News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

Real Force Shutdown

Started by ic2, December 21, 2006, 07:46:31 AM

Previous topic - Next topic

ic2

Can masm do this, if so do anyone know how to translate this fasm code to masm code.  Size is not an issue.

I also included a complied exe.  If you try it make sure you don't have nothing important to save.  It will shut down the system totally in about 2 - 4 sec no question asked.  It works  for XP with or with-out service pack2.  I don't know about win2000

The link to this code is at http://board.flatassembler.net/topic.php?t=5068

Also is there something that can translate fasm to masm around anywhere.

Change .bin to .exe than execute it.

This seem to be the order calls are made

TOKEN_ADJUST_PRIVILEGES
NtOpenProcessToken
ShutdownPowerOff eax SeShutdownPrivilege 1
NtAdjustPrivilegesToken
mov     al, NtShutdownSystem

Thanks in advance

[attachment deleted by admin]


ic2

That's it E^cube

Now i can study how those api work.  It's hard to understand in fasm.

Thank you
Thank you
Thank you

sluggy

But why are you forcing a machine to just shut down? It is extremely bad UI to do that. And don't be surprised if your code soesn't work if the user is not administrator.


ic2

QuoteBut why are you forcing a machine to just shut down?
Because i like speed and and want to study the NT api.  Never saw no NT code in masm or anything that ever caught my attention until now ...

QuoteIt is extremely bad UI to do that.
Xp not complaining, I did it over 100x already ... I reboot instead of shutdown for testing so that the hard drive keep spinning to reduce stress.

QuoteAnd don't be surprised if your code soesn't work if the user is not administrator.

Glad you brought that to my attention. 

Do you mind sharing...  what is the script and where do I write it to be use in my XP as an administrator to protect my machine on an network from programs like the Timer shutdown being used mulishly over an network ?

Don't go and disappear on me again bud


ic2

Ok, I been working hard trying to translate from Fasm to Masm.  I could not make since of it because the fasm code really don't have a normal PE.  So, I set the program up in masm using NT api based on the Timer ShutDown code.  I think I have set things properly but having trouble with NtAdjustPrivilegesToken call.

Here is the entire test sample with a *stripped* down working PROC from the Timer ShutDown zip, a re-arranged, comment-out, 
Ancient One Fasm code for study purposes and my non-working NT PROC.

You can fire it up and it will do nothing more than display three message boxes to show if the three NT api work or not... Far as I can tell only one does not.

If there are no serious NT coders here to go into detail of how these API work would an enlightened coder still try to help me to get this code running.  I been at it for sometime now and I am  totally stumped.  You can see that in that code lay-out.  Should be easy to work with ...

Thanks in advance



.686
      .model flat, stdcall
      option casemap :none   ; case sensitive

            include \masm32\include\user32.inc
            include \masm32\include\kernel32.inc
            include \masm32\include\ADVAPI32.inc
            includelib \masm32\lib\user32.lib
            includelib \masm32\lib\kernel32.lib
            includelib \masm32\lib\ADVAPI32.lib

;=================
; Structures for
;=================

OSVINFO STRUCT
  dwOSVersionInfoSize   DWORD      ?
  dwMajorVersion        DWORD      ?
  dwMinorVersion        DWORD      ?
  dwBuildNumber         DWORD      ?
  dwPlatformId          DWORD      ?
  szCSDVersion          BYTE 128 dup (?)
OSVINFO ENDS

LUIDCUST STRUCT
  usedpart              DWORD      ?
  ignorehigh32bitpart   DWORD      ?
LUIDCUST ENDS

TOKEN_PRIVS STRUCT
  privilegecount        DWORD      ?
  theluid               LUIDCUST   <>
  attributes            DWORD      ?
TOKEN_PRIVS ENDS

AdjustToken     PROTO

;=================
;=================
.const

ShutdownPowerOff                equ  2

TOKEN_ADJUST_PRIVILEGES         equ  20h
SE_SHUTDOWN_NAME                equ       ("SeShutdownPrivilege")
SE_PRIVILEGE_ENABLED            equ  2h

