Fake (or Anonymous) NetSend for Windows NT/2000/XP

• Download demo project - 15 Kb
• Download source - 4 Kb

Introduction

A few years ago I was working at a software development company and one day my co-worker asked me if would be possible to use the Windows Net Send mechanism to send messages through the corporate network using some programming language like C++. I found the idea very interesting since we could implement this functionality in some of our applications so they could send messages to our computers when an exception occurs and/or something goes wrong.

After some time of MSDN and Google, learning about MailSlots, I could write the first test program and, for our surprise, worked like a charm.

With our program ready, we've started do create a generic function to send the messages, so we could make it avaliable at our "shared" directory, when I got an idea: "What if we use an invalid User Name to send the message?". Well, I think I don't need to tell you how this history ends :)

Background Information

The FakeSend (and Net Send) mechanism is very simple. It uses an Interprocess Communication (IPC) resource called "MailSlots". We can create MailSlots to swap messages between applications on a network environment just like we do with Sockets, Named Pipes, etc... The MailSlot internally uses a datagram socket, which means that we cannot be sure if the message has arrived. To learn more about MailSlots read the MailSlot Reference from MSDN Library.

Using the code

The code is very straightforward. We have the main function NetSend() that receives three values:

• szSender - The name of the person who is sending the message (Any name you want);
  
• szReceiver - The User Name (Network Login) or Machine name of the person who will receive the message;
  
• szMessage - The Message you want to send.

bool NetSend(const char * szSender, const char * szReceiver,
             const char * szMessage)
{
    // Our main variables

    char * pszMailSlot = NULL;
    unsigned char * pucMessage = NULL;
    unsigned int nMailSlotLen, nMsgFormatLen;

    HANDLE hHandle;
    DWORD dwBytesWritten;
    bool bRet = false;

    // Get the length of the strings

    nMailSlotLen  = strlen(szReceiver) + sizeof(szMailSlotPath);
    nMsgFormatLen = strlen(szSender) + strlen(szReceiver) +
                    strlen(szMessage) + sizeof(szMsgFormat);

    // Allocate necessary memory

    pszMailSlot = new char[nMailSlotLen];
    pucMessage  = new unsigned char[nMsgFormatLen];

    // Network path for <Receiver> MailSlot:

    // "\\Receiver\MAILSLOT\messngr"

    sprintf(pszMailSlot, szMailSlotPath, szReceiver);

    // Message Format:

    // "Sender\0Receiver\0Message\0"

    // sprintf doesn't work with \0 so here I'm using \r

    sprintf((char *)pucMessage, szMsgFormat, szSender,
                                szReceiver, szMessage);

    // Replace all '\r' characters with '\0'

    for (unsigned short i = 0; i < nMsgFormatLen; i++)
    {
        if (pucMessage[i] == '\r')
            pucMessage[i] = '\0';

        else if (pucMessage[i] == '\0')
            break;
    }

    // Create the file into Receiver's MailSlot and get a Handle to this file

    hHandle = CreateFile(pszMailSlot, GENERIC_WRITE, FILE_SHARE_READ, NULL,
                            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    // Do we have a valid handle?

    if (hHandle)
    {
        // Write the message to file

        bRet = (WriteFile(hHandle, pucMessage, (DWORD)nMsgFormatLen,
                    &dwBytesWritten, NULL) == TRUE);

        // Free the handle

        CloseHandle(hHandle);
    }

    return bRet;
}

History

• 2003-06-08 - First version of FakeSend. Bugs: Zero, I hope :)
• 2003-06-11 - Version 1.01. Just improving the code.