Kill Process vs Kill thread using MadCHook

contains all delphi packages mentioned below
DeCoDish

Post by DeCoDish »

Madshi, what am I doing wrong? My program works fine without NtTerminateThread, I can Inject and Uninject as many as I want with no problem also NtSuspendThread and NtTerminateProcess works fine.

I just added the following declaration for NtTerminateThread. After I inject the DLL nothing happens, and I can still terminate it because I'm not blocking it, but when I try to uninject the DLL I get a blue screen of death on Windows XP.

What am I doing wrong? I'm just passing the parameters through without doing anything!

// Saved original entry point of ntdll!NtTerminateThread. HookAPI fills this
// in when the hook is installed so the callback below can forward to it.
NtTerminateThreadNext : Function (ThreadHandle: Dword; ExitCode: Dword): Dword; stdcall;

// Hook callback for ntdll!NtTerminateThread. This is a pure pass-through:
// every call is forwarded unchanged to the original entry point saved in
// NtTerminateThreadNext, so no thread termination is blocked yet.
// The signature mirrors the native prototype (ThreadHandle, ExitCode) and
// must stay stdcall so the stack frame matches the hooked export.
// NOTE(review): the thread reports a bluescreen on uninject with only this
// hook added; the cause is not visible from this listing.
Function NtTerminateThreadCallback(ThreadHandle: Dword; ExitCode: Dword): Dword; stdcall;
Begin
Result:= NtTerminateThreadNext(ThreadHandle, ExitCode);
End;


// DLL initialization: install the hooks only on the Windows NT family.
// GetVersion sets the high bit ($80000000) on Win9x/Me; a clear high bit
// means NT/2000/XP, where ntdll.dll exports the Nt* functions hooked here.
// (`And` binds tighter than `=` in Delphi, so this tests the masked value.)
Begin
If GetVersion And $80000000 = 0 Then
Begin
// Each HookAPI call saves the original entry point into the matching
// *Next pointer, which the corresponding callback forwards to.
HookAPI('ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext);
HookAPI('ntdll.dll', 'NtTerminateThread', @NtTerminateThreadCallback, @NtTerminateThreadNext);
HookAPI('ntdll.dll', 'NtSuspendThread', @NtSuspendThreadCallback, @NtSuspendThreadNext);
End
End.
DeCoDish

Post by DeCoDish »

Madshi please help! I'm really stuck!!!

Any hint is VERY appreciated.
madshi
Site Admin

Post by madshi »

Don't know what's going on. Try only the NtTerminateThread hook and nothing else. Does that also bluescreen?
DeCoDish

Post by DeCoDish »

Thank you Madshi for your reply; it was, as always, helpful.

I've solved all problems using your helpful tips; however,

the goal of my service application is to prevent the user from logging off. In other words, I want to restart the machine instead of logging off.

I've added the following from your code

/////////////////////////////////////////////////////////////////////////////////////
Library Code:
/////////////////////////////////////////////////////////////////////////////////////

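Var
// Trampolines filled in by HookAPI: each holds the original entry point of
// the hooked export, and the matching callback forwards to it.
ExitWindowsExNext : Function (Flags, Reserved: Dword): Bool; stdcall;
// Parameter names match the callbacks below (TimeOut rather than the typo
// IimeOut); names inside a procedural type are informational only, so this
// does not change the calling convention or the frame layout.
InitiateSystemShutdownWNext : Function (Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot: Bool): Bool; stdcall;
// The Win32 prototype declares the last argument (dwReason) as a DWORD.
// Bool (LongBool) is also 4 bytes, so passing it straight through keeps the
// stdcall frame intact; it is never interpreted as a truth value here.
InitiateSystemShutdownExWNext : Function (Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot, Reason: Bool): Bool; stdcall;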

// Asks the service whether a shutdown request carrying the given EWX_* Flags
// may proceed. The 4-byte flag word is sent on the 'ShutdownIpcQueue' queue
// and a 1-byte Boolean answer is awaited for up to 5000 ms.
// Returns False (and sets ERROR_ACCESS_DENIED for the caller) only when the
// service answered and said "no". If the queue cannot be reached at all the
// request is allowed (fail-open), which is why this yields True whenever the
// service side is not up.
Function IsShutdownAllowed(Flags: Dword): Boolean;
Var
  allowed: Boolean;
Begin
  allowed := False;
  Result := True;
  If SendIpcMessage('ShutdownIpcQueue', @Flags, 4, @allowed, 1, 5000, False) Then
    If Not allowed Then
    Begin
      SetLastError(ERROR_ACCESS_DENIED);
      Result := False;
    End;
End;

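// Hook callback for user32!ExitWindowsEx. Consults the service through
// IsShutdownAllowed before the call is allowed to reach the original entry
// point. Written as an explicit If rather than `A And B` so the original is
// never invoked on denial, independent of the $B (complete boolean
// evaluation) compiler switch. On denial IsShutdownAllowed has already set
// ERROR_ACCESS_DENIED and False is returned to the caller.
Function ExitWindowsExCallback(Flags, Reserved: Dword): Bool; stdcall;
Begin
  If IsShutdownAllowed(Flags) Then
    Result := ExitWindowsExNext(Flags, Reserved)
  Else
    Result := False;
End;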

// Maps the InitiateSystemShutdown* arguments onto the EWX_* flag word that
// ExitWindowsEx uses, so both hook families hand IsShutdownAllowed the same
// encoding: EWX_REBOOT or EWX_SHUTDOWN, OR-ed with EWX_FORCE when Force is set.
Function GetShutdownFlags(Force, Reboot: Boolean): Dword;
Const
  Action: Array[Boolean] Of Dword = (EWX_SHUTDOWN, EWX_REBOOT);
  ForceBit: Array[Boolean] Of Dword = (0, EWX_FORCE);
Begin
  Result := Action[Reboot] Or ForceBit[Force];
End;

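// Hook callback for advapi32!InitiateSystemShutdownW. The Force/Reboot
// arguments are translated into EWX_* flags so the service sees the same
// encoding as for ExitWindowsEx. An explicit If (instead of `A And B`)
// guarantees the original is not called on denial regardless of the $B
// compiler switch; IsShutdownAllowed sets ERROR_ACCESS_DENIED in that case.
Function InitiateSystemShutdownWCallback(Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot: Bool): Bool; stdcall;
Begin
  If IsShutdownAllowed(GetShutdownFlags(Force, Reboot)) Then
    Result := InitiateSystemShutdownWNext(Pc, Msg, TimeOut, Force, Reboot)
  Else
    Result := False;
End;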

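// Hook callback for advapi32!InitiateSystemShutdownExW. Same policy check as
// the W variant; Reason is forwarded untouched (the Win32 prototype declares
// it as a DWORD, which has the same 4-byte size as Bool). An explicit If
// guarantees the original is not called on denial regardless of the $B
// compiler switch; IsShutdownAllowed sets ERROR_ACCESS_DENIED in that case.
Function InitiateSystemShutdownExWCallback(Pc, Msg: PWideChar; TimeOut: Dword; Force, Reboot, Reason: Bool): Bool; stdcall;
Begin
  If IsShutdownAllowed(GetShutdownFlags(Force, Reboot)) Then
    Result := InitiateSystemShutdownExWNext(Pc, Msg, TimeOut, Force, Reboot, Reason)
  Else
    Result := False;
End;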

// DLL initialization: hook the three user-mode shutdown entry points.
// user32 / advapi32 are the module-name constants from the Windows unit.
// Only the wide (W) variants of InitiateSystemShutdown are hooked in this
// listing; the ANSI (A) exports are not covered here.
Begin
HookAPI(user32, 'ExitWindowsEx', @ExitWindowsExCallback, @ExitWindowsExNext);
HookAPI(advapi32, 'InitiateSystemShutdownW', @InitiateSystemShutdownWCallback, @InitiateSystemShutdownWNext);
HookAPI(advapi32, 'InitiateSystemShutdownExW', @InitiateSystemShutdownExWCallback, @InitiateSystemShutdownExWNext);
End.

/////////////////////////////////////////////////////////////////////////////////////
The Service Application Code:
/////////////////////////////////////////////////////////////////////////////////////

Var
// Policy flag consulted by ShutdownIpcQueue: False (the default) makes the
// handler answer "not allowed" to every request that reaches the hooked
// processes. Nothing in this listing ever sets it to True.
MayShutDown: Boolean = False;

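// IPC handler registered by the service under the name 'ShutdownIpcQueue'.
// A hooked process asks, via SendIpcMessage, whether a shutdown request may
// proceed; the 1-byte answer written to AnswerBuf is simply MayShutDown.
//   MessageBuf / MessageLen - 4-byte Dword of EWX_* flags sent by the DLL
//   AnswerBuf  / AnswerLen  - 1-byte Boolean read by the caller as "allowed"
// AnswerLen is checked before the answer is written so an unexpectedly short
// buffer cannot be overrun. The flag word is not inspected: the previous
// version built a message text from it that was never used (dead local s1).
Procedure ShutdownIpcQueue(Name: PChar; MessageBuf: Pointer; MessageLen: Dword; AnswerBuf: Pointer; AnswerLen : Dword); stdcall;
Begin
  // Without room for the 1-byte answer there is nothing safe to do.
  If (AnswerBuf = Nil) Or (AnswerLen < SizeOf(Boolean)) Then
    Exit;
  Boolean(AnswerBuf^) := MayShutDown;
End;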

// Service initialization: publish the policy queue first, then inject the
// hook DLL into the processes of every session, including system processes.
// The queue name must match the string used by SendIpcMessage in the DLL.
Begin
CreateIpcQueue('ShutdownIpcQueue', ShutdownIpcQueue);
InjectLibrary(ALL_SESSIONS Or SYSTEM_PROCESSES, 'mydll.dll');
End.

/////////////////////////////////////////////////////////////////////////////////
I don't care what the user is doing — Reboot/Shutdown/Logoff or Suspend — all I care about is that whatever he does, I stop it and send a restart instead, or block everything except Restart.
////////////////////////////////////////////////////////////////////////////////

Thank you again for all your help.
madshi
Site Admin

Post by madshi »

Is there a question buried somewhere in your post? Or is all ok now?
DeCoDish

Post by DeCoDish »

Using the code above, I want to block the LogOff process. I just want to allow shutdown and Restart only.

In other words I don't want a user to be able to logOff no matter what.

Thanks for your quick reply!
DeCoDish

Post by DeCoDish »

Madshi, it looks like SendIpcMessage is not being called from the IsShutdownAllowed function inside my dll.

This function always returns TRUE!!! It doesn't matter what the value of MayShutDown is inside the program. Doesn't make sense???

// Asks the service whether a shutdown request with the given EWX_* Flags may
// proceed: the 4-byte flag word goes out on 'ShutdownIpcQueue' and a 1-byte
// Boolean answer is awaited for at most 5000 ms.
// The request is denied (False, ERROR_ACCESS_DENIED) only when the service
// actually answered with False. If SendIpcMessage itself fails - no queue,
// no answer within the timeout - the request is allowed, so this function
// returns True whenever the service side is unreachable.
Function IsShutdownAllowed(Flags: Dword): Boolean;
Var
  allowedByService: Boolean;
  reached: Boolean;
Begin
  allowedByService := False;
  reached := SendIpcMessage('ShutdownIpcQueue', @Flags, 4, @allowedByService, 1, 5000, False);
  Result := (Not reached) Or allowedByService;
  If Not Result Then
    SetLastError(ERROR_ACCESS_DENIED);
End;

And from my Service Application this function is never called either:


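// IPC handler registered by the service under the name 'ShutdownIpcQueue'.
// A hooked process asks, via SendIpcMessage, whether a shutdown request may
// proceed; the 1-byte answer written to AnswerBuf is MayShutDown, and a
// message box names the kind of request that was refused.
//   MessageBuf / MessageLen - 4-byte Dword of EWX_* flags sent by the DLL
//   AnswerBuf  / AnswerLen  - 1-byte Boolean read by the caller as "allowed"
// Both buffers are checked against their lengths before being dereferenced,
// so a short or missing buffer cannot cause an out-of-bounds access.
Procedure ShutdownIpcQueue(Name: PChar; MessageBuf: Pointer; MessageLen: Dword; AnswerBuf: Pointer; AnswerLen: Dword); stdcall;
Var
  s1: String;
  flags: Dword;
Begin
  // Without room for the 1-byte answer there is nothing safe to do.
  If (AnswerBuf = Nil) Or (AnswerLen < SizeOf(Boolean)) Then
    Exit;
  Boolean(AnswerBuf^) := MayShutDown; // Default is set to False;
  // Only read the flag word when the sender actually supplied 4 bytes.
  flags := 0;
  If (MessageBuf <> Nil) And (MessageLen >= SizeOf(Dword)) Then
    flags := Dword(MessageBuf^);
  If Not MayShutdown Then
  Begin
    If flags And EWX_LOGOFF <> 0 Then
      s1 := 'You''re not allowed to log off.'
    Else If flags And EWX_REBOOT <> 0 Then
      s1 := 'You''re not allowed to restart Windows.'
    Else
      s1 := 'You''re not allowed to shutdown Windows.';
    // NOTE(review): MessageBox blocks this handler until the box is
    // dismissed, while the DLL side waits at most 5000 ms in SendIpcMessage
    // and treats a missing answer as "allowed". A service also normally has
    // no interactive desktop, so the box may never be visible -- confirm
    // before using it as evidence that the handler did or did not run.
    MessageBox(0, PChar(s1), 'Information...', 0);
  End
  Else
    MessageBox(0, PChar('MyShutdown is True'), 'Information...', 0);
End;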

// Service initialization (reduced test variant): only the policy queue is
// created here; no InjectLibrary call, so nothing sends to the queue unless
// the hook DLL is injected by other means. The name must match the string
// used by SendIpcMessage in the DLL.
Begin
CreateIpcQueue('ShutdownIpcQueue', ShutdownIpcQueue);
End.

Please help!!
madshi
Site Admin

Post by madshi »

Try calling SendIpcMessage directly in the initialization of the DLL. Does that come through to the application? Try sending SendIpcMessage from inside the application to itself. Does that come through?