Hello, all,
how do I prohibit deleting a file?
As a network Administrator, I remove delete rights from the file for all users.
But I see some benefits of having some kind of software file watch going too.
Viruses use a binary replication method to stay in memory. Two executables stay in memory, watching each other, until one is terminated, then the other reproduces at the termination event of the other.
M$ does provide Security Logging here:
http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx
It's a base for re-creating the file after it's deleted, provided you have the current data to do so.
Regards, P1 :8)
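As an added illustration of the administrator's approach above (example code, not P1's own procedure), this PowerShell snippet denies only the Delete right on one file and then checks the parent folder, since the folder's "Delete subfolders and files" right also allows removing the file. `$file` and `$principal` are assumed values.

```powershell
# Added example, not P1's own procedure: deny the Delete right on one file via its
# ACL while leaving read/write alone, then check the parent folder, because the
# "Delete subfolders and files" right on the folder also permits removing the file.
# $file and $principal are assumed values; adjust them to your environment.
$file      = 'C:\Data\important.txt'
$principal = 'BUILTIN\Users'

# Deny ACE for Delete only. Explicit Deny entries are evaluated before Allow
# entries, so this wins even if the user is also granted Modify on the file.
$denyDelete = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $principal, 'Delete', 'Deny'

$acl = Get-Acl -Path $file
$acl.AddAccessRule($denyDelete)
Set-Acl -Path $file -AclObject $acl

# Show the resulting ACEs on the file.
(Get-Acl -Path $file).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Caveat: FILE_DELETE_CHILD ("DeleteSubdirectoriesAndFiles") on the parent
# directory lets a user delete the file regardless of the file's own ACL.
# List the folder ACEs that grant it so they can be reviewed as well.
$parent = Split-Path -Path $file -Parent
(Get-Acl -Path $parent).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)
    } |
    Format-Table IdentityReference, FileSystemRights -AutoSize
```

Run it from an elevated prompt as the owner of the file; the second listing is the part most people forget, because a Deny on the file alone does nothing against a principal that holds FullControl on the directory.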
Remove the delete access permission?
Or, you could open the file with FILE_SHARE_READ and FILE_SHARE_WRITE - then hold on to the handle until you're ready.
This will stop it being deleted, but not from being written at zero bytes :bdg
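The handle-holding trick Tedd describes, in PowerShell form as an added example (not Tedd's code): `File.Open` with `FileShare.Read -bor FileShare.Write` is the .NET equivalent of CreateFile with FILE_SHARE_READ | FILE_SHARE_WRITE, and it also reproduces the zero-bytes caveat. `$file` is an assumed path.

```powershell
# Added example, not Tedd's code: hold a handle on the file with FileShare.Read|Write
# but WITHOUT FileShare.Delete. While the handle is open, no other opener can obtain
# DELETE access, so deletion and rename both fail with a sharing violation.
# $file is an assumed path; the file is assumed to exist already.
$file = 'C:\Data\important.txt'

$guard = [System.IO.File]::Open(
    $file,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read,
    ([System.IO.FileShare]::Read -bor [System.IO.FileShare]::Write))

try {
    # 1. Deletion from any process (this one included) is refused while $guard is open.
    try {
        Remove-Item -Path $file -ErrorAction Stop
        Write-Warning 'Unexpected: delete succeeded'
    } catch {
        "Delete blocked: $($_.Exception.Message)"
    }

    # 2. The caveat from the reply: write sharing is still granted, so another
    #    opener can truncate the file to zero bytes. Shown in-process here; the
    #    sharing check is the same when the second opener is another process.
    $writer = [System.IO.File]::Open($file, 'Open', 'Write', 'Read')
    $writer.SetLength(0)
    $writer.Close()
    "Length after truncate: $((Get-Item -Path $file).Length)"
}
finally {
    $guard.Close()   # once the guard handle is closed the file can be deleted again
}
```

The protection only lasts as long as the process that owns `$guard`, so it complements rather than replaces the ACL approach; dropping `FileShare.Write` from the guard open closes the truncation hole but then blocks legitimate writers too.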
Thank you to those who answered my question.
Besides P1's and Tedd's methods, I think the following may be selected:
1. hide file
2. hook some API
3. MarkAsReadOnly proc

MarkAsReadOnly proc
    ; Kernel-mode routine (native Zw* API). g_usFileName is a UNICODE_STRING
    ; holding the NT path of the target file, defined elsewhere in the driver.
    local oa:OBJECT_ATTRIBUTES
    local iosb:IO_STATUS_BLOCK
    local hFile:HANDLE
    local fbi:FILE_BASIC_INFORMATION

    ; Describe the object to open: case-insensitive name, kernel handle
    InitializeObjectAttributes addr oa, addr g_usFileName, \
                               OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
    ; Open for attribute read/write only; SYNCHRONIZE is required by
    ; FILE_SYNCHRONOUS_IO_NONALERT. Readers are still allowed (FILE_SHARE_READ).
    invoke ZwCreateFile, addr hFile, FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + SYNCHRONIZE, \
                         addr oa, addr iosb, 0, 0, FILE_SHARE_READ, \
                         FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
    .if eax == STATUS_SUCCESS
        ; Query the current attributes so that only the read-only bit is changed
        invoke ZwQueryInformationFile, hFile, addr iosb, addr fbi, sizeof fbi, FileBasicInformation
        .if eax == STATUS_SUCCESS
            or fbi.FileAttributes, FILE_ATTRIBUTE_READONLY
            invoke ZwSetInformationFile, hFile, addr iosb, addr fbi, sizeof fbi, FileBasicInformation
            .if eax == STATUS_SUCCESS
                invoke DbgPrint, $CTA0("FileWorks: Now file marked as read-only\n")
            .else
                invoke DbgPrint, $CTA0("FileWorks: Can't change file attributes. Status: %08X\n"), eax
            .endif
        .else
            invoke DbgPrint, $CTA0("FileWorks: Can't query file attributes. Status: %08X\n"), eax
        .endif
        invoke ZwClose, hFile
    .else
        invoke DbgPrint, $CTA0("FileWorks: Can't open file. Status: %08X\n"), eax
    .endif
    ret
MarkAsReadOnly endp
I want to know more.
Hello! Tedd, if you open the file with FILE_SHARE_READ only, that makes writing and deleting impossible, doesn't it? => no zero bytes :) Or am I wrong???
Nick
Yes, that's right :wink
I said READ and WRITE so the file could still be both read and modified, but if you want it to only be readable then that will work (of course, 'you' can still modify it with your open handle.)