文件删除的windows下面的三种路径(轻量级)
文件常规删除的三种路径大家都比较熟悉:

#define FILE_DELETE_ON_CLOSE 0x00001000

@1 Nt/ZwCreateFile、Nt/ZwOpenFile:填充 OpenPacket 结构,标记 FILE_DELETE_ON_CLOSE (WRK)
@2 Nt/ZwDeleteFile:同样填充 OpenPacket 结构,标记 FILE_DELETE_ON_CLOSE (WRK)
@3 Nt/ZwSetInformationFile:使用 FileDispositionInformation (enum 0d == 13)

三条路径最终都通过 IoCallDriver( deviceObject, irp ); 把 IRP 下发给文件系统驱动。

XP / WIN7 下 cmd 中 del 命令的完整栈回溯(del c:\4):

1: kd> kvn
 # ChildEBP RetAddr Args to Child
00 b1dd2cb0 804e23c9 82102020 81fde1e8 81fde1f8 Ntfs!NtfsFsdSetInformation (FPO: [Non-Fpo])
01 b1dd2cc0 805dc2c1 b1dd2d64 0013efd0 805804ed nt!IopfCallDriver+0x31 (FPO: [0,0,0])
02 b1dd2d48 804de98f 00000090 0013f010 0013f033 nt!NtSetInformationFile+0x533 (FPO: [Non-Fpo])
03 b1dd2d48 7c92e514 00000090 0013f010 0013f033 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b1dd2d64)
04 0013efb0 7c92dc6a 7c832054 00000090 0013f010 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0013efb4 7c832054 00000090 0013f010 0013f033 ntdll!NtSetInformationFile+0xc (FPO: [5,0,0])
06 0013f028 4ad17d07 0113f050 0015d990 001591c0 kernel32!DeleteFileW+0x23f (FPO: [Non-Fpo])
07 0013f46c 4ad08fc1 001591c0 0015d990 00000000 cmd!NewEraseFile+0x1b2 (FPO: [Non-Fpo])
08 0013f6d4 4ad09148 001591c0 00000000 00000006 cmd!ExpandAndApplyToFS+0x22a (FPO: [Non-Fpo])
09 0013f774 4ad0937c 001591c0 00000000 00000006 cmd!WalkTree+0x40 (FPO: [Non-Fpo])
0a 0013f9d0 4ad092df 0013f9e8 0015a0c8 0015913c cmd!DelPatterns+0x6a (FPO: [Non-Fpo])
0b 0013fc60 4ad091a3 0015a060 0013fe9c 4ad05a92 cmd!DelWork+0x13c (FPO: [Non-Fpo])
0c 0013fc6c 4ad05a92 0015a0c8 00000000 0015a0c8 cmd!eDelete+0x10 (FPO: [Non-Fpo])
0d 0013fe9c 4ad013eb 0015a0c8 0015a0c8 00000002 cmd!FindFixAndRun+0x1f5 (FPO: [Non-Fpo])
0e 0013fee0 4ad0f138 00000000 00000001 00000000 cmd!Dispatch+0x137 (FPO: [Non-Fpo])
0f 0013ff44 4ad05154 00000001 00034068 00032bf8 cmd!main+0x216 (FPO: [Non-Fpo])
10 0013ffc0 7c817077 80000001 01b0ea68 7ffd3000 cmd!mainCRTStartup+0x125 (FPO: [Non-Fpo])
11 0013fff0 00000000 4ad05046 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

可见 XP / WIN7 的 del 走的是 DeleteFileW -> NtSetInformationFile -> Ntfs!NtfsFsdSetInformation,即上面的第 @3 条路径。

1: kd> dds esp
b1dd2cb4 804e23c9 nt!IopfCallDriver+0x31
b1dd2cb8 82102020 pdevice_object
b1dd2cbc 81fde1e8 pirp

栈上的两个参数正对应 NTSTATUS NtfsFsdSetInformation ( IN PVOLUME_DEVICE_OBJECT VolumeDeviceObject, IN PIRP Irp ):

1: kd> dt _device_object 82102020 -r
ntdll!_DEVICE_OBJECT
 +0x000 Type : 0n3
 +0x002 Size : 0x860
 +0x004 ReferenceCount : 0n0
 +0x008 DriverObject : 0x82237ca0 _DRIVER_OBJECT
  +0x01c DriverName : _UNICODE_STRING "\FileSystem\Ntfs"
   +0x000 Length : 0x20
   +0x002 MaximumLength : 0x20
   +0x004 Buffer : 0xe140e128 "\FileSystem\Ntfs"

1: kd> dt _irp 81fde1e8 -r
ntdll!_IRP
 +0x000 Type : 0n6 //#define IRP_MJ_SET_INFORMATION 0x06
(注:_IRP.Type 字段存放的是对象类型 IO_TYPE_IRP,其值同样为 6,与 IRP_MJ_SET_INFORMATION 相等只是巧合;本次请求的主功能码应看 CurrentStackLocation->MajorFunction。)
 +0x040 Tail : __unnamed
  +0x000 Overlay : __unnamed
   +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
   +0x000 DriverContext : [4] (null)
   +0x010 Thread : 0x81ca8518 _ETHREAD
   +0x014 AuxiliaryBuffer : (null)
   +0x018 ListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x020 CurrentStackLocation : 0x81fde330 _IO_STACK_LOCATION
   +0x020 PacketType : 0x81fde330
   +0x024 OriginalFileObject : 0x81c63660 _FILE_OBJECT

1: kd> dt _file_object 0x81c63660
ntdll!_FILE_OBJECT
 +0x026 ReadAccess : 0 ''
 +0x027 WriteAccess : 0 ''
 +0x028 DeleteAccess : 0x1 ''
 +0x029 SharedRead : 0x1 ''
 +0x02a SharedWrite : 0x1 ''
 +0x02b SharedDelete : 0x1 ''
 +0x02c Flags : 0x40040
 +0x030 FileName : _UNICODE_STRING "\4"

可以看到该文件对象是以 DeleteAccess = 1 打开的,删除请求正是在这个句柄上通过 FileDispositionInformation 下发的。

Win8.0 / Win8.1 (9200 / 9600) 的 del 则改用 ZwOpenFile 带 FILE_DELETE_ON_CLOSE 标志的路径。

因此,同一个 del 命令在不同版本的 Windows 上会走不同的内核路径:要在文件系统过滤驱动(minifilter)里审计或拦截文件删除,不能只盯着 IRP_MJ_SET_INFORMATION / FileDispositionInformation,还必须同时处理 IRP_MJ_CREATE 中带 FILE_DELETE_ON_CLOSE 的打开请求(ZwDeleteFile 也落在这一类);较新的 Windows 10 还引入了 FileDispositionInformationEx(POSIX 删除语义),监控时同样需要覆盖,否则会留下绕过检测的盲区。