
NtCreateSymbolicLinkObject creates an object in the Windows Object Manager (you can see such links using the WinObj utility from Sysinternals).

What is the correct way to delete a symbolic link object? I noticed that using NtOpenSymbolicLinkObject it is possible to specify DELETE in the ACCESS_MASK (bit 16 only) for delete access, but what I need to know is how to actually do the deletion?

0xC0000022L
Adrian S

2 Answers

To delete a native object namespace symbolic link from user mode: build an OBJECT_ATTRIBUTES struct describing the link object, then:

UNICODE_STRING name;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE handle;

/* absolute NT path of the link; \BaseNamedObjects\MyLink is only a placeholder name */
RtlInitUnicodeString( &name, L"\\BaseNamedObjects\\MyLink");
InitializeObjectAttributes( &objectAttributes, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
if (NtOpenSymbolicLinkObject( &handle, DELETE, &objectAttributes) == STATUS_SUCCESS)
{
    NtMakeTemporaryObject( handle);   /* clears OBJ_PERMANENT: the link is removed when its last handle closes */
    NtClose( handle);
}

You will likely need to use function pointers and GetProcAddress() for the NT*() function calls, unless you can track down or build an ntdll.dll import library to link against.

Joe
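The open-for-DELETE, NtMakeTemporaryObject, NtClose sequence from the answer above carried end to end, as an added example that is not part of the original answer: a PowerShell script that P/Invokes ntdll.dll through Add-Type, creates a permanent link at an assumed path \BaseNamedObjects\NtSymLinkDemo pointing at \Device\Null, deletes it, and probes whether the name still resolves. The helper class NtSymLink, its methods Create/Remove/Probe and the demo path are this example's own inventions. It assumes the caller may create objects in that directory and, for the OBJ_PERMANENT case, holds SeCreatePermanentPrivilege (by default only SYSTEM does); without the privilege it falls back to a temporary link, which shows the other half of the rule: NtMakeTemporaryObject only clears the permanent flag, and the name disappears when the last handle to the object is closed.

```powershell
# Added example (not from the original answer): delete a native object-manager symbolic
# link from user mode. Class, method names and the demo path below are this example's own.
$src = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

[StructLayout(LayoutKind.Sequential)]
public struct OBJECT_ATTRIBUTES {
    public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
    public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
}

public static class NtSymLink {
    public const uint DELETE = 0x00010000;                 // standard right, bit 16
    public const uint SYMBOLIC_LINK_QUERY = 0x0001;
    public const uint SYMBOLIC_LINK_ALL_ACCESS = 0x000F0001;
    public const uint OBJ_PERMANENT = 0x10, OBJ_CASE_INSENSITIVE = 0x40;
    public const int STATUS_SUCCESS = 0;
    public const int STATUS_PRIVILEGE_NOT_HELD = unchecked((int)0xC0000061);
    public const int STATUS_OBJECT_NAME_NOT_FOUND = unchecked((int)0xC0000034);

    [DllImport("ntdll.dll")] static extern int NtCreateSymbolicLinkObject(out IntPtr h, uint access, ref OBJECT_ATTRIBUTES oa, ref UNICODE_STRING target);
    [DllImport("ntdll.dll")] static extern int NtOpenSymbolicLinkObject(out IntPtr h, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] static extern int NtMakeTemporaryObject(IntPtr h);
    [DllImport("ntdll.dll")] public static extern int NtClose(IntPtr h);

    static UNICODE_STRING ToUnicode(string s) {
        UNICODE_STRING us = new UNICODE_STRING();
        us.Length = (ushort)(s.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        us.Buffer = Marshal.StringToHGlobalUni(s);
        return us;
    }

    // OBJECT_ATTRIBUTES for an absolute NT path; ObjectName points at a heap-allocated UNICODE_STRING.
    static OBJECT_ATTRIBUTES ToAttributes(string ntPath, uint flags) {
        OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
        oa.ObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        Marshal.StructureToPtr(ToUnicode(ntPath), oa.ObjectName, false);
        oa.Attributes = flags;
        return oa;
    }

    static void Free(ref OBJECT_ATTRIBUTES oa) {
        UNICODE_STRING us = (UNICODE_STRING)Marshal.PtrToStructure(oa.ObjectName, typeof(UNICODE_STRING));
        Marshal.FreeHGlobal(us.Buffer);
        Marshal.FreeHGlobal(oa.ObjectName);
    }

    public static int Create(string link, string target, bool permanent, out IntPtr h) {
        OBJECT_ATTRIBUTES oa = ToAttributes(link, OBJ_CASE_INSENSITIVE | (permanent ? OBJ_PERMANENT : 0u));
        UNICODE_STRING tgt = ToUnicode(target);
        int status = NtCreateSymbolicLinkObject(out h, SYMBOLIC_LINK_ALL_ACCESS, ref oa, ref tgt);
        Marshal.FreeHGlobal(tgt.Buffer); Free(ref oa);
        return status;
    }

    // The deletion itself: open for DELETE, clear the permanent flag, drop our own handle.
    public static int Remove(string link) {
        OBJECT_ATTRIBUTES oa = ToAttributes(link, OBJ_CASE_INSENSITIVE);
        IntPtr h;
        int status = NtOpenSymbolicLinkObject(out h, DELETE, ref oa);
        Free(ref oa);
        if (status != STATUS_SUCCESS) return status;
        status = NtMakeTemporaryObject(h);
        NtClose(h);
        return status;
    }

    // Does the name still resolve? STATUS_SUCCESS if so, STATUS_OBJECT_NAME_NOT_FOUND once it is gone.
    public static int Probe(string link) {
        OBJECT_ATTRIBUTES oa = ToAttributes(link, OBJ_CASE_INSENSITIVE);
        IntPtr h;
        int status = NtOpenSymbolicLinkObject(out h, SYMBOLIC_LINK_QUERY, ref oa);
        Free(ref oa);
        if (status == STATUS_SUCCESS) NtClose(h);
        return status;
    }
}
'@
Add-Type -TypeDefinition $src

$link = '\BaseNamedObjects\NtSymLinkDemo'   # assumed demo path; the target is the null device
$h = [IntPtr]::Zero
$permanent = $true
$status = [NtSymLink]::Create($link, '\Device\Null', $true, [ref]$h)
if ($status -eq [NtSymLink]::STATUS_PRIVILEGE_NOT_HELD) {
    # No SeCreatePermanentPrivilege: use a temporary link instead; it lives only while $h is open.
    $permanent = $false
    $status = [NtSymLink]::Create($link, '\Device\Null', $false, [ref]$h)
}
if ($status -ne 0) { throw ('NtCreateSymbolicLinkObject failed: 0x{0:X8}' -f $status) }
if ($permanent) { [void][NtSymLink]::NtClose($h) }   # a permanent link survives the creator's close

'created    -> probe 0x{0:X8}' -f [NtSymLink]::Probe($link)
'remove     -> 0x{0:X8}'       -f [NtSymLink]::Remove($link)
'after      -> probe 0x{0:X8}' -f [NtSymLink]::Probe($link)
if (-not $permanent) {
    # Remove() already cleared the (absent) permanent flag; the name only goes away with the last handle.
    [void][NtSymLink]::NtClose($h)
    'last close -> probe 0x{0:X8}' -f [NtSymLink]::Probe($link)
}
```

Run it in a 64-bit PowerShell 5.1 session on the same bitness as the link you are cleaning up. With SeCreatePermanentPrivilege (e.g. run as SYSTEM) the probe after Remove returns STATUS_OBJECT_NAME_NOT_FOUND, which is the "deletion" the question asks about. Without it the probe after Remove still succeeds, and only the last NtClose makes the name vanish: NtMakeTemporaryObject does not tear the object down, it merely removes the reference that OBJ_PERMANENT had pinned, so a link that some other process keeps a handle to stays resolvable until that process closes it too.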

Your question doesn't actually specify if you're asking for user mode or kernel mode. My guess is, since you're also specifying the , that you're looking for a solution in user mode. To my best knowledge there is no such functionality exposed from ntdll.dll. And frankly I've never even wondered why. So: good question!

Since the NT native API is undocumented by definition, with the exception of those few functions and types in winternl.h in newer Windows SDKs, those shared between user and kernel mode (mostly Rtl*, Nt* and Zw*) documented in the WDKs and the many efforts to document them anyway (ReactOS, this site, the Process Hacker source code, WINE and so on), only Microsoft can give you a truly definite answer. But even they'd probably ask you to specify a particular Windows version.

However, we can still make a best guess based on available information.

On my Windows 7 x64 I can see the following (compare to dumpbin /exports ntoskrnl.exe|findstr /i Symbolic):

C:\Windows\System32>dumpbin /exports ntdll.dll|findstr /i Symbolic
        266   FB 000208BC NtCreateSymbolicLinkObject = _ZwCreateSymbolicLinkObject@16
        379  16C 00021150 NtOpenSymbolicLinkObject = _ZwOpenSymbolicLinkObject@12
        440  1A9 00021588 NtQuerySymbolicLinkObject = _ZwQuerySymbolicLinkObject@12
       1517  5E4 000208BC ZwCreateSymbolicLinkObject = _ZwCreateSymbolicLinkObject@16
       1628  653 00021150 ZwOpenSymbolicLinkObject = _ZwOpenSymbolicLinkObject@12
       1689  690 00021588 ZwQuerySymbolicLinkObject = _ZwQuerySymbolicLinkObject@12

So for user mode we seem indeed to be out of luck here. ntdll.dll is -- to my best knowledge -- our only way to access the NT native API from user mode (not counting the use of the system call dispatcher directly, which is impractical for all but a few specialized use cases) and there is no function at all that fits the bill.

However, if your question happens to have been asked for kernel mode, then -- as a driver developer -- I can happily point you to: IoDeleteSymbolicLink which is paired with IoCreateSymbolicLink (and IoCreateUnprotectedSymbolicLink) and not with NtCreateSymbolicLinkObject (or ZwCreateSymbolicLinkObject) inside DriverEntry. As you can tell from the documentation it's pretty trivial to create a symbolic link object from a driver and remove it again, using the I/O manager's functions.

PS: You may want to take a peek at the ReactOS sources: obname.c, oblink.c (both ob) and symlink.c (io/iomgr) seem to be good candidates. Typically you can get a relatively faithful glimpse of how Windows would implement this. But there are differences and ReactOS is kind of a moving target given that they have in the past changed the Windows version they target for compatibility. Besides, behavior of those functions can and will change between Windows versions (and even service packs) as well.

0xC0000022L