Hi guys, what's up?
Is native applications familiar to you?
I'm right now building an anti-virus, and as you know the viruses can be active or passive, the passive is easy to remove but the active , well.... it's hard to remove but I finally found the solution is by removing it in system boot. As you know when the windows boot, any processes or services will not get started unless the kernel mode it's be done... By this way I can remove any virus before get started.
I have searched in google for weeks and I found that I can build a native application and add it in this registry path "HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute " but the problem is:
How to build a native application??? :-/

This quession I have google it and no result, and then I thought you may have the solution.......
thank you :)

I'm not sure what you mean by native program.. Win32? Console? Forms?

Also look into RegKeyOpenEx and you can add your app to the key you desire.

I'm not sure what you mean by native program.. Win32? Console? Forms?

Also look into RegKeyOpenEx and you can add your app to the key you desire.

As I know the native program is console application but I tried to make it and add it to the registry but's not worked.

Hi guys, what's up?
Is native applications familiar to you?
I'm right now building an anti-virus, and as you know the viruses can be active or passive, the passive is easy to remove but the active , well.... it's hard to remove but I finally found the solution is by removing it in system boot. As you know when the windows boot, any processes or services will not get started unless the kernel mode it's be done... By this way I can remove any virus before get started.
I have searched in google for weeks and I found that I can build a native application and add it in this registry path "HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute " but the problem is:
How to build a native application??? :-/

This quession I have google it and no result, and then I thought you may have the solution.......
thank you :)

Native apps use an undocumented "native" API. There's about 250 of these functions in the Windows Device Driver Kit. Unfortunately, most of these functions are undocumented. These apps only use the native API's and can't use operating environments such as Win32 API's. Thus, they must be loaded and started prior to the loading of the Win32 Subsystem. That registry key you listed above is where native apps are started by the Session Manager (smss.exe) prior to the start of the Win32 Subsystem.

Download the Windows Device Driver Kit (DDK) for more information on native apps.

Native apps use an undocumented "native" API. There's about 250 of these functions in the Windows Device Driver Kit. Unfortunately, most of these functions are undocumented. These apps only use the native API's and can't use operating environments such as Win32 API's. Thus, they must be loaded and started prior to the loading of the Win32 Subsystem. That registry key you listed above is where native apps are started by the Session Manager (smss.exe) prior to the start of the Win32 Subsystem.

Download the Windows Device Driver Kit (DDK) for more information on native apps.

Body your reply reminde me an article I have read it from a few days ( this is the link http://technet.microsoft.com/en-us/sysinternals/bb897447)
DDK...!!!!!
what is it?
Is it solve my problem?!!!!!

Body your reply reminde me an article I have read it from a few days ( this is the link http://technet.microsoft.com/en-us/sysinternals/bb897447)
DDK...!!!!!
what is it?
Is it solve my problem?!!!!!

The Windows Driver Kit (WDK) is a starting point to writing kernel code. It contains tools, samples, help files etc. which can be used if you want to code on that level. The kernel level is where your native api's are found.

Let's take a look at the Win32 CreateFile function. We would normally call this function in what is referred to as UserMode. The mode that most of us are familiar with. This function in turn calls NtCreateFile on the kernel level. NtCreateFile in turn calls ZwCreate file on the kernel level. NtCreateFile and ZwCreateFile are native API's.

The NtXxxx functions check the supplied parameters and access modes for validity and explicitly set the previous mode to USER mode. The ZwXxxx function variants do not. Thus, NT Drivers call ZwCreateFile(...)when they are opening a file on their own behalf. OS Environment Subsystems which are using the standard Win32 API's would use NtXxxxx since they are calling from user mode.

To recap, native apps use the native api instead of the UserMode Win32 api.

