Anti Delete

[Buster]

Anti Delete is a DLL that prevents sandboxed programs from deleting any files in the sandbox, by silently "discarding" any delete operation.

Useful to malware researchers.

Usage: To use it, download the ZIP and extract the DLL into some folder. Then insert this line in your Sandboxie.ini file for the sandbox in which you want to use the DLL.

InjectDll=C:\some\path\to\antidel.dll

The DLL will be injected into any process running in the sandbox. That's it!

Download from here:

http://bsa.isoftware.nl/old/antidel.rar

[nick s]

Cool idea Buster. Can it be extended to deal with sdelete's deletion method?

[Buster]

Cool idea Buster. Can it be extended to deal with sdelete's deletion method?

Anti Delete is not new. I contributed it over 1 year ago.

I don´t know what´s sdelete´s deletion method. Do you know?

[nick s]

I don´t know what´s sdelete´s deletion method. Do you know?

I'm no expert on deletion coding or methods. I mentioned it because I was able to use a sandboxed sdelete to delete a sandboxed txt file created by a sandboxed text editor. Deleting via a sandboxed Windows Explorer was blocked by AntiDel.

[Buster]

Anti Delete only prevents deletions invoked by DeleteFileA API.

[nick s]

Anti Delete only prevents deletions invoked by DeleteFileA API.

No problem. I only brought it up because I remember the days when sdelete was being bundled with rootkit packages. Maybe it still is.

[Buster]

I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

[Mark_]

DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both

[Buster]

DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both

I made a test and hooking only DeleteFileW sdelete was able to delete a file. Hooking both this would not happen. Don´t know why or if I did something wrong.

[Mark_]

DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both

I made a test and hooking only DeleteFileW sdelete was able to delete a file. Hooking both this would not happen. Don´t know why or if I did something wrong.

if we are talking about the same sdelete: http://technet.microsoft.com/en-us/sysi ... 97443.aspx
then you are doing something wrong, i stepped trough it in a debugger and set a breakpoint on W that did fire..
(however the file is overwritten and renamed by the tool before calling deletefile)

[nick s]

I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

Thanks for the improvement...

Code: Select all

C:\sysinternals>sdelete c:\files\antidel\test.txt

SDelete - Secure Delete v1.51
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
c:\files\antidel\test.txt...
Error deleting c:\files\antidel\test.txt: The operation completed successfully.

[falconeddie]

I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

The download link is not working, does anyone have the updated version? Buster would you mind uploading it again? Thanks!

[Buster]

Sure, no problem. You can download it from here:

http://bsa.isoftware.nl/antidel.rar

[falconeddie]

Sure, no problem. You can download it from here:

http://bsa.isoftware.nl/antidel.rar

Thanks man! Great work!

[Guest10]

Spam!!!!

The spammers are getting more sophisticated, though:
mentioning sdelete and sandboxed, in the post.

Wasn't there an "erica" who has posted using the Guest account?
Maybe the spammer registered using her name.

The words in the spammers post, are from the "nick s" post, above.