ShutdownHook

c++ / delphi package - dll injection and api hooking

ShutdownHook

Postby elioliveira » Sun Aug 09, 2015 9:38 pm

Hi guys,

I'd like to implement a hook on Windows shutdown while my system is running. The idea is to block shutdown, log off and power off.

I'm using madCodeHook 3.1.9 commercial version.

Please see my code below.

****************************************
Code:
library hShutdown;

{$IMAGEBASE $42800000}

uses
  Windows,
  SysUtils,
  madCodeHook,
  madStrings;

{$R *.res}

var
  // "Next" pointers to the original APIs; HookAPI fills them in.
  // Each must match the real API signature exactly.
  ExitWindowsExNext           : function (uFlags, Reserved: dword): bool; stdcall;
  InitiateSystemShutdownNextA : function (lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
  InitiateSystemShutdownNextW : function (lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
  InitiateSystemShutdownExNext: function (lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;

// Every callback refuses the request and never calls the original API.
function ExitWindowsExCallback(flags, reserved: dword): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownExCallback(lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool; dwReason: DWORD): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

// The A/W callbacks take the same parameters as InitiateSystemShutdownA/W
// (no dwReason); an extra stdcall parameter would corrupt the caller's stack.
function InitiateSystemShutdownACallback(lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownWCallback(lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD; bForceAppsClosed, bRebootAfterShutdown: bool): bool; stdcall;
begin
  result := false;
  SetLastError(ERROR_ACCESS_DENIED);
end;

// Called for every DllProc reason (process and thread attach/detach).
procedure DLLEntryPoint(Rson: dword);
begin
  try
    CollectHooks;
    HookAPI(user32,   'ExitWindowsEx',            @ExitWindowsExCallback,            @ExitWindowsExNext);
    HookAPI(advapi32, 'InitiateSystemShutdownA',  @InitiateSystemShutdownACallback,  @InitiateSystemShutdownNextA);
    HookAPI(advapi32, 'InitiateSystemShutdownW',  @InitiateSystemShutdownWCallback,  @InitiateSystemShutdownNextW);
    HookAPI(advapi32, 'InitiateSystemShutdownEx', @InitiateSystemShutdownExCallback, @InitiateSystemShutdownExNext);
    FlushHooks;
  except
    on E: Exception do;
  end;
end;

begin
  if not Assigned(DllProc) then
    begin
      DllProc := @DLLEntryPoint;
      DLLEntryPoint(DLL_PROCESS_ATTACH);
    end;
end.


****************************************
I don't have any problem with the madshi driver! The driver loads perfectly and the DLL is injected as well, but the hook doesn't work at all.
What's wrong in my code?

See below my code for loading the driver to block shutdown:

****************************************
Code:
Program Load
.......
.......
.......
.......

// Load the injection driver and inject the hook dll into every session
procedure TForm10.Button1Click(Sender: TObject);
begin
  if LoadInjectionDriver('hShutdown', 'shutdown_x86.sys', 'shutdown_x64.sys') then
    begin
      InjectLibrary('hShutdown', 'hshutdown.dll', ALL_SESSIONS, true);
    end
  else
    begin
      Showmessage('Error while loading the driver....');
      close;
    end;
  Showmessage('Shutdown blocked....');
end;

// Unload the driver and unlock shutdown
procedure TForm10.Button2Click(Sender: TObject);
begin
  UninjectLibrary('hShutdown', 'hshutdown.dll', ALL_SESSIONS, true);
  StopInjectionDriver('hShutdown');
  Showmessage('Shutdown unlocked....');
  close;
end;

..........
..........
****************************************
Does anyone have an idea about the problem? Could you help me, please?

Thank you.

Kind regards,

Eli
elioliveira
 
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

Re: ShutdownHook

Postby iconic » Mon Aug 10, 2015 7:22 am

===> is what you need (ALL_SESSIONS or SYSTEM_PROCESSES) - Your flags are incorrect if you want a true system-wide hook via injection. Also, if you need SysUtils for SEH only... consider abandoning it ;) It's bloat and has a rich init section. System.pas has most of what you need and it's perfectly stable in other processes or use Win API directly.

--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: ShutdownHook

Postby elioliveira » Mon Aug 10, 2015 5:38 pm

Hello iconic,

But in the madCodeHook 3.1.9 commercial version there are only two options, see below:

ALL_SESSIONS : dword = dword(-1);
CURRENT_SESSION : dword = dword(-2);

SYSTEM_PROCESSES exists only in madCodeHook 2.x. I don't use that version.
elioliveira
 
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

Re: ShutdownHook

Postby iconic » Mon Aug 10, 2015 9:25 pm

Didn't know this, thanks for pointing it out. I have a license for 2.x as you alluded to and not 3.x ;) Have you tried hooking NtShutdownSystem() and NtSetSystemPowerState()?

--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: ShutdownHook

Postby madshi » Tue Aug 18, 2015 7:16 pm

Sorry for the late reply.

I suppose you already used Process Explorer (or a similar tool) to double check that your hook dll is loaded in the process that initiates the shutdown?

I see 2 problems in your code:

1) There is no "InitiateSystemShutdownEx". It's A/W, too.
2) You're calling HookAPI() etc for every event/reason, which is not correct. You should only call it for DLL_PROCESS_ATTACH. You don't really need to use DLLEntryPoint at all. Instead just move the contents of the DLLEntryPoint function to the dll's "begin end." block.
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm

Re: ShutdownHook

Postby elioliveira » Thu Aug 20, 2015 1:02 am

Hello Madshi,

Yes. You're right. After adjusting the code with your tips, it is working perfectly. Thank you so much for helping me.

Problem solved!

Kind regards,

Eli
elioliveira
 
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

Re: ShutdownHook

Postby iconic » Thu Aug 20, 2015 4:19 am

Yup, Madshi is right. Glad everything works =) I was a bit thrown off since ExitWindowsEx doesn't have any ANSI or Unicode version of the API, so I overlooked it with the other functions you're hooking. On NT-based Windows operating systems these calls will generally pass ANSI functions on to Unicode (wide) ones, so I don't think you'll need to hook the ANSI variants. Always worth testing this. I noticed you're hooking ANSI in your DLL.

--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: ShutdownHook

Postby madshi » Thu Aug 20, 2015 7:07 am

Yeah, often it's enough to hook W, but in older OSs sometimes it's not. So I usually hook both, just to be extra safe, because it's no fun to test every hooked API on every OS I need to support.
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm
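The corrected structure that madshi's reply (hook only on DLL_PROCESS_ATTACH, hook the A and W variants of InitiateSystemShutdownEx) and the later A/W discussion describe, written out as an added example. This is not code from the thread or from madCodeHook's own samples; it assumes madCodeHook 3.x's CollectHooks/HookAPI/FlushHooks as used in the first post, and the library name hShutdownFixed and the HexDword/LogDeny helpers are mine. Each callback writes the calling process id and the request's flags or reason code to the debugger output before refusing, so an operator watching DebugView can see which process attempted a shutdown and why.

```delphi
library hShutdownFixed;

uses
  Windows,        // no SysUtils: a hook dll runs inside foreign processes, keep it lean
  madCodeHook;

var
  // "Next" pointers to the originals. Every declaration mirrors the real
  // Windows signature exactly; an extra or missing stdcall parameter
  // corrupts the caller's stack on x86.
  ExitWindowsExNext: function (uFlags: UINT; dwReason: DWORD): BOOL; stdcall;
  InitiateSystemShutdownANext: function (lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD;
    bForceAppsClosed, bRebootAfterShutdown: BOOL): BOOL; stdcall;
  InitiateSystemShutdownWNext: function (lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD;
    bForceAppsClosed, bRebootAfterShutdown: BOOL): BOOL; stdcall;
  InitiateSystemShutdownExANext: function (lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD;
    bForceAppsClosed, bRebootAfterShutdown: BOOL; dwReason: DWORD): BOOL; stdcall;
  InitiateSystemShutdownExWNext: function (lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD;
    bForceAppsClosed, bRebootAfterShutdown: BOOL; dwReason: DWORD): BOOL; stdcall;

// Helper (mine): 8-digit upper-case hex without SysUtils.
function HexDword(v: DWORD): AnsiString;
var
  i, d: Integer;
begin
  Result := '00000000';
  for i := 8 downto 1 do begin
    d := Integer(v and $F);
    if d < 10 then Result[i] := AnsiChar(Ord('0') + d)
              else Result[i] := AnsiChar(Ord('A') + d - 10);
    v := v shr 4;
  end;
end;

// Helper (mine): record who asked for a shutdown and with what flags/reason.
// The line shows up in DebugView or any attached debugger.
procedure LogDeny(api: PAnsiChar; value: DWORD);
var
  msg: AnsiString;
begin
  msg := 'hShutdown: denied ' + AnsiString(api) +
         ' pid=0x' + HexDword(GetCurrentProcessId) +
         ' value=0x' + HexDword(value);
  OutputDebugStringA(PAnsiChar(msg));
end;

// Callbacks: log, then refuse with ERROR_ACCESS_DENIED as the original post does.
// The originals are never called, so nothing is forwarded.
function ExitWindowsExCallback(uFlags: UINT; dwReason: DWORD): BOOL; stdcall;
begin
  LogDeny('ExitWindowsEx', uFlags);
  Result := False;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownACallback(lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD;
  bForceAppsClosed, bRebootAfterShutdown: BOOL): BOOL; stdcall;
begin
  LogDeny('InitiateSystemShutdownA', dwTimeout);
  Result := False;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownWCallback(lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD;
  bForceAppsClosed, bRebootAfterShutdown: BOOL): BOOL; stdcall;
begin
  LogDeny('InitiateSystemShutdownW', dwTimeout);
  Result := False;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownExACallback(lpMachineName, lpMessage: LPSTR; dwTimeout: DWORD;
  bForceAppsClosed, bRebootAfterShutdown: BOOL; dwReason: DWORD): BOOL; stdcall;
begin
  LogDeny('InitiateSystemShutdownExA', dwReason);
  Result := False;
  SetLastError(ERROR_ACCESS_DENIED);
end;

function InitiateSystemShutdownExWCallback(lpMachineName, lpMessage: LPWSTR; dwTimeout: DWORD;
  bForceAppsClosed, bRebootAfterShutdown: BOOL; dwReason: DWORD): BOOL; stdcall;
begin
  LogDeny('InitiateSystemShutdownExW', dwReason);
  Result := False;
  SetLastError(ERROR_ACCESS_DENIED);
end;

begin
  // The dll's "begin end." block runs once, on DLL_PROCESS_ATTACH, so the hooks
  // are installed exactly once and no DllProc is needed. Both the A and W
  // variants are hooked, as madshi recommends for older OS versions.
  CollectHooks;
  HookAPI(user32,   'ExitWindowsEx',             @ExitWindowsExCallback,             @ExitWindowsExNext);
  HookAPI(advapi32, 'InitiateSystemShutdownA',   @InitiateSystemShutdownACallback,   @InitiateSystemShutdownANext);
  HookAPI(advapi32, 'InitiateSystemShutdownW',   @InitiateSystemShutdownWCallback,   @InitiateSystemShutdownWNext);
  HookAPI(advapi32, 'InitiateSystemShutdownExA', @InitiateSystemShutdownExACallback, @InitiateSystemShutdownExANext);
  HookAPI(advapi32, 'InitiateSystemShutdownExW', @InitiateSystemShutdownExWCallback, @InitiateSystemShutdownExWNext);
  FlushHooks;
end.
```

The dll is loaded and unloaded exactly as in the poster's Button1Click/Button2Click code. Before trusting the block, confirm with Process Explorer that the dll actually sits in the process that initiates the shutdown, as madshi suggests; a hook that is installed in the wrong process silently does nothing, which is the symptom the thread started with.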

