Pendingfilerenameoperations


Recommended Posts

Im trying to add the PendingFileRenameOperations value (type REG_MULTI_SZ) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager so that I can move/delete specified files on reboot. I understand the syntax needed:

Line 1 contains: \??\<Drive:>\<SourcePath>\SourceFileName.Extension
Line 2 contains: !\??\<Drive:>\<DestinationPath>\DestinationFileName.Extension

What I don't know is what type of value PendingFileRenameOperations needs to be. MultiString Value? Is that what "REG_MULTI_SZ" indicates?

Thanks,

Matt

Link to post
Share on other sites

Well, I'm ending up having to delete on reboot. One question about this quote from TT's link:

C:\>reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
Session Manager" /v "PendingFileRenameOperations"

Why does this return: "Error: The system was unable to find the specified registry key or value"?

Thanks again

Matt

Link to post
Share on other sites
Well, I'm ending up having to delete on reboot. One question about this quote from TT's link:

C:\>reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
Session Manager" /v "PendingFileRenameOperations"

Why does this return: "Error: The system was unable to find the specified registry key or value"?

Thanks again

Matt

Maybe because it is a hidden/protected section of the registry? Isn't that part of regedt32 (no i) and not regedit?

Link to post
Share on other sites

I am not really understanding what is happening. When you are finished(or what you have so far), I would like to look at your batch script if possible. I might learn something in the process.

Link to post
Share on other sites

I am not really understanding what is happening. When you are finished(or what you have so far), I would like to look at your batch script if possible. I might learn something in the process.

Sure thing. I'll send it to you once its done being written and has been fully tested. I won't post the tool or the source on the forums however because, if the tool is used incorrectly, the user could delete needed system files.

If anyone else is interested, let me know, give me a good reason, and I might send it to you ;)

Link to post
Share on other sites

OK, i figured out what was wrong. When I tried to add the data to PendingFileRenameOperations using reg.exe, it didnt work because reg.exe cant parse Multi String data well. It wanted hex, which is too complicated. So, now I'm using SWREG, a file by Bobbi_Flekman, that allows my to use ASCII rather than hex. Meaning... i got the delete on reboot gig down! :)

Link to post
Share on other sites

I am trying to make sense of what your are doing. Using the method above, does that add an entry to the registry that tells windows to delete at reboot?

Does using the system call MoveFileEx automatically add this entry for you?

Link to post
Share on other sites
I am trying to make sense of what your are doing. Using the method above, does that add an entry to the registry that tells windows to delete at reboot?

Does using the system call MoveFileEx automatically add this entry for you?

I believe this is for removing stubborn malware files that cannot be deleted while Windows is running.

Link to post
Share on other sites
Does this allow multiple files to be deleted on reboot or single?
By using this value, there is a way to delete multiple files on reboot. That's how Killbox does it. However, I am unsure on how to manipulate the data for this value to do more than one at a time. The Trojan it will be dealing with will only require one file for deletion, so that's all I'm having to write it for :)
I am trying to make sense of what your are doing. Using the method above, does that add an entry to the registry that tells windows to delete at reboot?

Yes. Adding the value 'PendingFileRenameOperations' to the Key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] with the data parsed correctly for the file I want, will tell Windows to delete it on reboot. This is actually used for Windows to Move the file on reboot, but if you put the destination as NULL, it essentially just deletes it.

Does using the system call MoveFileEx automatically add this entry for you?

Yes, and that's why I was trying to call it in the batch. However, batch doiesn't have the capability to call MoveFileEx, so I'm having to do it this way.

I believe this is for removing stubborn malware files that cannot be deleted while Windows is running.
Exactly.

This is how this particular trojen works. It creates a random named file in System32, and a running process with the same name. On every reboot, the file/process name changes. If you try to kill the process, it regenerates, with a new name for itself and the file. If you try to just delete the file, the process will either: not let you, or create a new one--again with a new name.

So here's what I'm trying to do. If I suspend the process, rather than kill it, then the process is not active, but its not going to rename itself and the file. Then, with the process suspended, I will attempt to add the file to PendingFileRenameOperations. Now, two things could go wrong with this:

  1. The malware is watching PendingFileRenameOperations, and as sson as it sees its been added, it will remove itself. Thus, making the delete on reboot not work
  2. If the process is loaded before PendingFileRenameOperations on bootup, then the file set to be deleted won't exist anymore, and it will just create a new random named file/process.

If either of those continually occur, I will have to go back and try different methods; essentually, think of a different way and rewrite the tool. But that's what testing is for :D

It will also try to remove the Reg value that the file was sitting in, but that's not as important as HJT would be able to do this very easily.

By default, the windows xp command line doesn't support reg actions without hex (at least, on the value I was working with) or process actions. So, I had to bundle two files, process.exe and swreg.exe. These give the command line the ability to manipulate running processes and the registry the way I wanted.

Since the offending files are random, there is no way (no simple way I should say) to have the tool just target what it is looking for. So, it requires to user to enter the filename. This is why I am weary to release it to people who aren't infected. If they were to put in a system file, that system file will be qued for deletion on reboot. And on reboot, files don't have the same protection from Windows as they do normally.

I have completed the tool as I have originally conceived it, now it is in the testing stage. The first step is to locate copies of the trojan and try it out. Like I said, if it doesn't work, I'll be back to the drawing board. :ph34r:

Matt

Link to post
Share on other sites

Thanks TT. You and shane are on my list to send this too. I know you guys won't misuse it, and even if something does go wrong; you're not called Experts for nothing ;)

If anyone else is interested, contact me via PM and we'll talk.

BTW, moving this to spyware/adware information.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...