flat assembler
Message board for the users of flat assembler.

Index > Windows > Question to pro (pipes)

Author
Thread Post new topic Reply to topic
zxcv
Guest




zxcv
Maybe im dumb and i dont understand windows pipes, or maybe i dont know about some hidden tricks made by windows.
This should create tunnel, and write to in stdout
Code:
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>    

But, still i get this on my window, wtf is going on?
when i make cmd>file, it works fine.
Please, help me!


Code:
format pe console
section '.code' code readable executable
push 0
push SECURITY_ATTRIBUTES
push end_of_tunnel_here_should_be_cmd_output
push cmd_stdout_goes_here
call [CreatePipe]
push PROCESS_INFORMATION
push STARTUPINFO
push 0
push 0
push 0
push 1
push 0
push 0
push exec
push 0
call [CreateProcessA]
ret
section '.data' data readable writeable
exec db 'cmd',0
end_of_tunnel_here_should_be_cmd_output dd ?
cmd_stdout_goes_here dd ?
SECURITY_ATTRIBUTES:
dd 12
dd 0
dd 1
STARTUPINFO:
dd 68
rd 10
dd 4
rd 3
dd cmd_stdout_goes_here
dd cmd_stdout_goes_here
PROCESS_INFORMATION:
rd 4
section '.idata' import data readable
dd 0, 0, 0, RVA kernel32_name, RVA kernel32_table
dd 0, 0, 0, 0, 0
kernel32_table:
CreateProcessA dd RVA _CreateProcessA
CreatePipe dd RVA _CreatePipe
dd 0
kernel32_name db 'kernel32.DLL',0
_CreateProcessA dw 0
db 'CreateProcessA',0
_CreatePipe dw 0
db 'CreatePipe',0    
Post 20 Dec 2007, 02:30
Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
Ever thought that those little ?'s that you are so fond of are so succeptable to overflow they are probably messing up your code because they only allocate one byte?

Ohh... you just used it as an example? well, I have no clue... Try a stream or something if u can't get it working
Post 20 Dec 2007, 02:40
View user's profile Send private message Visit poster's website Reply with quote
zxcv
Guest




zxcv
fasm manual wrote:
All data definition directives also accept the ? value, which
means that this cell should not be initialized to any value and the effect
is the same as by using the data reservation directive.

rd 1 ; 1 nullified dword
dd ? ; reserved dword, value unknown
CreatePipe initilize them.


Last edited by zxcv on 20 Dec 2007, 02:55; edited 1 time in total
Post 20 Dec 2007, 02:51
Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
... Fine then... You do know that the second param you passed to CreateProcess() is what to execute, and if you execute cmd it is the shortcut for the command line itself, so that is why the command prompt keeps taking over your program when you execute 'cmd'
Post 20 Dec 2007, 02:54
View user's profile Send private message Visit poster's website Reply with quote
zxcv
Guest




zxcv
ive done some changes:
Code:
format pe console
section '.code' code readable executable
push 0
push SECURITY_ATTRIBUTES
push end_of_tunnel_here_should_be_cmd_output
push cmd_stdout_goes_here
call [CreatePipe]
push PROCESS_INFORMATION
push STARTUPINFO
push 0
push 0
push 0
push 1
push 0
push 0
push 0
push exec
call [CreateProcessA]
push ovr
push 0
push 128
push buff
push end_of_tunnel_here_should_be_cmd_output
call [ReadFile]
call [GetLastError]
push eax
push f
call [printf]
add esp, 8
ret
section '.data' data readable writeable
f db '%i',0
ovr dd ?
buff rb 128
exec db 'cmd',0
end_of_tunnel_here_should_be_cmd_output dd ?
cmd_stdout_goes_here dd ?
SECURITY_ATTRIBUTES:
dd 12
dd 0
dd 1
STARTUPINFO:
dd 68
rd 10
dd 4
rd 3
dd cmd_stdout_goes_here
dd cmd_stdout_goes_here
PROCESS_INFORMATION:
rd 4
section '.idata' import data readable
dd 0, 0, 0, RVA kernel32_name, RVA kernel32_table
dd 0, 0, 0, RVA msvcrt_name, RVA msvcrt_table
dd 0, 0, 0, 0, 0
kernel32_table:
CreateProcessA dd RVA _CreateProcessA
CreatePipe dd RVA _CreatePipe
ReadFile dd RVA _ReadFile
GetLastError dd RVA _GetLastError
dd 0
msvcrt_table:
printf dd RVA _printf
dd 0
kernel32_name db 'kernel32.dll',0
msvcrt_name db 'msvcrt.dll',0
_CreateProcessA dw 0
db 'CreateProcessA',0
_CreatePipe dw 0
db 'CreatePipe',0
_ReadFile dw 0
db 'ReadFile',0
_printf dw 0
db 'printf',0
_GetLastError dw 0
db 'GetLastError',0    

finally, i dont have this on stdout, but readfile returns 0, ant getlasterror INVALID_HANDLE =/
Post 20 Dec 2007, 03:09
Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
ohh.. I just got it... I've never had to work with pipes before.. You should call CreateProcess(), GetStdHandle(), then CreatePipe() and ReadFile(). That should do it if you totally debug it with GetLastError after every call. The handle by CreateProcess does not point to the process's output buffer, to get that you need to call GetStdHandle from within the process, or AttachConsole then GetStdHandle, which gets complicated. Then create the pipe, and use ReadFile with the handle to the output buffer to read from it. I don't even think you need a pipe at all, most people just call ReadFile directly to access the output buffer.
Post 20 Dec 2007, 03:15
View user's profile Send private message Visit poster's website Reply with quote
zxcv
Guest




