##################################### # IPC - InterProcess Communications # # by ULTRAS [MATRiX] # ##################################### In this article is described mechanisms of use mailslot in macro viruses. Mailslot - mechanism for one - sided interprocess communication (IPC) (development by MicroSoft. Aplications, coded for Windows, can use IPC by saving the messages to Mailslot (slot). This messages may be put into the slot from the local computer or from the net computer. Slot is a pseudo file in the computer's memory. But slot is a temporary file. Each slot have it's own handle. If this handle closed all data(any type) in the slot will be lost. Process wich create the slot called the 'server'. When server create the slot it get the handle. Handle is using for control the slot. Slot exists until it will be closed or computer's reboot happens. All slot is a local for server process. Process can't create slot on the other computer. Other processes can send messages to slot calling it by name. This processes are called 'clients'. All messages are in the slot in order of delivering. If on other computers in the local net are the slots with same names, then there is a posiblillty to send messages to all computers simultaneously by pointing in the slot's name a working group. Mailslot's are very simple to use, they are a mechanism of a higher level then Microsoft sockets. For choosing a slot require to show it name. Then name of the slot is shown in strongly definite form. \\.\mailslot\[path]name For example: \\.\mailslot\messmgr - name of the slot (Winpopup programm) As you can see the pseudo path is accepted. For example, in one os the mine buisness progs using the slots with names of accountants. \\.\mailslot\taxes\olga \\.\mailslot\taxes\irina \\.\mailslot\taxes\larisa - for tax rates \\.\mailslot\sales\olga \\.\mailslot\sales\irina \\.\mailslot\sales\larisa - for information about selling. For sending the messages into the slot you must show the name of slot. If slot is in the other computer then you must show computer's name. \\computername\mailslot\[path]name If you want to send message to all computer's of the current working group then you must used this format: \\*\mailslot\[path]name Show the slot's name in this view you send the messages to computer's in the same work group(domain) with your local computer. If in the local net are the others working groups (domains), then you can used next format: \\domainname\mailslot\[path]name And again about names format fot creating the slot. The name consist of: two slash, dot, slash, word, slash and pseudo path or simply name of the slot. Formats of the name for sending the messages: \\.\mailslot\[path]name - for local slot \\computername\mailslot\[path]name - for slot on the choosed computer \\*\mailslot\[path]name - for slots on the all computers of the current domain \\domainname\mailslot\[path]name - for all slots of the selected domain The functions are used for work with slots. The servers and clients applications for working with slots must use this fucntions: The servers functions ~~~~~~~~~~~~~~~~~~~~~ This three functions may be used by the process created the slot only. Function Description CreateMailslot - Creating the slot and return it handle GetMailslotInfo - Return the information about max size of the message,size of the slot, size of the next message in the slot, number of the messaged in the slot, time of waiting the message in the slot. SetMailslotInfo - Change the time of waiting the message. Next functions are also used by server. Function Description DuplicateHandle - Duplicate slot's message ReadFile - Read the messages GetFileTime - Return date and time of the slot creating SetFileTime - Set date and time of the slot creating The clients functions ~~~~~~~~~~~~~~~~~~~~~ For the communication with slot client using next functions. Function Description CloseHandle - Close slot's handle for client's process. CreateFile - Create slot's handle for client's process. DuplicateHandle - Duplicate slot's handle WriteFile - Writing data to slot Creating the slot Mailslot supportind by three special functions: CreateMailslot, GetMailslotInfo and SetMailslotInfo. This functions are using by server.. The next sample_mailslot. 'Declaration of variables, functions and types Dim s As SECURITY_ATTRIBUTES Dim SlotName As String Dim mHandle As Long Declare Function CreateMailslot Lib "kernel32" Alias "CreateMailslotA" (ByVal lpName As String, _ ByVal nMaxMessageSize As Long, ByVal lReadTimeout As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES) As Long Type SECURITY_ATTRIBUTES nLength As Long lpSecurityDescriptor As Long bInheritHandle As Long End Type 'Set S variable s.bInheritHandle = 0 s.lpSecurityDescriptor = 0 s.nLength = 12 'Creating the slot SlotName = "\\.\mailslot\sample_mailslot" mHandle = CreateMailslot(SlotName, -1, -1, s) If mHandle <> -1 Then MsgBox "Error in the slot creation!", vbOKOnly, "Error" End If If the variable mHandle <> -1 then error not appeared and the mHandle consist handle of the slot. If you set bInheritHandle to the TRUE then other processes can controls the created slot. The default parametr is FALSE. Writing data to slot ~~~~~~~~~~~~~~~~~~~~ Writing data to slot is same as a writing to normal file. Next code use the functions CreateFile, WriteFile and CloseHandle for writing a short message to the slot. The message send to every computer in the current domain. 'Variables Dim i As Long Dim Mess As String Dim u As Long Dim a As Long 'Constants Const GENERIC_WRITE = &H40000000 Const FILE_SHARE_WRITE = &H2 Const FILE_ATTRIBUTE_NORMAL = &H80 Const OPEN_EXISTING = 3 'Functions Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, _ ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, _ ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, _ ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, lpOverlapped As Any) As Long 'Open, write, close Mess = "Message to all comp's in the current domain" 'Message u = Len(Mess) 'Size of the message mFileHandle = CreateFile("\\*\mailslot\sample_mailslot", GENERIC_WRITE, FILE_SHARE_WRITE, s, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0) 'Open slot for writing i = WriteFile(mFileHandle, ByVal (Mess), ByVal (u), a, ByVal (0)) 'Writing CloseHandle mFileHandle 'Close handle The max size of the message is 400 bytes. The max number of the messages in the slot is not limited. Reading data from slot. The process, created the slot, can read the messages from slot using the slot's handle. The process use for it function ReadFile. The next code calling the GetMailslotInfo, wich return the info about messages in the slot. If messages is in the slot,this function read first message. Dim i As Long Dim a As Long Dim a1 As Long Dim a2 As Long Dim a3 As Long Dim a4 As Long Dim Mess As String Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, _ lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long Declare Function GetMailslotInfo Lib "kernel32" (ByVal hMailslot As Long, _ lpMaxMessageSize As Long, lpNextSize As Long, lpMessageCount As Long, lpReadTimeout As Long) As Long i = GetMailslotInfo(mHandle, a1, a2, a3, a4) If a3<1 Then 'Exit from procedure End If Mess = Space(a2) i = ReadFile(mHandle, ByVal (Mess), ByVal (a2), a, ByVal (CLng(0))) Mailslot exist until CloseHandle function will not called for all handles of current slot, created by server. When all handles, pointing to the slot, will closed all unread messages will be killed and clients handles will be closed. Get info about Mailslot ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Function GetMailslotInfo return information about current slot. lpMaxMessageSize - set max size of the message in bytes. lpNextSize - show the size of next message. If parametr equal (-1), then no messages. lpMessageCount - show the number of unread messages. lpReadTimeout - set the time of wait for read (in milliseconds), from start of the write operation to it end. If function have no erroe while executing then return value don't equal zero, in other case - zero. Last word ~~~~~~~~~ In the 29#4 & MATRiX#2, you can find a more info about using IPC in viruses. Some viruses wich use IPC technique: Win32.Vulcano by Benny/29a Win32.HIV by Benny/29a Win32.Dream by prizzy/29a Win32.Aid by mort/MATRiX ULTRAS [MATRiX] ultras@matrixvx.org