
Anti Delete

Posted: Mon Nov 30, 2009 2:46 am
by Buster
Anti Delete is a DLL that prevents sandboxed programs from deleting any files in the sandbox, by silently "discarding" any delete operation.

Useful to malware researchers.

Usage: To use it, download the ZIP and extract the DLL into some folder. Then insert this line in your Sandboxie.ini file for the sandbox in which you want to use the DLL.

InjectDll=C:\some\path\to\antidel.dll

The DLL will be injected into any process running in the sandbox. That's it!

Download from here:

http://bsa.isoftware.nl/old/antidel.rar

Posted: Tue Dec 01, 2009 1:59 am
by nick s
Cool idea Buster. Can it be extended to deal with sdelete's deletion method?

Posted: Tue Dec 01, 2009 2:32 am
by Buster
nick s wrote: Cool idea Buster. Can it be extended to deal with sdelete's deletion method?
Anti Delete is not new. I contributed it over 1 year ago.

I don't know what sdelete's deletion method is. Do you know?

Posted: Tue Dec 01, 2009 2:45 am
by nick s
Buster wrote: I don't know what sdelete's deletion method is. Do you know?
I'm no expert on deletion coding or methods. I mentioned it because I was able to use a sandboxed sdelete to delete a sandboxed txt file created by a sandboxed text editor. Deleting via a sandboxed Windows Explorer was blocked by AntiDel.

Posted: Tue Dec 01, 2009 2:54 am
by Buster
Anti Delete only prevents deletions invoked by DeleteFileA API.

Posted: Tue Dec 01, 2009 3:03 am
by nick s
Buster wrote: Anti Delete only prevents deletions invoked by DeleteFileA API.
No problem. I only brought it up because I remember the days when sdelete was being bundled with rootkit packages. Maybe it still is.

Posted: Sun Dec 13, 2009 3:23 pm
by Buster
I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.

Posted: Sun Dec 13, 2009 3:41 pm
by Mark_
DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both :)

Posted: Sun Dec 13, 2009 3:46 pm
by Buster
Mark_ wrote: DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both :)
I made a test, and hooking only DeleteFileW, sdelete was able to delete a file. Hooking both, this would not happen. Don't know why, or if I did something wrong. :?

Posted: Sun Dec 13, 2009 7:53 pm
by Mark_
Buster wrote:
Mark_ wrote: DeleteFileA directly calls DeleteFileW (after converting from Ansi to Unicode) so you don't have to hook both :)
I made a test, and hooking only DeleteFileW, sdelete was able to delete a file. Hooking both, this would not happen. Don't know why, or if I did something wrong. :?
If we are talking about the same sdelete: http://technet.microsoft.com/en-us/sysi ... 97443.aspx
then you are doing something wrong. I stepped through it in a debugger and set a breakpoint on W that did fire.
(However, the file is overwritten and renamed by the tool before calling DeleteFile.)
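The usage post above shows how the DLL gets injected, and the exchange just above shows why "which API did the tool actually call?" matters: sdelete overwrites and renames before it deletes, and other tools never call DeleteFile at all. The following script is an added example, not part of this thread and not Buster's antidel.dll. Run it from a PowerShell that is itself sandboxed (so the InjectDll= line applies to it); it creates a scratch file under $env:TEMP and tries several Win32 deletion paths against it, then reports which ones left the file in place. The probe file names, the sample content and the box name in the usage note are assumptions for illustration.

```powershell
# Added example (not from the thread, not Buster's DLL): probe which deletion
# paths an injected anti-delete hook discards. Run inside the sandbox.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern bool DeleteFileA(string path);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DeleteFileW(string path);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileExW(string src, string dst, uint flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(string path, uint access, uint share,
    IntPtr sa, uint disposition, uint flags, IntPtr template);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetFileInformationByHandle(IntPtr h, int infoClass,
    ref byte info, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$DELETE_ACCESS             = 0x00010000   # DELETE standard access right
$SHARE_ALL                 = 7            # FILE_SHARE_READ | WRITE | DELETE
$OPEN_EXISTING             = 3
$FILE_ATTRIBUTE_NORMAL     = 0x80
$FILE_FLAG_DELETE_ON_CLOSE = 0x04000000
$FileDispositionInfo       = 4            # FILE_INFO_BY_HANDLE_CLASS value

function New-ScratchFile([string]$Dir) {
    # constructed sample file; name and content are arbitrary
    $path = Join-Path $Dir ("antidel-probe-{0}.txt" -f [guid]::NewGuid())
    [IO.File]::WriteAllText($path, "probe")
    return $path
}

# Creates a scratch file, runs one deletion method against it and reports whether
# the file is still there. An action may return the path it renamed the file to,
# so the survival check follows the rename.
function Test-DeletePath([string]$Name, [string]$Dir, [scriptblock]$Action) {
    $path  = New-ScratchFile $Dir
    $check = $path
    try {
        $ret = & $Action $path
        if ($ret -is [string]) { $check = $ret }
    } catch { }
    [pscustomobject]@{ Method = $Name; FileSurvived = (Test-Path -LiteralPath $check) }
}

$dir = $env:TEMP   # inside the sandbox this lands in the sandbox container
$results = @(
    Test-DeletePath 'DeleteFileA' $dir { param($p) [void][Win32.Native]::DeleteFileA($p) }
    Test-DeletePath 'DeleteFileW' $dir { param($p) [void][Win32.Native]::DeleteFileW($p) }
    Test-DeletePath 'Remove-Item (.NET File.Delete)' $dir { param($p) Remove-Item -LiteralPath $p -Force }
    Test-DeletePath 'cmd /c del' $dir { param($p) cmd /c "del /q `"$p`"" | Out-Null }
    # sdelete-style sequence: overwrite the contents, rename, then delete the new name
    Test-DeletePath 'overwrite + rename + DeleteFileW' $dir { param($p)
        [IO.File]::WriteAllBytes($p, (New-Object byte[] 4096))
        $renamed = "$p.renamed"
        [void][Win32.Native]::MoveFileExW($p, $renamed, 0)
        [void][Win32.Native]::DeleteFileW($renamed)
        $renamed }
    # No DeleteFile call at all: the file is unlinked when the last handle closes
    Test-DeletePath 'CreateFileW FILE_FLAG_DELETE_ON_CLOSE' $dir { param($p)
        $h = [Win32.Native]::CreateFileW($p, $DELETE_ACCESS, $SHARE_ALL, [IntPtr]::Zero,
                 $OPEN_EXISTING, $FILE_FLAG_DELETE_ON_CLOSE, [IntPtr]::Zero)
        if ($h.ToInt64() -ne -1) { [void][Win32.Native]::CloseHandle($h) } }
    # The disposition request DeleteFileW makes internally, issued without DeleteFileW
    Test-DeletePath 'SetFileInformationByHandle(FileDispositionInfo)' $dir { param($p)
        $h = [Win32.Native]::CreateFileW($p, $DELETE_ACCESS, $SHARE_ALL, [IntPtr]::Zero,
                 $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
        if ($h.ToInt64() -ne -1) {
            [byte]$del = 1   # FILE_DISPOSITION_INFO.DeleteFile = TRUE
            [void][Win32.Native]::SetFileInformationByHandle($h, $FileDispositionInfo, [ref]$del, 1)
            [void][Win32.Native]::CloseHandle($h)
        } }
)
$results | Format-Table -AutoSize
```

Launch it sandboxed with Sandboxie's own launcher, e.g. `Start.exe /box:Research powershell.exe -File probe-deletes.ps1` (the box name Research is assumed). If the injected DLL is 32-bit, start the 32-bit PowerShell, since a 32-bit DLL cannot be loaded into a 64-bit process. With a hook that only intercepts DeleteFileA/DeleteFileW, expect the first five rows to show FileSurvived = True (the callers are told the delete succeeded, which is also why nick s saw "Error deleting ...: The operation completed successfully." from sdelete) and the last two rows to show False, because neither path goes through DeleteFile.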

Posted: Mon Dec 14, 2009 12:22 am
by nick s
Buster wrote: I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.
Thanks for the improvement...


C:\sysinternals>sdelete c:\files\antidel\test.txt

SDelete - Secure Delete v1.51
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
c:\files\antidel\test.txt...
Error deleting c:\files\antidel\test.txt: The operation completed successfully.

Posted: Sun Jun 27, 2010 3:43 pm
by falconeddie
Buster wrote: I have modified AntiDel to fix the problem nick s found.

You can get the new version from here.
The download link is not working, does anyone have the updated version? Buster would you mind uploading it again? Thanks!

Posted: Sun Jun 27, 2010 11:16 pm
by Buster
Sure, no problem. You can download it from here:

http://bsa.isoftware.nl/antidel.rar

Posted: Mon Jun 28, 2010 5:12 am
by falconeddie
Buster wrote: Sure, no problem. You can download it from here:

http://bsa.isoftware.nl/antidel.rar
Thanks man! Great work!

Posted: Mon Sep 06, 2010 7:08 am
by Guest10
Buster wrote: Spam!!!!
The spammers are getting more sophisticated, though: mentioning sdelete and sandboxed in the post.

Wasn't there an "erica" who posted using the Guest account?
Maybe the spammer registered using her name.

The words in the spammer's post are from the "nick s" post above.