Yeah SR, good idea.
It would take a little research first I suppose.
I'm not sure if you can specify an address outside of the process that recieves the WM_TIMER message.
I haven't tried it yet so I don't know for sure if it would work or not.
Worth a try,i'll be trying myself later.
Most of the memory within a Win2k default SYSTEM process seems to be READONLY,which would be a problem using EM_GETLINE.
I think that EM_GETLINE is interesting,writing to the heap,then executing it as Chris mentioned.
He also said an arbitrary address..dunno if this is possible,again,worth a look.
I don't know if the heap allocated for the EDIT control boxes would be executable or not,if not,it could be modified I guess.
I think you could probably modify the attributes of the EDIT box just in the same way you can using EM_SETLIMITTEXT.
So who knows?
On Win2k,as a GUEST group user,accessing Users and Passwords in the control panel throws up a box prompting for ADMINISTRATOR password.
I don't know if this runs as SYSTEM yet though.
If it does,it could be possible to do somthing with it to get SYSTEM privileges.
Another thing to look into might be the Management Console,it seems to communicate with a window when running,and I think it runs with SYSTEM privilege.
I started reading about making shellcode lastnight for Win32 systems,as i know very little about it,and couldn't understand the binary file that came with shatter,it was encrypted using a simple xor,but i couldn't be bothered deciphering it hehe
I did,but I still couldn't understand it.
It was xor'd because of null bytes..somthing like that anyway.
I think this weekend,I'll make some code to do various things.
simple things like starting CMD.EXE,adding user to system with ADMINISTRATOR privilege using NET.EXE..etc
Nothing like spawning remote shells,I plan on getting around to this though eventually.
The addresses are hardcoded for now,because I think if the code has to find the base address of the kernel,then the GetProcAddress API aswell as the other API's needed,it would be too big in the end.
that means it'l be system specific,but if could be easily modified to work on others i suppose.
You could write a program that assumed a starting address of 00400000h but when it ran inside a process which had an address different to the original,it probably wouldn't work.
If you look at some virus source code,you can see how they first find the address they are at in memory,and then use it throughout the program to work without crashing.
I'm still learning about all this stuff,but its interesting.