;=================
;=================
.data

sz_ntdll                        DB  "ntdll",0
sz_NtOpenProcessToken           DB  "NtOpenProcessToken",0          ; = 123
sz_NtAdjustPrivilegesToken      DB  "NtAdjustPrivilegesToken",0     ; = 011
sz_NtShutdownSystem             DB  "NtShutdownSystem",0            ; = 249

sz_SeShutdownPrivilege          DB  "SeShutdownPrivilege",0


sz_Code_Check_1                     DB  " NtOpenProcessToken:  Code Check 1 ",0
sz_Code_Check_2                     DB  " NtAdjustPrivilegesToken:Code Check 2",0
sz_Code_Check_3                     DB  " NtShutdownSystem:  Code Check 3 ",0

;=================
;=================
.data?

  temp                              DWORD   ?
__ntdll                             DWORD   ?
__NtOpenProcessToken                DWORD   ?       ; = 123  from Ancient One 104
__NtAdjustPrivilegesToken           DWORD   ?       ; = 011  Don't know if masm
__NtShutdownSystem                  DWORD   ?       ; = 249  use nubers or not
;  ..........................................
;  ..........................................
cProcessHandle      DWORD   ?
c_Token_Handle      DWORD   ?
lBufferNeeded       DWORD   ?
tBuff               BYTE    32 dup(?)
v_ID_POINTER        DWORD   ?
;  ..........................................
;  ..........................................
values_ID_STRUCT        LUIDCUST          <?>
tkp                     TOKEN_PRIVS       <?>
tkp_New_But_Ignored     TOKEN_PRIVS       <?>


;=================
;=================
;=================
;=================

.code

Start:

; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


;;;         jmp  __Avoid_this_NT_code

CALL nt_GET_NT_API

;=================      With little modifcation
;=================      of lables you can Jump over this if
;=================      to test the working version of 
;=================      the slow Timer ShutDown from Icz Website
;=================     
;=================      The 17 lines of code below is what
;=================      I am working on.  I think I got
;=================      NtOpenProcessToken right but having trouble
;=================      with  NtAdjustPrivilegesToken

;  ...........................................................  NtOpenProcessToken
PUSH  offset c_Token_Handle     ; OUT PHANDLE     TokenHandle
PUSH  TOKEN_ADJUST_PRIVILEGES   ; IN ACCESS_MASK  DesiredAccess  or 40
PUSH  cProcessHandle            ; IN HANDLE       ProcessHandle
CALL   __NtOpenProcessToken 

mov temp, eax

invoke MessageBoxA, 0, offset  temp, offset sz_Code_Check_1, 0

;  .......................................................  NtAdjustPrivilegesToken

PUSH  offset lBufferNeeded       ; OUT PULONG              RequiredLength OPTIONAL
PUSH  offset tkp_New_But_Ignored ; OUT PTOKEN_PRIVILEGES   PreviousPrivileges OPTIONAL
PUSH  SizeOf tkp_New_But_Ignored ; IN ULONG                PreviousPrivilegesLength
PUSH  offset tkp                 ; IN PTOKEN_PRIVILEGES    TokenPrivileges
PUSH  0                          ; IN BOOLEAN              DisableAllPrivileges
PUSH  c_Token_Handle             ; IN HANDLE               TokenHandle
CALL  __NtAdjustPrivilegesToken

mov temp, eax

invoke MessageBoxA, 0, offset  temp, offset sz_Code_Check_2, 0

;  ...................................................  NtShutdownSystem
PUSH    ShutdownPowerOff          ; Action
CALL  __NtShutdownSystem

mov temp, eax

invoke MessageBoxA, 0, offset  temp, offset sz_Code_Check_3, 0



;=================
;=================
;=================
;=================

jmp ___exit

;;       __Avoid_this_NT_code:

     jmp __Avoid_this_Kernel_code

; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    This is a working strip
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    Down verison of
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    ShutDownTimer from
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    Iczion Web Site
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    I use this to figure out
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    how to fill the NT api
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    used.  Goal is to match
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    the speed or Strength
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    of Ancient One 104 .
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    ShutDown and to learn
; @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    something about the NT Api


