Saturday, December 22, 2012

Preventing Malware from deleting files: The quick and dirty way.

One of the common behaviors of Malware is to infect system processes in order to preserve access to the Machine or to run malicious actions silently, this can be accomplish by loading new drivers (kernel mode) or DLLs (user mode), which requires a physical file to be dropped into the file system and therefore, as soon as the driver/dll is loaded in memory, the malicious file is deleted, giving no chance to the Analyst to reverse it.

Any integrity-check tool (WinAnalysis, FileMon) will report those different files being dropped into the filesystem but how can we recover them? Assuming that Malware also uses many tricks to prevent tools like NTFSUndelete to recover deleted files. This means, the approach to recover the files after infection is not the recommended solution, instead we need to prevent the file from being deleted.

Then we have the sexy, advanced and recommended way to do this, by using API Hooking techniques, but unfortunately, you will need knowledge of Windows APIs, Memory Management, Processes creation, Microsoft Detours, Development, etc, so go for it, on the other hand is the dirty, not sexy and ugly way, but fast, easy and without to much knowledge, we just need to patch DeleteFileW API in Kernel32.dll in order to prevent any file in the system from being removed, play a little bit with WFP (Windows File Protection) in order to replace Kernel32.dll with our patch version and voila!!!

Enjoy it.