flat assembler
Message board for the users of flat assembler.

Index > Windows > A 150-byte Win32 Program Which can Shutdown your Window XP

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
chris



Joined: 05 Jan 2006
Posts: 62
Location: China->US->China->?
chris 07 Apr 2006, 15:59
Finally get sometime to finish this tiny program. Very Happy

It has only 159 bytes that (tested on my laptop) can shutdown the Windows XP in just a second or two. The program doesn't have an import table, and no hardcoded API function calles are used.

the idea behind it is to use sysenter instruction to call NtShutdownSystem service, just like what you do in the old DOS system call. However, before you can successfully call the system service, the SeShutdownPrivilege must be enabled in the security token of the process. This is done by another two sysenter calls, namely, NtOpenProcessToken and NtAdjustPrivilegesToken.

there is a small problem that, when you call NtAdjustPrivilegesToken, as a parameter, the privilege value(a LUID) for SeShutdownPrivilege must be obtained at first. This is normally done by Win32 API LookupPrivillegeValue in advapi32.dll. However, in my program, a constant value 0x13 is used. This is by observation - it seems that those privilege values range from 0x2 to 0x1e and do not change on a standalone machine, but I am not sure about this, anyone has some further information about this issue?

NOTE: As a reminder for any member who wants to test this program on your computer. Make sure you have quit all your applications, since the NtShutdwonSystem service doesn't inform user mode applications that a system shutdown is in progress, this might cause your loss of data.

[update] it is 150 bytes now, see below.


Description:
Download
Filename: shutd0wn.zip
Filesize: 1.25 KB
Downloaded: 639 Time(s)



Last edited by chris on 10 Apr 2006, 02:36; edited 1 time in total
Post 07 Apr 2006, 15:59
View user's profile Send private message Reply with quote
blacky



Joined: 06 Apr 2006
Posts: 32
Location: JA
blacky 07 Apr 2006, 16:36
nice one mate! Smile
Post 07 Apr 2006, 16:36
View user's profile Send private message MSN Messenger Reply with quote
Ivan2k2



Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk
Ivan2k2 08 Apr 2006, 10:05
Hi chris
Your tiny program can be even smaller.
I've optimized and reduced size to 152 bytes


Description:
Download
Filename: shutd0wn152.zip
Filesize: 1.36 KB
Downloaded: 520 Time(s)

Post 08 Apr 2006, 10:05
View user's profile Send private message ICQ Number Reply with quote
chris



Joined: 05 Jan 2006
Posts: 62
Location: China->US->China->?
chris 08 Apr 2006, 12:48
Hey, thank you Ivan2k2, I didn't realize that 'push NtShutDownSystem'(opcode: 68f9000000) could be used as a valid value for heap commit, and also a lot of 'push 0' could be reduced to 'push ebx' for ebx=0, and the value of heap reserve is not so important for Win32 applications. Embarassed

I have revised this program and made it only 150 bytes(removed an unnecessary near jmp from your revision). Hope it is really small this time, thanks again. Very Happy


Description:
Download
Filename: shutd0wn150.zip
Filesize: 1.28 KB
Downloaded: 564 Time(s)

Post 08 Apr 2006, 12:48
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 08 Apr 2006, 12:49
I used it with OllyDbg but I traced it wrong and my computer had shutdown it self in less than two seconds Razz

is NtShutdownSystem equivalent to unplug the computer or it flush all buffers to disk and makes sure to remain the file system consistent? It's clear that it doesn't terminates all proceses nor close the session gracefully but I wish to know if at least flush the buffers.

Regards
Post 08 Apr 2006, 12:49
View user's profile Send private message Reply with quote
chris



Joined: 05 Jan 2006
Posts: 62
Location: China->US->China->?
chris 09 Apr 2006, 02:58
Hi, locodelassembly. the sysenter call is essentially an interrupt(actually the only one that can be used in user mode). Since ollydbg can not trace into kernel mode, it wouldn't be able to break at the appropriate point.

The above code is equivalent to call the native API ZwShutdownSystem in ntdll.dll which is not documented by Microsoft. However, if you google it, you will find that device drivers registered for shutdown notification are aware of this action, but Win32 applications and services are not.

So for FAT32 file system drivers, my guess is, they should be aware of this kind of shutdown, and for NTFS, I can almost be sure that they are. NTFS uses more sophisticated countermeasures to prevent data loss in case of even power failure or disk i/o failure, so don't worry. Wink
Post 09 Apr 2006, 02:58
View user's profile Send private message Reply with quote
TDCNL



Joined: 25 Jan 2006
Posts: 56
TDCNL 09 Apr 2006, 13:57
So we should first shutdown our programs of which we know they can be writing at the moment and then it's safe to shutdown with this tiny tool? Wink

_________________
:: The Dutch Cracker ::
Post 09 Apr 2006, 13:57
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Apr 2006, 22:02
Hi, chris. My problem was that I pressed Ctrl+F9 too much times so I ran the program without any stops... The second time I was more cautionous and I manually setted a breakpoint at 000400C and changed the call to the shutdown function with an infinite loop as a second safety measure Very Happy

Well if you are right about that drivers are notified of this API function then it's safe for file systems the use of this function but of course it's bad for processes that need to be notified. Well, in fact I think that this is responsibility of the cache manager to flush buffers when someone executes the shutdown function, isn't it?

