How about??? NtShutdownSystem() Hooking....

Hi

I want my system not to shut down, from my driver.
So I am going to hook NtShutdownSystem().
I do not know whether the hooking is actually carried out, however.

compile error ==> 'ZwShutdownSystem' : inconsistent dll linkage. dllexport assumed.

Is the hooking carried out, however?
Help me…

my code:
DriverEntry(…)
{
SetupCallNumbers();
hooking();
}

void SetupCallNumbers()
{
ULONG BuildNumber = (NtBuildNumber & 0x0000FFFF);
DbgPrint("ROOTKIT: Detected build number is %d, ", BuildNumber);
switch(BuildNumber)
{
case 0x565:
DbgPrint("Windows NT 4.0\n");
_callnumber_NtCreateProcess = 0x1F;
_callnumber_NtShutdownSystem =0xB5;
break;

case 0x893:
_callnumber_NtCreateProcess = 0x29;
_callnumber_NtShutdownSystem =0xD9;
break;

default:
DbgPrint("Warning - unsupported windows version. No call hooks will take place!\n");
break;
}
}

void hooking(){
OldZwShutdownSystem =
(NTSHUTDOWNSYSTEM)(SYSTEMSERVICES(ZwShutdownSystem));
_asm cli
(NTSHUTDOWNSYSTEM)(SYSTEMSERVICES(ZwShutdownSystem)) =
NewZwShutdownSystem;
_asm sti
}

__declspec(naked) NTSTATUS NTAPI ZwShutdownSystem(SHUTDOWN_ACTION action)
{
_asm
{
mov eax, _callnumber_NtShutdownSystem
lea edx, [esp+4]
int 2eh
ret 04h
}
}

NTSTATUS NewZwShutdownSystem(SHUTDOWN_ACTION Action)
{
DbgPrint("ShutDown\n");
return STATUS_PRIVILEGE_NOT_HELD;
}

Well, besides the standard rants about hooking system services being a bad
idea, in this particular case you have a lot of mistakes. You should
realize that in the NT 4.0 and Win2k days the call numbers changed at times per
service pack, so your hook code is not going to work. The only safe thing is
to deconstruct the call in user space, get the number and pass it to your
driver to hook; note this still means all the problems of hooking and
unhooking are still present, just the call number is correct.

The real question is why do you want to hook shutdown system? If it is for
notification you can get this other ways.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

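A defender's counterpart to the hooking discussed above: an integrity check over a system service table snapshot that flags entries whose target lies outside the kernel image, the tell-tale of the kind of hook posted in this thread (or of one left dangling after the hooking driver unloaded). This is an added example, not code from the thread; the module ranges and addresses are constructed, and the service indices 0x29/0xD9 are the Windows 2000 (build 0x893) values quoted in the original post.

```python
"""SSDT integrity check: flag service-table entries whose target lies outside
the kernel image.  Added example, not code from the thread; all addresses and
module ranges below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Service indices quoted in the thread for build 0x893 (Windows 2000); they
# only label findings, the check itself covers every entry in the table.
SERVICE_NAMES_W2K = {0x29: "NtCreateProcess", 0xD9: "NtShutdownSystem"}
Finding = Tuple[int, str, int, Optional[str]]

def find_hooked_services(table: Dict[int, int],
                         kernel_modules: Iterable[ModuleRange],
                         loaded_modules: Iterable[ModuleRange],
                         names: Dict[int, str] = SERVICE_NAMES_W2K) -> List[Finding]:
    """Return (index, name, target, owner) for each entry not pointing into a
    kernel module; owner is the loaded module containing the target, or None
    when none does (e.g. a hook left behind by an unloaded driver)."""
    kernel, loaded = list(kernel_modules), list(loaded_modules)
    findings: List[Finding] = []
    for index in sorted(table):
        target = table[index]
        if any(m.contains(target) for m in kernel):
            continue  # legitimate: dispatches into the kernel image
        owner = next((m.name for m in loaded if m.contains(target)), None)
        findings.append((index, names.get(index, f"service_{index:#x}"), target, owner))
    return findings

# Constructed snapshot: kernel image, one third-party driver, and a partial
# service table in which two entries have been redirected.
NTOSKRNL = ModuleRange("ntoskrnl.exe", 0x80400000, 0x1A0000)
HOOK_SYS = ModuleRange("hook.sys", 0xF8A00000, 0x2000)
SAMPLE_TABLE = {
    0x29: 0x80412340,  # NtCreateProcess, still inside ntoskrnl
    0x30: 0x80433100,  # unrelated service, inside ntoskrnl
    0xD9: 0xF8A00420,  # NtShutdownSystem redirected into hook.sys
    0xF0: 0xDEAD0000,  # target in no loaded module: stale hook
}
```

Calling `find_hooked_services(SAMPLE_TABLE, [NTOSKRNL], [NTOSKRNL, HOOK_SYS])` on the constructed snapshot reports the 0xD9 entry as owned by hook.sys and the 0xF0 entry as belonging to no loaded module.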

> DbgPrint("ROOTKIT: Detected build number is %d, ", BuildNumber);

Writing rootkits is great :) asking on forums on "how to write a rootkit" is
even greater :)

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> The real question is why do you want to hook shutdown system? If it is for
> notification you can get this other ways.

By system set power IRP going to S5, for instance.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> ----------
> From: Maxim S. Shatskih[SMTP:xxxxx@storagecraft.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Friday, April 02, 2004 12:10 AM
> To: Windows System Software Devs Interest List
> Subject: Re: Re:[ntdev] How about??? NtShutdownSystem() Hooking…
>
> > The real question is why do you want to hook shutdown system? If it is for
> > notification you can get this other ways.
>
> By system set power IRP going to S5, for instance.

This doesn't seem like a notification need:

NTSTATUS NewZwShutdownSystem(SHUTDOWN_ACTION Action)
{
DbgPrint("ShutDown\n");
return STATUS_PRIVILEGE_NOT_HELD;
}

Good catch with rootkit, Max. It wasn't apparent on the quick look. I'm not
sure if we should help somebody who wants to prevent users from shutting the
system down…

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

On w2k and later, NtShutdownSystem is a wrapper around
NtSetSystemPowerState, and both functions can be used to shut the machine down.

Also note that I don't think that failing these functions will be enough.
The "Shut Down" UI item will still exist, and choosing it will shut down all
apps and all user-mode services, which may not be what the guy wants.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Michal Vodicka”
To: “Windows System Software Devs Interest List”
Sent: Friday, April 02, 2004 2:23 AM
Subject: RE: Re:[ntdev] How about??? NtShutdownSystem() Hooking…
