FastLife Posted May 14, 2014 Is there a way to shutdown/exit a process/application without using an API and without hardcoding?
simple Posted May 14, 2014 Don't know if I understand you well, but instead of using APIs maybe you can use retn instead, and it will "exit" the calling thread. Depending on the app, it may force a crash and, depending on some things, it'll show the unhandled exception error, freeze completely, etc. This wouldn't be a clean exit.
deepzero Posted May 14, 2014 A retn from the EP will return back into kernel32 and call ExitThread, which will also terminate the process.
cypher Posted May 17, 2014 Hold down the power button of your PC for ~5 seconds or pull the power plug. OK, for real: by "without hardcoding" you mean something like calculating or decrypting the used API function calls so they aren't findable/breakpointable until they are executed? That's indeed possible and I've seen that various times.
FastLife (Author) Posted May 17, 2014 Thank you people from tuts4you! I use a ret and it seems to work nicely. To cypher: no imports are used at all.
DMichael Posted May 24, 2014 Maybe:

    mov eax, 00000000
    call eax

or maybe some loop to freeze. I think it depends on imagination.
Peter Ferrie Posted June 20, 2014 Just execute int3 without any exception handler present. Windows will forcibly terminate your application (but possibly trigger a popup and Watson report as a result).
LCF-AT Posted June 20, 2014 Press the reset button on your PC.

    XOR EDX,EDX
    SYSENTER

4 bytes only and bye bye. greetz
Conquest Posted June 21, 2014 "Is there a way to shutdown/exit a process/application without using an API and without hardcoding?" The clean way of performing this will be emulating the proper syscall for the ExitProcess function, but it is a tiresome process to make it exactly universal, considering the syscall value for each OS is different. http://en.wikipedia.org/wiki/Exit_%28system_call%29
LCF-AT Posted June 21, 2014 So I think FastLife only wants to know something about Windows systems & Exit and not Linux etc, right? On the other hand, if you don't like those possibilities posted by us, then just use the ExitProcess API of the target itself which you want to exit, if you need it. Here the exit API is stored in Notepad.exe XP, for example:

    $-608A   01001318   <>77C09E7E   msvcrt.exit

Let's say you want to patch your exit call at OEP (example):

    $ ==>    0100739D   <> E8 00000000    CALL 010073A2
    $+5      010073A2   58                POP EAX
    $+6      010073A3   6A 00             PUSH 0x0                             ; ExitCode
    $+8      010073A5   FF90 769FFFFF     CALL DWORD PTR DS:[EAX+0xFFFF9F76]   ; msvcrt.exit

After the short call + pop into EAX (or any other R32 register, not ESP of course) you have the address where the pop is in EAX = 010073A2 in this case. Now check where the exit API is stored in your file = address 01001318 and now just sub it... 010073A2 - 01001318 = 608A bytes = length from one address to the other, and now just create a call "call dword [eax-608A]" (as above) and that's it. Now your target can run with any base XY and the call will always point to exit "IF" you keep this patch at this address (pop address), so if you change it then just re-calc the new length. Or just make a little patch that reads the PEB and finds the ExitProcess API via the export table, which you can use. Just try a little and use what you like. greetz
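The base-independent CALL/POP/PUSH/CALL sequence in LCF-AT's post, worked through as an added example (not code from the thread): it encodes the sequence for a given POP address and import-slot address, checks that the result matches the bytes shown above, and decodes such a sequence back to the slot it reads, which helps when reading a patched binary. The register table and the function names are my own assumptions.

```python
import struct

# x86 32-bit register numbers as used by POP r32 (0x58+reg) and the ModRM r/m field.
# ESP (4) is left out on purpose: [esp+disp32] needs a SIB byte, as the post notes.
REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "ebp": 5, "esi": 6, "edi": 7}


def delta_call_bytes(pop_addr: int, api_slot: int, reg: str = "eax") -> bytes:
    """Encode CALL $+5 / POP reg / PUSH 0 / CALL DWORD PTR [reg+disp32].

    pop_addr: address the CALL lands on (the POP), e.g. 0x010073A2 in the post.
    api_slot: address of the import slot holding the exit API, e.g. 0x01001318.
    The CALL pushes pop_addr, the POP loads it into reg, and the memory call reads
    [reg + (api_slot - pop_addr)], so the same bytes work at any image base.
    """
    r = REGS[reg]
    disp = api_slot - pop_addr               # negative when the slot lies below the patch
    if not -2**31 <= disp < 2**31:
        raise ValueError("displacement does not fit in disp32")
    code = b"\xE8\x00\x00\x00\x00"           # CALL $+5
    code += bytes([0x58 | r])                # POP reg
    code += b"\x6A\x00"                      # PUSH 0           ; ExitCode
    code += b"\xFF" + bytes([0x90 | r])      # CALL DWORD PTR [reg+disp32]  (FF /2, mod=10)
    code += struct.pack("<i", disp)          # disp32, little-endian, signed
    return code


def decode_delta_call(code: bytes, pop_addr: int) -> int:
    """Recognise the exact 14-byte pattern and return the absolute slot address it reads.

    Raises ValueError when the bytes do not have the CALL/POP/PUSH/CALL shape.
    """
    if len(code) != 14 or code[:5] != b"\xE8\x00\x00\x00\x00":
        raise ValueError("missing CALL $+5")
    r = code[5] & 7
    if code[5] >> 3 != 0x58 >> 3 or r == 4:
        raise ValueError("expected POP r32 (not esp)")
    if code[6:8] != b"\x6A\x00" or code[8] != 0xFF or code[9] != (0x90 | r):
        raise ValueError("expected PUSH 0 ; CALL DWORD PTR [reg+disp32]")
    (disp,) = struct.unpack("<i", code[10:14])
    return (pop_addr + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    # Addresses taken from the Notepad.exe XP listing in the post.
    patch = delta_call_bytes(0x010073A2, 0x01001318)
    print(patch.hex(" "))                                 # ... ff 90 76 9f ff ff
    print(hex(decode_delta_call(patch, 0x010073A2)))      # 0x1001318
```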
FastLife (Author) Posted June 21, 2014 Thank you all tuts4you members, very useful to me. I want to exit without looping through exports and without crashing the program.
EvOlUtIoN Posted July 17, 2014 @Cleiton Directly in Pascal it is not possible. @FastLife Without crashing the application and without calling an API, you have to return over the OEP. So you can save the stack at OEP in any way you want, then just restore it and make RETN when you want to close the program. It won't give any exception, and also closes all open handles.
xSRTsect Posted July 17, 2014 @evolution: Pascal has got inline asm, so why do you say it is not possible?
FastLife (Author) Posted July 19, 2014 Once again, thank you all guys for the information.