Hi guys.

I wrote this to open a command prompt the hard way :D. The only problem is it closes straight away.
Can anyone tell me how to keep this open when it runs?
Thanks.



;NASM
;
;compile with:
;NASM.EXE -fobj msvcrt.asm
;link with:
;ALINK.EXE msvcrt.obj -c -oPE
;
;The bracketed memory operands were lost in the forum rendering; they are
;restored here as [ebp-8]/[ebp-4]/[ebp-2], which is what the prolog and the
;two pushed null dwords imply (8 zero bytes directly below ebp).

EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll

segment .code USE32

..start:

push ebp                        ;procedure prolog
mov ebp, esp                    ;
xor eax, eax                    ;make nulls
push eax                        ;[ebp-4] = 0
push eax                        ;[ebp-8] = 0
mov dword [ebp-8], 6376736dh    ;"msvc" (little-endian; the constant reads vcsm)
mov word [ebp-4], 7472h         ;"rt" -> "msvcrt\0\0" starting at [ebp-8]
mov ecx, 7c590221h              ;hardcoded address of LoadLibraryA (only valid on the poster's Windows build)
lea eax, [ebp-8]                ;address of the "msvcrt" string
push eax                        ;the address is the argument
call ecx                        ;call LoadLibraryA (stdcall: the callee removes the argument)
pop eax                         ;clean stack for later
xor eax, eax                    ;make nulls
push eax                        ;put nulls back onto the stack
mov dword [ebp-8], 2e646d63h    ;"cmd."
mov word [ebp-4], 7865h         ;"ex"
mov byte [ebp-2], 65h           ;"e" -> "cmd.exe\0" starting at [ebp-8]
mov ecx, 78018ebfh              ;hardcoded address of msvcrt's system()
lea eax, [ebp-8]                ;address of the "cmd.exe" string
push eax                        ;the address is the argument
call ecx                        ;call system (cdecl: the argument is left on the stack)
push ebp                        ;procedure prolog
mov ebp, esp                    ;
push 7c5969beh                  ;address of ExitProcess -> [ebp-4]
xor eax, eax                    ;make nulls
push eax                        ;exit code 0
call dword [ebp-4]              ;call ExitProcess through the saved pointer
Posted on 2006-06-05 08:15:53 by gavin_
The only thing I can see off the bat is that your program does not "wait" after opening the command prompt (cmd.exe). Try testing out the "sleep" command after the "system" call to see if that is indeed the problem (sleep for 5-10 seconds, or something as obvious). If it is, you have to implement some loop to test if cmd.exe was closed (and then exit), or spawn it as a new process/thread.
Posted on 2006-06-05 14:45:14 by SpooK
Hi Spook.

I tried out the sleep function but had no luck.
The only reason I'm doing it this way is so I can actually learn what's going on.
I'll have another look around to see if I can find anything.

Thanks a lot.
Posted on 2006-06-06 11:09:44 by gavin_
Well, I tried it just for kicks in OllyDbg with this code.
The system call doesn't return until I close command.com.
I don't think it should exit :( (I am on 9x so can't comment on cmd.exe)


0040127F      68 30304000  PUSH    WIN.00403030                    ;  ASCII "msvcrt"
00401284      E8 25C9C8BF  CALL    LoadLibraryA
00401289      68 40304000  PUSH    WIN.00403040                    ;  ASCII "system"
0040128E      50            PUSH    EAX
0040128F      E8 145BB7BF  CALL    KERNEL32.GetProcAddress
00401294      68 50304000  PUSH    WIN.00403050                    ;  ASCII "command.com"
00401299      FFD0          CALL    NEAR EAX



Also, you could try sending the /k or /c parameter along and see if it still exits.

Posted on 2006-06-06 11:28:48 by bluffer
Strictly from memory, which in my case is pretty unreliable, you have to call cmd.exe with the /k switch in order to have it stay open. I will check to make sure when I get home from work tonight, as I use it in WinExplorer, though not the msvcrt version.
Posted on 2006-06-06 13:12:33 by donkey
Does that look like shellcode to you guys, huhu?
Posted on 2006-06-06 18:07:12 by comrade
comrade

That's an understandable observation.
Actually, come to think of it, it does look like shellcode, but that's not what this is.
I'm simply trying to learn how to call functions and use the stack.


Posted on 2006-06-06 18:33:35 by gavin_
Hmmmmm...

1) why are you calling the file "msvcrt"?
2) why are you constructing strings on the stack?
3) why are you using hardcoded addresses?
Posted on 2006-06-07 03:13:05 by f0dder
Hi f0dder.

Msvcrt is the DLL I'm calling the external functions from.
As I said already, I'm learning the hard way so I know what's going on.
The way I see it is, I used MASM for a while and all I did was call APIs using invoke and other macros, and only now I'm learning asm.

If you look at my previous posts, I'm learning how the stack works; I pushed strings for the MessageBox function.

I don't have to use hardcoded addresses; I could use


EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll
EXTERN MessageBoxA
IMPORT MessageBoxA user32.dll


But if I hadn't decided to use hardcoded addresses, I would still perhaps be in the dark as to how asm coding works without macros and the include files and libs.

Honestly, I've learned more from doing it the hard way than in 2 months using MASM.
So far, in the last few days, my understanding of functions, DLLs and the stack has been very enjoyable.

And for any guests or other users who view the thread, I'm sure they're learning things.


Thanks

Posted on 2006-06-07 07:07:50 by gavin_

Msvcrt is the dll I'm calling the external functions from.

Is it now? I don't see you using any libc functions, and msvcrt seems to be the module name of your .asm file. Sounds like somebody trying to hide a trojan alongside system files.

There's no reason to use hardcoded addresses either, they'll only work on your specific windows version / service pack, and thus aren't useful unless you're dealing with shady topics.

If you really want to "learn things the hard way", take a look at fasm and how import tables are constructed - that's a lot more useful, hard, interesting and useful-outside-malicious-code than hardcoded addresses are.

Sorry if I'm being a prick, but as comrade said your code snippet certainly smells of shellcode, and we don't like that here. And I especially don't like it after having had to clean trojans off a bunch of computers.
Posted on 2006-06-07 07:18:54 by f0dder
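Added example, not code from the thread: the same program with the hardcoded addresses replaced by the NASM/ALINK import mechanism the first post already declares for ExitProcess, system() resolved at run time with LoadLibraryA/GetProcAddress the way bluffer's listing does it, and cmd.exe started with the /k switch donkey mentions. The return values of LoadLibraryA and GetProcAddress are checked before being called through, and system() is cleaned up as cdecl (the caller removes the argument), which the original code skips. Assumptions not in the thread: the file name cmdk.asm, the label names, that ALINK imports are called through the import table as `call [symbol]` as in its sample programs, and that /k is what keeps the spawned shell open.

```nasm
;NASM, built with the same toolchain as the original post (assumed file name cmdk.asm):
;  NASM.EXE -fobj cmdk.asm
;  ALINK.EXE cmdk.obj -c -oPE
;
;Imports resolved by the linker instead of hardcoded addresses, so the binary
;works on any 32-bit Windows build rather than one service pack.
EXTERN LoadLibraryA
IMPORT LoadLibraryA kernel32.dll
EXTERN GetProcAddress
IMPORT GetProcAddress kernel32.dll
EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll

segment .data USE32

szMsvcrt   db 'msvcrt.dll', 0
szSystem   db 'system', 0
szCmdLine  db 'cmd.exe /k', 0      ; /k: run and keep the shell open (assumption from the thread)

segment .code USE32

..start:
    push dword szMsvcrt
    call [LoadLibraryA]            ; stdcall: the callee pops its argument
    test eax, eax                  ; NULL -> library not found
    jz   .fail

    push dword szSystem
    push eax                       ; HMODULE of msvcrt.dll
    call [GetProcAddress]          ; stdcall, returns address of system()
    test eax, eax                  ; NULL -> export not found
    jz   .fail

    push dword szCmdLine
    call eax                       ; system() is cdecl: the caller cleans up
    add  esp, 4                    ; remove the argument we pushed
                                   ; system() blocks until the spawned shell exits
    push eax                       ; use system()'s return value as the exit code
    call [ExitProcess]

.fail:
    push dword 1                   ; exit code 1: could not resolve system()
    call [ExitProcess]
```

system() hands its string to the command interpreter, so the line actually run is cmd.exe /c "cmd.exe /k"; the inner instance stays open for input and system() does not return until it is closed, which is the behaviour bluffer observed in OllyDbg. The `add esp, 4` after `call eax` is the one stack-balancing step that differs from the kernel32 calls above it: those are stdcall, system() is not.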
No problem.

If I had read this post a few days ago I wouldn't have had a clue what you were on about.
But since I chose the hard way to do this code, now I know what you're on about.

Thanks for the suggestions about fasm I will look into that as soon as I understand assembler more.

Thanks for your opinions.




Posted on 2006-06-07 07:32:46 by gavin_
We're just a little paranoid around here lately - search this board for specific stuff, there's a wealth of info tucked away here, and if you wanna ask more specific questions, they'll most likely be answered, just avoid asking the WRONG questions and everyone is happy .. (the wrong questions are the ones that make you sound like you wish to dominate the world) ..
Posted on 2006-06-07 07:59:45 by Homer
Homer.

I didn't realise my question was like that until comrade pointed it out.
Thanks a lot so far anyway for your help, guys.


Posted on 2006-06-07 08:40:51 by gavin_