Looking for a simple process to overwrite a text file so it is non-recoverable.
Can someone help out with this code? I just want to either fill the data with junk or with some random data before it is deleted.


.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

OverWrite PROTO
.data
    szJunkData db "JuNk",0
    szFile    db "c:\blah.txt",0
.code
start:
    invoke OverWrite
    invoke ExitProcess, 0
   
OverWrite Proc
    local hFile:DWORD
    local BytesWritten:DWORD
    mov edi,9
@@:
    invoke CreateFile,addr szFile, GENERIC_WRITE, FILE_SHARE_READ, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
            mov hFile, eax
    invoke GetFileSize,eax,0
    invoke WriteFile, hFile, addr szJunkData,eax, addr BytesWritten, 0
    invoke CloseHandle, hFile
    dec edi
  jnz @B
      ret
OverWrite endp
end start
Posted on 2005-03-24 14:51:36 by illwill
If the file size you are trying to overwrite is larger than the system allocates for your data section, your program will crash due to a GPF. I would suggest the following after you get the file size:


    shr  eax,2    ;divide by 4 to write 4 bytes at a time
@@:
    push eax
    invoke WriteFile, hFile, addr szJunkData,4, addr BytesWritten, 0
    pop  eax
    dec  eax
    jnz  @B


Your file will then be entirely filled with JuNk except for the last few bytes which were not a multiple of 4.

Raymond
Posted on 2005-03-24 20:25:14 by Raymond
You're trying to write "filesize" bytes of data, but "szJunkData" points to only 5 bytes: 'J' 'u' 'N' 'k' 'NULL' (and some possible bytes after it). This may cause a GP fault.

Also, the technique you're using isn't clever - for a 2GB file you'd need to allocate 2GB of RAM.


[ /edit: Raymond was faster :P ]


After Raymond's post, I'd like to add that writing 4 bytes at a time will be dead-slow :P
Posted on 2005-03-24 20:28:50 by ti_mo_n
What would be a better way to do this as far as speed and memory usage?
Posted on 2005-03-24 21:54:37 by illwill
Write 4 bytes at a time and keep doing that till you have overwritten the whole file with "Junk". Like what Raymond has suggested.

Modify it to something like

    mov esi, eax
    shr  eax,2    ;divide by 4 to write 4 bytes at a time
@@:
    push eax
    invoke WriteFile, hFile, addr szJunkData,4, addr BytesWritten, 0
    pop  eax
    dec  eax
    jnz  @B
    and esi, 111b
    jz done
    invoke WriteFile, hFile, addr szJunkData,esi, addr BytesWritten, 0
done:


Another suggestion would be to reduce the file size, then overwrite it. It might work, if I am not wrong.
Posted on 2005-03-24 22:24:08 by roticv
OK, it now writes junk to the file  :D
So would I have to do this process 9 times in order to make the file unrecoverable by DoD standards?


.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

OverWrite PROTO
.data
    szJunkData db "JuNk",0
    szFile    db "c:\blah.txt",0
.code
start:
    invoke OverWrite
    invoke ExitProcess, 0
   
OverWrite PROC
    local hFile:DWORD
    local dwWritten:DWORD
    local dwFileSize:DWORD
    invoke CreateFile,addr szFile, GENERIC_WRITE, FILE_SHARE_WRITE, 0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
    mov hFile, eax
    invoke GetFileSize,eax,0
    shr  eax,2    ;divide by 4 to write 4 bytes at a time
@@:
    push eax
    invoke WriteFile, hFile, addr szJunkData,4, addr dwWritten, 0
    pop  eax
    dec  eax
    jnz  @B
    and esi, 111b
    jz done
    invoke WriteFile, hFile, addr szJunkData,esi, addr dwWritten, 0
done:
    invoke CloseHandle, hFile
      ret
OverWrite endp
end start


also
    and esi, 111b
    jz done
    invoke WriteFile, hFile, addr szJunkData,esi, addr dwWritten, 0
done:

what does that extra at the end do?
Posted on 2005-03-25 00:30:34 by illwill
To overwrite the file completely with "junk". The main loop just fills it up to a multiple of 4.
Posted on 2005-03-25 05:28:55 by roticv
There is an example from Sysinternals which is coded in C, but it gives you the idea of the implementation (source included): http://www.sysinternals.com/ntw2k/source/sdelete.shtml
Posted on 2005-03-25 06:03:33 by jNz
For DoD standards, I found a document that stated a random pattern must be written over every addressable sector on the disk a total of 18 times. But this was to declassify a hard drive, needless to say.

If you want something that will follow DoD standards, you are going to have to google for that.
Posted on 2005-03-25 07:09:04 by gorshing
Yeah, I have to preserve the file size pointer; for some reason it keeps writing over itself, making it bigger and bigger.
I'm not good enough with C code to try to translate that code into asm.
Posted on 2005-03-25 22:20:40 by illwill
You could try including class32.inc or later and using my Fstream class for easy file io.
Ask me for the latest version.
After opening a file with it, you can use Put and Get methods to access file data, and can set the filepointer by hand if need be.
It will automatically catch the existing filesize when opening existing files, etc.
Posted on 2005-03-26 01:50:28 by Homer
Here's the code I came up with, illwill:


.386
.model flat,stdcall
option casemap:none

include \masm32\include\WINDOWS.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib

NumTimesOverWrite                    equ    9        ;Or Whatever DOD requires
Multiple_Of_2                        equ    256      ;Or 2,4,8,16,32,64,128,256,etc
Multiple_Of_2_Minus_1                equ    255      ;Or 1,3,7,15,31,63,127,255,etc
Depends_On_Value_Of_Multiple_Of_2    equ    8        ;Or 1,2,3, 4, 5, 6,  7,  8,etc

OverWrite      PROTO

.data

szFilter        BYTE        "Text Files",0,"*.txt",0,0
szTitle        BYTE        "OverWrite and Delete A File",0
szQuestion      BYTE        "Delete Another File?",0

.data?

hFile          HANDLE      ?
BytesWritten    DWORD        ?
OpenProgram    OPENFILENAME <>
szFile          BYTE        256 dup (?)
szJunkData      BYTE        Multiple_Of_2 dup (?)

.code

Start:

        mov    OpenProgram.lStructSize,76
        mov    OpenProgram.nMaxFile,256
        lea    edx,szFilter
        mov    OpenProgram.lpstrFilter,edx
        add    edx,13
        mov    OpenProgram.lpstrDefExt,edx
        lea    edx,szTitle
        mov    OpenProgram.lpstrTitle,edx
        mov    OpenProgram.Flags,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST
S0000:
        lea    edx,szFile
        mov    BYTE PTR [edx],0
        mov    OpenProgram.lpstrFile,edx

        INVOKE  GetOpenFileName,ADDR OpenProgram                                    ;comdlg32.dll

        INVOKE  OverWrite

        ;INVOKE  DeleteFile,ADDR szFile                                              ;kernel32.dll

        INVOKE  MessageBox,NULL,ADDR szQuestion,ADDR szTitle,MB_OKCANCEL            ;user32.dll

        cmp    eax,IDOK
        je      S0000

        INVOKE  ExitProcess,eax                                                      ;kernel32.dll

OverWrite Proc

        push    edi
        push    esi

        mov    edi,NumTimesOverWrite
OW0000:
        INVOKE  CreateFile,ADDR szFile,GENERIC_WRITE,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0 ;kernel32.dll

        mov    hFile,eax

        INVOKE  GetFileSize,eax,0                                                    ;kernel32.dll

        mov    BytesWritten,0
        mov    esi,eax
        shr    eax,Depends_On_Value_Of_Multiple_Of_2
OW0001:
        push    eax

        INVOKE  WriteFile,hFile,ADDR szJunkData,Multiple_Of_2,ADDR BytesWritten,0    ;kernel32.dll

        pop    eax

        dec    eax
        jnz    OW0001

        and    esi,Multiple_Of_2_Minus_1

        INVOKE  WriteFile,hFile,ADDR szJunkData,esi,ADDR BytesWritten,0              ;kernel32.dll

        INVOKE  CloseHandle,hFile                                                    ;kernel32.dll

        dec    edi
        jnz    OW0000

        pop    esi
        pop    edi

        ret

OverWrite ENDP

END Start


Also on roticv's recommendation:

and esi, 111b    ;should be 3 as opposed to 7

Hope this helps,

Darrel

EDIT:

Should use Yes/No MessageBox as opposed to OK/CANCEL.
More Smooth :lol:

EDIT2:

corrected variable spelling ;had left out a "t" in word Multiple
Posted on 2005-03-26 03:42:38 by Darrel
It compiles, but you're having the same problem as me: when it overwrites, the filesize pointer gets messed up and the file just gets bigger and bigger.
Posted on 2005-03-26 15:06:18 by illwill
The code in my first post is now correct. I compiled and tested it.

Note I have commented out the DeleteFile function so I could check and make sure it was the same file size and filled with zeroes.

Regards,

Darrel
Posted on 2005-03-26 19:22:31 by Darrel
You ought to overwrite with a few more patterns than just zeroes, and you should probably open the file in UNBUFFERED mode as well, just to be on the safe side...
Posted on 2006-01-09 16:43:09 by f0dder
will,

This should come close to doing what you want. It's just a rough test piece but the splatit procedure is pretty straightforward.


; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    include \masm32\include\masm32rt.inc
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

comment * -----------------------------------------------------
                        Build this  template with
                      "CONSOLE ASSEMBLE AND LINK"
        ----------------------------------------------------- *

    splatit PROTO :DWORD

    .code

start:
 
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

    call main

    exit

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

main proc

    LOCAL pbuf  :DWORD
    LOCAL buffer[260]:BYTE

    mov pbuf, ptr$(buffer)

    invoke GetCL,1,pbuf

    invoke splatit,pbuf

    ret

main endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

splatit proc lpfile:DWORD

    LOCAL hFile :DWORD
    LOCAL flen  :DWORD
    LOCAL blen  :DWORD
    LOCAL pbuf1 :DWORD
    LOCAL pbuf2 :DWORD
    LOCAL bwrt  :DWORD
    LOCAL cloc  :DWORD
    LOCAL icnt  :DWORD

    mov hFile, fopen(lpfile)
    mov flen, fsize(hFile)

    mov pbuf1, alloc(flen)
    mov pbuf2, alloc(flen)

    push esi

    mov esi, pbuf1
    mov ecx, flen
  @@:
    mov BYTE PTR [esi], 00000000b
    add esi, 1
    sub ecx, 1
    jnz @B

    mov esi, pbuf2
    mov ecx, flen
  @@:
    mov BYTE PTR [esi], 11111111b
    add esi, 1
    sub ecx, 1
    jnz @B

    mov esi, 8      ; change the count here if you need to
    mov icnt, 1

  lpst:
    print "Iteration "
    print str$(icnt),13,10
    add icnt, 1
    mov cloc, fseek(hFile,0,FILE_BEGIN) ; set pointer to start of file
    mov bwrt, fwrite(hFile,pbuf1,flen)  ; write filler to file
    invoke FlushFileBuffers,hFile      ; flush file to disk

    print "Iteration "
    print str$(icnt),13,10
    add icnt, 1
    mov cloc, fseek(hFile,0,FILE_BEGIN)
    mov bwrt, fwrite(hFile,pbuf2,flen)
    invoke FlushFileBuffers,hFile

    sub esi, 1
    jnz lpst

    pop esi

    fclose hFile

    test fdelete(lpfile), eax

    free pbuf2
    free pbuf1

    ret

splatit endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

end start
Posted on 2006-01-10 21:49:10 by hutch--
Hutch, you should still use FILE_FLAG_NO_BUFFERING - while FlushFileBuffers "ought to" do what the name indicates, using unbuffered I/O keeps you from using the filesystem cache for the "nuking" process. FlushFileBuffers should still be used, though. Quoting MSDN: "To open a file for unbuffered I/O, call the CreateFile function with the FILE_FLAG_NO_BUFFERING flag. This prevents the file contents from being cached. However, the file metadata may still be cached. To flush the metadata to a disk, use FlushFileBuffers."

Oh, and if you're really paranoid you should consider renaming the file as well - to as many chars as original filename, filled with random chars.
Posted on 2006-01-11 05:56:15 by f0dder
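As an added example (not code from any poster in this thread), the in-place overwrite discussed above, written in portable C with stdio so it runs anywhere: the file is opened without truncation, every pass rewinds to the start, and the last write is sized to the remaining tail so the length never changes. The names overwrite_in_place, make_sample, verify_fill, CHUNK and PASSES, and the file name wipe_demo.bin, are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#define CHUNK 4096  /* assumed buffer size; the tail write handles any file length */
static const unsigned char PASSES[] = { 0x00, 0xFF, 0x00, 0xFF };  /* alternating fills */

/* Overwrite path in place, one pass per pattern byte; returns its size, or -1 on error. */
long overwrite_in_place(const char *path, const unsigned char *patterns, int npasses)
{
    unsigned char buf[CHUNK];
    long size = -1, left;
    FILE *f = fopen(path, "r+b");   /* existing file only: no create, no truncate */
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) < 0) goto fail;
    for (int pass = 0; pass < npasses; pass++) {
        memset(buf, patterns[pass], sizeof buf);
        if (fseek(f, 0, SEEK_SET) != 0) goto fail;   /* rewind, or each pass appends */
        for (left = size; left > 0; ) {              /* never entered for an empty file */
            size_t n = left < CHUNK ? (size_t)left : (size_t)CHUNK;  /* last write = tail */
            if (fwrite(buf, 1, n, f) != n) goto fail;
            left -= (long)n;
        }
        if (fflush(f) != 0) goto fail;  /* reaches the OS only; FlushFileBuffers/fsync reaches disk */
    }
    return fclose(f) == 0 ? size : -1;
fail:
    fclose(f);
    return -1;
}
/* Write a constructed sample file of len 'A' bytes; returns 0 on success. */
int make_sample(const char *path, long len)
{
    FILE *f = fopen(path, "wb");
    for (long i = 0; f && i < len; i++) fputc('A', f);
    return f && fclose(f) == 0 ? 0 : -1;
}
/* Return 1 if the file is exactly len bytes long and every byte equals fill. */
int verify_fill(const char *path, int fill, long len)
{
    FILE *f = fopen(path, "rb");
    long n = 0; int c, ok = (f != NULL);
    while (f && (c = fgetc(f)) != EOF) { ok &= (c == fill); n++; }
    if (f) fclose(f);
    return ok && n == len;
}
int main(void)
{   /* constructed sample: 10000 bytes is not a multiple of CHUNK, so the tail path runs */
    long n = make_sample("wipe_demo.bin", 10000) ? -1 : overwrite_in_place("wipe_demo.bin", PASSES, 4);
    printf("size %ld, verified %d\n", n, verify_fill("wipe_demo.bin", 0xFF, n));
    return remove("wipe_demo.bin") != 0;
}
```

On Windows the same structure maps to CreateFile with OPEN_EXISTING, SetFilePointer to FILE_BEGIN before each pass, and FlushFileBuffers after it.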
Isn't illwill in prison anyway?
Posted on 2006-01-11 13:13:31 by stormix

Isn't illwill in prison anyway?


I don't think so - at least he's been on IRC after all that mess, the little fool he is :)
Posted on 2006-01-11 15:42:10 by f0dder