M2R, posted April 9, 2009

How do I prevent an EWX_FORCE shutdown? When I tried to code a "prevent shutdown" app by detecting WM_QUERYENDSESSION and WM_ENDSESSION, I realized that I couldn't prevent the EWX_FORCE message.
KOrUPt, posted April 9, 2009 (edited April 12, 2009 by KOrUPt)

This may seem a little overkill for your needs, but I'll go ahead either way... I suggest you implement a kernel driver that hooks NtShutdownSystem() (see http://undocumented.ntinternals.net/UserMo...ownSystem.html) and returns an access denied error. You could create a userland application that uses events and such to decide whether or not to allow the system to be shut down. If you need a hand implementing this, let me know and I'll crack open my trusty IDE one more time and see what I can do. Just keep in mind that the user could still hard reset the box if he feels it necessary. Hope this helps. KOrUPt.

Edit: Corrected URL tags, well spotted Ghandi.
M2R (author), posted April 12, 2009

Whoops, 404: File not found. I can't open your suggested URL. So, you think that I have to create a Ring 3 app which 'traps' the shutdown-related events, right? Do you have some source code which implements your idea for preventing EWX_FORCE? At least, thanks for your response to this thread.
ghandi, posted April 12, 2009

The link is only invalid due to the ")" on the end... http://undocumented.ntinternals.net/UserMo...downSystem.html

HR, Ghandi
KOrUPt, posted April 12, 2009 (edited April 12, 2009 by KOrUPt)

[quoting M2R's reply above]

URL tags repaired. Thanks Ghandi. M2R, you're incorrect. I think you should create a Ring 0 (kernel land) driver and implement an SSDT hook for NtShutdownSystem() that returns a STATUS_ACCESS_DENIED response. I don't have any source code handy at the moment (well, only ancient things that make my eyes bleed, and as such I'd rather not disclose). I suggest you check out the Rootkits [e]book by Greg Hoglund and James Butler; it's an interesting read should you want to take the leap into kernel land, just be careful. The task at hand really isn't too hard to implement on a basic scale. Research is key! Hope this helps. KOrUPt.
M2R (author), posted April 13, 2009

So the NtShutdownSystem 'trap' takes the SHUTDOWN_ACTION and then returns a STATUS_ACCESS_DENIED, right? Rootkits [e]book by Greg Hoglund and James Butler -> http://ultrauploading.com//v/4909783/ebc_rootkits_subverting_the_windows_kernel.rar.html
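The mechanism KOrUPt describes and M2R restates, shown as an added example that is not code from anyone in this thread: a user-mode C model of the SSDT hook pass-through pattern, built so it compiles anywhere. The NTSTATUS values, the SHUTDOWN_ACTION enum and the EWX_* flags are the real Windows constants; the service table, its index 0xF9, the policy flag and ModelShutdownRequest() are stand-ins for the kernel structures and the winlogon path. The model also shows why the original WM_QUERYENDSESSION approach fails: with EWX_FORCE those messages are never sent, so the request reaches the kernel regardless and only the hook can refuse it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real values from the Windows SDK/WDK headers. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define STATUS_CANCELLED     ((NTSTATUS)0xC0000120L)

typedef enum _SHUTDOWN_ACTION {
    ShutdownNoReboot = 0,
    ShutdownReboot   = 1,
    ShutdownPowerOff = 2
} SHUTDOWN_ACTION;

#define EWX_LOGOFF   0x00000000
#define EWX_SHUTDOWN 0x00000001
#define EWX_REBOOT   0x00000002
#define EWX_FORCE    0x00000004
#define EWX_POWEROFF 0x00000008

typedef NTSTATUS (*PNT_SHUTDOWN_SYSTEM)(SHUTDOWN_ACTION Action);

/* Model of the system service table: function pointers indexed by service
 * number. The real table holds many prototypes and the index of
 * NtShutdownSystem changes between Windows builds; 0xF9 is hypothetical. */
#define SERVICE_TABLE_SIZE   256
#define IDX_NtShutdownSystem 0xF9
static PNT_SHUTDOWN_SYSTEM g_service_table[SERVICE_TABLE_SIZE];

/* Last action the real service was asked for (-1 = never reached). */
static int g_last_action = -1;
int LastAction(void) { return g_last_action; }

/* Stand-in for the kernel's own NtShutdownSystem. */
static NTSTATUS OriginalNtShutdownSystem(SHUTDOWN_ACTION Action) {
    g_last_action = (int)Action;
    return STATUS_SUCCESS;
}

/* Policy the user-mode helper toggles (a named event or IOCTL in a real
 * driver). Default-deny so a crash of the helper cannot unlock shutdown. */
static bool g_shutdown_allowed = false;
void SetShutdownAllowed(bool allowed) { g_shutdown_allowed = allowed; }

static PNT_SHUTDOWN_SYSTEM g_original = NULL;

/* The hook: refuse unless policy allows, otherwise pass through untouched. */
static NTSTATUS HookedNtShutdownSystem(SHUTDOWN_ACTION Action) {
    if (!g_shutdown_allowed)
        return STATUS_ACCESS_DENIED;
    return g_original(Action);
}

void InitServiceTable(void) {
    for (int i = 0; i < SERVICE_TABLE_SIZE; i++) g_service_table[i] = NULL;
    g_service_table[IDX_NtShutdownSystem] = OriginalNtShutdownSystem;
}

/* Save the original entry and swap in the hook. In a real driver the table
 * is read-only, so it must first be made writable (e.g. through an MDL). */
bool InstallHook(void) {
    if (g_original != NULL) return false;          /* already hooked */
    g_original = g_service_table[IDX_NtShutdownSystem];
    g_service_table[IDX_NtShutdownSystem] = HookedNtShutdownSystem;
    return true;
}

bool RemoveHook(void) {
    if (g_original == NULL) return false;
    g_service_table[IDX_NtShutdownSystem] = g_original;
    g_original = NULL;
    return true;
}

/* Dispatcher: a system call arrives with its service index. */
static NTSTATUS CallService(unsigned index, SHUTDOWN_ACTION Action) {
    return g_service_table[index](Action);
}

static SHUTDOWN_ACTION ActionFromFlags(unsigned flags) {
    if (flags & EWX_REBOOT)   return ShutdownReboot;
    if (flags & EWX_POWEROFF) return ShutdownPowerOff;
    return ShutdownNoReboot;
}

/* Model of the user-mode path. Without EWX_FORCE an application returning
 * FALSE to WM_QUERYENDSESSION cancels the request; with EWX_FORCE the
 * messages are not sent at all and the call goes straight to the kernel. */
NTSTATUS ModelShutdownRequest(unsigned flags, bool app_vetoes) {
    if (app_vetoes && !(flags & EWX_FORCE))
        return STATUS_CANCELLED;
    return CallService(IDX_NtShutdownSystem, ActionFromFlags(flags));
}

int main(void) {
    InitServiceTable();
    InstallHook();
    NTSTATUS s = ModelShutdownRequest(EWX_SHUTDOWN | EWX_FORCE, true);
    printf("forced shutdown, policy deny : 0x%08X\n", (unsigned)s);
    SetShutdownAllowed(true);
    s = ModelShutdownRequest(EWX_REBOOT | EWX_FORCE, true);
    printf("forced reboot, policy allow  : 0x%08X (action %d)\n",
           (unsigned)s, LastAction());
    RemoveHook();
    return 0;
}
```

Build with any C99 compiler (e.g. gcc -std=c99). Turning this into the real thing means a WDK driver that locates KeServiceDescriptorTable, resolves the per-build index, maps the table writable and swaps the entry; two caveats a practitioner wants before going down that road: 64-bit Windows ships Kernel Patch Protection, which bugchecks the machine when the SSDT is modified, so the approach is limited to 32-bit systems, and NtShutdownSystem already sits behind SeShutdownPrivilege, so the hook only adds value against callers who hold that privilege. As KOrUPt says, none of it stops a hard reset.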