A fully function example follows. Refer to the InitializeNativeFunctions call. It initializes the following native functions:
RtlInitUnicodeString
ZwCreateFile
ZwCreateEvent
ZwQueryDirectoryFile
ZwWaitForSingleObject
RtlUnicodetoAnsiString

#include <windows.h>
#include <stdio.h>

typedef LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;
typedef DWORD ULONG_PTR;

#define STATUS_SUCCESS (NTSTATUS)0x00000000L
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define FILE_OPEN               0x00000001
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define FILE_DIRECTORY_FILE     0x00000001

#define InitializeObjectAttributes( p, n, a, r, s ) {    \
    (p)->uLength = sizeof( OBJECT_ATTRIBUTES );          \
    (p)->hRootDirectory = r;                             \
    (p)->uAttributes = a;                                \
    (p)->pObjectName = n;                                \
    (p)->pSecurityDescriptor = s;                        \
    (p)->pSecurityQualityOfService = NULL;               \
}

typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR  Buffer;
} UNICODE_STRING;

typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef USHORT RTL_STRING_LENGTH_TYPE;

typedef struct _STRING {
	USHORT Length;
	USHORT MaximumLength;
	PCHAR Buffer;
} STRING;

typedef STRING *PSTRING;
typedef STRING ANSI_STRING;
typedef PSTRING PANSI_STRING;

typedef struct _OBJECT_ATTRIBUTES {
	ULONG uLength;
	HANDLE hRootDirectory;
	PUNICODE_STRING pObjectName;
	ULONG uAttributes;
	PVOID pSecurityDescriptor;        
	PVOID pSecurityQualityOfService;  
} OBJECT_ATTRIBUTES;

#define InitializeObjectAttributes( p, n, a, r, s ) {    \
    (p)->uLength = sizeof( OBJECT_ATTRIBUTES );          \
    (p)->hRootDirectory = r;                             \
    (p)->uAttributes = a;                                \
    (p)->pObjectName = n;                                \
    (p)->pSecurityDescriptor = s;                        \
    (p)->pSecurityQualityOfService = NULL;               \
}

typedef OBJECT_ATTRIBUTES * POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {
	union {
		NTSTATUS Status;
		PVOID Pointer;
	};
	ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef VOID (NTAPI *PIO_APC_ROUTINE) (IN PVOID ApcContext, IN PIO_STATUS_BLOCK IoStatusBlock, IN ULONG Reserved);

typedef enum _FILE_INFORMATION_CLASS {
	FileDirectoryInformation         = 1,
		FileFullDirectoryInformation,   
		FileBothDirectoryInformation,   
		FileBasicInformation,          
		FileStandardInformation,        
		FileInternalInformation,        
		FileEaInformation,              
		FileAccessInformation,          
		FileNameInformation,            
		FileRenameInformation,          
		FileLinkInformation,            
		FileNamesInformation,           
		FileDispositionInformation,    
		FilePositionInformation,       
		FileFullEaInformation,         
		FileModeInformation,            
		FileAlignmentInformation,       
		FileAllInformation,             
		FileAllocationInformation,     
		FileEndOfFileInformation,      
		FileAlternateNameInformation,  
		FileStreamInformation,          
		FilePipeInformation,          
		FilePipeLocalInformation,       
		FilePipeRemoteInformation,     
		FileMailslotQueryInformation,   
		FileMailslotSetInformation,     
		FileCompressionInformation,    
		FileObjectIdInformation,        
		FileCompletionInformation,      
		FileMoveClusterInformation,     
		FileQuotaInformation,           
		FileReparsePointInformation,   
		FileNetworkOpenInformation,    
		FileAttributeTagInformation,   
		FileTrackingInformation,        
		FileIdBothDirectoryInformation, 
		FileIdFullDirectoryInformation, 
		FileValidDataLengthInformation, 
		FileShortNameInformation,       
		FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;

typedef enum _EVENT_TYPE {NotificationEvent, SynchronizationEvent} EVENT_TYPE;

typedef struct _FILE_BOTH_DIR_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	ULONG EaSize;
	CCHAR ShortNameLength;
	WCHAR ShortName[12];
	WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

