NTFS streams solution for NOB_EXPERIMENTAL_DELETE_OLD on Windows #129
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Yet another potential solution for NOB_EXPERIMENTAL_DELETE_OLD on Windows.
Changes:
nob_delete_filebefore DeleteFileA call.Deleting the running executable on Windows is not possible, since the Image of the running process is mapped in memory from
nob.exe.oldand a reference to the file is kept.If we simply rename the file on disk the process will reference the newly named file, making it impossible to delete.
A trick that can be used to delete
nob.exe.oldis to take advantage of NTFS streams.In essence we can rename the standard data stream
nob.exe.old:$DATAtonob.exe.old:del, making the process reference the newly created data stream for its Image.At this point
nob.exe.oldis no longer referenced in the memory of the process, making it possible to be marked for deletion.In NTFS deleting a file will also remove all data streams that belong to it.
Deleting
nob.exe.oldwill succeed since the process keeps a reference to the:deldata stream and the:delstream will vanish because it belonged tonob.exe.old.This will leave no trace on the disk of any executable.
Here's what the Memory looks like inside Process Hacker 2 after succesfully deleting
nob.exe.old:This is a partial solution to #111 since it requires the current Volume to support NTFS.
PS: I left a long comment in the code with roughly the same stuff explained here to (hopefully) make it less of a pain to review.
I think it should be removed after reviewing since it bloats the file.