[21547] in bugtraq


RE: W2k: Unkillable Applications

daemon@ATHENA.MIT.EDU (Snow, Corey)
Mon Jul 16 18:10:39 2001

Message-ID: <200107162103.f6GL3VR05837@thumper.deltadentalwa.org>
From: "Snow, Corey" <CSNOW@ddpwa.com>
To: Bugtraq Mailing List <bugtraq@securityfocus.com>
Date: Mon, 16 Jul 2001 14:06:20 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

I can confirm this; I created a simple Win32 app named "Winlogon.exe" and
Task Manager refused to terminate it. However, I discovered something
interesting: Microsoft's "kill" utility will terminate the faux
winlogon.exe, but will not terminate the real one.
 
See below: pid 1692 is the pid for my fake winlogon.exe. When the 'kill'
command was executed, the process died right there with no fuss. However,
188 is the pid for the real winlogon.exe. Despite what it says about the
'NetDDE Agent' being killed, the winlogon.exe process continues to run just
fine, and one can actually issue a kill command repeatedly with the same
results. So far, it does not seem to have affected the operation of my
system in any way whatsoever.

Corey M. Snow- csnow@ddpwa.com
Senior Web Developer, Washington Dental Service
(206) 528-7361, Mobile (360) 481-2563
FAX: (206) 985-4939
Web: http://www.deltadentalwa.com

----

C:\TEMP>kill 1692
process WinLogon.exe (1692) - 'WinLogonTest' killed

C:\TEMP>kill 188
process WINLOGON.EXE (188) - 'NetDDE Agent' killed

C:\TEMP>
----

> -----Original Message-----
> From: Thomas Zehetbauer [mailto:thomasz@hostmaster.org]
> Sent: Monday, July 16, 2001 9:59 AM
> To: Bugtraq Mailing List
> Subject: W2k: Unkillable Applications
> 
> 
> Task Manager in Windows 2000 refuses to kill any process named
> - winlogon.exe
> - csrss.exe
> - smss.exe
> - services.exe
> showing a message box stating that this is a critical system 
> process and
> cannot be ended by task manager.
> 
> Although these processes were and are still protected by 
> their ACL (Access
> Control List) Microsoft is now using case-insensitive string 
> comparison to
> determine whether a process belongs to the operating system.
> 
> You can now call your favorite trojan winlogon.exe and task 
> manager will not
> only refuse to terminate it but will also incorrectly state 
> that it is a
> critical system process.
> 
> Regards
> Tom
> 
> -- 
>   T h o m a s   Z e h e t b a u e r   ( TZ251 )
>   PGP encrypted mail preferred - KeyID 96FFCB89
>        mail pgp-key-request@hostmaster.org
> 

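The thread's point is that a case-insensitive comparison of the image name is no basis for deciding whether a process is the real winlogon.exe, csrss.exe, smss.exe or services.exe. As an added example, not part of either post above, the following PowerShell snippet (for a current Windows host, not Windows 2000) lists every process that reuses one of those names and reports whether it actually looks like the genuine instance: image under %SystemRoot%\System32, owned by SYSTEM, and carrying a valid Microsoft Authenticode signature. The protected-name list is the one from Thomas's message plus lsass, which is my addition; the Win32_Process and Get-AuthenticodeSignature calls are standard cmdlets.

```powershell
# Added example, not from the original post: flag processes that borrow a
# critical system process name but do not look like the real thing.
# Run from an elevated prompt. Without admin rights WMI returns no
# ExecutablePath for csrss/smss and they would be flagged spuriously.
# Protected names: the four from the original post plus lsass (assumption).
$Critical = @('winlogon', 'csrss', 'smss', 'services', 'lsass')
$System32 = Join-Path $env:SystemRoot 'System32'

Get-CimInstance -ClassName Win32_Process |
    Where-Object { $Critical -contains [IO.Path]::GetFileNameWithoutExtension($_.Name) } |
    ForEach-Object {
        $proc  = $_
        $path  = $proc.ExecutablePath
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }

        # A genuine instance lives under %SystemRoot%\System32, runs as SYSTEM
        # and is signed by Microsoft. The file name alone proves nothing, which
        # is exactly what the Task Manager check in the thread relies on.
        $reasons = @()
        if (-not $path) {
            $reasons += 'no image path (access denied?)'
        } else {
            if ($path -notlike "$System32\*") {
                $reasons += "image outside System32: $path"
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
                $reasons += "signature $($sig.Status)"
            }
        }
        if ($owner.ReturnValue -eq 0 -and $owner.User -ne 'SYSTEM') {
            $reasons += "owner $ownerName"
        }

        [pscustomobject]@{
            PID        = $proc.ProcessId
            Name       = $proc.Name
            Path       = $path
            Owner      = $ownerName
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    } | Format-Table -AutoSize
```

A process such as the C:\TEMP\WinLogon.exe from Corey's test shows up with Suspicious = True and an image-outside-System32 reason, while the real winlogon.exe passes all three checks. Note that path, owner and signature are stronger signals than the name but are still not proof: an administrator can drop a file into System32, and a signed binary can be hollowed in memory, so treat the output as a triage list rather than a verdict.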
