NetSend by Neil Munday
I wrote this program in August 2003 out of curiosity to discover how certain people generate the annoying Messenger pop-up messages in Windows XP, 2000 and NT (see below for an example). The Messenger service of these operating systems is not to be confused with either MSN or Windows Messenger.

You may not have experienced these messages if you are running the built-in firewall of XP or any other available firewall. The Messenger service is run by default and is used to send and receive messages across any network. The service listens on port 135 which is blocked by most firewalls as this port is used as part of NetBIOS and for the Windows RPC (Remote Procedure Call) service. A flaw in the latter service was responsible for the spread of the MSBlast virus.
How does it work?
You can send messages using the Messenger service via the "net" program of Windows. To send a message to another computer, open a command window and then specify either the host's name or IP address like so:
net send 127.0.0.1 hello world!
net send workpc hello world!
You can also send messages to an entire workgroup (a technique used by commercial spammers).
net send workgroup hi!
However, the sender shown in the message will be the name of the sending host. Therefore, the receiver could easily send you a message back or trace the message.
Fortunately, it is relatively simple to send "anonymous" messages using the Messenger service. I use the term "anonymous" loosely as it could be possible for the receiver to find out the sender's IP address if they have software that monitors their network connection (e.g. a firewall).
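The firewall point above can be checked from the receiving side. The following Python script is an added example, not part of the original page or the NetSend program: it counts logged attempts to port 135 per source address. The log layout (a shortened field list in the style of the Windows Firewall log), the function names and the sample lines are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the W3C-style layout of a Windows Firewall log
# (shortened field list; addresses are from documentation ranges).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-14 10:01:02 DROP UDP 198.51.100.7 192.0.2.10 4021 135 412
2003-08-14 10:01:09 DROP UDP 198.51.100.7 192.0.2.10 4022 135 398
2003-08-14 10:02:30 DROP TCP 203.0.113.5 192.0.2.10 1188 135 48
2003-08-14 10:03:11 OPEN TCP 192.0.2.10 198.51.100.80 1045 80 -
2003-08-14 10:04:00 DROP UDP 198.51.100.7 192.0.2.10 4023 135 405
2003-08-14 10:05:45 DROP TCP 203.0.113.9 192.0.2.10 3320 445 48
"""


def parse_firewall_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def sources_hitting_port(text, port=135, local_ip=None):
    """Count logged attempts per (source IP, protocol) to the given port."""
    hits = Counter()
    for entry in parse_firewall_log(text):
        if entry.get("dst-port") != str(port):
            continue
        if local_ip and entry.get("dst-ip") != local_ip:
            continue
        hits[(entry["src-ip"], entry["protocol"])] += 1
    return hits


if __name__ == "__main__":
    for (src, proto), n in sources_hitting_port(SAMPLE_LOG).most_common():
        print(f"{src:15} {proto:3} {n} attempt(s) to port 135")
```

The source address in the log is the sender's real network address regardless of the "from" name displayed in the pop-up.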
Sending anonymous messages
By using the Windows API and either Visual Basic or Visual C++, it is possible to create a program to perform such a task. By using a function - NetMessageBufferSend - provided by the "netapi32" library, one can generate Messenger messages.
In VB the function is declared as follows:
Private Declare Function NetMessageBufferSend Lib "netapi32.dll" ( _
lpServerName As Any, _
lpMsgName As Byte, _
lpFromName As Any, _
lpBuf As Byte, _
ByVal lnBufLen As Long _
) As Long
lpServerName is a pointer to a constant Unicode string specifying the name of the server on which the function is to execute. The string must begin with \\. If this parameter is NULL, the local computer is used.
lpMsgName is a pointer to a constant Unicode string specifying the message alias (recipient) to which the message buffer should be sent.
lpFromName is a pointer to a constant Unicode string specifying who the message is from. If this parameter is NULL, the message is sent from the local computer name. This is the parameter that allows us to send messages anonymously.
lpBuf is a pointer to a buffer that contains the body of the message to be sent.
lnBufLen specifies a DWORD value that contains the length (in bytes) of the message text pointed to by the lpBuf parameter.
This function returns 1 if the message was sent.
The developed program
Using this function as the main part of the program, it was possible to create a user interface to allow users to send messages. The user interface can be seen below:

This program will only work on Windows XP, 2000 or NT. It can be downloaded here.
This program is not to be used for spamming or any other unauthorised actions.
Copyright © Neil Munday 2003