flat assembler
Message board for the users of flat assembler.
Index
> Windows > Question to pro (pipes) |
Author |
|
AlexP 20 Dec 2007, 02:40
Ever thought that those little ?'s that you are so fond of are so succeptable to overflow they are probably messing up your code because they only allocate one byte?
Ohh... you just used it as an example? well, I have no clue... Try a stream or something if u can't get it working |
|||
20 Dec 2007, 02:40 |
|
zxcv 20 Dec 2007, 02:51
fasm manual wrote: All data definition directives also accept the ? value, which rd 1 ; 1 nullified dword dd ? ; reserved dword, value unknown CreatePipe initilize them. Last edited by zxcv on 20 Dec 2007, 02:55; edited 1 time in total |
|||
20 Dec 2007, 02:51 |
|
AlexP 20 Dec 2007, 02:54
... Fine then... You do know that the second param you passed to CreateProcess() is what to execute, and if you execute cmd it is the shortcut for the command line itself, so that is why the command prompt keeps taking over your program when you execute 'cmd'
|
|||
20 Dec 2007, 02:54 |
|
zxcv 20 Dec 2007, 03:09
ive done some changes:
Code: format pe console section '.code' code readable executable push 0 push SECURITY_ATTRIBUTES push end_of_tunnel_here_should_be_cmd_output push cmd_stdout_goes_here call [CreatePipe] push PROCESS_INFORMATION push STARTUPINFO push 0 push 0 push 0 push 1 push 0 push 0 push 0 push exec call [CreateProcessA] push ovr push 0 push 128 push buff push end_of_tunnel_here_should_be_cmd_output call [ReadFile] call [GetLastError] push eax push f call [printf] add esp, 8 ret section '.data' data readable writeable f db '%i',0 ovr dd ? buff rb 128 exec db 'cmd',0 end_of_tunnel_here_should_be_cmd_output dd ? cmd_stdout_goes_here dd ? SECURITY_ATTRIBUTES: dd 12 dd 0 dd 1 STARTUPINFO: dd 68 rd 10 dd 4 rd 3 dd cmd_stdout_goes_here dd cmd_stdout_goes_here PROCESS_INFORMATION: rd 4 section '.idata' import data readable dd 0, 0, 0, RVA kernel32_name, RVA kernel32_table dd 0, 0, 0, RVA msvcrt_name, RVA msvcrt_table dd 0, 0, 0, 0, 0 kernel32_table: CreateProcessA dd RVA _CreateProcessA CreatePipe dd RVA _CreatePipe ReadFile dd RVA _ReadFile GetLastError dd RVA _GetLastError dd 0 msvcrt_table: printf dd RVA _printf dd 0 kernel32_name db 'kernel32.dll',0 msvcrt_name db 'msvcrt.dll',0 _CreateProcessA dw 0 db 'CreateProcessA',0 _CreatePipe dw 0 db 'CreatePipe',0 _ReadFile dw 0 db 'ReadFile',0 _printf dw 0 db 'printf',0 _GetLastError dw 0 db 'GetLastError',0 finally, i dont have this on stdout, but readfile returns 0, ant getlasterror INVALID_HANDLE =/ |
|||
20 Dec 2007, 03:09 |
|
AlexP 20 Dec 2007, 03:15
ohh.. I just got it... I've never had to work with pipes before.. You should call CreateProcess(), GetStdHandle(), then CreatePipe() and ReadFile(). That should do it if you totally debug it with GetLastError after every call. The handle by CreateProcess does not point to the process's output buffer, to get that you need to call GetStdHandle from within the process, or AttachConsole then GetStdHandle, which gets complicated. Then create the pipe, and use ReadFile with the handle to the output buffer to read from it. I don't even think you need a pipe at all, most people just call ReadFile directly to access the output buffer.
|
|||
20 Dec 2007, 03:15 |
|
zxcv 20 Dec 2007, 04:32
damn, i complicated it. I was checking sizes of structures in c program uising przintf (sizeof()), same i did whth argument of STARTUPINFO. It should be 256, not 4, my mistake. So ignore all my posts here.
