Practical joke fodder for the prankster programmer!

Ok. I just discovered this little gem:

    case WM_SYSTEMMENU:   // user-defined message posted by the keyboard hook below
        // HWND_BROADCAST reaches every top-level window on the desktop: minimize
        // them all, then restore them all. SC_RESTORE also shows windows that
        // were merely hidden, which is what flushes them out.
        PostMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MINIMIZE, 0);
        PostMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_RESTORE, 0);

Which uncovered a TON of hidden windows.
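The same population of hidden windows can be listed without disturbing the desktop. The script below is an added example, not code from the original post: it uses EnumWindows plus IsWindowVisible to find top-level windows that exist but are not shown, and walks the HWND_MESSAGE parent with FindWindowEx to find message-only windows, which the SC_MINIMIZE/SC_RESTORE broadcast never reaches because they are never displayed at all. Everything is grouped by owning process so you can see who is hosting how many of them. The P/Invoke declarations and the function name Get-HiddenWindow are my own; the user32 calls are the documented ones.

```powershell
# Added example (not from the original post): enumerate hidden top-level and
# message-only windows per process instead of broadcasting SC_MINIMIZE/SC_RESTORE.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

[DllImport("user32.dll")]
public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

[DllImport("user32.dll")]
public static extern bool IsWindowVisible(IntPtr hWnd);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter,
                                         string lpszClass, string lpszWindow);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);

[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

function Get-HiddenWindow {
    $found = [System.Collections.Generic.List[object]]::new()

    # Describe one window: class, caption, owning thread and process.
    $describe = {
        param([IntPtr]$hWnd, [string]$Kind)
        $cls = [System.Text.StringBuilder]::new(256)
        $cap = [System.Text.StringBuilder]::new(256)
        [void][Win32.Native]::GetClassName($hWnd, $cls, $cls.Capacity)
        [void][Win32.Native]::GetWindowText($hWnd, $cap, $cap.Capacity)
        [uint32]$procId = 0
        $tid  = [Win32.Native]::GetWindowThreadProcessId($hWnd, [ref]$procId)
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { "pid $procId" }
        [pscustomobject]@{
            Kind    = $Kind
            Handle  = ('0x{0:X}' -f $hWnd.ToInt64())
            Class   = $cls.ToString()
            Caption = $cap.ToString()
            Process = $procName
            Pid     = $procId
            Tid     = $tid
        }
    }

    # 1. Top-level windows that exist but are not visible: the ones the
    #    SC_MINIMIZE/SC_RESTORE broadcast in the post makes appear.
    $callback = [Win32.Native+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if (-not [Win32.Native]::IsWindowVisible($hWnd)) {
            $found.Add((& $describe $hWnd 'hidden-toplevel'))
        }
        return $true   # keep enumerating
    }
    [void][Win32.Native]::EnumWindows($callback, [IntPtr]::Zero)

    # 2. Message-only windows (parent HWND_MESSAGE = -3). EnumWindows skips them
    #    and no broadcast reaches them, but they are a common way to give a
    #    thread a message pump, so count them too.
    $HWND_MESSAGE = [IntPtr]::new(-3)
    $h = [Win32.Native]::FindWindowEx($HWND_MESSAGE, [IntPtr]::Zero, $null, $null)
    while ($h -ne [IntPtr]::Zero) {
        $found.Add((& $describe $h 'message-only'))
        $h = [Win32.Native]::FindWindowEx($HWND_MESSAGE, $h, $null, $null)
    }
    return $found
}

$windows = Get-HiddenWindow
# Who hosts the most hidden windows on this desktop?
$windows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
# Drill into one process, e.g. Outlook, by class and owning thread.
$windows | Where-Object Process -eq 'OUTLOOK' |
    Format-Table Kind, Class, Caption, Tid -AutoSize
```

EnumWindows only sees windows on the calling thread's desktop in the current session, so run it in the interactive session you want to inspect. The Tid column is the useful one for the thread-versus-window argument below: several hidden windows owned by the same thread are just a message pump with extra baggage, while hidden windows spread over many threads are the pattern the post is complaining about.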

Microsoft Outlook in particular is one ugly mother fucker.

No wonder it performs so abysmally.

To me it’s indicative of sloppy programming. Hacking in a way, but not in the “I’m out to get you, your credit cards, etc.” nefarious kind of way; more in the “I’m a sloppy/misinformed coder and think the only way to thread an application is by creating a separate window” kind of way.

So, to be clear: Windows has a function called CreateThread, which can be called from any language that can reach the Windows API. In C/C++ the CRT wrappers _beginthread/_beginthreadex and _endthread/_endthreadex do the same job, and should be used instead of CreateThread when the thread calls CRT functions. You don’t have to create a window to get a separate thread of execution; you literally create a new thread.

Now, if you need your own message pump and don’t already have one, and you create a hidden window (or even a hidden process) to host it, I understand. But let’s be real: a window is a far heavier object than a thread, and Windows spends resources managing every window and its message queue.

With that gripe aside….

On another note.

There’s a LOT of fun to be had with this functionality, which is what I was after when I wanted to check whether my low-level keyboard handler had actually captured the message (which it did):

Here’s a quick demonstration of a low-level keyboard hook callback which handles the Windows key press.

#include <windows.h>
#include <tchar.h>

// User-defined message the hook posts to the main window when the Windows key
// is pressed or released. (Assumed definition; the post does not show it.)
#define WM_SYSTEMMENU (WM_APP + 1)

static HHOOK g_hKeyboardHook = NULL;   // handle returned by SetWindowsHookEx
static HWND  m_hWndMain      = NULL;   // main window that receives WM_SYSTEMMENU

LRESULT CALLBACK LowLevelKeyboardProc( int nCode, WPARAM wParam, LPARAM lParam )
{
    // Only HC_ACTION carries a keystroke; anything else is passed on untouched.
    if( nCode != HC_ACTION )
        return CallNextHookEx( g_hKeyboardHook, nCode, wParam, lParam );

    bool bEatKeystroke = false;
    KBDLLHOOKSTRUCT* p = (KBDLLHOOKSTRUCT*)lParam;
    switch( wParam )
    {
        case WM_KEYDOWN:
        case WM_KEYUP:
        case WM_SYSKEYDOWN:   // Win key held together with Alt arrives as a SYS message
        case WM_SYSKEYUP:
        {
            if( p->vkCode == VK_LWIN || p->vkCode == VK_RWIN )
            {
                // The KBDLLHOOKSTRUCT only lives for the duration of this call,
                // so post the values the main loop needs, not the pointer.
                PostMessage( m_hWndMain, WM_SYSTEMMENU, p->vkCode, wParam );
                // Returning non-zero below is what stops the shell (Explorer's
                // Start menu) from ever seeing the key.
                bEatKeystroke = true;
            }
            break;
        }
    }

    if( bEatKeystroke )
        return 1;
    else
        return CallNextHookEx( g_hKeyboardHook, nCode, wParam, lParam );
}

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);

    // Initialize the main window here (m_hWndMain) before installing the hook....

    // A low-level hook runs on the thread that installed it, so this thread has
    // to keep pumping messages; if the hook stops responding, Windows removes it.
    g_hKeyboardHook = SetWindowsHookEx( WH_KEYBOARD_LL, LowLevelKeyboardProc, GetModuleHandle(NULL), 0 );

    MSG msg;
    while( GetMessage( &msg, NULL, 0, 0 ) > 0 )
    {
        TranslateMessage( &msg );
        DispatchMessage( &msg );
    }

    UnhookWindowsHookEx( g_hKeyboardHook );
    return (int)msg.wParam;
}


As you can see, the hook remaps the Windows key to a user-defined message (WM_SYSTEMMENU) that gets processed in my main message loop. Since I am overwriting the standard Windows Start menu and Explorer with my own version, this nifty little trick sees the keystroke before Windows acts on it; returning a non-zero value from the hook is what actually stops the key from going any further. Two caveats a practitioner will want: a WH_KEYBOARD_LL hook runs on the thread that installed it, so that thread must keep pumping messages and return from the callback quickly (Windows 7 and later silently remove a low-level hook that exceeds the hook timeout), and under UIPI a hook installed by a medium-integrity process is not called for input going to higher-integrity windows, such as elevated applications or the secure desktop.

Now here’s the fun. If you are working in a corporate environment, have some fun with a coworker.

Create a tiny executable which randomly drops a key or reinterprets it as another keystroke. For instance, the ‘s’ key sits close to the ‘t’ key, so every so often convert the virtual key code of a keydown event for ‘s’ into ‘t’ and forward that on to the subsequent message handlers.

Place this executable on your unsuspecting victim’s computer, being sure to hide the process well by removing the caption and giving it an innocuous, benign-sounding name (like msrm.exe), and from there just kick back and watch the fun.

To make it even more fun, you can build a TCP/UDP listener into this application which waits for messages you send it over TCP or UDP, letting you remotely set the random periodicity, the key combinations and filters, turn the application off, or register it under the Windows\CurrentVersion\Run key so it starts again next time. Be aware of what you have built at that point: a hidden process that installs a low-level keyboard hook, listens on a network socket and persists through the Run key has exactly the profile of a keylogger, and endpoint security tools will classify it as one.

Please be considerate of your target’s time and energy if you do do this, and try not to drive them too insane with it.

Put specifically: be respectful, and be close to them so you can see their reactions and be sure you aren’t pushing things too far. There’s nothing worse than remotely hacking someone with a trick like this when you will never see their responses AND never know when to back off and let them breathe!
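The flip side of the prank above is finding it. The script below is an added example, not code from the original post: it audits the Run and RunOnce keys mentioned above and flags autostart entries whose image is unsigned, lives in a user-writable location, or no longer exists on disk, which is the profile a dropped msrm.exe-style binary would have. The function names (Get-RunKeyEntry, Get-CommandImagePath, Test-UserWritablePath) and the user-writable heuristic are my own assumptions; the registry paths and Get-AuthenticodeSignature are standard.

```powershell
# Added example (not from the original post): audit Run/RunOnce autostarts and
# flag entries that look like a dropped keystroke-mangling executable.

function Get-CommandImagePath {
    # Pull the executable path out of a Run-key command line.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')
    }
    # Unquoted command line: grow the prefix one space at a time until it names a
    # file, so "C:\Program Files\Foo\foo.exe /tray" resolves to the .exe.
    $parts = $cl -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Test-UserWritablePath {
    # Heuristic (assumption): anything under a profile, temp or ProgramData tree.
    param([string]$Path)
    $roots = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
               $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }
    foreach ($r in $roots) {
        if ($Path.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunKeyEntry {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }   # skip empty (Default)
            $image  = Get-CommandImagePath $cmd
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            $signed = $false
            $signer = ''
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $image
                $signed = ($sig.Status -eq 'Valid')
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
            $userWritable = Test-UserWritablePath $image
            [pscustomobject]@{
                Key          = $key
                Name         = $name
                Command      = $cmd
                Image        = $image
                Exists       = $exists
                Signed       = $signed
                Signer       = $signer
                UserWritable = $userWritable
                # Unsigned, user-writable, or pointing at nothing: worth a look.
                Suspicious   = (-not $exists) -or (-not $signed) -or $userWritable
            }
        }
    }
}

Get-RunKeyEntry | Where-Object Suspicious |
    Format-Table Name, Image, Exists, Signed, UserWritable -AutoSize
```

HKCU entries need no privileges to write, which is why a prank binary running as the victim can register itself there; HKLM entries require admin rights. Plenty of legitimate software is unsigned or installs under AppData, so treat Suspicious as a triage queue, not a verdict, and compare against the hidden-window listing and the process list when an entry looks unfamiliar.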