NTSTATUS (WINAPI * pRtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);
NTSTATUS (WINAPI * pZwCreateFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
NTSTATUS (WINAPI * pZwCreateEvent)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, EVENT_TYPE, BOOLEAN);
NTSTATUS (WINAPI * pZwQuerydirectoryFile)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);
NTSTATUS (WINAPI * pZwWaitForSingleobject)(HANDLE, BOOLEAN, PLARGE_INTEGER);
NTSTATUS (WINAPI * pRtlUnicodeStringToAnsiString)(PANSI_STRING, PCUNICODE_STRING, BOOLEAN);
NTSTATUS (WINAPI * pZwClose)(HANDLE);

void IntializeNativeFunctions(VOID)
{
	HMODULE hModule = LoadLibrary ("Ntdll.dll");

	pRtlInitUnicodeString = (NTSTATUS (WINAPI *)(PUNICODE_STRING, PCWSTR)) GetProcAddress (hModule, "RtlInitUnicodeString");
	pZwCreateFile = (NTSTATUS (WINAPI *)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG)) GetProcAddress (hModule, "ZwCreateFile");
	pZwCreateEvent = (NTSTATUS (WINAPI *)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, EVENT_TYPE, BOOLEAN)) GetProcAddress (hModule, "ZwCreateEvent");
	pZwQuerydirectoryFile = (NTSTATUS (WINAPI *)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN)) GetProcAddress (hModule, "ZwQueryDirectoryFile");
	pZwWaitForSingleobject = (NTSTATUS (WINAPI *)(HANDLE, BOOLEAN, PLARGE_INTEGER)) GetProcAddress (hModule, "ZwWaitForSingleObject");
	pRtlUnicodeStringToAnsiString = (NTSTATUS (WINAPI *)(PANSI_STRING, PCUNICODE_STRING, BOOLEAN)) GetProcAddress (hModule, "RtlUnicodeStringToAnsiString");
	pZwClose = (NTSTATUS (WINAPI *)(HANDLE)) GetProcAddress (hModule, "ZwClose");
}

NTSTATUS ListDirectory(WCHAR * pszDirectoryName)
{
	UNICODE_STRING RootDirectoryName;
	ANSI_STRING as;
	OBJECT_ATTRIBUTES RootDirectoryAttributes;
	NTSTATUS ntStatus = STATUS_SUCCESS;
	HANDLE RootDirectoryHandle;
	IO_STATUS_BLOCK Iosb;
	HANDLE Event;
	PUCHAR Buffer[65536];
	WCHAR wszBuffer[50];

	PFILE_BOTH_DIR_INFORMATION DirInformation;

	if(pRtlInitUnicodeString == NULL) return -1;
	if(pRtlUnicodeStringToAnsiString == NULL) return -1;
	_snwprintf(wszBuffer,sizeof(wszBuffer),L"\\??\\%s\\",pszDirectoryName);
	ntStatus = ((pRtlInitUnicodeString)(&RootDirectoryName, wszBuffer));
	if (!NT_SUCCESS(ntStatus))
		return ntStatus;
	InitializeObjectAttributes (&RootDirectoryAttributes, &RootDirectoryName, OBJ_CASE_INSENSITIVE, 0, 0);
	if(pZwCreateFile == NULL) return -1;
	ntStatus =((pZwCreateFile)(&RootDirectoryHandle,
		GENERIC_READ,
		&RootDirectoryAttributes,
		&Iosb,
		0,
		FILE_ATTRIBUTE_DIRECTORY,
		FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
		FILE_OPEN,
		FILE_DIRECTORY_FILE,
		0, 0));