Thanks for the info chris

Regards
Post 09 Apr 2006, 22:02
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 10 Apr 2006, 00:12
rename thread to "150 byte..."
Post 10 Apr 2006, 00:12
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
chris



Joined: 05 Jan 2006
Posts: 62
Location: China->US->China->?
chris 10 Apr 2006, 02:36
vid wrote:
rename thread to "150 byte..."


okey, updated. Smile
Post 10 Apr 2006, 02:36
View user's profile Send private message Reply with quote
weiss



Joined: 03 Jan 2006
Posts: 25
weiss 12 Apr 2006, 18:01
interesting.
Post 12 Apr 2006, 18:01
View user's profile Send private message Reply with quote
UCM



Joined: 25 Feb 2005
Posts: 285
Location: Canada
UCM 12 Apr 2006, 20:21
Very.
I tried it and the computer turned off in about 3 seconds, faster than using the power button Surprised

_________________
This calls for... Ultra CRUNCHY Man!
Ta da!! *crunch*
Post 12 Apr 2006, 20:21
View user's profile Send private message Reply with quote
cod3b453



Joined: 25 Aug 2004
Posts: 618
cod3b453 13 Apr 2006, 17:33
Exclamation i've never heard of sysenter...i'll try it later on my laptop Wink
Post 13 Apr 2006, 17:33
View user's profile Send private message Reply with quote
Borsuc



Joined: 29 Dec 2005
Posts: 2465
Location: Bucharest, Romania
Borsuc 13 Apr 2006, 17:36
Windows 98 turns off pretty quick too.

I don't know what XP really does so much at shutdown. probably another bloated (or unnecessary) thing. maybe it's damn-checking things 100 times, or I simply don't know.
Post 13 Apr 2006, 17:36
View user's profile Send private message Reply with quote
Ivan2k2



Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk
Ivan2k2 14 Apr 2006, 08:12
here me again with 147 bytes

i've optimized this code even more =)))) (tested only on my pc).
seems that some fields in pe-header are not necessary or not so important...


Description:
Download
Filename: shutd0wn147.zip
Filesize: 1.37 KB
Downloaded: 499 Time(s)

Post 14 Apr 2006, 08:12
View user's profile Send private message ICQ Number Reply with quote
TDCNL



Joined: 25 Jan 2006
Posts: 56
TDCNL 14 Apr 2006, 08:13
Nice optimizations, but... what API's and what arguments are really in the executable, it's a little hard to see?

_________________
:: The Dutch Cracker ::
Post 14 Apr 2006, 08:13
View user's profile Send private message Reply with quote
TDCNL



Joined: 25 Jan 2006
Posts: 56
TDCNL 14 Apr 2006, 08:14
The_Grey_Beast wrote:
Windows 98 turns off pretty quick too.

I don't know what XP really does so much at shutdown. probably another bloated (or unnecessary) thing. maybe it's damn-checking things 100 times, or I simply don't know.


It's trying to nicely shutdown programs which were still running and trying to shutdown it's services Wink

_________________
:: The Dutch Cracker ::
Post 14 Apr 2006, 08:14
View user's profile Send private message Reply with quote
Ancient One



Joined: 28 Feb 2005
Posts: 55
Ancient One 16 Apr 2006, 03:57
using the original idea, but this time only 104 bytes! here's the code
Code:
;tested only in XP SP2
;/-- ---------------------------------------------------------------------------\
;   File        : shutdown.asm.
;   Author      : Ancient One.
;\-----------------------------------------------------------------------------/

define imageBase 0x10000
ShutdownPowerOff=2
SeShutdownPrivilege=0x13
SE_PRIVILEGE_ENABLED=0x2
TOKEN_ADJUST_PRIVILEGES=0x20

NtAdjustPrivilegesToken=011
NtOpenProcessToken=123
NtShutdownSystem=249

use32
 dosHeader:
dw 'MZ'
dw 0

 ntHeader:
dd 'PE'
dw 0x14c
dw 0
entryPoint:
_12_bytes :
    mov     edi, _sysEnter+imageBase
    ;store 0xCC at _12_bytes
    mov     ebx, esp
    push    ebx
    push    TOKEN_ADJUST_PRIVILEGES
    jmp     _08_bytes_a
dw sizeof.optionalHeader
dw 0x102

 optionalHeader:
dw 0x10b

_14_bytes :
    call    edi
    push    ShutdownPowerOff eax SeShutdownPrivilege 1
    mov     ebp, esp
    push    eax
    jmp     _06_bytes
dd entryPoint

_08_bytes_a :
    push    (-1) ebx NtOpenProcessToken
    pop     eax
    jmp     _14_bytes

dd imageBase
dd 4
dd 4

_08_bytes_b :
    push    ebp
    mov     al, NtAdjustPrivilegesToken
    call    edi
    leave
    jmp     _xx_bytes

dw 3

_06_bytes :
    push    eax eax ebp eax
    jmp     _04_bytes

dd sizeof.image
dd sizeof.peHeaders

_04_bytes :
    push    dword [ebx]
    jmp     _08_bytes_b
dw 2
sizeof.optionalHeader = $-optionalHeader
sizeof.peHeaders = sizeof.optionalHeader
_xx_bytes:
    mov     al, NtShutdownSystem
_sysEnter:
    mov     edx, esp
    sysenter
sizeof.image=$

    
Post 16 Apr 2006, 03:57
View user's profile Send private message MSN Messenger Reply with quote
Ivan2k2



Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk
Ivan2k2 16 Apr 2006, 04:59
very very nice, Ancient One !!!!
Post 16 Apr 2006, 04:59
View user's profile Send private message ICQ Number Reply with quote
Ancient One



Joined: 28 Feb 2005
Posts: 55
Ancient One 16 Apr 2006, 05:25
thanks..
it use all the 'holes' in the pe headers, except the 2 bytes after dos header (needed to make _lfanew and sectionalignment share the same field). maybe i should put 'A1' there.. as my signature Smile.
Post 16 Apr 2006, 05:25
View user's profile Send private message MSN Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.