1 year ago.

I don´t know what´s sdelete´s deletion method. Do you know?

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Tue Dec 01, 2009 2:45 am

Buster wrote:I don´t know what´s sdelete´s deletion method. Do you know?
I'm no expert on deletion coding or methods. I mentioned it because I was able to use a sandboxed sdelete to delete a sandboxed txt file created by a sandboxed text editor. Deleting via a sandboxed Windows Explorer was blocked by AntiDel.
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Dec 01, 2009 2:54 am

Anti Delete only prevents deletions invoked by DeleteFileA API.

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Tue Dec 01, 2009 3:03 am

Buster wrote:Anti Delete only prevents deletions invoked by DeleteFileA API.
No problem. I only brought it up because I remember the days when sdelete was being bundled with rootkit packages. Maybe it still is.
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sun Dec 13, 2009 3:23 pm

I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Sun Dec 13, 2009 3:41 pm

DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both :)

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sun Dec 13, 2009 3:46 pm

Mark_ wrote:DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both :)
I made a test and hooking only DeleteFileW sdelete was able to delete a file. Hooking both this would not happen. Don´t know why or if I did something wrong. :?

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Sun Dec 13, 2009 7:53 pm

Buster wrote:
Mark_ wrote:DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both :)
I made a test and hooking only DeleteFileW sdelete was able to delete a file. Hooking both this would not happen. Don´t know why or if I did something wrong. :?
if we are talking about the same sdelete: http://technet.microsoft.com/en-us/sysi ... 97443.aspx
then you are doing something wrong, i stepped trough it in a debugger and set a breakpoint on W that did fire..
(however the file is overwritten and renamed by the tool before calling deletefile)

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Mon Dec 14, 2009 12:22 am

Buster wrote:I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.
Thanks for the improvement...

Code: Select all

C:\sysinternals>sdelete c:\files\antidel\test.txt

SDelete - Secure Delete v1.51
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
c:\files\antidel\test.txt...
Error deleting c:\files\antidel\test.txt: The operation completed successfully.
Nick

falconeddie
Posts: 2
Joined: Sun Jun 27, 2010 3:34 pm

Post by falconeddie » Sun Jun 27, 2010 3:43 pm

Buster wrote:I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.
The download link is not working, does anyone have the updated version? Buster would you mind uploading it again? Thanks!

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sun Jun 27, 2010 11:16 pm

Sure, no problem. You can download it from here:

http://bsa.isoftware.nl/antidel.rar

falconeddie
Posts: 2
Joined: Sun Jun 27, 2010 3:34 pm

Post by falconeddie » Mon Jun 28, 2010 5:12 am

Buster wrote:Sure, no problem. You can download it from here:

http://bsa.isoftware.nl/antidel.rar
Thanks man! Great work!

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Mon Sep 06, 2010 7:08 am

Buster wrote:Spam!!!!
The spammers are getting more sophisticated, though:
mentioning sdelete and sandboxed, in the post.

Wasn't there an "erica" who has posted using the Guest account?
Maybe the spammer registered using her name.

The words in the spammers post, are from the "nick s" post, above.
Last edited by Guest10 on Mon Sep 06, 2010 7:26 am, edited 1 time in total.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest