nezumi-lab
February 13th, 2009, 11:18
back in the old days (UNIX, big iron) zombies were a real headache. what's a zombie? it's an orphan child - a process without parents. how might it happen? well, guess: a mother process creates a child process and dies, leaving the child alone in the dark. does it make a problem? for GUI apps - no problem, but console apps are very different.
in general, console apps share the same console. if we run cmd.exe from Explorer it creates a new console, but when we run format.com from cmd.exe - format.com uses the same console. it's obvious. oh, really?! NT is not MS-DOS!!! creating a new process (format.com) does not suspend the parent (cmd.exe). so, cmd.exe is still running. it would make a mess if cmd.exe did not wait for format.com to finish.
if you guys developed a console shell you probably know that CreateProcess is followed by WaitForSingleObject(hHandle, ...) where hHandle is the handle of the created process. now, guess: the child process creates a sub-child and dies. WaitForSingleObject() returns control, but the sub-child is still running and shares the same console!!!
consider the following code, or download the sources and binary (http://nezumi-lab.org/ffh/zombie-bug.zip):
```c
#include <windows.h>
#include <stdio.h>
#include <string.h>
int main(int c, char **v)
{
    char x[] = "|/-\\"; PROCESS_INFORMATION pi; STARTUPINFOA si; // fan frames: not in the pasted fragment, assumed
    // if it's the child process - output the message to the (inherited) console forever
    if (c > 1) while (1) printf("\rI'm a zombie [%c]$", x[++c % (sizeof(x) - 1)]), Sleep(69);
    // creating a child (this same exe, started with an argument) and terminating itself
    memset(&pi, 0, sizeof(pi)); memset(&si, 0, sizeof(si)); si.cb = sizeof(si);
    if (!CreateProcessA(v[0], "Im zombie", 0, 0, 0, 0, 0, 0, &si, &pi)) return printf("-ERR:create_proc\n");
    return 0;
}
```
run cmd.exe and type "zombie_bug.exe" (with extension!). wow!!! a very modern command prompt with a rotating fan! you can type cmd's commands and they will be executed, but the rotating fan keeps working!!! now, start FAR manager (http://www.farmanager.com/) and run zombie_bug.exe. oops! FAR has the same bug and our zombie is working again!!!
what's it good for? first of all we can create "resident" programs living in foreign consoles (use the console API to output text into desired positions). another idea - a zombie can intercept all input, and if the zombie outputs nothing to the console - nobody notices it!!! a good stealth spy.
what are we going to do? does anybody want to send a bug report to Microsoft and the FAR manager team?
http://nezumi-lab.org/gif/zombie_bug.gif (zombie - alone in the dark)
http://nezumi-lab.org/blog/?p=143
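The check a console shell could add against exactly this situation, as an added example that is not from the post or the zombie_bug sources: snapshot the PIDs attached to the console before launching, wait for the direct child the way cmd.exe does, then list any process that is still attached afterwards but was not there before. The Win32 part (GetConsoleProcessList, CreateProcessA) is assumed and only compiled under _WIN32; the set-difference logic builds anywhere. MAX_PIDS, run_and_check and the sample PIDs are constructed for the example.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
typedef unsigned long DWORD;   /* lets the portable set logic build off Windows */
#endif
#define MAX_PIDS 256

static int pid_in(const DWORD *set, DWORD n, DWORD pid)
{
    DWORD i;
    for (i = 0; i < n; i++) if (set[i] == pid) return 1;
    return 0;
}

/* PIDs present in `after` but absent from `before`: processes that attached to
   the console while the child ran and are still attached after it exited.
   Writes them to `out` and returns how many there are. */
static DWORD new_console_pids(const DWORD *before, DWORD nb,
                              const DWORD *after, DWORD na, DWORD *out)
{
    DWORD i, k = 0;
    for (i = 0; i < na; i++)
        if (!pid_in(before, nb, after[i])) out[k++] = after[i];
    return k;
}

#ifdef _WIN32
/* Snapshot of every process attached to our console; 0 if no console or too many. */
static DWORD console_pids(DWORD *out, DWORD cap)
{
    DWORD n = GetConsoleProcessList(out, cap);
    return n > cap ? 0 : n;
}

/* A console shell's launcher: wait for the direct child as cmd.exe does, then
   check whether anything new is still sharing the console (0 = console quiet). */
static DWORD run_and_check(char *cmdline, DWORD *leftovers)
{
    DWORD before[MAX_PIDS], after[MAX_PIDS], nb, na;
    STARTUPINFOA si; PROCESS_INFORMATION pi;
    nb = console_pids(before, MAX_PIDS);
    memset(&si, 0, sizeof si); si.cb = sizeof si; memset(&pi, 0, sizeof pi);
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return (DWORD)-1;
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    na = console_pids(after, MAX_PIDS);
    return new_console_pids(before, nb, after, na, leftovers);
}
#endif
```

A shell that gets a non-zero count back can keep waiting on those PIDs, or at least tell the user that something it did not start is still drawing on its console.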