NoDelete is a tool that assists in malware analysis by locking a folder where malware drops files before deleting them.
This project is being created mainly for my personal studies of Qt and C++. As soon as I learn new things, I will improve it all.
If you have any suggestions, feel free to contact me.
- Added
config.ini - Added logging for monitored folders
- Added ListView with paths
- Added option to open folders from ListView
- Implemented multi-threading
- Added functionality to restore original folder permissions
- Read from environment variable
- Added
app.manifest
Now you can set the folder you would like to lock in a config.ini file.
- Directories: All the directories you want to monitor and lock.
- LogFile: Name of the log file (default is in the same path as the binary).
When NoDelete loads the file, it will convert the environment variables and display them in a user-friendly format.
You can also open the directory to inspect the files that the malware wrote there. Just right-click on the line and select Open Directory.
Before running NoDelete, you will have full permissions on the target folder:
Once all folders are locked, you will see that only "Everyone" is allowed to perform specific actions:
A log will help you validate if anything went wrong and will also provide details about the success of locking the folders.
After using NoDelete, files inside the locked folder cannot be deleted. This allows you to lock a folder used by malware to drop files, ensuring the files remain intact for further investigation.
You can see all activities recorded in the log file:
- Save events to EventViewer
- CLI option