ShutdownHook

c++ / delphi package - dll injection and api hooking
elioliveira
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

ShutdownHook

Post by elioliveira »

Hi guys,

I'd like to implement a hook on Windows shutdown while my system is running. The idea is to block shutdown, log off and power off.

I'm using madCodeHook 3.1.9 commercial version.

Please see my code below.

**************************************************************************************************************************************************************************************************************************


library hShutdown;

{$IMAGEBASE $42800000}

uses
  Windows,
  SysUtils,
  madCodeHook,
  madStrings;

{$R *.res}

var
  // "next hook" pointers filled in by HookAPI; each must match the real export's signature
  ExitWindowsExNext            : function (uFlags, Reserved: dword): bool; stdcall;
  InitiateSystemShutdownNextA  : function (lpMachineName: LPSTR; lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
  InitiateSystemShutdownNextW  : function (lpMachineName: LPWSTR; lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
  InitiateSystemShutdownExNext : function (lpMachineName: LPSTR; lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;

// every callback denies the request and reports ERROR_ACCESS_DENIED to the caller
function ExitWindowsExCallback(flags, reserved: dword): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownExCallback(lpMachineName: LPSTR; lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

// the A/W (non-Ex) exports take no dwReason parameter, so the callbacks must not declare one either:
// with stdcall the callee pops its arguments, and a mismatched parameter list unbalances the caller's stack
function InitiateSystemShutdownACallback(lpMachineName: LPSTR; lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownWCallback(lpMachineName: LPWSTR; lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

procedure DLLEntryPoint(Rson: dword);
begin
 Try
   CollectHooks;
   HookAPI(user32, 'ExitWindowsEx', @ExitWindowsExCallback, @ExitWindowsExNext);
   HookAPI(advapi32, 'InitiateSystemShutdownA', @InitiateSystemShutdownACallback, @InitiateSystemShutdownNextA);
   HookAPI(advapi32, 'InitiateSystemShutdownW', @InitiateSystemShutdownWCallback, @InitiateSystemShutdownNextW);
   HookAPI(advapi32, 'InitiateSystemShutdownEx', @InitiateSystemShutdownExCallback, @InitiateSystemShutdownExNext);
   FlushHooks;
 Except
   On E: Exception do;
 end;
end;

begin
  if not Assigned(DllProc) then
   begin
    DLLProc := @DLLEntryPoint;
    DLLEntryPoint(DLL_PROCESS_ATTACH);
   end;
end.
*********************************************************************************************************************************************************************************
I don't have any problem with the madshi driver! The driver loaded perfectly and the DLL injection as well, but the hook doesn't work at all.
What's wrong with my code? :sorry:

See below my code for loading the driver to block shutdown

**********************************************************************************************************************************


Program Load
.......
.......
.......
.......

// Load the injection driver and inject the hook DLL into all sessions
procedure TForm10.Button1Click(Sender: TObject);
begin
  if LoadInjectionDriver('hShutdown', 'shutdown_x86.sys', 'shutdown_x64.sys') then
    begin
      InjectLibrary('hShutdown', 'hshutdown.dll', ALL_SESSIONS, true);
      Showmessage('Shutdown blocked....');
    end
  else
    begin
      Showmessage('Error while loading the driver....');
      close;
    end;
end;

// Unload driver and unlock shutdown
procedure TForm10.Button2Click(Sender: TObject);
begin
  UninjectLibrary('hShutdown', 'hshutdown.dll', ALL_SESSIONS, true);
  StopInjectionDriver('hShutdown');
  Showmessage('Shutdown unlocked....');
  close;
end;
..........
..........
*******************************************************************************************************************
Does any of you have an idea about the problem? Could you help me, please?

Thank you. :wink:

Kind regards,

Eli
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: ShutdownHook

Post by iconic »

===> is what you need (ALL_SESSIONS or SYSTEM_PROCESSES) - Your flags are incorrect if you want a true system-wide hook via injection. Also, if you need SysUtils for SEH only... consider abandoning it ;) It's bloat and has a rich init section. System.pas has most of what you need and it's perfectly stable in other processes or use Win API directly.

--Iconic
elioliveira
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

Re: ShutdownHook

Post by elioliveira »

Hello iconic,

But in madCodeHook 3.1.9 commercial version there are only two options, see below:

ALL_SESSIONS : dword = dword(-1);
CURRENT_SESSION : dword = dword(-2);

SYSTEM_PROCESSES is only for madCodeHook 2.x. I don't use this version.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: ShutdownHook

Post by iconic »

Didn't know this, thanks for pointing it out. I have a license for 2.x as you alluded to and not 3.x ;) Have you tried hooking NtShutdownSystem() and NtSetSystemPowerState()?

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: ShutdownHook

Post by madshi »

Sorry for the late reply.

I suppose you already used ProcessExplorer (or a similar tool) to double check that your hook dll is loaded in the process that initiates the shutdown?

I see 2 problems in your code:

1) There is no "InitiateSystemShutdownEx". It's A/W, too.
2) You're calling HookAPI() etc for every event/reason, which is not correct. You should only call it for DLL_PROCESS_ATTACH. You don't really need to use DLLEntryPoint at all. Instead just move the contents of the DLLEntryPoint function to the dll's "begin end." block.
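The DLL with madshi's two fixes applied, as an added example (not code from the thread's posters): InitiateSystemShutdownEx is hooked as its A and W exports, the hooks are installed once from the dll's "begin end." block instead of from a DllProc that fires for every event, and each callback's parameter list matches the real export (with stdcall the callee pops its arguments, so the original A/W callbacks' extra dwReason would have unbalanced the caller's stack). It assumes the madCodeHook 3.x CollectHooks/HookAPI/FlushHooks calls used in the original post.

```delphi
library hShutdown;

{$IMAGEBASE $42800000}

uses
  Windows,
  madCodeHook;

var
  // "next hook" pointers filled in by HookAPI; declared with the real export signatures
  // (InitiateSystemShutdownA/W have no dwReason, the Ex variants do)
  ExitWindowsExNext            : function (uFlags, dwReason: dword): bool; stdcall;
  InitiateSystemShutdownANext  : function (lpMachineName, lpMessage: LPSTR;  dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
  InitiateSystemShutdownWNext  : function (lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
  InitiateSystemShutdownExANext: function (lpMachineName, lpMessage: LPSTR;  dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;
  InitiateSystemShutdownExWNext: function (lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;

// Every callback denies the request and reports ERROR_ACCESS_DENIED to the caller.
function ExitWindowsExCallback(uFlags, dwReason: dword): bool; stdcall;
begin result := false; SetLastError(ERROR_ACCESS_DENIED); end;

function InitiateSystemShutdownACallback(lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
begin result := false; SetLastError(ERROR_ACCESS_DENIED); end;

function InitiateSystemShutdownWCallback(lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
begin result := false; SetLastError(ERROR_ACCESS_DENIED); end;

function InitiateSystemShutdownExACallback(lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;
begin result := false; SetLastError(ERROR_ACCESS_DENIED); end;

function InitiateSystemShutdownExWCallback(lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;
begin result := false; SetLastError(ERROR_ACCESS_DENIED); end;

// The dll's "begin end." block runs once per process, at DLL_PROCESS_ATTACH,
// so the hooks are installed exactly once and not again for thread attach/detach events.
begin
  CollectHooks;
  HookAPI(user32,   'ExitWindowsEx',             @ExitWindowsExCallback,             @ExitWindowsExNext);
  HookAPI(advapi32, 'InitiateSystemShutdownA',   @InitiateSystemShutdownACallback,   @InitiateSystemShutdownANext);
  HookAPI(advapi32, 'InitiateSystemShutdownW',   @InitiateSystemShutdownWCallback,   @InitiateSystemShutdownWNext);
  HookAPI(advapi32, 'InitiateSystemShutdownExA', @InitiateSystemShutdownExACallback, @InitiateSystemShutdownExANext);
  HookAPI(advapi32, 'InitiateSystemShutdownExW', @InitiateSystemShutdownExWCallback, @InitiateSystemShutdownExWNext);
  FlushHooks;
end.
```

SysUtils and madStrings are dropped since nothing in the dll uses them, which also follows iconic's advice to keep the injected dll's init section small.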
elioliveira
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

Re: ShutdownHook

Post by elioliveira »

Hello Madshi,

Yes. You're right. After adjusting the code with your tips, it is working perfectly. Thank you so much for helping me.

Problem solved! :wink:

Kind regards,

Eli
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: ShutdownHook

Post by iconic »

Yup, Madshi is right. Glad everything works =) I was a bit thrown off since ExitWindowsEx doesn't have any ansi or unicode version of the API, so I overlooked it with the other functions you're hooking. On NT-based Windows operating systems these calls will generally pass Ansi functions to Unicode (wide), so I don't think you'll need to hook Ansi variants. Always worth testing this. I noticed you're hooking Ansi in your DLL.

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: ShutdownHook

Post by madshi »

Yeah, often it's enough to hook W, but in older OSs sometimes it's not. So I usually hook both, just to be extra safe, because it's no fun to test every hooked API on every OS I need to support.