Removing Forced Reboot From An EXE

I had a process I wanted to execute during a number of tasks. This process had a command line argument “–reboot” which forced an immediate reboot, and if you tried to run the command without the “–reboot” option you were given the error “You must specify –reboot option”.

But we wanted to control when the reboot occurred.

Using IDA Pro it is relatively easy to remove the reboot. Some programs launch shutdown.exe to initiate the shutdown/restart, but in this case the program called the Windows API function ExitWindowsEx.

Opening the EXE in IDA Pro, we find ExitWindowsEx in the import table and double-click it.

[screenshot: ExitWindowsEx in the IDA import table]

With ExitWindowsEx selected, we hit ‘X’ (or right-click and select Jump to xref to operand).

[screenshot: Jump to xref to operand]


From here we can see there are two different locations that call this API:

[screenshot: the two cross-references to ExitWindowsEx]


Clicking the locations, we find code like this:

[screenshot: the push / call / test eax, eax sequence]

The two push instructions set up the parameters for ExitWindowsEx, and the test eax, eax instruction checks its return value. Looking up the ExitWindowsEx function in MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/aa376868(v=vs.85).aspx), we can see it returns a nonzero value (TRUE) if the call was successful.

In this program, if the restart fails it rolls back its changes, so we need to make it believe the reboot succeeded: we will set eax to 1 in place of the call.

We select the push eax instruction, then choose the Assemble option.

[screenshot: the Assemble option]

We enter our replacement code (setting eax to 1):

[screenshot: entering the replacement instruction]

We then keep inserting nop instructions until we reach the test eax, eax instruction, so that the call and the two push instructions that set up its arguments are all overwritten. (ExitWindowsEx is a stdcall function that pops its own arguments; with the call removed, the arguments must not be pushed either, or the stack would be left unbalanced.)

[screenshot: nop instructions up to test eax, eax]

We then choose Apply patches to input file, which writes the changed bytes back to the EXE.

[screenshot: Apply patches to input file]
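The same patch expressed as a script, as an added example that is not from the original post: it searches a 32-bit x86 code buffer for the `push; push; call dword ptr [IAT slot]; test eax, eax` shape seen in IDA above and overwrites the push/call span with `mov eax, 1` followed by nop padding, which is the byte-level result of the Assemble steps. The IAT slot address (0x00402010), the decoy import slot and the code bytes are all constructed for the demonstration; in a real binary you read the slot address from IDA's import table and run the search over the .text section (offsets here are relative to the buffer, not file or virtual addresses).

```python
"""
Added example (not from the original post): replace a stdcall to ExitWindowsEx
with `mov eax, 1`, so the caller's `test eax, eax` sees "reboot succeeded".

Pattern matched (32-bit x86, as in the post's IDA screenshots):

    push <dwReason>            ; second argument
    push <uFlags>              ; first argument
    call dword ptr [IAT slot]  ; FF 15 <addr32>  -> ExitWindowsEx
    test eax, eax              ; 85 C0

ExitWindowsEx is stdcall (the callee pops its arguments), so removing only the
call would leave two stale dwords on the stack; the pushes are overwritten too,
exactly as the post does by nop-filling from the first push to the test.
"""
import struct

MOV_EAX_1 = b"\xB8\x01\x00\x00\x00"   # mov eax, 1   (5 bytes)
NOP = b"\x90"
CALL_MEM32 = b"\xFF\x15"              # call dword ptr [imm32]
TEST_EAX_EAX = b"\x85\xC0"            # test eax, eax


def decode_push(code, off):
    """Return the length of a push instruction at `off`, or 0 if there is none.
    Only the encodings compilers emit for argument setup are handled:
    push r32 (50..57), push imm8 (6A ib) and push imm32 (68 id)."""
    if off >= len(code):
        return 0
    op = code[off]
    if 0x50 <= op <= 0x57:
        return 1
    if op == 0x6A and off + 2 <= len(code):
        return 2
    if op == 0x68 and off + 5 <= len(code):
        return 5
    return 0


def find_call_sites(code, iat_slot, arg_count=2):
    """Find every `push x arg_count; call [iat_slot]; test eax, eax` sequence.
    Returns (start, call_end) pairs: the bytes in that half-open range are the
    argument setup plus the call, i.e. exactly the span that must be replaced."""
    target = CALL_MEM32 + struct.pack("<I", iat_slot)
    sites = []
    for start in range(len(code)):
        off = start
        ok = True
        for _ in range(arg_count):
            n = decode_push(code, off)
            if n == 0:
                ok = False
                break
            off += n
        if not ok:
            continue
        call_end = off + len(target)
        if code[off:call_end] != target:
            continue
        if code[call_end:call_end + 2] != TEST_EAX_EAX:
            continue
        sites.append((start, call_end))
    return sites


def patch_call_sites(code, iat_slot, arg_count=2):
    """Overwrite each matched span with `mov eax, 1` plus nop padding up to the
    `test eax, eax`, so control flow takes the 'reboot succeeded' path.
    Returns the patched bytes and the list of spans that were changed."""
    patched = bytearray(code)
    sites = find_call_sites(code, iat_slot, arg_count)
    for start, call_end in sites:
        span = call_end - start
        # A `call [imm32]` alone is 6 bytes, so the span always fits mov eax, 1.
        patched[start:call_end] = MOV_EAX_1 + NOP * (span - len(MOV_EAX_1))
    return bytes(patched), sites


# Constructed sample: two calls through the (assumed) ExitWindowsEx IAT slot
# 0x00402010 and one decoy call through another slot that must be left alone.
EXITWINDOWSEX_SLOT = 0x00402010
SAMPLE_CODE = bytes.fromhex(
    "6A00"            # push 0                ; dwReason
    "6A06"            # push 6                ; EWX_REBOOT (2) | EWX_FORCE (4)
    "FF1510204000"    # call ds:ExitWindowsEx
    "85C0"            # test eax, eax
    "7405"            # jz   rollback
    "5051"            # push eax / push ecx   ; decoy arguments
    "FF1514204000"    # call ds:SomeOtherImport (slot 0x00402014, constructed)
    "85C0"            # test eax, eax
    "50"              # push eax              ; dwReason held in eax (as in the post)
    "51"              # push ecx              ; uFlags held in ecx
    "FF1510204000"    # call ds:ExitWindowsEx
    "85C0"            # test eax, eax
    "C3"              # ret
)

if __name__ == "__main__":
    patched, sites = patch_call_sites(SAMPLE_CODE, EXITWINDOWSEX_SLOT)
    for start, end in sites:
        print(f"patched offsets {start:#06x}-{end:#06x}: {patched[start:end].hex(' ')}")
```

Running it reports the two spans that were rewritten and leaves the decoy call untouched, because the slot address in the `call` is part of the match. The same check that found the spans can be run afterwards over the patched buffer to confirm nothing still calls the slot.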

Our program no longer forces a reboot, and we can control when the reboot occurs.

Before doing this type of patch you should understand the implications and what you might break by eliminating this forced reboot…

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
