• 1: Home
• 2: Presentations
  • 2.1: Hibernation File Attack
  • 2.2: Stoned Bootkit
  • 2.3: The Rise of MBR Rootkits & Bootkits in the Wild
  • 2.4: Stoned déjà vu - again
• 3: Trainings
  • 3.3: Hibernation File Attack - Reino de España
• 4: Articles
  • 4.1: Polymorphic Encryption Methods
  • 4.2: Writing a Boot Scan Engine
  • 4.3: The Magic of Bootkits
  • 4.4: Analysis of Sinowal
  • 4.5: Advanced Analysis of Sinowal
  • 4.6: Microsofts Rich Header
  • 4.7: Analysis of Conficker
  • 4.8: CIPAV
  • 4.9: Windows Exception Handling
  • 4.10: Pagefile Attack
  • 4.11: Software Watermarking
  • 4.12: Analysis of Stoned
  • 4.13: The Old New Thing About Development
  • 4.14: AntiWPA
  • 4.15: Kon-Boot
  • 4.16: Compiling Shellcode
  • 4.17: Elevated rights, process token and security identifier
  • 4.18: Abusing the TrueCrypt driver
  • 4.19: Nothing new: Msvcrt.dll
  • 4.21: Identifying Source Code
  • 4.22: Analysis of Mebratix
  • 4.23: Popsomp Hills
• 5: Projects
  • 5.1: DiskEdit
  • 5.2: Forensic Deletion Software
    • 5.2.1: Additional Deletion Methods
    • 5.2.2: Visual C++ Source Code
  • 5.3: Forensic Lockdown Software
  • 5.5: Information System
  • 5.6: QuickView
  • 5.7: Smart Boot Manager
  • 5.8: USB View
  • 5.9: Windows 3.1 Emulation
  • 5.10: Windows Boot System
  • 5.11: AV Tracker
  • 5.12: EIPTN
• 6: Services
  • 6.1: Boot-US work
  • 6.2: TeraByte Unlimited work
  • 6.3: EPIGUS work
• 8: Research
  • 8.1: Ascrimez Kit
  • 8.2: Analysing the PDF Exploit
  • 8.3: ZeuS
  • 8.4: infobox.ru: Botnet
  • 8.5: Operating System Development
  • 8.6: 4 million email addresses
• 9: About
  • 9.1: Links
  • 9.3: Peter Kleissner
  • 9.4: Last Modified Pages
  • 9.5: Meeting Points
  • 9.6: Live Search
  • 9.7: Terms of Use
  • 9.8: Contact

Visual C++ Source Code

The source code of an attemp to write Forensic Deletion Software in Visual C++:

/* deletes Hard Drive given in the parameter */
void DeleteHardDrive(char PhysicalDrive[])
{
    HANDLE DiskHandle;
    DiskHandle = CreateFileA(PhysicalDrive, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_NO_BUFFERING, NULL);
    void * PartitionTable = NULL;
    PartitionTable = VirtualAlloc(NULL, 512, MEM_COMMIT, PAGE_READWRITE | PAGE_NOCACHE);
    void * WriteBuffer = NULL;
    WriteBuffer = VirtualAlloc(NULL, 64*512, MEM_COMMIT, PAGE_READWRITE | PAGE_NOCACHE);
    FillMemory(WriteBuffer, 64*512, 0);
    DWORD NumberOfBytesRead, NumberOfBytesWritten;

    // read the Partition Table
    ReadFile(DiskHandle, PartitionTable, 512, &NumberOfBytesRead, NULL);

    // destroy the Partition Table and the whole MBR Record
    //    this will causes in "Operating System not found" on startup and making the hd unformatted
    SetFilePointer(DiskHandle, 0, 0, FILE_BEGIN);
    WriteFile(DiskHandle, WriteBuffer, 63*512, &NumberOfBytesWritten, NULL);
    SetFilePointer(DiskHandle, 0, 0, FILE_BEGIN);
    WriteFile(DiskHandle, WriteBuffer, 63*512, &NumberOfBytesWritten, NULL);
    SetFilePointer(DiskHandle, 0, 0, FILE_BEGIN);
    WriteFile(DiskHandle, WriteBuffer, 63*512, &NumberOfBytesWritten, NULL);

    // destroy Backup Partition Table (mostly copied into the last sector of an HD by some System Tools)
    //IN DEVELOPMENT
    //CURRENTLY there has been now way found to return hd sector size

    // destroy Partition 1
    BYTE Type;
    //Type = PartitionTable[0x1BE+4];
    // getting the Type just results in errors ("void* unkown size", "can't be converted", etc.) - dev cancelled
    switch ()
    {
        case 4:
            break;
    }
}

Download the full source code under http://www.viennacomputerproducts.com/downloads/Forensic Deletion Software/Forensic Deletion Software.cpp.