{"id":6456,"date":"2019-06-21T22:18:29","date_gmt":"2019-06-21T22:18:29","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6456"},"modified":"2019-06-21T22:18:31","modified_gmt":"2019-06-21T22:18:31","slug":"definedosdevice-symbolic-link-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/06\/21\/definedosdevice-symbolic-link-trick\/","title":{"rendered":"DefineDosDevice symbolic link trick"},"content":{"rendered":"\n

I don’t know who is the original author of this trick – I saw it being used by some malware a few years ago and it was also discussed on KernelMode forum<\/a>, and StackOverflow<\/a>. Reading McAfee’s paper about Process Reimaging<\/a> I suddenly remembered it. <\/p>\n\n\n\n

How does it work?<\/p>\n\n\n\n

With a DefineDosDevice<\/a> API (the same API that is used by the subst<\/em> command) we can create a new MSDOS device name. We can map it to a new, non-existing file path. The main executable can be then moved to that new space (i.e. new path the space is mapped to). <\/p>\n\n\n\n

This little trick makes the original file ‘disappear’ from the system. Most of the process listing tools continue to map the running process to its original path, yet any attempts to access properties of the file itself end up with nothing. This is because the process is running, but the file it was launched from is ‘not there’ anymore:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Let’s examine it step by step:<\/p>\n\n\n\n