flat assembler
Message board for the users of flat assembler.
Windows > A 150-byte Win32 Program Which can Shutdown your Window XP
chris 07 Apr 2006, 15:59
Finally got some time to finish this tiny program.
It has only 159 bytes and (tested on my laptop) can shut down Windows XP in just a second or two. The program doesn't have an import table, and no hardcoded API function calls are used. The idea behind it is to use the sysenter instruction to call the NtShutdownSystem service, just like a system call in the old DOS days. However, before you can successfully call the system service, SeShutdownPrivilege must be enabled in the security token of the process. This is done by another two sysenter calls, namely NtOpenProcessToken and NtAdjustPrivilegesToken.

There is a small problem: when you call NtAdjustPrivilegesToken, the privilege value (a LUID) for SeShutdownPrivilege must be obtained first, as a parameter. This is normally done by the Win32 API LookupPrivilegeValue in advapi32.dll. However, in my program, a constant value 0x13 is used. This is by observation - it seems that those privilege values range from 0x2 to 0x1e and do not change on a standalone machine, but I am not sure about this. Does anyone have some further information about this issue?

NOTE: As a reminder for any member who wants to test this program on your computer: make sure you have quit all your applications, since the NtShutdownSystem service doesn't inform user-mode applications that a system shutdown is in progress, and this might cause loss of data.

[update] It is 150 bytes now, see below.
Last edited by chris on 10 Apr 2006, 02:36; edited 1 time in total
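An added example (my code, not from the thread): the documented Win32 route to the privilege setup described in the post above, which also settles the LUID question. Privilege LUIDs are not assigned at runtime; they are the fixed SE_*_PRIVILEGE constants from the kernel headers (ntifs.h), and SE_SHUTDOWN_PRIVILEGE is 19, i.e. 0x13, so LookupPrivilegeValue returns the same value on every NT-based machine. The script confirms that with LookupPrivilegeValue, then enables the privilege in the current process token the way the program does with NtOpenProcessToken and NtAdjustPrivilegesToken (the TOKEN_PRIVILEGES it passes is the same {1, {0x13, 0}, SE_PRIVILEGE_ENABLED} block). It deliberately stops short of any shutdown call. The class name TokenPriv is my own; the P/Invoke signatures are the documented advapi32/kernel32 ones.

```powershell
# Added example, not code from the thread. Looks up the SeShutdownPrivilege LUID
# and enables the privilege in this process token; it never calls NtShutdownSystem.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class TokenPriv   // helper class name is my own
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // PrivilegeCount followed by one LUID_AND_ATTRIBUTES, the same 16-byte block
    // the tiny program builds on the stack with push 2 / push 0 / push 0x13 / push 1.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES
    {
        public uint PrivilegeCount;
        public LUID Luid;
        public uint Attributes;
    }

    public const uint TOKEN_ADJUST_PRIVILEGES = 0x20;
    public const uint SE_PRIVILEGE_ENABLED    = 0x2;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();   // the -1 pseudo handle the program pushes

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@

# 1. LUID lookup. SeShutdownPrivilege is SE_SHUTDOWN_PRIVILEGE = 19 = 0x13 in the kernel
#    headers, so this prints 0x13 and matches the constant the post hardcodes.
$luid = New-Object 'TokenPriv+LUID'
if (-not [TokenPriv]::LookupPrivilegeValue($null, 'SeShutdownPrivilege', [ref]$luid)) {
    throw "LookupPrivilegeValue failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
'SeShutdownPrivilege LUID = 0x{0:x} (hardcoded in the post: 0x13)' -f $luid.LowPart

# 2. Enable it: the documented equivalent of NtOpenProcessToken(-1, TOKEN_ADJUST_PRIVILEGES, &h)
#    followed by NtAdjustPrivilegesToken(h, FALSE, &tp, 0, NULL, NULL).
$token = [IntPtr]::Zero
if (-not [TokenPriv]::OpenProcessToken([TokenPriv]::GetCurrentProcess(),
        [TokenPriv]::TOKEN_ADJUST_PRIVILEGES, [ref]$token)) {
    throw "OpenProcessToken failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $tp = New-Object 'TokenPriv+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1
    $tp.Luid           = $luid
    $tp.Attributes     = [TokenPriv]::SE_PRIVILEGE_ENABLED
    $ok  = [TokenPriv]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # AdjustTokenPrivileges returns TRUE even when nothing was enabled; the answer is in GetLastError.
    if ($ok -and $err -eq 0) {
        'SeShutdownPrivilege is now enabled in this token; NtShutdownSystem would be allowed.'
    } elseif ($err -eq [TokenPriv]::ERROR_NOT_ALL_ASSIGNED) {
        'SeShutdownPrivilege is not held by this token; NtShutdownSystem would fail with STATUS_PRIVILEGE_NOT_HELD.'
    } else {
        throw "AdjustTokenPrivileges failed, Win32 error $err"
    }
} finally {
    [void][TokenPriv]::CloseHandle($token)
}

# 3. Cross-check from outside the script: the privilege should now show as Enabled.
whoami /priv | Select-String SeShutdownPrivilege
```

The third step relies on whoami /priv, which ships with Windows since Vista; on XP it is only in the Support Tools. Enabling the privilege is per process and is undone when the shell exits.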
blacky 07 Apr 2006, 16:36
nice one mate!
Ivan2k2 08 Apr 2006, 10:05
Hi chris
Your tiny program can be even smaller. I've optimized it and reduced the size to 152 bytes.
chris 08 Apr 2006, 12:48
Hey, thank you Ivan2k2. I didn't realize that 'push NtShutDownSystem' (opcode: 68 F9 00 00 00) could be used as a valid value for heap commit, that a lot of 'push 0' could be reduced to 'push ebx' with ebx=0, and that the value of heap reserve is not so important for Win32 applications.
I have revised this program and made it only 150 bytes (removed an unnecessary near jmp from your revision). Hope it is really small this time; thanks again.
chris 09 Apr 2006, 02:58
Hi, LocoDelAssembly. The sysenter call is essentially an interrupt (actually the only one that can be used in user mode). Since OllyDbg cannot trace into kernel mode, it wouldn't be able to break at the appropriate point.
The above code is equivalent to calling the native API ZwShutdownSystem in ntdll.dll, which is not documented by Microsoft. However, if you google it, you will find that device drivers registered for shutdown notification are aware of this action, but Win32 applications and services are not. So for FAT32 file system drivers, my guess is that they should be aware of this kind of shutdown, and for NTFS I can almost be sure that they are. NTFS uses more sophisticated countermeasures to prevent data loss even in case of power failure or disk I/O failure, so don't worry.
TDCNL 09 Apr 2006, 13:57
So we should first shut down those of our programs which we know may be writing at the moment, and then it's safe to shut down with this tiny tool?
_________________ :: The Dutch Cracker ::
LocoDelAssembly 09 Apr 2006, 22:02
Hi, chris. My problem was that I pressed Ctrl+F9 too many times, so I ran the program without any stops... The second time I was more cautious: I manually set a breakpoint at 000400C and changed the call to the shutdown function into an infinite loop as a second safety measure.
Well, if you are right that drivers are notified of this API function, then it's safe for file systems to use this function, but of course it's bad for processes that need to be notified. Well, in fact I think that it is the responsibility of the cache manager to flush buffers when someone executes the shutdown function, isn't it? Thanks for the info chris. Regards
vid 10 Apr 2006, 00:12
rename thread to "150 byte..."
chris 10 Apr 2006, 02:36
vid wrote: rename thread to "150 byte..."
Okay, updated.
weiss 12 Apr 2006, 18:01
interesting.
UCM 12 Apr 2006, 20:21
Very.
I tried it and the computer turned off in about 3 seconds, faster than using the power button.
_________________ This calls for... Ultra CRUNCHY Man! Ta da!! *crunch*
cod3b453 13 Apr 2006, 17:33
I've never heard of sysenter... I'll try it later on my laptop.
Borsuc 13 Apr 2006, 17:36
Windows 98 turns off pretty quick too.
I don't know what XP really does so much at shutdown. Probably another bloated (or unnecessary) thing. Maybe it's damn-checking things 100 times, or I simply don't know.
Ivan2k2 14 Apr 2006, 08:12
Here I am again, with 147 bytes.
I've optimized this code even more =)))) (tested only on my PC). It seems that some fields in the PE header are not necessary or not so important...
TDCNL 14 Apr 2006, 08:13
Nice optimizations, but... which APIs and which arguments are really in the executable? It's a little hard to see.
_________________ :: The Dutch Cracker ::
TDCNL 14 Apr 2006, 08:14
The_Grey_Beast wrote: Windows 98 turns off pretty quick too.
It's trying to nicely shut down the programs which were still running, and trying to shut down its services.
_________________ :: The Dutch Cracker ::
Ancient One 16 Apr 2006, 03:57
Using the original idea, but this time only 104 bytes! Here's the code:
Code:
;tested only in XP SP2
;/-----------------------------------------------------------------------------\
; File   : shutdown.asm.
; Author : Ancient One.
;\-----------------------------------------------------------------------------/
; The whole program is the PE header itself: the code lives in header fields the
; XP loader does not check (the "holes"), chained together with short jmps.
; Native call convention used by the shared sysenter stub at the end: eax = service
; index, edx = esp, and the kernel reads the arguments from [edx+8]; so one dummy
; dword is pushed before each 'call edi' to stand in for the ntdll stub's return slot,
; and the call's own return address fills the other one.

define imageBase 0x10000

ShutdownPowerOff        = 2
SeShutdownPrivilege     = 0x13          ; LUID hardcoded, as in chris's version
SE_PRIVILEGE_ENABLED    = 0x2
TOKEN_ADJUST_PRIVILEGES = 0x20

; system service indices (XP SP2)
NtAdjustPrivilegesToken = 011
NtOpenProcessToken      = 123
NtShutdownSystem        = 249

use32

dosHeader:
        dw 'MZ'
        dw 0                            ; the only two unused bytes in the file
ntHeader:
        dd 'PE'                         ; e_lfanew (file offset 0x3C) points here, see SectionAlignment
        dw 0x14c                        ; Machine = i386
        dw 0                            ; NumberOfSections
entryPoint:
_12_bytes:                              ; TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        mov     edi, _sysEnter+imageBase ; store 0xCC at _12_bytes
        mov     ebx, esp                ; ebx -> scratch dword that will receive the token handle
        push    ebx                     ; &TokenHandle
        push    TOKEN_ADJUST_PRIVILEGES ; DesiredAccess
        jmp     _08_bytes_a
        dw sizeof.optionalHeader
        dw 0x102                        ; Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
optionalHeader:
        dw 0x10b                        ; Magic = PE32
_14_bytes:                              ; LinkerVersion, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        call    edi                     ; NtOpenProcessToken(-1, TOKEN_ADJUST_PRIVILEGES, &hToken); eax = status (0)
        push    ShutdownPowerOff eax SeShutdownPrivilege 1 ; TOKEN_PRIVILEGES {1, {0x13, 0}, 2} built on the stack;
                                        ; the leading 2 doubles as the NtShutdownSystem argument later
        mov     ebp, esp                ; ebp -> TOKEN_PRIVILEGES
        push    eax                     ; ReturnLength = NULL
        jmp     _06_bytes
        dd entryPoint                   ; AddressOfEntryPoint
_08_bytes_a:                            ; BaseOfCode, BaseOfData
        push    (-1) ebx NtOpenProcessToken ; ProcessHandle = current process, dummy dword, service index
        pop     eax                     ; eax = NtOpenProcessToken
        jmp     _14_bytes
        dd imageBase                    ; ImageBase
        dd 4                            ; SectionAlignment, and at the same time e_lfanew = 4
        dd 4                            ; FileAlignment
_08_bytes_b:                            ; Major/MinorOperatingSystemVersion, Major/MinorImageVersion
        push    ebp                     ; dummy dword for the stub's return slot
        mov     al, NtAdjustPrivilegesToken
        call    edi                     ; NtAdjustPrivilegesToken(hToken, FALSE, &tp, 0, NULL, NULL)
        leave                           ; esp -> tp.Luid, so ShutdownPowerOff now sits at [esp+8]
        jmp     _xx_bytes
        dw 3                            ; MajorSubsystemVersion
_06_bytes:                              ; MinorSubsystemVersion, Win32VersionValue
        push    eax eax ebp eax         ; PreviousState = NULL, BufferLength = 0, NewState = &tp, DisableAllPrivileges = FALSE
        jmp     _04_bytes
        dd sizeof.image                 ; SizeOfImage
        dd sizeof.peHeaders             ; SizeOfHeaders
_04_bytes:                              ; CheckSum
        push    dword [ebx]             ; TokenHandle
        jmp     _08_bytes_b
        dw 2                            ; Subsystem = WINDOWS_GUI; the optional header ends here
sizeof.optionalHeader = $-optionalHeader
sizeof.peHeaders      = sizeof.optionalHeader

_xx_bytes:
        mov     al, NtShutdownSystem
_sysEnter:                              ; shared stub: eax = service index, [esp+8] = first argument;
        mov     edx, esp                ; the kernel returns through ntdll's KiFastSystemCallRet to the 'call edi' caller
        sysenter                        ; last pass: NtShutdownSystem(ShutdownPowerOff), never returns
sizeof.image = $
Ivan2k2 16 Apr 2006, 04:59
very very nice, Ancient One !!!!
Ancient One 16 Apr 2006, 05:25
Thanks..
It uses all the 'holes' in the PE headers, except the 2 bytes after the DOS header (needed to make e_lfanew and SectionAlignment share the same field). Maybe I should put 'A1' there... as my signature.
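An added example (my code, not from the thread) for the 104-byte listing and the 'holes' explanation above: it parses the file the way a loader would, by the standard header offsets, and then traces the short-jmp chain from the entry point to show exactly which header fields the code runs through and that none of the fields the loader relies on are overlapped. TINY_PE is my own hand-assembly of Ancient One's listing, constructed here from the field layout in the post (rebuild the listing with fasm to double-check the bytes); the values the checks rely on are the ones stated in the listing: e_lfanew = 4, entry point = 12, SectionAlignment = FileAlignment = 4, SizeOfOptionalHeader = SizeOfHeaders = 70, SizeOfImage = 104. The instruction-length table covers only the handful of opcodes the listing uses.

```python
"""Added example, not code from the thread: parse the 104-byte PE from Ancient
One's listing and trace which header fields its code runs through."""
import struct

# My hand-assembly of the listing (constructed here; verify with fasm).
TINY_PE = bytes.fromhex(
    "4d5a" "0000"                                        # 0: 'MZ', two unused bytes
    "50450000" "4c01" "0000"                             # 4: 'PE\0\0', Machine=0x14c, NumberOfSections=0
    "bf64000100" "89e3" "53" "6a20" "eb18"               # 12: code in TimeDateStamp..NumberOfSymbols
    "4600" "0201"                                        # 24: SizeOfOptionalHeader=70, Characteristics=0x102
    "0b01"                                               # 28: Magic=PE32
    "ffd7" "6a02" "50" "6a13" "6a01" "89e5" "50" "eb22"  # 30: code in LinkerVersion..SizeOfUninitializedData
    "0c000000"                                           # 44: AddressOfEntryPoint=12
    "6aff" "53" "6a7b" "58" "ebe6"                       # 48: code in BaseOfCode, BaseOfData
    "00000100"                                           # 56: ImageBase=0x10000
    "04000000"                                           # 60: SectionAlignment=4, which is also e_lfanew
    "04000000"                                           # 64: FileAlignment=4
    "55" "b00b" "ffd7" "c9" "eb16"                       # 68: code in OS/Image version fields
    "0300"                                               # 76: MajorSubsystemVersion=3
    "50505550" "eb08"                                    # 78: code in MinorSubsystemVersion, Win32VersionValue
    "68000000"                                           # 84: SizeOfImage=104
    "46000000"                                           # 88: SizeOfHeaders=70
    "ff33" "ebe4"                                        # 92: code in CheckSum
    "0200"                                               # 96: Subsystem=WINDOWS_GUI, end of optional header
    "b0f9" "89e2" "0f34"                                 # 98: mov al,249 ; mov edx,esp ; sysenter
)

# Fields whose values the loader relies on; the traced code must not land in them.
LOADER_FIELDS = {
    "PE signature": (4, 8), "Machine/NumberOfSections": (8, 12),
    "SizeOfOptionalHeader/Characteristics": (24, 28), "Magic": (28, 30),
    "AddressOfEntryPoint": (44, 48), "ImageBase": (56, 60),
    "e_lfanew/SectionAlignment": (60, 64), "FileAlignment": (64, 68),
    "SizeOfImage": (84, 88), "SizeOfHeaders": (88, 92), "Subsystem": (96, 98),
}


def parse_headers(img):
    """Read the loader-relevant fields by their standard PE offsets."""
    (e_lfanew,) = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections = struct.unpack_from("<HH", img, e_lfanew + 4)
    opt_size, characteristics = struct.unpack_from("<HH", img, e_lfanew + 20)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", img, opt)
    (entry,) = struct.unpack_from("<I", img, opt + 16)
    image_base, sect_align, file_align = struct.unpack_from("<III", img, opt + 28)
    size_image, size_headers = struct.unpack_from("<II", img, opt + 56)
    (subsystem,) = struct.unpack_from("<H", img, opt + 68)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
        "opt_size": opt_size, "characteristics": characteristics, "magic": magic,
        "entry": entry, "image_base": image_base, "section_align": sect_align,
        "file_align": file_align, "size_image": size_image,
        "size_headers": size_headers, "subsystem": subsystem,
    }


def insn_len(img, off):
    """Length of the instruction at off; only the opcodes the listing uses."""
    b = img[off]
    if b == 0xBF:
        return 5                              # mov edi, imm32
    if b in (0x89, 0xFF):
        return 2                              # mov r/m32,r32 ; call edi ; push dword [ebx]
    if b in (0x50, 0x53, 0x55, 0x58, 0xC9):
        return 1                              # push eax/ebx/ebp ; pop eax ; leave
    if b in (0x6A, 0xB0, 0xEB):
        return 2                              # push imm8 ; mov al,imm8 ; jmp rel8
    if b == 0x0F and img[off + 1] == 0x34:
        return 2                              # sysenter
    raise ValueError(f"unexpected opcode {b:#04x} at offset {off}")


def trace_static_path(img, entry):
    """Follow the code from the entry point, taking every short jmp and falling
    through 'call edi' (the stub returns to its caller). Returns the executed
    byte ranges in order, ending at the sysenter instruction."""
    ranges, start, off = [], entry, entry
    while True:
        n = insn_len(img, off)
        if img[off] == 0xEB:                  # jmp rel8: close this range, hop to the next hole
            (disp,) = struct.unpack_from("<b", img, off + 1)
            ranges.append((start, off + n))
            off = start = off + n + disp
            continue
        if img[off] == 0x0F:                  # sysenter: end of the static path
            ranges.append((start, off + n))
            return ranges
        off += n


def fields_hit_by_code(ranges):
    """Loader-relevant fields overlapped by the code path (expected: none)."""
    return [name for name, (fs, fe) in LOADER_FIELDS.items()
            if any(s < fe and fs < e for s, e in ranges)]


if __name__ == "__main__":
    hdr = parse_headers(TINY_PE)
    print({k: hex(v) for k, v in hdr.items()})
    path = trace_static_path(TINY_PE, hdr["entry"])
    print("code ranges:", path, "=", sum(e - s for s, e in path), "bytes of code")
    print("loader fields overlapped by code:", fields_hit_by_code(path))
```

The trace visits the holes in the order the listing chains them (12..24, 48..56, 30..44, 78..84, 92..96, 68..76, 98..104): 58 of the 104 bytes are code and 46 are header values, and the only field that is both is SectionAlignment, whose value 4 is read a second time as e_lfanew. Checking `fields_hit_by_code` against a candidate layout is the quick way to see whether a new squeeze has stepped on a field the loader actually validates.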
Copyright © 1999-2024, Tomasz Grysztar.