	if (!NT_SUCCESS(ntStatus))
	{
		printf("Unable to open %s, error = 0x%x\n", &RootDirectoryName, ntStatus);
		return ntStatus;
	}
	if(pZwCreateEvent == NULL) return -1;
	ntStatus = ((pZwCreateEvent)(&Event, GENERIC_ALL, 0, NotificationEvent, FALSE));
	if (!NT_SUCCESS(ntStatus))
	{
		printf("Event creation failed with error 0x%x\n", ntStatus);
		return ntStatus;
	}
	if(pZwQuerydirectoryFile == NULL) return -1;
	if(((pZwQuerydirectoryFile)(RootDirectoryHandle,
		Event, 0, 0,
		&Iosb,
		Buffer,
		sizeof(Buffer),
		FileBothDirectoryInformation,
		FALSE,
		NULL,
		FALSE)) == STATUS_PENDING)
	{
		if(pZwWaitForSingleobject == NULL) return -1;
		ntStatus = ((pZwWaitForSingleobject)(Event, TRUE, 0));
	}
	if (!NT_SUCCESS(ntStatus))
	{
		printf("Unable to query directory contents, error 0x%x\n", ntStatus);
		return ntStatus;
	}
	DirInformation = (PFILE_BOTH_DIR_INFORMATION) Buffer;
	while (1)
	{
		UNICODE_STRING EntryName;
		EntryName.MaximumLength = EntryName.Length = (USHORT) DirInformation -> FileNameLength;
		EntryName.Buffer = &DirInformation -> FileName[0];
		((pRtlUnicodeStringToAnsiString)(&as, &EntryName, TRUE));
		printf("%s\n", as.Buffer);
		if (0 == DirInformation -> NextEntryOffset)
			break;
		else
			DirInformation = (PFILE_BOTH_DIR_INFORMATION) (((PUCHAR)DirInformation) + DirInformation -> NextEntryOffset);
	}
	((pZwClose)(RootDirectoryHandle));
	return ntStatus;
}

int main(VOID)
{
	WCHAR wszDirectory[] = {L"C:\\Temp"};
	IntializeNativeFunctions();
	ListDirectory(wszDirectory);
	return 0;
}

Just an addendum, native apps use a NtProcessStartup entry point as opposed to WinMain or main. This is why it is required to be started from the Bootexecute registry key.

I finally found the solution is by removing it in system boot.

Are you aware of the regular MoveFileEx() function? It may provide a working solution in this case (i.e. you'll need to use the MOVEFILE_DELAY_UNTIL_REBOOT flag).

Are you aware of the regular MoveFileEx() function? It may provide a working solution in this case (i.e. you'll need to use the MOVEFILE_DELAY_UNTIL_REBOOT flag).

what you mean?
is this a script or something?!!!!!:-O

The Windows Driver Kit (WDK) is a starting point to writing kernel code. It contains tools, samples, help files etc. which can be used if you want to code on that level. The kernel level is where your native api's are found.

Let's take a look at the Win32 CreateFile function. We would normally call this function in what is referred to as UserMode. The mode that most of us are familiar with. This function in turn calls NtCreateFile on the kernel level. NtCreateFile in turn calls ZwCreate file on the kernel level. NtCreateFile and ZwCreateFile are native API's.

The NtXxxx functions check the supplied parameters and access modes for validity and explicitly set the previous mode to USER mode. The ZwXxxx function variants do not. Thus, NT Drivers call ZwCreateFile(...)when they are opening a file on their own behalf. OS Environment Subsystems which are using the standard Win32 API's would use NtXxxxx since they are calling from user mode.

To recap, native apps use the native api instead of the UserMode Win32 api.

A fully function example follows. Refer to the InitializeNativeFunctions call. It initializes the following native functions:
RtlInitUnicodeString
ZwCreateFile
ZwCreateEvent
ZwQueryDirectoryFile
ZwWaitForSingleObject
RtlUnicodetoAnsiString

{/QUOTE]

I will tried and if I have a quession I will ask you?!! thank you any way

what you mean?
is this a script or something?!!!!!:-O

It is a Windows API function. It can be used to delete files upon next system startup - which is what you basically seem to be wanting. So, possibly it may be of help to you - though this depends on what exactly your anti-virus thingy is.

commented: do you have some examples? +0

do you have some examples?

You might try the following minimal snippet to see how it works - maybe it will suit you, maybe not.

#include <iostream>
#include <windows.h>

using namespace std;

int main()
{
    // Queue the file c:\temp\foobar.txt for deletion upon next system start up ...
    MoveFileEx("C:\\temp\\foobar.txt", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

    // If the following displays zero - the operation succeeded, anything else
    // is an error code.
    cout << " GetLastError(): " << GetLastError() << endl;
}

As stated in the MSDN documentation, you need to have write access to a specific part of the system registry.

Oh, and please use the Reply to this Article -button when replying to a post i.e. do not use the Vote & Comment -button for that purpose. ;)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.