Code: section '.code' code readable executable push PROCESS_INFORMATION push STARTUPINFO push 0 push 0 push 0 push 1 push 0 push 0 push 0 push exec call [CreateProcessA] push dword [PROCESS_INFORMATION+8] push eax push f call [printf] add esp, 12 ret section '.data' data readable writeable here_should_be_output dd ? exec db 'c:\windows\system32\cmd.exe',0 f db '%i',13,10,'%i',0 STARTUPINFO: dd 68 rd 10 dd 256 rd 3 dd here_should_be_output rd 1 PROCESS_INFORMATION: rd 4 SECURITY_ATTRIBUTES : dd 12 dd 0 dd 1 works, got 1 and pid, so process is creating as it should. But it die =/ How can i use getstdhandle, if i ALREADY told createprocess to use my (uninitilized) pipe. So, i must initilize it before create process. |
|||
20 Dec 2007, 04:32 |
|
AlexP 20 Dec 2007, 22:39
Here's how to call GetStdHandle to get the output/input buffers for the currently running process. Again, please explain your intentions because without them I cannot help you very well. Do you wish to start CMD and take over it's output buffer? Are you writing some sort of wanna-be hack or something lol?? Whatever you are trying to manipulate it for, please explain.
Code: ;Get Input Buffer Handle push -0x0A call [GetStdHandle] mov [hStdIn],eax ;Get Output Buffer Handle push -0x0B call [GetStdHandle] mov [hStdOut],eax ;Write startup screen push 0 ;NULL push NumWritten ;Pointer to receive bytes written push 45 ;Characters to write push MainScreen ;My main screen push [hStdOut] ;Handle to output buffer of console call [WriteConsole] Just a tip: if you are trying to take control of another process's console window, any part of it, it is not going to work. Look up AttachConsole on MSDN and you will see what needs to be done. Unless the windows command prompt program intentionally gives up it's console window, you're going to have to give up. Expecially a windows program, nonetheless the command prompt itself. Maybe do a timing attack on the windows command prompt to take control of it? Please reply if you need anything in the next 5 hours. |
|||
20 Dec 2007, 22:39 |
|
zxcv 21 Dec 2007, 01:19
Do you know such program 'netcat'?
You can set -e option, and exec cmd. nc -e cmd.exe -l -p 123 im want to do such thing. I was searching in nc sources, but i cant understand anything from it (too much usless crap). |
|||
21 Dec 2007, 01:19 |
|
f0dder 21 Dec 2007, 01:37
If you can't figure out how to do it in assembly, perhaps you should just do it in C.
But you're writing shellcode, I guess? |
|||
21 Dec 2007, 01:37 |
|
zxcv 21 Dec 2007, 02:15
Quote: But you're writing shellcode, I guess? yes, but first id like to have it in exe |
|||
21 Dec 2007, 02:15 |
|
f0dder 21 Dec 2007, 10:03
Moron.
|
|||
21 Dec 2007, 10:03 |
|
zxcv 08 Jan 2008, 19:37
bump, how can i do that? Does really nobody know?
I cant reverse engeneer that 'example' from msdn. |
|||
08 Jan 2008, 19:37 |
|
AlexP 10 Jan 2008, 04:27
by 'example', do you mean "AttachConsole"? Well, I have no experience in shellcode, and I think something as important as the cmd.exe in Windows is signed so much John Hancock would be proud I don't know how shellcode works, but I know that debuggers can insert instructions while the program is running (like Int 3) so you should be able to mess with programs while they are in memory. Just do some -ex API's to get into the memory space and you have free reign over the code and memory!! IDK if that will work, but you can try. Try looking up "inserting dll's into other processes". I read a VERY interesting article on code insertion techniques which is probably what you are going for. Sparked many new ideas after I read it, there is an abundance of reading on it for Windows. Just ask if u can't find any, I'll send u something.
[EDIT] I just remembered u tried to start cmd.exe with your own process handle I'd expect that Microsoft made cmd not accessible to other programs, nevermind that if u did it would probably be illegal?? |
|||
10 Jan 2008, 04:27 |
|
f0dder 10 Jan 2008, 12:36
AlexP wrote:
why whould they make CMD.EXE inaccessible to other programs? It's just a shell, nothing special you can do with it that you couldn't do with API calls. There's a little catch, however: win32 console programs are a bit special. _________________ - carpe noctem |
|||
10 Jan 2008, 12:36 |
|
AlexP 11 Jan 2008, 14:42
Hmm... Interesting... Anyway, I do like my Hancock analogy I still think cmd is not just a totallly accessible thing.
|
|||
11 Jan 2008, 14:42 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.