Hi guys.
I wrote this to open a command prompt the hard way :D, the only problem is it closes straight away.
Can anyone tell me how to keep this open when it runs?
Thanks.
;NASM
;
;compile with:
;NASM.EXE -fobj msvcrt.asm
;link with:
;ALINK.EXE msvcrt.obj -c -oPE
;
;the [ebp-x] memory operands were stripped from the post; they are reconstructed
;here from the stack layout the comments describe (8 zero bytes below ebp)
EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll
segment .code USE32
..start
push ebp                        ;procedure prolog
mov ebp, esp                    ;
xor eax,eax                     ;make nulls
push eax                        ;put on stack -> 8 zero bytes at [ebp-8]
push eax                        ;
mov dword [ebp-8],6376736dh     ;"msvc" (stored little-endian, so written as vcsm)
mov word [ebp-4],7472h          ;"rt"  -> [ebp-8] now holds "msvcrt",0
mov ecx,7c590221h               ;offset of LoadLibraryA (hardcoded, version-specific)
lea eax,[ebp-8]                 ;load the msvcrt string into eax
push eax                        ;put its address onto stack
call ecx                        ;call LoadLibraryA (stdcall: callee removes the argument)
pop eax                         ;clean stack for later
xor eax,eax                     ;make nulls
push eax                        ;put nulls onto stack
mov dword [ebp-8],2e646d63h     ;"cmd."
mov word [ebp-4],7865h          ;"ex"
mov byte [ebp-2],65h            ;"e"   -> [ebp-8] now holds "cmd.exe",0
mov ecx,78018ebfh               ;offset for system (hardcoded, version-specific)
lea eax,[ebp-8]                 ;load system string into eax
push eax                        ;put it onto stack
call ecx                        ;call system (cdecl: the argument stays on the stack)
push ebp                        ;procedure prolog
mov ebp,esp                     ;
push 7c5969beh                  ;address of ExitProcess (hardcoded)
xor eax,eax                     ;make nulls
push eax                        ;exit code 0
call dword [ebp-4]              ;call ExitProcess through the saved address
The only thing I can see off the bat is that your program does not "wait" after opening the command prompt (cmd.exe). Try testing out the "sleep" command after the "system" call to see if that is indeed the problem (sleep for 5-10 seconds, or something as obvious). If it is, you have to implement some loop to test if cmd.exe was closed (and then exit), or spawn it as a new process/thread.
Hi Spook.
I tried out the sleep function but had no luck.
The only reason I'm doing it this way is so I can actually learn what's going on.
I'll have another look around to see if I can find anything.
Thanks a lot.
Well, I tried it just for kicks in OllyDbg with this code.
The system call doesn't return until I close the command.com.
I don't think it should exit (I am on 9x so can't comment on cmd.exe).
0040127F 68 30304000 PUSH WIN.00403030 ; ASCII "msvcrt"
00401284 E8 25C9C8BF CALL LoadLibraryA
00401289 68 40304000 PUSH WIN.00403040 ; ASCII "system"
0040128E 50 PUSH EAX
0040128F E8 145BB7BF CALL KERNEL32.GetProcAddress
00401294 68 50304000 PUSH WIN.00403050 ; ASCII "command.com"
00401299 FFD0 CALL NEAR EAX
also you could try sending the /k or /c parameter along and see if it still exits
Strictly from memory, which in my case is pretty unreliable, you have to call cmd.exe with the /k switch in order to have it stay open. I will check to make sure when I get home from work tonight as I use it in WinExplorer, though not the msvcrt version.
does that look like shellcode to you guys, huhu?
comrade
That's an understandable observation.
Actually, come to think of it, it does look like shellcode, but that's not what this is.
Simply trying to learn how to call functions and use the stack.
Hmmmmm...
1) why are you calling the file "msvcrt"?
2) why are you constructing strings on the stack?
3) why are you using hardcoded addresses?
Hi Fodder.
Msvcrt is the dll I'm calling the external functions from.
As I said already, I'm learning the hard way so I know what's going on.
The way I see it is, I used masm for a while and all I did was call APIs using invoke and other macros, and only now I'm learning asm.
If you look at my previous posts, I'm learning how the stack works; I pushed strings for the messagebox function.
I don't have to use hardcoded addresses, I could use
EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll
EXTERN MessageBoxA
IMPORT MessageBoxA user32.dll
but if I hadn't decided to use hardcoded addresses I would still perhaps be in the dark as far as how asm coding works without macros and the include files and libs.
Honestly, I've learned more from doing it the hard way than in 2 months using masm.
So far in the last few days my understanding of functions, dlls and the stack has been very enjoyable.
And for any guests or other users who view the thread, I'm sure they're learning things.
Thanks
Msvcrt is the dll I'm calling the external functions from.
Is it now? I don't see you using any libc functions, and msvcrt seems to be the module name of your .asm file. Sounds like somebody trying to hide a trojan alongside system files.
There's no reason to use hardcoded addresses either, they'll only work on your specific windows version / service pack, and thus aren't useful unless you're dealing with shady topics.
If you really want to "learn things the hard way", take a look at fasm and how import tables are constructed - that's a lot more useful, hard, interesting and useful-outside-malicious-code than hardcoded addresses are.
Sorry if I'm being a prick, but as comrade said your code snippet certainly smells of shellcode, and we don't like that here. And I especially don't like it after having had to clean trojans off a bunch of computers.
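For anyone following the thread, here is an added example (not code from this thread or from any of the posters) that does the same job as the first post without hardcoded addresses: every API comes through the import table via NASM's EXTERN/IMPORT directives (the alink syntax already used above for ExitProcess), GetProcAddress looks up system in msvcrt at run time, and cmd.exe is launched with the /k switch suggested earlier so the prompt stays open. The build commands are assumed to be the same nasm -fobj / alink -c -oPE pair from the first post; the label and string names are my own.

```nasm
; Added example, not from the thread. Build (assumed, same as the first post):
;   NASM.EXE -fobj noaddr.asm
;   ALINK.EXE noaddr.obj -c -oPE
; The loader fills in LoadLibraryA/GetProcAddress/ExitProcess from the import
; table, so nothing here depends on one particular kernel32 build.

EXTERN LoadLibraryA
IMPORT LoadLibraryA kernel32.dll
EXTERN GetProcAddress
IMPORT GetProcAddress kernel32.dll
EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll

segment .data USE32
szMsvcrt  db 'msvcrt', 0          ; library to load
szSystem  db 'system', 0          ; function to look up in it
szCmd     db 'cmd.exe /k', 0      ; /k keeps the prompt open; /c would close it

segment .code USE32
..start:
    push ebp
    mov  ebp, esp
    sub  esp, 8                   ; locals: [ebp-4] = module handle, [ebp-8] = system()

    push dword szMsvcrt           ; LoadLibraryA("msvcrt"); stdcall, callee pops the arg
    call [LoadLibraryA]
    test eax, eax
    jz   lookup_failed
    mov  [ebp-4], eax

    push dword szSystem           ; GetProcAddress(hMsvcrt, "system")
    push dword [ebp-4]
    call [GetProcAddress]
    test eax, eax
    jz   lookup_failed
    mov  [ebp-8], eax

    push dword szCmd              ; system("cmd.exe /k"); cdecl, so we pop the arg
    call dword [ebp-8]
    add  esp, 4
    ; system() only returns once the shell exits, so the window stays open until then

    push dword 0                  ; ExitProcess(0)
    call [ExitProcess]

lookup_failed:
    push dword 1                  ; ExitProcess(1): library or symbol not found
    call [ExitProcess]
```

The two calling conventions are the part worth watching: LoadLibraryA and GetProcAddress are stdcall, so the callee removes its arguments and the stack is already clean after `call`; system is cdecl, so the caller has to do the `add esp, 4` itself. The stack-string trick from the first post is not needed once the strings live in .data, and replacing the hardcoded numbers with the GetProcAddress lookup is exactly what makes the program run on more than one Windows build.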
No problem.
If I had read this post a few days ago I wouldn't have a clue what you were on about.
But since I chose the hard way to do this code, now I know what you're on about.
Thanks for the suggestions about fasm I will look into that as soon as I understand assembler more.
Thanks for your opinions.
We're just a little paranoid around here lately - search this board for specific stuff, there's a wealth of info tucked away here, and if you wanna ask more specific questions, they'll most likely be answered, just avoid asking the WRONG questions and everyone is happy .. (the wrong questions are the ones that make you sound like you wish to dominate the world) ..
Homer.
I didn't realise my question was like that until comrade pointed it out.
Thanks a lot so far anyways for your help guys.