Protecting a Windows application from premature termination
Have you ever written a Windows app that works on a specific and very important task that must be completed, but then someone force-closes it?
One solution would be to ask the user not to force-close the app. Unfortunately, this doesn’t usually work.
There is a cool “trick”, unknown to most programmers, that makes sure no one closes that important app without getting a BSOD (Blue Screen Of Death). The trick is a function called NtSetInformationProcess.
Some OS (Operating System) processes, such as Csrss.exe (Client Server Runtime Process), are considered critical for the normal function of the OS and closing them would crash the system in order to avoid any abnormal behavior.
NtSetInformationProcess is an external, undocumented OS function that can instruct the OS to mark the current process as “critical.” Once a process is critical, force-closing it triggers a BSOD.
Warning: When the user tries to force-close the application, a warning may not appear to alert the user that he’s about to close a critical app that may crash the system.
Disclaimer: We, AppSec Labs, shall not in any way be held responsible in the case of any damage that may occur from using this function, nor any abnormal behavior.
Add the following code to your C# app to declare the external function (the attribute lives in System.Runtime.InteropServices, and the quotes must be plain ASCII quotes):
using System.Runtime.InteropServices;

[DllImport("ntdll")]
static extern int NtSetInformationProcess(IntPtr PHandle, int PInformationClass, ref int PInformation, int PInfoLength);
PHandle – A handle to the process.
PInformationClass – The information class to set; 0x1D (29 in decimal) is BreakOnTermination.
PInformation – A value that indicates, in our case, whether to set the process as critical or return it to normal (“1” sets it as critical; “0” returns it to normal).
PInfoLength – The size in bytes of PInformation (for example, 4 for an integer).
The following example makes the current process critical to the system; from then on, its premature termination will crash the OS and result in a BSOD (Process comes from System.Diagnostics):
int IsCritical = 1;
NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref IsCritical, 4);
To revert the process back to normal, simply change the “IsCritical” value to “0” and make the same call. See below:
int IsCritical = 0;
NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref IsCritical, 4);
Note: There is another function that also makes a process critical: RtlAdjustPrivilege.
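The call above has a read-side counterpart, NtQueryInformationProcess, which lets you find out which processes currently carry the BreakOnTermination flag. The following audit tool is an added example written for this page, not code from the original post: it walks the process list and reports every process whose flag (the same class 0x1D used above) is set, which is what you would run to check that your own app reverted itself correctly, or to spot a process on a machine that has quietly made itself critical. The class name CriticalProcessAudit and the output format are my own choices; the P/Invoke declarations are the real ntdll and kernel32 entry points.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example, not code from the original post: walk the process list and report
// every process whose ProcessBreakOnTermination flag (class 0x1D, the one the post
// sets) is currently 1, i.e. every process whose termination would blue-screen the box.
static class CriticalProcessAudit
{
    // Read-side counterpart of the post's NtSetInformationProcess (undocumented, ntdll).
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        ref int processInformation, int processInformationLength, out int returnLength);

    // Documented kernel32 APIs, used to open each process with the minimum rights needed.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int ProcessBreakOnTermination = 0x1D;      // 29 in the post's decimal form
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const int STATUS_SUCCESS = 0;

    // true = flag set, false = flag clear, null = process could not be opened or queried
    // (protected/system processes typically deny access unless we run elevated).
    public static bool? IsCritical(int pid)
    {
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (h == IntPtr.Zero) return null;
        try
        {
            int value = 0, returned;
            int status = NtQueryInformationProcess(h, ProcessBreakOnTermination,
                                                   ref value, sizeof(int), out returned);
            return status == STATUS_SUCCESS ? (bool?)(value != 0) : null;
        }
        finally { CloseHandle(h); }
    }

    static void Main()
    {
        Console.WriteLine("{0,6}  {1,-30}  {2}", "PID", "Name", "BreakOnTermination");
        foreach (Process p in Process.GetProcesses())
        {
            bool? critical = IsCritical(p.Id);
            // Print the ones that are set, plus the ones we could not inspect, so gaps are visible.
            if (critical != false)
                Console.WriteLine("{0,6}  {1,-30}  {2}", p.Id, p.ProcessName,
                                  critical == null ? "access denied" : "SET");
        }
    }
}
```

Run it from an elevated prompt so that fewer processes show up as “access denied”; on a normal system the SET entries are csrss.exe and a few other system processes such as wininit.exe, and anything else in that list deserves a closer look. One caveat worth knowing when you test the set call from the post: marking a process critical requires SeDebugPrivilege, and without it NtSetInformationProcess returns STATUS_PRIVILEGE_NOT_HELD (0xC0000061). The post's snippet discards the return value, so from a non-elevated process the call fails silently and the process simply stays non-critical, which the audit above will show you.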
“No one likes a sad face”
Trigger emergency shutdown programmatically
Ever wonder if you could use an application to force the system to shut down? Well, you are about to find out that it’s not only possible, but also very easy!
NtShutdownSystem is an external and undocumented OS function for local system shut-down without notification.
Disclaimer: We, AppSec Labs, shall not in any way be held responsible in the case of any damage that may occur from using this function, nor any abnormal behavior.
The function takes an integer that tells the OS which shutdown action to perform. For instance, “1” signifies a reboot, while “0” simply shuts the system down.
Before we can call the function we have to import it with [DllImport("ntdll")] and declare it a few lines before the call itself with private static extern void NtShutdownSystem(int Action). This can be done in the class’s field declaration section, for instance.
The action is a SHUTDOWN_ACTION enumeration:
0 = Shut-down with no reboot
1 = Shut-down with reboot
2 = Power off
For example, NtShutdownSystem(1) can be used to quickly force the computer to reboot.
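The reason this call sometimes “does nothing” is that NtShutdownSystem, like the documented ExitWindowsEx, only works when the calling token holds SeShutdownPrivilege; otherwise it returns STATUS_PRIVILEGE_NOT_HELD, which a void declaration throws away. The following is an added example for this page, not code from the original post: it declares the function with its NTSTATUS return, turns the three action values into an enum, and enables the privilege through the documented token APIs before calling, defaulting to a dry run that only reports whether the call could succeed. The names ShutdownExample, TryEnableShutdownPrivilege and the --really-reboot switch are my own; the Win32 and ntdll declarations are real.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not from the original post: NtShutdownSystem with its NTSTATUS return,
// the SHUTDOWN_ACTION values from the post, and an SeShutdownPrivilege check up front.
static class ShutdownExample
{
    public enum ShutdownAction { NoReboot = 0, Reboot = 1, PowerOff = 2 }

    [DllImport("ntdll.dll")]
    static extern int NtShutdownSystem(ShutdownAction action);   // returns NTSTATUS

    // Documented advapi32/kernel32 token APIs.
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, int bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // LUID is two 32-bit halves so the struct keeps the native 4-byte alignment.
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public int PrivilegeCount; public LUID Luid; public int Attributes; }

    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008;
    const int SE_PRIVILEGE_ENABLED = 0x0002;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    // Returns true only when SeShutdownPrivilege is present in our token and is now enabled.
    public static bool TryEnableShutdownPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, "SeShutdownPrivilege", out tp.Luid))
                throw new Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            // AdjustTokenPrivileges reports success even when the privilege is missing
            // from the token; ERROR_NOT_ALL_ASSIGNED in the last error tells the two apart.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    static void Main(string[] args)
    {
        if (!TryEnableShutdownPrivilege())
        {
            Console.WriteLine("SeShutdownPrivilege not held: NtShutdownSystem would return STATUS_PRIVILEGE_NOT_HELD.");
            return;
        }
        // Dry run by default; the reboot (the post's NtShutdownSystem(1)) only happens on explicit request.
        if (args.Length == 1 && args[0] == "--really-reboot")
        {
            int status = NtShutdownSystem(ShutdownAction.Reboot);
            Console.WriteLine("NtShutdownSystem returned 0x{0:X8}", status);   // only reached if it failed
        }
        else
        {
            Console.WriteLine("Privilege enabled; the call would succeed. Rerun with --really-reboot to reboot.");
        }
    }
}
```

The privilege check is also the mitigation side of this trick: on servers the “Shut down the system” user right is not granted to ordinary users by default, so a non-privileged process gets STATUS_PRIVILEGE_NOT_HELD and nothing happens, which is exactly the failure the void declaration in the post would hide.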
As a matter of fact, there are many undocumented features and lots of cool tricks that can be used to further enrich and protect our programs. Just remember that with great power comes even greater responsibility!
Who would have thought that such abilities lay deep inside our OS? And, there is so much more! So stay tuned for more cool features and tricks and let me know how your experiments turn out. See you next time!
Gilad Ofir, Application Security Consultant, AppSec Labs
My Linkedin page : il.linkedin.com/pub/gilad-ofir/19/599/449/en