zxcv
damn, i complicated it. I was checking sizes of structures in c program uising przintf (sizeof()), same i did whth argument of STARTUPINFO. It should be 256, not 4, my mistake. So ignore all my posts here.
Code:
section '.code' code readable executable



push PROCESS_INFORMATION
push STARTUPINFO
push 0
push 0
push 0
push 1
push 0
push 0
push 0
push exec
call [CreateProcessA]
push dword [PROCESS_INFORMATION+8]
push eax
push f
call [printf]
add esp, 12
ret
section '.data' data readable writeable

here_should_be_output dd ?
exec db 'c:\windows\system32\cmd.exe',0
f db '%i',13,10,'%i',0





STARTUPINFO:
dd 68
rd 10
dd 256
rd 3
dd here_should_be_output
rd 1
PROCESS_INFORMATION:
rd 4
SECURITY_ATTRIBUTES :
dd 12
dd 0
dd 1    

works, got 1 and pid, so process is creating as it should. But it die =/
How can i use getstdhandle, if i ALREADY told createprocess to use my (uninitilized) pipe. So, i must initilize it before create process.
Post 20 Dec 2007, 04:32
Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
Here's how to call GetStdHandle to get the output/input buffers for the currently running process. Again, please explain your intentions because without them I cannot help you very well. Do you wish to start CMD and take over it's output buffer? Are you writing some sort of wanna-be hack or something lol?? Whatever you are trying to manipulate it for, please explain.
Code:
        ;Get Input Buffer Handle
        push -0x0A
        call [GetStdHandle]
        mov [hStdIn],eax

        ;Get Output Buffer Handle
        push -0x0B
        call [GetStdHandle]
        mov [hStdOut],eax

        ;Write startup screen
        push 0                ;NULL
        push NumWritten ;Pointer to receive bytes written
        push 45              ;Characters to write
        push MainScreen ;My main screen
        push [hStdOut]   ;Handle to output buffer of console
        call [WriteConsole]
    


Just a tip: if you are trying to take control of another process's console window, any part of it, it is not going to work. Look up AttachConsole on MSDN and you will see what needs to be done. Unless the windows command prompt program intentionally gives up it's console window, you're going to have to give up. Expecially a windows program, nonetheless the command prompt itself. Maybe do a timing attack on the windows command prompt to take control of it? Please reply if you need anything in the next 5 hours.
Post 20 Dec 2007, 22:39
View user's profile Send private message Visit poster's website Reply with quote
zxcv
Guest




zxcv
Do you know such program 'netcat'?
You can set -e option, and exec cmd.
nc -e cmd.exe -l -p 123

im want to do such thing. I was searching in nc sources, but i cant understand anything from it (too much usless crap).
Post 21 Dec 2007, 01:19
Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
If you can't figure out how to do it in assembly, perhaps you should just do it in C.

But you're writing shellcode, I guess?
Post 21 Dec 2007, 01:37
View user's profile Send private message Visit poster's website Reply with quote
zxcv
Guest




zxcv
Quote:
But you're writing shellcode, I guess?

yes, but first id like to have it in exe
Post 21 Dec 2007, 02:15
Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Moron.
Post 21 Dec 2007, 10:03
View user's profile Send private message Visit poster's website Reply with quote
zxcv
Guest




zxcv
bump, how can i do that? Does really nobody know?
I cant reverse engeneer that 'example' from msdn.
Post 08 Jan 2008, 19:37
Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
by 'example', do you mean "AttachConsole"? Well, I have no experience in shellcode, and I think something as important as the cmd.exe in Windows is signed so much John Hancock would be proud Smile I don't know how shellcode works, but I know that debuggers can insert instructions while the program is running (like Int 3) so you should be able to mess with programs while they are in memory. Just do some -ex API's to get into the memory space and you have free reign over the code and memory!! IDK if that will work, but you can try. Try looking up "inserting dll's into other processes". I read a VERY interesting article on code insertion techniques which is probably what you are going for. Sparked many new ideas after I read it, there is an abundance of reading on it for Windows. Just ask if u can't find any, I'll send u something.
[EDIT] I just remembered u tried to start cmd.exe with your own process handle Smile I'd expect that Microsoft made cmd not accessible to other programs, nevermind that if u did it would probably be illegal??
Post 10 Jan 2008, 04:27
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
AlexP wrote:

[EDIT] I just remembered u tried to start cmd.exe with your own process handle Smile I'd expect that Microsoft made cmd not accessible to other programs, nevermind that if u did it would probably be illegal??


why whould they make CMD.EXE inaccessible to other programs? It's just a shell, nothing special you can do with it that you couldn't do with API calls.

There's a little catch, however: win32 console programs are a bit special.

_________________
Image - carpe noctem
Post 10 Jan 2008, 12:36
View user's profile Send private message Visit poster's website Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
Hmm... Interesting... Anyway, I do like my Hancock analogy Smile I still think cmd is not just a totallly accessible thing.
Post 11 Jan 2008, 14:42
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.