CALL GetCurrentProcess
        mov cProcessHandle,eax

        lea eax, tBuff                 ; address of temp buffer into eax
        mov v_ID_POINTER, eax          ; set pointer to temp buffer
        mov BYTE PTR [eax], 0          ; initialize the buffer




;  ....................................  LOOK_UP_PRIVILEGES_VALUES
;  ....................................  LOOK_UP_PRIVILEGES_VALUES
;  ....................................  LOOK_UP_PRIVILEGES_VALUES

PUSH  offset c_Token_Handle
PUSH  40
PUSH  cProcessHandle
CALL  OpenProcessToken

    PUSH  offset values_ID_STRUCT
    PUSH  offset sz_SeShutdownPrivilege
    PUSH  v_ID_POINTER
    CALL  LookupPrivilegeValue

        lea eax, values_ID_STRUCT

;  ....................................  FILL STRUCTURES
;  ....................................  FILL STRUCTURES
;  ....................................  FILL STRUCTURES

mov ecx, (LUIDCUST PTR [eax]).usedpart              ; Contents of STRUCT into ecx:edx
mov edx, (LUIDCUST PTR [eax]).ignorehigh32bitpart
         lea eax, tkp                               ; address of tkp into eax

mov (TOKEN_PRIVS PTR [eax]).privilegecount,     1
mov (TOKEN_PRIVS PTR [eax]).theluid.usedpart, ecx
mov (TOKEN_PRIVS PTR [eax]).theluid.ignorehigh32bitpart, edx
mov (TOKEN_PRIVS PTR [eax]).attributes,         2

;  .................................................  AJUST_TOKEN_PRIVILEGES
;  .................................................  AJUST_TOKEN_PRIVILEGES
;  .................................................  AJUST_TOKEN_PRIVILEGES
PUSH  offset lBufferNeeded
PUSH  offset tkp_New_But_Ignored
PUSH  SizeOf tkp_New_But_Ignored
PUSH  offset tkp
PUSH  0
PUSH  c_Token_Handle
CALL  AdjustTokenPrivileges
;  .................................................  SHUT THIS MONKEY DOWN
;  .................................................  SHUT THIS MONKEY DOWN
;  .................................................  SHUT THIS MONKEY DOWN

PUSH  0
PUSH  2 + 8 + 4
CALL  ExitWindowsEx


; EWX_SHUTDOWN + EWX_POWEROFF + EWX_FORCE + EWX_FORCEIFHUNG + EWX_REBOOT
; 1              8              4                        10            2



__Avoid_this_Kernel_code:
___exit:


      PUSH  0
         CALL  ExitProcess


;  #################################################################
;  #################################################################
;  #################################################################  Get NT Api
;  #################################################################  Get NT Api
;  #################################################################  Get NT Api
;  #################################################################  Get NT Api
;  #################################################################
;  #################################################################

nt_GET_NT_API    proc

        invoke LoadLibrary, offset sz_ntdll
            cmp eax, 0h
    je Unload
            mov __ntdll, eax

        invoke GetProcAddress, __ntdll, offset sz_NtOpenProcessToken
            cmp eax, 0h
    je Unload
            mov __NtOpenProcessToken, eax


        invoke GetProcAddress, __ntdll, offset sz_NtAdjustPrivilegesToken
            cmp eax, 0h
    je Unload
            mov __NtAdjustPrivilegesToken, eax

        invoke GetProcAddress, __ntdll, offset sz_NtShutdownSystem
            cmp eax, 0h
    je Unload
            mov __NtShutdownSystem, eax

  Unload:
ret

nt_GET_NT_API endp


;  #################################################################





end Start



;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 
;   ......................................................... 

;   .........................................................  This is Ancient One
;   .........................................................  FASM 104 byte fast
;   .........................................................  system shutdown
;   .........................................................  I just line those jumps
;   .........................................................  up for study
;    mov     ebx, esp
;    push    ebx
;    push    TOKEN_ADJUST_PRIVILEGES
;    push    (-1) ebx NtOpenProcessToken
;    pop     eax
;dd imageBase
;dd 4
;dd 4

;    call    edi
;    push    ShutdownPowerOff eax SeShutdownPrivilege 1
;    mov     ebp, esp
;    push    eax
;dd entryPoint

;    push    eax eax ebp eax
;dd sizeof.image
;dd sizeof.peHeaders

;    push    dword [ebx]
;dw 2
;sizeof.optionalHeader = $-optionalHeader
;sizeof.peHeaders = sizeof.optionalHeader

;    push    ebp
;    mov     al, NtAdjustPrivilegesToken
;    call    edi
;    leave

;    mov     al, NtShutdownSystem
;_sysEnter:
;    mov     edx, esp
;    sysenter
;sizeof.image=$


PBrennick

#6
ic2,
I think I have something that will help you. It is my version of a 'force shutdown' utility. It is not as small as the FASM version, but it works. I see you are making excellent progress with your conversion. The only reason I am attaching my version is so you can examine how I handled the Privileges issue.

I hope this helps you finish your project.

Paul

[attachment deleted by admin]
The GeneSys Project is available from:
The Repository or My crappy website

AkinforASM

As a newbie I mean to help. I hope I can manage it.

In delphi I can use the following winapis to force (even) XP to shut down.


SendMessage(HWND_BROADCAST, WM_SHUTDOWN, 0, 0);
ExitWindowsEx(EWX_SHUTDOWN, 0);


This is the pascal syntax. And this two lines ensure that the computer is shut down. HTH.

Ehtyar

Are you not first required to acquire the SeShutdownPrivilege?

Ehtyar.

AkinforASM

Quote from: Ehtyar on December 23, 2006, 09:14:31 PM
Are you not first required to acquire the SeShutdownPrivilege?

Ehtyar.

:dazzled: This time I've tested these two lines but they did not shut the OS down. :dazzled:

When I tested this code I was using XP (with no SPs) as an admin (at least 1,5 years ago). Now I'm using it as a user/admin, it fails.  :eek

Sorry for the mislead. Regards.

ic2

Thanks Pbrennick for the effort, but it still kernel code,  not direct Nt-API code which will produce the desired results.  There are only three possible ways to hit a total SYSTEM HALT on XP like Ancient One did ...

1: Using the NT Api. 2: Ring 0, or 3: Totally Crashing the system... which is not a bad idea.  Data will be loss but it will not harm my NT machine.  A TOTAL system HALT is what The Ancient One code actually accomplished. The programmer dream !!!

You get first crack at your own sh*t before some nut or vir** do.  You already know that when  *guys*  like that get through f**king you out of what they  came for,   *they only shut you down*   and move on to the next weak puter-chick  . . . ..

This what got me interested in the NT Api. but let me add this to my question.

Do anyone got some old bad code that once crashed your XP?  I mean from The Blue Screen of Death to a total shutdown.

Thank for the present replies and all new suggestion that may come.

Btw: a BROADCAST for a shutdown.  Not exactly what I'm after but i will be trying that in a minute. You said it works depending... that's going to be a big surprise for a lot of people.  It must be Christmas :)

Ehtyar

The trouble with BSOD code is that it's the one thing microsoft is actually efficient at patching. You will find in most cases that any BSOD code publicly available will no longer work, and on the off chance it still does, your use of it, or posting it on public forums, will undoubtebly lead to the vulnerability being patched even sooner. However, as you said, it is relavively easy to crash a machine from ring0, though accessing ring0 from ring3 is intentionally made almost impossible by microsoft for this very reason. You can always install a driver at runtime, and use code from it to crash the machine, but again, that is made intentionally difficult by Microsoft. I can't help you in any of these respects on principal, but these are your options, i hope some of it helps, provided your intentions are legitimate.

Ehtyar.

P.S. If you decide to persue driver development, have a look here for the Kernel Mode Driver Kit, which contains some very helpful beginner examples and skeleton code.

ic2

I hate questions like that when im trying to solve a little problem and the know code is spreaded around the world somewhere.

Now i have to explain myself AGAIN  :(  ;(  ;(

There are some things i do for my machines "only", when it comes to coding certain type programs.  I wrote my own type system monitoring that is useful enough for what i need it for.

I use my same development machine while surfing the net.  This is stupid but I got my own way to deal with any attacks.  I wait for them just to make sure my sh*t work.  I don't rely totally on no known public program.  I don't even truth the OS itself.  I use nothing but a half way decent firewall.  I seen people turn of my firewall before my very eyes, MANY, MANY TIMES until they gave up after a few months.

I got big tricks when things like that happens, and if someone manage to bypass my tricks, I'm no fool. It SHUT DOWN.  I just founded a better way to shut down and want to code it in masm to throw it into my bag of trick.  As I said i don't even trust the OS, I only rely on what I can do for it to be as secure as i need it to be and i got my way of challenging that.  This is where i have my fun.

So yes, my intentions are legitimate.

Now that I read your reply, you are absolutely right.  I already know that...  Even NT code get change with patches.  MS will try to fix anything and is right doing so, but I need this for my own  machines.  I think i indicated that from the start.

So if someone know to halt a system PM me with that few lines of code.  As far as my original question real such down we all know by now it got to be done with the NT Structure coding so that question remain.

Ehtyar, I got the KMD kit about a week ago and been looking into it seriously.  It's enough for me to be fooling around with NT coding, my encryption program, updating my system monitor, building a web browsers cause i hate google useless packets running through my machine all day when I never use them. FireFox sold out...  etc... It all got me trying to reconstructing Qeditor and Ewayne AsmEdit to my convenience to rapidly fly though all of this before I forget something important all at the same time.  Dame, i could go on and on and still end up with my original question never being answered here.. . I hardly ever go elsewhere with the same question.

Thanks for your insight Ehtyar and all your help.  I know you are sincere  but if someone ever worry about my intentions again Im going to go some place and hide from the world and drown myself in booze and women for the rest of my like. I accually joined this pass summer and out of the few questions I asked I been re-questioned in nearly every thread I made from day 1.

I had more fun being reading guest. Than I spent all of my time explaining what i need to do it for like some kind of kid, than, the re-questionnaire leave and never come back with any type of response and no one else would even bother after seeing it all.

My questions usually are a little deeper but that's because I been following the assembler boards in the background for a long time.

I thought that was all over by now.  Shutting a system down ... This is not a un-common thing to do.  I just want to do it faster. 
I use kernel code for year.  There nothing wrong with NT, MS$ use it to better there own programs and change up when we get hip to it that's all..

sinsi

May be useful...Can't remember if I got it from this board, seem to remember something about "smallest Win32 EXE" or similar.

[attachment deleted by admin]
Light travels faster than sound, that's why some people seem bright until you hear them.

ic2

Thanks sinsi, that is one of the fasm code back when they had the fastest, smallest shutdown challenge.  Like bitRAKE and The Svin use to do with masm.  The Ancient One was the smallest coming in at 104 bytes.  I consider him as the Svin of fasm.

I would do fasm but I might get caught up in mastering fasm development with NO HELP instead of writing ready-to-do-something programs.  Over all there are only three places that I know of where help is in abundances and this is one of them.

Anyway, these are the three must-use API for masm to match the functionality of those fasm programs.  Forget about being the smallest... masm can't beat fasm in that area, so size is not the issue.  Just in case someone come up with something all of below MUST be included in that code any think else is kernel level code.  NT can get like ring 0 but it don't last long if MS find out you got to fancy with it or do better with it than he they.  hee  hee  They call it a bug in a minute. ..


Thanks again for trying sinsi


Equates
SE_PRIVILEGE_ENABLED equ 2
SeShutdownPrivilege equ ("SeShutdownPrivilege")
TOKEN_ADJUST_PRIVILEGES equ 20h


Api Calls
NtAdjustPrivilegesToken
NtOpenProcessToken
NtShutdownSystem