A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23457  by Microwave89
 Sun Jul 27, 2014 9:14 pm
Hi,
In order to be able to write or delete some registry keys/values at the last minute, I need to detect a shutdown or reboot of Windows.
Keys must not be modified if there is only a logoff!

Currently I'm relying on a very simple method which isn't failsafe at all:
By using xbootmgr I figured out a process which is being terminated on shutdown, but not on logoff.
This svchost.exe process is maintaining a handle to an ALPC port with a simple name. If this handle is closed, the port object is deleted and cannot be referenced anymore.
Hence, if I first succeed in referencing the port object and later fail, I can infer that the process must have exited in the meantime and Windows is being shut down (or rebooted).
But on Windows 7 SP1 this particular port object doesn't exist, so the registry is never being modified.

As you can see, this solution is terribly improper; are there better ways to achieve my goal?
I would mostly appreciate solutions working by only polling or by synchronization.
Is there maybe any shutdown event being signaled which is accessible from kernel mode too,
so that my system thread gets unblocked and can then modify the registry?
Maybe I can somehow listen to RPC messages?

Target systems are Windows 7 SP1 x64 and Windows 8.1 x64.


Best Regards

Microwave89

P.S. Intercepting IRP_MJ_SHUTDOWN / IRP_MJ_POWER isn't suitable, since if I try to write to the registry, STATUS_TOO_LATE is issued.
 #23470  by Microwave89
 Wed Jul 30, 2014 11:44 am
Hi Vrtule,

I just googled a little about the IoRegisterShutdownNotification API and I found some developers rumouring
that even with this API it's not possible to get the registry modified permanently.
http://www.osronline.com/showThread.cfm?link=154532

This correlates with my earlier results of patching IRP_MJ_SHUTDOWN of fltmgr.sys, then receiving those IRPs and still not being able to write to the registry.

However, I think I will give it a try using my own DeviceObject.

If that's not working, maybe I can still skip distinguishing between logoff and shutdown and just undo the modifications if there is another logon.
Because any logoff/shutdown attempt seems to be easily detectable using KeWaitForSingleObject on explorer.exe (or whatever the shell might be)...

If someone knows another method, I would be glad if they let me know.


Best regards

Microwave89