flat assembler
Message board for the users of flat assembler.

Windows forum thread: How to use InitiateSystemShutdown?
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
20 Feb 2017, 10:51
Hello guys, I am new to programming using flat assembler, although I have done a bit of basic MASM coding in the past. I believe I am still a newbie in all this. I have the following code that assembles but doesn't do what I intend, even after running it as admin.

Code:
include '%fasminc%\win32ax.inc'

.data
  msgTxt DB 'Restart PC?',0
  msgTitle DB 'idris'
.code
        start:
                invoke MessageBox, NULL, msgTxt, msgTitle, MB_YESNO
                cmp EAX, IDYES
                jne exit
                invoke  InitiateSystemShutdown, NULL, msgTxt, 10, FALSE, TRUE
        exit:
                invoke ExitProcess,0

.end start    


As a sidenote, I am looking to make friends with fellow assembly coders, whether newbies like me or anyone, that I can talk to directly to avoid flooding the boards with newbie threads like this. Thanks in advance.
revolution, "When all else fails, read the source" (Joined: 24 Aug 2004, Posts: 20481)
20 Feb 2017, 12:01
You'll need this:
MS docs wrote:
To shut down the local computer, the calling process must have the SE_SHUTDOWN_NAME privilege.
So you might need to add this privilege to the process.

NOTE: I didn't try it because I don't want to restart my PC.
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
20 Feb 2017, 12:44
Thanks sir, for the fast reply. I pointed out in the original OP that I ran the app as admin, hence it should have full privilege. How else can I go about granting the app the SE_SHUTDOWN privilege?
revolution (Joined: 24 Aug 2004, Posts: 20481)
20 Feb 2017, 13:02
The admin login does not necessarily have all privileges. But it does have the ability to add all privileges when needed.

Here is some code that might work for you:
Code:
enable_privilege:
    virtual at esp
        .hndle  dd      ?
        .tokens dd      ?
        .luid   dq      ?
        .attr   dd      ?
        .stack_size=$-$$
    end virtual
        sub     esp,.stack_size
        invoke  GetCurrentProcess
        invoke  OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES,addr .hndle
        test    eax,eax
        jz      .fail
        invoke  LookupPrivilegeValue,0,SE_SHUTDOWN_NAME,addr .luid
        test    eax,eax
        jz      .fail
        mov     [.tokens],1
        mov     [.attr],SE_PRIVILEGE_ENABLED
        mov     eax,[.hndle]
        invoke  AdjustTokenPrivileges,eax,0,addr .tokens+12,0,0,0
        test    eax,eax
        jz      .fail
        invoke  CloseHandle,[.hndle]
        add     esp,.stack_size
        clc
        ret
    .fail:
        invoke  CloseHandle,[.hndle]
        add     esp,.stack_size
        stc
        ret    
revolution (Joined: 24 Aug 2004, Posts: 20481)
20 Feb 2017, 13:07
Oh, BTW, the constants are:
Code:
SE_SHUTDOWN_NAME db 'SeShutdownPrivilege',0
TOKEN_ADJUST_PRIVILEGES = 0x0020
SE_PRIVILEGE_ENABLED    = 2    
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
22 Feb 2017, 05:46
Sir, thanks for your help. Well, I incorporated that in my code and the result is below.

Code:
   include '%fasminc%\win32ax.inc'

.data
  msgTxt DB 'Restart PC?',0
  msgTitle DB 'idris'
  virtual at esp
          .handle dd ?
          .tokens dd ?
          .luid dq ?
          .attr dd ?
          .stack_size = 25
  end virtual
   SE_SHUTDOWN_NAME db 'SeShutdownPrivilege', 0
   TOKEN_ADJUST_PRIVILEDGE = 0x0020
   TOKEN_ADJUST_PRIVILEDGE = 2
section '.code' readable writable executable

        start:
                sub esp, .stack_size
                invoke GetCurrentProcess
                invoke OpenProcessToken, EAX, TOKEN_ADJUST_PRIVILEDGES, addr .handle
                test eax, eax
                jz .fail
                invoke LookUpPrivilegeValue, 0, SE_SHUTDOWN_NAME, ADDR .luid
                test eax, eax
                jz  .fail
                mov [.tokens], 1
                mov [.attr] , SE_PRIVILEGE_ENABLED
                mov eax, [.handle]
                invoke AdjusTokenPrivilges, eax, 0, addr .tokens+12, 0, 0, 0
                test eax, eax
                jz .fail
                invoke CloseHandle, [.handle]
                add esp, stack_size
                clc
                ret

                invoke MessageBox, NULL, msgTxt, msgTitle, MB_YESNO
                cmp EAX, IDYES
                jne exit
                invoke  InitiateSystemShutdown, NULL, msgTxt, 10, FALSE, TRUE
        exit:
                invoke ExitProcess,0
        fail:
                invoke CloseHandle, [.handle]
                add esp, stack_size
                stc
                ret

.end start    


When I try to assemble, I get this error:

Code:
Error: Undefined symbol 'start.stack_size'    
revolution (Joined: 24 Aug 2004, Posts: 20481)
22 Feb 2017, 05:53
To use the code like that you have to move the virtual block after the start label.

But I suggest you don't try to incorporate the code like that. Instead just leave it as a separate function that you call from the main entry.
revolution (Joined: 24 Aug 2004, Posts: 20481)
22 Feb 2017, 05:57
Maybe like this:
Code:
include '%fasminc%\win32ax.inc'

TOKEN_ADJUST_PRIVILEGES = 0x0020
SE_PRIVILEGE_ENABLED    = 2

.data

        msgTxt                  db 'Restart PC?',0
        failTxt                 db 'Cannot get Shutdown Privilege',0
        msgTitle                db 'idris',0
        SE_SHUTDOWN_NAME        db 'SeShutdownPrivilege',0

.code

        start:
                invoke  MessageBox, NULL, msgTxt, msgTitle, MB_YESNO
                cmp     EAX, IDYES
                jne     exit
                stdcall enable_privilege
                jc      fail
                invoke  InitiateSystemShutdown, NULL, msgTxt, 10, FALSE, TRUE
        exit:
                invoke ExitProcess,0
        fail:
                invoke  MessageBox, NULL, failTxt, msgTitle, NULL
                jmp     exit


enable_privilege:
    virtual at esp
        .hndle  dd      ?
        .tokens dd      ?
        .luid   dq      ?
        .attr   dd      ?
        .stack_size=$-$$
    end virtual
        sub     esp,.stack_size
        invoke  GetCurrentProcess
        invoke  OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES,addr .hndle
        test    eax,eax
        jz      .fail
        invoke  LookupPrivilegeValue,0,SE_SHUTDOWN_NAME,addr .luid
        test    eax,eax
        jz      .fail
        mov     [.tokens],1
        mov     [.attr],SE_PRIVILEGE_ENABLED
        mov     eax,[.hndle]
        invoke  AdjustTokenPrivileges,eax,0,addr .tokens+12,0,0,0
        test    eax,eax
        jz      .fail
        invoke  CloseHandle,[.hndle]
        add     esp,.stack_size
        clc
        ret
    .fail:
        invoke  CloseHandle,[.hndle]
        add     esp,.stack_size
        stc
        ret

.end start    
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
22 Feb 2017, 06:49
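The complete program above enables SeShutdownPrivilege with OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges. The following is an added example, not code from the thread: the same routine done with Python's ctypes, which shows the 16-byte TOKEN_PRIVILEGES layout that the `.tokens` / `.luid` / `.attr` dwords of the `virtual at esp` block spell out, and adds one check the assembly version skips. AdjustTokenPrivileges returns nonzero even when it could not enable the privilege (for example when the token never held it, as for a non-elevated user); the only signal is GetLastError returning ERROR_NOT_ALL_ASSIGNED (1300), so `test eax,eax / jz .fail` alone is not enough. The Windows calls run only on win32 (the `W` variant of LookupPrivilegeValue is used, and `ctypes.FormatError` turns an error code into text, which is what the later MessageBox attempt needed); the packing and the result check are plain Python. `build_token_privileges`, `adjust_succeeded`, `enable_privilege` and `describe_error` are names chosen for this example.

```python
"""Added example: enable SeShutdownPrivilege on the current process token,
mirroring the fasm enable_privilege routine, plus the ERROR_NOT_ALL_ASSIGNED
check.  Win32 calls are made only on Windows."""
import ctypes
import struct
import sys

# Constants from winnt.h / winerror.h (the first three appear in the thread)
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008
SE_PRIVILEGE_ENABLED = 0x00000002
SE_SHUTDOWN_NAME = "SeShutdownPrivilege"
ERROR_NOT_ALL_ASSIGNED = 1300


def build_token_privileges(luid, attributes=SE_PRIVILEGE_ENABLED):
    """Serialize a one-entry TOKEN_PRIVILEGES (16 bytes).

    Same layout as the .tokens / .luid / .attr dwords of the fasm virtual
    block: DWORD PrivilegeCount, LUID Luid (8 bytes, LowPart first),
    DWORD Attributes.  '<' disables padding so the size is exactly 4+8+4.
    """
    return struct.pack("<IQI", 1, luid, attributes)


def parse_token_privileges(blob):
    """Inverse of build_token_privileges: (count, luid, attributes)."""
    return struct.unpack("<IQI", blob[:16])


def adjust_succeeded(returned_nonzero, last_error):
    """AdjustTokenPrivileges reports success even when it enabled nothing;
    the token simply lacked the privilege and GetLastError says so."""
    return bool(returned_nonzero) and last_error != ERROR_NOT_ALL_ASSIGNED


def enable_privilege(name=SE_SHUTDOWN_NAME):
    """Enable `name` on the current process token.

    Returns (ok, win32_error).  Outside Windows returns (False, None)."""
    if sys.platform != "win32":
        return False, None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    advapi32.OpenProcessToken.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.LookupPrivilegeValueW.argtypes = [
        ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint64)]
    advapi32.AdjustTokenPrivileges.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32,
        ctypes.c_void_p, ctypes.c_void_p]

    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        return False, ctypes.get_last_error()
    try:
        luid = ctypes.c_uint64()  # LUID received as one 8-byte value
        if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
            return False, ctypes.get_last_error()
        new_state = ctypes.create_string_buffer(
            build_token_privileges(luid.value))
        rc = advapi32.AdjustTokenPrivileges(token, 0, new_state, 0, None, None)
        err = ctypes.get_last_error()   # ERROR_SUCCESS or ERROR_NOT_ALL_ASSIGNED
        return adjust_succeeded(rc, err), err
    finally:
        kernel32.CloseHandle(token)     # only closed when it was actually opened


def describe_error(code):
    """Turn a GetLastError value into text instead of showing the raw number."""
    if sys.platform == "win32":
        return ctypes.FormatError(code)
    return "Win32 error %d" % code


if __name__ == "__main__":
    ok, err = enable_privilege()
    print("SeShutdownPrivilege enabled" if ok else describe_error(err or 0))
```

Run it elevated and it reports success; run it as a standard user and it reports ERROR_NOT_ALL_ASSIGNED, which is the case the thread's `jz .fail` would silently treat as success before InitiateSystemShutdown then fails with access denied.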
Wow, learned new stuff already. This code now assembles:

Code:
 include '%fasminc%\win32ax.inc'


   TOKEN_ADJUST_PRIVILEGE = 0x0020
   SE_PRIVILEGE_ENABLED = 2



.data
  msgTxt DB 'Restart PC?',0
  msgTitle DB 'idris', 0
  failTxt DB 'failed to get shutdown privilege',0
  SE_SHUTDOWN_NAME db 'SeShutdownPrivilege', 0


.code
        start:


                invoke MessageBox, NULL, msgTxt, msgTitle, MB_YESNO
                cmp EAX, IDYES
                jne exit
                stdcall enable_privilege
                jc fail
                invoke  InitiateSystemShutdown, NULL, msgTxt, 10, FALSE, TRUE
                exit:
                         invoke ExitProcess,0
                fail:
                   invoke MessageBox, NULL, failTxt, msgTitle, NULL
                   jmp exit
        enable_privilege:
                virtual at esp
                 .handle dd ?
                 .tokens dd ?
                 .luid dq ?
                 .attr dd ?
                 .stack_size = $$-$
                end virtual
                sub esp, .stack_size
                invoke GetCurrentProcess
                invoke OpenProcessToken, EAX, TOKEN_ADJUST_PRIVILEGE, addr .handle
                test eax, eax
                jz .fail
                invoke LookupPrivilegeValue, 0, SE_SHUTDOWN_NAME, addr .luid
                test eax, eax
                jz  .fail
                mov [.tokens], 1
                mov [.attr] , SE_PRIVILEGE_ENABLED
                mov eax, [.handle]
                invoke AdjustTokenPrivileges, eax, 0, addr .tokens+12, 0, 0, 0
                test eax, eax
                jz .fail
                invoke CloseHandle, [.handle]
                add esp, .stack_size
                clc
                ret
           .fail:
                  invoke CloseHandle, [.handle]
                  add esp, .stack_size
                  stc
                  ret

.end start    


It runs, asks if I want to restart; I clicked YES and it still does nothing.

I ran as admin, btw.

revolution (Joined: 24 Aug 2004, Posts: 20481)
22 Feb 2017, 13:44
What is the return value from InitiateSystemShutdown? If it is zero then what is returned by GetLastError?

The error codes can tell you what is going wrong.
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
23 Feb 2017, 07:20
Sir, this is the new code:

Code:
 include '%fasminc%\win32ax.inc'


   TOKEN_ADJUST_PRIVILEGE = 0x0020
   SE_PRIVILEGE_ENABLED = 2



.data
  msgTxt DB 'Restart PC?',0
  msgTitle DB 'idris', 0
  failTxt DB 'failed to get shutdown privilege',0
  SE_SHUTDOWN_NAME db 'SeShutdownPrivilege', 0


.code
        start:


                invoke MessageBox, NULL, msgTxt, msgTitle, MB_YESNO
                cmp EAX, IDYES
                jne exit
                stdcall enable_privilege
                jc fail
                invoke  InitiateSystemShutdown, NULL, msgTxt, 10, FALSE, TRUE
                cmp eax, 0
                je check_error
                exit:
                         invoke ExitProcess,0
                fail:
                   invoke MessageBox, NULL, failTxt, msgTitle, NULL
                   jmp exit
                check_error:
                    invoke GetLastError
                    invoke MessageBox, NULL, eax, msgTitle, NULL
        enable_privilege:
                virtual at esp
                 .handle dd ?
                 .tokens dd ?
                 .luid dq ?
                 .attr dd ?
                 .stack_size = $$-$
                end virtual
                sub esp, .stack_size
                invoke GetCurrentProcess
                invoke OpenProcessToken, EAX, TOKEN_ADJUST_PRIVILEGE, addr .handle
                test eax, eax
                jz .fail
                invoke LookupPrivilegeValue, 0, SE_SHUTDOWN_NAME, addr .luid
                test eax, eax
                jz  .fail
                mov [.tokens], 1
                mov [.attr] , SE_PRIVILEGE_ENABLED
                mov eax, [.handle]
                invoke AdjustTokenPrivileges, eax, 0, addr .tokens+12, 0, 0, 0
                test eax, eax
                jz .fail
                invoke CloseHandle, [.handle]
                add esp, .stack_size
                clc
                ret
           .fail:
                  invoke CloseHandle, [.handle]
                  add esp, .stack_size
                  stc
                  ret

.end start    


It runs, asks if 'i want to restart pc', then ends abruptly after I clicked yes. I included code to check the error but am still confused.

revolution (Joined: 24 Aug 2004, Posts: 20481)
23 Feb 2017, 07:30
Okay, the error code from GetLastError is just a number, so if you want to display it then it needs to be converted to text form. But in the meantime you can just replace the eax part with some random text like "Could not initiate shutdown" or something just to see if the API call succeeds or not.
Code:
                    invoke GetLastError
                    invoke MessageBox, NULL, "Could not initiate shutdown", msgTitle, NULL    
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
23 Feb 2017, 07:35
Made the correction; the program still ends abruptly.

revolution (Joined: 24 Aug 2004, Posts: 20481)
23 Feb 2017, 07:54
Just to confirm things are happening as expected, you can add a MessageBox after the call to InitiateSystemShutdown just to show that the API returned and there was no error reported. Assuming that is all fine, then you might need to do some research into the InitiateSystemShutdown API details to figure out why it won't do its thing for you.
Code:
;...
                invoke  InitiateSystemShutdown, NULL, msgTxt, 10, FALSE, TRUE
                cmp eax, 0
                je check_error
                invoke MessageBox, NULL, "Shutdown was initiated", msgTitle, NULL
;...    
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
25 Feb 2017, 07:13
Thanks REV for the help so far. So this is the whole code:

Code:
 include '%fasminc%\win32ax.inc'


   TOKEN_ADJUST_PRIVILEGE = 0x0020
   SE_PRIVILEGE_ENABLED = 2



.data
  msgTxt DB 'Restart PC?',0
  msgTitle DB 'idris', 0
  failTxt DB 'failed to get shutdown privilege',0
  SE_SHUTDOWN_NAME db 'SeShutdownPrivilege', 0


.code
        start:


                invoke MessageBox, NULL, msgTxt, msgTitle, MB_YESNO
                cmp EAX, IDYES
                jne exit

                stdcall enable_privilege

                jc fail
                invoke  InitiateSystemShutdown, NULL, msgTxt, 0, FALSE, TRUE
                cmp eax, 0
                je check_error
                invoke MessageBox, NULL, "shutdown initiated", msgTitle, NULL
                exit:
                         invoke ExitProcess,0
                fail:
                   invoke MessageBox, NULL, failTxt, msgTitle, NULL
                   jmp exit
                check_error:
                    invoke GetLastError
                    invoke MessageBox, NULL, "Could not initiate shutdown", msgTitle, NULL
        enable_privilege:
                virtual at esp
                 .handle dd ?
                 .tokens dd ?
                 .luid dq ?
                 .attr dd ?
                 .stack_size = $$-$
                end virtual

                sub esp, .stack_size

                invoke GetCurrentProcess
                invoke OpenProcessToken, EAX, TOKEN_ADJUST_PRIVILEGE, addr .handle

                test eax, eax
                jz .fail
                invoke LookupPrivilegeValue, 0, SE_SHUTDOWN_NAME, addr .luid
                test eax, eax

                jz  .fail
                mov [.tokens], 1
                mov [.attr] , SE_PRIVILEGE_ENABLED
                mov eax, [.handle]

                invoke AdjustTokenPrivileges, eax, 0, addr .tokens+12, 0, 0, 0
                test eax, eax

                jz .fail
                invoke CloseHandle, [.handle]
                add esp, .stack_size

                clc

                ret
           .fail:
                  invoke CloseHandle, [.handle]
                  add esp, .stack_size
                  stc
                  ret

.end start
    


I started looking for the error by putting

Code:
invoke MessageBox, NULL, "sup?", msgTitle, NULL

after each API function call, then assembled and executed (one at a time, not all at once). This was to ascertain whether they execute successfully: no problem.

I still stepped into the "stdcall enable_privilege" and placed the same

Code:
invoke MessageBox, NULL, "sup?", msgTitle, NULL

after each of the API calls inside enable_privilege; it all assembled and executed.

I even placed it just before the "ret" and it still worked. However, if I return to the main procedure and place

Code:
invoke MessageBox, NULL, "sup?", msgTitle, NULL

after

Code:
stdcall enable_privilege

it assembles, but when I run the program it crashes before the "sup?" message box is displayed, so I'm assuming that the enable_privilege procedure is not returning control to main.

I'm confused, sir.

revolution (Joined: 24 Aug 2004, Posts: 20481)
25 Feb 2017, 07:24
Yup, you have reversed the stack size calculation from $-$$ to $$-$. I am not surprised it crashes.

BTW: Your debugging would be much faster with a real debugger. Using this basic "print message debugging" works also, but it is more tedious.

Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
25 Feb 2017, 11:00
Wow, it works flawlessly now. Thanks. Btw, can you recommend a good debugger?

revolution (Joined: 24 Aug 2004, Posts: 20481)
25 Feb 2017, 11:34
I use Ollydbg. There are others also. Note that Olly doesn't work for 64-bit code.
Fullnewb1234567 (Joined: 18 Feb 2017, Posts: 10)
25 Feb 2017, 12:18
Thanks rev. Now I'm about to ask some questions.

First, what does the "STC" instruction do?

Also, what is the work of "addr .token+12"?

And how is it different from using ".token+12" alone?

revolution (Joined: 24 Aug 2004, Posts: 20481)
25 Feb 2017, 13:37
stc is a basic CPU instruction. Set the carry flag. If you don't already have either the Intel, or the AMD, instruction manuals then I encourage you to download them.

.token is not a plain numeric value. It has an embedded offset from esp. If you look in the debugger you will see that the generated instruction is lea edx,[esp+offset] followed by push edx. So simply trying to push .token+12 will fail because of the embedded esp register and the offset. push esp+offset: there is no such instruction when offset is not zero.
Copyright © 1999-2025, Tomasz Grysztar.
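The reply above explains that `addr .tokens+12` becomes `lea edx,[esp+offset]` followed by `push edx`, and the earlier question is why the `+12` is needed when `.tokens` itself sits at `esp+4` in the `virtual at esp` block. As an added example (not from the thread), the following Python simulates the push sequence of a right-to-left `invoke`: an offset taken from `virtual at esp` describes the stack as it was before the first push, so every dword pushed before the `addr` argument moves `esp` by 4 and must be added back. For AdjustTokenPrivileges the NewState pointer is the third of six arguments, so three dwords precede it and the correction is 12; for OpenProcessToken and LookupPrivilegeValue the pointer is the last argument, pushed first, so no correction is needed. The `LOCALS` table, `addr_correction` and `expand_invoke` are names chosen here; the exact scratch register and `call [Func]` form of the macro expansion are assumed, as the thread only states the lea/push pair.

```python
"""Added example: why a virtual-at-esp local passed through `addr` needs a
correction equal to the bytes already pushed by the same invoke."""

# Layout of the thread's virtual block, relative to esp before any push
LOCALS = {".hndle": 0, ".tokens": 4, ".luid": 8, ".attr": 16}


def addr_correction(arg_index, total_args):
    """Bytes already on the stack when argument `arg_index` (0-based, left
    to right) of a `total_args`-argument right-to-left invoke is pushed."""
    pushed_before = total_args - 1 - arg_index
    return 4 * pushed_before


def expand_invoke(func, args):
    """Emit the push sequence for `invoke func, args...`.

    An argument written as ('addr', local) names an entry of LOCALS.
    Returns the asm lines and, per addr argument, the correction applied."""
    lines, corrections = [], {}
    total = len(args)
    for i in range(total - 1, -1, -1):          # right to left
        arg = args[i]
        if isinstance(arg, tuple) and arg[0] == "addr":
            local = arg[1]
            fix = addr_correction(i, total)
            corrections[local] = fix
            lines.append("lea edx,[esp+%d]    ; %s+%d"
                         % (LOCALS[local] + fix, local, fix))
            lines.append("push edx")
        else:
            lines.append("push %s" % arg)
    lines.append("call [%s]" % func)
    return lines, corrections


if __name__ == "__main__":
    calls = (
        ("OpenProcessToken", ["eax", "TOKEN_ADJUST_PRIVILEGES", ("addr", ".hndle")]),
        ("LookupPrivilegeValue", [0, "SE_SHUTDOWN_NAME", ("addr", ".luid")]),
        ("AdjustTokenPrivileges", ["eax", 0, ("addr", ".tokens"), 0, 0, 0]),
    )
    for name, arglist in calls:
        asm, fixes = expand_invoke(name, arglist)
        print("\n".join(asm))
        print("corrections:", fixes, "\n")
```

Writing `push .tokens+12` without `addr` would ask for `push esp+16`, which does not exist as an instruction, which is the point of the reply above; the `lea` computes the address into a register first.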