flat assembler
Message board for the users of flat assembler.

Bizarre - dual nature programs

MHajduk



Maybe it will be boring or already known to most of you, but anyway I want to present very simple examples of 'dual nature' programs, i.e. programs which execute normally as COM applications but, after changing their extensions, run as scripts in scripting languages such as VBS or JScript.

Example of VBS/COM program:
Code:
; Program in FASM, which has a 'dual nature': it can be executed as a COM
; application (default) or as a VBS script (after changing a program extension
; to '.vbs').
;
; (C) Mikolaj Hajduk.
;
; Constraint: the script engine splits the file into lines at every 0Dh/0Ah
; byte, so no instruction encoding in the COM body may contain those bytes,
; and every line of the DOS message that follows a NL must start with the
; VBS comment char (27h), otherwise it is parsed as VBS code.
;
org     100h

; New line char.
;
NL      equ 0Dh, 0Ah

; Opcode 27h = 'apostrophe' ('daa' instruction) is used to generate the VBS
; comment char, so the first line of the file is a VBS comment.
;
daa

; Skip the script body.
;
jmp     COMBody

; Script body.
;
ScriptBody:
        db NL   ; Necessary new line char.

        db 'MsgBox("Hello from Visual Basic Script!")', NL

; Body of the COM program.
;
COMBody:
        daa     ; VBS comment.

        ; Show message(s).
        ;
        mov     ah, 09h
        mov     dx, Text
        int     21h

        ; Wait until a key is pressed.
        ;
        PressAnyKey:
                mov     ah, 1
                int     16h
                jz      PressAnyKey

        ; End of COM program.
        ;
        mov     ax, 4C00h
        int     21h

; Message text. The prompt follows a NL, so it is prefixed with the VBS
; comment char; the backspace (08h) after it moves the cursor back, so the
; prompt overwrites the apostrophe on screen.
;
Text db "Hello from COM program!", NL, NL
     db "'", 08h, 'Press any key: $'

    


Example of JScript/COM program:
Code:
; Program in FASM, which has a 'dual nature': it can be executed as a COM
; application (default) or as a JScript program (after changing a program
; extension to '.js').
;
; (C) Mikolaj Hajduk.
;
; Constraint: the script engine splits the file into lines at every 0Dh/0Ah
; byte, so no instruction encoding in the COM body may contain those bytes,
; and every line of the DOS message that follows a NL must start with the
; JScript comment token '//', otherwise it is parsed as JScript code.
;
org     100h

; New line char.
;
NL      equ 0Dh, 0Ah

; Opcodes 2Fh 2Fh = '//' (two 'das' instructions) are used to generate the
; JScript line comment token, so the first line of the file is a comment.
;
das
das

; Skip the script body.
;
jmp     COMBody

; Script body.
;
ScriptBody:
        db NL   ; Necessary new line char.

        db 'WScript.Echo("Hello from JScript program!");', NL

; Body of the COM program.
;
COMBody:
        das     ; JScript comment.
        das

        ; Show message(s).
        ;
        mov     ah, 09h
        mov     dx, Text
        int     21h

        ; Wait until a key is pressed.
        ;
        PressAnyKey:
                mov     ah, 1
                int     16h
                jz      PressAnyKey

        ; End of COM program.
        ;
        mov     ax, 4C00h
        int     21h

; Message text. The prompt follows a NL, so it is prefixed with the JScript
; comment token; the two backspaces (08h) after it move the cursor back, so
; the prompt overwrites the slashes on screen.
;
Text db "Hello from COM program!", NL, NL
     db '//', 08h, 08h, 'Press any key: $'

    


Sincerely Yours
Mikolaj Hajduk.
Post 04 Aug 2006, 13:03
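The layout above can be checked mechanically from both sides. The following is an added example (not code from the post): the COM/VBS file is assembled by hand in Python with the same byte layout as the FASM source, then inspected from the COM view (first opcode and short-jump target) and from the script view (every line produced by a CR, LF or CR LF byte must be blank, start with the comment token, or be the intended script line). The `'` + backspace prefix on the prompt line, the `classify()` signature list and the constructed message strings are my additions; the JScript and HTML variants posted later in the thread are covered by the same signatures.

```python
import re
import struct

CRLF = b"\r\n"
SCRIPT = b'MsgBox("Hello from Visual Basic Script!")'

def assemble_vbs_com(script=SCRIPT, message=b"Hello from COM program!"):
    """Hand-assembled copy of the COM/VBS layout from the FASM source above.
    org 100h; every encoding used is free of 0Dh/0Ah bytes."""
    org = 0x100
    # COM view: 27h (daa, also the VBS comment char "'") then 'jmp short COMBody'.
    script_part = CRLF + script + CRLF
    com_body = 1 + 2 + len(script_part)                      # file offset of COMBody
    head = b"'" + b"\xEB" + struct.pack("<b", com_body - 3)  # rel8 from end of the jmp
    # COM body: daa ; mov ah,9 ; mov dx,Text ; int 21h ; key loop ; mov ax,4C00h ; int 21h
    code_len = 1 + 2 + 3 + 2 + 2 + 2 + 2 + 3 + 2
    text_addr = org + com_body + code_len
    body = (b"'"
            + b"\xB4\x09" + b"\xBA" + struct.pack("<H", text_addr) + b"\xCD\x21"
            + b"\xB4\x01" + b"\xCD\x16" + b"\x74\xFA"        # int 16h/01h loop, jz -6
            + b"\xB8\x00\x4C" + b"\xCD\x21")
    # The prompt follows a CR LF, so it must start with the VBS comment char;
    # the backspace (08h) makes the DOS console overwrite that apostrophe.
    text = message + CRLF + CRLF + b"'\x08" + b"Press any key: $"
    return head + script_part + body + text

def com_entry(data):
    """COM view: file offset the initial 'jmp short' lands on, or None."""
    if len(data) < 3 or data[0] != 0x27 or data[1] != 0xEB:
        return None
    return 3 + struct.unpack("<b", data[2:3])[0]

def script_view_problems(data, comment, script_lines):
    """Script view: 1-based numbers of lines that are neither blank, a comment,
    nor one of the intended script lines. Lines break at CR, LF or CR LF, so a
    stray 0Dh/0Ah byte inside machine code starts a new line too."""
    bad = []
    for n, line in enumerate(re.split(rb"\r\n|\r|\n", data), 1):
        if line and not line.startswith(comment) and line not in script_lines:
            bad.append(n)
    return bad

# Byte signatures of the 'dual nature' layouts in this thread (my list): the
# comment opener of the host format immediately followed by EBh (jmp short),
# or, for the HTML/EXE file, 'MZ' followed by the comment opener.
SIGNATURES = (
    (b"'\xEB", "COM/VBS"),
    (b"//\xEB", "COM/JScript"),
    (b"<!-- \xEB", "COM/HTML"),      # cmp al,21h ; sub ax,202Dh ; jmp short
    (b"MZ<!--", "EXE/HTML"),
)

def classify(data):
    """Names of the layouts whose signature matches the start of `data`."""
    return [name for magic, name in SIGNATURES if data.startswith(magic)]

if __name__ == "__main__":
    f = assemble_vbs_com()
    print(classify(f), hex(com_entry(f)), script_view_problems(f, b"'", {SCRIPT}))
```

Running `script_view_problems()` on a variant whose prompt lacks the comment prefix reports line 5 (`Press any key: $`), which is exactly the line a script engine would try to parse as code.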
okasvi



Nice, haven't seen anything like this before.


edit: I'm wondering, how did you get the idea to do this?
Post 04 Aug 2006, 13:20
MHajduk



Thanks.

I was inspired by COM/BAT programs, which are simple hm... viruses under the DOS system (batch viruses).
But the presented examples are not malware and have only an educational purpose.
Post 04 Aug 2006, 14:03
MHajduk



And something for dessert: an example of an HTML/COM 'dual nature' program:
Code:
; Program in FASM, which has a 'dual nature': it can be executed as a COM
; application (default) or viewed as an HTML page (after changing a program
; extension to '.html' or '.htm').
;
; (C) Mikolaj Hajduk.
;
org     100h

; New line char.
;
NL      equ 0Dh, 0Ah

; Sequence of assembler commands whose encoding spells '<!-- ' (3Ch 21h = '<!',
; 2Dh 2Dh 20h = '-- '), i.e. the begin of an HTML comment.
;
cmp al, 21h
sub ax, 202Dh

; Skip the content of HTML page.
;
jmp     COMBody

; Content of HTML page.
;
HTML:
        db '-->'        ; End of HTML comment.

        db '<html><head><title>HTML/COM</title></head><body>'
        db '<center><h1>Hello from HTML!</h1></center></body></html>'

; Body of the COM program.
;
COMBody:
        cmp al, 21h     ; Begin of HTML comment (sequence '<!--').
        sub ax, 202Dh   ;

        ; Show message(s).
        ;
        mov     ah, 09h
        mov     dx, Text
        int     21h

        ; Wait until the key is pressed.
        ;
        PressAnyKey:
                mov     ah, 1
                int     16h
                jz      PressAnyKey

        ; End of COM program.
        ;
        mov     ax, 4C00h
        int     21h

; Message text.
;
Text db "Hello from COM program!", NL, NL, 'Press any key: $ -->'

    
Post 04 Aug 2006, 16:04
Reverend



Also, when you have a ready HTML file and put it as a stub in PE files, it has a dual nature. I've seen an example with some simple HTML file, but when the HTML is written correctly it should work even when the headers, code and data come after it.
Post 04 Aug 2006, 21:22
rugxulo



http://www.deater.net/weave/vmwprod/asm/

Quote:

dual is a quick hack that creates a Hello World binary that can run, without modification, on both Linux and MS-DOS/Windows systems. That is, it is both an ELF and DOS COM executable at the same time. get the source or the 150byte binary.
Post 05 Aug 2006, 00:20
LocoDelAssembly
Code:
format pe gui 4.0

include 'win32a.inc'

start:
  ; CPUID leaf 8FFFFFFFh: on AMD K8 ('Hammer') processors the returned
  ; EAX:EBX:ECX:EDX spell out a 16-byte text string (the easter egg).
  mov eax, 0x8fffffff
  cpuid

  ; Store the four registers into 'buffer' by temporarily pointing ESP at
  ; the end of the buffer and pushing them (fasm's default flat PE section
  ; is readable/writable/executable, so the pushes may write there);
  ; ESP is restored afterwards.
  mov     ebp, esp
  mov     esp, buffer+4*4
  push    edx
  push    ecx
  push    ebx
  push    eax
  mov     esp, ebp

  invoke  MessageBox, 0, buffer, tittle, MB_ICONINFORMATION
  ret                               ; return to the process start-up code

  buffer  rb 4*4
          db 0                      ; NUL terminator for the 16-byte string
  tittle  db "AMD64 Easter Egg",0

data import

  library user32,'USER32.DLL'
  import  user32, MessageBox, 'MessageBoxA'

end data


Nice finding, rugxulo.

Regards

P.S.: IT'S HAMMER TIME
Post 05 Aug 2006, 01:38
MHajduk



Señor 'Loco del assembly',

I'm afraid that I don't understand the essentials of the 'duality' of your program.
Could you explain it to me in detail?

Sincerely,
Mikolaj Hajduk.
Post 05 Aug 2006, 12:30
LocoDelAssembly
Señor Mikolaj Hajduk,

Yep, it's a completely off-topic post, I know. I posted it because I found the Linux code on the link that rugxulo posted, but it has no duality at all.

Sincerely,
Hernán
Post 05 Aug 2006, 15:11
MHajduk



Here is an example of an HTML/EXE 'dual nature' program.

  • After changing its extension from '.bin' to '.exe' it becomes a normal Windows application:

    [screenshot of the message box]

  • If its extension has been modified to '.htm' or '.html', it may be viewed in a WWW browser as a normal HTML page:

    [screenshot of the page]

This program is based on babyboy10777's 'Manual .EXE template' (just changed and re-edited a little).
Code:
; Program in FASM, which is an example of an HTML/EXE 'dual nature' program.
; After changing its extension from '.bin' to '.exe' it becomes a normal
; Win application. If its extension has been modified to '.htm' or '.html',
; it may be viewed in a WWW browser as a normal HTML page.
;
; (C) Mikolaj Hajduk, 18.08.2006.
; based on babyboy10777's 'Manual .EXE template'.
;
macro align n { db ((n-1)-($+n-1) mod n) dup(0) }

use32

exe_begin:
        dw 'MZ'                   ; DOS signature; the Windows loader checks it.
        db '<!--'                 ; Begin of HTML comment.
        db 36h dup(0)
        dd 40h                    ; e_lfanew: PE header at file offset 40h.
        db 'PE', 0, 0             ; Signature,
        dd 1014Ch, 0, 0, 0        ; cpu (.I386+), # sections = 1; timestamp, symbols,
        dd 10F00E0h, 10Bh         ; optional header size (E0h), characteristics; PE32 magic,
        dd 0, 0, 0                ; .code/.idata/.data sizes,
        dd 1000h, 0, 0, 400000h   ; entry, .code/.data offsets, base address,
        dd 1000h, 200h            ; section alignment in memory and file: 4K/512,
        dd 1, 0, 4, 0             ; versions,
        dd (((1000h +\            ; image size = (rva + section size) aligned to 1000h,
           prg_core_end-prg_core)\
           shr 12) + 1) shl 12
        dd 200h, 0                ; section 1 offset,
        dw 2, 0                   ; subsystem,
        dd 1000h, 1000h, 1000h, 0 ; stack/heap reserve/commit,
        dd 0, 16                  ; flags, # directories,
        dq 0                      ; "data directory" structures,
        dd it+0E00h               ; import table rva, size...
        dd prg_core_end-it
        dq 14 dup(0)

        dq '.core'                ; Section header. File offset = 138h.
        dd prg_core_end-prg_core  ; Size,
        dd 1000h                  ; rva,
        dd exe_end-prg_core       ; size rounded to 200h,
        dd 200h, 0, 0, 0          ; file offset, skip relocations, etc,
        dd 0E0000020h             ; attributes: readable, writable, executable, etc,
        db 200h-$ dup(0)          ; proceed to 200h/1000h.

; 'Core' of the program.
;
prg_core:
        push 0 msgbox_caption+400E00h msgbox_message+400E00h 0
        call dword [MessageBox+400E00h]
        push 0
        call dword [ExitProcess+400E00h]

; Program data.
;
msgbox_caption db 'HTML/EXE example.', 0
msgbox_message db 'Hello from EXE!', 0

; Import table.
;
it:
        dd 0, 0, 0, kernel_name+0E00h, kernel_table+0E00h
        dd 0, 0, 0, user_name+0E00h, user_table+0E00h
        dd 0, 0, 0, 0, 0

kernel_name db 'KERNEL32.DLL', 0

kernel_table:
        ExitProcess dd _ExitProcess+0E00h
        dd 0
        _ExitProcess db 0, 0, 'ExitProcess', 0

user_name db 'USER32.DLL', 0

user_table:
        MessageBox dd _MessageBox+0E00h
        dd 0
        _MessageBox db 0, 0, 'MessageBoxA', 0

; End of the main part of application.
;
prg_core_end:
        ; End of HTML comment.
        ;
        db '-->'

        ; Content of HTML page.
        ;
        db '<html><head><title>HTML/EXE</title></head>'
        db '<body text="black" bgcolor="black"><center>'
        db '<h1 style="color: red;">Hello from HTML!</h1>'
        db '</center></body></html>'

align 512

exe_end:
    

Regards,
M.H.

[EDIT] Images were moved to another server. [/EDIT]


Last edited by MHajduk on 07 Nov 2006, 14:41; edited 2 times in total
Post 18 Aug 2006, 11:37
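What makes the HTML/EXE file work is where the HTML ends up: in the section's raw data beyond VirtualSize, which the section header declares as holding none of the program's code or data. As an added example (not the post's code), the same header layout is laid out in Python with `struct`, using the values from the FASM source, and a small parser walks the DOS header, PE signature and section table to locate that slack. The `core` bytes are a constructed stand-in for the post's code, strings and import table, and the import directory defaults to empty, so the result is for inspecting the layout, not for running as an EXE.

```python
import struct

HTML_TAIL = (b"--><html><head><title>HTML/EXE</title></head>"
             b'<body text="black" bgcolor="black"><center>'
             b'<h1 style="color: red;">Hello from HTML!</h1></center></body></html>')

def build_html_exe(core, html=HTML_TAIL, imports=(0, 0)):
    """Lay out a file like the post's HTML/EXE: 'MZ', '<!--', PE headers, one RWX
    section at file offset 200h whose raw data is `core` followed by the HTML in
    the slack beyond VirtualSize. `core` is opaque here (stand-in for the real
    code/data/import table); `imports` is the import directory (rva, size)."""
    file_align, sect_align = 0x200, 0x1000
    raw = core + html
    raw += b"\0" * (-len(raw) % file_align)                   # the post's 'align 512'
    image_size = ((sect_align + len(core)) // sect_align + 1) * sect_align
    dos = b"MZ<!--" + b"\0" * 0x36 + struct.pack("<I", 0x40)  # e_lfanew = 40h
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0, 0, 0,             # PE32 magic, linker ver, sizes
                      0x1000, 0, 0, 0x400000,           # entry rva, code/data bases, image base
                      sect_align, file_align, 1, 0, 0, 0, 4, 0,
                      0, image_size, 0x200, 0,          # win32 ver, SizeOfImage, SizeOfHeaders, checksum
                      2, 0, 0x1000, 0x1000, 0x1000, 0, 0, 16)
    dirs = struct.pack("<II", 0, 0) + struct.pack("<II", *imports) + b"\0" * (8 * 14)
    sect = struct.pack("<8sIIIIIIHHI", b".core", len(core), 0x1000, len(raw), 0x200,
                       0, 0, 0, 0, 0xE0000020)
    headers = dos + coff + opt + dirs + sect
    assert len(headers) == 0x160                              # section header at 138h, as in the post
    return headers + b"\0" * (0x200 - len(headers)) + raw

def sections(data):
    """Walk the DOS and PE headers; for each section report its raw data range in
    the file and the slack (raw bytes past VirtualSize, which hold nothing the
    section declares as the program's code or data)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0"), "rva": rva, "vsize": vsize,
                    "raw": (rawptr, rawptr + rawsize),
                    "slack": (rawptr + min(vsize, rawsize), rawptr + rawsize)})
    return out

def html_view(data):
    """What the browser renders: everything outside the first '<!-- ... -->'."""
    start = data.find(b"<!--")
    end = data.find(b"-->", start + 4)
    return data if start < 0 or end < 0 else data[:start] + data[end + 3:]

def html_hidden_in_slack(data):
    """True when the comment closes (and the page begins) inside section slack."""
    close = data.find(b"-->", data.find(b"<!--") + 4)
    return any(lo <= close < hi for s in sections(data) for lo, hi in [s["slack"]])

if __name__ == "__main__":
    exe = build_html_exe(b"\x6A\x00\xC3" + b"\0" * 29)   # constructed stand-in core
    print(sections(exe), html_hidden_in_slack(exe), html_view(exe)[:24])
```

`html_view()` also shows that the two signature bytes `MZ` precede the comment and are rendered as page text, which the post's `text="black"` on a black background hides.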
OzzY



I got this idea years ago when I was learning ASM; I got interested in viruses and how they work. I read lots of vx zines and I still read them nowadays. I think it's very educational knowledge if used with ethics.
I also coded a COM/JPG virus for educational purposes and having fun only.

COM programs are very flexible because they have no headers and are very tiny. I also coded one polymorphic engine that resulted in a COM file that could change every byte of its own.


The cool thing is how FASM is designed: you have an exact image of the COM file in your ASM source code, and you can play around with headers.
Also you can build MZ, PE or ELF executables from scratch using FASM.
The best feature of FASM in my opinion is exactly this. If I build the import section in my PE in a way that user32.dll comes before kernel32.dll in my source code, it'll also be that way in the EXE file. And I don't even need a linker!
Post 18 Aug 2006, 12:36
MHajduk



OzzY wrote:
I also coded one polymorphic engine that resulted in a COM file that could change every byte of its own.

I think that a 'polymorphic engine' is very close to an 'evolutionary (genetic) engine'. Am I right?
But in this case the programmer has to accept that not every copy of the virus will 'survive' in the 'computer environment'.

Regards,
M.H.
Post 18 Aug 2006, 13:57
MHajduk



What I want to say will be slightly off-topic here, but related to my last post.

A few years ago I wrote a package of programs which allows creating crosswords matching a previously prepared scheme (mathematical model) by using a genetic algorithm coded in Java. The rest of the programs, written in Perl, were designed for DTP purposes (the output file was a program in PostScript).


Last edited by MHajduk on 06 May 2007, 15:31; edited 2 times in total
Post 21 Aug 2006, 13:32
sylwek32



Does it only work with the contained .PE or can a file be included?
Can you show more examples?
Post 07 Oct 2006, 03:35
rugxulo



Check this out:

Quote:

POLYGLOT - a program in seven languages (15 February 1991)

COBOL, Pascal, Fortran, C, PostScript, sh, 8086 machine code (DOS .COM)

Written by Kevin Bungard, Peter Lisle, and Chris Tham
Post 08 Oct 2006, 00:53
Copyright © 1999-2020, Tomasz Grysztar.
