Suggest whether to add the ability to delete files
MMitsuha opened this issue · 3 comments
MMitsuha commented
I'm studying the rootkit, which uses NTFS to hide files to make itself persistent, and I'm looking for a way to clear it.
thewhiteninja commented
Writing/removing a file is not easy and it will work only on a non-mounted partition or image file.
I don't think I will implement it for now, but adding something to detect rootkit might be interesting.
How does this rootkit hide itself using NTFS?
MMitsuha commented
I think it hooked NtQueryDirectoryFile and stripped its file out of the return value. I don't want to restore the hook, so I'm looking for a way to modify the file in NTFS by sector changes, to modify or delete the file.
thewhiteninja commented
OK, but it's not possible to write something to a running volume from userland.
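The detection idea raised in this thread (a rootkit that filters entries out of NtQueryDirectoryFile results cannot also remove the FILE record from $MFT without unhiding itself) can be shown as a cross-view check: parse the raw MFT, collect the names of in-use records, and diff them against what the directory API returned. The script below is an added example, not code from this project or either commenter. It builds its own $MFT bytes as a constructed fixture (the record numbers, the name `hidden.bin` and the single-attribute records are assumptions for the demonstration), applies the NTFS update-sequence fixups the way a real parser must, and reports the names the API walk did not return.

```python
"""Cross-view detection: names present in raw $MFT but missing from the
directory-enumeration API. The $MFT here is a constructed sample, not a
dump of a real volume."""
import struct

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_END_MARKER = 0xFFFFFFFF
REC_FLAG_IN_USE = 0x01
NS_DOS_ONLY = 2   # 8.3 short name; the same entry also carries a Win32 name


def apply_fixups(rec):
    """Undo update-sequence fixups: check each sector's 2-byte tag against the
    USN, then restore the original bytes saved in the update sequence array."""
    rec = bytearray(rec)
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(usa_count - 1):
        tag_pos = (i + 1) * SECTOR_SIZE - 2
        if rec[tag_pos:tag_pos + 2] != usn:
            raise ValueError("torn write: fixup mismatch in sector %d" % i)
        saved = usa_ofs + 2 + 2 * i
        rec[tag_pos:tag_pos + 2] = rec[saved:saved + 2]
    return bytes(rec)


def parse_mft_record(rec):
    """Return (in_use, [names]) for one FILE record, or None if not a FILE record."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    names, pos = [], first_attr
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END_MARKER or alen == 0:
            break
        non_resident = rec[pos + 8]
        if atype == ATTR_FILE_NAME and not non_resident:
            vlen, vofs = struct.unpack_from("<IH", rec, pos + 16)
            val = rec[pos + vofs:pos + vofs + vlen]
            name_len, namespace = val[64], val[65]   # $FILE_NAME layout
            if namespace != NS_DOS_ONLY:
                names.append(val[66:66 + 2 * name_len].decode("utf-16-le"))
        pos += alen
    return bool(flags & REC_FLAG_IN_USE), names


def names_on_disk(raw_mft):
    """Every name held by in-use records in a raw $MFT byte string."""
    found = set()
    for ofs in range(0, len(raw_mft), MFT_RECORD_SIZE):
        parsed = parse_mft_record(raw_mft[ofs:ofs + MFT_RECORD_SIZE])
        if parsed and parsed[0]:
            found.update(parsed[1])
    return found


def hidden_entries(api_listing, raw_mft):
    """Names the on-disk $MFT holds that the directory API did not return."""
    return sorted(names_on_disk(raw_mft) - set(api_listing))


def build_mft_record(record_no, name, in_use=True, usn=0x0007):
    """Constructed fixture: a minimal FILE record with one resident $FILE_NAME
    attribute, with fixups applied as the driver writes them to disk."""
    utf16 = name.encode("utf-16-le")
    # $FILE_NAME value: parent ref, 4 timestamps, alloc/real size, flags, reparse
    val = struct.pack("<Q", 5) + bytes(32) + struct.pack("<QQII", 0, 0, 0, 0)
    val += bytes([len(name), 1]) + utf16           # namespace 1 = Win32
    val += bytes(-len(val) % 8)
    hdr_len = 24
    attr = struct.pack("<IIBBHHH", ATTR_FILE_NAME, hdr_len + len(val), 0, 0, 0, 0, 0)
    attr += struct.pack("<IHBB", len(val), hdr_len, 1, 0)   # resident header
    attr += val
    rec = bytearray(MFT_RECORD_SIZE)
    first_attr = 56   # 48-byte header + 6-byte update sequence array, 8-aligned
    used = first_attr + len(attr) + 8
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 48, 3, 0, 1, 1,
                     first_attr, REC_FLAG_IN_USE if in_use else 0, used,
                     MFT_RECORD_SIZE, 0, 1, 0, record_no)
    rec[first_attr:first_attr + len(attr)] = attr
    struct.pack_into("<I", rec, first_attr + len(attr), ATTR_END_MARKER)
    struct.pack_into("<H", rec, 48, usn)
    for i in range(2):   # save each sector's last word, stamp the USN over it
        tag_pos = (i + 1) * SECTOR_SIZE - 2
        rec[50 + 2 * i:52 + 2 * i] = rec[tag_pos:tag_pos + 2]
        struct.pack_into("<H", rec, tag_pos, usn)
    return bytes(rec)


# Constructed sample $MFT: two live files and one deleted (not in use) record.
SAMPLE_MFT = (build_mft_record(40, "ntuser.ini")
              + build_mft_record(41, "hidden.bin")
              + build_mft_record(42, "old.tmp", in_use=False))
# Constructed result of a FindFirstFile walk after the hook dropped one entry.
API_LISTING = ["ntuser.ini"]

if __name__ == "__main__":
    print("hidden from the directory API:", hidden_entries(API_LISTING, SAMPLE_MFT))
```

On a live system the raw side of the comparison is read-only: the $MFT extents can be read through a `\\.\C:` volume handle opened with administrator rights, which is a different matter from the in-place writes the thread rules out. The deleted record is excluded on purpose; a stale $FILE_NAME in a free record is normal and not evidence of hiding, and the fixup check matters because a torn record would otherwise yield garbage names.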