madshi.net

Posted: **Sun Aug 09, 2015 9:38 pm**

Hi guys,

I'd like to implement hook in windows shutdown when my system is running. The idea is block shutdown, log off, power off.

I'm using madCodeHook 3.1.9 commercial version.

Please, see below my code.

**************************************************************************************************************************************************************************************************************************

Code: Select all

library hShutdown;

{$IMAGEBASE $42800000}

uses
  Windows,
  SysUtils,
  madCodeHook,
  madStrings;

{$R *.res}

var
ExitWindowsExNext                     : function (uFlags, Reserved: dword):bool; stdcall;
InitiateSystemShutdownNextA     : function (lpMachineName:LPSTR;lpMessage:LPSTR;dwTimeout:DWORD;bForceAppsClosed,bRebootAfterShutdown:bool):bool; stdcall;
InitiateSystemShutdownNextW    : function (lpMachineName:LPWSTR;lpMessage:LPWSTR;dwTimeout:DWORD;bForceAppsClosed,bRebootAfterShutdown:bool):bool; stdcall;
InitiateSystemShutdownExNext    : function (lpMachineName:LPSTR;lpMessage:LPSTR;dwTimeout:DWORD;bForceAppsClosed,bRebootAfterShutdown:bool;dwReason:DWORD):bool; stdcall;

function ExitWindowsExCallback(flags, reserved: dword): bool; stdcall;
begin
    result := false;
    SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownExCallback(lpMachineName:LPSTR; lpMessage:LPSTR;dwTimeout:DWORD; bForceAppsClosed, bRebootAfterShutdown:bool; dwReason:DWORD): bool; stdcall;
begin
    result := false;
    SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownACallback(lpMachineName:LPSTR; lpMessage:LPSTR;dwTimeout:DWORD; bForceAppsClosed, bRebootAfterShutdown:bool; dwReason:DWORD): bool; stdcall;
begin
    result := false;
    SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownWCallback(lpMachineName:LPWSTR; lpMessage:LPWSTR;dwTimeout:DWORD; bForceAppsClosed, bRebootAfterShutdown:bool; dwReason:DWORD): bool; stdcall;
begin
    result := false;
    SetLastError(ERROR_ACCESS_DENIED);
end;

procedure DLLEntryPoint(Rson: dword);
begin
 Try
   CollectHooks;
   HookAPI(user32, 'ExitWindowsEx', @ExitWindowsExCallback, @ExitWindowsExNext);
   HookAPI(advapi32, 'InitiateSystemShutdownA', @InitiateSystemShutdownACallback, @InitiateSystemShutdownNextA);
   HookAPI(advapi32, 'InitiateSystemShutdownW', @InitiateSystemShutdownWCallback, @InitiateSystemShutdownNextW);
   HookAPI(advapi32, 'InitiateSystemShutdownEx', @InitiateSystemShutdownExCallback, @InitiateSystemShutdownExNext);
   FlushHooks;
 Except
   On E: Exception do;
 end;
end;

begin
  if not Assigned(DllProc) then
   begin
    DLLProc := @DLLEntryPoint;
    DLLEntryPoint(DLL_PROCESS_ATTACH);
   end;
end.

*********************************************************************************************************************************************************************************
I don't have any problem with madshi driver! The driver loaded perfectly and injection DLL as well, but the hook doesn't work at all.
what's wrong in my code?

See below my code to Loading driver to block shutdown

**********************************************************************************************************************************

Code: Select all

Program Load
.......
.......
.......
.......

procedure TForm10.Button1Click(Sender: TObject);
begin
if LoadInjectionDriver('hShutdown', 'shutdown_x86.sys', 'shutdown_x64.sys') then
  begin
   InjectLibrary('hShutdown', 'hshutdown.dll', [b]ALL_SESSIONS[/b], true);
  end
else
  begin
     Showmessage('Error while loading the driver....');
     close;
  end;
 Showmessage('Shutdown blocked....');
end;

//Unload driver and unlock shutdown
procedure TForm10.Button2Click(Sender: TObject);
begin
  UninjectLibrary('hShutdown', 'hshutdown.dll', ALL_SESSIONS, true);
  StopInjectionDriver('hShutdown');
  Showmessage('Shutdown unlocked....');
  close;
end;

..........
..........
*******************************************************************************************************************
Who of you have any idea about of the problem? Might help-me please?

Thank you .

Kind regards,

Eli

Posted: **Mon Aug 10, 2015 7:22 am**

===> is what you need (ALL_SESSIONS or SYSTEM_PROCESSES) - Your flags are incorrect if you want a true system-wide hook via injection. Also, if you need SysUtils for SEH only... consider abandoning it

It's bloat and has a rich init section. System.pas has most of what you need and it's perfectly stable in other processes or use Win API directly.

--Iconic

Posted: **Mon Aug 10, 2015 5:38 pm**

Hello iconic,

But in madCodeHook 3.1.9 commercial version there is only two options, see below:

ALL_SESSIONS : dword = dword(-1);
CURRENT_SESSION : dword = dword(-2);

SYSTEM_PROCESSES is only to madCodeHook 2.x. I don't use this version.

Posted: **Mon Aug 10, 2015 9:25 pm**

Didn't know this, thanks for pointing it out. I have a license for 2.x as you alluded to and not 3.x

Have you tried hooking NtShutdownSystem() and NtSetSystemPowerState()?

--Iconic

Posted: **Tue Aug 18, 2015 7:16 pm**

Sorry for the late reply.

I suppose you already used ProcessExplorer (or a similar tool) to double check that your hook dll is loaded in the process who initiates the shutdown?

I see 2 problems in your code:

1) There is no "InitiateSystemShutdownEx". It's A/W, too.
2) You're calling HookAPI() etc for every event/reason, which is not correct. You should only call it for DLL_PROCESS_ATTACH. You don't really need to use DLLEntryPoint at all. Instead just move the contents of the DLLEntryPoint function to the dll's "begin end." block.

Posted: **Thu Aug 20, 2015 1:02 am**

Hello Madshi,

Yes. You're right. After adjust the code with your tips, is working perfect. Thank you so much for help me.

Problem solved!

Kind regards,

Eli

Posted: **Thu Aug 20, 2015 4:19 am**

Yup Madshi is right. Glad everything works =) I was a bit thrown off since ExitWindowsEx doesn't have any ansi or unicode version of the API so I overlooked it with the other functions you're hooking. On NT-based Windows operating systems these calls will generally pass Ansi functions to Unicode (wide) so I don't think you'll need to hook Ansi variants. Always worth testing this. I noticed you're hooking Ansi in your DLL

--Iconic

Posted: **Thu Aug 20, 2015 7:07 am**

Yeah, often it's enough to hook W, but in older OSs sometimes it's not. So I usually hook both, just to be extra safe, because I don't have fun to test every hooked API on every OS I need to support.

madshi.net

ShutdownHook

ShutdownHook

Re: ShutdownHook

Re: ShutdownHook

Re: ShutdownHook

Re: ShutdownHook

Re: ShutdownHook

Re: ShutdownHook

Re: ShutdownHook