
### Anti Delete

Posted: Mon Nov 30, 2009 2:46 am
Anti Delete is a DLL that prevents sandboxed programs from deleting any files in the sandbox, by silently "discarding" any delete operation.

Useful to malware researchers.

Usage: To use it, download the ZIP and extract the DLL into some folder. Then insert this line in your Sandboxie.ini file for the sandbox in which you want to use the DLL.

InjectDll=C:\some\path\to\antidel.dll

The DLL will be injected into any process running in the sandbox. That's it!

http://bsa.isoftware.nl/old/antidel.rar

Posted: Tue Dec 01, 2009 1:59 am
Cool idea Buster. Can it be extended to deal with sdelete's deletion method?

Posted: Tue Dec 01, 2009 2:32 am
nick s wrote:Cool idea Buster. Can it be extended to deal with sdelete's deletion method?
Anti Delete is not new. I contributed it over 1 year ago.

I don't know what sdelete's deletion method is. Do you know?

Posted: Tue Dec 01, 2009 2:45 am
Buster wrote:I don´t know what´s sdelete´s deletion method. Do you know?
I'm no expert on deletion coding or methods. I mentioned it because I was able to use a sandboxed sdelete to delete a sandboxed txt file created by a sandboxed text editor. Deleting via a sandboxed Windows Explorer was blocked by AntiDel.

Posted: Tue Dec 01, 2009 2:54 am
Anti Delete only prevents deletions invoked by DeleteFileA API.

Posted: Tue Dec 01, 2009 3:03 am
Buster wrote:Anti Delete only prevents deletions invoked by DeleteFileA API.
No problem. I only brought it up because I remember the days when sdelete was being bundled with rootkit packages. Maybe it still is.

Posted: Sun Dec 13, 2009 3:23 pm
I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

Posted: Sun Dec 13, 2009 3:41 pm
DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both

Posted: Sun Dec 13, 2009 3:46 pm
Mark_ wrote:DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both
I made a test and, hooking only DeleteFileW, sdelete was able to delete a file. Hooking both, this would not happen. Don't know why or if I did something wrong.

Posted: Sun Dec 13, 2009 7:53 pm
Buster wrote:
Mark_ wrote:DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both
I made a test and hooking only DeleteFileW sdelete was able to delete a file. Hooking both this would not happen. Don´t know why or if I did something wrong.
If we are talking about the same sdelete: http://technet.microsoft.com/en-us/sysi ... 97443.aspx
then you are doing something wrong. I stepped through it in a debugger and set a breakpoint on W that did fire.
(However, the file is overwritten and renamed by the tool before calling DeleteFile.)
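The caveat in the post above (the tool overwrites and renames the file before it ever calls the delete API) is worth seeing concretely. The following is an added example and not AntiDel's or Sysinternals' code: it models the overwrite, rename, delete sequence in Python on a scratch directory, and stands in for the API hook with a plain function parameter (`delete_fn`) instead of real DLL injection. The rename target name and the file contents are constructed for the demonstration. The point it shows is that a hook which only discards the final delete call keeps a file on disk, but the original name and contents are already gone by then.

```python
"""Added example: what survives when only the final delete call is blocked.

The secure_delete() sequence below is a constructed stand-in modelled on the
thread's description of sdelete (overwrite, rename, then DeleteFile); it is
not the tool's code. The hook is simulated by passing a delete function.
"""
import os
import tempfile

# Constructed placeholder for the anonymised name the tool renames to.
RENAMED_NAME = "ZZZZZZZZ.ZZZ"


def secure_delete(path, delete_fn, passes=1):
    """Overwrite the file in place, rename it, then ask delete_fn to remove it.

    delete_fn plays the role of DeleteFileW, either the real one or a hook.
    Returns whatever delete_fn returns (True = deleted, False = refused).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(b"\x00" * size)   # one overwrite pass, zero fill
            f.flush()
            os.fsync(f.fileno())
    renamed = os.path.join(os.path.dirname(path), RENAMED_NAME)
    os.rename(path, renamed)          # original name is gone at this point
    return delete_fn(renamed)


def real_delete(path):
    """Unhooked delete: actually removes the file."""
    os.remove(path)
    return True


def blocking_hook(path):
    """Constructed analogue of a delete-blocking hook: discard the call,
    report failure to the caller, leave the file where it is."""
    return False


def run_scenario(delete_fn):
    """Create a file with known contents, run the sequence, and report
    (delete_result, surviving_file_names, surviving_content_or_None)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "test.txt")
        original = b"evidence worth keeping\n"     # constructed sample content
        with open(target, "wb") as f:
            f.write(original)
        result = secure_delete(target, delete_fn)
        survivors = sorted(os.listdir(d))
        content = None
        if survivors:
            with open(os.path.join(d, survivors[0]), "rb") as f:
                content = f.read()
        return result, survivors, content


if __name__ == "__main__":
    print("unhooked :", run_scenario(real_delete))
    print("hooked   :", run_scenario(blocking_hook))
```

With the real delete the directory ends up empty. With the hook, the delete is refused and a file remains, but it is named `ZZZZZZZZ.ZZZ` and contains only zero bytes: blocking DeleteFile preserves the directory entry, not the data a researcher would have wanted.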

Posted: Mon Dec 14, 2009 12:22 am
Buster wrote:I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.
Thanks for the improvement...


C:\sysinternals>sdelete c:\files\antidel\test.txt

SDelete - Secure Delete v1.51
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
c:\files\antidel\test.txt...
Error deleting c:\files\antidel\test.txt: The operation completed successfully.

Posted: Sun Jun 27, 2010 3:43 pm
Buster wrote:I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

Posted: Sun Jun 27, 2010 11:16 pm

http://bsa.isoftware.nl/antidel.rar

Posted: Mon Jun 28, 2010 5:12 am