How to remove 72h limitation?


98 replies to this topic

#26 neeko

    Frequent Member

  • Advanced user
  • 112 posts
  • France

Posted 16 June 2011 - 10:15 AM

Which limit? I don't have any.

#27 joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location: Bergen
  • Norway

Posted 16 June 2011 - 10:15 AM

@neeko
Maybe you could describe the theory before you get a running .Net4 script. (30 days is the trial limitation for non-WinPE)

#28 neeko

Posted 16 June 2011 - 11:01 AM

I have a C# program which blocks WM_QUERYENDSESSION while the user doesn't act to shutdown.

#29 paraglider

    Gold Member

  • .script developer
  • 1743 posts
  • Location: NC, USA
  • United States

Posted 16 June 2011 - 11:35 AM

Why not post the source? It should be easy to convert to C++ if you don't have a C++ compiler.

#30 neeko

Posted 16 June 2011 - 11:45 AM

I don't really know C# actually ^^

And it uses Windows components I absolutely don't know.

I've found it here: http://social.msdn.m...ab-4d1eed024baa

One thing is missing:

- using System.Runtime.InteropServices;

#31 MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 16 June 2011 - 02:15 PM

To turn a Windows into a PE, two settings are required (talking PE1 here; PE3 may or may not work identically). The first is the /minint parameter, which first switches Setupldr, then gets written to the registry as a start parameter for 'whoever' cares.
The second is SystemSetupInProgress=1.

Any file checking either of the two parameters can easily be patched to look for something else. This, however, causes the default behavior of the file, which is not seldom a disaster in a PE.

So to get better control over the behavior of several files, the actual code of those files needs to be modified, to keep the desired effects and avoid the undesired ones.

Depending on how this is done and where you live, this is all kinds of levels of illegal. :smiling9:


:cheers:

#32 neeko

Posted 16 June 2011 - 02:19 PM

I guess that modifying any Windows file is prohibited by Microsoft, no matter where you live.

#33 MedEvil

Posted 16 June 2011 - 03:16 PM

Microsoft cannot prohibit anything. They're just a company that sells worldwide, not a world government.
For instance, M$ would love to prohibit reverse engineering, but too bad for them, it is legal in Europe. (to a certain degree)

:smiling9:

#34 joakim

Posted 16 June 2011 - 03:56 PM

I just started testing, but am facing the first hurdle. It's not the actual limitation, but more like the lack of it. I don't have time to wait 3 days between each test. Has anybody figured out how to trigger the shutdown "naturally"? If so, how? Is there any messagebox displayed prior to shutdown (my VM will shut down in 3 days)?

#35 joakim

Posted 16 June 2011 - 10:08 PM

My 3 days have not ended yet, but I've come a bit closer I think. I found some code that hooked WM_QUERYENDSESSION and WM_ENDSESSION, and it worked for user-invoked shutdowns in non-WinPE (regular Windows 7). Those are some new APIs not available in NT5. Don't know why it does not work in WinPE though. Regarding WinPE (3.0), I have noticed 2 ways of shutting down the system, both of which I can prevent:

1. wpeutil.exe can be used. Patching wpeutil.dll for the string "shutdown" will prevent wpeutil from shutting down the system.
2. shutdown.exe can also be used. This one uses the named pipe InitShutdown that wininit.exe sets up and winlogon.exe serves. Patching the string "shutdown" in wininit.exe will create misnamed pipes that the system does not know what to do with. In this case shutdown.exe will complain about a missing RPC server, and cannot shut down the system.

But since I still never have seen the shutdown after 72 hours, I can't say if any of the above will work. I don't know what triggers what during such a shutdown. I seriously doubt I will have a machine occupied for 3 days just for 1 test... and 6 days for the second test...

Good luck guys.

#36 RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests: "Booting and Owning".
  • United States

Posted 16 June 2011 - 10:52 PM

wpeinit will also shut down or restart the computer / PE3.
Save the code below in a UTF-8 file named AutoUnattend_Shutdown.xml


Call it from the command line or a batch file like this:
%SystemRoot%\System32\wpeinit.exe /unattend=AutoUnattend_Shutdown.xml


<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.micro...nfig/2002/State" xmlns:xsi="http://www.w3.org/20...Schema-instance">
      <Restart>Shutdown</Restart>
    </component>
  </settings>
</unattend>

#37 joakim

Posted 17 June 2011 - 05:27 AM

Yes, but since wpeinit.exe also depends on wpeutil.dll, I think the patch still works (not 100% sure). The question is what actually triggers the shutdown after 72 hours, and how.

