applecider

Reputation: 310

Blocking System Shutdown for Malware Analysis Without SSDT Hooks

I have a malware sandbox that worked by disabling PatchGuard so that SSDT functions could be hooked by a driver, but in Windows 11 it appears this won't be possible anymore due to Secure Boot.

I have found that there appears to be no sanctioned way to completely prevent a system shutdown (without hooking SSDT functions).

The only things I can find are:

None of these will 100% block malware from shutting down the VM, which prevents my software from finishing its job and preparing a report.

Is my best option just to delay the shutdown so I can wrap up the scan, then allow it to shut down anyway?

Upvotes: 0

Views: 24
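The "delay, wrap up, then let it go" option the question ends on has a documented user-mode mechanism on Windows: a top-level window vetoes WM_QUERYENDSESSION and registers a reason with ShutdownBlockReasonCreate, then releases the hold once its work is done. The script below is an added example written for this page, not code from the asker's sandbox; it assumes Windows PowerShell 5.1 running inside the interactive session of the analysis VM, and the report path and the wrap-up scriptblock are placeholders for the real report writer.

```powershell
# Added example, not from the question: a sandbox-agent stub that uses the documented
# Win32 shutdown-hold mechanism (WM_QUERYENDSESSION veto + ShutdownBlockReasonCreate)
# to delay a non-forced shutdown until the report is flushed, then lets it proceed.
# Assumptions: Windows PowerShell 5.1, interactive session of the analysis VM.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -ReferencedAssemblies System.Windows.Forms, System.Drawing -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

// Invisible top-level window. WM_QUERYENDSESSION is only delivered to top-level windows
// in the interactive session, so the agent has to run there (not as a service).
public class ShutdownHoldWindow : Form
{
    const int WM_QUERYENDSESSION = 0x0011;

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ShutdownBlockReasonCreate(IntPtr hWnd, string reason);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool ShutdownBlockReasonDestroy(IntPtr hWnd);

    // Supplied by the caller: returns true once the report is written and shutdown may proceed.
    public Func<bool> TryFinishReport;

    public ShutdownHoldWindow(string reason)
    {
        ShowInTaskbar = false;
        IntPtr h = Handle;                    // forces window creation before the loop starts
        ShutdownBlockReasonCreate(h, reason); // text Windows shows in the shutdown UI
    }

    // Never actually show the window; it only exists to receive messages.
    protected override void SetVisibleCore(bool value) { base.SetVisibleCore(false); }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_QUERYENDSESSION)
        {
            bool done = TryFinishReport == null || TryFinishReport();
            if (done) ShutdownBlockReasonDestroy(Handle);
            // FALSE vetoes this (non-forced) shutdown request; TRUE lets it continue.
            m.Result = done ? new IntPtr(1) : IntPtr.Zero;
            return;
        }
        base.WndProc(ref m);
    }
}
'@

$reportPath = Join-Path $env:TEMP 'sandbox-report.json'   # placeholder output path
$window = New-Object ShutdownHoldWindow 'Sandbox agent: finalizing analysis report'
$window.TryFinishReport = [Func[bool]]{
    # Placeholder for the real wrap-up: collect what was observed and flush it to disk.
    @{ finishedAt = (Get-Date).ToString('o'); trigger = 'shutdown requested in guest' } |
        ConvertTo-Json | Set-Content -Path $reportPath
    return (Test-Path $reportPath)   # true releases the hold; false keeps vetoing
}
[System.Windows.Forms.Application]::Run($window)   # pumps messages until the window closes
```

Two limits to keep in mind when relying on this. It only intercepts shutdowns that go through the session-end path (the Start menu, shutdown.exe without /f, ExitWindowsEx without EWX_FORCE); a forced shutdown, a power-off, or a kernel-initiated one never asks the window, which is exactly why it delays rather than blocks. And since the hold lives in the guest, the more robust place to guarantee a report is the host side, for example having the hypervisor snapshot or dump the VM when it observes the guest going down.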

Answers (0)
