Playing "Rocky" with Windows

56 comments, last by Boltimus 21 years, 6 months ago
Ahaha I found it 2 seconds after I posted this.

Here's the link to the guy's paper and file.
I was wrong, no source code, but he tells you exactly what he's doing.

Here's the link:

http://security.tombom.co.uk/shatter.html
Yes, I read that - the "Shatter Attack" is quite powerful. Foon's approach seems somewhat roundabout though. The source code is available. It's in a zip file. If you thought that was cool - you might also find the DebPloit at Elicz's site interesting too. It's similar and simpler. However, I don't think that's what Boltimus is aiming for. I don't think he needs "privilege elevation" to achieve his goal.

[edited by - lessbread on September 12, 2002 11:49:50 PM]
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
You don't have to use it for privilege escalation. There are things you could use the general idea for though.
quote: Original post by Anonymous Poster
About a month ago on Slashdot, there was a guy that posted a link to someone who had this.

It was actually to demonstrate a security flaw in Windows.

It basically was a window that got the HDC of the window underneath it (I think it was transparent), and then allowed you to send messages to the other program's message queue.

It's not that big of a secret that you can iterate all top-level windows - and get their HWND, and thus their HDC.

I have to agree that the more I read about this, the more it sounded like an attempt to acquire passwords...

Man, you could just make an always-on-top window, make it transparent and capture & forward all user input.
- The trade-off between price and quality does not exist in Japan. Rather, the idea that high quality brings on cost reduction is widely accepted.-- Tajima & Matsubara
quote: Original post by Magmai Kai Holmlor
I have to agree that the more I read about this, the more it sounded like an attempt to acquire passwords...

I can see that too, but this is about the third thread that Boltimus has started in relation to his project. The first two pertained to using EnumWindows and TextOut to display information on the DC - Oluseyi helped out some in one of the other threads too. I don't think that Bolt is attempting to write a "key logger" of sorts. Taking him at his word - he also wants to draw on the transparent window - not exactly the mark of a "stealth" program, imo. Unless it's to say "hah! gotcha!" or somesuch
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
Well to quote Forrest, "I'm a simple man..." I'm not after any "secret" programs or anything like that. All that I am trying to figure out is how to basically write to the desktop window so as to simulate "wallpaper" in that everything (even the icons) could be drawn on the image I'm drawing. The image itself will be animated...

~Bolt
~Bolt "All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible." This I did...
quote: Original quote by LessBread...
The icons are part of the SysListView32 window - that code above merely toggles the visibility of that window. When that window is invisible - the icons are too - but the wallpaper still shows through. That tells me that the wallpaper is likely displayed as part of one of the two parent windows. Looking at the SHELLDLL_DefView window using that WinSpy program that I mentioned in the other thread, it turns out that the SHELLDLL_DefView window class uses the CS_PARENTDC style. According to the docs, that style sets the clipping rectangle of the child to that of the parent so that the child can draw on the parent. This doesn't mean that the child gets the parent's dc or dc settings. The child gets its own dc as it ordinarily would - the style is supposed to enhance performance - because the child window is clipped differently - the docs are kind of vague on this -

At any rate - that window is likely the one that holds the wallpaper...



I think that is it! I'm definitely going to try that this weekend right after finishing my Differential Equations homework....

~bolt


PS: Thanks Less!!!!

~Bolt "All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible." This I did...
No problem Bolt! Differential Equations - fun! First order, Higher order, Laplace transforms and such? It's been some years since I had to do any of those kinds of calculations.
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
Okay, Less... here's the scoop (couldn't wait for the weekend..hehe) It looks like the SHELLDLL_DefView is definitely the window. When I do a simple textout onto its HDC I can cover it up with the icons, there's just one little obstacle left. It won't refresh itself. I'll post some code in a sec. I've tried UpdateWindow() and ShowWindow() repeatedly in a while(true) loop, but to no avail...any ideas..here's the while loop...


  #include <windows.h>
  #include <stdio.h>
  #include <string.h>

  int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
  {
      HDC  HDC_Desktop;
      char buffer_queue[64];
      MSG  msg;

      // desktop window hierarchy: ProgMan -> SHELLDLL_DefView -> SysListView32 (the icons)
      HWND hwndProgMan  = FindWindow("ProgMan", NULL);
      HWND hwndShellDef = FindWindowEx(hwndProgMan, NULL, "SHELLDLL_DefView", NULL);
      HWND hWndLV       = FindWindowEx(hwndShellDef, NULL, "SysListView32", NULL);

      // enter main event loop
      while (true)
      {
          HDC_Desktop = GetWindowDC(hwndShellDef);
          sprintf(buffer_queue, "H-E-L-L-O");
          TextOut(HDC_Desktop, 300, 300, buffer_queue, strlen(buffer_queue));
          UpdateWindow(hwndProgMan);
          UpdateWindow(hwndShellDef);
          UpdateWindow(hWndLV);
          ReleaseDC(hwndShellDef, HDC_Desktop);

          GetMessage(&msg, NULL, 0, 0);
          // translate any accelerator keys
          TranslateMessage(&msg);
          // send the message to the window proc
          DispatchMessage(&msg);
      } // end while

      // return to Windows like this
      return (msg.wParam);
  } // end WinMain
~Bolt "All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible." This I did...
Hi Bolt,

It might be better to call InvalidateRect instead of UpdateWindow - but first try removing the UpdateWindow calls on ProgMan and ListView.

Ultimately, I think you'll want to create an off screen buffer - a memory dc - for writing to and then blit that to the target dc.

I haven't yet compiled any of your code. Can you email me your source file so that I can work out some of it myself using the same base prog that you are? Thanks.

-Mike
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
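As an added example (not code from anyone in this thread), here is Mike's memory-DC-and-blit suggestion applied to the ProgMan -> SHELLDLL_DefView -> SysListView32 chain that LessBread traced: each frame is composed off screen, only the changed region is blitted onto the wallpaper window, and the icon view is asked to repaint that region so the icons stay on top. The bouncing-box animation, its geometry and the helper names (step_frame, union_box) are my own assumptions; the GDI part is guarded so the portable helpers build anywhere.

```c
/* Added example, not from the thread: Mike's advice (draw into a memory DC, then blit)
 * applied to the ProgMan -> SHELLDLL_DefView -> SysListView32 chain LessBread traced.
 * The bouncing-box animation, its geometry and the helper names are my own assumptions. */
typedef struct { int left, top, right, bottom; } Box; /* portable stand-in for RECT */
static void shift(Box *b, int dx, int dy) { b->left += dx; b->right += dx; b->top += dy; b->bottom += dy; }

/* Move b by (*dx, *dy) inside bounds; on hitting an edge, clamp to it and reverse. */
void step_frame(Box *b, int *dx, int *dy, const Box *bounds) {
    shift(b, *dx, *dy);
    if (b->right  > bounds->right)  { shift(b, bounds->right - b->right, 0);   *dx = -*dx; }
    if (b->left   < bounds->left)   { shift(b, bounds->left - b->left, 0);     *dx = -*dx; }
    if (b->bottom > bounds->bottom) { shift(b, 0, bounds->bottom - b->bottom); *dy = -*dy; }
    if (b->top    < bounds->top)    { shift(b, 0, bounds->top - b->top);       *dy = -*dy; }
}
/* Smallest box covering the old and new positions: the only region that needs repainting. */
Box union_box(Box a, Box b) {
    Box u = { a.left < b.left ? a.left : b.left,     a.top < b.top ? a.top : b.top,
              a.right > b.right ? a.right : b.right, a.bottom > b.bottom ? a.bottom : b.bottom };
    return u;
}

#ifdef _WIN32   /* the GDI part only builds on Windows */
#include <windows.h>
int main(void) {
    HWND hwndProgMan  = FindWindowA("ProgMan", NULL);
    HWND hwndShellDef = FindWindowExA(hwndProgMan, NULL, "SHELLDLL_DefView", NULL);
    HWND hwndListView = FindWindowExA(hwndShellDef, NULL, "SysListView32", NULL);
    RECT rc;
    if (!hwndShellDef || !GetClientRect(hwndShellDef, &rc)) return 1;
    Box bounds = { rc.left, rc.top, rc.right, rc.bottom }, frame = { 0, 0, 120, 24 };
    int dx = 4, dy = 3;
    HDC hdcTarget = GetDC(hwndShellDef), hdcMem = CreateCompatibleDC(hdcTarget); /* target, buffer */
    HBITMAP hbm = CreateCompatibleBitmap(hdcTarget, rc.right - rc.left, rc.bottom - rc.top);
    HGDIOBJ old = SelectObject(hdcMem, hbm);
    SetBkMode(hdcMem, TRANSPARENT); SetTextColor(hdcMem, RGB(255, 255, 255));
    for (int i = 0; i < 600; i++) {                      /* about 10 s at ~60 fps */
        Box prev = frame; step_frame(&frame, &dx, &dy, &bounds);
        Box dirty = union_box(prev, frame);
        RECT rd = { dirty.left, dirty.top, dirty.right, dirty.bottom };
        FillRect(hdcMem, &rd, (HBRUSH)GetStockObject(BLACK_BRUSH)); /* erase old position off screen */
        TextOutA(hdcMem, frame.left, frame.top, "H-E-L-L-O", 9);
        BitBlt(hdcTarget, rd.left, rd.top, rd.right - rd.left, rd.bottom - rd.top,
               hdcMem, rd.left, rd.top, SRCCOPY);        /* one blit of just the changed region */
        if (hwndListView) InvalidateRect(hwndListView, &rd, FALSE); /* let the icons repaint on top */
        Sleep(16);
    }
    SelectObject(hdcMem, old); DeleteObject(hbm); DeleteDC(hdcMem); ReleaseDC(hwndShellDef, hdcTarget);
    return 0;
}
#endif
```

Build on Windows with the GDI import library (for MinGW: `gcc -o wall wall.c -lgdi32`); whether the shell's own WM_ERASEBKGND handling later repaints the wallpaper over the blit depends on the shell version, which is exactly the refresh interplay this thread is working through.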