#38 neeko

Posted 17 June 2011 - 07:09 AM

Well, it's a little bit too complicated for me, I can't help you on that, I've never modded a Windows exe.

Good luck guys, I'm looking to you :wheelchair:

#39 Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 17 June 2011 - 09:51 AM

"I seriously doubt I will have a machine occupied for 3 days just for 1 test... and 6 days for the second test..."

How often do you reboot normally? :cheers:

I mean, haven't you got a 24/7 running machine on which you can run the PE in a VM? :dubbio:

A random idea ;) (linked to the idea by pscEx).
*Somewhere* there must be a "timer" indicating "time passed since boot" or a "static" "last booted on date/time" timestamp.
If it is the second, there is no easy way to find it, but if it is the first, maybe comparing two separate RAM dumps taken at a (say) 10-minute interval will show where it is. :unsure:

:cheers:
Wonko

#40 joakim

Posted 17 June 2011 - 11:28 AM

"I mean, haven't you got a 24/7 running machine on which you can run the PE in a VM? :dubbio:"

Sure, but being restricted to 1 test every third day is too slow. Now, since I'm using VMware I just found a vmx parameter I will try:
timeTracker.apparentHz

Have never tried it before though.

#41 Wonko the Sane

Posted 17 June 2011 - 12:01 PM

"Sure, but being restricted to 1 test each third day, is too slow."


I see what you mean ;), the math related to calculating time needed "bruteforcing" at a rate of 3,858024691358024691358024691358e-6 "passwords/second" is mind-boggling :cheers: and exceeds conventional calculators' precision (besides lifetimes).

:dubbio:

:unsure:
Wonko

#42 MedEvil

Posted 17 June 2011 - 01:39 PM

"Sure, but being restricted to 1 test each third day, is too slow."

You don't need to wait 3 days for preliminary testing.
Just kill PEShell or WPEinit and see if you can stop the reboot.
Once that works, I'm sure we can find more than one user who is willing to have a PE run for 3 days.

:dubbio:

#43 joakim

Posted 17 June 2011 - 09:51 PM

"You don't need to wait 3 days for preliminary testing.
Just kill PEShell or WPEinit and see if you can stop the reboot."

Killing processes is currently the only way of shutting down my WinPE system. Any other method does not work. So if the 72-hour shutdown is just terminating the shell process, then my patches will not work. However, if it is using any shutdown APIs/named pipes to initialize the shutdown, then I believe it will work.

The previously mentioned (and partly tested here) methods of using "ShutdownBlockReasonCreate" will likely not work if the shell process is just killed. If that's the case, further APIs (ntdll.dll) must be disabled as well (not a very nice solution). But of course altering the timer would be the best solution. I tried looking at KeSetTimer inside the kernel, which is triggered when the animation is played, but do not know if this is it or even what to do with it. But I have a feeling that this one is the right one. If resetting the timer is not possible, then maybe extending the due date may work (if we could locate where the timer is triggered). Anybody?

#44 MedEvil

Posted 17 June 2011 - 10:01 PM

I'm already on it. Thought I found it. But couldn't make Win7PE_SE reboot after only 5 minutes.
So either it wasn't the right spot, which would be a big coincidence. Or in Win7PE_SE the timeout does not work. :cheers:

:cheers:

#45 MedEvil

Posted 17 June 2011 - 11:49 PM

If this reboot really does work, it in no way happens after 72 hours.
There are only two files which contain this value in the whole PE and both cannot be used to reboot after 5 minutes.

:cheers:

#46 MedEvil

Posted 18 June 2011 - 11:17 AM

Before I invest any more time to figure out how this reboot works, I first want a verification that Win7PE_SE really does reboot and the precise uptime after which it does.

:cheers:

#47 joakim

Posted 18 June 2011 - 12:23 PM

I started a test VM (regular WinPE 3.0), with my patched wininit.exe and wpeutil.dll before I went to bed last night around 00.45. That means I will know by Tuesday morning if the system was shut down one way or the other.

#48 MedEvil

Posted 18 June 2011 - 01:25 PM

What is a regular WinPE3.0? A WAIK WinPE with CMD as shell?

:cheers:

#49 joakim

Posted 18 June 2011 - 01:39 PM

"What is a regular WinPE3.0? A WAIK WinPE with CMD as shell?"

Yes. Winpeshl.exe put under the CmdLine registry key and cmd.exe running as the actual and only visible shell. Don't think putting cmd.exe in the CmdLine registry key will make any difference against the limit.

#50 neeko

Posted 21 June 2011 - 07:12 AM

So guys, what about the issue? :blink:



