
TASM32 Detect GUI or CONSOLE


#1 JMC31337
Learning Programmer, Members, 32 posts
Here's a simple way of seeing whether or not you ran a program from the Windows GUI or from the console... TASM32 is a lost art... I give my thanks to Benny 29/A and the VX'RS for teaching me and showing me the way... I have learned much and the road is long and hard... I still have much to learn...
;COMPILATION STYLES
; tasm32 -ml test.asm
; tlink32 -Tpe -c -x test ,,, import32
;tasm32 /mx /m3 /z /q new
;tlink32 -x /Tpe /aa /c new,new,, import32.lib
;====================
.386p
locals
jumps
.model flat, stdcall
include windows.inc
;only GetModuleFileNameA, GetCommandLineA and MessageBoxA are used below;
;the rest of the imports are declared so more APIs can be tested later
;(duplicate declarations of WriteFile, ExitProcess and WinExec removed)
extrn InternetOpenUrlA:PROC  ;========== AV'S DONT DETECT THIS
extrn ExitProcess:PROC
extrn VirtualFree:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn InternetOpenA:PROC  ;============== NOR THIS
extrn GetModuleFileNameA:PROC
extrn ReadFile:PROC
extrn WriteFile:PROC
extrn CreateFileA:PROC
;extrn bind:PROC         ;===========F-PROT AV DETECTS THIS AS BACKDOOR
extrn CloseHandle:PROC
extrn MessageBoxA:PROC
extrn InternetReadFile:PROC    ;================= NOT THIS
extrn GetFileSize:PROC
extrn VirtualAlloc:PROC
extrn DeviceIoControl:PROC
extrn GetFileAttributesA:PROC
;extrn WSAStartup:PROC     ;================AND THIS
extrn GetTempFileNameA:PROC
extrn CreateProcessA:PROC
extrn GetVersion:PROC
extrn WinExec:PROC
extrn GetCommandLineA:PROC
extrn InternetQueryDataAvailable:PROC   ;===========NOR THIS
extrn GetStdHandle:PROC
extrn WriteConsoleA:PROC
extrn GetModuleHandleA:PROC
extrn DefWindowProcA:PROC
;extrn socket:PROC    ;============= AND THIS
extrn LoadIconA:PROC
extrn LoadCursorA:PROC
extrn DialogBoxParamA:PROC
extrn EndDialog:PROC
;extrn recv:PROC     ;==============AND THIS
extrn LoadLibraryA:PROC
;extrn htons:PROC ;=================AND THIS
extrn GetProcAddress:PROC
extrn RegCreateKeyExA:PROC
;extrn listen:PROC ;=================AND THIS
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetWindowsDirectoryA:PROC
;extrn accept:PROC  ;=================AND THIS
extrn FindWindowA:PROC
extrn CopyFileA:PROC
extrn MoveFileA:PROC
;extrn send:PROC    ;================AND THIS
extrn DeleteFileA:PROC
extrn closesocket:PROC
extrn ShellExecuteA:PROC
extrn mciSendStringA:PROC
;extrn WSAAsyncSelect:PROC ;==============AND THIS
extrn GetDlgItemTextA:PROC
extrn GetDlgItem:PROC
extrn GetDlgItemText:PROC

mb_ok     equ 0                  ; 0 is std windows messaging (MB_OK)
mb_ok2    equ 32                 ;32 is the windows ? mark style (MB_ICONQUESTION)
hWnd      equ 0                  ;no owner window
lpCaption equ offset caption
lpWIN     equ offset logoWIN
lpDOS     equ offset logoDOS

.data
caption    db "",0
logoWIN    db "RAN ON WIN32 GUI",0
logoDOS    db "RAN FROM CONSOLE",0

fname db 256 dup (?)             ;buffer for our own module path

.code
start:

 mov esi, offset fname   ;where to store virus filename
 push 256                ;size of filename buffer
 push esi                ;ptr to filename buffer
 push 0                  ;hModule = 0 -> the running executable
 call GetModuleFileNameA
 xchg edx,esi            ;keep the buffer ptr in edx (not used further here)
 call GetCommandLineA    ;get command-line, returns ptr in eax
 xchg eax, esi           ;to esi

 lodsb                   ;first byte of the command line -> al
 cmp al, '"'             ;Explorer quotes the path, the console does not
 ;je more_tests          ;I PUT THIS IN SO TO ADD MORE API TO TEST
 je win                  ;started with a quote -> launched from the GUI
 jne dos                 ;anything else -> launched from the console

more_tests:              ;("test" is an instruction mnemonic, so the label gets another name)

ret
dos:
push mb_ok
push lpCaption
push lpDOS
push hWnd
call MessageBoxA
ret                      ;returning from the entry point ends the process

win:
push mb_ok2
push lpCaption
push lpWIN
push hWnd
call MessageBoxA
ret

end start
 

How it works: when you double click, the Windows messaging services throw a " around the PATH + FILENAME, i.e. "C:\TEST.EXE",
but when you run a program from the console it doesn't throw ",
i.e. C:\TEST.EXE. This is easily detected via compare: cmp al (accumulator low byte) to the original ".

██████ VX'R ██████

Edited by JMC31337, 13 June 2010 - 10:20 PM.

"Your Life Is Your Crime, It's Punishment Time"
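The same check in C, as an added example that is not the poster's code: `classify_cmdline` is the post's quote test, and `extract_module_path` is a small parser (my own name) that pulls the module path out of the raw command line whether Explorer quoted it or not, refusing an unbalanced quote. On Windows it reads the live command line with GetCommandLineA; elsewhere it runs on a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum launch_style { LAUNCH_CONSOLE = 0, LAUNCH_GUI = 1 };

/* The post's heuristic: Explorer wraps the module path in double quotes
 * on a double click, a console launch of C:\TEST.EXE does not. */
enum launch_style classify_cmdline(const char *cmdline)
{
    return (cmdline != NULL && cmdline[0] == '"') ? LAUNCH_GUI : LAUNCH_CONSOLE;
}

/* Copy the module path (first token of the command line) into out, with the
 * quotes stripped if present. Returns the path length, or -1 when the closing
 * quote is missing or out is too small. */
int extract_module_path(const char *cmdline, char *out, size_t outsz)
{
    const char *p = cmdline, *end;
    size_t len;
    if (*p == '"') {
        p++;
        end = strchr(p, '"');
        if (end == NULL) return -1;          /* unbalanced quote */
    } else {
        end = p;
        while (*end != '\0' && *end != ' ' && *end != '\t') end++;
    }
    len = (size_t)(end - p);
    if (len + 1 > outsz) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
#ifdef _WIN32
    const char *cmdline = GetCommandLineA();          /* live command line */
#else
    /* constructed sample: what Explorer passes on a double click */
    const char *cmdline = "\"C:\\TEST.EXE\"";
#endif
    char path[260];
    const char *how = classify_cmdline(cmdline) == LAUNCH_GUI ? "RAN ON WIN32 GUI"
                                                             : "RAN FROM CONSOLE";
    if (extract_module_path(cmdline, path, sizeof path) < 0) {
        printf("could not parse command line: %s\n", cmdline);
        return 1;
    }
    printf("%s: %s\n", how, path);
    return 0;
}
```

The quote is only a hint about who launched the program: typing the quoted path at a console prompt takes the GUI branch too, so the parser is what makes the path usable in either case.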
