Does anyone know of a source of info for the Windows Messenger Service protocol (for Net send - not MSN)? i did some googling and searching on MSN. i assume it doesn't have a place in an RFC, so i didn't bother checking there. Yes, i know that there is an API for this, but i just wanted to examine the protocol (anti-spoofing - the regular protocol can easily be spoofed by using Micro$oft's own API).

BTW, i'm sorry if this belongs in the heap since it has nothing to do w/ ASM
Posted on 2003-04-18 16:07:43 by jademtech
There is no real protocol. It uses NetMessageBufferSend and "Mailslots".
Posted on 2003-04-18 18:55:09 by bazik
i found the "NetMessageBufferSend" API, but it doesn't need a protocol to send data over the network for those annoying pop-up windows? :confused:
Posted on 2003-04-18 20:47:08 by jademtech
I recently coded a frontend GUI for the NetMessageBufferSend() API, it's quite simple really, and it's my first real attempt at anything big in ASM.

Screenshot:


It's nothing big, but i hope it'll be useful. One problem that has arisen is that the message cannot be over 256 bytes, although the API limits the message to be 1600 bytes, maybe it's some limitation with the Edit control, i may try to change it into a Richedit and see what happens. If anybody has any insight on this i will be very grateful :)

The source might contain a lot of junky code, and probably can be optimized very much, sowiee, i'm only a newbie :stupid:

Here is the source:
Posted on 2003-04-18 21:17:41 by Drocon
Oh, and i recall asking this question a while back about mailslots, from what i can remember, the syntax for a basic mailslot message is like so:

.486
.model flat, stdcall
option casemap:none

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

.data
; Mailslot the Messenger service listens on: '\\Network Name\MAILSLOT\Messngr'
; (the 127.0.0.1 form below does not work; see the note after the code)
MailSlot BYTE '\\127.0.0.1\MAILSLOT\MESSNGR',0

; Payload layout: 'fromname',0,'spoofed to',0,'message',0
MailMsg BYTE 'god',0,'jesus',0,'how are you my son',0
; Length of the payload only ($-MailSlot would also count the mailslot name)
nNumberOfBytesToWrite = ($-MailMsg)

hfile DWORD ?
lpNumberOfBytesWritten DWORD ?

.code
start:
    ; open the remote mailslot for writing (hTemplateFile must be NULL, not -1)
    invoke CreateFile, addr MailSlot, GENERIC_WRITE, FILE_SHARE_READ, NULL, \
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
    cmp eax, INVALID_HANDLE_VALUE
    je done                     ; mailslot not found or host not reachable
    mov hfile, eax

    ; one WriteFile delivers one datagram; the service splits it into the three strings
    invoke WriteFile, hfile, addr MailMsg, nNumberOfBytesToWrite, \
                      addr lpNumberOfBytesWritten, NULL
    invoke CloseHandle, hfile
done:
    invoke ExitProcess, 0
end start


You should try to search back a bit to find my post, it's probably more useful than this :)

The limitation to this is that (as far as i know) mailslot messages are limited within your own LAN and use your computer name, so the example above using '127.0.0.1' will not work, and you would have to replace it with your computer name, but the advantage of this is that by replacing the network name with a '*' (asterisk), you can broadcast the message to the entire network (which may be quite annoying at times...)

Hope this helped!
Posted on 2003-04-18 21:29:21 by Drocon
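An encoder/decoder for the payload layout in the post above, added here as an example that is not part of the thread (Python rather than the post's MASM): it builds the three NUL-terminated strings and parses a captured mailslot write back into fields, so you can check what a packet analyzer shows you. Assumptions: ANSI text is cp1252, the 1600-byte limit is the figure quoted earlier in the thread (not taken from an SDK header), and the sample bytes are constructed.

```python
# Added example (not from the thread): encode/decode the Messenger Service
# mailslot payload layout described above:
#   'fromname',0,'to name',0,'message',0
# Assumptions: ANSI text is cp1252 and the message limit is the 1600 bytes
# quoted in the thread; neither value comes from an SDK header.
from typing import Optional

MAX_MESSAGE_BYTES = 1600


def build_payload(sender: str, recipient: str, message: str) -> bytes:
    """Return the three NUL-terminated strings exactly as the MASM data block lays them out."""
    fields = [sender, recipient, message]
    if any("\x00" in f for f in fields):
        raise ValueError("fields are NUL-terminated, so they cannot contain NUL")
    raw = [f.encode("cp1252") for f in fields]
    if len(raw[2]) > MAX_MESSAGE_BYTES:
        raise ValueError("message exceeds the 1600-byte limit")
    return b"".join(r + b"\x00" for r in raw)


def parse_payload(data: bytes) -> Optional[dict]:
    """Decode one captured mailslot write; None if it is not three NUL-terminated strings.

    Nothing in the payload authenticates the sender: the 'sender' field is
    whatever the writer put there, which is why the thread calls this easy to spoof.
    """
    if not data.endswith(b"\x00"):
        return None                       # truncated write
    parts = data[:-1].split(b"\x00")
    if len(parts) != 3:
        return None                       # missing or extra field
    sender, recipient, message = (p.decode("cp1252", errors="replace") for p in parts)
    return {
        "sender": sender,
        "recipient": recipient,
        "message": message,
        "oversize": len(parts[2]) > MAX_MESSAGE_BYTES,  # beyond what the API accepts
    }


# Constructed sample resembling the unsolicited message mentioned later in the thread.
CAPTURED = b"SKINNY PERSON\x00FAT PERSON\x00Lose weight fast\x00"

if __name__ == "__main__":
    print(parse_payload(CAPTURED))
```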
Hehe... Thanks :alright:
Posted on 2003-04-18 23:32:09 by jademtech
I think it's part of the samba (SMB) protocol. Try a packet analyzer like ethereal, it will analyze the packets and show you what the bytes actually represent.

Thomas
Posted on 2003-04-19 04:10:27 by Thomas
And don't forget you can SPAM every default installed Win2K/NT/XP machine over Internet with that technique... muhahaha :grin:
Posted on 2003-04-19 07:45:16 by bazik
hm... i recently got this message from "SKINNY PERSON" to "FAT PERSON" advertising weight loss diets or something - and i am by no means fat :p
Posted on 2003-04-19 10:13:52 by jademtech

I recently coded a frontend GUI for the NetMessageBufferSend() API, it's quite simple really, and it's my first real attempt at anything big in ASM.

Screenshot:
Posted on 2003-04-20 03:25:44 by abc123
It seems spammers are now using Messenger Service to propagate their ads. Luckily in XP you can completely disable the service. It's in administrative tools. :alright:
Posted on 2003-04-21 18:17:43 by Paulicles the Philosopher
i think there are ways around it even when it's disabled....

i remember some discussion about RPC calls being able to simulate the
popup message ( and you can't disable the RPC service )
Posted on 2003-04-21 21:01:45 by abc123
well this would probably be the problem:

invoke MultiByteToWideChar, CP_ACP, MB_PRECOMPOSED, ADDR Message, -1, ADDR MessageBuffer, 256

even if i change it to 1600, it won't work...
Posted on 2003-04-22 12:18:12 by Drocon