Kill process vs. kill thread using madCodeHook
Madshi, what am I doing wrong? My program works fine without the NtTerminateThread hook: I can inject and uninject as many times as I want with no problem, and the NtSuspendThread and NtTerminateProcess hooks work fine too.
I just added the following declaration and callback for NtTerminateThread. After I inject the DLL nothing happens (I can still terminate threads, because the callback does not block anything), but when I try to uninject the DLL I get a blue screen of death on Windows XP.
What am I doing wrong? I am just passing the parameters through without doing anything with them!
// Trampoline to the original ntdll!NtTerminateThread; filled in by HookAPI.
// The real second parameter is an NTSTATUS; it is carried here as a Dword.
NtTerminateThreadNext : Function (ThreadHandle: Dword; ExitCode: Dword): Dword; stdcall;

// Pass-through hook for NtTerminateThread. It inspects nothing and forwards
// the call unchanged, returning whatever the original returns.
// NOTE(review): when ThreadHandle is 0 (or names the calling thread) the
// original call never returns, so this callback never finishes either; any
// per-call bookkeeping the hooking library keeps around a callback would then
// be left dangling. That is presumably related to the problem seen on
// uninject, but it cannot be confirmed from this snippet alone.
Function NtTerminateThreadCallback(ThreadHandle: Dword; ExitCode: Dword): Dword; stdcall;
Var
  status: Dword;
Begin
  status := NtTerminateThreadNext(ThreadHandle, ExitCode);
  Result := status;
End;
// Library initialization: install the ntdll hooks on the NT family only.
// GetVersion reports Win9x/ME with the high bit set, and those systems have
// no ntdll Nt* exports to hook. (`And` binds tighter than `=` in Pascal, so
// the original `GetVersion And $80000000 = 0` already meant this test.)
// NOTE(review): HookAPI's result is discarded for each hook, so a hook that
// fails to install is silent.
Var
  isNtFamily: Boolean;
Begin
  isNtFamily := (GetVersion And $80000000) = 0;
  If isNtFamily Then
  Begin
    HookAPI('ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext);
    HookAPI('ntdll.dll', 'NtTerminateThread', @NtTerminateThreadCallback, @NtTerminateThreadNext);
    HookAPI('ntdll.dll', 'NtSuspendThread', @NtSuspendThreadCallback, @NtSuspendThreadNext);
  End;
End.
I just added the following declaration and callback for NtTerminateThread. After I inject the DLL nothing happens (I can still terminate threads, because the callback does not block anything), but when I try to uninject the DLL I get a blue screen of death on Windows XP.
What am I doing wrong? I am just passing the parameters through without doing anything with them!
// Trampoline to the original ntdll!NtTerminateThread; filled in by HookAPI.
// The real second parameter is an NTSTATUS; it is carried here as a Dword.
NtTerminateThreadNext : Function (ThreadHandle: Dword; ExitCode: Dword): Dword; stdcall;

// Pass-through hook for NtTerminateThread. It inspects nothing and forwards
// the call unchanged, returning whatever the original returns.
// NOTE(review): when ThreadHandle is 0 (or names the calling thread) the
// original call never returns, so this callback never finishes either; any
// per-call bookkeeping the hooking library keeps around a callback would then
// be left dangling. That is presumably related to the problem seen on
// uninject, but it cannot be confirmed from this snippet alone.
Function NtTerminateThreadCallback(ThreadHandle: Dword; ExitCode: Dword): Dword; stdcall;
Var
  status: Dword;
Begin
  status := NtTerminateThreadNext(ThreadHandle, ExitCode);
  Result := status;
End;
// Library initialization: install the ntdll hooks on the NT family only.
// GetVersion reports Win9x/ME with the high bit set, and those systems have
// no ntdll Nt* exports to hook. (`And` binds tighter than `=` in Pascal, so
// the original `GetVersion And $80000000 = 0` already meant this test.)
// NOTE(review): HookAPI's result is discarded for each hook, so a hook that
// fails to install is silent.
Var
  isNtFamily: Boolean;
Begin
  isNtFamily := (GetVersion And $80000000) = 0;
  If isNtFamily Then
  Begin
    HookAPI('ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext);
    HookAPI('ntdll.dll', 'NtTerminateThread', @NtTerminateThreadCallback, @NtTerminateThreadNext);
    HookAPI('ntdll.dll', 'NtSuspendThread', @NtSuspendThreadCallback, @NtSuspendThreadNext);
  End;
End.
Thank you Madshi for your reply; it was helpful as always.
I have solved all the problems using your helpful tips; however, the goal of my service application is to prevent the user from logging off. In other words, I want to restart the machine instead of logging off.
I have added the following, based on your code:
/////////////////////////////////////////////////////////////////////////////////////
Library Code:
/////////////////////////////////////////////////////////////////////////////////////
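Var
  // Trampolines to the original APIs; filled in by HookAPI.
  ExitWindowsExNext : Function (Flags, Reserved: Dword): Bool; stdcall;
  // 'IimeOut' typo corrected to 'TimeOut' (parameter names in a procedural
  // type are documentation only; the call layout is unchanged).
  InitiateSystemShutdownWNext : Function (Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot: Bool): Bool; stdcall;
  // NOTE(review): the real InitiateSystemShutdownExW takes a DWORD dwReason,
  // not a BOOL. Bool is 4 bytes in Delphi so the stack layout happens to
  // match, but the declared type is misleading. It is kept as Bool here so
  // the callback that forwards `Reason` still compiles unchanged.
  InitiateSystemShutdownExWNext : Function (Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot, Reason: Bool): Bool; stdcall;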
// Asks the service, through the 'ShutdownIpcQueue' IPC queue, whether a
// shutdown request carrying the given EWX_* Flags may proceed. Returns False,
// and sets the thread's last error to ERROR_ACCESS_DENIED, only when the
// service answered and its answer was "not allowed".
//
// NOTE(review): this fails OPEN. If the queue does not exist (service not
// running, DLL not injected from it) or the handler does not answer within
// 5000 ms, SendIpcMessage returns False and the request is allowed. A handler
// that blocks (e.g. on a modal dialog) therefore silently turns every denial
// into an allow. Decide explicitly whether an unreachable policy service
// should mean "allow" or "deny" for this deployment.
Function IsShutdownAllowed(Flags: Dword): Boolean;
Var
  allowed: Boolean;
  answered: Boolean;
Begin
  allowed := False;
  answered := SendIpcMessage('ShutdownIpcQueue', @Flags, 4, @allowed, 1, 5000, False);
  // Deny only on an explicit "no" from the service.
  Result := (Not answered) Or allowed;
  If Not Result Then
    SetLastError(ERROR_ACCESS_DENIED);
End;
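// Hook for user32!ExitWindowsEx: consults the service first and forwards the
// call only when it is allowed. Written as an explicit If rather than
// `IsShutdownAllowed(...) And ExitWindowsExNext(...)` so the deny path does
// not depend on short-circuit evaluation: under {$B+} (complete boolean
// evaluation) the original form would still call the real ExitWindowsEx after
// a denial. Returns False on denial, with the last error already set to
// ERROR_ACCESS_DENIED by IsShutdownAllowed.
Function ExitWindowsExCallback(Flags, Reserved: Dword): Bool; stdcall;
Begin
  If IsShutdownAllowed(Flags) Then
    Result := ExitWindowsExNext(Flags, Reserved)
  Else
    Result := False;
End;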
// Maps InitiateSystemShutdown's (Force, Reboot) pair onto the EWX_* flag set
// the service understands: EWX_REBOOT or EWX_SHUTDOWN, optionally OR'ed with
// EWX_FORCE.
Function GetShutdownFlags(Force, Reboot: Boolean): Dword;
Var
  flags: Dword;
Begin
  flags := EWX_SHUTDOWN;
  If Reboot Then
    flags := EWX_REBOOT;
  If Force Then
    flags := flags Or EWX_FORCE;
  Result := flags;
End;
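// Hook for advapi32!InitiateSystemShutdownW: translates (Force, Reboot) into
// EWX_* flags, consults the service, and forwards only when allowed. Written
// as an explicit If so the deny path does not depend on short-circuit `And`
// (under {$B+} the original would still call the real API after a denial).
// Returns False on denial, last error set by IsShutdownAllowed.
Function InitiateSystemShutdownWCallback(Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot: Bool): Bool; stdcall;
Begin
  If IsShutdownAllowed(GetShutdownFlags(Force, Reboot)) Then
    Result := InitiateSystemShutdownWNext(Pc, Msg, TimeOut, Force, Reboot)
  Else
    Result := False;
End;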
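// Hook for advapi32!InitiateSystemShutdownExW: same policy check as the
// non-Ex variant, with the extra Reason argument passed straight through.
// Written as an explicit If so the deny path does not depend on short-circuit
// `And` (under {$B+} the original would still call the real API after a
// denial). Returns False on denial, last error set by IsShutdownAllowed.
// NOTE(review): Reason is really a DWORD (dwReason); it is declared Bool here
// only to stay consistent with the trampoline's declaration.
Function InitiateSystemShutdownExWCallback(Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot, Reason: Bool): Bool; stdcall;
Begin
  If IsShutdownAllowed(GetShutdownFlags(Force, Reboot)) Then
    Result := InitiateSystemShutdownExWNext(Pc, Msg, TimeOut, Force, Reboot, Reason)
  Else
    Result := False;
End;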
// Library initialization: route the three documented shutdown entry points
// through the policy check. user32 and advapi32 are the module-name constants
// from the Windows unit.
//
// NOTE(review): this is a user-mode, per-process control. It covers only the
// processes the DLL was injected into and only these exports: a caller that
// reaches ntdll directly (e.g. NtShutdownSystem) or a process the injector
// could not reach is not covered. Only the W variants are hooked; whether the
// A variants route through them on the target OS should be confirmed rather
// than assumed. HookAPI's results are discarded, so a failed hook is silent.
Begin
HookAPI(user32, 'ExitWindowsEx', @ExitWindowsExCallback, @ExitWindowsExNext);
HookAPI(advapi32, 'InitiateSystemShutdownW', @InitiateSystemShutdownWCallback, @InitiateSystemShutdownWNext);
HookAPI(advapi32, 'InitiateSystemShutdownExW', @InitiateSystemShutdownExWCallback, @InitiateSystemShutdownExWNext);
End.
/////////////////////////////////////////////////////////////////////////////////////
The Service Application Code:
/////////////////////////////////////////////////////////////////////////////////////
Var
  // Policy flag read by ShutdownIpcQueue and copied into every IPC answer.
  // False by default, so the DLL denies shutdown requests until the service
  // sets it to True. Plain Boolean (1 byte) to match the 1-byte answer buffer
  // the DLL hands to SendIpcMessage.
  MayShutDown: Boolean = False;
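// IPC handler for the 'ShutdownIpcQueue' queue. Each request carries the EWX_*
// flags of one shutdown attempt (a Dword) and is answered with one Boolean:
// the current value of MayShutDown.
//
// The request comes from whichever process called SendIpcMessage, so both
// buffer lengths are validated before the buffers are touched; a request that
// is too short is answered "not allowed" when there is room for an answer and
// is otherwise ignored.
//
// Fix: EWX_LOGOFF is 0, so `Flags And EWX_LOGOFF <> 0` could never be true and
// a plain log-off was classified as a shutdown. A log-off is now recognised as
// a request with none of the shutdown/reboot/power-off bits set.
//
// NOTE(review): the denial text is assigned to s1 but never displayed in this
// version of the handler; the classification is kept so it can be surfaced
// once a notification path exists.
Procedure ShutdownIpcQueue(Name: PChar; MessageBuf: Pointer; MessageLen: Dword; AnswerBuf: Pointer; AnswerLen : Dword); stdcall;
Var
  flags: Dword;
  s1: String;
Begin
  If (AnswerBuf = Nil) Or (AnswerLen < SizeOf(Boolean)) Then
    Exit;
  If (MessageBuf = Nil) Or (MessageLen < SizeOf(Dword)) Then
  Begin
    // Malformed request: deny rather than echo a policy for unknown flags.
    Boolean(AnswerBuf^) := False;
    Exit;
  End;
  Boolean(AnswerBuf^) := MayShutDown;
  flags := Dword(MessageBuf^);
  If Not MayShutDown Then
  Begin
    If flags And (EWX_SHUTDOWN Or EWX_REBOOT Or EWX_POWEROFF) = 0 Then
      s1 := 'You''re not allowed to log off.'
    Else If flags And EWX_REBOOT <> 0 Then
      s1 := 'You''re not allowed to restart Windows.'
    Else
      s1 := 'You''re not allowed to shutdown Windows.';
  End;
End;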
// Service start-up: publish the IPC queue the hook DLL will query, then push
// the hook DLL into every process of every session, system processes included.
//
// NOTE(review): 'mydll.dll' is a relative name. It has to be resolved from the
// service's working directory and/or search path, and every target process
// must be able to load it from wherever it is found. Inject by absolute path
// from a directory only administrators can write to; otherwise a user-writable
// directory on that path is a DLL-planting opportunity into SYSTEM processes.
// The results of CreateIpcQueue and InjectLibrary are not checked, so a failed
// queue creation or injection is silent, and because the DLL side fails open
// a silent injection failure simply means shutdown is never blocked.
Begin
CreateIpcQueue('ShutdownIpcQueue', ShutdownIpcQueue);
InjectLibrary(ALL_SESSIONS Or SYSTEM_PROCESSES, 'mydll.dll');
End.
/////////////////////////////////////////////////////////////////////////////////
I don't care what the user does (reboot, shutdown, logoff or suspend); all I care about is that whatever he does, I stop it and send a restart instead, or, alternatively, block everything except restart.
////////////////////////////////////////////////////////////////////////////////
Thank you again for all your help.
I have solved all the problems using your helpful tips; however, the goal of my service application is to prevent the user from logging off. In other words, I want to restart the machine instead of logging off.
I have added the following, based on your code:
/////////////////////////////////////////////////////////////////////////////////////
Library Code:
/////////////////////////////////////////////////////////////////////////////////////
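Var
  // Trampolines to the original APIs; filled in by HookAPI.
  ExitWindowsExNext : Function (Flags, Reserved: Dword): Bool; stdcall;
  // 'IimeOut' typo corrected to 'TimeOut' (parameter names in a procedural
  // type are documentation only; the call layout is unchanged).
  InitiateSystemShutdownWNext : Function (Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot: Bool): Bool; stdcall;
  // NOTE(review): the real InitiateSystemShutdownExW takes a DWORD dwReason,
  // not a BOOL. Bool is 4 bytes in Delphi so the stack layout happens to
  // match, but the declared type is misleading. It is kept as Bool here so
  // the callback that forwards `Reason` still compiles unchanged.
  InitiateSystemShutdownExWNext : Function (Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot, Reason: Bool): Bool; stdcall;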
// Asks the service, through the 'ShutdownIpcQueue' IPC queue, whether a
// shutdown request carrying the given EWX_* Flags may proceed. Returns False,
// and sets the thread's last error to ERROR_ACCESS_DENIED, only when the
// service answered and its answer was "not allowed".
//
// NOTE(review): this fails OPEN. If the queue does not exist (service not
// running, DLL not injected from it) or the handler does not answer within
// 5000 ms, SendIpcMessage returns False and the request is allowed. A handler
// that blocks (e.g. on a modal dialog) therefore silently turns every denial
// into an allow. Decide explicitly whether an unreachable policy service
// should mean "allow" or "deny" for this deployment.
Function IsShutdownAllowed(Flags: Dword): Boolean;
Var
  allowed: Boolean;
  answered: Boolean;
Begin
  allowed := False;
  answered := SendIpcMessage('ShutdownIpcQueue', @Flags, 4, @allowed, 1, 5000, False);
  // Deny only on an explicit "no" from the service.
  Result := (Not answered) Or allowed;
  If Not Result Then
    SetLastError(ERROR_ACCESS_DENIED);
End;
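// Hook for user32!ExitWindowsEx: consults the service first and forwards the
// call only when it is allowed. Written as an explicit If rather than
// `IsShutdownAllowed(...) And ExitWindowsExNext(...)` so the deny path does
// not depend on short-circuit evaluation: under {$B+} (complete boolean
// evaluation) the original form would still call the real ExitWindowsEx after
// a denial. Returns False on denial, with the last error already set to
// ERROR_ACCESS_DENIED by IsShutdownAllowed.
Function ExitWindowsExCallback(Flags, Reserved: Dword): Bool; stdcall;
Begin
  If IsShutdownAllowed(Flags) Then
    Result := ExitWindowsExNext(Flags, Reserved)
  Else
    Result := False;
End;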
// Maps InitiateSystemShutdown's (Force, Reboot) pair onto the EWX_* flag set
// the service understands: EWX_REBOOT or EWX_SHUTDOWN, optionally OR'ed with
// EWX_FORCE.
Function GetShutdownFlags(Force, Reboot: Boolean): Dword;
Var
  flags: Dword;
Begin
  flags := EWX_SHUTDOWN;
  If Reboot Then
    flags := EWX_REBOOT;
  If Force Then
    flags := flags Or EWX_FORCE;
  Result := flags;
End;
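// Hook for advapi32!InitiateSystemShutdownW: translates (Force, Reboot) into
// EWX_* flags, consults the service, and forwards only when allowed. Written
// as an explicit If so the deny path does not depend on short-circuit `And`
// (under {$B+} the original would still call the real API after a denial).
// Returns False on denial, last error set by IsShutdownAllowed.
Function InitiateSystemShutdownWCallback(Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot: Bool): Bool; stdcall;
Begin
  If IsShutdownAllowed(GetShutdownFlags(Force, Reboot)) Then
    Result := InitiateSystemShutdownWNext(Pc, Msg, TimeOut, Force, Reboot)
  Else
    Result := False;
End;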
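// Hook for advapi32!InitiateSystemShutdownExW: same policy check as the
// non-Ex variant, with the extra Reason argument passed straight through.
// Written as an explicit If so the deny path does not depend on short-circuit
// `And` (under {$B+} the original would still call the real API after a
// denial). Returns False on denial, last error set by IsShutdownAllowed.
// NOTE(review): Reason is really a DWORD (dwReason); it is declared Bool here
// only to stay consistent with the trampoline's declaration.
Function InitiateSystemShutdownExWCallback(Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot, Reason: Bool): Bool; stdcall;
Begin
  If IsShutdownAllowed(GetShutdownFlags(Force, Reboot)) Then
    Result := InitiateSystemShutdownExWNext(Pc, Msg, TimeOut, Force, Reboot, Reason)
  Else
    Result := False;
End;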
// Library initialization: route the three documented shutdown entry points
// through the policy check. user32 and advapi32 are the module-name constants
// from the Windows unit.
//
// NOTE(review): this is a user-mode, per-process control. It covers only the
// processes the DLL was injected into and only these exports: a caller that
// reaches ntdll directly (e.g. NtShutdownSystem) or a process the injector
// could not reach is not covered. Only the W variants are hooked; whether the
// A variants route through them on the target OS should be confirmed rather
// than assumed. HookAPI's results are discarded, so a failed hook is silent.
Begin
HookAPI(user32, 'ExitWindowsEx', @ExitWindowsExCallback, @ExitWindowsExNext);
HookAPI(advapi32, 'InitiateSystemShutdownW', @InitiateSystemShutdownWCallback, @InitiateSystemShutdownWNext);
HookAPI(advapi32, 'InitiateSystemShutdownExW', @InitiateSystemShutdownExWCallback, @InitiateSystemShutdownExWNext);
End.
/////////////////////////////////////////////////////////////////////////////////////
The Service Application Code:
/////////////////////////////////////////////////////////////////////////////////////
Var
  // Policy flag read by ShutdownIpcQueue and copied into every IPC answer.
  // False by default, so the DLL denies shutdown requests until the service
  // sets it to True. Plain Boolean (1 byte) to match the 1-byte answer buffer
  // the DLL hands to SendIpcMessage.
  MayShutDown: Boolean = False;
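// IPC handler for the 'ShutdownIpcQueue' queue. Each request carries the EWX_*
// flags of one shutdown attempt (a Dword) and is answered with one Boolean:
// the current value of MayShutDown.
//
// The request comes from whichever process called SendIpcMessage, so both
// buffer lengths are validated before the buffers are touched; a request that
// is too short is answered "not allowed" when there is room for an answer and
// is otherwise ignored.
//
// Fix: EWX_LOGOFF is 0, so `Flags And EWX_LOGOFF <> 0` could never be true and
// a plain log-off was classified as a shutdown. A log-off is now recognised as
// a request with none of the shutdown/reboot/power-off bits set.
//
// NOTE(review): the denial text is assigned to s1 but never displayed in this
// version of the handler; the classification is kept so it can be surfaced
// once a notification path exists.
Procedure ShutdownIpcQueue(Name: PChar; MessageBuf: Pointer; MessageLen: Dword; AnswerBuf: Pointer; AnswerLen : Dword); stdcall;
Var
  flags: Dword;
  s1: String;
Begin
  If (AnswerBuf = Nil) Or (AnswerLen < SizeOf(Boolean)) Then
    Exit;
  If (MessageBuf = Nil) Or (MessageLen < SizeOf(Dword)) Then
  Begin
    // Malformed request: deny rather than echo a policy for unknown flags.
    Boolean(AnswerBuf^) := False;
    Exit;
  End;
  Boolean(AnswerBuf^) := MayShutDown;
  flags := Dword(MessageBuf^);
  If Not MayShutDown Then
  Begin
    If flags And (EWX_SHUTDOWN Or EWX_REBOOT Or EWX_POWEROFF) = 0 Then
      s1 := 'You''re not allowed to log off.'
    Else If flags And EWX_REBOOT <> 0 Then
      s1 := 'You''re not allowed to restart Windows.'
    Else
      s1 := 'You''re not allowed to shutdown Windows.';
  End;
End;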
// Service start-up: publish the IPC queue the hook DLL will query, then push
// the hook DLL into every process of every session, system processes included.
//
// NOTE(review): 'mydll.dll' is a relative name. It has to be resolved from the
// service's working directory and/or search path, and every target process
// must be able to load it from wherever it is found. Inject by absolute path
// from a directory only administrators can write to; otherwise a user-writable
// directory on that path is a DLL-planting opportunity into SYSTEM processes.
// The results of CreateIpcQueue and InjectLibrary are not checked, so a failed
// queue creation or injection is silent, and because the DLL side fails open
// a silent injection failure simply means shutdown is never blocked.
Begin
CreateIpcQueue('ShutdownIpcQueue', ShutdownIpcQueue);
InjectLibrary(ALL_SESSIONS Or SYSTEM_PROCESSES, 'mydll.dll');
End.
/////////////////////////////////////////////////////////////////////////////////
I don't care what the user does (reboot, shutdown, logoff or suspend); all I care about is that whatever he does, I stop it and send a restart instead, or, alternatively, block everything except restart.
////////////////////////////////////////////////////////////////////////////////
Thank you again for all your help.
Madshi, it looks like SendIpcMessage is never reached from the IsShutdownAllowed function inside my DLL.
This function always returns TRUE, no matter what the value of MayShutDown is inside the service. It doesn't make sense.
// Asks the service, through the 'ShutdownIpcQueue' IPC queue, whether a
// shutdown request carrying the given EWX_* Flags may proceed. Returns False,
// and sets the thread's last error to ERROR_ACCESS_DENIED, only when the
// service answered and its answer was "not allowed".
//
// NOTE(review): this fails OPEN, which is exactly the symptom described
// ("always returns TRUE"). If the queue does not exist (service not running,
// or the DLL was never injected) or the handler does not return within
// 5000 ms, SendIpcMessage returns False and the request is allowed. A handler
// that blocks on a modal MessageBox is enough to hit that timeout. Decide
// explicitly whether an unreachable policy service should mean "allow" or
// "deny" for this deployment.
Function IsShutdownAllowed(Flags: Dword): Boolean;
Var
  allowed: Boolean;
  answered: Boolean;
Begin
  allowed := False;
  answered := SendIpcMessage('ShutdownIpcQueue', @Flags, 4, @allowed, 1, 5000, False);
  // Deny only on an explicit "no" from the service.
  Result := (Not answered) Or allowed;
  If Not Result Then
    SetLastError(ERROR_ACCESS_DENIED);
End;
And in my service application this procedure is never called either:
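// Thread body for ShowNotificationAsync: shows one message box and exits.
// Param points at a string literal (static storage), so nothing is freed.
// MB_SERVICE_NOTIFICATION makes the box visible even though the caller is a
// service without an interactive desktop.
Function NotifyThread(Param: Pointer): Dword; stdcall;
Begin
  MessageBox(0, PChar(Param), 'Information...', MB_OK Or MB_SERVICE_NOTIFICATION);
  Result := 0;
End;

// Shows Msg on a throw-away thread so the caller is never blocked by the
// dialog. Msg must point at static storage (a string literal) because the
// thread may outlive the caller's stack frame.
Procedure ShowNotificationAsync(Msg: PChar);
Var
  tid: Dword;
  h: THandle;
Begin
  h := CreateThread(Nil, 0, @NotifyThread, Msg, 0, tid);
  If h <> 0 Then
    CloseHandle(h);
End;

// IPC handler for the 'ShutdownIpcQueue' queue. Each request carries the EWX_*
// flags of one shutdown attempt (a Dword) and is answered with one Boolean:
// the current value of MayShutDown.
//
// Fixes relative to the original:
//  * The answer is only delivered to the DLL once this procedure returns, and
//    the DLL gives up after 5000 ms and then treats "no answer" as "allowed".
//    The original called MessageBox synchronously here, so the handler blocked
//    until someone dismissed the dialog (or forever, when a service has no
//    interactive desktop to show it on) and every denial timed out into an
//    allow. The notification is now shown on a separate thread.
//  * EWX_LOGOFF is 0, so `Flags And EWX_LOGOFF <> 0` could never be true and a
//    plain log-off was reported as a shutdown. A log-off is now recognised as
//    a request with none of the shutdown/reboot/power-off bits set.
//  * The request comes from whichever process called SendIpcMessage, so both
//    buffer lengths are validated before the buffers are touched; a request
//    that is too short is answered "not allowed" when there is room for an
//    answer and is otherwise ignored.
Procedure ShutdownIpcQueue(Name: PChar; MessageBuf: Pointer; MessageLen: Dword; AnswerBuf: Pointer; AnswerLen: Dword); stdcall;
Var
  flags: Dword;
  s1: PChar;
Begin
  If (AnswerBuf = Nil) Or (AnswerLen < SizeOf(Boolean)) Then
    Exit;
  If (MessageBuf = Nil) Or (MessageLen < SizeOf(Dword)) Then
  Begin
    // Malformed request: deny rather than echo a policy for unknown flags.
    Boolean(AnswerBuf^) := False;
    Exit;
  End;
  Boolean(AnswerBuf^) := MayShutDown;
  flags := Dword(MessageBuf^);
  If Not MayShutDown Then
  Begin
    If flags And (EWX_SHUTDOWN Or EWX_REBOOT Or EWX_POWEROFF) = 0 Then
      s1 := 'You''re not allowed to log off.'
    Else If flags And EWX_REBOOT <> 0 Then
      s1 := 'You''re not allowed to restart Windows.'
    Else
      s1 := 'You''re not allowed to shutdown Windows.';
  End
  Else
    s1 := 'MyShutdown is True';
  ShowNotificationAsync(s1);
End;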
// Service start-up: publish the IPC queue the hook DLL will query.
//
// NOTE(review): unlike the earlier version, this start-up does not call
// InjectLibrary. If the real service also omits it, the hook DLL is never
// loaded into any process, the hooks never run, and SendIpcMessage is never
// sent, which matches "this procedure is never called". CreateIpcQueue's result
// is also not checked, so a queue that failed to be created is silent; with the
// DLL's fail-open check either failure means shutdown is simply never blocked.
Begin
CreateIpcQueue('ShutdownIpcQueue', ShutdownIpcQueue);
End.
Please help!!
This function always returns TRUE, no matter what the value of MayShutDown is inside the service. It doesn't make sense.
// Asks the service, through the 'ShutdownIpcQueue' IPC queue, whether a
// shutdown request carrying the given EWX_* Flags may proceed. Returns False,
// and sets the thread's last error to ERROR_ACCESS_DENIED, only when the
// service answered and its answer was "not allowed".
//
// NOTE(review): this fails OPEN, which is exactly the symptom described
// ("always returns TRUE"). If the queue does not exist (service not running,
// or the DLL was never injected) or the handler does not return within
// 5000 ms, SendIpcMessage returns False and the request is allowed. A handler
// that blocks on a modal MessageBox is enough to hit that timeout. Decide
// explicitly whether an unreachable policy service should mean "allow" or
// "deny" for this deployment.
Function IsShutdownAllowed(Flags: Dword): Boolean;
Var
  allowed: Boolean;
  answered: Boolean;
Begin
  allowed := False;
  answered := SendIpcMessage('ShutdownIpcQueue', @Flags, 4, @allowed, 1, 5000, False);
  // Deny only on an explicit "no" from the service.
  Result := (Not answered) Or allowed;
  If Not Result Then
    SetLastError(ERROR_ACCESS_DENIED);
End;
And in my service application this procedure is never called either:
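// Thread body for ShowNotificationAsync: shows one message box and exits.
// Param points at a string literal (static storage), so nothing is freed.
// MB_SERVICE_NOTIFICATION makes the box visible even though the caller is a
// service without an interactive desktop.
Function NotifyThread(Param: Pointer): Dword; stdcall;
Begin
  MessageBox(0, PChar(Param), 'Information...', MB_OK Or MB_SERVICE_NOTIFICATION);
  Result := 0;
End;

// Shows Msg on a throw-away thread so the caller is never blocked by the
// dialog. Msg must point at static storage (a string literal) because the
// thread may outlive the caller's stack frame.
Procedure ShowNotificationAsync(Msg: PChar);
Var
  tid: Dword;
  h: THandle;
Begin
  h := CreateThread(Nil, 0, @NotifyThread, Msg, 0, tid);
  If h <> 0 Then
    CloseHandle(h);
End;

// IPC handler for the 'ShutdownIpcQueue' queue. Each request carries the EWX_*
// flags of one shutdown attempt (a Dword) and is answered with one Boolean:
// the current value of MayShutDown.
//
// Fixes relative to the original:
//  * The answer is only delivered to the DLL once this procedure returns, and
//    the DLL gives up after 5000 ms and then treats "no answer" as "allowed".
//    The original called MessageBox synchronously here, so the handler blocked
//    until someone dismissed the dialog (or forever, when a service has no
//    interactive desktop to show it on) and every denial timed out into an
//    allow. The notification is now shown on a separate thread.
//  * EWX_LOGOFF is 0, so `Flags And EWX_LOGOFF <> 0` could never be true and a
//    plain log-off was reported as a shutdown. A log-off is now recognised as
//    a request with none of the shutdown/reboot/power-off bits set.
//  * The request comes from whichever process called SendIpcMessage, so both
//    buffer lengths are validated before the buffers are touched; a request
//    that is too short is answered "not allowed" when there is room for an
//    answer and is otherwise ignored.
Procedure ShutdownIpcQueue(Name: PChar; MessageBuf: Pointer; MessageLen: Dword; AnswerBuf: Pointer; AnswerLen: Dword); stdcall;
Var
  flags: Dword;
  s1: PChar;
Begin
  If (AnswerBuf = Nil) Or (AnswerLen < SizeOf(Boolean)) Then
    Exit;
  If (MessageBuf = Nil) Or (MessageLen < SizeOf(Dword)) Then
  Begin
    // Malformed request: deny rather than echo a policy for unknown flags.
    Boolean(AnswerBuf^) := False;
    Exit;
  End;
  Boolean(AnswerBuf^) := MayShutDown;
  flags := Dword(MessageBuf^);
  If Not MayShutDown Then
  Begin
    If flags And (EWX_SHUTDOWN Or EWX_REBOOT Or EWX_POWEROFF) = 0 Then
      s1 := 'You''re not allowed to log off.'
    Else If flags And EWX_REBOOT <> 0 Then
      s1 := 'You''re not allowed to restart Windows.'
    Else
      s1 := 'You''re not allowed to shutdown Windows.';
  End
  Else
    s1 := 'MyShutdown is True';
  ShowNotificationAsync(s1);
End;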
// Service start-up: publish the IPC queue the hook DLL will query.
//
// NOTE(review): unlike the earlier version, this start-up does not call
// InjectLibrary. If the real service also omits it, the hook DLL is never
// loaded into any process, the hooks never run, and SendIpcMessage is never
// sent, which matches "this procedure is never called". CreateIpcQueue's result
// is also not checked, so a queue that failed to be created is silent; with the
// DLL's fail-open check either failure means shutdown is simply never blocked.
Begin
CreateIpcQueue('ShutdownIpcQueue', ShutdownIpcQueue);
End.
Please help!!